nGuard

Apple

Don’t Let Zero-Day Vulnerabilities Spoil Your Holidays

In this article, we will be discussing several recent developments in cybersecurity. First, we will cover the FortiOS SSLVPN Buffer Overflow, a vulnerability that allows attackers to execute arbitrary code on affected devices. Next, we will discuss new Atlassian security flaws, which have been discovered in several of the company’s popular software tools. We will also examine the issue of JSON requests bypassing Web Application Firewalls and how this can leave systems vulnerable to attacks. Finally, we will discuss Apple’s efforts to patch iPhone and iPad Zero-Days, which are vulnerabilities that have not yet been publicly disclosed. These topics highlight the ongoing importance of staying vigilant and taking steps to protect against emerging threats in the digital landscape.

FortiOS SSL-VPN Heap-Based Buffer Overflow Discovered

FortiGuard Labs has published a critical advisory warning of a heap-based buffer overflow vulnerability in FortiOS SSL-VPN. This may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability is tracked under advisory ID FG-IR-22-398, carries a CVSSv3 score of 9.3, and has been confirmed to be exploited in the wild. FortiGuard Labs has included indicators of compromise (IOCs) so that FortiOS administrators can review the integrity of their systems. It is recommended that organizations upgrade to an unaffected version of FortiOS and follow FortiGuard’s advice to review existing systems for signs of compromise. To stay on top of new vulnerabilities like this, nGuard recommends having, at a minimum, quarterly vulnerability scans conducted on your internal and external environments. In addition, to get a full view of what an attacker could do if they gain access to your network, annual internal and external penetration testing is recommended.

Security Flaws Discovered in Atlassian Products

CloudSEK researchers have identified a flaw in Atlassian products Jira, Confluence, and BitBucket that could be exploited by threat actors to take over corporate Jira accounts. The researchers found that even if a password is changed with 2FA enabled, cookies are not invalidated and only expire when a user logs out or after 30 days. As a result, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions using stolen cookies, even if they do not have access to the multi-factor authentication or one-time PIN required for 2FA. With over 10 million users across 180,000 companies, including 83% of Fortune 500 firms, Atlassian products are widely used, and threat actors are actively exploiting the flaw to compromise enterprise Jira accounts. CloudSEK is releasing a free tool that allows companies to check if their compromised computers and Jira accounts are being advertised on dark web marketplaces. Additionally, conducting a web application penetration test can help discover vulnerabilities with session cookies and other areas, using the OWASP Top 10 as the foundation of the assessment.
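The defensive counterpart to the flaw described above is server-side session invalidation: a session cookie should stop working the moment the credentials that minted it change. The following is an added example, not CloudSEK's tool or any Atlassian code, showing one way to do that with a per-user credential version that every session records at login and that the server bumps on each password change. All names (SessionStore, User, Session, credential_version) are hypothetical, and the password hashing is a toy stand-in for a real password hash such as Argon2 or bcrypt.

```python
"""Added example: sessions bound to a credential version, so a password change
kills every cookie issued before it, with no need to enumerate stored sessions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SESSION_TTL_SECONDS = 30 * 24 * 3600  # 30-day lifetime, as in the article


@dataclass
class User:
    username: str
    password_hash: str
    credential_version: int = 0  # incremented on every password change


@dataclass
class Session:
    username: str
    credential_version: int  # value of User.credential_version at login time
    issued_at: float


class SessionStore:
    def __init__(self):
        self.users = {}     # username -> User
        self.sessions = {}  # cookie value -> Session

    @staticmethod
    def _hash(password):
        # Toy hash for a self-contained demo; use Argon2/bcrypt in production.
        return hashlib.sha256(password.encode()).hexdigest()

    def add_user(self, username, password):
        self.users[username] = User(username, self._hash(password))

    def login(self, username, password, now=None):
        """Verify the password and mint a random, unguessable cookie."""
        user = self.users[username]
        if not hmac.compare_digest(user.password_hash, self._hash(password)):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self.sessions[cookie] = Session(username, user.credential_version, issued)
        return cookie

    def validate(self, cookie, now=None):
        """Return the username for a live cookie, or None if it is expired,
        unknown, or was issued before the most recent credential change."""
        session = self.sessions.get(cookie)
        if session is None:
            return None
        now = time.time() if now is None else now
        user = self.users.get(session.username)
        stale = (
            user is None
            or now - session.issued_at > SESSION_TTL_SECONDS
            or session.credential_version != user.credential_version
        )
        if stale:
            self.sessions.pop(cookie, None)  # drop the dead cookie eagerly
            return None
        return session.username

    def change_password(self, username, old_password, new_password):
        user = self.users[username]
        if not hmac.compare_digest(user.password_hash, self._hash(old_password)):
            raise PermissionError("bad credentials")
        user.password_hash = self._hash(new_password)
        # This single increment invalidates every outstanding session for the
        # user, including a cookie an attacker copied off a compromised machine.
        user.credential_version += 1


def demo():
    """Constructed scenario: a cookie stolen before a password change is dead after it."""
    store = SessionStore()
    store.add_user("alice", "correct horse")
    stolen_cookie = store.login("alice", "correct horse")
    valid_before = store.validate(stolen_cookie) == "alice"
    store.change_password("alice", "correct horse", "battery staple")
    valid_after = store.validate(stolen_cookie)  # None: the stolen cookie no longer works
    return valid_before, valid_after


if __name__ == "__main__":
    print(demo())
```

The version check matters more than deleting rows: in a deployment where sessions live in a distributed cache or a signed cookie, the server may not be able to find and delete every session cheaply, but it can always compare a version number on each request. The same counter can be bumped when a user resets their 2FA device or an administrator forces a logout.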

Web Application Firewalls Bypassed by JSON Requests

Researchers at Claroty have discovered that web application firewalls (WAFs) from Amazon Web Services, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to malicious requests that use JavaScript Object Notation (JSON) syntax to obfuscate database commands and escape detection. This technique allows attackers to access and potentially change data as well as compromise the application. The researchers found that the WAFs did not recognize SQL statements that embed JSON syntax, while the major SQL databases parse them. This allows attackers to forward malicious requests to the back-end database without detection. WAFs are widely used to protect against application attacks, but they are not foolproof. A 2020 survey found that 40% of security professionals claimed at least half of application attacks had bypassed the WAF. This research shows that even if you have security devices in place, they can be bypassed. nGuard can find the vulnerabilities within your web applications before an attacker can by performing a web application penetration test.
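The lesson of the research above is that a WAF is a compensating control, not the fix: if the application builds SQL by string concatenation, any request the WAF fails to recognize reaches the database parser as code. The added example below (not Claroty's work or any vendor's code) puts a vulnerable query beside its parameterized form against an in-memory SQLite table, using constructed sample rows and a deliberately crude, widely documented injection string rather than any JSON-syntax payload. The table and function names are hypothetical.

```python
"""Added example: string-built SQL versus a parameterized query.
With parameters, user input is always data, so it does not matter
whether a WAF in front of the application recognizes the syntax."""
import sqlite3

# Constructed sample data: documents with an owner and a visibility flag.
ROWS = [
    (1, "alice", "public"),
    (2, "bob", "private"),
    (3, "carol", "private"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER, owner TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)", ROWS)
    return conn


def docs_for_owner_unsafe(conn, owner):
    """Vulnerable: the owner string is pasted into the statement, so the
    database parses whatever the caller sends as part of the SQL."""
    sql = (
        "SELECT id FROM docs WHERE owner = '" + owner + "' "
        "AND visibility = 'public'"
    )
    return [row[0] for row in conn.execute(sql)]


def docs_for_owner_safe(conn, owner):
    """Hardened: the statement is fixed; the driver binds the value separately,
    so the input can never change the query's structure."""
    sql = "SELECT id FROM docs WHERE owner = ? AND visibility = 'public'"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner):
    """Run both variants on the same input and return (unsafe_ids, safe_ids)."""
    conn = make_db()
    return docs_for_owner_unsafe(conn, owner), docs_for_owner_safe(conn, owner)


if __name__ == "__main__":
    print(compare("alice"))               # both return [1]
    # A textbook tautology with a trailing comment marker: the unsafe query
    # drops its visibility check and returns every row; the safe one returns
    # nothing because no owner has that literal name.
    print(compare("alice' OR 1=1 --"))    # ([1, 2, 3], [])
```

The same reasoning applies to ORMs and query builders: they are safe only as long as every user-controlled value goes through a bound parameter, and any "raw SQL" escape hatch reintroduces the concatenation shown in docs_for_owner_unsafe. A WAF rule that happens to catch this particular string is no substitute, because the database will accept many spellings of the same statement that a signature does not list.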

Apple Sends Updates to Patch New Zero-Day

Apple has released security updates for iOS, iPadOS, macOS, tvOS, and Safari to address a zero-day vulnerability that could result in the execution of malicious code. The issue, tracked as CVE-2022-42856, has been described as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content. This could lead to arbitrary code execution, with Apple saying it is aware of a report that the issue may have been actively exploited against versions of iOS released before iOS 15.1. It is thought that the issue involved social engineering or a watering hole attack, with devices being infected when visiting a rogue or legitimate-but-compromised domain via the browser. The company has addressed the issue with improved state handling.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: Apple, Atlassian, BitBucket, Confluence, FortiGuard, FortiOS, information security, iPad, iPhone, Jira, JSON, Vulnerability Scans, WAF, zero-days

TWiC | This Week in Cybersecurity

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories covering Microsoft patching the Follina Zero-Day, Apple M1 Kernel security flaws, a record-breaking DDoS attack, a Kaiser Permanente data breach, and US military hackers conducting offensive activities in support of Ukraine. Check out the details below.

  • Cloudflare Saw Record-Breaking DDoS Attack Peaking at 26 Million Requests Per Second: Cloudflare disclosed that it had acted to prevent a record-setting 26 million requests per second (RPS) distributed denial-of-service (DDoS) attack last week, making it the largest HTTPS DDoS attack detected to date. In late April 2022, it said it staved off a 15.3 million RPS HTTPS DDoS attack aimed at a customer operating a crypto launchpad. According to the company’s DDoS attack trends report for Q1 2022, volumetric DDoS attacks over 100 gigabits per second surged by up to 645% quarter-on-quarter.

  • Microsoft Patches ‘Follina’ Zero-Day Flaw in Monthly Security Update: Microsoft has issued a patch for the recently disclosed and widely exploited “Follina” zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) as part of its scheduled security update for June. It’s a good idea for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. Applying the patch will protect users, but the patch only fixed the code injection vulnerability in msdt.exe; the diagnostic tool itself will still launch if a user opens an affected document. For more information on this vulnerability, check out nGuard’s last Security Advisory: Microsoft Zero-Day with No Patch! This vulnerability will commonly be exploited via phishing attempts. Social Engineering simulations and Social Engineering Awareness Training can help your organization’s employees identify these types of attacks.

  • Kaiser Permanente data breach exposes health data of 69K people: Kaiser Permanente, one of America’s leading not-for-profit health plans and health care providers, has recently disclosed a data breach that exposed the health information of more than 69,000 individuals. The company revealed in a notice published on its website that an attacker accessed an employee’s email account containing patients’ protected health information on April 5, 2022, without authorization. Sensitive info exposed in the attack includes:

    • The patients’ first and last names
    • Medical record numbers
    • Dates of service
    • Laboratory test result information

  • Design Weakness Discovered in Apple M1 Kernel Protections: Security researchers released details about a new attack they designed against Apple’s M1 processor chip that can undermine a key security feature that protects the operating system kernel from memory corruption attacks. The work offers a tangible example of how the one-two punch of hardware vulnerabilities and low-level software flaws can provide ample opportunities for attackers to run rampant in the kernel.

  • US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command: General Nakasone, the head of US Cyber Command, confirmed for the first time that the US was conducting offensive hacking operations in support of Ukraine in response to the Russian invasion. Speaking in Tallinn, Estonia, the general, who is also director of the National Security Agency, told Sky News that he is concerned “Every single day” about the risk of a Russian cyber attack targeting the US and said that the hunt forward activities were an effective way of protecting both America as well as allies.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: Apple, cloudflare, data breach, DDoS, Follina, Kaiser Permanente, M1, Microsoft, offensive security, social engineering, ukraine, zero-day

Apple Sues Spyware Firm NSO Group

If you are not familiar with NSO Group, nGuard released a Security Advisory in August detailing the history of the NSO Group and their spyware platform, Pegasus. If you haven’t read the advisory, check it out here, or you can watch the summary video below:

In late November, Apple announced that it is suing the Israeli spyware firm NSO Group and its parent company OSY Technologies for targeting its users with their spyware. This is the second lawsuit against NSO Group, the first coming from Facebook, now owned by Meta, for targeting its users on the messaging application WhatsApp.

In addition to the lawsuit, which is seeking unspecified damages, Apple is requesting that NSO Group be banned from using Apple software, services, or devices. NSO Group created over 100 fake Apple IDs used to deploy its spyware Pegasus, which violates the iCloud terms of service. NSO Group still states that it only sells spyware to governments for lawful interception and says, “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers.” Although NSO Group states it has ethical purposes, evidence has shown otherwise and has led to the United States implementing sanctions and a blacklist on the company for enabling “transnational repression.”

Apple did release software updates to patch the vulnerabilities exploited by NSO Group and has not seen any indications of Pegasus or any other NSO tools being used against their latest software, iOS 15. Apple has strongly urged iOS users to upgrade to the latest version of software to protect themselves from these types of attacks.

Filed Under: Advisory, Compliance, Events, General, Products & Services, Vulnerabilities & Exploits Tagged With: Apple, Facebook, NSO Group, Pegasus, Spyware

3540 Toringdon Way
Suite 200
Charlotte, NC 28277-4650

info@nGuard.com

© 2023 nGuard. All rights reserved.
