Cold Fusion, EncroChat, Apple Device Spoofing, Tesla Breach, Jason Wood & More – SWN #320
Cold Fusion Flaw, EncroChat, sneaky Amazon and Google, Spoofing Apple devices, Tesla data breach, Space and Jason Wood on this episode of the Security Weekly News!
- 1. Critical Adobe ColdFusion Flaw Added to CISA’s Exploited Vulnerability Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier) that could result in arbitrary code execution in the context of the current user without requiring any interaction.
Deserialization (aka unmarshaling) refers to the process of reconstructing a data structure or an object from a byte stream. But when it's performed without validating its source or sanitizing its contents, it can lead to unexpected consequences such as code execution or denial-of-service (DoS).
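The property described above, that a deserializer which trusts the stream will call whatever the stream names, is easiest to see in a small self-contained example. The following is an added illustration, not code from the show notes or from Adobe: ColdFusion is Java, but Python's pickle has the same unmarshal-calls-code behaviour, and the allowlist-based `RestrictedUnpickler` below is the standard mitigation shape (only resolve globals you expect). Both payloads are constructed here; `platform.python_version` is used only as a harmless stand-in for the function a hostile stream would name.

```python
import io
import pickle
import platform

# Allowlist of (module, name) pairs the restricted loader may resolve.
# Plain data (dicts, lists, strings, numbers) never reaches find_class,
# so this only needs the few globals a legitimate payload references.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} during deserialization")


def unsafe_load(data: bytes):
    """Default loader: resolves and calls any global the stream names."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Deserialize with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def build_benign_payload() -> bytes:
    """Constructed sample: ordinary session data, as a trusted writer emits it."""
    return pickle.dumps({"user": "alice", "role": "viewer", "ttl": 3600})


class _CallOnLoad:
    """Constructed sample: an object whose pickled form instructs the loader to
    call a function (platform.python_version, a harmless stand-in) rather than
    rebuild data. Nothing in the bytes says 'run code'; the loader just does."""

    def __reduce__(self):
        return (platform.python_version, ())


def build_callback_payload() -> bytes:
    return pickle.dumps(_CallOnLoad())


def demo():
    """Run both payloads through both loaders and report what each produced."""
    benign = build_benign_payload()
    hostile = build_callback_payload()
    results = {
        "benign_default": unsafe_load(benign),
        "benign_restricted": safe_load(benign),
        # A function runs during load; its return value is what "loads" gives back.
        "callback_default": unsafe_load(hostile),
    }
    try:
        safe_load(hostile)
        results["callback_restricted"] = "accepted"
    except pickle.UnpicklingError as exc:
        results["callback_restricted"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the design is that the allowlist is enforced at the only place a pickle stream can name code, `find_class`, so the decision does not depend on inspecting payload bytes. In a Java deserialization setting the equivalent control is an `ObjectInputFilter` (or a library-level class allowlist), and the same rule applies: if the stream comes from an unauthenticated network peer, the safer answer is usually a data-only format rather than a filtered object stream.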
- 2. Police Insider Tipped Off Criminal Friend About EncroChat Bust
An intelligence analyst working for police in the North West of England shared information about a major countrywide operation with a criminal contact, in what has been described as a “disgraceful” betrayal of her colleagues.
Natalie Mottram, 24, from Warrington, was working on secondment at the North West Regional Organised Crime Unit (ROCU) when she was arrested by National Crime Agency (NCA) officers on June 12 2020.
At Liverpool Crown Court on Friday, she pleaded guilty to charges of misconduct in public office, perverting the course of justice and unauthorized access to computer material.
She was working on Operation Venetic, a major covert police operation launched after European investigators managed to crack EncroChat, an encrypted communications platform used by organized criminals.
NCA officers believe Mottram told Jonathan Kay, 38, not only about the operation but also that police had intelligence on him.
Mottram had been friends with Kay – who has convictions for driving offences and being drunk and disorderly – and his partner Leah Bennett, 38, for three years, the NCA said. They had apparently grown close over a “shared love of gym exercise.”
Police suspected a leak after intercepting EncroChat messages from a friend of Kay’s to another contact, saying a woman who works for the police had tipped them off about Operation Venetic.
- 3. Ivanti warns of new actively exploited MobileIron zero-day bug
US-based IT software company Ivanti warned customers today that a critical Sentry API authentication bypass vulnerability is being exploited in the wild.
Ivanti Sentry (formerly MobileIron Sentry) functions as a gatekeeper for enterprise ActiveSync servers like Microsoft Exchange Server or backend resources such as SharePoint servers in MobileIron deployments, and it can also operate as a Kerberos Key Distribution Center Proxy (KKDCP) server.
- 4. Sneaky Amazon Google ad leads to Microsoft support scam
A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser.
Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results.
- 5. Spoofing an Apple device and tricking users into sharing sensitive data
At the recent Def Con hacking conference, white hat hackers demonstrated how to spoof an Apple device and trick users into sharing their sensitive data.
As reported by TechCrunch, attendees at the conference using iPhones started observing pop-up messages prompting them to connect their Apple ID or share a password with a nearby Apple TV.
- 6. HiatusRAT Returns after a Hiatus in a Fresh Wave of Attacks
Threat actors responsible for developing the HiatusRAT malware have resumed their operations after a period of inactivity by launching a fresh wave of attacks. These attacks, observed from mid-June to August, were launched against organizations in Taiwan, as well as a procurement system utilized by the U.S. military.
Researchers at Black Lotus Labs say the tactics and techniques differ from the group's previous focus on Latin America and Europe, where more than 100 edge networking devices were used to secretly collect traffic and operate as a covert C2 network.
What’s new? From June through August, Black Lotus Labs observed multiple newly compiled versions of the HiatusRAT malware in the wild. They found prebuilt binaries targeting new architectures and associated these samples with their previous report. This time, the HiatusRAT payloads were now hosted on different procured VPSs. Further analysis showed that over 91% of the inbound connections to the malicious files originated from Taiwan, with a preference for Ruckus-manufactured edge devices. Various Taiwanese organizations, including semiconductor manufacturers and a municipal government organization, were affected. Although its targets also include semiconductor and chemical manufacturers, the actors allegedly aimed to snoop on military contracts.
- 7. Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer
Cybersecurity company Cyfirma claims to have uncovered the real identity of the developer behind the CypherRAT and CraxsRAT remote access trojans (RATs).
Using the online handle of ‘EVLF DEV’ and operating out of Syria for the past eight years, the individual is believed to have made over $75,000 from selling the two RATs to various threat actors. The same person is also a malware-as-a-service (MaaS) operator, according to Cyfirma.
For the past three years, EVLF has been offering CraxsRAT, one of the most dangerous Android RATs available now, on a surface web store, with at least 100 lifetime licenses sold to date.
The CraxsRAT builder, Cyfirma says, generates highly obfuscated packages, allowing threat actors to customize the contents based on the type of attack they are preparing, including with WebView page injections.
The builder also includes a quick install feature that generates applications with few install permissions to help bypass detections. After installation, however, the threat actor can send requests to turn on additional permissions.
“In order to gain access to the device’s screen and keystrokes, the app needs to enable its accessibility in settings. So, the builder allows the threat actor to edit the page which pops up right after the app’s installation is completed,” Cyfirma notes.
Additionally, a ‘super mod’ feature is available to make the application difficult to remove from infected devices by crashing the settings page whenever an uninstall attempt is detected.
- 8. Tesla Discloses Data Breach Related to Whistleblower Leak
Tesla has disclosed a data breach impacting roughly 75,000 people, but the incident is the result of a whistleblower leak rather than a malicious cyberattack.
Tesla told US authorities that a data breach discovered in May resulted in the exposure of the personal information, including social security numbers, of more than 75,700 individuals.
A notification letter sent to impacted people reveals that the data breach is related to a couple of former employees sending confidential information to German media outlet Handelsblatt. Tesla said the ex-workers “misappropriated the information in violation of Tesla’s IT security and data protection policies”.
The compromised information includes names, contact information, and employment-related records associated with current and former employees. Impacted individuals are being offered credit monitoring and identity protection services.
The leak came to light in May, when Handelsblatt reported that it had received 100 Gb of confidential Tesla data from a whistleblower. The newspaper said Tesla had failed to adequately protect employee, customer and partner data.
The leaked files, dubbed ‘Tesla Files’, reportedly included information on more than 100,000 current and former employees, customer bank details, production secrets, and customer complaints regarding driver assistance systems.
Handelsblatt has assured Tesla that it does not intend to publish the personal data provided by the whistleblower.
- 9. Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions
Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to proactively alert users when an extension they have installed has been removed from the Chrome Web Store.
The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware.
The tech giant said it intends to highlight such extensions under a "Safety check" category in the "Privacy and security" section of the browser settings page.
"When a user clicks 'Review,' they will be taken to their extensions and given the choice to either remove the extension or hide the warning if they wish to keep the extension installed," Oliver Dunk, a developer relations engineer for Chrome extensions, said.
- 10. Foreign Intelligence Entities Eyeing US Space Agencies
U.S. intelligence agencies are warning about unnamed foreign intelligence entities targeting the private space sector to steal sensitive data related to satellite payloads and to disrupt and degrade US satellite capabilities.
The FBI, the National Counterintelligence and Security Center and the Air Force Office of Special Investigations on Friday published a two-page advisory warning that the foreign intelligence entities see U.S. space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise.
"Foreign intelligence entities recognize the importance of the commercial space industry to the U.S. economy and national security, including the growing dependence of critical infrastructure on space-based assets," the agencies said.
A U.S. counterintelligence official told Reuters to expect growing threats to this burgeoning sector of the U.S. economy and that "China and Russia are among the leading foreign intelligence threats to the U.S. space industry."
According to the advisory, U.S. financial-sector estimates project the global space economy to grow from $469 billion in 2021 to more than $1 trillion by 2030.