Apple zero-day patch, Cisco 911 patch, ICS exposure warning

Apple rolls out patch for active iOS Zero-Day

Tracked as CVE-2023-42824, this is a kernel vulnerability that can be abused for privilege escalation. Apple says it has mitigated the issue with improved checks. The company also said in an advisory that the issue “may have been actively exploited against versions of iOS before iOS 16.6.” According to The Hacker News, “while additional details about the nature of the attacks and the identity of the threat actors perpetrating them are currently unknown, successful exploitation likely hinges on an attacker already obtaining an initial foothold by some other means.”

(The Hacker News and Apple)

Cisco patches urgent Emergency Responder flaw

Cisco has released updates to address a critical security flaw in its Cisco Emergency Responder software, a product that “enhances the emergency 9-1-1 functionality of Cisco Unified Communications Manager by tracking and updating the location of callers and phones.” The vulnerability is identified as CVE-2023-20101 and has a CVSS score of 9.8. According to The Hacker News, this high rating is “due to the presence of static user credentials for the root account that the company said is usually reserved for use during development.” The issue affects release 12.5(1)SU4 and has been addressed in version 12.5(1)SU5. Other releases of the product are not impacted.

(The Hacker News)

Researchers warn of 100,000 exposed ICS systems

Power grids, traffic light systems, security and water systems are among the infrastructure that cybersecurity company BitSight has noted as being exposed and vulnerable on the internet, through units such as “sensors, actuators, switches, building management systems, and automatic tank gauges.” This number is actually a year-over-year improvement since 2019. The vulnerabilities cover all major industry sectors, such as finance, education, and energy, and the most vulnerable countries are the US, Canada, Italy, the UK, and France.

(Bleeping Computer)

GoldDigger Android trojan takes aim at AsiaPac banking apps

This is a new Android banking trojan that, according to Group-IB, has been targeting more than 50 Vietnamese banking, e-wallet, and crypto wallet applications. The trojan, which impersonates a Vietnamese government portal and an energy company, takes advantage of Android’s accessibility services, which are designed to help users with disabilities use apps. Through this channel it is able to extract PII, steal banking app credentials, intercept SMS messages, and perform various user actions.

(The Hacker News)

Cloud giants face UK competition probe over lock-in practices

The UK’s Competition and Markets Authority (CMA) is launching a broad investigation into large cloud organizations like AWS, Google, and Microsoft, to determine whether they make it difficult for businesses to move or to use multiple providers. These three companies account for 90 percent of cloud revenues in the UK. Key issues being scrutinized are egress fees, which cloud companies charge customers for moving their data elsewhere, and interoperability, in which cloud companies make their procedures incompatible with other vendors, making moving out more problematic.

(TechCrunch)

FDA pushes cyber mandates for medical devices

The Food and Drug Administration has released a new mandate placing responsibility upon the vendors of medical technology such as pacemakers and insulin pumps to “find and mitigate vulnerabilities, create a software bill of materials and have a plan in place to address vulnerabilities for products after they have been sold.” The rules allow the FDA to refuse to accept devices that do not meet the guidelines. The rules apply to cyber devices, meaning, specifically, medical devices that are connected to the internet or that have software or technical characteristics that could be vulnerable.

(Cyberscoop)

Atlassian patches already-exploited Confluence zero-day

This was a “maximum severity zero-day vulnerability in its Confluence Data Center and Server software, which has been exploited in attacks,” according to Bleeping Computer. Numbered CVE-2023-22515, it affects Confluence Data Center and Server 8.0.0 and later and is remotely exploitable in low-complexity attacks that don’t require user interaction. Admins are being advised to check for breach signs such as unexpected newly created user accounts. The company mentioned in a statement that “Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.”

(Bleeping Computer)

Fake Amazon callers top this year’s list of phone scams

A new report from Hiya, a company that focuses on phone security and fighting phone fraud, shows that phone fraud and scam calls continue to plague phone owners, with the UK, the US and Canada seeing 28%, 27% and 20% of calls, respectively, as phone fraud and spam. Among the chief phone scams this year are Amazon impersonators alerting to an unauthorized purchase and urging an account update, outstanding insurance bills, Medicare fraudsters offering medical services in exchange for people’s Medicare numbers, get-rich-quick crypto sales, and impersonators of loved ones who need money wired quickly.

(Security Magazine and Hiya)
