IPStorm botnet dismantled after hacker’s guilty plea
The FBI has dismantled the IPStorm botnet proxy network and its infrastructure this week following a plea deal with the hacker behind the operation. IPStorm malware was first spotted in June 2019 and used the InterPlanetary File System (IPFS) peer-to-peer protocol to infect thousands of Linux, Mac, and Android devices worldwide. Back in September, Sergei Makinin, a Russian and Moldovan national, pled guilty to three hacking charges that each carry a maximum sentence of ten years in prison. Makinin made at least $550,000 by selling access to the infected devices to customers seeking to hide their Internet activities. He agreed to forfeit all crypto proceeds related to the operation.
Federal court rules social media giants must face child safety lawsuits
On Tuesday, a US District Judge rejected a motion from social media giants to dismiss lawsuits against them. School districts across the US have filed suit against Meta, ByteDance, Alphabet, and Snap, alleging the companies cause physical and emotional harm to children. Additionally, last month, 42 states sued Meta over claims that Facebook and Instagram “profoundly altered the psychological and social realities of a generation of young Americans.” Tuesday’s ruling states that the First Amendment and Section 230, which says platforms shouldn’t be treated as the publishers of third-party content, don’t shield platforms from all liability. Many of the plaintiffs’ claims relate to alleged “defects” on the platforms, including insufficient parental controls, weak age verification systems, and difficult account deletion processes.
Authorities warn of Royal ransom gang’s activities and rebranding
On Tuesday, the FBI and CISA issued a joint advisory focusing on the threat posed by the Royal ransomware gang. Royal has targeted more than 350 victims worldwide, netting $275 million since September 2022. Authorities say Royal leveraged phishing to gain initial network access in 66.7% of its attacks and continues to deploy partial-encryption and double-extortion tactics. The partial-encryption technique lets Royal lower the percentage of each larger file that is encrypted, which speeds up the attack and helps evade detection. Royal is believed to have emerged from the now-defunct Conti group, and may again be rebranding itself as Blacksuit, a gang that emerged in the middle of this year. The advisory includes a list of files, programs, and IP addresses associated with Royal’s attacks and recommends that organizations prioritize remediation of exploitable vulnerabilities, bolster employee phishing training, and enforce multi-factor authentication across their systems.
Intel fixes high-severity CPU bug that causes “very strange behavior”
On Tuesday, Intel pushed fixes for a high-severity CPU bug (CVE-2023-23583) that affects virtually all modern Intel CPUs, causing them to “enter a glitch state.” Google identified the issue, which can result in system crashes and privilege escalation even when the untrusted code is executed within a guest account of a virtual machine. Most cloud security models were assumed to be safe from such faults. Intel’s official bulletin lists two classes of affected products: those already fixed and those fixed by Tuesday’s microcode updates.
Huge thanks to our sponsor, Sysdig
Bug exposes 600K WordPress sites to attacks
A WordPress plugin called WP Fastest Cache contains a SQL injection vulnerability (CVE-2023-6063) that could allow unauthenticated attackers to read the contents of the site’s database. The plugin is used to speed up page loads, improve visitor experience, and boost site rankings in Google search. According to WordPress.org, over 600,000 websites are running vulnerable plugin versions, meaning all versions prior to 1.2.2. A fix for the high-severity bug was issued on Monday, and WPScan plans to release a low-complexity proof-of-concept (PoC) exploit on November 27, 2023.
You should probably patch that (Patch Tuesday edition)
On Tuesday, Microsoft released fixes for more than five dozen security holes, including three zero-day vulnerabilities being exploited in active attacks. The first zero-day (CVE-2023-36025) allows malicious content to bypass the Windows SmartScreen security feature after a user clicks on a malicious link. The second zero-day (CVE-2023-36033) is a vulnerability in the DWM Core Library in Windows 10 and later and Windows Server 2019 and later that can be exploited locally, with low complexity and without needing high-level privileges or user interaction. The final zero-day is a Windows Cloud Files Mini Filter Driver issue (CVE-2023-36036) allowing attackers to escalate privileges in a relatively straightforward attack on Windows 10 and later, and Windows Server 2008 and later. Other notable bugs include a malicious software installation flaw in Microsoft Exchange Server (CVE-2023-36439) and three other Exchange bugs designated as “exploitation more likely” (CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035). Finally, SANS Internet Storm Center recommends prioritizing remediation for a denial-of-service vulnerability in ASP.NET Core (CVE-2023-36439) and a Microsoft Office security feature bypass (CVE-2023-36413).
(Krebs on Security)
VMware discloses critical appliance bug with no patch
VMware has disclosed a critical authentication bypass vulnerability (CVE-2023-34060) affecting Cloud Director appliance deployments. Cloud Director enables VMware admins to manage cloud services as part of Virtual Data Centers (VDC). Unauthenticated attackers could remotely exploit the bug in low-complexity attacks that don’t require user interaction. The issue only affects appliances running VCD Appliance 10.5 that were previously upgraded from an older release. The company said the bug does not impact fresh VCD Appliance 10.5 installs, Linux deployments, or other appliances. VMware doesn’t yet have a patch for the issue but has published a temporary workaround in its knowledge base.
New research reveals software vulnerabilities are on the decline
On Tuesday, Synopsys, Inc. published the 2023 Software Vulnerability Snapshot report, which reveals that the prevalence of known software vulnerabilities has dropped from 97% in 2020 to 83% in 2022. Only 27% of tests contained high-severity vulnerabilities, and 6.2% contained critical-severity vulnerabilities. This is an encouraging sign that code reviews, automated testing and continuous integration are helping to reduce common programming errors. Report data was derived from applying real-world hacking techniques (penetration (pen) testing, dynamic application security testing (DAST), mobile application security testing (MAST) and network security testing) to web applications, mobile applications, network systems and source code. Although this is a positive development for the industry, the report highlights that a single security testing solution is no longer sufficient for identifying software vulnerabilities.