Threat Alerts

Recently patched Apple and Chrome zero-day vulnerabilities have been seen exploited in Predator spyware-related attacks.

On iOS devices, the attackers’ zero-day exploit used CVE-2023-41993 for initial remote code execution in Safari using maliciously crafted web pages, the CVE-2023-41991 bug to bypass signature validation, and CVE-2023-41992 for kernel privilege escalation.

Infections appear to be targeting various African and Middle Eastern countries, although research is still ongoing, and researchers have yet to reach their final verdict.

GitLab has released security patches to address a critical flaw that could allow an attacker to run pipelines as another user. The vulnerability, tracked as CVE-2023-5009(CVSS score: 9.6), affects all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 – as well as from 16.3 and before 16.3.4.

Successful exploitation of CVE-2023-5009 could allow an attacker to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.

P2Pinfct is a peer-to-peer botnet targeting servers with exposed Redis instances. However, it can also propagate via SSH brute-force attacks.

The botnet was discovered in July 2023, and has grown exponentially since, with a dramatic increase of 60216.7% throughout September.

This increase has coincided with a growing number of variants seen in the wild, suggesting that P2Pinfect’s developers are operating at an extremely high development cadence.

The RedLine and Vidar malware families have recently been seen adopting a significant change in their attack methods – by obtaining EV certificates to sign their data-stealing malware and diversifying their payloads to include ransomware.

Even though the CA/Browser Forum (CABF) – a public key infrastructure (PKI) industry group – mandated hardware-based key generation for these certificates in June 2023, threat actors have found a way around it.

Adobe released a patch for a zero-day vulnerability in Acrobat and Reader that were exploited in attacks.

The vulnerability, tracked as CVE-2023-26369, is considered to be critical by the vendor, and can allow attackers to gain code execution. While exploitation does not require high privileges, it is noted that the flaw can only be exploited by local attackers, and it also requires user interaction.

While additional information on the attacks is not available yet, the zero-day is known to affect both Windows and macOS systems.

Microsoft’s September 2023 Patch Tuesday brings critical updates for security, addressing a total of 59 vulnerabilities. Notably, two of these vulnerabilities, CVE-2023-36761 and CVE-2023-36802, have been actively exploited and have earned a spot in CISA’s Known Exploited Vulnerabilities Catalog.

CVE-2023-36761 (CVSS score 6.2), identified as a Microsoft Word information disclosure vulnerability, has the potential to disclose NTLM hashes, with the Preview Pane serving as an attack vector. These hashes could be leveraged in NTLM Relay attacks (pass-the-hash) to gain unauthorized access, allowing attackers to impersonate users and acquire their access rights.

CVE-2023-36802 (CVSS score 7.8), categorized as a Microsoft Streaming Service Proxy Elevation of Privilege (EoP) vulnerability, poses a risk of granting attackers SYSTEM privileges upon successful exploitation.