Vulnerability News: Apple WebKit Zero-Day, Ransomware Attacks, and More

In this week’s vulnerability news, Apple’s disclosure and patching of three WebKit zero-day vulnerabilities became the biggest focus. In addition to the wide-ranging impact, all of them have been locked and exploited. In addition, when we took stock of the vulnerability news, we noticed a new vulnerability in Samsung devices (CVE-2023-21492), and there are two known vulnerabilities in Cisco’s early years (CVE-2016-6415, CVE-2004-1464). Both confirmed that successful exploitation requires priority attention.

Other noteworthy new vulnerability patching trends include: Cisco, KeePass, and IoT and industrial control-related updates and patches for Teltonika Networks, Wemo Mini, Advantech, and Rockwell Automation.

In terms of threat situation and attack focus, the new trend of ransomware attracts attention, including the revelation of BianLian’s recent attack situation, MalasLocker locking mail server Zimbra, CheckMate locking SMB file sharing agreement, and using Babuk source code to build ransomware In addition, information security companies continue to disclose related incidents. Other notable threat activities and events include: Cobalt Strike developed by hackers using the Go language, the disclosure of MerDoor’s backdoor program, and Chinese hackers implanting malicious programs in TP-Link routers and targeting EU diplomatic agencies for attacks .

As for the domestic aspect, a number of information security incidents have attracted attention this week, including the taxi dispatch service Yoxi announcement being attacked by account stuffing, Eslite leakage of personal information has become the focus again, Tonglian Passenger customers received fraudulent calls suspected of data leakage The emergency shutdown of online ticket bookings and the use of common default passwords for corporate accounts on the Ministry of Finance’s electronic invoice platform were revealed. In addition, the latest incident is Smile Bicycle.Announcement on the 19th (Friday)Its official website was attacked by hackers.The Transportation Bureau of the Taipei City Government also announced at 7:00 p.m. on the same dayThe YouBike system was attacked, and it is estimated that the transaction data of about 21,000 members nationwide were obtained.

[May 15th]Eslite Bookstore leaked personal information and was used by supporters of China’s military reunification to launch psychological warfare against Taiwanese people

There have been frequent incidents of personal data leaks in online shopping malls in Taiwan, accompanied by various fraud incidents, but now these outflowing shopping records are not only used by hackers to defraud money, but also cognitive warfare attacks. A well-known social activist once bought books on the Eslite website, but received a call last weekend pretending to be the company to conduct market research. But what is rare is that the other party did not claim that the deduction was wrong or other reasons for financial fraud, but continued to promote and express the idea that “China will unify Taiwan by force.”

Toyota’s information security accident again! This time it was a case of improper configuration of cloud services, and the information was exposed for 7 to 10 years. And this is not the company’s fault for improper configuration—in October 2022, they said that nearly 300,000 users of the mobile application T-Connect were made public due to the exposure of GitHub’s confidential account data.

Vulnerability attacks related to the printing management system PaperCut are also worthy of attention. Following the successive abuse of this vulnerability by ransomware hackers Clop and LockBit, it is also reported that Iranian hackers APT35, Muddywater, and ransomware hacker Bl00dy are also launching attacks related attacks.

[May 16]The electronic invoice platform of the Ministry of Finance reported a security loophole, which may expose the business information of listed companies

Among the systems provided by the public sector to enterprises, not only common default passwords are used, but also weak passwords! The Ministry of Finance reported that in the account provided to the company on the electronic invoice platform, the account name is the company’s unified number, and the default password is a weak password that is extremely easy to guess. Once anyone tries to use this password to match the company’s unified code, It is possible to check the company’s invoice information, because the company’s compilation is quite easy to find, such account secrets are equivalent to public information. Following two media reports this week, the Finance Ministry said today that they had eased the situation.

Following the data leakage accident reported by Guoguang Passenger Transport, another passenger transport operator was attacked. According to domestic media reports such as Sanli News Channel, Liberty Times, and Central News Agency, Tonglian Passenger Transport was suspected of leaking personal data last week, causing passengers to receive fraudulent calls. The company suspended its online booking system and mobile app booking services. The Highway Administration of the Ministry of Communications, the competent authority, also confirmed this matter.

There have also been new developments recently regarding the revision of the Personal Data Law. Today, the Legislative Yuan passed some of the new provisions for the third reading, which mainly have clear new norms for the specialized agencies, the amount of fines and the methods.

[May 17]Hackers using Cobalt Strike developed by the Go language to launch attacks heats up

In order to avoid the detection of information security systems, hackers used the penetration testing tool Cobalt Strike extensively in the past, and later switched to Brute Ratel C4 (BRC4). The attack has intensified on a penetration testing tool called Geacon, which was created by rewriting Cobalt Strike in the Go language.

It is becoming more and more common for hackers to use the leaked ransomware Babuk source code to create their own attack tools. Previously, researchers pointed out that 10 ransomware families have used this to develop programs targeting VMware ESXi. A hacker organization named RA Group followed suit, creating its own ransomware and invading 4 organizations within a week.

Attacks against home routers are also worthy of our attention. A researcher revealed an attack on TP-Link routers, and pointed out that the backdoor program Horse Shell used by hackers may also be used to infect routers of other brands.

[May 18]The ransomware that asked the victim organization to do public welfare reappeared, this time locking the Zimbra mail system

Ransomware hackers want to steal from the rich and help the poor, and ask the victims to do charity in exchange for the decryption key. One year ago, there was an organization called GoodWill. The victims had to follow the instructions to help the poor and disclose it publicly before they had a chance to recover the files. . Recently, hacker organizations with similar behaviors appeared. They targeted the mail server Zimbra and left extortion messages asking the victim organizations to donate to specific non-profit organizations.

The attack on the ransomware “BianLian” is also quite noteworthy. These hackers are focusing on extorting the victim organization through the stolen data, and deactivating the anti-virus software in the process to achieve the purpose of stealing data.

The vulnerability of the smart power plug cannot be fixed because the manufacturer stopped supporting product maintenance! Researchers revealed the vulnerability CVE-2023-27217 of Belkin’s 2nd generation Wemo Mini smart power plug. Attackers may use this to launch command injection attacks, but the developer Belkin stated that the product life cycle has ended (EOL) and indicated that it will not deal with it .

[May19]Malicious emails and malware attacks doubled and exploded in early April in Taiwan

China has continued to intimidate Taiwan with physical and military attacks, and cyber attacks have also increased. Among them, Trellix, an information security company, disclosed two large-scale attacks that occurred in early April. In just 2 to 3 days, hackers spread several times more malicious emails and malware to Taiwan than usual, and targeted Come from all walks of life.

Apple once again patched the zero-day vulnerability. It is worth noting that the scope of the impact is not only mobile phones, tablets, and Mac computers, but also smart watches, Apple TV and other devices. Since these vulnerabilities have been used in attacks, users should update their operating systems as soon as possible.