Weekly Security News – 22nd January 2024

Welcome to this week’s Security News. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft

Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification. Referred to as PixieFail by Quarkslab, the nine issues are found in the TianoCore EFI Development Kit II (EDK II) and could be exploited for remote code execution, denial-of-service (DoS), DNS cache poisoning, and leakage of sensitive information. The vulnerabilities impact UEFI firmware from AMI, Intel, Insyde, and Phoenix Technologies, highlighting potential risks in widely used UEFI implementations. It’s crucial for affected vendors and users to apply relevant patches to mitigate these vulnerabilities.

GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

GitHub has rotated some keys in response to a security vulnerability that had the potential to be exploited to access credentials within a production container. The Microsoft-owned company was alerted to the issue on December 26, 2023, and promptly addressed it on the same day. As a precautionary measure, GitHub also rotated all potentially exposed credentials to mitigate any potential risks associated with the vulnerability. This incident underscores the importance of swift detection and response to security vulnerabilities, as well as proactive measures to enhance overall cybersecurity.

Google fixes actively exploited Chrome zero-day (CVE-2024-0519)

In the latest stable release of the Chrome browser, Google has addressed three security vulnerabilities affecting the V8 engine, including one zero-day vulnerability (CVE-2024-0519) with an existing exploit. Zero-day vulnerabilities are those for which there is an active exploit in the wild at the time of public disclosure. Google’s prompt response to fix these vulnerabilities is crucial for maintaining the security of Chrome users and protecting against potential threats. Users are strongly advised to update their Chrome browser to the latest version to benefit from the security patches and ensure a safer browsing experience.

Cyber Attacks

Npm Trojan Bypasses UAC, Installs AnyDesk with “Oscompatible” Package

A malicious package named “oscompatible” was discovered on the npm registry, deploying a sophisticated remote access trojan on compromised Windows machines. The package, uploaded on January 9, 2024, garnered 380 downloads before being removed. “oscompatible” contained peculiar binaries, including a single executable file, a dynamic-link library (DLL), an encrypted DAT file, and a JavaScript file. This incident underscores the importance of vigilance and security measures in the software supply chain to detect and mitigate potential threats posed by malicious packages. Users are advised to exercise caution and regularly update their software dependencies from trusted sources.

TeamViewer abused to breach networks in new ransomware attacks

Ransomware actors have once again been observed using TeamViewer as a method to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder. While TeamViewer is a legitimate remote access tool widely used in the enterprise, it is also exploited by scammers and ransomware actors for unauthorized access to remote desktops, allowing them to drop and execute malicious files. This highlights the ongoing challenges in securing remote access tools and emphasizes the importance of implementing strong security measures to protect against unauthorized access and potential ransomware attacks.

Vast botnet hijacks smart TVs for prime-time cybercrime

Security researchers have identified a DDoS botnet that has infected potentially millions of smart TVs and set-top boxes, linking it to an eight-year-old cybercrime syndicate named Bigpanzi. At its peak, the campaign had at least 170,000 bots running daily. The infection primarily occurred through pirated apps and firmware updates on Android-based TVs and other streaming hardware. Users visiting suspicious streaming sites on their smartphones were directed to download associated malicious apps onto their Android-based smart TVs, leading to the infection. This highlights the risks associated with downloading apps from untrusted sources and the need for users to exercise caution.

Kremlin cyber spies move into malware with a custom backdoor

Russian cyberspies associated with the Kremlin’s Federal Security Service (FSB), known as COLDRIVER or Star Blizzard, have evolved from their typical credential phishing tactics. Google’s Threat Analysis Group (TAG) has identified that the group has developed a custom backdoor delivered through email since November 2022. COLDRIVER/Star Blizzard has a history of targeting academia, military, government organizations, NGOs, think tanks, and politicians in the US, the UK, and other NATO countries. The group’s activities highlight the ongoing threat posed by state-sponsored actors and the need for robust cybersecurity measures to defend against such sophisticated threats.

Articles

Researcher uncovers one of the biggest password dumps in recent history

Nearly 71 million unique credentials, including those for websites such as Facebook, Roblox, eBay, and Yahoo, have been circulating on the Internet for at least four months, according to Troy Hunt, the operator of the Have I Been Pwned? breach notification service. The massive dataset was posted on a well-known underground market that facilitates the sale of compromised credentials. While Hunt typically pays little attention to such dumps that recycle previously published passwords, the sheer volume and persistence of this data raise concerns about the security of user credentials and the need for individuals to adopt strong, unique passwords and consider multi-factor authentication where possible.

Microsoft tests instant access to Android photos in Windows 11

Microsoft is planning to offer Windows 11 users almost instant access to photos and screenshots taken on their Android smartphones. Users can click on a Windows system tray alert that appears immediately after capturing a new snapshot on their Android device, which will open the image in the Snipping Tool app on their PC. This feature aims to streamline the process of accessing and editing recent photos and screenshots from an Android mobile device within the Snipping Tool on Windows 11, enhancing user convenience and integration between PC and smartphone.