Posts

Russia-Linked Hackers Launch Espionage Attacks on Foreign Diplomatic Entities

The Russia-linked APT29 (aka Cozy Bear) threat actor has been attributed to an ongoing cyber espionage campaign targeting foreign ministries and diplomatic entities located in NATO member states, the European Union, and Africa. According to Poland's Military Counterintelligence Service and the CERT Polska team, the observed activity shares tactical overlaps with a cluster tracked by Microsoft as Nobelium, which is known for its high-profile attack on SolarWinds in 2020. Nobelium's operations have been attributed to Russia's Foreign Intelligence Service (SVR), an organization that's tasked with protecting "individuals, society, and the state from foreign threats." That said, the campaign represents an evolution of the Kremlin-backed hacking group's tactics, indicating persistent attempts at improving its cyber weaponry to infiltrate victim systems for intelligence gathering. "New tools were used at the same time and independently of each othe...

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild. Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month. The security flaw that's come under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue. CVE-2023-28252 is the fourth privilege escala...

Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit

Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East. According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021. The names of the victims were not disclosed. It's also suspected that the company abused a zero-click exploit dubbed ENDOFDAYS in iOS 14 to deploy spyware as a zero-day in versions 14.4 and 14.4.2. There is no evidence that the exploit has been used after March 2021. ENDOFDAYS "appears to make use of invisible iCloud calendar invitations sent from the spyware's operator to victims," the researchers said, adding that the .ics files contain invites to two backdated and overlapping events so as to not alert the users. The attacks are suspected to have leveraged a quirk in iOS 14 t...

Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers

A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code. "It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said. The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts. According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key. "Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its...

CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were fixed in a patch released by Veritas in March 2021.

CVE-2021-27876 (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability
CVE-2021-27877 (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability
CVE-2021-27878 (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability

Google-owned Mandiant, in a report published last week, revealed that an affiliate associated with the BlackCat (aka ALPHV and Noberus) ransomware operation is tar...

Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library

The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions up to and including 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15 on Friday. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," vm2 disclosed in an advisory. The vulnerability has been assigned the identifier CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that the library does not properly handle errors that occur in asynchronous functions. vm2 is a popular library that's used to run untrusted code in an isolated environment on Node.js. It has nearly four million weekly downloads and is used in...

Taiwanese PC Company MSI Falls Victim to Ransomware Attack

Taiwanese PC company MSI (short for Micro-Star International) officially confirmed it was the victim of a cyber attack on its systems. The company said it "promptly" initiated incident response and recovery measures after detecting "network anomalies." It also said it alerted law enforcement agencies of the matter. That said, MSI did not disclose any specifics about when the attack took place or whether it entailed the exfiltration of any proprietary information, including source code. "Currently, the affected systems have gradually resumed normal operations, with no significant impact on financial business," the company said in a brief notice shared on Friday. In a regulatory filing with the Taiwan Stock Exchange, it said that it's setting up enhanced controls of its network and infrastructure to ensure the security of data. MSI is further urging users to obtain firmware/BIOS updates only from its official website and refrain from downloading files from...