Welcome to Ironshare’s Cyber Round-up, where we look back at the events of that last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Earlier this year, Google announced that it would be offering their new “passkey” technology as an authentication alternative to standard passwords. This new feature was originally with the intention of eventually replacing passwords. This week, Google announced that passkeys would become the default authentication method for all accounts, with passwords being relegated to a secondary option.
Many Google users may be unfamiliar with passkeys and how they work. Your passkey will live on your smartphone; when attempting to sign in on your computer, you will be prompted to unlock your phone – this will then grant you access on your computer. The idea is to eventually eliminate the use of passwords entirely, and use this new technology to replace passwords, security questions, multi-factor authentication, and more.
If you are still curious and want to know more about how passkeys work, please see this Google article that answers all the questions you may have about the feature.
By wired.com
The Web User Interface for Cisco’s IOS XE software is currently affected by a critical vulnerability that, if successfully exploited, allows an attacker to create an account with privilege level 15 access. This flaw is already being actively exploited in the wild and affects any physical or virtual devices that have the IOS XE Web UI exposed to the internet. With this flaw only affecting devices that have the HTTP or HTTPS Server feature enabled for IOS XE, Cisco have made the following recommendation:
“Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.”
For a more detailed breakdown of these mitigation steps, please consult this Cisco Security Advisory (CVE-2023-20198).
By blog.talosintelligence.com
Meta announced this week that they will now support the use of multiple WhatsApp accounts on a single device. Until now, individuals that use WhatsApp for work and personal purposes were forced to choose between carrying two phones, or constantly switching accounts. With this new feature, users will be able to configure a second account in the WhatsApp settings and easily move between the two.
More details on the privacy and configuration options for this feature can be found here.
By bleepingcomputer.com
A vulnerability in Atlassian Confluence Data Center and Server tracked as CVE-2023-22515 and with the highest CVSS score of 10, has been seen actively being exploited in the wild by the nation-state threat actor tracked as Storm-0062. If successfully exploited, the vulnerability can allow attackers to create admin accounts and modify configurations. A joint cyber security advisory from CISA, FBI, and Multi-State Information Sharing and Analysis Center has warned all users to apply the necessary patch to be protected.
The advisory reads:
"On October 5, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalogue based on evidence of active exploitation […] Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks."
All users should update to the latest version and manually determine if any admin accounts have been unknowingly created.
By theregister.com
WinRAR, a popular file archiver tool, has been exploited by Russian-backed threat actors. Google’s Threat Analysis Group (TAG) has reported observation of multiple threat actors exploiting the vulnerability (tracked as CVE-2023-38831 since early 2023).
The vulnerability causes “extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces. The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file” reports TAG.
Campaigns from multiple threat actors have been identified attempting to exploit this vulnerability on the victim’s machines however an update is available and is advised so that the user can be protected from this attack.
By blog.google
The Noth Korea-linked Lazarus Group has been observed targeting job seekers in the defence and nuclear industry via fake interviews to get victims to download malware-infected Virtual Network Computing (VNC) applications. This application acts as a backdoor and dropper to help further compromise a victim’s machine.
"The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews," reported Kaspersky while Mandiant said “Different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS".
By thehackernews.com
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #255 – 20th October 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
