Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Citing privacy concerns, Meta’s Twitter competitor, Threads, will not be launching in the EU. Ireland’s Data Protection Commission confirmed that the service would not be made available to countries within the European Union “at this point”. There has been no official statement on plans for a future rollout, so expect the application to remain unavailable in the EU for the foreseeable future.
The privacy concerns were initially raised over the amount of data the app collects, but the latest update from the head of Instagram indicates that the launch has been delayed due to “complexities with complying with some of the laws coming into effect next year”.
Recent reports describe malvertising in Bing and Google search results for “WinSCP download” (or similar), WinSCP being an open-source Windows file transfer application. The malicious advertisements redirect the victim to a look-alike site, winsccp[.]com, cloned from the legitimate WinSCP website, to persuade the user to download what appears to be the installer.
From there, an ISO file is fetched from a compromised WordPress site. The ISO contains an executable, setup.exe, which establishes persistence on the machine and loads an obfuscated Cobalt Strike beacon that connects to a command-and-control server. The beacon then gathers information about the user’s permissions, the device and its environment, and collects files of interest. Other observed steps include dropping a KillAV batch script to disable or bypass anti-virus and installing the AnyDesk remote management tool as a further persistence mechanism. For defenders, an ISO downloaded through the browser, followed by a process launched from the mounted image and an unexpected AnyDesk install, is a chain worth alerting on, as is any software download that came from a search ad rather than the vendor’s own site.
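As an added example (not code from the original round-up or from the researchers’ report), the following Python screens constructed proxy log lines for the two lure indicators described above: a download domain one edit away from a legitimate one, as winsccp[.]com is from winscp.net, and an ISO fetched from a host outside a small allowlist. The allowlist entries, the log format and the sample lines are assumptions made for this example.

```python
# Legitimate software download sites to protect (assumed for this example;
# winscp.net is WinSCP's real home, the other entries are illustrative).
LEGIT_DOWNLOAD_SITES = {"winscp.net", "7-zip.org", "notepad-plus-plus.org"}


def refang(host):
    """Turn a defanged indicator such as winsccp[.]com back into a hostname."""
    return host.replace("[.]", ".").strip(".").lower()


def registrable(host):
    """Last two labels of a hostname (ignores multi-part suffixes like co.uk)."""
    parts = refang(host).split(".")
    return ".".join(parts[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, allowlist=LEGIT_DOWNLOAD_SITES, max_distance=1):
    """Return the allowlisted domain that `host` imitates, or None.

    Exact matches (including subdomains of an allowlisted site) are not
    lookalikes. Only the second-level label is compared, so winsccp.com is
    caught as an imitation of winscp.net despite the different TLD.
    """
    domain = registrable(host)
    if domain in allowlist:
        return None
    label = domain.split(".")[0]
    for legit in sorted(allowlist):
        if levenshtein(label, legit.split(".")[0]) <= max_distance:
            return legit
    return None


def scan_proxy_log(text, allowlist=LEGIT_DOWNLOAD_SITES):
    """Flag lookalike download domains and ISO fetches from unknown hosts.

    Each log line is "timestamp client host path" (assumed format);
    returns a list of (client, host, reason) tuples.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, host, path = line.split()
        legit = lookalike_of(host, allowlist)
        if legit:
            findings.append((client, refang(host), f"lookalike of {legit}"))
        elif path.lower().endswith(".iso") and registrable(host) not in allowlist:
            findings.append((client, refang(host), "ISO download from non-allowlisted host"))
    return findings


# Constructed proxy log (not real traffic): a legitimate visit, the lure
# domain named in the report, and an ISO pulled from a third-party WordPress site.
SAMPLE_PROXY_LOG = """\
2023-07-03T09:14:02Z 10.0.0.12 www.winscp.net /eng/download.php
2023-07-03T09:15:10Z 10.0.0.12 winsccp[.]com /download.php
2023-07-03T09:15:41Z 10.0.0.12 blog.example.org /wp-content/uploads/setup.iso
"""

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(*finding)
```

The distance threshold of one edit is deliberately tight so that unrelated short names do not collide; raise it only for a curated allowlist, and remember that the registrable-domain helper does not understand multi-part public suffixes such as co.uk.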
Users of the SolarView solar power monitoring system are being urged to update following active exploitation of three critical remote code execution flaws, each assigned a CVSS score of 9.8 out of 10. Palo Alto Networks researchers first observed operators of a Mirai-based botnet exploiting these vulnerabilities to expand the botnet, and it has since been confirmed that less skilled attackers are also taking advantage of the bugs.
Mike Parkin, senior technical engineer at Vulcan Cyber, warned that if exploited successfully “the attacker is able to leverage control of the compromised monitoring system to do greater damage or get deeper into the environment.”
It has also been reported that “Less than one-third of 600 internet-facing SolarView systems found on Shodan are patched”.
All three vulnerabilities were addressed in SolarView version 8.00, and we urge all users to apply the latest update as soon as possible. It is also worth asking whether the monitoring interface needs to be reachable from the internet at all; if it does not, removing that exposure protects against the next flaw as well as these three. More details on the research into these vulnerabilities can be found here.
Fortinet, a cyber security company providing hardware and software solutions, has warned its customers of a critical vulnerability affecting FortiGate firewalls. Tracked as CVE-2023-27997 and scored CVSS 9.8 out of 10, it is a heap-based buffer overflow [CWE-122] in the SSL-VPN component of FortiOS and FortiProxy that may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests, without first authenticating. Fortinet reported that the flaw “may have been exploited in a limited number of cases” in attacks “targeted at government, manufacturing, and critical infrastructure.” Of around 490,000 FortiGate SSL-VPN interfaces known to be exposed to the internet, 69% were unpatched at the time of reporting. All organisations using FortiGate firewalls are advised to update to a fixed FortiOS or FortiProxy release immediately; where patching has to wait, Fortinet’s advisory recommends disabling SSL-VPN as a workaround, and any interface that was internet-facing while vulnerable should be reviewed for signs of compromise rather than assumed clean.
Tracked as CVE-2023-3269, StackRot is a serious vulnerability in the Linux kernel’s memory management subsystem, which manages virtual memory, paging and memory allocation, and maps files into a process’s address space. The bug lies in the kernel’s handling of stack expansion: since 6.1 the kernel tracks virtual memory areas in a “maple tree” (a newer data structure that replaced the red-black tree for this purpose), and the stack expansion path modified that tree while holding only the mmap read lock, so a tree node could be freed while another thread still held a reference to it. The resulting use-after-free can be used by a local, unprivileged user to elevate privileges. StackRot affects all kernel configurations on Linux 6.1 through 6.4. The fix was merged upstream at the start of July and backported to the 6.1.37, 6.3.11 and 6.4.1 stable releases (the 6.2 series was already end-of-life and receives no fix); note that distribution kernels often backport fixes without changing the reported version number, so check your vendor’s advisory rather than relying on uname -r alone. Users are advised to update as soon as a patched kernel is available.
And that’s it for this week’s round-up, please do check in next week for our new batch of security news and posts.
Stay Safe, Secure and Healthy!
Edition #242 – 7th July 2023
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Ironshare is a provider of Information and Cyber Security services.