VMware fixed four flaws in its Workstation and Fusion desktop hypervisors, including three zero-days exploited at the Pwn2Own Vancouver 2024

VMware addressed four vulnerabilities in its Workstation and Fusion desktop hypervisors, including three zero-day flaws demonstrated at the Pwn2Own Vancouver 2024.

Below are descriptions of the flaws addressed by the virtualization giant

• CVE-2024-22267 (CVSS score: 9.3) – A use-after-free vulnerability in the Bluetooth device. A threat actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
• CVE-2024-22268 (CVSS score: 7.1) – A heap buffer-overflow vulnerability in the Shader functionality. A threat actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition.
• CVE-2024-22269 (CVSS score: 7.1) – An information disclosure vulnerability in the Bluetooth device. A threat actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
• CVE-2024-22270 (CVSS score: 7.1) – An information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

The vendor also provided temporary workarounds, such as disabling Bluetooth support and 3D acceleration, until patches can be applied to address vulnerabilities like CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270. The company doesn’t provide any mitigations to address CVE-2024-22270.

STAR Labs SG and Theori demonstrated these vulnerabilities during the Pwn2Own hacking contest in March 2024.

“VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) and STAR Labs SG working with the Pwn2Own 2024 Security Contest for independently reporting this issue to us.” reads the advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

The non-profit technology organization MITRE released the EMB3D threat model for embedded devices used in critical infrastructure.

MITRE announced the public release of its EMB3D threat model for embedded devices used in various industries (i.e. Automotive, healthcare, and manufacturing), including critical infrastructure.

The threat model provides a knowledge base of cyber threats to embedded devices. EMB3D serves as a valuable resource for various industries, including critical infrastructure, IoT, automotive, healthcare, and manufacturing, providing insights to vendors, asset owners/operators, test organizations, and security researchers to enhance the security of embedded devices.

Multiple partners have contributed to the design of the threat model, including Red Balloon Security, Narf Industries, and Niyo ‘Little Thunder’ Pearson of ONE Gas.  

The framework can allow vendors, asset owners and operators to improve the security of embedded devices.

“The threat model is intended to be a resource to help vendors, asset owners/operators, test organizations, and security researchers to improve the overall security of embedded devices’ hardware and software. This threat model aims to serve as a central repository of information, defining known threats to embedded devices and their unique device features/properties that enable specific threat actions.” reads the announcement. “By mapping the threats to the associated device features/properties, the user can easily enumerate threat exposure based on the known device features.”

EMB3D was designed as a dynamic framework that will continuously evolve over time, including new threats and mitigations as they are identified by threat actors and security researchers.

It operates as a public community resource, allowing open access to all information and enabling contributions and revisions from the security community. This collaborative approach ensures that EMB3D remains up-to-date and comprehensive, serving as a valuable resource for enhancing the security of embedded devices.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mitre)

Google released emergency security updates to address an actively exploited Chrome zero-day vulnerability.

Google has released emergency security updates to address a high-severity zero-day vulnerability vulnerability, tracked as CVE-2024-4761, in the Chrome browser.

The vulnerability is an out-of-bounds write issue that resides in the V8 JavaScript engine of the Google web browser.

The company confirmed that the flaw is exploited in attacks in the wild.

“CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09″ reads the advisory. “Google is aware that an exploit for CVE-2024-4761 exists in the wild.”

The company addressed the zero-day flaw with the release of 124.0.6367.207/.208 for Mac/Windows and 124.0.6367.207 for Linux. Google will roll out updates to all users over the coming days/weeks.

The vulnerability CVE-2024-4671 is the sixth zero-day exploited in attacks fixed by the IT giant this year.

As usual, Google did not publish details about the attacks exploiting the vulnerability.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed” continues the advisory.

Below is the list of actively exploited zero-day flaws in the Chrome browser that have been fixed this year:

• CVE-2024-0519: an out of bounds memory access in the Chrome JavaScript engine. (January 2024)
• CVE-2024-2887:  a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024. (March 2024)
• CVE-2024-2886: a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024. (March 2024)
• CVE-2024-3159: an out-of-bounds memory access in V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during the Pwn2Own 2024 on March 22, 2024. (March 2024)
• CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024). 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

Experts reported that since April, the Phorpiex botnet sent millions of phishing emails to spread LockBit Black ransomware.

New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors used the the Phorpiex botnet to send millions of phishing emails as part of a LockBit Black ransomware campaign.

The botnet has been active since at least 2016, it was involved in sextortion spam campaigns, crypto-jacking, cryptocurrency clipping (substituting the original wallet address saved in the clipboard with the attacker’s wallet address during a transaction) and ransomware attacks in the past

In August 2021 the criminal organization behind the Phorpiex botnet have shut down their operations and put the source code of the bot for sale on a cybercrime forum in on a dark web.

In December 2021, experts at Check Point Research observed the resurgence of the Phorpiex botnet.

The new variant, dubbed “Twizt,” could operate without active C2 servers in peer-to-peer mode. Each of the infected computers can act as a server and send commands to other bots in a chain. Experts estimated that in one year it allowed to steal crypto assets worth of 500,000 dollars.

The emails sent in the April campaign contain ZIP attachments and were sent by the same addresses, “JennyBrown3422[@]gmail[.]com,” and “Jenny[@]gsd[.]com.”

The ZIP archives contain a compressed executable payload that, if executed, will start the encryption process with LockBit Black ransomware.

“Observed instances associated with this campaign were accompanied by the Phorpiex (Trik) botnet, which delivered the ransomware payload. Over 1,500 unique sending IP addresses were identified, many of which were geolocated to Kazakhstan, Uzbekistan, Iran, Russia, China, and other countries.” states the report published by the NJCCIC. “Identified IPs hosting LockBit executables were 193[.]233[.]132[.]177 and 185[.]215[.]113[.]66. Subject lines included “your document” and “photo of you???”. All associated emails were blocked or quarantined.”

To defend against ransomware campaign like this one, NJCCIC provided the following recommendations:

1. Security Awareness Training: Engage in security awareness training to enhance defense mechanisms and recognize potential signs of malicious communications.
2. Password Management: Use strong, unique passwords and implement multi-factor authentication (MFA) whenever possible, prioritizing authentication apps or hardware tokens over SMS text-based codes.
3. System Updates: Keep systems updated and apply patches promptly after thorough testing to address vulnerabilities.
4. Endpoint Security: Install endpoint security solutions to fortify defenses against malware attacks.
5. Monitoring and Detection: Utilize monitoring and detection solutions to identify suspicious login attempts and abnormal user behavior.
6. Email Filtering: Implement email filtering solutions such as spam filters to block malicious messages. Reference the provided resources for establishing DMARC authentication.
7. Ransomware Mitigation: Refer to available resources for ransomware mitigation techniques and strategies.
8. Phishing Reporting: Report phishing emails and other malicious cyber activities to relevant authorities like the FBI’s IC3 and the NJCCIC.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Phorpiex botnet)

Apple rolled out urgent security updates to address code execution vulnerabilities in iPhones, iPads, and macOS.

Apple released urgent security updates to address multiple vulnerabilities in iPhones, iPads, macOS. The company also warns of a vulnerability patched in March that the company believes may have been exploited as a zero-day.

The issue impacts older iPhone devices, it is tracked as CVE-2024-23296 and is a memory corruption flaw in the RTKit.

The Real-Time Kernel is a component of the operating system responsible for managing and executing tasks with strict timing requirements.

“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections.” reads the advisory published by Cupertino firm. “Apple is aware of a report that this issue may have been exploited.”

The IT giant fixed the memory corruption bug with improved validation, it released iOS 16.7.8 and iPadOS 16.7.8.

The company also addressed a logic issue, tracked as CVE-2024-27789, in the Foundation framework. The flaw can be exploited by an app to access user-sensitive data.

The flaw was reported by Mickey Jin (@patch1t), the company addressed the vulnerability with improved checks.

Security patches are available for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

Apple released security patches to fix other issues in multiple products. The vulnerabilities fixed by the vendor can lead to arbitrary code execution, privilege escalation, denial-of-service attacks, and unauthorized access to data. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

The City of Helsinki suffered a data breach that impacted tens of thousands of students, guardians, and personnel.

The Police of Finland is investigating a data breach suffered by the City of Helsinki, the security breach occurred during the night of 30 April 2024.

The data breach impacted the City’s Education Division’s computer network. The City of Helsinki reported the incident to the police and the investigation is still ongoing to determine the extent and impact of the incident.

“The volume of data under investigation is significant. Unfortunately, we are currently unable to provide an accurate assessment of what data the perpetrator may have accessed. What we can tell you about at this time are the possible risks, so that personnel and customers of the Education Division can prepare for them. This procedure is in line with data protection law,” says Satu Järvenkallas, Executive Director of the Education Division.

“The victim of the crime is currently the City of Helsinki, from which the police will receive all necessary information for the investigation of the case. City residents do not need to contact the police”, said the Deputy Police Commissioner Heikki Kopperoinen. 

The City already implemented various security measures in response to the security breach. 

“We previously announced that the party behind the data breach has gained access to student and personnel usernames and email addresses. Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division. Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” says the City of Helsinki’s Chief Digital Officer Hannu Heikkinen.

The incident exposed tens of millions of files, most of them contain ordinary personal information, but the City believes that the opportunity for abuse of this information is minor. However, some of the compromised documents include confidential information or sensitive personal information.  

“These include information about fees (and the grounds thereof) for customers of early childhood education and care, sensitive information about the status of children, such as information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, as well as the sick leave records of Education Division personnel.” reads the statement published by the City of Helsinki. “We cannot rule out the possibility of the perpetrator gaining access to data of persons under a non-disclosure restriction.”  

The data in the incident include information dating back several years, potentially compromising individuals who were not current customers or staff members of the Education Division.

According to the announcement, threat actors exploited a vulnerability in the Education Division network server to remotely access it. Although a patch to fix this vulnerability was available, it was not installed on the server for unknown reasons. Hannu Heikkinen stated that their security controls and procedures were inadequate, but measures have been implemented to prevent a similar breach in the future. No evidence suggests that the threat actors accessed networks or data from other divisions, but all City of Helsinki networks are being closely monitored.

“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel. We regret this situation deeply. Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians. The breach also affects all of our personnel, as the perpetrator gained access to all personnel usernames and email addresses,” says City Manager Jukka-Pekka Ujula. “Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city´s senior management,” Ujula continues.  

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

A group of hackers that defines itself as “first-class Russian hackers” claims the defacement of hundreds of local and regional British newspaper websites.

A group claiming to be “first-class Russian hackers” defaced numerous local and regional British newspaper websites owned by Newsquest Media Group. The group defaced the home pages of the targeted websites and posted the message “PERVOKLASSNIY RUSSIAN HACKERS ATTACK.”

The following image shows an archived version of the East Lothian Courier, which is one of the impacted newspapers, that was published by Reported Future News.

Newsquest Media Group Limited is the second-largest publisher of regional and local newspapers in the United Kingdom. It is owned by the American mass media holding company Gannett. It has 205 brands across the UK, publishing online and in print (165 newspaper brands and 40 magazine brands) and reaches 28 million visitors a month online and 6.5 million readers a week in print. Based in London, Newsquest employs a total of more than 5,500 people across the UK.

Local media websites in the UK are vulnerable to cyber attacks, threat actors can target them to spread fake news.

In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.

“The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with anti-North Atlantic Treaty Organization (NATO) narratives, often leveraging website compromises or spoofed email accounts to disseminate fabricated content, including falsified correspondence from military officials” reads the report published by FireEye.

According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The attackers used to replace existing legitimate articles on the sites with the fake content, instead of creating new posts.

The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.

According to the experts, the campaign primarily targeted audiences in specific states members of the alliance, including Lithuania, Latvia, and Poland.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Russian hackers)