In this week’s Cyber Weekly Digest we look at two critical vulnerabilities patched in WhatsApp, a new persistence technique on VMware ESXi hypervisors, and a pair of actively exploited zero-days in Microsoft Exchange Server. Keep reading to stay up to date on the biggest cyber security news of the week.
WhatsApp has released security updates to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices. The first, CVE-2022-36934 (CVSS score 9.8), is a critical integer overflow that can result in arbitrary code execution once a video call has been established, so the attacker needs nothing more than a call the target picks up. It affects WhatsApp and WhatsApp Business for Android and iOS prior to version 2.22.16.12. The second, CVE-2022-27492 (CVSS score 7.8), is an integer underflow that could be triggered by a crafted video file sent to the target. Both bugs sit in media-handling code that parses attacker-controlled input, so users should update from the app stores rather than wait for the next automatic update.
American Airlines’ Cyber Security Incident Response Team (CIRT) learned of a recently disclosed data breach from the recipients of a phishing campaign that was sent from an employee’s compromised Microsoft 365 account. After receiving those phishing reports, the CIRT determined that an unauthorised party had gained access to the company’s Microsoft 365 environment. The breach exposed the personal information of around 1,700 customers and team members, although the airline has said it has found no evidence that the exposed data has been misused.
The North Korean APT Lazarus is now using fake Crypto.com job offers to target developers and artists in the cryptocurrency space, likely with the long-term goal of stealing digital assets and cryptocurrency. Crypto.com is one of the largest cryptocurrency exchange platforms. Lazarus has been targeting people in the cryptocurrency industry since 2020 in a campaign dubbed Operation In(ter)ception. Victims receive spear-phishing lures in the form of job-offer documents carrying hidden scripts; opening the file establishes persistence on the host, which the actors later use for reconnaissance and data exfiltration on the way to stealing funds. Unsolicited recruiter approaches that arrive with a document to open remain the tell-tale sign of this campaign.
Threat actors have found a new way to gain persistence on VMware ESXi hypervisors, from which they can control vCenter servers and the Windows and Linux virtual machines running on the host while avoiding detection. Researchers at the threat intelligence company Mandiant found that an actor suspected of having ties to China installed two backdoors, named VirtualPita and VirtualPie, on bare-metal hypervisors by packaging them as malicious vSphere Installation Bundles (VIBs). They also uncovered a unique malware sample they call VirtualGate, consisting of a dropper and payload, on guest virtual machines. The attacks require the actor to already hold administrator-level privileges on the hypervisor, so this is a post-compromise persistence technique rather than an initial-access one, but an attacker with that foothold can use it to reach valuable guest workloads, hide below the operating system layer where endpoint agents do not run, and extend their presence across the estate. Because ESXi will not install an unsigned or community-supported VIB unless the host’s acceptance level is lowered or the install is forced, the host acceptance level and the installed VIB inventory are the first things to review.
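The host-side triage that review implies, as an added example that is not part of the article and not Mandiant’s tooling: a POSIX shell script that reads the output of `esxcli software vib list` and the value returned by `esxcli software acceptance get`, and flags the conditions an administrator would not normally create. The sample inventory, the vendor `acme` and the `acme-*` VIB names in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or from Mandiant). Triage an ESXi host's
# VIB inventory for signs that a package was installed outside the normal,
# signed path. On a live host run it as:
#   esxcli software vib list | sh vib_triage.sh "$(esxcli software acceptance get)"
# The sample data below is constructed; "acme" and the acme-* VIBs are hypothetical.

# Constructed `esxcli software vib list` output (columns: Name, Version, Vendor,
# Acceptance Level, Install Date). A real host lists a few hundred rows.
SAMPLE_VIB_LIST='Name                 Version                 Vendor  Acceptance Level    Install Date
-------------------  ----------------------  ------  ------------------  ------------
ata-libata-92        3.00.9.2-16vmw.700.1.0  VMW     VMwareCertified     2022-03-01
lsu-lsi-lsi-mr3-plugin 1.0.0-13vmw.700.1.0   VMW     VMwareCertified     2022-03-01
acme-nic-driver      2.4.1-1OEM.700.1.0      acme    PartnerSupported    2022-03-01
acme-sup-plugin      1.0.0-1                 acme    CommunitySupported  2022-09-14'

# Constructed `esxcli software acceptance get` output.
SAMPLE_ACCEPTANCE='CommunitySupported'

# Exit 0 when the host acceptance level is one of the signed tiers. ESXi refuses
# CommunitySupported (effectively unsigned) VIBs unless the host level has been
# lowered to CommunitySupported or the install was forced, which is the kind of
# privileged action the attacker in this report had to take.
host_acceptance_ok() {
    case "$1" in
        VMwareCertified|VMwareAccepted|PartnerSupported) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a vib list on stdin; print "name vendor level" for CommunitySupported VIBs.
# Header and separator rows are skipped; the acceptance level is the 4th column.
community_vibs() {
    awk '$1 != "Name" && $1 !~ /^-+$/ && $4 == "CommunitySupported" { print $1, $3, $4 }'
}

# Read a vib list on stdin; print "name vendor level date" for VIBs not shipped
# by VMware, for manual review against the host build and the hardware vendor.
third_party_vibs() {
    awk '$1 != "Name" && $1 !~ /^-+$/ && $3 != "VMW" && $3 != "VMware" { print $1, $3, $4, $5 }'
}

# Full report: $1 = host acceptance level, stdin = vib list. Always exits 0 so it
# can run under set -e; findings are printed rather than signalled by exit status.
vib_report() {
    level="$1"
    input=$(cat)
    if host_acceptance_ok "$level"; then
        echo "OK   host acceptance level: $level"
    else
        echo "WARN host acceptance level lowered to: $level"
    fi
    printf '%s\n' "$input" | community_vibs | while read -r name vendor lvl; do
        echo "WARN CommunitySupported VIB installed: $name (vendor $vendor)"
    done
    printf '%s\n' "$input" | third_party_vibs | while read -r name vendor lvl date; do
        echo "INFO third-party VIB for review: $name (vendor $vendor, $lvl, installed $date)"
    done
    return 0
}

if [ "$#" -ge 1 ]; then
    vib_report "$1"                                   # live host: vib list on stdin
else
    printf '%s\n' "$SAMPLE_VIB_LIST" | vib_report "$SAMPLE_ACCEPTANCE"
fi
```

A PartnerSupported label in the list is not proof of a valid signature: the acceptance level is read from the bundle’s descriptor, which an attacker who already has root on the host can edit before forcing the install. On ESXi builds that support it, `esxcli software vib signature verify` checks the actual signatures, so any third-party VIB that the report lists for review should be confirmed that way, or compared against the vendor’s published bundle, rather than trusted on its label.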
Security researchers are warning that previously undisclosed flaws in fully patched Microsoft Exchange servers are being exploited in real-world attacks to achieve remote code execution on affected systems. The two vulnerabilities, which had yet to be assigned CVE identifiers at the time of writing, are tracked by the Zero Day Initiative as ZDI-CAN-18333 (CVSS score 8.8) and ZDI-CAN-18802 (CVSS score 6.3); they were subsequently assigned CVE-2022-41040 and CVE-2022-41082 respectively. Exploiting the two in combination gives an authenticated attacker a foothold on the server, from which adversaries have been observed dropping web shells and moving laterally across the compromised network. Researchers tentatively attribute the attacks to a Chinese threat group because the web shell is encoded in a simplified Chinese code page. Microsoft has published an interim URL Rewrite mitigation and recommends restricting remote PowerShell access for non-administrators until a fix ships.