Take a look at this week's Cyber Weekly Digest, where we cover the latest zero-day vulnerabilities patched by Apple as well as a vulnerability in a VPN client that exposes the user's actual IP address. Keep reading to stay up to date on the latest cyber security news from around the globe.
Apple released emergency security updates (iOS 16.6.1, iPadOS 16.6.1, macOS Ventura 13.5.2 and watchOS 9.6.2) to fix two new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users. This brings the total number of zero-days patched by Apple to 13 this year. The bugs were found in the Image I/O and Wallet frameworks and are tracked as CVE-2023-41064 (a buffer overflow triggered by a maliciously crafted image) and CVE-2023-41061 (a validation issue in Wallet). Researchers reported that the two bugs were chained in a zero-click iMessage exploit named BLASTPASS, which was used to deploy NSO Group's Pegasus mercenary spyware onto fully patched iPhones running iOS 16.6 via PassKit attachments containing malicious images. Because the chain requires no user interaction, the only effective response is to install the updates promptly.
On Thursday, CISA warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN (CVE-2022-42475) and Zoho ManageEngine ServiceDesk Plus (CVE-2022-47966) to gain unauthorised access and establish persistence on compromised systems. Both flaws had patches available months before the intrusion, which is why CISA singles out patching internet-facing VPN and IT management appliances as the priority mitigation. The identities of the threat groups behind the attacks have not been disclosed, although US Cyber Command hinted at the involvement of Iranian nation-state actors. The findings are based on an incident response engagement conducted by CISA at an unnamed aeronautical organisation from February to April 2023, with evidence suggesting that the malicious activity started in January.
Johnson & Johnson Health Care Systems has informed its CarePath customers that their sensitive information was compromised in a third-party data breach involving IBM, which operates the CarePath platform on its behalf. Johnson & Johnson became aware of a previously unknown method that could give unauthorised users access to the CarePath database. The firm reported this to IBM, which promptly fixed the security gap and launched an internal investigation to assess whether anyone had exploited the flaw. The investigation revealed that CarePath user data, including full names, contact information, health insurance information and medical information, was part of the breach.
Microsoft on Wednesday revealed how a China-based threat actor known as Storm-0558 acquired the inactive consumer signing key it used to forge authentication tokens and access Outlook. The key was present in a crash dump produced when the consumer signing system crashed in April 2021. Crash dumps are meant to have sensitive material redacted and should never contain signing keys, but a race condition left the key in the dump and Microsoft's credential scanning did not detect it. The dump was later moved from the isolated production network to a debugging environment on the internet-connected corporate network, where Storm-0558 is suspected to have obtained it after compromising an engineer's corporate account. Storm-0558 went on to use the key to forge tokens for approximately 25 organisations and gain unauthorised access to Outlook Web Access and Outlook.com.
An Atlas VPN zero-day vulnerability affecting the Linux client leaks a user's IP address simply by visiting a website. A researcher describes how the Linux client of Atlas VPN, specifically the latest version, 1.0.3, has an API endpoint that listens on localhost (127.0.0.1) on port 8076. This API exposes the client's command-line interface (CLI) for performing various actions, such as disconnecting a VPN session via the http://127.0.0.1:8076/connection/stop URL. However, the API performs no authentication, so anyone who can reach the loopback interface can issue commands, including a website the user is visiting: the browser will send a cross-origin request to that URL even though the same-origin policy later blocks the page from reading the response, and the side effect (dropping the tunnel) happens regardless. Once the tunnel is down, the user's traffic to the page travels over the real connection, exposing their actual IP address and approximate physical location and nullifying one of the core reasons for using a VPN provider. The root cause is a familiar one for local control APIs: listening on localhost is not an authentication mechanism, because the user's own browser sits on that host too. A safe design requires a per-user secret (for example a bearer token in a file only that user can read) on every request and additionally rejects requests that carry a browser Origin header or a non-loopback Host.
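The following is an added example, not code from the original article or from Atlas VPN, that models the flaw described above and the hardening a practitioner would apply. It stands up a tiny localhost HTTP API with the same `/connection/stop` path on an ephemeral port (the real client's port 8076 is not used), in two modes: the vulnerable mode honours every request, while the hardened mode requires a bearer token and rejects requests carrying an Origin header or a non-loopback Host. The "web page" is simulated by sending the Origin header a browser attaches to a cross-site fetch; the token, hostnames and attacker domain are constructed for the demo.

```python
"""Localhost control API: vulnerable (Atlas VPN pattern) versus hardened.

Constructed example. The endpoint path mirrors the report; the port is
ephemeral; the malicious web page is simulated by adding the Origin header
a browser attaches to a cross-site fetch().
"""
import hmac
import http.server
import secrets
import threading
import urllib.error
import urllib.request

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def authorize(headers, expected_token: str) -> int:
    """Return the HTTP status the control API should answer with (200 = honour the request)."""
    # 1. Browsers add Origin to cross-site fetch/XHR requests; a local CLI does not.
    #    (Not every browser request carries Origin, so this is defence in depth, not the main control.)
    if headers.get("Origin") is not None:
        return 403
    # 2. Accept only a loopback Host, so an attacker-controlled DNS name that
    #    resolves to 127.0.0.1 (DNS rebinding) is not treated as local.
    host = headers.get("Host", "")
    if host.startswith("[") and "]" in host:
        hostname = host[: host.index("]") + 1]   # "[::1]:8076" -> "[::1]"
    else:
        hostname = host.rsplit(":", 1)[0]        # "127.0.0.1:8076" -> "127.0.0.1"
    if hostname not in LOOPBACK_HOSTS:
        return 403
    # 3. Require a per-session bearer token (in a real client: kept in a file only the
    #    logged-in user can read). Constant-time comparison avoids timing leaks.
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 401
    return 200


class ControlAPI(http.server.BaseHTTPRequestHandler):
    hardened = False   # False reproduces the reported behaviour: every request is honoured
    token = ""         # set per server instance in run_server()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path != "/connection/stop":
            self.send_error(404)
            return
        status = authorize(self.headers, self.token) if self.hardened else 200
        if status != 200:
            self.send_error(status)
            return
        body = b"VPN session stopped\n"   # stand-in for the real side effect
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def run_server(hardened: bool, token: str):
    """Start the API on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    handler = type("Handler", (ControlAPI,), {"hardened": hardened, "token": token})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def call_stop(port: int, headers: dict) -> int:
    """Issue GET /connection/stop with the given headers and return the HTTP status."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/connection/stop", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo(hardened: bool) -> dict:
    """Run three callers against the API: a web page, the legitimate CLI, and a token-less local caller."""
    token = secrets.token_urlsafe(32)
    server, port = run_server(hardened, token)
    try:
        return {
            "web_page": call_stop(port, {"Origin": "https://attacker.example"}),
            "cli_with_token": call_stop(port, {"Authorization": f"Bearer {token}"}),
            "cli_without_token": call_stop(port, {}),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))  # every caller gets 200, including the web page
    print("hardened:  ", demo(hardened=True))   # only the token-bearing CLI call gets 200
```

In vulnerable mode all three callers disconnect the tunnel; in hardened mode the simulated web page is refused with 403 and the token-less local caller with 401, while the CLI holding the token still works. The token is the primary control: the Origin and Host checks only catch the common browser and DNS-rebinding cases and should never be relied on alone.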