Week 17th April - 21st April 2023

:tada: Welcome to this week’s newsletter, where we explore a common subject that affects us all: cybersecurity and privacy in the digital age. :heart:

In this week’s ‘In the News’ we cover critical issues ranging from two emergency Google Chrome updates in the last 10 days and how the Cyber Resilience Act could affect the open source community, to second-hand routers still holding corporate secrets and vulnerabilities in the vm2 JavaScript library and Alibaba Cloud’s PostgreSQL database services. These incidents are a reminder to keep software up to date, to wipe all data from devices before reselling them, to be wary of unexpected or unknown attachments, and to take proactive steps to stay safe online.

Two critical flaws found in Alibaba Cloud’s PostgreSQL databases

Cloud security firm Wiz has reported two critical flaws in Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL. Dubbed BrokenSesame, the vulnerabilities could have been exploited to bypass tenant isolation and access sensitive data belonging to other customers of the same service. Wiz reported the flaws to Alibaba Cloud in December 2022 and the company fixed them on April 12, 2023. There is no evidence that the vulnerabilities were exploited in the wild.

Date: Apr 20, 2023
Source: The Hacker News
Author: Ravie Lakshmanan
Tag: Cloud Security, Vulnerability

Google fixes the second actively exploited Chrome zero-day of 2023

Google has rolled out an emergency patch for another actively exploited, high-severity zero-day flaw in Chrome, tracked as CVE-2023-2136. It is the second such patch in 10 days, following the fix for CVE-2023-2033, a type confusion in the V8 JavaScript engine, on April 14. The new issue, reported by Clément Lecigne of Google’s Threat Analysis Group, is an integer overflow in the Skia graphics library. An attacker who has already compromised the renderer process could use it to escape the Chrome sandbox via a crafted HTML page, which is why a bug like this is typically chained with a renderer exploit. Stay safe by updating to the latest versions (build numbers 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac and Linux).

Date: Apr 19, 2023
Source: Security Affairs
Author: Pierluigi Paganini
Tag: Browser Security, Vulnerability

Critical flaws in vm2 JavaScript library can lead to remote code execution

Security researcher SeungHyun Lee has reported two critical flaws (CVE-2023-29199 and CVE-2023-30547) in vm2, a Node.js library used to run untrusted JavaScript in a sandbox. Both are rated 9.8 out of 10 on the CVSS scale. When exploited, the bugs allow code running inside the sandbox to break out of its protections and execute arbitrary code on the host. Lee has also released proof-of-concept exploits for both issues. A fresh round of patches has been made available for vm2: version 3.9.16 addresses CVE-2023-29199 and version 3.9.17 addresses CVE-2023-30547, so anyone relying on vm2 to isolate untrusted code should upgrade to 3.9.17 or later.

Date: Apr 19, 2023
Source: The Hacker News
Author: Ravie Lakshmanan
Tag: Software Security
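
A quick way to check whether a project still ships a vulnerable copy of vm2 is to walk its npm lockfile and compare every installed vm2 version against the fixed release. The script below is an added example written for this newsletter, not code from the vm2 project or the researcher; it assumes the fixed version named above (3.9.17) and uses a constructed package-lock.json embedded inline, where a real audit would read the file from disk with json.load().

```python
"""Flag vulnerable vm2 copies in an npm lockfile (added example, not vm2 code)."""
import json
import re

# First vm2 release with both April 2023 advisories fixed (assumption taken
# from the newsletter item: 3.9.16 fixed CVE-2023-29199, 3.9.17 fixed
# CVE-2023-30547).
FIXED = (3, 9, 17)

# Constructed lockfile (npm lockfileVersion 3 layout): one project that pulls
# vm2 twice, once directly and once nested under another dependency.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"vm2": "^3.9.11", "some-lib": "1.0.0"}},
        "node_modules/vm2": {"version": "3.9.11"},
        "node_modules/some-lib": {"version": "1.0.0", "dependencies": {"vm2": "3.9.17"}},
        "node_modules/some-lib/node_modules/vm2": {"version": "3.9.17"},
        "node_modules/acorn": {"version": "8.8.2"},
    },
})


def parse_version(text):
    """Turn '3.9.11' (or '3.9.11-beta.1') into a comparable tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def installed_packages(lockfile):
    """Yield (path, name, version) for every installed package in the lockfile.

    Handles lockfileVersion 2/3 ('packages' keyed by node_modules path) and the
    older lockfileVersion 1 ('dependencies' tree, nested recursively).
    """
    data = json.loads(lockfile)
    if "packages" in data:
        for path, entry in data["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Last node_modules segment is the package name (scoped names keep their '/').
            name = path.split("node_modules/")[-1]
            yield path, name, entry["version"]
    else:
        def walk(tree, prefix):
            for name, entry in tree.items():
                path = f"{prefix}node_modules/{name}"
                yield path, name, entry["version"]
                yield from walk(entry.get("dependencies", {}), path + "/")
        yield from walk(data.get("dependencies", {}), "")


def find_vulnerable_vm2(lockfile, fixed=FIXED):
    """Return the lockfile paths of every vm2 copy older than `fixed`."""
    return [
        path
        for path, name, version in installed_packages(lockfile)
        if name == "vm2" and parse_version(version) < fixed
    ]


if __name__ == "__main__":
    for path in find_vulnerable_vm2(SAMPLE_LOCKFILE):
        print(f"vulnerable vm2 at {path}")
```

Nested copies matter: a transitive dependency can pin its own vm2 under its own node_modules folder, so checking only the top-level package.json range misses it. Run the scan against the lockfile that is actually deployed, since that is what npm ci installs.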

Used routers often come loaded with corporate secrets

Researchers at security firm ESET have found that used or second-hand enterprise routers often still hold corporate secrets such as network topology, credentials and confidential data from their previous owners. Enterprises usually hand decommissioned hardware to third parties for e-waste disposal and device-sanitization services, but in many cases those vendors do not wipe the devices as they claim to. Corporate secrets of this kind are highly valuable on dark web markets and in criminal forums, because a router configuration alone can map the former owner’s network and hand over the keys to it. It is therefore important to do your own due diligence: factory-reset every device, confirm that nothing identifying survives the wipe, and only then let it leave your control.

Date: Apr 19, 2023
Source: Ars TECHNICA (originally appeared in Wired.com)
Author: Lily Hay Newman
Tag: Cyber Risk/Cyber Threats

LockBit ransomware now targeting Apple macOS devices

Researchers at MalwareHunterTeam reported that the threat actors behind LockBit, a ransomware operation with ties to Russia, have built new samples that can encrypt files on Arm-based Macs. It is the first macOS payload from the cybercrime crew. The executable is signed with an invalid signature, so macOS Gatekeeper would refuse to run it by default, but the sample shows that the LockBit operators are seeking to expand to new platforms. The macOS variant appears to have existed since November 2022 and had evaded antivirus detection until now.

Date: Apr 18, 2023
Source: The Hacker News
Author: Ravie Lakshmanan
Tag: Encryption, Malware

In letter to the EU, open source bodies say Cyber Resilience Act could have ‘chilling effect’ on software development

A group of open source industry organisations has published an open letter asking the EU to reconsider aspects of the proposed Cyber Resilience Act (CRA). The letter states that the act will have a ‘chilling effect’ on software development if implemented in its current form, and calls for a greater say in the evolution of the CRA as it progresses through the European Parliament. The act seeks to ensure that products sold in the EU are secure, with hefty penalties for non-compliance. The open source community is concerned that the CRA will apply to many open source projects developed by individuals or small teams who lack the resources that larger companies have.

Date: Apr 18, 2023
Source: Tech Crunch
Author: Paul Sawers
Tag: Politics, Open Source

New QBot banking trojan campaign hijacks business emails to spread malware

Security firm Kaspersky has disclosed a new QBot malware campaign that hijacks existing business email threads to trick unsuspecting recipients into installing the malware. QBot (also known as QakBot) is a banking trojan that steals passwords and cookies from web browsers and then drops next-stage payloads such as Cobalt Strike or ransomware. It is distributed via phishing campaigns, and the malware uses anti-VM, anti-debugging and anti-sandbox techniques to evade detection.

Date: Apr 17, 2023
Source: The Hacker News
Author: Ravie Lakshmanan
Tag: Malware, Cyber Risk/Cyber Threats

Conclusion

We hope you find these cybersecurity articles both informative and insightful. The challenges of cybersecurity keep evolving, so staying informed and aware of the latest news helps individuals and organisations protect themselves from cyber-attacks. As always, our goal is to educate users and encourage our community to be vigilant in safeguarding their digital and personal information.

Feel free to contribute any interesting articles you come across in passbolt’s ‘In The News’ category of the community forum. Share your thoughts and experiences on the developing cybersecurity and data privacy standards. We’d love to connect and talk more about topics that are relevant to us. :partying_face: :tada: