Cisco fixes flaws in NX-OS and FXOS software
Among the flaws Cisco fixed this past week are three of high severity in its NX-OS and FXOS software that could lead to denial of service. The three were part of Cisco’s semiannual FXOS and NX-OS Software Security Advisory Bundled Publication, released last Wednesday. They are CVE-2023-20200, which resides in the Simple Network Management Protocol (SNMP) service of Cisco FXOS Software for Firepower appliances; 20169, which affects Nexus 3000 and 9000 Series Switches; and 20168, which affects TACACS+ and RADIUS remote authentication in NX-OS software. Cisco states it is not aware of any of these vulnerabilities being actively exploited in the wild.
Windows preview updates bring blue screen of death
The Windows 11 and 10 preview updates that were released by Microsoft last week brought an old friend along. The updates, numbered KB5029351 and KB5029331 for Windows 11 and 10 respectively, triggered a blue screen with the Stop Code ‘UNSUPPORTED_PROCESSOR’. Affected users stated the updates were automatically rolled back after a few reboots. Microsoft is investigating.
FBI warns Barracuda bug still has bite
The FBI states that Barracuda Networks Email Security Gateway appliances that have been patched against a recent zero-day bug continue to be at risk of compromise from suspected Chinese hacking groups. It calls the recent fixes “ineffective” and says it “continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.” The bug is numbered CVE-2023-2868 (CVSS score: 9.8) and is thought to have been actively exploited for more than seven months before the fix was delivered.
New Chinese hacking group spying on Taiwanese organizations
Microsoft has named this new group Flax Typhoon and states that its goal is to “not only perform espionage on targeted Taiwanese entities but maintain access to organizations across a broad range of industries for as long as possible.” The reach of this campaign also stretches to Africa and North America. Microsoft describes the group’s technique as one that “gains initial access by exploiting vulnerabilities in public-facing servers before deploying a VPN connection and collecting credentials from victim systems.” Microsoft also stated that the group’s traffic is nearly indistinguishable from legitimate HTTPS traffic, which most network security appliances would not block.
Whiffy Recon uses WiFi to sniff out infected systems
According to the Secureworks Counter Threat Unit, the malware called SmokeLoader is being used to drop Whiffy Recon onto compromised Windows computers. This code triangulates the position of infected systems using nearby Wi-Fi access points and Google’s geolocation API. In its report, Secureworks stated, “it is unclear how the threat actors use this data. Demonstrating access to geolocation information could be used to intimidate victims or pressure them to comply with demands.”
(Security Affairs and SecureWorks)
Kroll data breach caused by SIM swapping
The NYC-based financial and risk advisory firm states in an advisory dated last Friday that the incident, which occurred on August 19, happened because “T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor’s phone at their request.” This gave the unidentified assailant access to files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX, and Genesis. The company noted that it took immediate steps to secure the three affected accounts and notified impacted individuals by email. While an investigation is underway, Kroll said it found no evidence to indicate that other systems or accounts have been affected.
(The Hacker News and Kroll advisory)
LockBit 3.0 ransomware builder helps create numerous variants
Kaspersky says it has noticed a number of ransomware intrusions that used a variation of LockBit but with different ransom demand procedures accompanying it. This is apparently a result of the leak of the LockBit 3.0 ransomware builder that occurred last year. These new demands ask for specific amounts and provide email addresses for communication, something that LockBit never did. Kaspersky adds that of the 396 LockBit samples under its observation, 312 were created using the leaked builder, and 77 of those make no reference to LockBit in the ransom note. Researchers suggest these may have been developed “for urgent needs or possibly by lazy actors.”
Government agency in France suffers data breach
The unemployment registration and financial aid agency of the government of France, Pôle emploi, has confirmed a data breach that affects an estimated 10 million people. The breach involves full names and social security numbers, but not email addresses, phone numbers, passwords, or banking information. Emsisoft has listed Pôle emploi on its MOVEit page, but the Clop ransomware gang behind the massive MOVEit hacking spree has not yet published the French agency on its extortion site.