In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.
An employee of cyberweapon manufacturer, NSO Group, tried to sell advanced malware to unauthorized parties for $50-Million, according to an Israeli indictment unsealed last week against the individual in question. About two years ago, Herzliya-based NSO Group developed a powerful cyberweapon called Pegasus, which operated as malware that exploited three previously unknown vulnerabilities in iPhones […]
A Russian zero-day exploit purchase site is interested in tools for hacking of Electric Vehicle Charging Stations. This raises a number of questions. Why would anybody want to hack such targets? Also, why would Russian entities (in particular) be interested in such targets? The best answer to these is “good question!”, and let's put politics aside. Let’s explore the potential cybersecurity risks of electric vehicle charging station, assuming the ability of compromising them at a scale, having some kind of tools. It turns out that this is a fascinating security problem!
By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as “DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC”. After successful validation, it was immediately
Earlier this year, Mandiant identified a novel malware ecosystem impacting VMware ESXi, Linux vCenter servers, and Windows virtual machines that enables a threat actor to take the following actions:
1) Maintain persistent administrative access to the hypervisor
2) Send commands to the hypervisor that will be routed to the guest VM for execution
3) Transfer files between the ESXi hypervisor and guest machines running beneath it
4) Tamper with logging services on the hypervisor
Circa the beginning of August 2022, while doing security monitoring & incident response services, GTSC SOC team discovered that a critical infrastructure was being attacked, specifically to their Microsoft Exchange application. During the investigation, GTSC Blue Team experts determined that the attack utilized an unpublished Exchange security vulnerability, i.e., a 0-day vulnerability, thus immediately came up with a temporary containment plan.
Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations. This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information. ...Read More
Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022. If you’re interested in the full root cause analysis for CVE-2022-22620, we’ve published it here.
With the "Follina" / CVE-2022-30190 0day still hot, i.e., still waiting for an official fix while apparently already getting exploited by nation-backed attackers, another related unfixed vulnerability in Microsoft's Diagnostic Tool (MSDT) bubbled to the surface.
In January 2020, security researcher Imre Rad published an article titled "The trouble with Microsoft’s Troubleshooters," describing a method for having a malicious executable file being saved to user's Startup folder, where it would subsequently get executed upon user's next login. What the user has to do for this to happen is open a "diagcab" file...
At Grapl we believe that in order to build the best defensive system we need to deeply understand attacker behaviors. As part of that goal we're investing in offensive security research. Keep up with our blog for new research on high risk vulnerabilities, exploitation, and advanced threat tactics.
Adobe on Sunday rolled out patches to contain a critical security vulnerability impacting its Commerce and Magento Open Source products that it said is being actively exploited in the wild.