The vulnerability was discovered by Salt Security and has a CVSS score of 9.6
Apple Safari Zero-Day Flaw Exploited At Pwn2Own : Patch Now
Apple has released security updates to address a zero-day vulnerability in its Safari web browser that was exploited during this year’s Pwn2Own Vancouver hacking competition.
This issue, identified as CVE-2024-27834, was fixed by enhanced checks on macOS Monterey and macOS Ventura systems.
Master of Pwn winner Manfred Paul reported this vulnerability in collaboration with Trend Micro’s Zero Day Initiative.
Details Of The Apple Safari Zero-Day Flaw
The vulnerability in Safari's WebKit engine is tracked as CVE-2024-27834: an attacker who already has an arbitrary read and write primitive may be able to bypass Pointer Authentication (PAC).
“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” Apple said.
If this vulnerability is successfully exploited, an attacker may be able to bypass security measures, possibly gaining unauthorized access to the system or running malicious code on it.
During Pwn2Own, Manfred Paul used an integer underflow flaw to obtain remote code execution (RCE) and earn $60,000.
This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, Safari 17.5, watchOS 10.5, macOS Sonoma 14.5.
Update Now!
Update to the latest patched versions of iOS 17.5, iPadOS 17.5, tvOS 17.5, Safari 17.5, watchOS 10.5, or macOS Sonoma 14.5 to mitigate this vulnerability.
Apple released several updates for its iOS and macOS operating systems to start the May release cycle. The most noteworthy update for iOS 16.7.8 and iPadOS 16.7.8 addresses CVE-2024-23296.
If you’re using a device with an affected OS, make sure you get the update. This flaw is reportedly under active attack.
The post Apple Safari Zero-Day Flaw Exploited At Pwn2Own : Patch Now appeared first on Cyber Security News.
North Korea’s Hacker Group Deploys Malicious Version of Python Package in PyPI Repository
ReversingLabs spotted “VMConnect” in early August, a malicious supply chain campaign with two dozen rogue Python packages on PyPI.
The packages were observed to mimic the following known open-source Python tools:
vConnector
eth-tester
Databases
Cybersecurity researchers at ReversingLabs recently identified that a North Korean hacker group is actively deploying malicious versions of Python Packages in the PyPI repository.
The security analysts analyzed all the malicious packages, and after successfully decrypting the malicious packages, they linked their roots to Labyrinth Chollima, a branch of the renowned North Korean state-sponsored group Lazarus.
Recent years witnessed malicious actors imitating open-source packages, using tactics like typosquatting to trick busy developers into installing malware.
Malicious packages
The malicious packages identified by the security experts, with their download counts, are:
tablediter (736 downloads)
request-plus (43 downloads)
requestspro (341 downloads)
The first of the three new packages pretends to be a table editing tool, while the others imitate the ‘requests’ Python library, adding ‘plus’ and ‘pro’ to seem like enhanced legitimate versions.
Malicious Python Package in PyPI Repository
The malicious actors used evasion tactics like typosquatting and mimicked the ‘requests’ package, copying its description and files without any additions.
Within the malicious packages, only the “__init__.py” file was altered: a few added lines launch a thread that executes a function from the “cookies.py” file.
The cookies.py file was altered with malicious functions to gather machine data, sending it via POST to a C2 server URL. It then retrieves a token via a GET HTTP request to another C2 server URL.
Code for communication with C2 server (Source – Reversing Labs)
The infected host receives a double-encrypted Python module with execution parameters, decoding it and downloading the next malware stage from a provided URL.
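The two traits the report describes, a name that rides on a popular package (request-plus, requestspro) and an __init__.py that spawns a thread into a sibling module, can both be checked statically before a package is installed. The following is an added defender-side example, not code from ReversingLabs or from the rogue packages; the POPULAR list, the 0.8 similarity threshold and the sample __init__.py are constructed for illustration.

```python
import ast
import difflib
import re

# Well-known names to compare against; a real check would use the top PyPI names.
POPULAR = ["requests", "urllib3", "numpy"]

# Constructed sample __init__.py in the shape the report describes: upstream body
# kept intact, plus added lines that start a thread running a function from cookies.py.
SUSPICIOUS_INIT = """
from .api import get, post
import threading
from .cookies import start
threading.Thread(target=start, daemon=True).start()
"""

def typosquat_candidates(name, popular=POPULAR):
    """Popular names this package name imitates by suffixing or near-match."""
    norm, hits = re.sub(r"[-_.]", "", name.lower()), []
    for p in popular:
        pn = re.sub(r"[-_.]", "", p.lower())
        if norm == pn:
            continue  # the genuine package, not an imitation
        close = difflib.SequenceMatcher(None, norm, pn).ratio() >= 0.8
        if pn in norm or close:  # 'requestspro' contains 'requests'; 'requestplus' is close
            hits.append(p)
    return hits

def _is_thread_ctor(func):
    if isinstance(func, ast.Attribute):
        return func.attr == "Thread" and getattr(func.value, "id", "") == "threading"
    return isinstance(func, ast.Name) and func.id == "Thread"

def thread_starts(source):
    """(target, source module) for every Thread(...) constructed in the file."""
    tree = ast.parse(source)
    origin = {}  # imported name -> module it was imported from
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            for alias in node.names:
                origin[alias.asname or alias.name] = "." * node.level + (node.module or "")
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_thread_ctor(node.func):
            tgt = next((k.value for k in node.keywords if k.arg == "target"), None)
            tname = tgt.id if isinstance(tgt, ast.Name) else "<expr>"
            found.append((tname, origin.get(tname, "<local>")))
    return found
```

Run both functions over a downloaded sdist before installing it; a near-miss name combined with a thread started from package import time is the pattern this campaign used.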
Similar to the previous VMConnect campaign, the C2 server waited for suitable targets, withholding additional commands, making campaign assessment challenging.
While investigating VMConnect, ReversingLabs aimed to connect it with other malware campaigns, uncovering hints linking it to Lazarus Group, a North Korean APT group.
Further investigation found the py_QRcode package mentioned in a July 2023 JPCERT report (https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html), but it was never on PyPI. This raises questions about how the malware reached victims despite being tied to this package.
Code similarities between VMConnect and JPCERT/CC findings link both to the Lazarus Group, confirming North Korean state sponsorship.
IoCs
Command and control (C2) domains and IP address:
packages-api.test
tableditermanaging.pro
45.61.136.133
PyPI packages: tablediter, request-plus, requestspro (Source – Reversing Labs)
The post North Korea’s Hacker Group Deploys Malicious Version of Python Package in PyPI Repository appeared first on Cyber Security News.
Securing secrets: The State Department’s cyber hunt.
The State Department investigates an alleged breach. The FCC looks at regulating connected vehicles. A big-tech consortium hopes to mitigate AI-related job losses. Google aims to thwart cookie thieves. SurveyLama exposes sensitive info of over four million users. Omni Hotels & Resorts is recovering from a cyberattack. A national cancer treatment center suffers a breach. How cyber is approached on both sides of the pond. In our Industry Voices segment, George Jones, CISO at Critical Start, discusses strategies for maximizing cybersecurity investments to achieve optimal risk reduction. Playing the identity theft long game.
The CyberWire