
Threat Report 1/10/25

Multiple Vulnerabilities in Sophos Firewall Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Sophos Firewall, the most severe of which could allow for remote code execution. Sophos Firewall is a network security solution. Successful exploitation of the most severe of these vulnerabilities could allow for unauthorized access to the system. Depending on the privileges associated with the system, an attacker could then view, change, or delete data.


Affected Systems:

  • Sophos Firewall v21.0 GA (21.0.0) and older 


Risk

  • Large and medium business entities: High
  • Small business entities: Medium

 

Remediation Recommendations

  • Ensure all Sophos firewalls have the latest version(s) installed

  • Apply the principle of least privilege (grant elevated privileges only to the users who need them)

Phishing Campaign Compromised at Least 35 Browser Extensions

BleepingComputer reports that a phishing campaign targeting Chrome browser extension developers resulted in the compromise of at least 35 extensions collectively used by around 2.6 million people. The phishing emails purport to come from Google, informing developers that their extensions violate Chrome Web Store policies. The emails contain a link to a legitimate login page on Google's domain which, when completed, grants permissions to a malicious OAuth application.

One of the compromised extensions belonged to the cybersecurity firm Cyberhaven. The company has published a postmortem of the incident, noting that the attack used "the standard authorization flow for granting access to third-party Google applications." The Cyberhaven employee had multifactor authentication enabled, but the authorization flow did not require him to enter credentials to grant access to the malicious OAuth application.

Once the attackers had access to the extensions, they inserted code designed to steal data from Facebook accounts and republished the modified extensions to the Chrome Web Store.
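The consent-phishing mechanism above turns on a grant the user approves rather than a password the attacker steals, so MFA does not block it; the useful control is reviewing which third-party apps hold sensitive scopes. The following is an added illustration, not code from the report or from Cyberhaven: it flags OAuth consent grants to unreviewed apps that include a sensitive scope. The record layout, the approved client ID list and the choice of which scopes count as sensitive are assumptions (the scope names themselves are real Google scopes).

```python
# Added example, not from the report or from Cyberhaven: flag OAuth consent
# grants that hand a sensitive scope to an app the organisation has not reviewed.
# The record layout below is constructed for illustration; it is not Google's
# real audit-log schema.
from dataclasses import dataclass

# Scope names are real Google scopes; treating these as sensitive is an assumption.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/chromewebstore",   # publish/update extensions
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
}

# Client IDs the organisation has reviewed; placeholder values, constructed.
APPROVED_CLIENT_IDS = {"approved-client-id-placeholder"}


@dataclass(frozen=True)
class ConsentGrant:
    user: str
    client_id: str
    app_name: str
    scopes: tuple


def sensitive_scopes_granted(grant):
    """Return the sensitive scopes in a grant, or an empty set if the app is approved."""
    if grant.client_id in APPROVED_CLIENT_IDS:
        return set()
    return set(grant.scopes) & SENSITIVE_SCOPES


def flag_grants(grants):
    """Return (user, app_name, sorted sensitive scopes) for each grant worth reviewing."""
    findings = []
    for g in grants:
        hit = sensitive_scopes_granted(g)
        if hit:
            findings.append((g.user, g.app_name, sorted(hit)))
    return findings


# Constructed sample records: one approved app, one unreviewed app asking for
# Web Store access (the pattern in the Cyberhaven case), one harmless grant.
SAMPLE_GRANTS = [
    ConsentGrant("dev@example.com", "approved-client-id-placeholder", "Approved CI Tool",
                 ("https://www.googleapis.com/auth/chromewebstore",)),
    ConsentGrant("dev@example.com", "unreviewed-client-placeholder", "Policy Review",
                 ("openid", "https://www.googleapis.com/auth/chromewebstore")),
    ConsentGrant("ops@example.com", "another-unreviewed-placeholder", "Calendar Helper",
                 ("https://www.googleapis.com/auth/calendar.readonly",)),
]

if __name__ == "__main__":
    for user, app, scopes in flag_grants(SAMPLE_GRANTS):
        print(f"review: {user} granted {app} -> {', '.join(scopes)}")
```

Running it lists only the unreviewed app holding the Web Store scope; the approved app and the calendar-only grant are not reported.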



Mirai Variant Targets Router Zero-Days

A new variant of the Mirai botnet is exploiting zero-day vulnerabilities affecting industrial routers and smart home devices, Infosecurity Magazine reports. Researchers at Chinese security firm Qi'anxin XLab have been tracking the Mirai variant since February 2024, noting that it began exploiting zero-days in November. The botnet targets more than 20 vulnerabilities, including zero-days affecting Four-Faith industrial routers (CVE-2024-12856), Neterbit routers, and Vimar smart home devices. The botnet currently consists of approximately 15,000 active IPs and is used to launch DDoS attacks. 





Apple Will Pay $95 Million to Settle Proposed Privacy Lawsuit

Apple will pay $95 million to settle a proposed class-action lawsuit that alleged the company violated users' privacy by allowing contractors to listen to device owners' conversations, according to the Record.

The Guardian reported in 2019 that some Siri recordings were sent to contractors for product improvement, including instances in which Siri had been unintentionally activated. Apple told the Guardian at the time, "A small portion of Siri requests are analyzed to improve Siri and dictation. User requests are not associated with the user’s Apple ID. Siri responses are analyzed in secure facilities and all reviewers are under the obligation to adhere to Apple’s strict confidentiality requirements."

Apple hasn't commented on the settlement, but the company included its denial of wrongdoing as a settlement term.



Threat Actors Stole $2.2 Billion Worth of Cryptocurrency in 2024

Researchers at Chainalysis found that hackers have stolen $2.2 billion in cryptocurrency over the past year, with a majority (61%) of the thefts linked to North Korean threat actors. The researchers found that North Korean "attacks between $50 and $100 million, and those above $100 million occurred far more frequently in 2024 than they did in 2023, suggesting that the DPRK is getting better and faster at massive exploits." 

Chainalysis observed a noticeable drop in DPRK cryptocurrency theft following a meeting between Vladimir Putin and Kim Jong Un in late June, during which the two leaders signed a mutual defense pact that freed up millions of dollars in North Korean assets previously frozen by Russia. The researchers note, "[A]mounts stolen by the DPRK dropped by approximately 53.73% after the summit, whereas non-DPRK amounts stolen rose by approximately 5%. It is therefore possible that, in addition to redirecting military resources toward the conflict in Ukraine, the DPRK — which has dramatically increased its cooperation with Russia in recent years — may have altered its cybercriminal activity as well." 

The blockchain analysis firm adds, "Private key compromises accounted for the largest share of stolen crypto in 2024, at 43.8%. For centralized services, ensuring the security of private keys is critical, as they control access to users’ assets. Given that centralized exchanges manage substantial amounts of user funds, the impact of a private key compromise can be devastating." 
