4 min read

Threat Report 12/7/23

Threat Report 12/7/23
Google Workspace Vulnerability Discovered 

Researchers at Hunters have discovered a design flaw in Google Workspace's Domain-Wide delegation feature that can lead to “misuse of existing delegations, potentially enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges.” 

The researchers say the flaw, which they call “DeleFriend,” “could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain.” 

Hunters disclosed the flaw to Google and says it's working with Google's security and product teams to develop mitigations. A Google spokesperson told Dark Reading, “This report does not identify an underlying security issue in our products. As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks.” 


 

Vulnerability in Apple Products
Could Allow for
Arbitrary Code Execution 
  

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

Affected Systems:

  • Versions prior to macOS Sonoma 14.1.2 
  • Versions prior to iOS 17.1.2 and iPadOS 17.1.2 
  • Versions prior Safari 17.1.2 

Risk:

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure Apple software has the latest version(s) installed 
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need it) 

References


 
Multiple Vulnerabilities in Mozilla Products
Could Allow for Arbitrary Code Execution
 

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights. 

Affected Systems:

  • Firefox ESR versions prior to 115.5.0 
  • Thunderbird versions prior to 115.5 
  • Firefox for iOS versions prior to 120 
  • Firefox versions prior to 120 


Risk:

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all Mozilla products have the latest version(s) installed.
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need it)
 References

 
Joint Guidelines for Secure AI System Development 

 

In a landmark collaboration, the Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom National Cyber Security Centre (NCSC) released Guidelines for Secure AI System Development. Co-sealed by 23 domestic and international cybersecurity organizations, this publication marks a significant step in addressing the intersection of artificial intelligence (AI), cybersecurity, and critical infrastructure. 

The Guidelines, complementing the US Voluntary Commitments on Ensuring Safe, Secure, and Trustworthy AI, provide essential recommendations for AI system development and emphasize the importance of adhering to Secure by Design principles. The approach prioritizes ownership of security outcomes for customers, embraces radical transparency and accountability, and establishes organizational structures where secure design is a top priority. 

The Guidelines apply to all types of AI systems, not just frontier models. We provide suggestions and mitigations that will help data scientists, developers, managers, decision-makers, and risk owners make informed decisions about the secure design, model development, system development, deployment, and operation of their machine learning AI systems. 

This document is aimed primarily at providers of AI systems, whether based on models hosted by an organization or making use of external application programming interfaces. However, we urge all stakeholders—including data scientists, developers, managers, decision-makers, and risk owners make—to read this guidance to help them make informed decisions about the design, deployment, and operation of their machine learning AI systems. 

CISA invites stakeholders, partners, and the public to explore the Guidelines for Secure AI System Development as well as the recently published Roadmap for AI to learn more about our strategic vision for AI technology and cybersecurity. To access learn more, visit CISA.gov/AI. 






 
Beware of Card Skimming This Holiday Shopping Season

 

The number of reported card skimming incidents increased 20 percent during the first half of 2023 compared to the same period in 2022. Based on this trend, the upcoming holiday shopping season means increased card skimming opportunities for threat actors to capture and steal customer data and financial information through various digital and physical realms, such as stores, restaurants, gas stations, and ATMs. Threat actors continue to seek out better methods to conceal their attacks and evade various security measures. This stolen data has severe consequences for consumers and businesses, including loss in revenue, legal damages, compliance issues, cross-site contamination, identity theft, fraud, and subsequent malicious activity. 

Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Once payment card data is stolen, it can be used by the threat actors to make fraudulent purchases or sell on dark web or other marketplaces. These attacks continue to be prevalent, with a new campaign observed abusing 404 error pages and targeting many large organizations in the retail and food industries. Manipulating the website’s default 404 error page to hide malicious code is one of the more advanced obfuscation techniques seen before and creates challenges for detection and mitigation. Similar to the recent uptick in Magecart attacks, the Kritec campaign is ramping up its activity in time for the holiday shopping season based on the number of newly registered domain names attributed to the threat actor. In this skimming campaign, threat actors create compelling customized templates in local languages that make detection difficult. 

Card skimming is not just limited to online transactions. Threat actors can discretely install small card-reading devices in point-of-sale (POS) terminals to steal card information. These devices can be installed at stores, restaurants, and gas stations. This past year, the Walmart retailer has been a frequent target of card skimming at 16 different US locations. Also, skimming devices were found on two gas pumps at a Delaware BP gas station. Threat actors are also targeting ATMs and shifting in terminal types and locations of card compromises. Non-bank ATMs at convenience stores and gas stations are becoming more prevalent than bank ATMs. In September 2023, skimming devices were discovered at an ATM inside a Wawa convenience store in Cinnaminson, NJ, and may have been installed for two months before its discovery. 

 

Threat Report 12/10/24

Threat Report 12/10/24

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution Multiple vulnerabilities have been discovered in Google Android...

Read More
Threat Report 11/21/24

Threat Report 11/21/24

Critical Patches Issued for Microsoft Products Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could...

Read More
Threat Report 11/7/24

Threat Report 11/7/24

Multiple Vulnerabilities in Microsoft Edge (Chromium-Based) Could Allow for Arbitrary Code Execution Multiple vulnerabilities have been discovered...

Read More