This Week in Cyber 28st October 2022

Apple Releases Patch For Ninth Zero-Day Vulnerability This Year

Tech Giant Apple on Monday released its patch for the 9th zero-day vulnerability this year, with Apple stating that it ‘may have been actively exploited’ in the wild. The vulnerability, tracked as CVE-2022-42827, is an out-of-bounds write issue within the Kernel, which could be used by threat actors to corrupt data, crash applications or the phone itself and execute malicious code through a memory leak / corruption. Although Apple acknowledged that they were ‘aware of a report that this issue may have been actively exploited’, they refrained from going into more detail. Apple users should immediately carry out a software upgrade on their iPhones (iPhone 8 and later) and iPads (iPad air 3rd gen and later, iPad 5th gen and later, and iPad mini 5th gen and later) to prevent actors from gaining access.

The FBI and CISA have warned of Daixin Team Hackers targeting health organisations with Ransomware

A joint effort between multiple departments of the US government have issued a warning to health organisations that the hacking team Daixin are primarily targeting them with ransomware. The hacking team have been active for at least 4 months and have previously ransomed Oakbend Medical Center on September 1st. The hacking team have opted to exfiltrate the data as well as encrypt it, this serves as leverage for the organisations to pay the ransom. The Oakbend case saw 3.5GB worth of data exfiltrated consisting of personal details, health records, social security numbers and many other identifiable information types. The Daixin team have been seen exploiting flaws in unpatched VPN servers or using credentials obtained via phishing to gain access. Following gaining access, the team have been seen using SSH and RDP to move laterally to gather as much information as possible. Healthcare organisations have notoriously insecure networks that rely on many legacy systems therefore preventing breaches becomes much more difficult. Some mitigations that have been suggested is to require multi-factor authentication, implement network segmentation and periodically back up servers. 

22-Year-Old Vulnerability Discovered in SQLite Database

A 22-year-old high severity issue has been found by software security company Trail of Bits, in the hugely popular SQLite database library, which could allow attackers to execute malicious code on the victim system. The vulnerability is being tracked as CVE-2022-35737 with a CVSS score of 7.5 and affects versions from 1.0.12 to 3.39.1. Trail of Bits researcher Andreas Kellas explained the exploit: "On vulnerable systems, CVE-2022-35737 is exploitable when large string inputs are passed to the SQLite implementations of the print functions”. It can also occur when string formatting is used and will crash the program. Andreas continues with: “it is possible to achieve arbitrary code execution in the worst case, or to cause the program to hang and loop (nearly) indefinitely”. SQLite users should update to version 3.39.2 or higher where this vulnerability has been patched.

Tata Energy Hacked Data Leaked by Hive Ransomware Group

The Hive ransomware-as-a-service (RaaS) group has admitted they were responsible for a cyber attack on Mumbai based Tata Power on October 3rd, which the energy company disclosed on October 14th. During the attack, the ransomware group had been observed leaking data that was exfiltrated prior to encrypting the network as part of its double extortion scheme. Among the leaked data was Personally Identifiable Information (PII) of the Tata employees, including their Aadhaar numbers, driver’s license, salary, PAN numbers (Permanent Account Numbers) and engineering drawings. Due to the leak, its assumed that any ransomware negotiations broke down and Tata refused to pay to stop the data being made public on the HiveLeaks dark web page. The cyber attack group notably upgraded their tools to the Rust programming language back in July to deliver more sophisticated encryption.