Security News
Like almost all Apple security fixes, the update arrived without any sort of warning, but unlike most Apple updates, only a single bug was listed on the "Fix list," and even by Apple's brisk and efficient bug-listing standards, the information published was thin. All we know is that Apple says that it "Is aware of a report that this issue may have been actively exploited".
Apple on Monday rolled out an urgent security update for iOS, iPadOS, and macOS to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year. CVE-2021-30661 - Processing maliciously crafted web content may lead to arbitrary code execution.
The spyware vendor was also formally identified as the commercial surveillance company that Google's Threat Analysis Group revealed as exploiting multiple zero-day vulnerabilities in Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto's Citizen Lab. "Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers said.
A set of unique spyware strains created by an Israeli firm and allegedly used by governments around the world to surveil dissidents has been defanged by Microsoft, the software giant said. The spyware exploits two elevation-of-privilege security vulnerabilities in Windows, CVE-2021-31979 and CVE-2021-33771, both of which were addressed in Microsoft's July Patch Tuesday update this week.
Have you noticed that lately we've been hearing more about in-the-wild attacks exploiting 0-day vulnerabilities? "Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year - 11 more than the total number from 2020," researchers with Google's Threat Analysis Group have pointed out in a recent blog post. TAG analysts Maddie Stone and Clement Lecigne have shared information about several attack campaigns exploiting 0-day vulnerabilities that TAG discovered this year, and in some of them they believe the 0-day exploits were sourced from the same commercial surveillance company.
Microsoft on Tuesday disclosed that the latest string of attacks targeting SolarWinds Serv-U managed file transfer service with a now-patched remote code execution exploit is the handiwork of a Chinese threat actor dubbed "DEV-0322.". While it was previously revealed that the attacks were limited in scope, SolarWinds said it's "Unaware of the identity of the potentially affected customers."
U.S. technology firm Kaseya, which is firefighting the largest ever supply-chain ransomware strike on its VSA on-premises product, ruled out the possibility that its codebase was unauthorizedly tampered with to distribute malware. While initial reports raised speculations that REvil, the ransomware gang behind the attack, might have gained access to Kaseya's backend infrastructure and abused it to deploy a malicious update to VSA servers running on client premises, in a modus operandi similar to that of the devastating SolarWinds hack, it has since emerged that a never-before-seen security vulnerability in the software was leveraged to push ransomware to Kaseya's customers.
Amidst the massive supply-chain ransomware attack that triggered an infection chain compromising thousands of businesses on Friday, new details have emerged about how the notorious Russia-linked REvil cybercrime gang may have pulled off the unprecedented hack. The Dutch Institute for Vulnerability Disclosure on Sunday revealed it had alerted Kaseya to a number of zero-day vulnerabilities in its VSA software that it said were being exploited as a conduit to deploy ransomware.
There is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can't or won't upgrade to the latest operating system. At issue is a remote code execution flaw residing in all Western Digital network attached storage devices running MyCloud OS 3, an operating system the company only recently stopped supporting.