Security News

The Federal Bureau of Investigation warned of an advanced persistent threat compromising FatPipe router clustering and load balancer products to breach targets' networks. "As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021," the FBI said in a flash alert issued this week.

While mostly hidden in private conversations, details sometimes emerge about the parallel economy of vulnerability exploits on underground forums, revealing just how fat of a wallet some threat actors have. If it takes too long, developers may lose the chance to make big money because competitors may come up with an exploit variant, dragging down the price.

A new zero-day vulnerability has been disclosed in Palo Alto Networks GlobalProtect VPN that could be abused by an unauthenticated network-based attacker to execute arbitrary code on affected devices with root user privileges. Successful exploitation of the flaw necessitates that the attacker strings it with a technique known as HTTP smuggling to achieve remote code execution on the VPN installations, not to mention have network access to the device on the GlobalProtect service default port 443.

Google researchers on Thursday disclosed that it found a watering hole attack in late August exploiting a now-parched zero-day in macOS operating system and targeting Hong Kong websites related to a media outlet and a prominent pro-democracy labor and political group to deliver a never-before-seen backdoor on compromised machines. "Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code," Google Threat Analysis Group researcher Erye Hernandez said in a report.

A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System remains unaddressed fully by Microsoft - but an unofficial micropatch from oPatch has hit the scene. "The vulnerability lies in the User Profile Service, specifically in the code responsible for creating a temporary user profile folder in case the user's original profile folder is damaged or locked for some reason," explained 0Patch's Mitja Kolsek in a Thursday writeup.

Since at least late August, attackers have been using flaws in macOS and iOS - including in-the-wild use of what was then a zero-day flaw - to install a backdoor on the Apple devices of users who visited Hong Kong-based media and pro-democracy sites. In other words, the threat actors threaded malware into the legitimate websites of "a media outlet and a prominent pro-democracy labor and political group" in Hong Kong, according to TAG. The victims' devices were inflicted with what was then a zero day, plus another exploit that used a previously patched vulnerability for macOS that was used to install a backdoor on their computers, according to TAG's report.

Google researchers discovered a MacOS zero-day exploit being used against Hong Kong activists. Google's researchers were able to trigger the exploits and study them by visiting the websites compromised by the hackers.

A free and unofficial patch is now available for a zero-day local privilege escalation vulnerability in the Windows User Profile Service that lets attackers gain SYSTEM privileges under certain conditions. The bad news is that it impacts fully-updated devices running all Windows versions, including Windows 10, Windows 11, and Windows Server 2022.

Researchers have developed a working exploit to gain remote code execution via a massive vulnerability in a security appliance from Palo Alto Networks, potentially leaving more than 70,000 vulnerable firewalls with their goods exposed to the internet. The Randori Attack Team found the zero day a year ago, developed a working exploit and used it against Randori customers over the past year.

During this month's Patch Tuesday, Microsoft has patched an Excel zero-day vulnerability exploited in the wild by threat actors. Microsoft also patched a second Excel security flaw used during the Tianfu Cup hacking contest last month, a remote code execution bug tracked as CVE-2021-40442 and exploitable by unauthenticated attackers.