
    Date: 8/22/2022

    Serious TikTok Security Risks

    Overview

    Forbes has reported a serious security risk associated with the popular social media app TikTok. When users open a website through a link inside TikTok, the app's in-app browser injects code that can monitor keystrokes and access clipboard content. This allows user data to be captured, including passwords, usernames, browsing activity, and even credit card details if purchases are made. The company has confirmed that this code exists in the app’s in-app browser but has strongly insisted that the data is used purely to detect bots or spam software.

    Potential Impact

    This revelation comes amid heightened security concerns about the widely downloaded app, primarily raised by government bodies and military organizations. In July, Australian-US security firm Internet 2.0 published a report finding that the app collects ‘excessive’ and ‘concerning’ amounts of data from its users. The reported capabilities include harvesting user contact lists and calendar appointments, scanning hard drives, and geolocating registered devices.

    Recommended Actions

    To protect against potential sensitive information disclosure, organizations should restrict users’ ability to download and install the TikTok app on any organization-owned devices. This includes corporate-issued phones as well as laptop and desktop computers. Organizations should also educate personnel on the potential security risks of having TikTok installed on their personal devices.


      Lazarus Group Targeting macOS Users via Fake Job Ads

      Overview

      The North Korean ransomware group Lazarus has recently been reported targeting macOS users via fake job ads and offers. ESET’s security research team has tracked the group’s new attack vector, which involves crypto-trading company Coinbase Inc. After going through interview processes, targeted users are sent malicious attachments in ‘follow-up’ emails containing ransomware and various other malware droppers.

      Potential Impact

      The Lazarus ransomware is a highly sophisticated strain that has had a high level of success in 2022. Should this strain find its way onto a corporate network, it can have a catastrophic impact.

      Recommended Actions

      Although this attack vector is highly targeted at job-seekers, other ransomware gangs have also been seen attaching malicious documents to fake job applications sent to major organizations. This form of phishing is often more successful because it is an effective social engineering attack that plays on end users’ trust in normal job-seeking activity.

      To limit the efficacy of these attacks, organizations should conduct routine social engineering tests and phishing training for their employees. These testing activities should also use sophisticated lures, such as malicious job applications and promotional material, so that they reflect the tactics actually in use.

      Sources
      https://www.independent.co.uk/news/world/americas/crime/north-korean-lazarus-hackers-mac-b2148846.html?&web_view=true
      https://www.oodaloop.com/technology/2022/08/19/infamous-lazarus-hacking-group-targeting-mac-users-with-fake-job-listings/

      Google Chrome Security Fixes, Including Chrome Web Intents Zero-day

      Overview

      Google has released security fixes for eleven vulnerabilities. Among them is a zero-day tracked as CVE-2022-2856 (“Insufficient validation of untrusted input in Intents”, per the official description), for which an exploit exists in the wild. Chrome Web Intents are a mechanism for launching applications directly from a web page, with data from the page fed into the external application. The other vulnerabilities relate to memory mismanagement in Chrome.

      Potential Impact

      Although Google has not released many details about CVE-2022-2856, such as which applications or data types are involved, it appears exploitation could occur if a user visits a malicious site that sends crafted data to a local application through Google Chrome; this could subsequently lead to code execution.

      Recommended Actions

      Administrators should ensure that Chrome is configured to automatically install updates and/or urge users to update as quickly as possible. This can be done by clicking the three dots in the top right, clicking Help, selecting ‘About Google Chrome’, and then clicking ‘Update Google Chrome’.

      Sources
      https://thehackernews.com/2022/08/new-google-chrome-zero-day.html
      https://nakedsecurity.sophos.com/2022/08/17/chrome-browser-gets-11-security-fixes-with-1-zero-day-update-now/

      Thousands of Exposed VNC Servers Found Without Passwords

      Overview

      Security researchers at Cyble recently discovered at least 9,000 exposed Virtual Network Computing (VNC) servers accessible without authentication. VNC servers are meant to provide platform-independent remote access to Windows, macOS, and *NIX systems. Threat actors can exploit remotely accessible VNC servers to gain subsequent access to corporate networks, especially when the server requires no authentication, as the Cyble researchers found. Most of these servers were located in China and Sweden; others were found in the United States, Spain, and Brazil. In addition, some of the exposed systems were industrial control systems (ICS), which poses a significantly greater threat.

      Potential Impact

      Threat actors can use this remote access to conduct post-exploitation activities such as data exfiltration, lateral movement, and domain privilege escalation. This can be particularly difficult to detect when a threat actor gains access without any remote exploitation, i.e., by simply logging into a VNC server that requires no authentication, because there is no exploit attempt to trigger security alerts.

      Recommended Actions

      VNC servers configured without authentication are normally the result of negligence, error, or inadequate security policies. Organizations must follow security best practices and be keenly aware of the configuration(s) of any internet-exposed systems in their corporate environment. Additionally, organizations should conduct regular vulnerability assessments and external penetration tests to uncover any potential access points into the internal network.
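      As an added defensive example (not code from this briefing or from Cyble's research), the Python below parses the security-type message a VNC server sends during the RFB handshake, so an internal asset audit can distinguish a server offering “None” (no authentication) from one that requires VNC, TLS, or VeNCrypt authentication. It handles both the legacy RFB 3.3 single-type form and the 3.7/3.8 list form, including the refusal case. The handshake captures and host labels in SAMPLE_RECORDS are constructed for illustration, not real hosts.

```python
from __future__ import annotations
import struct

# RFB security-type codes from the RFB protocol specification (RFC 6143 and the
# community registry). Unknown codes are still reported, just not named.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",                # no authentication at all
    2: "VNC Authentication",  # DES challenge-response on a password
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple ARD",
}


def parse_protocol_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner every VNC server sends first."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major.decode()), int(minor.decode())


def _reason(buf: bytes) -> str:
    """Decode the u32-length-prefixed reason string that follows a refusal."""
    if len(buf) < 4:
        return "<no reason given>"
    (length,) = struct.unpack(">I", buf[:4])
    return buf[4:4 + length].decode("latin-1", "replace")


def parse_security_types(banner: bytes, payload: bytes) -> list[int]:
    """Return the security types the server offers right after the version exchange.

    RFB 3.3: the server picks one type and sends it as a big-endian u32
             (0 = connection failed, followed by a length-prefixed reason).
    RFB 3.7/3.8: a u8 count followed by that many u8 type codes; a count of 0
             likewise means failure plus a length-prefixed reason.
    """
    major, minor = parse_protocol_version(banner)
    if major != 3:
        raise ValueError(f"unsupported RFB major version {major}")
    if minor < 7:
        if len(payload) < 4:
            raise ValueError("truncated RFB 3.3 security type")
        (sec_type,) = struct.unpack(">I", payload[:4])
        if sec_type == 0:
            raise ConnectionError("server refused connection: " + _reason(payload[4:]))
        return [sec_type]
    if not payload:
        raise ValueError("empty security-type message")
    count = payload[0]
    if count == 0:
        raise ConnectionError("server refused connection: " + _reason(payload[1:]))
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def describe(types: list[int]) -> list[str]:
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]


def accepts_unauthenticated(types: list[int]) -> bool:
    """True when the server offers type 1 ('None'): any client that connects
    gets a desktop session without presenting a password."""
    return 1 in types


def audit(records) -> list[tuple[str, str]]:
    """records: iterable of (host, banner, payload). Returns (host, finding) pairs."""
    findings = []
    for host, banner, payload in records:
        try:
            types = parse_security_types(banner, payload)
        except (ValueError, ConnectionError) as exc:
            findings.append((host, f"unparseable/refused: {exc}"))
            continue
        label = "CRITICAL no-auth VNC" if accepts_unauthenticated(types) else "ok"
        findings.append((host, f"{label}: {', '.join(describe(types))}"))
    return findings


# Constructed handshake captures (placeholder hosts): the bytes a server sends
# immediately after the client echoes the protocol version.
SAMPLE_RECORDS = [
    ("host-a (constructed)", b"RFB 003.008\n", b"\x01\x01"),              # offers only None
    ("host-b (constructed)", b"RFB 003.008\n", b"\x02\x02\x13"),          # VNC auth + VeNCrypt
    ("host-c (constructed)", b"RFB 003.003\n", b"\x00\x00\x00\x01"),      # legacy 3.3, None
    ("host-d (constructed)", b"RFB 003.008\n", b"\x00\x00\x00\x00\x08Too many"),  # refused
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_RECORDS):
        print(f"{host}: {finding}")
```

      A server that offers “None” anywhere in its list should be treated as the Cyble findings describe: an open door into the network segment it sits on, regardless of whether it also offers stronger types.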

      Sources
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22536
      https://thehackernews.com/2022/08/cisa-adds-7-new-actively-exploited.html
      https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/

      Apple Patches Zero-day Vulnerabilities in Both macOS and Apple iOS

      Overview

      On August 17, 2022, Apple released macOS Monterey 12.5.1, iOS 15.6.1, and iPadOS 15.6.1, which patch two zero-day vulnerabilities in the affected products. CVE-2022-32893 addresses a WebKit vulnerability (WebKit is the engine behind Apple’s Safari browser). CVE-2022-32894 addresses an “out-of-bounds write” vulnerability in both macOS and iOS. Both vulnerabilities are reported to be under active exploitation.

      Potential Impact

      Exploitation of the referenced vulnerabilities can lead to device takeover, which may give attackers a foothold to launch additional attacks against corporate resources. 

      According to Apple, for CVE-2022-32893, “Processing maliciously crafted web content may result in arbitrary code execution”. Apple discloses similar information regarding CVE-2022-32894: “An application may be able to execute arbitrary code with kernel privileges.” “Arbitrary code execution” means that an attacker has some level of control over the exploited device; “kernel privileges” means that the attacker has full control over the local device.

      Recommended Actions

      Apply patches to Apple devices as soon as possible. For organizations not actively managing Apple devices, communicate with users to ensure that they patch their own devices. Do not overlook iPhones: credentials and Multi-Factor Authentication (MFA) information stolen from a compromised phone can defeat corporate security controls.

      Sources
      https://support.apple.com/en-us/HT213412
      https://support.apple.com/en-us/HT213413
      https://www.darkreading.com/vulnerabilities-threats/patch-apple-zero-days-exploited

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
