Microsoft: Office 2013 will reach end of support in April 2023
Microsoft Office 2013 is approaching its end of support next year on April 11, 2023. Microsoft has advised customers to switch to a newer version in order to reduce their exposure to security risks. This means there will be no new security updates for this version, which, in addition to security risks, may also impact an organization’s ability to meet compliance obligations. Also, connecting Office 2013 clients to Microsoft 365 might lead to performance or reliability issues.
Stolen OAuth tokens used to download data from dozens of organizations
Threat actors have been abusing stolen OAuth user tokens that were issued to two third-party OAuth integrators, Heroku and Travis-CI. They have been using them to download data from dozens of organizations, including npm. Microsoft-owned GitHub denies that the attacker obtained these tokens via a compromise of GitHub or its systems, saying, “the stolen tokens used to access the repositories are not stored by GitHub in their original, usable formats.” GitHub is still investigating the compromise and is notifying affected organizations.
Mute button in conferencing apps may not actually mute your mic
A new study, conducted by a team of researchers at the University of Wisconsin-Madison and the Loyola University in Chicago, shows that pressing the mute button on popular video conferencing apps may not actually work like you think it should, with apps still listening in on your microphone. More specifically, pressing mute does not prevent audio from being transmitted to the apps’ servers. The apps tested in this phase of the study included Zoom, Slack, MS Teams/Skype, Google Meet, Cisco Webex, GoToMeeting, Discord and others. Zoom was found to actively track whether the user is talking even while in mute mode. The worst case, according to the study, was Cisco Webex, which continued to receive raw audio data from the user’s microphone and transmitted it to the vendor’s servers in precisely the same way it did when unmuted.
Enemybot, a new DDoS botnet appears on the threat landscape
Enemybot has already targeted several routers and web servers by exploiting known vulnerabilities, say researchers from Fortinet who discovered it. The botnet targets architectures such as arm, bsd, x64, and x86. The Fortinet team has identified the cybercrime group Keksec, which focuses on DDoS-based extortion, as the botnet’s owner. Borrowing code in part from the infamous Mirai botnet, Enemybot uses a list of hardcoded username/password combinations to log in to devices in an attempt to access systems using weak or default credentials.
Cisco vulnerability lets hackers craft their own login credentials
The critical vulnerability, with a CVSS v3 score of 10.0 and tracked as CVE-2022-20695, impacts the Wireless LAN Controller (WLC) software, allowing remote attackers to “log in to target devices through the management interface without using a valid password. The bug involves the improper implementation of the password validation algorithm, making it possible to bypass the standard authentication procedure on non-default device configurations.” According to an advisory published by Cisco, products affected by this flaw are those that run Cisco WLC Software 8.10.151.0 or Release 8.10.162.0 and have “macfilter radius compatibility” configured as “Other.”
Lazarus Group behind Axie Infinity crypto hack
The U.S. Treasury Department is pointing at North Korea-backed Lazarus Group as the culprit in the theft of $540 million from video game Axie Infinity’s Ronin Network, a story we reported on last month. On Thursday, the Department “tied the Ethereum wallet address that received the stolen funds to the threat actor, and sanctioned the funds by adding the address to the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) List.” The heist, which is the second-largest cyber-enabled theft to date, involved the “siphoning of 173,600 Ether (ETH) and 25.5 million USD Coins from the Ronin cross-chain bridge, which allows users to transfer their digital assets from one crypto network to another, on March 23, 2022…The attacker used hacked private keys in order to forge fake withdrawals,” the Ronin Network explained in its disclosure report a week later, after the incident came to light.
Sophisticated spyware attack targets top EU legal officials’ iPhones
The NSO spyware story continues with reports from Reuters that the phones of at least five EU officials were hacked with invasive malware between February and September of 2021. Belgian politician Didier Reynders, the EU’s European Justice Commissioner since 2019 (equivalent to the Attorney General in the United States), was one of those targeted. Reuters adds that at least four other members of the Justice and Consumers commission were also spied on. NSO has denied that it had any involvement in this case, saying the hacking of the EU officials “could not have happened with NSO’s tools.”
(Gizmodo)
Several vulnerabilities allow disabling of Palo Alto Networks products
Palo Alto Networks has informed customers about vulnerabilities that could allow a malicious actor to disable its products, based on information from security researcher “mr.d0x” who described how its Cortex XDR Agent “can be bypassed by an attacker with elevated privileges by modifying a registry key, leaving the endpoint exposed to attacks,” something that the product’s anti-tampering feature is unable to prevent. “Mr.d0x also discovered that there is a default uninstall password that — if it hasn’t been changed by the admin — can also be used to disable the XDR agent. Several cybersecurity vendors have been assessing the impact of this flaw on their products.”






