Cyber Security Weekly Recap (27.March-02.April)

Wi-Fi Protocol Security Flaw Puts Millions of Devices at Risk

A newly discovered security flaw in the Wi-Fi protocol standard, which affects Linux, FreeBSD, Android, and iOS devices, could be used by attackers to hijack TCP connections or intercept client and web traffic. Researchers from Northeastern University and KU Leuven have disclosed the fundamental design flaw, which abuses the power-save mechanisms of endpoint devices to trick access points into leaking data frames in plaintext or encrypting them with an all-zero key. Successful exploitation could also result in denial of service by forcing the access point to queue frames intended for a specific client.

Although Cisco referred to the vulnerabilities as an “opportunistic attack” and said that the information gained by attackers would have minimal value in a secure network configuration, the company did acknowledge that the attack could be successful against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.

Security experts recommend implementing transport layer security (TLS) to encrypt data in transit and applying policy enforcement mechanisms to restrict network access to reduce the probability of such attacks. The vulnerability poses a significant threat, considering that the Wi-Fi protocol is widely used, and millions of devices could be impacted. Thus, the industry must act quickly to implement security measures and mitigate potential threats.

New Supply Chain Attack Affects Millions of 3CX Desktop App Users

3CX, a leading provider of voice and video conferencing software, is working on a software update for its desktop app after multiple cybersecurity vendors warned of an active supply chain attack. This attack uses digitally signed and rigged installers of the 3CXDesktopApp to target downstream customers.

SentinelOne researchers have identified the attack as a Trojanized 3CX desktop app, which is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub, ultimately leading to a third-stage infostealer DLL. The cybersecurity firm has named the attack “SmoothOperator”. It has been active since at least February 2022, with indications that it started on March 22, 2023.
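The ICO-with-appended-Base64 staging described above can be checked for by comparing where an icon's directory says the image data ends with where the file actually ends. The following is an added illustration, not code from the page, from SentinelOne or from 3CX: it parses the ICO directory, finds the last byte referenced by any entry, and flags trailing data that decodes cleanly as Base64. The function names and the sample ICO bytes are constructed here, and the check is a generic heuristic for trailing data, not a signature for this campaign.

```python
import base64
import binascii
import struct

def ico_payload_end(data: bytes) -> int:
    """Offset just past the last image referenced by the ICO directory.
    Raises ValueError if the header is not a well-formed ICO directory."""
    if len(data) < 6:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO directory header")
    end = 6 + 16 * count  # directory itself: 6-byte header + 16 bytes per entry
    for i in range(count):
        # Each entry: width, height, colors, reserved, planes, bpp, bytesInRes, imageOffset
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return end

def extract_trailer(data: bytes) -> bytes:
    """Bytes after the last legitimate image; empty for a well-formed file."""
    end = ico_payload_end(data)
    return data[end:] if end < len(data) else b""

def looks_like_base64(blob: bytes) -> bool:
    """True if the trailer is non-trivial and strictly valid Base64."""
    text = blob.strip()
    if len(text) < 16 or len(text) % 4 != 0:
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def classify_ico(data: bytes) -> str:
    trailer = extract_trailer(data)
    if not trailer:
        return "clean"
    return "suspicious-base64-trailer" if looks_like_base64(trailer) else "unexpected-trailer"

# Constructed sample: a minimal one-entry 16x16 ICO with 40 bytes of dummy image data at offset 22
IMAGE = bytes(40)
CLEAN_ICO = (struct.pack("<HHH", 0, 1, 1)
             + struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(IMAGE), 22)
             + IMAGE)
# Constructed tampered sample: the same icon with a Base64 blob appended after the image data
TAMPERED_ICO = CLEAN_ICO + base64.b64encode(b"constructed second-stage placeholder")
```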

3CX claims to have over 600,000 customers and 12 million users in 190 countries, including some of the biggest names in business such as American Express, BMW, Honda, Ikea, Pepsi, and Toyota. Cybersecurity firm CrowdStrike attributes the attack with high confidence to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.

3CX is in the process of issuing a new build of the app to prevent this issue from happening again. 3CX’s CEO Nick Galea has confirmed that Android and iOS versions of the app are not affected. In the meantime, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.

New MacStealer Malware Targets macOS Devices

Researchers have discovered a new information-stealing malware targeting Apple’s macOS operating system. Dubbed MacStealer, the malware primarily affects devices running macOS versions Catalina and later with M1 and M2 CPUs. It uses Telegram as a command-and-control (C2) platform to exfiltrate data. According to Uptycs researchers, MacStealer can steal documents, cookies from the victim’s browser, and login information.

MacStealer is a work in progress, and its authors plan to add features to capture data from Apple’s Safari browser and the Notes app. In its current form, MacStealer is designed to extract iCloud Keychain data, passwords, and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. It also features support for harvesting Microsoft Office files, images, archives, and Python scripts.

To mitigate such threats, it’s recommended that users keep their operating system and security software up to date and avoid downloading files or clicking links from unknown sources.

Hackers Exploit WordPress Elementor Pro Vulnerability

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The vulnerability, described as a case of broken access control, affects versions 3.11.6 and earlier, which the plugin maintainers addressed in version 3.11.7 released on March 22. The premium plugin is estimated to be used on over 12 million sites.

Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled. Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, the latest version, as soon as possible to mitigate potential threats.

To avoid such attacks, it is recommended that WordPress users keep their sites updated and use reputable plugins and themes. They should also enforce strong passwords, use two-factor authentication, and restrict access to the site’s administration area.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
