Android

Malware

WhatsApp


YoWhatsApp: Modded WhatsApp spotted stealing users' access keys

A modded WhatsApp build that replicates the original app stealthily steals its users' access keys to gain remote access…

13-Oct-2022
3 min read

Related Articles


Vulnerability

Google reassigns CVE-2023-5129, a critical libwebp vulnerability initially mista...

Google has reclassified the zero-day it first tracked as a Chrome bug (CVE-2023-4863) as a critical flaw in the open-source libwebp library and assigned it a new identifier, CVE-2023-5129. The change matters well beyond Chrome: any browser or application that decodes WebP images with libwebp is exposed.

## Disclosure timeline

The vulnerability was reported on Wednesday, September 6, jointly by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto's Munk School. Google shipped a Chrome patch in under a week, but its initial decision to file the issue as a Chrome bug caused confusion and debate in the security community, because the affected code lives in a library shared by many projects.

Citizen Lab has a track record of uncovering zero-days used in targeted spyware campaigns, typically attributed to state-sponsored actors and aimed at high-risk individuals such as journalists and opposition politicians. Ben Hawkes, founder of a security consulting firm and former lead of Google's Project Zero, connected CVE-2023-4863 to CVE-2023-41064, which Apple patched on September 7. That Apple bug was abused in BLASTPASS, a zero-click iMessage exploit chain used to install NSO Group's Pegasus commercial spyware on fully patched iPhones.

## Reclassification and severity

CVE-2023-5129 is rated critical for libwebp, with the maximum severity score of 10/10. The reclassification underscores how serious the flaw is for every project that bundles the library rather than just for Chrome.

## Technical details

The flaw is a heap buffer overflow in libwebp's lossless (VP8L) decoder, in the code that builds the Huffman decoding tables (`BuildHuffmanTable`). A crafted image can supply code-length data for which the decoder writes more table entries than the fixed-size buffer it allocated, producing out-of-bounds heap writes. Google's advisory describes the trigger as a crafted HTML page, but any path that decodes attacker-supplied WebP images (web pages, messaging attachments, image previews) is a viable vector; the outcome ranges from a crash to arbitrary code execution and exposure of sensitive memory. Chrome versions before 116.0.5845.187 are affected; the library-level fix shipped in libwebp 1.3.2.

## Who is affected

libwebp is used by a long list of projects, including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera and the native Android web browsers. The practical check is therefore not only "is my browser patched?" but "which of my applications bundle a libwebp older than 1.3.2?"

The same bug is now tracked under multiple CVE IDs with different severity ratings. Google subsequently withdrew CVE-2023-5129 and marked it a duplicate of CVE-2023-4863, so scanners and advisories may cite either ID for the same libwebp fix. A Google spokesperson was unavailable for comment when contacted by BleepingComputer.

Organizations and users should apply patches and updates promptly and treat any software that renders WebP images as in scope.
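The bug class described above, as an added example: a small Python model of two-level Huffman lookup-table construction showing why the table must be sized from the code lengths actually present rather than from a fixed worst-case constant. This is illustration code, not libwebp's implementation; `ROOT_BITS`, `FIXED_CAPACITY` and the two constructed code-length lists are assumptions. Both sample codes are complete (Kraft sum exactly 1), so a decoder that validates only the Kraft sum accepts both, yet one needs 304 table entries and the other 386.

```python
"""Why a Huffman decoding table must be sized from the actual code lengths.

Added example modelling the bug class behind the libwebp flaw; it is not
libwebp's code. ROOT_BITS, FIXED_CAPACITY and the sample length lists are
assumptions for illustration.
"""
from collections import Counter

MAX_BITS = 15          # longest code the WebP lossless format allows
ROOT_BITS = 8          # bits consumed by the first-level lookup
FIXED_CAPACITY = 330   # hypothetical "worst case" constant a decoder might trust


def canonical_codes(code_lengths):
    """Assign canonical (deflate-style) codes; returns {symbol: (code, length)}."""
    bl_count = Counter(l for l in code_lengths if l)
    next_code, code = {}, 0
    for bits in range(1, MAX_BITS + 1):
        code = (code + bl_count.get(bits - 1, 0)) << 1
        next_code[bits] = code
    codes = {}
    for sym, length in enumerate(code_lengths):
        if length:
            codes[sym] = (next_code[length], length)
            next_code[length] += 1
    return codes


def is_complete(code_lengths):
    """Kraft sum exactly 1: every bit pattern decodes and none is ambiguous."""
    return sum(1 << (MAX_BITS - l) for l in code_lengths if l) == 1 << MAX_BITS


def _longest_under_prefix(codes):
    """Longest code length under each ROOT_BITS prefix that needs a sub-table."""
    longest = {}
    for code, length in codes.values():
        if length > ROOT_BITS:
            p = code >> (length - ROOT_BITS)
            longest[p] = max(longest.get(p, 0), length)
    return longest


def required_table_entries(code_lengths):
    """Root table of 2**ROOT_BITS entries plus one second-level table per
    prefix shared by longer codes, each sized for its longest code."""
    longest = _longest_under_prefix(canonical_codes(code_lengths))
    return (1 << ROOT_BITS) + sum(1 << (l - ROOT_BITS) for l in longest.values())


def fill_table(code_lengths, table):
    """Fill a two-level lookup table in place and return the slots used.
    Entries are (symbol, length) or ('sub', offset, bits) pointing into a
    second-level table. An index past len(table) raises IndexError here;
    the C equivalent is a silent heap write."""
    codes = canonical_codes(code_lengths)
    longest = _longest_under_prefix(codes)
    next_free = 1 << ROOT_BITS
    sub_tables = {}
    for sym, (code, length) in codes.items():
        if length <= ROOT_BITS:
            shift = ROOT_BITS - length          # replicate over unused low bits
            for i in range(code << shift, (code + 1) << shift):
                table[i] = (sym, length)
            continue
        p = code >> (length - ROOT_BITS)
        if p not in sub_tables:
            bits = longest[p] - ROOT_BITS
            sub_tables[p] = (next_free, bits)
            table[p] = ("sub", next_free, bits)
            next_free += 1 << bits
        offset, bits = sub_tables[p]
        rest_bits = length - ROOT_BITS
        low = (code & ((1 << rest_bits) - 1)) << (bits - rest_bits)
        for i in range(low, low + (1 << (bits - rest_bits))):
            table[offset + i] = (sym, length)
    return next_free


def build_table_fixed(code_lengths, capacity=FIXED_CAPACITY):
    """Vulnerable pattern: allocate a fixed worst-case buffer, then write."""
    table = [None] * capacity
    fill_table(code_lengths, table)
    return table


def build_table_checked(code_lengths):
    """Hardened pattern: validate the code, then size the buffer from it."""
    if not is_complete(code_lengths):
        raise ValueError("code lengths do not form a complete prefix code")
    table = [None] * required_table_entries(code_lengths)
    fill_table(code_lengths, table)
    return table


def overflows_fixed_buffer(code_lengths, capacity=FIXED_CAPACITY):
    """True if the vulnerable pattern would write past its buffer."""
    try:
        build_table_fixed(code_lengths, capacity)
    except IndexError:
        return True
    return False


# Constructed inputs: both are complete codes, so a Kraft-sum check alone
# accepts both, but they need very different table sizes.
BALANCED = [8] * 232 + [9] * 48                                 # 24 two-entry sub-tables
DEEP_CHAIN = [8] * 254 + [9, 10, 11, 12, 13, 14, 15, 15] * 2    # one 128-entry sub-table
```

`overflows_fixed_buffer(DEEP_CHAIN)` returns True while `build_table_checked(DEEP_CHAIN)` succeeds with a 386-entry table; an oversubscribed length list such as `[1, 1, 1]` overflows the fixed buffer too and is rejected outright by the checked variant. The point is the ordering: decide the size from the input, then allocate, then write.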

26-Sep-2023
3 min read

Cl0p

MOVEit

Healthcare

BORN Ontario Child Registry Healthcare Data Breach Affects 3.4 Million People ...

BORN Ontario, the provincial perinatal, newborn and child registry, recently fell victim to a massive healthcare data breach. The breach was attributed to a widely exploited vulnerability in the MOVEit Transfer file transfer software from Progress Software. In this [Threatfeed](https://www.secureblink.com/cyber-security-news), we go through the technical details of the incident and its implications for the affected parties.

## MOVEit Vulnerability

Late in the evening of May 31, 2023, BORN Ontario [learned](https://www.bornincident.ca/) of a critical vulnerability in the [MOVEit](https://www.secureblink.com/cyber-security-news/clop-ransomware-exploits-mov-eit-targeting-u-s-banks-and-universities) data transfer software, a widely used managed file transfer tool. The software is used not only by BORN but also by governments, private-sector organizations and multinationals worldwide. The vulnerability, tracked as [CVE-2023-34362](https://nvd.nist.gov/vuln/detail/CVE-2023-34362), allowed unauthenticated attackers to access and copy files containing personal health information.

### Exploitation

The attackers exploited the then-unpatched vulnerability to gain access to BORN's MOVEit Transfer server. The affected server was subsequently decommissioned, and file transfer operations were halted until the system's safety could be ensured. BORN states that its core BORN Information System (BIS) was not compromised.

## Data Exposed

The breach affected files in transit through MOVEit, potentially exposing the personal health information of approximately 3.4 million individuals, primarily people who sought prenatal or pregnancy care and newborns, between January 2010 and May 2023.

The exposed data includes:

- Full names
- Home addresses
- Postal codes
- Dates of birth
- Health card numbers

Depending on the care received, additional clinical information such as dates of service, lab test results, pregnancy risk factors, type of birth, procedures, and pregnancy and birth outcomes may also have been exposed.

## Extent of Impact

To put the scale into perspective, the breach affected 1.4 million individuals who sought prenatal or pregnancy care and 1.9 million newborns and children. The impact is substantial and raises serious concerns about patient privacy and data security.

## Response and Mitigation

BORN Ontario took immediate action to limit the breach's impact and prevent further unauthorized access. The key steps:

### Isolation and Containment

The affected server was isolated and taken offline to prevent further exploitation.

### Investigation

Third-party cybersecurity experts were engaged to investigate the scope and nature of the breach.

### Law Enforcement and Reporting

BORN Ontario reported the incident to law enforcement and to the Information and Privacy Commissioner of Ontario.

### Data Partners Collaboration

BORN Ontario worked with its data partners to address the consequences of the breach and identify the individuals affected.

## The MOVEit Zero-Day Vulnerability

Progress Software's advisory and Rapid7's analysis identify CVE-2023-34362 as a SQL injection vulnerability in the MOVEit Transfer web application, which attackers chained into remote code execution and data theft.

### Attack Vector

The vulnerability allowed attackers to execute arbitrary code remotely on the MOVEit Transfer server and take control of the affected system.

### Affected Systems

Rapid7's research indicates that approximately 2,500 MOVEit Transfer servers are exposed to the internet, primarily in the United States. All compromised systems examined carried a webshell named `human2.aspx` in the public HTML folder (wwwroot), alongside the legitimate `human.aspx` login page.

### Exploitation Details

When accessed with the correct password, the webshell allowed attackers to:

- Retrieve lists of stored files, their uploaders and file paths.
- Create and delete MOVEit Transfer users.
- Read the Azure Blob Storage account settings, potentially enabling data theft from the victim's Azure Blob Storage containers.

## Patching and Mitigation

Progress Software has released patches for the affected MOVEit Transfer versions. Organizations running the software should apply the relevant patch immediately; until they can, they should follow the mitigation steps below.

### Port Blocking

Administrators are advised to block external traffic to ports 80 and 443 on the MOVEit Transfer server. This disables the web UI and HTTPS-based automation, while SFTP and FTP/S transfers continue to work.

### Forensic Analysis

Organizations that were exposed should conduct a thorough forensic examination to determine whether data was stolen or systems were compromised: check wwwroot for unexpected files (`human2.aspx` in particular), review MOVEit user accounts for unauthorized additions, and review IIS logs for requests to the webshell.

## Threat Landscape

The MOVEit zero-day has resulted in mass exploitation and data theft. The attacks began on May 27, 2023, over the long US Memorial Day weekend, when security monitoring was reduced. The campaign follows the pattern of earlier attacks on managed file transfer (MFT) platforms.

### Potential Extortion

At the time of the first reports extortion had not yet begun; the campaign has since been claimed by the Cl0p ransomware group. Organizations affected by this breach should prepare for extortion demands and the publication of stolen data.

## Conclusion

The BORN Ontario data breach is a stark reminder of how a critical vulnerability in widely used software can have far-reaching consequences, affecting millions of individuals and organizations.

In response to this incident, swift action was taken to contain the threat, investigate the breach and inform the relevant authorities. The release of patches and mitigation steps is a positive step towards preventing further exploitation of the MOVEit vulnerability. As the investigation unfolds, the security community is watching for any sign of data misuse or extortion attempts. This incident underscores the need for constant vigilance and robust security measures to protect sensitive data.
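The hunt described under Exploitation Details and Forensic Analysis above, as an added example that is not part of the original article or of any vendor tooling. It parses W3C-format IIS log lines for requests to `human2.aspx` (any status code, since a 404 still identifies the probing source) and flags web files under the MOVEit wwwroot directory that carry the webshell name or were modified after the campaign start. The IIS field order, the install path `C:\MOVEitTransfer\wwwroot`, the timestamps and the sample log and directory listing are all constructed assumptions for illustration.

```python
"""Hunt for the MOVEit Transfer webshell in IIS logs and wwwroot.

Added example, not part of the original article or of any vendor tooling.
The log field order, the install path and all timestamps are assumptions.
"""
from datetime import datetime, timezone

WEBSHELL_NAME = "human2.aspx"                                # IOC from the reporting
CAMPAIGN_START = datetime(2023, 5, 27, tzinfo=timezone.utc)  # first exploitation seen
WWWROOT = r"C:\MOVEitTransfer\wwwroot"                       # assumed default install path

# Default W3C field set written by IIS (assumption: logging not customised).
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
              "sc-substatus sc-win32-status time-taken").split()


def parse_iis_line(line):
    """Return a field dict for one W3C log record, or None for headers/junk."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def webshell_hits(log_text):
    """Every request whose URI ends in the webshell name, regardless of status.
    A 404 still matters: it shows the source IP probing for the shell."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec and rec["cs-uri-stem"].lower().endswith("/" + WEBSHELL_NAME):
            hits.append({
                "when": rec["date"] + "T" + rec["time"] + "Z",
                "src": rec["c-ip"],
                "method": rec["cs-method"],
                "status": int(rec["sc-status"]),
            })
    return hits


def suspicious_web_files(listing, since=CAMPAIGN_START):
    """Flag the known webshell name and any .aspx/.dll under wwwroot modified
    after the campaign start (heuristic: legitimate MOVEit web files date
    from the install or the last upgrade, not from an attack window)."""
    flagged = []
    for path, mtime in listing:
        name = path.rsplit("\\", 1)[-1].lower()
        if name == WEBSHELL_NAME:
            flagged.append((path, "known webshell name"))
        elif name.endswith((".aspx", ".dll")) and mtime >= since:
            flagged.append((path, "web file modified after campaign start"))
    return flagged


# Constructed sample data (not real logs). 203.0.113.7 and 198.51.100.20 are
# documentation addresses; the legitimate login page is human.aspx.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-28 03:12:44 10.0.0.5 GET /human.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 120
2023-05-28 03:12:51 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 35
2023-05-28 03:13:02 10.0.0.5 GET /Human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 404 0 2 5
2023-05-28 03:14:10 10.0.0.5 GET /api/v1/files - 443 jsmith 198.51.100.20 Mozilla/5.0 - 200 0 0 60
"""

SAMPLE_LISTING = [  # (path, last-modified) pairs, constructed
    (WWWROOT + r"\human.aspx", datetime(2023, 3, 2, tzinfo=timezone.utc)),
    (WWWROOT + r"\human2.aspx", datetime(2023, 5, 28, 3, 12, tzinfo=timezone.utc)),
    (WWWROOT + r"\bin\MOVEitWeb.dll", datetime(2023, 3, 2, tzinfo=timezone.utc)),
    (WWWROOT + r"\images\logo.png", datetime(2023, 5, 29, tzinfo=timezone.utc)),
]
```

On a real server, feed `webshell_hits` the contents of the IIS log files for the site and build the listing from `os.walk` over wwwroot with each file's `st_mtime`. Matching on the webshell name alone is not enough, since an attacker can rename it; the modification-time heuristic catches a renamed copy, at the cost of also flagging files touched by a legitimate upgrade in the same window, which is why the reason string is returned with each path.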

25-Sep-2023
5 min read

Finance

Ransomware

Supply Chain

Clorox, a household brand, grapples with financial repercussions post-cyberattac...

In mid-August, Clorox, the household cleaning product manufacturer, suffered a serious security breach that significantly disrupted its operations. The consequences reach well beyond Clorox itself, down to retailers and end users.

## Overview of the Data Breach

The breach was detected when unusual activity was observed on the company's IT systems. The exact date remains undisclosed, but Clorox acted immediately on detection: as a precaution, certain systems were taken offline, a disruptive step the company judged necessary to prevent further damage.

## Intrusion's Impact on Operations

The consequences were significant. Clorox's operations suffered wide-scale disruption, lowering its order-processing rate and contributing to elevated product availability issues for consumers. The company believes the unauthorized activity is contained, which suggests the immediate threat has been mitigated, but the financial and operational impact was large enough for Clorox to treat the incident as material.

## Supply Chain Implications

The repercussions have rippled out into the supply chain. Some Clorox factories are still struggling to produce and ship products in sufficient quantities, and stores have begun running low on staples such as bleach and cat litter.

## Financial Implications and Business Continuity

The financial impact is substantial, as acknowledged in Clorox's [filing](https://d18rn0p25nwr6d.cloudfront.net/CIK-0000021076/ae1fd2f2-142b-4a99-bed8-e7bfeb8a2bb7.pdf) with the Securities and Exchange Commission (SEC). Specific figures have not been disclosed, but Clorox expects the breach to have a material impact on its first-quarter results.

The recovery timeline remains uncertain; the return to normal automated order processing is targeted for September 25. Clorox activated its business continuity plans and moved to manual order processing, a phased approach intended to serve customers during the disruption while prioritizing consumer in-stock levels. Production has resumed at most sites, but the company cannot yet estimate when operations will fully recover.

## Ransomware Suspicions

Clorox has not officially [confirmed](https://www.cloroxco-updates.com/) it, but many observers suspect this is another ransomware attack. That would not be surprising: previous ransomware victims have reported disruptions and losses totalling hundreds of millions of dollars.

### Clorox's Response

Clorox is working to restore its IT infrastructure and reintegrate the systems that were taken offline. It is gradually transitioning back to automated order processing but has not given a definite timeline for a return to normal operations. The financial impact, certain to be substantial for the first quarter, remains uncertain in the longer term as recovery continues.

### Progress Updates

Clorox has been posting regular updates, listed here in chronological order:

**August 14, 2023 - 3:15 PM** The initial detection of unusual activity prompted Clorox to take certain systems offline. The company is in the early stages of investigating the nature and scope of the breach and working to restore systems.

**August 15, 2023 - 5:14 PM** Clorox announces a careful, systematic approach to restoring offline systems and activates its business continuity plans, reiterating its commitment to serving consumers.

**August 17, 2023 - 9:33 AM** Clorox shares its plan to process orders manually starting the week of August 21 until systems are fully restored, and anticipates that returning to normal service levels will take time.

**August 23, 2023 - 5:18 PM** The company is still restoring its offline systems and relying on interim manual processing. It aims to prioritize consumer in-stock levels and is working closely with customers to meet immediate needs.

**September 5, 2023 - 1:15 PM** While making progress, Clorox still cannot broadly ship its complete product portfolio until more systems return online. It thanks customers for their patience and commits to further updates as the situation evolves.

### Insights from Clorox's Statement

Clorox's own statements provide key insights into its response and the challenges it faces:

1. **Elevated Product Availability Issues**: The breach has led to elevated consumer product availability issues, showing that the impact extends beyond Clorox's internal operations.
2. **Financial Impact**: Clorox acknowledges a material impact on first-quarter results, reflecting the severity of the breach, while noting that the longer-term impact cannot yet be determined.
3. **Restoration Efforts**: Clorox's systematic approach to restoring systems reflects the caution and thoroughness recovery from an intrusion demands.
4. **Communication**: The company has committed to keeping stakeholders informed throughout the recovery, a measure of transparency and accountability.

### Broader Context

The Clorox breach highlights the pervasive threat of cyberattacks in today's interconnected supply chains. It is a stark reminder to organizations across industries of the ever-evolving nature of cyber threats.

22-Sep-2023
5 min read