Craig Pepper
July 24, 2023

Threat Report 24.07.23

Microsoft has Uncovered a Phishing Campaign

Microsoft has uncovered a phishing campaign by a threat actor named Storm-0978, which specifically targeted defence and government entities in Europe and North America. The attack involved exploiting a remote code execution vulnerability, known as CVE-2023-36884, in Word documents even before it was disclosed to Microsoft. The attackers utilized lures related to the Ukrainian World Congress to deceive their targets.

Storm-0978 is a cybercriminal group based in Russia, referred to as RomCom by other vendors due to their backdoor's name. They are known for engaging in opportunistic ransomware and extortion operations, as well as targeted campaigns aimed at gathering credentials likely to support intelligence activities. The group is responsible for the development and distribution of the RomCom backdoor, and they also deploy the Underground ransomware, which shares similarities with the Industrial Spy ransomware observed in May 2022.

The latest campaign carried out by Storm-0978 in June 2023 involved the abuse of CVE-2023-36884 to deliver a backdoor that bears a resemblance to RomCom. Storm-0978 typically targets organizations by offering trojanized versions of popular legitimate software, leading to the installation of RomCom. Their operations have had a notable impact on government and military entities in Ukraine, as well as organisations in Europe and North America that may have connections to Ukrainian affairs. The group has also targeted industries such as telecommunications and finance with ransomware attacks.

Microsoft 365 Defender has been successful in detecting multiple stages of Storm-0978's activity. Customers using Microsoft Defender for Office 365 are safeguarded against attachments attempting to exploit CVE-2023-36884. Additionally, customers using Microsoft 365 Apps (Versions 2302 and later) are protected against the exploitation of this vulnerability through Office.

High-severity Vulnerability Addressed in Chrome 115

Google announced the official release of Chrome 115 in the stable channel. This update comes with fixes for a total of 20 vulnerabilities, out of which 11 were reported by external researchers.

Among the externally reported security flaws, four are considered to be of 'high severity.' Notably, CVE-2023-3727 and CVE-2023-3728 are two use-after-free issues in WebRTC that earned the researchers a bug bounty reward of $7,000 each.

Another high-severity vulnerability addressed in Chrome 115 is a use-after-free bug found in Tab Groups, known as CVE-2023-3730, which was rewarded with a bug bounty of $2,000.

The fourth high-severity issue, identified as CVE-2023-3732, involves an out-of-bounds memory access problem in Mojo. However, no bug bounty will be issued for this particular bug, following Google's policies, as it was discovered by one of their own researchers from Project Zero, Mark Brand.

Additionally, Chrome 115 tackles six medium-severity vulnerabilities reported by external researchers. These include flaws in WebApp Installs, Picture In Picture, Web API Permission Prompts, Custom Tabs, Notifications, and Autofill components, which were categorized as inappropriate implementation issues.

Furthermore, this browser update resolves a low-severity bug related to insufficient validation of untrusted input in Themes.

In total, Google has awarded bug bounty rewards worth $34,000 to the researchers who reported these vulnerabilities.

Google has not disclosed any information suggesting that these fixed vulnerabilities were exploited in any malicious attacks.

As per their usual practice, Google will keep the technical details of the resolved vulnerabilities undisclosed until most users have installed the latest Chrome update.

Adobe ColdFusion Vulnerabilities Exploited in the Wild

Recently, two Adobe ColdFusion vulnerabilities were disclosed, and it seems that both have been exploited in the wild. Adobe informed customers about three critical vulnerabilities and provided patches for two of them on July 11. These were CVE-2023-29298, an improper access control flaw leading to a security feature bypass, and CVE-2023-29300, a deserialization issue allowing arbitrary code execution. On July 14, Adobe released patches for CVE-2023-38203, another deserialization vulnerability that also enables arbitrary code execution.

Estée Lauder recently disclosed a data breach

Cosmetics company Estée Lauder recently disclosed a data breach following claims from two ransomware groups about stealing substantial amounts of company data. In their statement on July 18, Estée Lauder admitted that an unauthorised third party had gained access to some of its systems and obtained data. The extent of the compromised data is still under evaluation, and the company has engaged external cybersecurity experts to aid in the investigation. Law enforcement has also been notified about the incident.

The ransomware groups involved are the Cl0p gang and the BlackCat/Alphv gang. Cl0p claimed to have stolen over 130 gigabytes of data through the MOVEit hack, impacting numerous organisations worldwide. Meanwhile, the BlackCat group asserted that they still had access to Estée Lauder's systems despite the involvement of Microsoft and Mandiant in the incident response. They threatened to disclose more stolen files if the company did not respond.

This is not the first time Estée Lauder has experienced a data breach. In 2020, a researcher discovered that the company had exposed 440 million records on the internet through an unprotected database.
