Keeping up with cybersecurity’s latest is key to avoiding becoming a victim of ever-evolving cyber threats. We are here with another weekly update of the latest cybersecurity news and incidents from around the world to help you achieve awareness and protect yourself from severe cyber threats. Here is this week’s cybersecurity bulletin:
Data Breach Exposes 2.5 Million Student Loan Accounts
Following a data breach at Nelnet Servicing, data from OSLA (Oklahoma Student Loan Authority) and EdFinancial has exposed the details of 2.5 million student loan accounts. The organizations used Nelnet Servicing and provided a web portal to students for digital access to loan accounts.
The threat artists exploited a vulnerability at Nelnet and exposed the data of 2,501,324 students. Nelnet blocked the attack immediately after discovering the breach and investigated the particulars that had been exposed.
The name, physical address, email address, phone number, and social security numbers of those affected by the breach are exposed. Although no financial information was exposed, the law firm “Markovits, Stock, & DeMarco” launched an investigation into the incident on the grounds of the makings of a class action lawsuit.
EdFinancial and OSLA have offered those impacted by the data breach free access to a 2-year identity theft protection service through Experian. EdFinancial has also reassured its clients that not all of its clientele is hosted by Nelnet and is safe from exposure. Following the breach, monitoring bank accounts, and requesting a credit report are the best steps students can take.
Privilege Escalation Vulnerability in VMware
VMware released patches to address a severe vulnerability in the VMware tools. Tracked as CVE-2022-31676, the vulnerability impacted the VMware Tools suite of utilities.
Any threat actor with local access to the guest operating system could trigger said vulnerability to escalate their privileges on the system. After escalating their privileges, threat actors could access sensitive systems and access managed data to perform malicious activities.
VMware released a security advisory, and the vulnerability was given a score of 7.0 with no workarounds other than the patched, fixed version released.
The flaw impacted both Windows and Linux platforms and has been patched in 12.1.0 for Windows and 10.3.25 for Linux systems. Individuals should download the security patch and update VMware Tools for the best protection.
Fake Chrome Extension Installed over 200,000 times
A google chrome extension called the “Internet Download Manager,” present on the Chrome Web Store since 2019, was reportedly installed by over 200,000 users.
The extension installs a known and legitimate download manager with unwanted behavior, such as opening spam websites, default browser settings, and numerous pop-ups for patches and unwanted programs. The malicious extension by “IDM Integration Module” imitated a similar extension by Tonec. The counterfeit Chrome extension is operated and maintained by “Puupnewsapp” and claims a 500% download speed boost.
On installing the extension, users are prompted to install a Windows patch and an executable by Puupnewsapp. The executable contains 32 and 64-bit versions of NodeJS and executes code to alter browser registry settings on the victim’s system. Furthermore, the extension alters search engines, such as smartwebfinder[.]com, shows frequent pop-ups for installing additional extensions and launches third-party websites in the web browser.
Following Tonec’s website, the FAQ section clarifies that all IDM extensions found on the Google Store are fake and should be avoided. The reviews for the extension make it clear that it is spam and hijacks browsers.
Still, over 200,000 users downloaded the extension. The same week, McAfee’s threat analysts discovered five extensions downloaded 1.4 million times that stole browsing activities. Users are advised to use legitimate software from authentic sources and follow the reviews before downloading any extension.
Chrome OS Flaw Discovered by Microsoft
Microsoft shared specifics of a severe flaw in Chrome OS. The vulnerability in Chrome OS, tracked as CVE-2022-2587, was given a CVSS (Common Vulnerability Scoring System) score of 9.8.
Any threat actor could exploit the Chrome OS vulnerability to trigger a DoS (Denial of Service) condition and achieve RCE (Remote Code Execution) in particular cases. The vulnerability is a memory corruption vulnerability in the Chrome OS component that can be triggered remotely. Microsoft discovered and reported the Chrome OS flaw to Google in April; Google addressed the cybersecurity issue in June.
The MSVR (Microsoft Security Vulnerability Research) tracked the vulnerability further and released a detailed report of its findings. Microsoft focuses on research-driven protections and collaboration and recommends close monitoring of all devices, operating systems, and platforms for discovering vulnerabilities.
One-Click TikTok Account Hijacking in Android Devices
The Microsoft 365 Defender research team discovered a significant vulnerability in the popular video sharing platform TikTok’s application on Android phones. The vulnerability is a chained exploit to hijack TikTok user accounts.
The threat actors could use the vulnerability to bypass TikTok’s deeplink verification, allowing them to target users using crafted links and hijack their accounts. By forcing TikTok to load arbitrary URLs (Uniform Resource Locator) to the application’s WebView, and using the URL to access the WebView’s JavaScript bridges and grant functionality, threat actors could carry out account hijacking.
Threat actors could bypass server-side checks by adding just two parameters to the deeplink. TikTok has patched the vulnerability, but Microsoft made it clear in their report that threat actors can utilize JavaScript interfaces to execute code using any application’s ID and privileges.
The coordinated approach of this attack is a prime example of how threat actors work around security and employ sophisticated techniques for malicious purposes. Individuals are advised to open URLs in default browsers if they are absent from the approved lists and update these lists regularly.
Australian Government Victim of Chinese ScanBox Malware
Chinese threat actors have been using the ScanBox malware against Australian government agencies for quite some time. Chinese threat actors have also targeted wind turbine fleets in the South China Sea by directing victims to fake Australian news media portals.
The threat actors employ the Scanbox reconnaissance framework to send phishing emails impersonating Gmail and Outlook in several waves. The emails come from “Australian Morning News” employees with phishing URLs with unique values for each target, leading victims to a fake news portal with a malicious payload in the form of a ScanBox framework.
The framework includes a keylogger, browser plugins, browser fingerprinting, peer connection, and security checks that are loaded once the framework is downloaded and assembled. It then set up C2 (Command and Control) communications and shared victim data for espionage activities.
Individuals should privy themselves to phishing tactics and avoid opening malicious links to stay safe against such payload deliveries and always cross-check websites for their authenticity.