Apple Patches Exploited Vulnerability

Published: 2023-02-13
Last Updated: 2023-02-13 20:47:36 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Apple today released updates for Safari, iOS, iPadOS, macOS, tvOS, and watchOS. Security details are only available for Safari, iOS, iPadOS, and macOS. One of the vulnerabilities patched across all three operating systems is already being exploited:

CVE-2023-23529: A critical type confusion vulnerability in WebKit that is already being actively exploited. It may be triggered when the user visits a malicious web page. It affects Safari, iPadOS, iOS, and macOS.

CVE-2023-23514: A kernel vulnerability that may allow an application installed on the device to execute arbitrary code with kernel privileges. Code that achieves execution via CVE-2023-23529 could use this vulnerability to escalate privileges and escape the Safari sandbox. iPadOS, iOS, and macOS are affected.

CVE-2023-23522: This vulnerability in Shortcuts may allow an app to observe unprotected user data. It only affects macOS.

Details for tvOS and watchOS will be released later. These operating systems may be affected by at least the WebKit and kernel vulnerabilities above.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Venmo Phishing Abusing LinkedIn "slink"

Published: 2023-02-13
Last Updated: 2023-02-13 17:53:56 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Recently, I have seen more and more phishing for Venmo credentials. Venmo does use SMS messages as a "second factor" to confirm logins from new devices but does not appear to offer additional, more robust authentication options. The 4-digit SMS PIN and the lack of additional account security may make Venmo users an attractive target.

Thanks to Charles for the latest example. The email isn't all that remarkable. It uses the threat of an unauthorized transaction to create urgency and trigger a click. The initial link leads to a valid LinkedIn URL:

https[:]//www[.]linkedin[.]com/slink?code=edEeg35T*mwmw918508

This "trick" of using "slink"s has been documented at least as far back as 2016. Last year, in reply to an article by Brian Krebs [1], LinkedIn stated that it polices these links for redirects to known malicious sites. However, the site this link redirects to has been marked malicious by Safe Browsing for at least half a day. You need to be a LinkedIn business customer to use a "slink". It is unclear if the attacker used a compromised LinkedIn account or set up an account of their own. I did not see a simple way to look up the "owner" of a slink.

The next step leads to a compromised and likely abandoned WordPress site:

https://transpfunerario.com/wp-css.php?eaea

The victim is immediately redirected again to the actual phishing site:

https[:]//scrtld[.]5e2e9c52158bba90e8ceecf7c-13618[.]sites[.]k-hosting[.]co[.]uk/account/sign-in?key=0762e7ca08a5a93a659bffb6558407d7

k-hosting.co.uk is operated by the low-cost hosting company Krystal.

The phishing page in this case attempts to capture not just the user's username and password but also credit card and bank account information.

Because the initial link points to LinkedIn, the Venmo phishing email and its link were not flagged as malicious. A user would only be blocked from the impostor's site because Safe Browsing flags the intermediate redirect site. LinkedIn and Krystal were notified of the malicious use of their services.
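A small triage routine for this kind of chain, added here as an example and not part of the diary: it walks recorded redirect hops (from a fetcher that does not auto-follow redirects), flags a LinkedIn slink as the entry point, counts hops, and checks whether the landing host actually belongs to the brand being impersonated. The trace and all hostnames below are constructed placeholders, not the sites observed above.

```python
import re
from urllib.parse import urlparse

# Matches the LinkedIn "slink" redirector used as the entry link in the diary.
SLINK_RE = re.compile(r"^https?://(?:www\.)?linkedin\.com/slink\b", re.I)
# Crude hint that a landing path is a credential form.
LOGIN_RE = re.compile(r"(sign-?in|log-?in|account|verify)", re.I)

# Constructed trace: url -> (status, Location header), as recorded by a fetcher
# that does NOT follow redirects itself. Hosts are placeholders (.example).
TRACE = {
    "https://www.linkedin.com/slink?code=EXAMPLEcode":
        (302, "https://wp-victim.example/wp-css.php?eaea"),
    "https://wp-victim.example/wp-css.php?eaea":
        (302, "https://scrtld.tenant.example-hosting.example/account/sign-in?key=0123abcd"),
    "https://scrtld.tenant.example-hosting.example/account/sign-in?key=0123abcd":
        (200, None),
}

def follow_chain(start, trace, max_hops=10):
    """Walk recorded hops from start; stop on a non-redirect, unknown URL or loop."""
    hops, seen, url = [start], {start}, start
    while len(hops) <= max_hops:
        status, location = trace.get(url, (None, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        hops.append(location)
        if location in seen:      # redirect loop: record it and stop
            break
        seen.add(location)
        url = location
    return hops

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def assess(start, trace, brand_domains=("venmo.com",)):
    """Return (hops, findings) for an emailed link claiming to be from the brand."""
    hops = follow_chain(start, trace)
    findings = []
    if SLINK_RE.match(start):
        findings.append("entry link is a LinkedIn slink redirector")
    if len(hops) > 2:
        findings.append(f"{len(hops) - 1} redirect hops before landing page")
    final, fh = hops[-1], host_of(hops[-1])
    on_brand = any(fh == d or fh.endswith("." + d) for d in brand_domains)
    if not on_brand:
        findings.append(f"landing host {fh} is not a {'/'.join(brand_domains)} domain")
    if LOGIN_RE.search(urlparse(final).path):
        findings.append("landing path looks like a credential form")
    return hops, findings
```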

[1] https://krebsonsecurity.com/2022/02/how-phishers-are-slinking-their-links-into-linkedin/
[2] https://www.avanan.com/blog/shortened-linkedin-url-used-for-phishing

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Keywords: linkedin slink venmo