Apple Patches Exploited Vulnerability
Apple today released updates for Safari, iOS, iPadOS, MacOS, tvOS, and watchOS. Security details are only available for Safari, iOS, iPadOS, and macOS. One vulnerability being patched across all three operating systems is already being exploited:
CVE-2023-23529: This is a critical vulnerability that is already actively exploited. The type confusion vulnerability in webKit and it is already exploited. It may be exploited by the user visiting a malicious web page. It affects Safari, iPadOS, iOS as well as MacOS.
CVE-2023-23514: A kernel vulnerability that may allow an application installed on the device to execute arbitrary code with kernel privileges. A code achieving command execution via CVE-2023-23529 could use this vulnerability to escalate privileges and escape the Safari sandbox. iPadOS, iOS, and MacOS are affected.
CVE-2023-23522: This vulnerability in Shortcuts may allow an app to observe unprotected user data. It only affects macOS.
Details for tvOS and WatchOS will be released later. These operating systems may be affected by at least the WebKit and the Kernel vulnerability above.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Venmo Phishing Abusing LinkedIn "slink"
Recently, I have seen more and more phishing for Venmo credentials. Venmo does use SMS messages as a "second factor" to confirm logins from new devices but does not appear to offer additional robust authentication options. The 4-digit SMS PIN and the lack of additional account security may make Venmo users an attractive target.
.png)
Thanks to Charles for the latest example. The email isn't all that remarkable. It uses the threat of an unauthorized transaction to create urgency and trigger a click. The initial link leads to a valid LinkedIn URL:
https[:]//www[.]linkedin[.]com/slink?code=edEeg35T*mwmw918508
This "trick" to use "slink"s has been documented at least as far back as 2016. LinkedIn last year in reply to an article by Brian Krebs, stated that they police these links for links to known malicious sites. However, the site this link redirects to has been marked malicious by Safe Browsing for at least half a day. You need to be a LinkedIn business customer to use a "slink" with LinkedIn. It is unclear if the attacker used a compromised LinkedIn account or if they set up an account of their own. I did not see a simple way to look up the "owner" of an slink.
The next step leads to a compromised and likely abandoned WordPress site:
https://transpfunerario.com/wp-css.php?eaea
The victim is immediately redirected again to the actual phishing site:
https[:]//scrtld[.]5e2e9c52158bba90e8ceecf7c-13618[.]sites[.]k-hosting[.]co[.]uk/account/sign-in?key=0762e7ca08a5a93a659bffb6558407d7
k-hosting.co.uk is operated by the low-cost hosting company Krystal.
The phishing, in this case, attempts to capture not just the username and password of the user but also credit card and bank information.
Due to the use of LinkedIn, the Venmo phishing email and link was not flagged as malicious. A user would only be blocked from the imposter's website due to safe browsing blocking the redirect site. LinkedIn and Krystal were notified of the malicious use of their services.
[1] https://krebsonsecurity.com/2022/02/how-phishers-are-slinking-their-links-into-linkedin/
[2] https://www.avanan.com/blog/shortened-linkedin-url-used-for-phishing
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Comments