Uncategorized

Citizen Lab discovered a zero-day zero-click exploit against Apple’s iMessage. Dubbed FORCEDENTRY, it’s a zero-day exploit that targets Apple’s image rendering library, and is effective against Apple iOS, MacOS and WatchOS devices. They’ve attributed the exploit to the Israeli cyber mercenary group, NSO Group, that is responsible for creating the Pegasus spyware used in numerous high profile exploitations of celebrity, politician, and world leader mobile devices.

A new vulnerability in MSHTML (Part of MS Office) is being actively exploited by malicious actors. This can enable malware execution through the MSHTML “web engine” functionality present in Office applications. The simplicity of opening a specially crafted MS Office document makes it ideal bait for phishing and spear-phishing attempts.

In 2019, FortiGate firewalls had a zero-day vulnerability that was exploited globally, allowing attackers to harvest user VPN credentials, usernames and passwords, remotely. This vulnerability has been addressed and patched by Fortinet in 2019, however, recently, a database of more than 87,000 FortiGate SSL VPN credentials harvested in 2019 has been leaked to the Internet. Researchers have noted that while some of the credentials will no longer work, there are some that still do.

Google has issued a warning regarding a serious vulnerability in their Chrome browser (affecting Windows, Mac, and Linux) that could potentially allow a malicious actor to take full control over a machine. Google urges users to update their browsers immediately. Currently it’s estimated that about 2 billion Chrome browser installs are vulnerable.