Critical Vulnerabilities in Cisco Webex
An IBM Research team discovered vulnerabilities in the Cisco Webex app that could allow an attacker to join a meeting and eavesdrop on conversations as a “ghost” without being discovered. The vulnerabilities could be exploited if an attacker knows the Webex meeting URL or a user’s Personal Room. Cisco has already released fixes, which are available in the latest version of the product.
Critical vulnerabilities in a number of ICS systems
Technology companies Real Time Automation, Paradox, Sensormatic Electronics and Schneider Electric warned about critical vulnerabilities in their products. The highest CVSS score, 9.8 out of 10, was assigned to a buffer overflow vulnerability (CVE-2020-251590) in Real Time Automation software.
New attack by the Lazarus group
ESET researchers uncovered a new Lazarus supply-chain attack that abuses the legitimate WIZVERA VeraPort software. WIZVERA VeraPort is designed to integrate and manage installation programs related to Internet banking in South Korea. The attackers compromised several sites that support VeraPort and tampered with the installation packages. The malware was delivered to victims’ computers by exploiting a flaw in WIZVERA VeraPort’s signature verification. As a result, VeraPort downloaded the malware without users noticing.