Exposures, Exposed! Weekly Round-up October 21 – October 27
Exposures, Exposed! XM Cyber’s weekly roundup of the latest cyber breaches, vulnerabilities and exposures. We dive deep into the digital underworld to bring you the most impactful exposures from around the globe. Cyber threats never sleep, and neither do our researchers. Check out this week’s top picks.
Major Vulnerability in macOS Allows Data Exploits, Experts Warn
Microsoft researchers have revealed a serious vulnerability in macOS that could allow attackers to access sensitive user data through Apple’s Safari browser. The flaw affects Apple’s Transparency, Consent, and Control (TCC) system and could expose protected data such as camera access and location information. Apple addressed the vulnerability in its security update for macOS Sequoia, available since September 16, 2024.
While TCC is intended to secure user data by requiring permissions, Microsoft found that certain configuration files in Safari could be modified, bypassing these protections. This vulnerability, called “HM Surf,” has reportedly been exploited by malware to gain user IDs and track devices.
To counter further risks, Apple has enhanced protections in macOS, and Microsoft is working with other browser vendors to increase platform security.
The Takeaway: Mac users should install the latest update immediately to protect personal data. Learn more here.
Atlassian Releases Security Updates for Six High-Severity Bugs
Atlassian has released security updates addressing six high-severity vulnerabilities in its Bitbucket, Confluence, and Jira Service Management products. The updates for Bitbucket Data Center and Server resolve CVE-2024-21147, a flaw in the Java Runtime Environment that could allow unauthorized access to critical data. Oracle previously patched this bug in July 2024, and Atlassian included the fix in multiple Bitbucket versions.
Confluence updates address four vulnerabilities, including two issues in the Moment.js JavaScript library, CVE-2022-24785 and CVE-2022-31129, which could be exploited without authentication. Additional patches resolve CVE-2024-4367, an XSS bug, and CVE-2024-29131, which could lead to Denial of Service (DoS) attacks.
For Jira Service Management, the update fixes CVE-2024-7254, a buffer overflow flaw that could impact service availability.
The Takeaway: Users should apply these updates immediately to secure their systems. Learn more here.
Fortinet Urges Action Following FortiManager Exploitation Discovery
Fortinet has confirmed a critical security flaw impacting its FortiManager devices, already under active exploitation. The vulnerability, identified as CVE-2024-47575 or “FortiJump,” has a severity score of 9.8. It allows remote attackers to execute arbitrary code by exploiting a missing authentication step in the FortiGate to FortiManager (FGFM) protocol.
This flaw affects FortiManager versions 7.x and 6.x, as well as select FortiAnalyzer models. Fortinet has issued workarounds tailored to specific versions, emphasizing the use of custom certificates and allowing FGFM connections only from verified IP addresses. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply fixes by November 13, 2024.
The Takeaway: Fortinet customers should promptly apply workarounds and stay updated on Fortinet advisories. Learn more here.
Threat Actors Exploit Veeam Backup Vulnerability for Ransomware Attacks
Cybersecurity researchers and federal agencies report active exploitation of a critical vulnerability in Veeam Backup and Replication software, CVE-2024-40711, by ransomware groups. The flaw, with a severity score of 9.8, allows unauthenticated attackers to perform remote code execution, making it a prime target for ransomware variants like Akira and Fog, according to Sophos X-Ops.
Veeam issued a patch in its v12.2 software update on August 28. However, hundreds of Veeam Backup instances remain exposed, particularly in Europe, as observed by researchers from Censys. The U.K.’s National Health Service also issued a cybersecurity alert regarding this vulnerability on October 11.
Sophos linked recent ransomware attacks to initial access through compromised VPNs lacking multifactor authentication, revealing ongoing risk from unpatched instances.
The Takeaway: Veeam users should immediately apply the v12.2 update and enable multifactor authentication. Learn more here.
Critical Vulnerability Found in Open Policy Agent for Windows
Security researchers at Tenable have identified an authentication hash leakage vulnerability in Open Policy Agent (OPA) for Windows, affecting all versions prior to v0.68.0. Designated CVE-2024-8260, the vulnerability enables attackers to manipulate OPA into authenticating with a malicious Server Message Block (SMB) share, potentially leading to the exposure of user credentials and sensitive system data.
Exploitation of this flaw allows attackers to capture and reuse the Net-NTLMv2 hash of the active Windows user, which could then enable unauthorized access to additional systems. Tenable’s report advises users to upgrade to v0.68.0 to mitigate this risk, highlighting the importance of securing open-source software used in enterprise environments.
The Takeaway: Users of OPA for Windows should update to v0.68.0 or later immediately. Learn more here.
VMware Releases Updates for Patched vCenter Server Vulnerability
VMware has issued software updates to address a security flaw in vCenter Server that could enable remote code execution. The vulnerability, tracked as CVE-2024-38812 with a CVSS score of 9.8, is a heap-overflow issue in vCenter Server’s implementation of the DCE/RPC protocol. A malicious actor with network access to the server could exploit it by sending specially crafted packets.
VMware acknowledged that previous patches released on September 17, 2024, did not completely resolve the issue. Users are encouraged to update to the latest versions of vCenter Server, including 8.0 U3d, 8.0 U2e, and 7.0 U3t, as well as asynchronous patches for VMware Cloud Foundation. There have been no reported exploits of this vulnerability in the wild, but users should remain vigilant.
The Takeaway: Users of vCenter Server should promptly update to the latest available versions to ensure security. Learn more here.
That’s all for this week – have any exposures to add to our list? Let us know!