Security Week Review - VulnVerse #9
Welcome back to VulnVerse! It's our 9th weekly dispatch, and we've got another jam-packed edition for you. Let's dive into the latest vulnerabilities, exploits, and cyber threats.
Vulnerabilities and Exploits 🔥
Let’s start with the big one. Vulnerabilities and exploits are the bread and butter of cybersecurity, but they can be daunting to tackle. Staying on top of them requires persistence, curiosity, and a bit of a methodical approach. Below, you’ll find the latest threats you need to be aware of.
A Cisco NX-OS Software vulnerability (CVE-2024-20270) affects devices with DHCPv6 relay enabled. It can cause a DoS by crashing the dhcp_snoop process. Cisco advises upgrading or disabling DHCPv6 relay.
A Dell BIOS vulnerability (CVE-2024-39584) allows local attackers to bypass Secure Boot and execute arbitrary code. Dell urges updating affected Alienware models’ BIOS to versions released on August 27-28, 2024.
Malware exploiting CVE-2024-7029 affects discontinued AVTECH IP cameras. The 5-year-old RCE flaw allows remote attacks via crafted requests. No patch is available. Users should replace these end-of-life cameras.
cpanm downloads code via insecure HTTP. No patch available; use HTTPS mirrors or alternative clients.
Akamai SIRT identifies CVE-2024-7029, a zero-day in AVTECH CCTV cameras, exploited by a Mirai botnet variant. The vulnerability allows remote code execution. Full details and IOCs are provided.
RedTeam Pentesting's blog details exploiting a remote code execution vulnerability in Moodle, where user input via PHP’s eval() was improperly sanitized, allowing remote code execution. Fixed in versions 4.4.2 and others.
Hitachi Energy's MicroSCADA X SYS600 has critical vulnerabilities. Update to version 10.6. For more details or support, contact Hitachi Energy via their contact page.
BlackByte ransomware evolves, using new vulnerabilities like CVE-2024-37085 in VMware ESXi. It now employs techniques such as appending a unique file extension and dropping more vulnerable drivers. This group's adaptability poses increased security challenges.
CVE-2024-39717 in Versa Director allows attackers to upload malicious files posing as images, leading to system admin access. A patch is available; FortiGuard Labs has blocked related malware and can assist with compromises.
Google’s TAG found that Russian-backed APT29 and commercial vendors Intellexa and NSO reused exploits in recent attacks on Mongolian government sites, affecting both iOS and Android. Unpatched devices are still at risk. TAG highlights the need for timely updates to address these threats.
Sam Curry and Ian Carroll found a SQL injection vulnerability in FlyCASS, a system managing airport security access. This flaw allowed unauthorized users to bypass security and access cockpit systems. The issue was disclosed to DHS, who disconnected FlyCASS, but subsequent TSA statements misrepresented the problem.
Marcus Hutchins delves into CVE-2024-38063, a critical Windows kernel vulnerability involving IPv6. His detailed analysis uncovers how a patch altered the kernel driver tcpip.sys, and the intricate process to exploit this flaw.
A quishing campaign targets Office 365 users using Microsoft Sway to host phishing pages. Attackers use QR codes leading to fake Microsoft login pages to steal credentials, leveraging Sway’s link-sharing feature.
Trend Micro reveals that attackers exploit the CVE-2023-22527 vulnerability in Atlassian Confluence using the Godzilla fileless backdoor. This advanced, in-memory malware avoids traditional detection methods by leveraging AES encryption.
RedTeam Pentesting GmbH's blog post on Moodle exposes a severe remote code execution flaw. By exploiting insecure use of PHP’s eval() in Moodle’s calculated questions, attackers can bypass input sanitization and execute arbitrary commands. This vulnerability was patched in recent Moodle updates.
Microsoft 365 Copilot had a serious vulnerability allowing personal data theft. Exploits used prompt injection, automatic tool invocation, and ASCII smuggling to exfiltrate sensitive information via manipulated emails and documents. Full details and mitigations are discussed.
In our latest blog, we discuss discovering vulnerabilities in µC/OS protocol stacks through fuzzing. We detail creating a custom fuzzer, overcoming challenges, and testing HTTP and TCP/IP servers in industrial control systems.
Our latest article explores how prompt injection attacks impact LLM-based systems, including agent architectures like LangChain. We discuss the risks, mitigation strategies, and traditional vulnerabilities affecting AI agents.
Our research highlights significant security risks in publicly exposed GenAI development services, including data leakage and vulnerabilities in vector databases and LLM tools. We provide mitigation strategies to safeguard your systems.
A critical UEFI vulnerability, PKfail, involves hard-coded Platform Keys (PK), allowing attackers to bypass Secure Boot and manipulate system settings. Update firmware and use tools from Binarly for impact assessment and mitigation.
Data Breaches 💥
Data breaches—those dreaded moments when data slips through the cracks. They’re not just cautionary tales; they’re wake-up calls. Here, we break down recent incidents, helping you learn from others’ misfortunes so you can tighten your own defenses.
The Park'N Fly breach exposed the data of 1 million customers, including personal information but not financial details. Security measures have been enhanced, and customers are advised to monitor for phishing and change passwords.
The MOVEit breach exposed the personal data of over 500,000 TDECU members, including names, Social Security numbers, and financial details. The breach, discovered in July 2024, has sparked concerns about data security and response practices.
Young Consulting (now Connexure) notified nearly 1 million individuals of a data breach involving BlackSuit ransomware, which stole sensitive data like Social Security numbers and insurance claims.
The U.S. Marshals Service denies a breach by the Hunters International ransomware gang, stating the alleged data is from a previously reported incident and not new or undisclosed.
In April 2024, Sport 2000 suffered a breach exposing 3.2M unique email addresses and personal data, later listed on a hacking forum.
In August 2024, Lookiero's March 2024 breach surfaced, exposing 5M email addresses and personal data on a hacking forum.
Malware and Ransomware 🐛
Ah, malware—the relentless, ever-evolving adversary. It’s the stuff that keeps us up at night and on our toes. Here, we’ll dive into the latest developments and arm you with the knowledge you need to fend off these persistent threats.
The Poortry/BurntCigar toolkit, used by ransomware gangs, now includes an EDR-killing feature, evolving into a sophisticated rootkit capable of deleting endpoint protection software, according to a Sophos report.
RansomHub, a ransomware-as-a-service (RaaS) group, has expanded its affiliate program and now employs advanced techniques like data exfiltration and network propagation to execute high-impact attacks. Their recent activity highlights growing RaaS trends.
SonicWall Capture Labs discovered an AutoIT bot targeting Gmail accounts. The malware, named "File.exe," captures keystrokes and reads clipboard data, operating across major browsers and evading detection through obfuscation.
The HZ Rat backdoor for macOS targets DingTalk and WeChat users, replicating its Windows counterpart. It uses shell scripts for payloads, collects extensive user data, and communicates with C2 servers.
In December 2023, a Cobalt Strike beacon led to BlackSuit ransomware deployment. Tools used included Sharphound, Rubeus, and SystemBC, with C2 traffic hidden through CloudFlare.
In August 2024, unauthorized access due to misconfiguration led to a Mallox ransomware attack. The ransomware, targeting various systems, used a RaaS model and deployed via tools like Cobalt Strike and PowerShell scripts.
A new Snake Keylogger variant, distributed via phishing emails with malicious Excel attachments, uses the CVE-2017-0199 vulnerability for delivery. It logs keystrokes and captures sensitive data, evading detection with encryption.
Iranian hackers, known as Pioneer Kitten, are collaborating with ransomware gangs like NoEscape and ALPHV to extort organizations. They sell network access and directly assist in encryption operations.
The Play ransomware group has leaked over 5GB of data allegedly stolen from Microchip Technology, impacting operations. The group threatens to release more unless the company pays the ransom.
Scammers are using a Zoom-themed phishing site to trick victims into downloading ScreenConnect, which allows remote access to their computers. The same infrastructure also scams Social Security Administration (SSA) beneficiaries.
The 7777 botnet, using compromised TP-LINK, ASUS, and other routers, has expanded to include RUCKUS and Zyxel devices. With around 16,000 infected devices, it conducts low-profile brute force attacks on Microsoft 365 accounts.
A phishing and vishing campaign targeting over 130 US firms involves attackers posing as IT staff to steal VPN credentials via fake login pages and SMS links.
Fraudsters are using fake Canva home pages to trick users into clicking links that lead to browser hijacks with fake Microsoft alerts. The scheme leverages deceptive ads and cloned web designs.
Software and System Issues ⚙️
Even the most secure systems have their hiccups. Whether it’s a software flaw or a system glitch, these issues can create openings for bigger problems. We’ll cover the recent ones you should be aware of.
Fortra has addressed a critical hardcoded password vulnerability (CVE-2024-6633) in FileCatalyst Workflow, allowing unauthorized access to internal databases. Users must upgrade to version 5.1.7 or later to secure their systems.
A Microsoft 365 Copilot vulnerability allowed attackers to steal user data through prompt injection and ASCII smuggling. The flaw was patched by Microsoft after being reported in January 2024.
An audit revealed significant security gaps in the FBI’s management of electronic storage media, including poor tracking, inadequate classification labeling, and physical security issues. The FBI is working on corrective measures.
Cloud ☁️
The cloud is both a playground and a battlefield. With more data and services migrating to the cloud, the stakes have never been higher. In this section, we’ll explore the latest challenges and solutions in cloud security.
Trustwave's investigation into a Mallox ransomware attack reveals the malware's sophisticated methods and wide-ranging impact. The attack exploited a misconfigured server, using ransomware-as-a-service to encrypt and threaten data exposure.
Leaders must shift focus to SaaS and cloud breach mitigation, given the inevitability of attacks. With 80% of breaches in these environments, adopting integrated, automated security measures is crucial for effective defense.
Red Canary leverages AWS API Gateway and SQS for handling webhooks efficiently. API Gateway receives webhook requests, responds immediately, and sends data to SNS and SQS for reliable, asynchronous processing and future handling.
At Red Hat Summit 2024, the OpenShift Commons Security SIG workshop highlighted the crucial role of security in OpenShift environments. Engaging discussions and real-time surveys emphasized the need for improved security practices and collaboration within the community.
AI tools like ChatGPT and Claude often generate cloud provisioning code with critical security flaws, such as hard-coded passwords and poor randomness. Cloud providers and AI vendors should address these issues to improve security.
Replicate card payment keys across AWS Regions using AWS Payment Cryptography for enhanced security and disaster recovery. Explore serverless architecture and AWS PrivateLink for secure key transport and storage.
Tools 🛠️
No one tackles cybersecurity unarmed. In this section, we’re showcasing some of the latest and greatest tools that can help you fortify your defenses, streamline your workflows, and maybe even make your life a little easier.
Bitwarden has enhanced its browser extension with improved inline autofill for credit cards and personal identities, offering a more secure and efficient way to manage payment details and form submissions online.
Velociraptor’s Offline Collector lets you gather forensic data from systems not connected to the network. You can import these ZIP files into Velociraptor's GUI for analysis, regardless of the operating system.
Automating CVE hunting can be streamlined by running static analysis on a large number of plugins. By leveraging tools like Semgrep and focusing on breadth over depth, you can efficiently identify and triage high-impact vulnerabilities in WordPress plugins.
RISCPoint Advisory Group’s RADAR platform integrates AI-driven vulnerability detection and expert-led penetration testing. It offers real-time threat discovery, continuous compliance monitoring, and actionable insights to enhance proactive security and risk management.
Frost & Sullivan named Wiz a leader in Cloud Security Posture Management (CSPM) for its rapid growth, innovative Security Graph, and robust CNAPP features. The report highlights Wiz's effectiveness in visualizing cloud risk and integrating across diverse environments.
Cybersecurity Measures and Recommendations 🔒️
You’ve seen the threats, now what? It’s not enough to just be aware—you need to act. Here’s a rundown of some top-notch cybersecurity measures and recommendations that will help you stay secure, sane, and ahead of the bad guys.
Mandiant and Google Cloud reveal how digital analytics tools are exploited by attackers. From link shorteners to IP geolocation services, these tools are weaponized to evade detection and enhance malicious campaigns. Learn strategies for defending against such tactics.
Gartner's 2024 Hype Cycle introduces new CTEM categories—Threat Exposure Management, Exposure Assessment Platforms (EAP), and Adversarial Exposure Validation (AEV)—to enhance security operations by improving threat exposure management and validation.
The EU's Digital Operational Resilience Act (DORA) mandates enhanced cybersecurity measures for financial institutions, including regular penetration testing and ICT risk management. Compliance is required by January 2025, focusing on improving digital resilience and operational stability.
Palo Alto Networks explored 19 newly released TLDs, finding significant abuse, including phishing, malware, and torrenting. Their graph-based detection system revealed correlations between TLD launches and malicious activities.
Gift card and loyalty program abuse involves unauthorized access, account takeover, and balance theft. Fraudsters exploit APIs and apps, causing financial losses and damaging customer trust. Cequence’s security solutions help mitigate these risks.
Advanced Persistent Threats (APT) 🕵️
APTs are the silent stalkers of the cyber world—sophisticated, patient, and dangerous. To defend against them, you need a deep understanding of their tactics. We’ll get into the latest on APTs and what you can do to keep them at bay.
Google's Threat Analysis Group reveals that a Russian hacking group, APT29, is using exploits initially developed by commercial spyware vendors. This highlights the ongoing sophistication and influence of commercial surveillance tools.
APT29, a Russian hacking group, is using iOS and Android exploits originally created by spyware vendors, discovered by Google’s Threat Analysis Group. These exploits target unpatched devices through watering hole attacks.
Hackers are exploiting a zero-day vulnerability in Versa Director software, targeting IT infrastructure providers. Researchers link these attacks to China’s Volt Typhoon, aiming to disrupt U.S. communications.
Regardless of size or type, organizations face threats seeking access to their information. Non-profits and small entities, because of their focus or clientele, are vulnerable to espionage. Huntress recently uncovered a four-year intrusion into a Vietnamese human rights defender's system, linked to APT32/OceanLotus, highlighting advanced threat actors' strategies for information gathering.
APT-Q-12, also known as Pseudo Hunter, targets East Asia, including China and the Korean Peninsula. Identified first by QiAnXin in 2021, this group utilizes sophisticated email probes to collect detailed information about targets' software and platforms, facilitating 0day attacks. For protection, QiAnXin recommends using Skyrocket EDR and cloud-checking functions.
Mandiant has detailed an Iranian counterintelligence operation targeting Farsi speakers through fake recruitment sites posing as Israeli firms. This campaign, active since 2017, collects personal data to identify and monitor individuals collaborating with adversaries of Iran.
Between April and July 2024, Microsoft identified the Iranian threat actor Peach Sandstorm using a new malware, Tickler, in attacks targeting sectors like satellite communications and government. The malware's deployment involves custom multi-stage backdoor techniques and abuse of Azure infrastructure.
Russia's APT29 exploited former zero-day flaws in Apple WebKit and Google Chrome, targeting Mongolian government websites in a series of attacks. Google TAG's report links these exploits to commercial spyware vendors.
Iranian cybercriminals, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), are targeting WhatsApp users in a spear phishing campaign. This group, known for previous disinformation efforts, posed as tech support to deceive users.
Google's Threat Analysis Group (TAG) has reported on a series of sophisticated exploit campaigns targeting Mongolian government websites. These campaigns, linked to the Russian-backed APT29, have utilized exploits similar to those used by commercial surveillance vendors Intellexa and NSO Group.
So there you have it! An electrifying overview of the latest vulnerabilities, exploits, data breaches, malware, ransomware, APTs, software and system issues, and practical cybersecurity measures.
Have any questions, comments, or feedback? Feel free to reply directly; I'd love to hear from you. I’m all ears!
If you find this newsletter helpful and think others would too, please consider forwarding it to them. 🙏
Thanks for reading!
exit(0);