[VulnVerse] #3 - PDF.js Vulnerability, MSI Data Breach, APT41 Threats...
Welcome back to VulnVerse! It's our third weekly dispatch, and we've got another jam-packed edition for you. Let's dive into the latest vulnerabilities, exploits, and cyber threats.
Contents
Vulnerabilities and Exploits: 1 to 23
Data Breaches: 24 to 32
Malware and Ransomware: 33 to 45
Software and System Issues: 46 to 52
Cybersecurity Measures and Recommendations: 53 and 54
Advanced Persistent Threats (APT): 55 and 56
Vulnerabilities and Exploits
We’re kicking things off with the latest vulnerabilities and exploits. In the fast-paced world of cybersecurity, staying ahead of these threats is vital. Here are the critical updates you need to arm yourself with:
Fabasoft has addressed a high-severity vulnerability (CVE-2024-4367) in the PDF.js library, which could allow attackers to execute arbitrary JavaScript code through malicious PDF files. This vulnerability affects Fabasoft's eGov-Suite and Mindbreeze Enterprise products. This flaw could lead to data breaches and unauthorized access to sensitive information in organizations using these solutions. Organizations should apply the provided hotfixes for eGov-Suite and update Mindbreeze Enterprise to the latest versions. Additional security measures recommended by Fabasoft should also be implemented.
ReversingLabs has uncovered a sophisticated malicious campaign targeting the NuGet package manager, utilizing homoglyphs and code injection techniques to distribute malware. Developers should verify package authenticity and use advanced security tools to detect hidden threats. Regular security reviews and employing tools like ReversingLabs Spectra Assure are essential to mitigate such risks.
Forcepoint X-Labs has discovered a new ransomware strain called ShadowRoot, targeting Turkish businesses via phishing emails with malicious PDF attachments. Organizations should implement robust email security measures, educate employees on phishing tactics, and regularly back up data. Advanced threat detection systems can help identify and block such attacks before they cause damage.
Mitel has issued advisories for a severe PHP argument injection vulnerability (CVE-2024-4577) affecting several of its products. This vulnerability can result in data breaches and service disruptions. Mitel customers should update affected products to the latest versions and implement additional security measures, such as limiting public exposure and restricting access to trusted IP addresses.
Netgear has released firmware updates for several router models, addressing vulnerabilities including authentication bypass, cross-site scripting, and command injection. These vulnerabilities could allow attackers to gain unauthorized access and control network devices. Users must update their router firmware to the latest versions. Changing default passwords, enabling automatic updates, and using strong encryption protocols are also essential steps to secure network devices.
Supermicro has disclosed a critical remote code execution vulnerability (CVE-2024-36435) in its BMC web server component, affecting a wide range of products. Users should update their BMC firmware to the latest versions and follow the recommended security practices provided by Supermicro, including configuring session timeouts and restricting access to BMC interfaces.
A severe vulnerability (CVE-2024-6744) in Cellopoint Secure Email Gateway could allow unauthenticated attackers to execute arbitrary code, posing a critical risk to organizations. This flaw could lead to data breaches, system takeovers, and significant operational disruptions. Organizations should apply the latest patch released by Cellopoint immediately. Continuous monitoring and applying security best practices are crucial to protect against such vulnerabilities.
A severe vulnerability (CVE-2024-6345) in Setuptools, a popular Python library, exposes systems to remote code execution. This flaw can be exploited during package installation, leading to system compromise. Users should upgrade to version 70.0 of Setuptools to address this vulnerability and ensure system security.
A critical vulnerability (CVE-2024-6695) in the Profile Builder WordPress plugin could allow attackers to gain administrative control of websites without an existing user account. Website owners should update to version 3.11.9 of the plugin to mitigate this risk and protect their sites from potential exploitation.
A critical vulnerability (CVE-2024-34102) in Magento/Adobe Commerce is being actively exploited, allowing attackers to gain full control over systems. Merchants should update their systems, rotate encryption keys, and implement monitoring to detect unauthorized changes.
A critical SQL Injection vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin affects over 100,000 online stores. Attackers can inject rogue SQL queries, leading to data breaches and full control over databases. Store owners should update to version 1.3.6.1 or newer and enhance their web application firewall (WAF) settings to block SQL injection attempts.
Apache Airflow versions 2.4.0 to 2.9.2 are vulnerable to code execution via the doc_md parameter. Exploitation can compromise the scheduler context, risking unauthorized access and workflow disruption. Users should upgrade to version 2.9.3 and ensure Airflow environments are isolated, with robust monitoring and logging to detect and respond to potential attacks.
Ivanti has addressed a SQL Injection flaw in its Endpoint Management (EPM) software, potentially allowing arbitrary code execution. Users should apply the Security Hot Patch immediately and follow Ivanti's detailed instructions for patching. Using PowerShell scripts provided for automated updates can ensure comprehensive protection.
SolarWinds has patched several high-severity vulnerabilities in Access Rights Manager (ARM), including directory traversal, remote code execution, and authentication bypass vulnerabilities. Users must update to version 2024.3 and audit their access control settings, ensuring least privilege principles are applied.
A critical vulnerability in Cisco Secure Email Gateway allows file overwriting, leading to unauthorized user creation and remote code execution. Administrators should update to the latest Content Scanner Tools package included in Cisco AsyncOS for Cisco Secure Email Software releases 15.5.1-055 and later. Regularly reviewing and updating security policies for email attachments can enhance protection.
A critical vulnerability in Cisco Smart Software Manager allows attackers to change user passwords and gain full access. Users must upgrade to Cisco SSM On-Prem Release 8-202212 or later immediately. Implementing strict access controls and regularly auditing user accounts can help prevent unauthorized access.
FutureNet devices, including routers and switches, are vulnerable to several critical flaws. Exploits can lead to unauthorized access, command execution, and denial-of-service conditions. Users should apply firmware updates or replace unsupported devices. Disabling telnet, enabling SSH, and configuring firewalls to restrict access to management interfaces are recommended.
HPE has patched a critical authentication bypass vulnerability in the 3PAR Service Processor, potentially allowing unauthorized access. Users should update to version 5.1.2 immediately. Implementing multi-factor authentication and regularly reviewing access logs can provide additional security layers.
A critical vulnerability in Oracle WebLogic Server allows for server takeovers via T3 and IIOP protocols. Users should apply the latest patches and restrict protocol access if patching is not immediately feasible. Network segmentation and strict access control policies can help mitigate risks.
Progress Telerik Report Server contains an authorization bypass vulnerability, allowing attackers to create rogue admin users. Users are advised to apply vendor mitigations and FortiGuard's IPS signature for protection. Regularly updating software and applying security patches are critical for maintaining secure systems.
Squarespace has warned customers about a domain hijacking campaign exploiting vulnerabilities during the migration of Google Domains. Customers should enable two-factor authentication, review and update DNS records, and consider transferring domains to different registrars. Continuous monitoring for unauthorized changes is also recommended.
Mitel has issued an urgent security advisory regarding a critical vulnerability discovered in its Unify OpenScape 4000 communication system. This command injection flaw, with a CVSS score of 9.8, could allow unauthenticated attackers to execute arbitrary commands, potentially leading to unauthorized access, data breaches, and system disruptions. Mitel recommends applying the available patches immediately and has provided temporary workarounds.
Broadcom has issued a critical security advisory for Symantec Privileged Access Manager (PAM), urging users to apply the latest cumulative hotfix (4.1.7.50) to protect against multiple severe vulnerabilities. These flaws could allow attackers to execute remote commands, bypass authentication, escalate privileges, and exploit various other security weaknesses.
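One way to turn the fixed versions named in this section into an inventory check. This is an added example, not the newsletter's own code: the product keys and the sample inventory are constructed, while the fixed versions and the Airflow affected range are the ones the items above state.

```python
"""Compare an inventory of installed product versions against the fixed
versions named in this issue's Vulnerabilities and Exploits section.
Added example; the inventory below is constructed, not real data."""
from __future__ import annotations
import re

# Fixed versions as stated in the newsletter items above. Airflow's affected
# range has a lower bound too (2.4.0 to 2.9.2), so it carries one here.
FIXED_VERSIONS = {
    "setuptools": ("70.0", None),
    "profile-builder": ("3.11.9", None),
    "husky-products-filter": ("1.3.6.1", None),
    "apache-airflow": ("2.9.3", "2.4.0"),
    "solarwinds-arm": ("2024.3", None),
    "hpe-3par-service-processor": ("5.1.2", None),
}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.3.6.1' or '2024.3' into a tuple of ints; a suffix such as
    '-rc1' is ignored so that '2.9.3-rc1' compares as 2.9.3."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1; the shorter tuple is padded with zeros so that
    '1.3.6' equals '1.3.6.0' but is older than '1.3.6.1'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)

def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed version is inside the affected range."""
    fixed, first_affected = FIXED_VERSIONS[product]
    if first_affected is not None and compare(installed, first_affected) < 0:
        return False  # predates the affected range
    return compare(installed, fixed) < 0

def check_inventory(inventory: dict[str, str]) -> list[str]:
    """Return one 'product installed -> upgrade to fixed' line per finding."""
    findings = []
    for product, installed in sorted(inventory.items()):
        if product not in FIXED_VERSIONS:
            continue  # not covered by this issue's items
        if is_vulnerable(product, installed):
            findings.append(
                f"{product} {installed} -> upgrade to {FIXED_VERSIONS[product][0]}")
    return findings

# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = {
    "setuptools": "69.5.1",
    "husky-products-filter": "1.3.6",
    "apache-airflow": "2.3.4",
    "solarwinds-arm": "2024.3",
    "hpe-3par-service-processor": "5.1.1",
    "unrelated-tool": "1.0",
}

if __name__ == "__main__":
    for line in check_inventory(SAMPLE_INVENTORY):
        print(line)
```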
Data Breaches
Next, we plunge into the murky waters of recent data breaches. These incidents are more than just headlines – they’re lessons in what can go wrong and how to fortify your defenses.
MSI has experienced a significant data breach, exposing over 600,000 users' detailed information due to improperly configured server permissions. This breach exposes customers to identity theft and other malicious activities, damaging MSI's reputation. MSI needs to improve its server configurations and ensure proper access controls. Affected users should be notified, and steps should be taken to secure their data. Continuous security audits and employee training on security best practices are crucial.
A hacker known as “Tchao1337” has allegedly leaked a database containing 60 million rows of Pinterest user data. Pinterest users should change passwords, enable two-factor authentication, and remain vigilant for suspicious activity. Monitoring linked accounts and staying informed about official communications from Pinterest is crucial.
Threat actors have claimed responsibility for a massive data breach involving 1.1TB of Disney’s internal Slack chats, exposing sensitive information like unreleased projects and internal API links. Disney users should change passwords, enable two-factor authentication, and monitor for suspicious activity. Disney should enhance security measures for internal communication tools to prevent future breaches.
Rite Aid has confirmed a data breach following a cyberattack by the RansomHub ransomware group, which claimed to have stolen 10 GB of customer information. Rite Aid should notify affected customers and strengthen its cybersecurity measures to prevent future incidents.
AT&T reportedly paid a hacker $370,000 to delete stolen customer data, including call and text metadata. Despite the payment, residual risks persist, and customers should remain vigilant for potential threats. AT&T needs to enhance its cybersecurity measures to prevent similar breaches in the future.
Spyware vendor mSpy suffered a significant data breach, exposing millions of customers' data, including names, email addresses, and customer support tickets. This is the third major breach for mSpy since 2010.
A massive data breach has exposed 361 million unique emails, usernames, and passwords for sale on dark web forums. Users are advised to change passwords, enable two-factor authentication, and monitor accounts for suspicious activity. This incident highlights the importance of using strong, unique passwords for different services.
Over 15 million Trello user email addresses were leaked via an unsecured API. Atlassian, Trello's owner, secured the API in January, but the leaked data poses risks of targeted phishing and doxxing. Users should be cautious of unsolicited emails and consider updating their account security settings.
MediSecure, an Australian prescription delivery service provider, revealed that roughly 12.9 million people had their personal and health information stolen in an April ransomware attack. Users are advised to be cautious of scams referencing the MediSecure data breach and not to respond to unsolicited contacts.
Malware and Ransomware
Brace yourself as we explore the sinister world of malware and ransomware. These threats are evolving at breakneck speed, and knowing the latest can be the difference between security and catastrophe.
Researchers at Cyble Research and Intelligence Labs have uncovered a .NET-based shellcode loader named “Jellyfish Loader,” potentially linked to state-sponsored hackers. Organizations should enhance their malware detection capabilities and monitor for suspicious activity to protect against such threats.
The SEXi ransomware operation has rebranded as APT INC, continuing to use Babuk and LockBit 3 encryptors to target VMware ESXi servers and Windows systems. Organizations should implement robust backup and recovery plans and monitor for signs of ransomware activity.
The Iranian-backed MuddyWater hacking group has switched to using a new custom malware implant called BugSleep, which targets systems worldwide. Organizations should enhance their phishing defenses and monitor for suspicious activity to protect against such attacks.
Cybersecurity researchers have identified a new version of HardBit ransomware that uses passphrase protection and enhanced obfuscation techniques to evade detection. Organizations should strengthen their ransomware defenses and regularly update security protocols.
Ransomware groups are exploiting a vulnerability (CVE-2023-27532) in Veeam Backup & Replication, allowing attackers to gain access to backup infrastructure hosts. Organizations should update Veeam software and implement strong security measures to protect against such attacks.
The prevalence of infostealer malware, which extracts sensitive data like cryptocurrency wallets and saved passwords, poses significant risks. Organizations should deploy advanced security solutions, educate employees on cybersecurity best practices, and regularly monitor systems for signs of compromise.
Sysdig reports a significant increase in CRYSTALRAY's operations, using tools like SSH-Snake, asn, zmap, httpx, and nuclei to exploit vulnerabilities and plant backdoors. Organizations should enhance network security measures, regularly update software, and monitor for unusual activity to prevent such attacks.
A new phishing scam targeting employees’ Microsoft credentials has been uncovered by Cofense. The scam masquerades as an official HR communication, directing recipients to a fake Microsoft login page to steal credentials. This attack can lead to unauthorized access to sensitive corporate data. Organizations should enhance email security measures and educate employees about phishing tactics to mitigate such risks.
Researchers have identified two malicious npm packages that concealed backdoor code in image files. Developers should scrutinize open-source libraries for hidden threats and use advanced security tools to detect malicious packages.
The cybercrime group Scattered Spider has incorporated ransomware strains RansomHub and Qilin into its arsenal, targeting VMware ESXi servers and deploying sophisticated social engineering schemes. Organizations should enhance their cybersecurity defenses and follow best practices to prevent ransomware attacks.
Following the recent CrowdStrike Falcon sensor issue, threat actors are actively exploiting the incident to target CrowdStrike customers through phishing campaigns, social engineering, disinformation, and malicious software distribution. Organizations are advised to verify communication channels, follow official guidance, remain vigilant, and educate employees about these new threats.
Phylum Research Team uncovered a cyberattack targeting developers using the npm package registry. Malicious packages concealed harmful code within JPEG files. Developers must implement robust monitoring and verification processes for open-source libraries to prevent such attacks.
Researchers identified Android malware "BadPack," which uses tampered headers to evade traditional security analysis tools. This technique complicates reverse engineering, making it difficult to counter the malware. Users must remain vigilant and avoid installing apps from unverified sources.
Software and System Issues
Even the most secure systems can have flaws. Here’s a look at some recent software and system issues you should be aware of:
Microsoft has provided a temporary workaround for a known issue preventing the Microsoft Photos app from launching on some Windows 11 systems. Administrators should apply the provided fix and monitor for updates from Microsoft for a permanent solution.
Windows Server updates from June have broken some Microsoft 365 Defender features, impacting network data reporting. Administrators should monitor affected systems and await further updates from Microsoft.
Google’s Gemini 1.5 Flash model significantly improves malware analysis speed and accuracy, processing files in an average of 12.72 seconds. Organizations should consider integrating such advanced AI models to enhance their cybersecurity defenses.
SonicWall warns that a recently patched Splunk Enterprise vulnerability, CVE-2024-36991, is more severe than initially considered and can be exploited with a simple GET request. Users are advised to update their Splunk Enterprise on Windows installations as soon as possible or disable Splunk Web to mitigate the vulnerability.
A critical crash error in CrowdStrike’s Falcon Sensor platform caused widespread IT disruptions across the globe, affecting services like 911 call centers, airlines, banks, and major media outlets. The crashes were linked to a recent content deployment. CrowdStrike has issued a workaround for systems still experiencing crashes and unable to receive the updated changes.
Cisco has issued a security advisory for a vulnerability in their RV340 and RV345 Dual WAN Gigabit VPN routers, allowing authenticated attackers to remotely execute arbitrary code. As no software updates will be released due to end-of-life status, users are advised to replace the affected routers with newer models to mitigate the risk.
The NHS England CSOC has issued a cyber alert following new intelligence from CrowdStrike regarding the CVE-2023-6548 vulnerability in Citrix’s NetScaler Gateway and NetScaler ADC devices. The vulnerability, initially rated less severe, is now classified as critical. Organizations are strongly recommended to update to the latest software versions to mitigate the risk.
Cybersecurity Measures and Recommendations
But what can you do about all these threats? Here’s a rundown of some top-tier cybersecurity measures and recommendations to help you stay one step ahead:
Organizations targeted by OilAlpha should implement strong security measures, including robust password protocols, multi-factor authentication, and regular training on phishing and social engineering attacks.
Given the speed at which vulnerabilities are exploited, organizations must employ AI-assisted detection and rapid patch deployment to mitigate risks. Cloudflare's report highlights the need for combining human-written signatures with machine learning for effective threat response.
Advanced Persistent Threats (APT)
Finally, we’re zeroing in on Advanced Persistent Threats (APTs). These stealthy, prolonged cyber-attacks require a nuanced understanding to effectively counter. Get ready to arm yourself with knowledge that could thwart these persistent adversaries.
APT41, a prolific China-based hacking group, has infiltrated networks in multiple countries, targeting sectors like shipping, logistics, media, entertainment, technology, and automotive. The group has maintained prolonged access, enabling them to extract sensitive data. Organizations should enhance their cybersecurity defenses and follow best practices to prevent such sophisticated attacks.
MirrorFace threat actors have shifted from spear phishing to exploiting vulnerabilities in Array AG and FortiGate products. They deploy NOOPDOOR malware to exfiltrate data using advanced obfuscation techniques. Security teams should ensure all external assets are patched and monitor for unusual network activity.
So there you have it! An electrifying overview of the latest vulnerabilities, exploits, data breaches, malware, ransomware, APTs, software and system issues, and practical cybersecurity measures.
Have any questions, comments, or feedback? Feel free to reply directly, I'd love to hear from you!
If you find this newsletter helpful and think others would too, please consider forwarding it to them. 🙏
Thanks for reading!
exit(0);