- VulnVerse
- Posts
- [VulnVerse] #5 - RaspAP Root Risk, VMware ESXi Exploit...
[VulnVerse] #5 - RaspAP Root Risk, VMware ESXi Exploit...
Marko Živanović
August 03, 2024
Read Time: 15 minutes
Welcome back to VulnVerse! It's our 5 weekly dispatch, and we've got another jam-packed edition for you. Let's dive into the latest vulnerabilities, exploits, and cyber threats.
Contents
Vulnerabilities and Exploits 🔥: 1 to 18
Data Breaches 💥: 19 to 23
Malware and Ransomware 🐛: 24 to 41
Software and System Issues ⚙️: 42 to 44
Cloud ☁️: 45 to 48
Tools 🛠️: 49
Cybersecurity Measures and Recommendations 🔒️: 50 to 53
Advanced Persistent Threats (APT) 🕵️: 54 to 58
Vulnerabilities and Exploits 🔥
Let’s start with the big one. Vulnerabilities and exploits are the bread and butter of cybersecurity, but they can be daunting to tackle. Staying on top of them requires persistence, curiosity, and a bit of a methodical approach. Below, you’ll find the latest threats you need to be aware of.
A critical vulnerability (CVE-2024-41637) in RaspAP, a tool for turning Raspberry Pi devices into wireless access points, allows attackers to gain root access. This could lead to full system compromise and network breaches. Users are urged to update RaspAP and tighten security settings.
A Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-6922) in Automation Anywhere’s Automation 360 platform could let attackers exploit internal networks. With over 3,500 servers exposed, organizations should urgently update to the latest software version to prevent attacks.
A vulnerability (CVE-2024-34693) in Apache Superset allows attackers to read files on the server, potentially exposing sensitive data. Users should upgrade to the latest version to protect against this risk, which could lead to privilege escalation and further attacks.
Two severe SQL injection vulnerabilities (CVE-2024-7201 and CVE-2024-7202) in the WinMatrix IT management system could allow remote attackers to manipulate databases and steal data. Users should update their systems to the latest version immediately to secure them.
A critical VMware ESXi vulnerability is being exploited by ransomware gangs to gain administrative access and encrypt virtual machines. VMware has released a security update, and administrators are urged to patch it immediately.
Taiwan’s CERT has issued a critical alert for a severe vulnerability (CVE-2024-5670) in Softnext’s Mail SQR Expert and Mail Archiving Expert systems. This flaw, with a CVSS score of 9.8, allows unauthenticated attackers to inject OS commands, leading to remote code execution and potential data breaches. Users are strongly advised to update to the latest versions to mitigate this high-risk vulnerability.
A newly discovered vulnerability in multiple hosted email services allows attackers to bypass sender identity verification, enabling email spoofing and impersonation. This flaw undermines security protocols like SPF, DKIM, and DMARC, exposing millions of users to potential phishing attacks and fraud. Authenticated attackers can exploit this vulnerability to send emails that appear to come from trusted domains, risking data breaches and reputational damage. Immediate action is needed from both hosting providers and domain owners to strengthen email security and prevent exploitation.
A vulnerability in popular DVR devices tracked as CVE-2024-7339 exposes over 400,000 devices to unauthorized access. The flaw allows attackers to extract sensitive information and potentially take control of the devices. Users are urged to check for firmware updates and implement strict access controls to mitigate the risk.
Bitdefender has released a critical patch for a vulnerability (CVE-2024-6980) in its GravityZone Update Server that could allow attackers to perform server-side request forgery attacks. This vulnerability, affecting on-premises installations, poses a high risk of unauthorized access and data breaches. Users are strongly advised to update to the latest version to secure their systems.
Palo Alto Networks has discovered 15 vulnerabilities in the Easy! Appointments scheduling software using an AI-powered tool designed to detect BOLA (Broken Object-Level Authorization) vulnerabilities. These flaws allowed unauthorized access to sensitive data and system settings. Users are urged to update to the latest version to protect their systems from potential exploitation.
Vulnerabilities in SMTP servers allow authenticated users to spoof sender information, bypassing DMARC, SPF, and DKIM protections. This could lead to widespread email impersonation and potential reputational damage for affected organizations.
Security researchers have discovered a simple method to bypass Meta’s AI safety shield, Prompt-Guard-86M, designed to prevent AI manipulation. By inserting spaces and removing punctuation in command phrases, attackers can circumvent the model’s protections, highlighting the challenges in securing AI systems against evolving threats. Meta is reportedly working on a fix, but this vulnerability raises concerns about the robustness of AI safety measures.
Researchers have discovered a new technique, SLUBStick, that exploits vulnerabilities in the Linux kernel, potentially allowing attackers to gain control over systems despite modern security defenses. This method significantly increases the success rate of cross-cache attacks, making it a serious threat to Linux-based systems. Users are advised to keep their systems updated and exercise caution when running untrusted code.
Specula, a new tool developed by TrustedSec, exploits an old vulnerability (CVE-2017-11774) in Microsoft Outlook, turning it into a command-and-control hub for cybercriminals. By manipulating registry keys, attackers can execute malicious code through Outlook, making it difficult to detect. Users are urged to ensure their systems are patched and secure against this threat.
A critical vulnerability in the AppImage version of ImageMagick has been discovered, allowing attackers to execute arbitrary code by exploiting how the software handles environment variables. This poses significant risks in environments where ImageMagick processes untrusted files. Users are urged to update to the latest version and avoid running ImageMagick in untrusted directories.
Progress Software has issued a security alert for MOVEit Transfer users, warning of a new vulnerability (CVE-2024-6576) that could allow privilege escalation within the system. The flaw affects several versions of MOVEit Transfer and poses a significant risk to enterprise environments. Users are advised to update to the latest patched versions to secure their systems against potential attacks.
Multiple vulnerabilities in Philips VUE PACS, a medical imaging system, could allow attackers to access sensitive patient data and disrupt medical services. The flaws range from high to critical severity, with several involving deserialization of untrusted data and uncontrolled resource consumption. Philips has released patches, and healthcare organizations are urged to update their systems immediately to protect against potential exploitation.
Over 20,000 Ubiquiti devices are vulnerable to amplification attacks and data leaks due to exposed UDP ports and a lack of authentication. Users are urged to update firmware and enhance security measures.
Data Breaches 💥
Data breaches—those dreaded moments when data slips through the cracks. They’re not just cautionary tales; they’re wake-up calls. Here, we break down recent incidents, helping you learn from others’ misfortunes so you can tighten your own defenses.
Bharat Sanchar Nigam Limited (BSNL), India's state-owned telecom company, has suffered a data breach, with a hacker offering the stolen data for sale on a dark web forum. The breach, confirmed by Indian authorities, involved sensitive information like IMSI and SIM card numbers. BSNL has taken steps to secure its systems, but the breach highlights significant cybersecurity challenges within critical infrastructure.
HealthEquity has reported a data breach affecting 4.3 million users, exposing sensitive personal and financial information. The breach was caused by compromised partner credentials.
The City of Columbus, Ohio, confirmed a ransomware attack on July 18, 2024, which led to disruptions in city services. While the attack was contained without systems being encrypted, the investigation is ongoing to determine the extent of data accessed. The personal information of individuals may have been compromised, and the city is in the process of identifying affected individuals.
Numerous credit card users are reporting unauthorized charges from Shopify-charge.com. These charges appear as $1 or $0 on their statements, even if they did not make any purchases. Shopify confirmed that these charges are unrelated to their recent vendor data breach and are likely a result of card testing fraud.
Fresnillo PLC, the largest silver producer globally, has been hit by a cyberattack affecting its IT systems and data. The company has implemented response measures and is investigating the incident with external experts, while operations continue without major disruptions.
Malware and Ransomware 🐛
Ah, malware—the relentless, ever-evolving adversary. It’s the stuff that keeps us up at night and on our toes. Here, we’ll dive into the latest developments and arm you with the knowledge you need to fend off these persistent threats.
Kaspersky reports an 8% increase in malware attacks targeting small and medium-sized businesses in early 2024. Trojans disguised as legitimate software are the most common threat, emphasizing the need for SMBs to improve cybersecurity awareness and defenses.
Kaspersky researchers have uncovered the return of Mandrake spyware on the Google Play Store, hidden in five apps with over 32,000 downloads. This sophisticated spyware, which has resurfaced with enhanced evasion techniques, targets Android users to steal credentials and data. The apps, including a popular file-sharing tool, managed to bypass Google's security checks. Users are advised to stay vigilant and avoid downloading unfamiliar apps.
A new phishing campaign is targeting users searching for W2 tax forms, redirecting them to fake IRS websites that download malware. The campaign installs Brute Ratel, a post-exploitation tool, and Latrodectus malware, which is capable of exfiltrating data and executing further attacks. Users are advised to verify website authenticity and exercise caution when downloading files online.
BingoMod, a newly discovered Android banking Trojan, targets bank accounts, transfers funds, and wipes devices to cover its tracks. The malware uses accessibility services to steal credentials and intercept SMS messages for verification codes. Users are advised to avoid installing unknown apps and use security protection software to guard against such threats.
A new macOS malware campaign masquerades as the popular file archiving tool "The Unarchiver," stealing sensitive data like passwords and cryptocurrency wallet information. The malware, named "CryptoTrade," is distributed through a convincing phishing website. Users are advised to download software only from trusted sources and verify the authenticity of downloaded files.
RansomHub, a new ransomware group, uses advanced tactics to breach systems and encrypt data. Linked to the Knight ransomware, RansomHub is rapidly becoming a major threat, particularly in Latin America and Europe.
A North Korean hacker has been indicted for using ransomware attacks on U.S. hospitals to fund cyber espionage against military and government targets. The attacks were part of broader state-sponsored cyber activities.
A phishing campaign in Poland, Italy, and Romania led to the installation of various malware, including Agent Tesla and Remcos RAT. Attackers used compromised emails and servers to distribute malicious files through ModiLoader, targeting small and medium-sized businesses.
A widespread Android malware campaign has infected over 107,000 devices in 113 countries, stealing one-time passwords (OTPs) from top global brands. The malware, distributed through deceptive ads and Telegram bots, targets users' SMS messages to bypass two-factor authentication.
APT10's "Cuckoo Spear" campaign uses LODEINFO and NOOPDOOR malware to infiltrate networks and exfiltrate data. The advanced malware allows persistent access, emphasizing the need for robust cybersecurity measures.
The Black Basta ransomware gang has adapted to using custom tools like SilentNight, DawnCry, and PortYard following the QBot botnet takedown. These tools enhance their capability to evade detection and maintain persistent access.
UNC4393, a ransomware gang known for using BASTA ransomware, has evolved from leveraging the QAKBOT botnet to developing custom malware. The group has attacked over 500 victims globally, adapting its tactics and expanding its targets, including healthcare sectors.
SonicWall's mid-year Cyber Threat Report highlights a 107% increase in attacks on IoT devices in 2024. The report also notes a surge in supply chain attacks and the exploitation of PowerShell by cybercriminals, emphasizing the growing threat landscape.
Cybercriminals are using fake Google Authenticator ads in Google Search to distribute malware. The ads lead to fraudulent websites, tricking users into downloading a data-stealing malware called DeerStealer.
Hackers are exploiting an MSHTML vulnerability (CVE-2024-38112) to distribute the Atlantida InfoStealer malware. The attack involves luring users to download archives containing PDF books, which execute the malware. The Atlantida stealer targets login information from various applications, posing a significant threat to user security.
Cybercriminals are exploiting the hype around OpenAI's Sora AI by creating phishing sites that distribute malware. Users are tricked into downloading malicious files, leading to data theft and system compromise.
The Trik botnet, also known as Phorpiex, has resurfaced with advanced capabilities, including evading antivirus detection and spreading through USB drives. The botnet, sold on the dark web, poses a significant threat with its ability to steal cryptocurrency and infect files.
A new phishing campaign tricks OneDrive users into executing malicious PowerShell scripts through fake error messages. Victims are lured into downloading malware disguised as legitimate files, posing a significant threat to data security.
Software and System Issues ⚙️
Even the most secure systems have their hiccups. Whether it’s a software flaw or a system glitch, these issues can create openings for bigger problems. We’ll cover the recent ones you should be aware of.
Researchers have discovered critical vulnerabilities in VoWiFi implementations across major smartphone manufacturers and mobile networks. These flaws could allow attackers to intercept calls, and SMS messages, and even impersonate users. The vulnerabilities stem from outdated encryption algorithms and improper key management, affecting millions of users worldwide. Patches are being rolled out, and users are advised to update their devices and remain vigilant.
A phishing campaign dubbed "EchoSpoofing" exploited weak permissions in Proofpoint's email security service to send millions of spoofed emails impersonating major brands. The campaign, targeting Fortune 100 companies, was shut down after Guardio Labs notified Proofpoint.
Microsoft has released a security update for its Edge browser, addressing 18 vulnerabilities, including two specific to Edge itself. Notably, the update fixes a remote code execution vulnerability (CVE-2024-39379) linked to Adobe software used within Edge. Users are urged to install the update to maintain a secure browsing environment.
Cloud ☁️
The cloud is both a playground and a battlefield. With more data and services migrating to the cloud, the stakes have never been higher. In this section, we’ll explore the latest challenges and solutions in cloud security.
Investigators exploited a misconfigured Rclone file to access the Medusa Ransomware Group's cloud storage, revealing sensitive data from their victims. The incident underscores the importance of securing cloud storage credentials.
Networking solutions provider ZeroTier raised $13.5 million to enhance its virtual networking services. The funds will support innovation and expansion, with the company's software-defined network already supporting over three million devices globally.
Cybercriminals are using the TryCloudflare Tunnel service to distribute malware, including Xworm RAT. This service is being exploited to create ephemeral infrastructure that bypasses traditional security controls. Recent campaigns have delivered malware via URL links and attachments, posing significant threats due to their rapid deployment and evasion capabilities.
A critical vulnerability (CVE-2024-7205) in the eWeLink Cloud Service could allow unauthorized users to take control of shared smart home devices. The flaw exposes sensitive device information when shared, enabling secondary users to gain full control. Users should update to the latest version of the eWeLink app and ensure their devices are secure.
Tools 🛠️
No one tackles cybersecurity unarmed. In this section, we’re showcasing some of the latest and greatest tools that can help you fortify your defenses, streamline your workflows, and maybe even make your life a little easier.
Apple has open-sourced its homomorphic encryption (HE) library used in iOS 18 for Live Caller ID Lookup. This technology allows encrypted data to be used without decryption, enhancing privacy. Apple's implementation aims to protect data while maintaining usability, marking a significant step forward in privacy-enhancing technologies.
Cybersecurity Measures and Recommendations 🔒️
You’ve seen the threats, now what? It’s not enough to just be aware—you need to act. Here’s a rundown of some top-notch cybersecurity measures and recommendations that will help you stay secure, sane, and ahead of the bad guys.
The ECB’s recent cybersecurity stress test found that while European banks are generally prepared for cyberattacks, there are significant areas for improvement, particularly in recovery planning and cyber resilience. Banks are urged to enhance their strategies to better protect against growing threats.
DigiCert will revoke thousands of SSL/TLS certificates due to a DNS validation error. The issue involves a missing underscore in CNAME-based domain validation, violating CABF rules. Affected customers must replace their certificates within 24 hours to avoid disruptions.
Metomic reports that 25% of publicly shared files in healthcare contain PII. Many private files shared externally also contain sensitive data. These practices pose significant risks of data breaches, highlighting the need for stricter data security and DLP tools.
Google has patched a critical vulnerability in Google Workspace that allowed attackers to bypass email verification during account creation, potentially leading to account takeovers. The flaw was quickly addressed, but users are advised to enable multi-factor authentication and monitor their accounts for suspicious activity.
Advanced Persistent Threats (APT) 🕵️
APTs are the silent stalkers of the cyber world—sophisticated, patient, and dangerous. To defend against them, you need a deep understanding of their tactics. We’ll get into the latest on APTs and what you can do to keep them at bay.
China’s APT10 group has been targeting Japanese critical infrastructure in a cyber espionage campaign called “Cuckoo Spear.” The group uses advanced malware to infiltrate and persist in networks, exfiltrating sensitive data.
North Korea’s APT45 group has been conducting cyber espionage and ransomware attacks, stealing sensitive military data and targeting critical infrastructure. Their operations reflect North Korea’s geopolitical goals.
Chinese state-sponsored hacking group APT41 breached a Taiwanese research institute, using advanced techniques and malware like ShadowPad and Cobalt Strike to steal sensitive data. The attack showcased the group's sophistication and persistence in infiltrating high-value targets.
SideWinder, a nation-state hacker group, has launched a cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The group uses spear-phishing and document exploitation techniques to steal sensitive information.
APT10 targets Japanese organizations using LODEINFO and NOOPDOOR malware to steal sensitive information. The campaign, named "Cuckoo Spear," highlights ongoing cyber espionage efforts by Chinese threat actors.
So there you have it! An electrifying overview of the latest vulnerabilities, exploits, data breaches, malware, ransomware, APTs, software and system issues, and practical cybersecurity measures.
Have any questions, comments, or feedback? Feel free to reply directly, I'd love to hear from you. I’m all ears!
If you find this newsletter helpful and think others would too, please consider forwarding it to them. 🙏
Thanks for reading!
exit(0);
Reply