CrowdStrike's issue creates worldwide outages
A significant issue in CrowdStrike is leading to a shutdown of many systems worldwide. Following a recent Falcon Sensor update, many Windows users are experiencing a Blue Screen of Death error. Many sectors of activity are deeply impacted (banks, healthcare, transportation, telecom, media and more) and safety concerns have been raised as flights were grounded, emergency services suspended and hospitals moved back to "pen and pencil". After hours of global panic, CrowdStrike has finally issued a fix, even though manual intervention is still needed to release the affected assets from the BSOD loop.
Windows updates hurt Defender XDR
Microsoft announced that the recent updates for Windows Server, released on the last Patch Tuesday (June 11), cause issues with some features of Defender XDR (previously known as Microsoft 365 Defender). More specifically, updated servers might encounter problems with network data reporting based on the NDR service, as well as with any other feature relying on NDR, such as Incident Response and Device Inventory. The issues affect only Windows Server 2022.
Large AT&T data breach
AT&T reported that last April, a threat actor successfully exfiltrated the logs of calls and texts made by nearly all its customers between May and October 2022. A senior AT&T official later admitted that the intrusion was the result of a compromised Snowflake account. The company paid a 370,000 USD ransom to have the information deleted. The hacker behind the attack appears to be an American citizen living in Turkey who is part of the infamous ShinyHunters network. Moreover, the hacker was arrested by the Turkish authorities last May for his involvement in the 2022 T-Mobile data breach. ShinyHunters recently led large-scale Snowflake campaigns against significant companies, including Ticketmaster, Santander Bank and Mitsubishi. As a result of the attacks, Snowflake announced a new policy, according to which admins will now be able to enforce mandatory MFA in their organization.
A PHP vulnerability affects Windows with Asian locales
Starting on June 8, multiple threat actors, including the TellYouThePass ransomware group, have been exploiting a PHP vulnerability (CVE-2024-4577), in some cases for cryptomining operations. The RCE flaw affects Windows installations running PHP in CGI mode, primarily ones using Chinese and Japanese locales. As of June 13, 1,000 hosts had been compromised, mostly in China. The attackers used the flaw to execute arbitrary PHP code and run an HTML application file hosted on an attacker-controlled web server. TellYouThePass is known for targeting SMBs and individuals and for exploiting infamous Apache vulnerabilities, such as Log4j (CVE-2021-44228) and ActiveMQ (CVE-2023-46604).
Mitigate it
In Akamai Adaptive Security Engine, make sure Command Injection Attack group (including rules 969151 v1, 959977 v1, 3000155 v1, 3000171 v3) is in “deny” mode.
Internet Explorer is exploited again
The MSHTML vulnerability (CVE-2024-38112) patched a week ago by Microsoft is now also being exploited by Void Banshee, a group targeting organizations in the US, Europe and South Asia for information theft and financial gain. The flaw allows attackers to send victims a malicious URL which, when clicked, opens an HTML application file in Internet Explorer even when Chrome or Edge is set as the default browser. Void Banshee used it to deliver the Atlantida infostealer malware.
Mitigate it
Apply Check Point IPS protection “Internet Shortcut File Remote Code Execution”.
GeoServer is compromised
CISA warns of the active exploitation of a new vulnerability in GeoServer (CVE-2024-36401), a popular open-source server for sharing geospatial data. The RCE flaw stems from feature names being incorrectly evaluated as XPath expressions.
Mitigate it
Remove the ‘gt-complex-x.y.jar’ file from the server.
CISA's red team breached a civilian executive branch organization
A red team operated by CISA broke into a major civilian executive branch organization by exploiting a 2022 vulnerability in Oracle Web Applications Desktop Integrator (CVE-2022-21587) present in the victim's Solaris enclave. The exploitation provided access to a backend application server, which was then used to deploy a RAT on multiple internet-exposed servers.
A new flaw in Apache HugeGraph
A new RCE vulnerability in Apache HugeGraph (CVE-2024-27348) is being exploited in the wild, as attackers leverage it to bypass sandbox restrictions and execute arbitrary code. HugeGraph is an open-source graph database system that helps users easily build applications on top of graph databases.
Hack of ARRL
The American Radio Relay League (ARRL) has admitted a breach of employees' information, following a cyberattack that occurred last May. The actor behind it is apparently a relatively new and small double-extortion group named Embargo, possibly a former affiliate of the now dismantled BlackCat.
Sources
- https://supportportal.crowdstrike.com/s/article/Tech-Alert-Windows-crashes-related-to-Falcon-Sensor-2024-07-19
- https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#network-data-reporting-from-microsoft-365-defender-may-be-interrupte
- https://www.404media.co/american-hacker-in-turkey-linked-to-massive-at-t-breach/, https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/, https://www.snowflake.com/blog/snowflake-admins-enforce-mandatory-mfa/
- https://www.imperva.com/blog/update-cve-2024-4577-quickly-weaponized-to-distribute-tellyouthepass-ransomware/, https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure, https://censys.com/cve-2024-4577-pt2/
- https://www.securityweek.com/apt-exploits-windows-zero-day-to-execute-code-via-disabled-internet-explorer/
- https://www.securityweek.com/organizations-warned-of-exploited-geoserver-vulnerability/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-193a
- https://blog.securelayer7.net/remote-code-execution-in-apache-hugegraph/
- https://www.bleepingcomputer.com/news/security/arrl-finally-confirms-ransomware-gang-stole-data-in-cyberattack/