Microsoft vulnerabilities on top of the chart - When CrowdStrike outage is a table top practice for Chinese disruptive attack

Weekly Report
Threat Research Team
August 15, 2024

Microsoft Patch Tuesday includes six exploited vulnerabilities

Microsoft patched six actively exploited vulnerabilities, among them a memory corruption RCE flaw in the Windows Scripting Engine (CVE-2024-38178), that requires user interaction and is apparently leveraged by state actors; a RCE in Microsoft Project (CVE-2024-38189), exploitable when the ”Block macros from running in Office files from the Internet” policy is disabled; and a new security bypass flaw in SmartScreen (CVE-2024-38213), exploited by a DarkGate campaign since March.

Mitigate it

Enable the ”Block macros from running in Office files from the Internet” policy or, at least, enable VBA Macro Notification Settings (for CVE-2024-38189).

A new Ipv6 flaw

Microsoft assessed that a new critical RCE vulnerability in the TCP/IP protocol (CVE-2024-38063) is “more likely” to be exploited. By sending crafted IPv6 packets to a target, attackers might use the flaw to trigger a buffer overflow leading to code execution on Windows systems enabling IPv6 by default, specifically Windows 10, Windows 11 and Windows servers.

Mitigate it

Turn off IPv6 on vulnerable machines or block incoming IPv6 traffic in the firewall.

A CLFS vulnerability leads to system crashes

A new bug in the Windows Common Log File System (CLFS) driver (CVE-2024-6768) can be very easily exploited to crash various versions of Windows. The flaw lies in an improper validation of quantities in input data which triggers system crashes. Microsoft added a signature for the exploit to its Defender products, but denied the existence of the vulnerability and apparently will not release a patch for it.

Earth Baku goes West

Earth Baku, a sub-group of the cyberespionage Chinese state actor APT41, is now targeting organizations in Europe, Africa and the Middle East – in a pivot aimed at expanding cyber activities beyond Asia. Earth Baku is known for crafting specific tools to exploit vulnerabilities for initial access, including the ProxyLogon flaw (CVE-2021-26855).

Log4j exploitation is surging

A new report reveals a 61% increase in attempts of exploitation of the Log4j vulnerability (CVE-2021-44228) over the last few months; and a 79% increase for the Oracle WebLogic vulnerability (CVE-2020-14883). The reports also put a spotlight on IntelBroker who is described as one of the most active threat actors currently.

Use the Zafran dashboard to check your exposure to infamous vulnerabilities like Log4shell

Crowdstrike and China

One day after it published a root cause analysis of its recent bug, Crowdstrike denied accusations made by a Chinese security firm according to the reason of the BSOD loop is a memory corruption vulnerability which might be exploited in the future. In parallel, CISA’s director claimed that the Crowdstrike global outage was “a useful exercise” to understand future Chinese cyberattacks, especially from the Chinese APT Volt Typhoon.

Mitigate it

Mitigate it

Mitigate it

Mitigate it

Mitigate it

Sources

Previous Exploitation Reports

September 4, 2024

An unreal week of exploitation: China Targets MSPs and ISPs to get to the victims, DPRK exploiting 0day for cryptomining, Russia deploys ransomware, Iran Partners with Russian cybercrime

August 29, 2024

Iran targets disruption of US elections - Chinese threat groups zero day on prem exploits

August 21, 2024

Lazarus exploits a driver flaw for kernel manipulation (again) - Iran's interference in US election - Surge in DDoS

ProductLearnAboutCareersGet a Demo
© ZAFRAN, 2024, All rights reserved   |    Privacy Policy   |    Terms of Service