New SolarWinds WHD Flaw Exposes Systems

Following last week's disclosure of a critical vulnerability (CVE-2024-28986) in SolarWinds Web Help Desk (WHD), a second critical flaw (CVE-2024-28987) has now been identified. This one stems from hardcoded credentials, which let a remote, unauthenticated attacker reach WHD's internal functionality and modify data; no prior foothold is needed if the management interface is reachable.

Mitigate it

Apply the vendor hotfix. Until it can be installed, restrict who can reach WHD hosts with a strict IP access control list (ACL) on the firewalls in front of them, and make sure the WHD interface is not exposed directly to the internet, since the flaw needs no credentials at all.

Iranian Hackers Target U.S. Admins on WhatsApp

Similarly, following last week's report on the Iranian state actor APT42 sending phishing emails, Meta revealed that the same group also tried to compromise the WhatsApp accounts of staff from the administrations of President Joe Biden and former President Donald Trump. Meta uncovered the cluster, whose operators posed as tech support agents from companies such as AOL, Microsoft, Yahoo, and Google, after recipients reported the suspicious WhatsApp messages.

Use the Zafran Defenses page to understand exposure to APT42

Microsoft Copilot Vulnerability Risks Data Leak

Tenable researchers discovered a server-side request forgery (SSRF) vulnerability (CVE-2024-38206) in Microsoft's Copilot Studio. The tool's HTTP-request action could be pointed at arbitrary endpoints, including the cloud instance metadata service, which let an attacker learn about internal services in Microsoft's cloud environment and could have exposed data across tenants. Microsoft has fully remediated the flaw on the service side, so there is nothing for customers to patch.
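The root cause above is a server fetching user-controlled URLs without checking where they lead. The following added example (written for this page, not Microsoft's code) shows the check a practitioner would put in front of such a fetch: it accepts only http(s), resolves the host before connecting, and rejects any address that is not globally routable, which covers RFC 1918 space, loopback, and the link-local 169.254.169.254 metadata endpoint. The `FAKE_DNS` table is a constructed stand-in for the OS resolver so the example runs offline; the hostnames in it are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name table so the example runs offline; it stands in for
# socket.getaddrinfo (assumption: a real implementation resolves via the OS).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],                 # public address, sample data only
    "metadata.internal": ["169.254.169.254"],            # cloud instance metadata service
    "rebinding.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private record
}


def resolve(host):
    """Return every address a name resolves to (empty list if unknown)."""
    return FAKE_DNS.get(host, [])


def is_public_ip(addr):
    """True only for globally routable unicast addresses.

    ipaddress.is_global is False for RFC 1918, loopback, link-local
    (which covers 169.254.169.254), CGNAT, documentation and reserved ranges.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must be judged as IPv4
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url, resolver=resolve):
    """Decide whether a user-supplied URL may be fetched on the server's behalf.

    Returns (allowed, detail): detail is the list of vetted addresses when
    allowed, otherwise the reason for rejection.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # Literal IPs (including bracketed IPv6) are checked directly.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Hostnames are resolved up front; *every* record must be public,
        # otherwise a name with mixed records could steer the request inward.
        addrs = resolver(host)
    if not addrs:
        return False, f"{host!r} does not resolve"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{host!r} maps to non-public address {addr}"
    return True, addrs


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items",
              "http://169.254.169.254/metadata/instance",
              "http://metadata.internal/",
              "http://[::ffff:169.254.169.254]/",
              "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u))
```

Two caveats apply when this is wired into a real client: connect to the address that was vetted rather than letting the HTTP library resolve the name a second time (otherwise DNS rebinding can swap in an internal record between check and use), and re-run the check on every redirect target, because a public host can 302 the fetch to the metadata service.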


Slack AI Bug Could Lead to Data Theft

Researchers at PromptArmor identified a prompt injection flaw in Slack AI, the feature of the Slack workplace collaboration platform that lets users query Slack messages in natural language. The language model cannot distinguish instructions planted inside message content from the user's own request, so text posted in a channel that the model later retrieves is treated as part of the query. They outlined two abuses: an attacker with any workspace access (a public channel is enough, no membership in the victim's private channels is needed) could exfiltrate data from private channels, for example by having the model render a link that carries the secret to an attacker-controlled URL, and the same technique could be used to phish users within the workspace. Slack has acknowledged the issue, confirmed that it has no evidence of exploitation, and released a security update to address it.


'Velvet Ant' Exploits Cisco Switches with Zero-Day

Sygnia has observed 'Velvet Ant' (also tracked as UNC3886), a China-nexus threat group, exploiting a zero-day (CVE-2024-20399) to take control of on-premises Cisco Nexus switches. The flaw is a command injection in the NX-OS command-line interface (CLI): an attacker who already holds valid administrator credentials for the switch can escape the CLI and execute arbitrary commands with root privileges on the underlying Linux operating system. After exploitation, 'Velvet Ant' deploys custom malware that runs on that OS, outside what the NX-OS management plane shows.

Mitigate it

Enforce strict firewall rules and access control lists (ACLs) so that switches cannot initiate outbound connections to the internet. Block the known 'Velvet Ant' infrastructure: 202.61.136[.]158 and 103.138.13[.]31. Because exploitation requires valid administrator credentials, also rotate switch admin passwords, enforce centralized AAA for switch logins, and review NX-OS accounting logs for CLI activity that does not match your change records.
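Both halves of that mitigation can be checked against firewall logs. The added example below (written for this page, not Sygnia's or Cisco's code) parses constructed log lines and raises two kinds of finding: any host contacting the two 'Velvet Ant' addresses from the report, and any switch management address reaching a globally routable destination, which the egress ACL should make impossible. The `key=value` log format and the `10.10.0.0/24` management subnet are assumptions; adapt both to your environment.

```python
import ipaddress

# Indicators from the Sygnia report (shown defanged on the page).
VELVET_ANT_IOCS = {"202.61.136.158", "103.138.13.31"}

# Assumption: switch management interfaces live in this subnet.
SWITCH_MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed firewall log lines in a simple key=value format (not a real product format).
SAMPLE_LOGS = """\
2024-08-26T10:01:02Z src=10.10.0.7 dst=10.20.0.5 dport=514 proto=udp action=allow
2024-08-26T10:01:09Z src=10.10.0.7 dst=202.61.136.158 dport=443 proto=tcp action=allow
2024-08-26T10:02:11Z src=10.50.1.20 dst=103.138.13.31 dport=8443 proto=tcp action=deny
2024-08-26T10:03:40Z src=10.10.0.9 dst=93.184.216.34 dport=80 proto=tcp action=allow
2024-08-26T10:04:00Z src=10.10.0.9 dst=10.20.0.8 dport=22 proto=tcp action=allow
"""


def parse_line(line):
    """Turn one log line into a dict: {'ts': ..., 'src': ..., 'dst': ..., 'action': ...}."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def analyze(log_text, switch_net=SWITCH_MGMT_NET, iocs=VELVET_ANT_IOCS):
    """Return findings as (ts, kind, src, dst, action) tuples.

    kind is 'ioc_contact' for any host touching known Velvet Ant infrastructure
    (denied attempts count too: they show a host trying to call home) and
    'switch_egress' for a switch reaching any globally routable address.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if str(dst) in iocs:
            findings.append((rec["ts"], "ioc_contact", str(src), str(dst), rec["action"]))
        elif src in switch_net and dst.is_global:
            findings.append((rec["ts"], "switch_egress", str(src), str(dst), rec["action"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding)
```

Note that the second sample line is both an IOC hit and a switch egress event; the IOC classification wins because it is the more specific signal. Syslog to an internal collector (the first line) is expected traffic and is not flagged, which is why the egress rule keys on `is_global` rather than on "any destination outside the management subnet".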

Ransomware Attack Exploits VPN for Credential Theft

During a Qilin ransomware investigation, the Sophos X-Ops team found that the attackers gained entry through a VPN portal that lacked multifactor authentication (MFA) and then used a domain Group Policy Object to push a credential-harvesting script that collected passwords stored in Google Chrome on endpoints across the network. Because those browser-saved credentials cover third-party sites and services, the theft creates risk well beyond the initial victim.

Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability

BlackByte Hacks via VPN and VMware Flaws

Consistent with the previous item, the BlackByte ransomware group was also observed using a VPN portal for initial access; the portal is believed to have permitted authentication without multifactor authentication (MFA) when the target account had a specific Active Directory configuration. Talos IR has also observed BlackByte departing from its usual tradecraft by exploiting the recently disclosed authentication bypass in VMware ESXi (CVE-2024-37085) and by abusing the victim's own authorized remote access mechanism.
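CVE-2024-37085 works because a domain-joined ESXi host grants full administrative rights to any domain group named "ESX Admins" (matched case-insensitively); an attacker who can create or rename a group and add themselves to it therefore gets the hypervisor. That gives a clean detection: watch the domain controllers' Security log for a group with that name being created (event 4727), renamed (4737) or gaining a member (4728). The added example below (written for this page, not Talos's or VMware's code) runs that logic over constructed events; the `TargetUserName` / `SubjectUserName` / `MemberName` field names follow the Windows Security event EventData schema but should be verified against your own collector's output.

```python
import re

# Domain-joined ESXi hosts grant full admin rights to a domain group named
# "ESX Admins"; CVE-2024-37085 abuses that by creating or renaming a group to
# that name. The hypervisor-side check is case-insensitive, so match that way.
ESX_ADMINS = re.compile(r"^\s*esx admins\s*$", re.IGNORECASE)

# Windows Security event IDs covering the ways such a group can appear.
WATCHED = {
    4727: "security-enabled global group created",
    4737: "security-enabled global group changed (covers renames)",
    4728: "member added to security-enabled global group",
}

# Constructed events; keys follow the EventData field names in the Windows
# Security log XML (assumption for the example; verify against your collector).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-08-26T09:12:01Z", "EventID": 4727, "SubjectUserName": "jdoe",
     "TargetUserName": "Helpdesk", "TargetDomainName": "CORP"},
    {"TimeCreated": "2024-08-26T09:15:44Z", "EventID": 4727, "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
    {"TimeCreated": "2024-08-26T09:15:50Z", "EventID": 4728, "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local"},
    {"TimeCreated": "2024-08-26T09:20:03Z", "EventID": 4737, "SubjectUserName": "jdoe",
     "TargetUserName": "esx admins", "TargetDomainName": "CORP"},
    {"TimeCreated": "2024-08-26T09:21:00Z", "EventID": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "Helpdesk", "TargetDomainName": "CORP",
     "MemberName": "CN=newhire,OU=Users,DC=corp,DC=local"},
]


def find_esx_admins_activity(events):
    """Return one alert dict per watched event whose target group is 'ESX Admins'."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in WATCHED or not ESX_ADMINS.match(ev.get("TargetUserName", "")):
            continue
        alerts.append({
            "time": ev["TimeCreated"],
            "event_id": eid,
            "what": WATCHED[eid],
            "actor": ev.get("SubjectUserName"),
            "group": f"{ev.get('TargetDomainName')}\\{ev['TargetUserName']}",
            "member": ev.get("MemberName"),  # only present on 4728
        })
    return alerts


if __name__ == "__main__":
    for alert in find_esx_admins_activity(SAMPLE_EVENTS):
        print(alert)
```

In the sample, `svc-backup` creating the group and immediately adding itself is the exact sequence the bypass needs, so the two alerts within seconds of each other are the signal to act on. On the hypervisor side, patching ESXi removes the default trust in the group name, and the advanced setting `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd` can be set to false to disable the automatic admin mapping where patching is delayed.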

Critical WordPress Plugin Bug Endangers Sites

A critical server-side template injection (SSTI) vulnerability (CVE-2024-6386) in WPML, a widely used WordPress translation plugin that supports over 65 languages and multi-currency features, puts over one million sites at risk of remote code execution (RCE) by an attacker with only contributor-level permissions. A researcher has also released proof-of-concept code demonstrating exploitation. Update WPML to the fixed release and review which accounts hold the contributor role, since the ability to author a post is the only precondition.

Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware
