A new SolarWinds vulnerability
A new flaw in SolarWinds Web Help Desk (CVE-2024-28986) has been exploited as a zero-day, apparently against the satellite telecommunication giants Viasat and Inmarsat. While the Java deserialization vulnerability allows attackers to run arbitrary code on a host machine, it is unclear whether they need to be first authenticated users.
A PHP flaw affecting Windows with Asian languages
Threat actors exploited a recently discovered PHP vulnerability (CVE-2024-4577) to achieve initial access to a Taiwanese university and install a backdoor in its network. Last June, exploiting this flaw was already part of multiple campaigns, including one led by the TellYouThePass ransomware group. The RCE vulnerability affects Windows installations in CGI mode and primarily ones using Chinese and Japanese locales.
Mitigate it
In Akamai Adaptive Security Engine, make sure Command Injection Attack group (including rules 969151 v1, 959977 v1, 3000155 v1, 3000171 v3) is in “deny” mode.
Lazarus attacks already installed Windows drivers
Since early June, a Windows vulnerability (CVE-2024-38193) has been exploited as a zero-day by the North Korean state actor Lazarus. The flaw leads to privilege escalation in the Windows Ancillary Function Driver (AFD.sys) for WinSock, allowing attackers to achieve SYSTEM access. Rather than using a Bring Your Own Vulnerable Driver (BYOVD) technique, Lazarus leveraged a vulnerable driver already installed on a Windows host. The same concept has been implemented by Lazarus in early 2024, as it exploited a Windows kernel privilege escalation vulnerability (CVE-2024-21338).
Mitigate it
Apply the Checkpoint IPS rule “Microsoft Windows Ancillary Function Driver for WinSock Elevation of Privilege”.
Iran interferes with US upcoming elections
Multiple vulnerabilities in the US election day’s voting machines have been discovered but experts assess that they will not be fixed before November 5. Last week, it has been revealed that the Iranian state actor APT42 has sent phishing emails targeting email accounts of a dozen American individuals affiliated with the campaigns of both Biden-Harris and Trump, with the aim of credential harvesting. In May, another Iranian group, APT33 (aka Peach Sandstorm), had compromised a user with minimal access to a county-level government in a swing state, as part of a broader password spray operation.
Mitigate it
Microsoft apps for Mac
Cisco identified eight new vulnerabilities in different popular Microsoft applications for MacOS. The eight might allow attackers to elevate privilege by injecting unsigned libraries in Microsoft applications, and consequently perform operations such as taking photos and videos without the user's knowledge. In response, Microsoft claimed that the flaws are low risk and refused to fix some of them, arguing that loading unsigned libraries should be allowed.
Ransomware against industrial orgs is growing
A new report shows a resurgence of ransomware operations against industrial organizations, after the early 2024 slowdown mostly caused by the law enforcement operations against LockBit and BlackCat. 29 active groups currently targeting the industrial sector are responsible for 303 ransomware incidents worldwide in 2024 Q2 (210 against manufacturing firms).
Surge in DDoS attacks
A new report shows that the first cause of DDoS attacks in the first half of 2024 was vulnerability exploitation, as it is behind 33% of malicious requests. Indeed, according to the report, multiple threat groups have quickly utilized the HTTP/2 Rapid Reset (CVE-2023-44487) and HTTP/2Continuation Flood flaws (CVE-2024-27316). Moreover, the surge in DDoS attacks seems partly explained by geopolitical motivations, as Ukraine and Israel are among the most targeted countries.
Microsoft makes MFA mandatory for Azure sign-ins
Within the framework of Microsoft’s Secure Future Initiative, the company announced a new policy of mandatory MFA for all Azure sign-ins. It will be implemented from October 2024 for the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. In early 2025, it will be expanded to the Azure CLI, Azure PowerShell, Azure mobile app, and IaC tools. 60-day early notices will be sent by email to all Entra global admins.
Zafran customers: Check in the control gaps module if MFA is disabled for cloud users and follow the provided mitigation steps
More than 400 CNAs
There are now more than 400 CVE Numbering Authorities, i.e. organizations authorized by MITRE to assign CVE IDs and publish CVE Records - the newest ones being Wiz, Proton AG, and WatchDog. However, it appears that an important percentage of the CNAs are not actively reporting new vulnerabilities to NVD and that, when reported, vulnerability information is often partial.
Mitigate it
Mitigate it
Mitigate it
Mitigate it
Sources
- https://www.securityweek.com/solarwinds-web-help-desk-vulnerability-possibly-exploited-as-zero-day/, https://support.solarwinds.com/SuccessCenter/s/article/WHD-12-8-3-Hotfix-1
- https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38193, https://www.gendigital.com/blog/news/innovation/protecting-windows-users
- https://www.politico.com/news/2024/08/12/hackers-vulnerabilities-voting-machines-elections-00173668, https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/iran-steps-into-us-election-2024-with-cyber-enabled-influence-operations, https://www.securityweek.com/google-confirms-an-iranian-group-is-trying-to-access-emails-linked-to-both-us-presidential-campaigns/
- https://www.securityweek.com/cisco-microsoft-disagree-on-severity-of-macos-app-vulnerabilities/
- https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q2-2024/
- https://www.radware.com/getattachment/fd01c56e-cd62-406d-8cbc-e34311a5ee5c/Radware_H1Global_ThreatAnalysis_Report_2024_RW-551.pdf.aspx
- https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/
- https://socket.dev/blog/mitre-marks-major-milestone-minting-400-cnas-as-nvd-backlog-grows