WEEKLY TOP TEN: October 14, 2024, 16:00 GMT
- Use-After-Free Vulnerability in Multiple Qualcomm Chips
Qualcomm has released security updates for a use-after-free bug that was discovered by security researchers at Google’s Project Zero and was confirmed to be actively exploited in the wild by Amnesty International Security Lab. This use-after-free bug is being tracked in CVE-2024-43047 and impacts the digital signal processor service in the FASTRPC driver on Qualcomm chipsets. Even though the patch for this vulnerability is available, it is up to the OEMs to deploy the patch. - American Water Under Attack Forced to Shut Down Systems
The utility company American Water was forced to shut down some of their system in response to a cyberattack on Thursday, October 3rd. Currently a third party is investigating the impact of the breach, but it is speculated that Russian-backed APTs could be behind this attack, due to a recent advisory put out by WaterISAC. - Ukrainian National Pled Guilty to Involvement in Raccoon Stealer
The Ukrainian national Mark Sokolovsky was arrested in the Netherlands in March 2022 for his involvement in the distribution of Raccoon Stealer, after this arrest the threat group suspended their operations but has been relaunched and updated with new features twice since then. Mark has recently pleaded guilty in U.S federal court to his involvement with the distribution of Raccoon Stealer and has agreed to pay restitutions of at least $910,844.61 and a forfeiture money judgment of $23,975. - Mamba 2FA PHaaS Platform targets Microsoft 365 Services
The phishing-as-a-service platform Mamba 2FA has been targeting Microsoft 365 services using adversary-in-the-middle (AiTM) attacks to spoof login pages to capture authentication tokens and bypass MFA protections. To accomplish this, Maba 2FA uses proxy servers sourced from IPRoyal to mask their IP address when connecting to authentication servers to make blacklisting their IPs more challenging. - 31 million Accounts Leaked in Security Breach Against the Internet Archive
On Wednesday, October 9th, an attacker added a JavaScript alert to the Internet Archive’s webpage saying they stole 31 million unique records from the user authentication database and will be giving it to Troy Hunt of Have I Been Pwned. Troy confirmed that he received the SQL database file the threat actor exfiltrated and found that it contained registered users email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.
The most recent password change timestamp in the data base was on September 29th, making it likely that this is the date the database was stolen. After the threat actor disclosed to the public they stole these records, a hacktivist group BlackMeta began a DDOS attack against the website taking it down, it is currently believed that these two attacks are not connected. - Firefox Critical Vulnerability Actively Exploited
The security researcher Damien Schaeffer of ESET discovered a use-after-free vulnerability in Firefox’s animation timelines. A threat actor can use this vulnerability to perform remote code execution in the content process. This vulnerability is being tracked un CVE-2024-9680 and has been patched in the newest version of Firefox. In the advisory Mozilla released about this CVE they stated they have had reports of this vulnerability being actively exploited in the wild. - Three Vulnerabilities Discovered for LiteSpeed Cache
The freelance security researcher TaiYou discovered an unauthenticated XXS vulnerability in one of WordPress most popular caching plug-in called LiteSpeed Cache. This vulnerability is being tracked under CVE-2024-47374 and allows an attacker to send a single http request to perform an attack from info stealing to privilege escalation. After the developers of this plug-in Patchstack were notified of this vulnerability along with 2 other vulnerabilities an XXS and a path-traversal, they released version 6.5.1 to fix these vulnerabilities. - GitLab Vulnerability Allows Unauthorized CI/CD Execution
A fourth critical vulnerability impacting Gitlab was discovered that allows for arbitrary pipeline execution. This new vulnerability is being tracked under CVE-2024-9164 and affects all versions of the enterprise edition. An attacker could use this to trigger any CI/CD pipelines on any branch of a repository unauthorized. In GitLab’s security bulletin they urge their customers to update their Gitlab version to 17.4.2, 17.3.5, or 17.2.9 as these versions have been patched. - CISA Warns F5 BIG-IP Cookies to Map Internal Networks
CISA has observed threat actors abusing the unencrypted persistent cookies that are managed by BIG-IP Local Traffic Manager (LTM) module, in efforts to enumerate non-internet facing devices on the network. CISA recommends following the F5 documentation to enable encrypted persistent cookies to mitigate enumeration using this method, and notes that F5 released a diagnostic tool called BIG-IP iHealth designed to help administrators detect misconfigurations in the product. - Veeam RCE Vulnerability Discovered and Observed Being Used by Akira and Fog Ransomware
Security researcher Florian Hauser from Code White found a RCE vulnerability in Veeam Backup & Replication servers that is being tracked as CVE-2024-40711. This vulnerability has been picked up by the ransomware Akira and Fog and being used together with previously compromised credentials. Veeam released a patch for this vulnerability on September 9th, and later watchTowr Labs released POC code on September 15th.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available: