WEEKLY TOP TEN: July 2, 2024, 15:01 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we reviewed during the week as the most significant, ranked by risk and corroborated with multiple sources where available:
- Threat Actors Abusing MSC files and Windows XSS Flaw in Phishing Attacks
When Microsoft disabled Office macros by default in July 2022, threat actors began experimenting with other file types to gain an initial foothold in a network. Elastic's research team discovered a new technique that uses a Microsoft Management Console (.msc) file to exploit an unpatched XSS flaw in apds.dll: a crafted URL embedded in the console file references the vulnerable apds.dll resource, and when the file is opened in MMC the attacker's arbitrary JavaScript executes.

- SneakyChef APT Targeting Government Ministries
Cisco Talos published details on a new APT group, SneakyChef, that has been targeting government ministries in multiple countries, including India, Angola, Kazakhstan, and Saudi Arabia. SneakyChef uses self-extracting RAR (SFX) archives as its initial infection method; because an SFX archive unpacks and runs its payload without any additional software on the target, the attackers get a higher chance of a successful infection.

- Dormant P2PInfect Botnet Becomes Active and Attacks Redis Servers
P2PInfect was first discovered in July 2023 by Palo Alto Networks' Unit 42 researchers; at the time it was dormant and its motives were unclear. Since then the botnet has grown in size by targeting Redis servers through known vulnerabilities, and it has been updated with new features. On May 16, 2024, P2PInfect received a new command that downloaded and executed a ransomware payload named rsagen.

- RCE Vulnerability in Ollama AI Infrastructure Tool
Cloud security firm Wiz disclosed a remote code execution vulnerability in Ollama, tracked as CVE-2024-37032, which it privately reported to the maintainers on May 5, 2024. The flaw lies in the "/api/pull" API endpoint, which downloads a model from the official registry or from a private repository. A threat actor can craft an HTTP request to this endpoint that leads to arbitrary file access on the server (a path traversal), and with that access overwrite the "/etc/ld.so.preload" configuration file so that a malicious shared library is loaded into subsequently started processes, giving code execution on the server. The flaw was patched on May 7, 2024, in version 0.1.34, only two days after the initial report.

- Polyfill.io Supply Chain Attack Affects Over 100K Sites
Cybersecurity company Sansec disclosed that the new owner of Polyfill.io, a Chinese company called 'Funnull', introduced malicious code into the hosted scripts, which more than 100,000 websites load. The new owner moved all previously hosted scripts to its own CDN, hosted in China, with the malicious code added. The injected code redirects visitors of sites that embed Polyfill to unwanted destinations, such as scam sites, using a fake Google Analytics domain ('www.googie-anaiytics.com').

- New MOVEit Transfer Vulnerabilities Discovered
Two new security vulnerabilities were publicly disclosed: CVE-2024-5806, which affects a wide range of Progress MOVEit Transfer versions, and CVE-2024-5805, which affects MOVEit Gateway version 2024.0.0. Successful exploitation allows an attacker to bypass SFTP authentication and impersonate any user on the MOVEit server. Progress Software stated that it has seen no evidence of these vulnerabilities being successfully exploited, but has observed attempted attacks against public-facing MOVEit servers.

- Critical Vulnerability Discovered in Fortra FileCatalyst Workflow
Security researchers at Tenable discovered a SQL injection vulnerability in Fortra FileCatalyst Workflow, tracked as CVE-2024-5276. Tenable released a proof-of-concept exploit; the script shows that the flaw lies in the 'findJob' method, which is injectable through the 'JobID' parameter. Fortra's bulletin explains that the flaw allows an attacker to create new administrative users and modify the database, but is not viable as a means of data exfiltration.

- Prompt Injection Discovered in Vanna.ai
Security researchers at JFrog disclosed a vulnerability in the Vanna.ai library, tracked as CVE-2024-5565. The library's "ask" function has the LLM generate visualization (Plotly) code from the user's question and then runs that code with Python's exec. A user can therefore embed prompt-injection instructions in the question that make the LLM ignore the safeguards put in place and emit attacker-chosen code, which the library executes, yielding remote code execution.

- Unfurling Hemlock New Malware Campaign
Researchers at Outpost24's KrakenLabs discovered a new threat actor, Unfurling Hemlock, and its new malware campaign. The campaign takes a shotgun approach to infection: it begins with the execution of a file named 'WEXTRACT.EXE', which contains nested compressed cabinet files, and each stage drops a new malware sample together with another compressed archive. The initial file reaches the target device either through a malicious email or through malware loaders.

- Critical GitLab Bug Discovered Allows Pipelines Triggered by Another User
A critical vulnerability, tracked as CVE-2024-5655, affects multiple versions of GitLab Community Edition and Enterprise Edition. Under certain circumstances that GitLab has not disclosed, it allows an attacker to trigger a pipeline as another user. The vulnerability is patched in the latest releases, and the fix comes with two breaking changes: pipelines no longer run automatically when a merge request is re-targeted after its previous target branch is merged, and CI_JOB_TOKEN authentication for GraphQL is disabled by default.
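For the MSC item above, a triage check worth running over .msc attachments: the console file is XML, so the script parses it and reports any element text or attribute value that references apds.dll, noting whether the same value also carries a res:// or javascript: URL, which is what turns a reference into a crafted payload. This is an added example and not Elastic's detection logic; the sample console files are constructed, and their element names are assumptions about the format rather than taken from a real sample.

```python
import re
import xml.etree.ElementTree as ET

SUSPECT_RE = re.compile(r"apds\.dll", re.IGNORECASE)
URL_HINT_RE = re.compile(r"res://|javascript:", re.IGNORECASE)

# Constructed sample: the only part that matters for the check is the string
# pointing MMC at the vulnerable apds.dll resource with a javascript: target.
SAMPLE_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Console Root</String>
        <String ID="2">res://apds.dll/redirect.html?target=javascript:alert(1)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed benign console file for comparison.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1">Console Root</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""


def _candidates(text):
    """Yield (location, value) pairs: every element text and attribute value
    when the file parses as XML, otherwise each raw line of the file."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        for n, line in enumerate(text.splitlines(), 1):
            yield f"line {n}", line
        return
    for el in root.iter():
        if el.text and el.text.strip():
            yield el.tag, el.text
        for key, value in el.attrib.items():
            yield f"{el.tag}@{key}", value


def scan_msc_text(text):
    """Return one finding per value that references apds.dll."""
    hits = []
    for where, value in _candidates(text):
        if SUSPECT_RE.search(value):
            hits.append({
                "where": where,
                "value": value.strip(),
                "crafted_url": bool(URL_HINT_RE.search(value)),
            })
    return hits


def scan_msc_file(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_msc_text(fh.read())
```

The XML path covers the common case; the line-by-line fallback keeps the check useful on files that have been padded or mangled to break a parser. A hit without `crafted_url` still deserves a look, since any legitimate console file has no reason to mention apds.dll at all.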
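For the Ollama item, the bug class is a blob digest taken from an attacker-controlled model manifest and joined into a filesystem path without validation. The example below is added here and modelled on that pattern, not Ollama's own code: the blob directory, the sha256-<hex> file naming, the function names and the malicious manifest are all assumptions. It shows the traversal landing on /etc/ld.so.preload and the digest validation that closes it.

```python
import posixpath
import re

# Assumed blob store layout (not taken from the Ollama source).
BLOBS_DIR = "/usr/share/ollama/.ollama/models/blobs"

# A well-formed manifest digest: "sha256:" followed by 64 hex characters.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed manifest as a malicious private registry would serve it: the
# layer digest is a traversal string instead of a hash.
MALICIOUS_MANIFEST = {
    "schemaVersion": 2,
    "layers": [
        {"mediaType": "application/vnd.ollama.image.model",
         "digest": "../../../../../../etc/ld.so.preload",
         "size": 64},
    ],
}


def blob_path_vulnerable(digest: str) -> str:
    """Trusts the manifest digest and uses it directly as the blob file name."""
    return posixpath.normpath(posixpath.join(BLOBS_DIR, digest.replace(":", "-")))


def blob_path_hardened(digest: str) -> str:
    """Validates the digest shape first, then confirms the resulting path
    still lies inside the blob store before anything is written there."""
    if not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest: {digest!r}")
    path = posixpath.normpath(posixpath.join(BLOBS_DIR, digest.replace(":", "-")))
    if posixpath.commonpath([BLOBS_DIR, path]) != BLOBS_DIR:
        raise ValueError("digest resolves outside the blob store")
    return path


def manifest_digest_is_safe(digest: str) -> bool:
    try:
        blob_path_hardened(digest)
    except ValueError:
        return False
    return True


def resolve_layers(manifest: dict, resolver) -> list:
    """Where each layer's bytes would be written, given a path resolver."""
    return [resolver(layer["digest"]) for layer in manifest["layers"]]
```

With the vulnerable resolver the constructed manifest writes its layer to /etc/ld.so.preload; a second layer carrying a shared object plus a preload entry pointing at it is all an attacker needs, since the loader consults that file for every new process. The regex check alone removes the traversal; the commonpath check is defence in depth for any future code path that builds the name differently.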
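For the Polyfill.io item, the immediate remediation is finding every page that still loads a script from polyfill.io. The scanner below is an added example (not Sansec's tooling): it parses HTML with the standard library, reports script and link references whose host is polyfill.io or a subdomain of it, and also flags inline scripts that build such a URL at runtime, which a plain `src` grep would miss. The HTML sample is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPECT_DOMAIN = "polyfill.io"

# Constructed page: two direct references, one protocol-relative, one
# dynamic loader, and an unrelated CDN that must not be reported.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/vue@3"></script>
<script>var s=document.createElement('script');s.src='https://polyfill.io/v3/polyfill.min.js';document.head.appendChild(s);</script>
<link rel="preload" href="https://polyfill.io/v3/polyfill.min.js" as="script">
</head><body></body></html>
"""


class _RefCollector(HTMLParser):
    """Collects script/link URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.refs = []            # (kind, value) pairs in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.refs.append(("script", a["src"]))
        elif tag == "link" and a.get("href"):
            self.refs.append(("link", a["href"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline JavaScript that mentions the domain is building the URL itself.
        if self._in_script and SUSPECT_DOMAIN in data.lower():
            self.refs.append(("inline-script", data.strip()))


def _host(url: str) -> str:
    if url.startswith("//"):          # protocol-relative URL
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def _is_suspect_host(host: str) -> bool:
    return host == SUSPECT_DOMAIN or host.endswith("." + SUSPECT_DOMAIN)


def find_polyfill_refs(html: str) -> list:
    """Return (kind, value) for every reference that points at polyfill.io."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return [(kind, value) for kind, value in collector.refs
            if kind == "inline-script" or _is_suspect_host(_host(value))]
```

Run it over rendered HTML rather than templates where possible, since the reference may be injected by a plugin or tag manager; the inline-script hit is a prompt to read the code, not proof that the URL is actually requested.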
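For the Fortra FileCatalyst Workflow item, the flaw is a job identifier spliced into a SQL statement. The example below is added here and is neither Fortra's code nor Tenable's proof of concept: it uses a constructed in-memory SQLite table and a generic job lookup to put the vulnerable string concatenation beside the parameterized form, with the classic tautology payload run through both.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's job table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE jobs (job_id TEXT PRIMARY KEY, owner TEXT, status TEXT);
        INSERT INTO jobs VALUES ('job-1001', 'alice', 'complete');
        INSERT INTO jobs VALUES ('job-1002', 'bob',   'running');
        INSERT INTO jobs VALUES ('job-1003', 'carol', 'queued');
    """)
    return con


def find_job_vulnerable(con: sqlite3.Connection, job_id: str) -> list:
    # The request parameter is spliced into the statement, so a quote in
    # job_id closes the literal and the remainder is interpreted as SQL.
    sql = f"SELECT job_id, owner, status FROM jobs WHERE job_id = '{job_id}'"
    return con.execute(sql).fetchall()


def find_job_hardened(con: sqlite3.Connection, job_id: str) -> list:
    # Bound parameter: the driver sends job_id as data, never as SQL text.
    sql = "SELECT job_id, owner, status FROM jobs WHERE job_id = ?"
    return con.execute(sql, (job_id,)).fetchall()


# Tautology payload: turns "WHERE job_id = '...'" into a condition that is
# true for every row.
INJECTION = "x' OR '1'='1"
```

SQLite's `execute` refuses stacked statements, which is why this example stops at reading every row; on a driver that accepts them, the same injection point is what lets an attacker append an INSERT that creates an administrative user, as Fortra's bulletin describes.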
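For the Vanna.ai item, the sink is that code generated by the model is handed to exec. The example below is an added illustration, not the library's code: `fake_llm` is a constructed stand-in for the model call, `DF` is constructed data in place of a DataFrame, and `code_is_allowed` is an AST allow-list that refuses imports outside plotly/pandas, dunder access and dangerous built-ins before anything is executed. The same `ask` shows both behaviours, gated and ungated.

```python
import ast

# Constructed sample data standing in for the DataFrame the real library
# would expose to generated code (assumption: a dict of columns).
DF = {"name": ["alice", "bob"], "total": [120, 75]}

BENIGN_CODE = "fig = {'type': 'bar', 'x': list(df['name']), 'y': list(df['total'])}"
MALICIOUS_CODE = "import os\nos.system('id > /tmp/pwned')"


def fake_llm(question: str) -> str:
    """Stand-in for the model: a question that tells it to ignore its
    instructions is 'answered' with attacker-chosen code."""
    if "ignore" in question.lower():
        return MALICIOUS_CODE
    return BENIGN_CODE


ALLOWED_IMPORT_ROOTS = {"plotly", "pandas"}
FORBIDDEN_NAMES = {"exec", "eval", "compile", "__import__", "open", "getattr",
                   "setattr", "delattr", "globals", "locals", "vars",
                   "breakpoint", "input"}


def code_is_allowed(code: str) -> bool:
    """Static allow-list over the generated code's syntax tree."""
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] not in ALLOWED_IMPORT_ROOTS for a in node.names):
                return False
        elif isinstance(node, ast.ImportFrom):
            if node.module is None or node.module.split(".")[0] not in ALLOWED_IMPORT_ROOTS:
                return False
        elif isinstance(node, ast.Name):
            if node.id in FORBIDDEN_NAMES or node.id.startswith("__"):
                return False
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False
    return True


def ask(question: str, df, llm=fake_llm, gate: bool = True) -> dict:
    """gate=False reproduces the vulnerable flow: model output goes straight to exec."""
    code = llm(question)
    if gate and not code_is_allowed(code):
        return {"blocked": True, "code": code, "fig": None}
    namespace = {"df": df}
    exec(code, namespace)  # the sink: LLM output runs as Python
    return {"blocked": False, "code": code, "fig": namespace.get("fig")}
```

The gate is a mitigation, not a sandbox: allowed modules still expose plenty of surface, so the gated path should additionally run in an isolated environment, and the function should not be reachable by untrusted users at all. Never call `ask(..., gate=False)` with an injected question outside a throwaway VM; the constructed malicious code really does run a shell command.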