WEEKLY TOP TEN: August 12, 2024, 16:00 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and using multiple sources when available:

- Progress WhatsUp Critical RCE Vulnerability Actively Exploited

The threat monitoring organization Shadowserver Foundation reported that since August 1st, six distinct IP addresses have been attempting to exploit a recently patched RCE vulnerability, tracked as CVE-2024-4885, that affects Progress WhatsUp Gold 23.1.2 and older. Publicly available proof-of-concept (PoC) exploit code targets the WhatsUp Gold ‘/NmAPI/RecurringReport’ endpoint. The vulnerability allows unauthenticated users to execute commands with the privileges of the ‘iisapppool\\nmconsole’ user, which is not an administrative account but still has elevated privileges.

- Cisco Critical Vulnerability Has Public Exploit Code

Cisco released a public announcement that it is aware of exploit code for the critical vulnerability CVE-2024-20419, which impacts the authentication system of Cisco’s SSM On-Prem. An unauthenticated threat actor exploiting this vulnerability could remotely change any user’s password. Since version 8-202212 was released in July, no one has observed this vulnerability being exploited in the wild.

- North Korea-linked Threat Actor Targets Universities

The cybersecurity firm Resilience identified in late July 2024 that the threat actor group named Kimsuky, which is linked to North Korea, was targeting various universities. The group targets these institutions through spear-phishing campaigns with the objective of delivering custom tools for reconnaissance, data exfiltration, and persistence.

The researchers at Zimperium believe these apps would sign your phone number up for services, made possible by the OTP code access. Google says users are automatically protected against this malware via Google Play Protect.

- StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms

Volexity researchers found evidence of an attack by the APT group StormBamboo, which has connections to China. They detected multiple systems infected with a backdoor that deployed a malicious browser extension. StormBamboo accomplished this via a DNS poisoning attack, carried out after compromising an internet service provider, to abuse software vendors’ update mechanisms. StormBamboo targeted insecure software that fetched updates over HTTP and did not properly validate the signatures of installers.

- Critical 1PASSWORD Flaws May Allow Hackers to Snatch Your Passwords (CVE-2024-42219, CVE-2024-42218)

Old versions of 1Password allow malware to steal passwords stored in the extension. During a security assessment of 1Password for Mac, researchers from the Robinhood Red Team discovered both vulnerabilities. Both depend on the end user having an outdated version of 1Password installed. These vulnerabilities only affect macOS, and a fix has been released as of version 8.10.38.

- Windows Downdate: Downgrade Attacks Using Windows Updates

Security researcher Alon Leviev has developed a novel Windows zero-day attack called Windows Downdate. The tool leverages a few Windows vulnerabilities to downgrade a Windows installation to an insecure state. A flaw in the Windows Update process allows a threat actor to take full control of that process. Significantly, when attacked with this technique, Windows still reports that its current version is up to date, making the attack invisible. Leviev also found additional attack vectors in the downgrade process, giving him access to Windows DLLs, drivers, and the NT kernel. Microsoft is aware of these issues but is still developing an update to mitigate the vulnerabilities.

- Microsoft Discloses Office Zero-Day, Still Working on a Patch

Another Microsoft zero-day has been disclosed at DEFCON 32; it affects multiple Microsoft Office products. The vulnerability (CVE-2024-38200) allows an unauthorized user to access protected information such as system status or configuration data. Microsoft explained in an advisory that for an attacker to gain access, they would need an end user to click on a link, then download and run a malicious file. More information will be shared at DEFCON later this week. Microsoft is still working on a patch.

- Exploring Anti-Phishing Measures in Microsoft 365

Microsoft’s third vulnerability this week involves bypassing phishing protection in Office 365. William Moody from Certitude discovered a flaw in Outlook that allows phishers to bypass Microsoft’s alerts and protections when an email arrives from a new sender. When receiving an email from a new sender, Office 365 places a warning banner stating, “You don’t often get email from [sender]”. Moody discovered that this banner is prepended to the body of the email, which enables crafted CSS in the message to hide the warning. When the issue was reported to Microsoft, they decided it did not warrant immediate servicing.

- Ransomware Gang Targets IT Workers With New SharpRhino Malware

Hunters International, one of the top 10 ransomware gangs worldwide, has been observed targeting IT technicians with a RAT named SharpRhino. The RAT is delivered by typosquatting open-source IT tools such as IP scanners. When downloaded, the malicious executable masquerades as the IP scanner, allowing infection of IT personnel, who usually have elevated privileges.

- New AMD SinkClose Flaw Helps Install Nearly Undetectable Malware

AMD has discovered a new vulnerability (CVE-2023-31315) in its CPUs, impacting the EPYC, Ryzen, and Threadripper lines. The vulnerability allows attackers to gain Ring -2 privileges, enabling nearly undetectable malware installation. The Ring -2 privilege level allows modification of System Management Mode (SMM) settings, which are isolated from the operating system. The flaw has been dubbed SinkClose and could have been exploitable for at least 20 years. The only way to detect malware installed via SinkClose is to physically connect the CPU to a memory scanner. AMD has released patches for the EPYC and Ryzen lines of CPUs, with additional fixes coming soon.
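As an added illustration of the root cause in the StormBamboo item above (the two checks the targeted software lacked), and not code from this digest or from Volexity: a minimal Go update check that refuses plain-HTTP update URLs and verifies a pinned Ed25519 vendor signature over the installer bytes. The manifest layout, vendor key, URL and installer bytes are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a constructed stand-in for what a vendor's update feed might carry.
type Manifest struct {
	URL       string
	Installer []byte // bytes that would be fetched from URL; embedded so this runs offline
	Signature []byte // vendor's Ed25519 signature over Installer
}

var ErrInsecureTransport = errors.New("update URL must use https")
var ErrBadSignature = errors.New("installer signature does not verify")

// VerifyUpdate refuses plain-HTTP update URLs (where a poisoned resolver can steer the
// client to an attacker-controlled host) and verifies the vendor signature over the
// installer with a key pinned in the client, so a swapped payload is rejected even if
// the transport was subverted.
func VerifyUpdate(m Manifest, vendorKey ed25519.PublicKey) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureTransport
	}
	if !ed25519.Verify(vendorKey, m.Installer, m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// demo generates a constructed vendor key pair and exercises three cases: a genuine
// update, an installer swapped by a poisoned mirror, and a manifest pointing at HTTP.
func demo() (genuine, tampered, plainHTTP error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("constructed installer payload v2.0")
	good := Manifest{URL: "https://updates.example.com/app.exe", Installer: installer, Signature: ed25519.Sign(priv, installer)}
	bad := good
	bad.Installer = []byte("constructed backdoored payload") // signature no longer matches
	httpOnly := good
	httpOnly.URL = "http://updates.example.com/app.exe"
	return VerifyUpdate(good, pub), VerifyUpdate(bad, pub), VerifyUpdate(httpOnly, pub)
}

func main() {
	g, t, h := demo()
	fmt.Println("genuine:", g, "| tampered:", t, "| plain http:", h)
}
```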