Weekly Security News – 18th March 2024

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

SolarWinds Releases Critical Security Updates for Access Rights Manager

SolarWinds has released security updates addressing five remote code execution (RCE) vulnerabilities in Access Rights Manager (ARM). Two path traversal vulnerabilities, CVE-2024-23476 and CVE-2024-23479, are rated critical with a CVSSv3 score of 9.6; an unauthenticated attacker could exploit either to achieve RCE. The updates also address a third critical vulnerability, CVE-2023-40057, a deserialization of untrusted data flaw with a CVSSv3 score of 9.0. An authenticated attacker could exploit this vulnerability to achieve RCE.

VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk

VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw. Tracked as CVE-2024-22245 (CVSS score: 9.6), the vulnerability has been described as an arbitrary authentication relay bug. “A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs),” the company said in an advisory.

Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft

Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent. The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3. “A shortcut may be able to use sensitive data with certain actions without prompting the user,” the iPhone maker said in an advisory, stating it was fixed with “additional permissions checks.”

Multiple Vulnerabilities in PaperCut MF/NG Servers

PaperCut has released a security update to address multiple vulnerabilities in PaperCut MF/NG Application Servers and Site Servers, including three rated high severity (CVE-2024-1222, CVE-2024-1654 and CVE-2024-1882). PaperCut MF/NG is a comprehensive print management system. Another four vulnerabilities, rated medium severity or below, are addressed by the same advisory: a Server Side Request Forgery (SSRF) vulnerability, a reflected cross-site scripting vulnerability, incorrect authorisation controls, and improper access controls.

Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software

Fortinet has warned of a critical security flaw impacting its FortiClientEMS software that could allow attackers to achieve code execution on affected systems. The vulnerability, an SQL injection tracked as CVE-2023-48788, carries a CVSS rating of 9.3 out of a maximum of 10. It impacts the following versions:
FortiClientEMS 7.2.0 through 7.2.2 (upgrade to 7.2.3 or above)
FortiClientEMS 7.0.1 through 7.0.10 (upgrade to 7.0.11 or above)

Microsoft Releases March 2024 Security Updates

Microsoft has released security updates to address 61 vulnerabilities, including two that are critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution. Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of the release, but six of them have been tagged with an “Exploitation More Likely” assessment.

Meta Patches Facebook Account Takeover Vulnerability

Meta recently patched a critical vulnerability that could have been exploited to take control of any Facebook account, according to a cybersecurity researcher. Details of the flaw were disclosed this week by Nepal-based researcher Samip Aryal, who is currently listed at the top of Facebook’s bug bounty program hall of fame for 2024. According to Aryal, the vulnerability impacted Facebook’s password reset process, specifically an option where a six-digit unique authorization code is sent to a different device the user is logged into. This code is provided to confirm the user’s identity and is used to complete the password reset process.

Cisco Patches High-Severity Vulnerabilities in Data Center OS

Technology giant Cisco has released its semi-annual FXOS and NX-OS security advisory bundle with information on four vulnerabilities, including two high-severity flaws in NX-OS software. The first of the high-severity bugs, CVE-2024-20321, exists because External Border Gateway Protocol (eBGP) traffic “is mapped to a shared hardware rate-limiter queue”, allowing an unauthenticated, remote attacker to send large amounts of traffic and cause a denial-of-service (DoS) condition. Last Wednesday, Cisco also announced patches for two medium-severity flaws impacting its FXOS and NX-OS software. 

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28’s MooBot Threat

In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember. The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia’s Main Directorate of the General Staff (GRU), is known to be active since at least 2007. APT28 actors have “used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools,” the authorities said.

Cisco Patches High-Severity Vulnerabilities in VPN Product

Cisco has released patches to address a high-severity security flaw impacting its Secure Client software that could be exploited by a threat actor to open a VPN session with the privileges of a targeted user. The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. The flaw arises from insufficient validation of user-supplied input; a threat actor could leverage it by tricking a user into clicking a specially crafted link while establishing a VPN session.

VMware Releases Critical Security Updates for Multiple Products

VMware has released multiple security updates to address multiple vulnerabilities in VMware ESXi, VMware Workstation Pro/Player, VMware Fusion Pro/Fusion, and VMware Cloud Foundation. All platforms are affected by the vulnerabilities CVE-2024-22252, CVE-2024-22253 and CVE-2024-22255. VMware ESXi and the ESXi component of VMware Cloud Foundation are also vulnerable to CVE-2024-22254, an out-of-bounds write vulnerability with a CVSSv3 score of 7.9. A local attacker could exploit this vulnerability to escape the sandbox onto the host machine. Affected organisations are encouraged to review VMware Security Advisory VMSA-2024-0006 and apply any relevant updates.

Apple fixes two new iOS zero-days exploited in attacks on iPhones

Apple released emergency security updates to fix two iOS zero-day vulnerabilities that were exploited in attacks on iPhones. “Apple is aware of a report that this issue may have been exploited,” the company said in an advisory issued on Tuesday. The two bugs were found in the iOS Kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), both allowing attackers who already have arbitrary kernel read and write capabilities to bypass kernel memory protections. The company says it addressed the security flaws for devices running iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6 with improved input validation.

Cyber Attacks

Hackers abuse Google Cloud Run in massive banking trojan campaign

Security researchers are warning of hackers abusing the Google Cloud Run service to distribute massive volumes of banking trojans such as Astaroth, Mekotio, and Ousaban. Google Cloud Run lets users deploy frontend and backend services, websites or applications and run workloads without managing or scaling the underlying infrastructure. Cisco Talos researchers observed a massive uptick in the misuse of Google’s service for malware distribution starting September 2023, when Brazilian actors launched campaigns using MSI installer files to deploy malware payloads.

Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks

Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation. The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 with an aim to harvest Microsoft login credentials using fake landing pages.

Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks

The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts. The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft as part of the February 2024 Patch Tuesday updates. “To exploit this vulnerability, an attacker would first have to log on to the system,” Microsoft said. “An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

Threat hunters have discovered a new Linux malware called GTPDOOR that’s designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX). The malware is novel in the fact that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications. GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network (PLMN).

Hacked WordPress Sites Abusing Visitors’ Browsers for Distributed Brute-Force Attacks

Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal. The attacks, which take the form of distributed brute-force attacks, “target WordPress websites from the browsers of completely innocent and unsuspecting site visitors,” security researcher Denis Sinegubko said. The activity is part of a previously documented attack wave in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware.

Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023. “The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said. The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are using typo-squatting tricks to lure prospective victims into downloading the malware.

DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack

A DarkGate malware campaign observed in mid-January 2024 leveraged a recently patched security flaw in Microsoft Windows as a zero-day using bogus software installers. “During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers,” Trend Micro said.
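Two items above describe the same class of weakness from different angles: Cisco Secure Client accepted user-supplied input into a redirect without rejecting CR/LF characters (CRLF injection), and the DarkGate campaign abused a redirect endpoint that forwarded visitors to any destination it was given (an open redirect). The following added example, which is not code from Cisco, Google, Trend Micro or any vendor named in this digest, shows a redirect builder with both defects beside a hardened version. The host name vpn.example.com, the allow-list and the injected Set-Cookie payload are constructed for the demonstration.

```python
"""Redirect construction: an injectable, open version beside a hardened one.

Added illustrative example; not code from any product mentioned in the digest.
"""
from urllib.parse import urlparse

CRLF = "\r\n"
ALLOWED_HOSTS = frozenset({"vpn.example.com"})  # constructed allow-list for the demo


def build_redirect_vulnerable(target: str) -> bytes:
    """Place the user-supplied target straight into the Location header.

    Two defects at once: any destination is accepted (open redirect), and a
    CR/LF inside the value ends the header so the attacker can append headers
    of their own (CRLF injection).
    """
    return f"HTTP/1.1 302 Found{CRLF}Location: {target}{CRLF}{CRLF}".encode("latin-1")


def build_redirect_hardened(target: str, allowed_hosts: frozenset[str] = ALLOWED_HOSTS) -> bytes:
    """Reject control characters on the raw string, then allow-list the host."""
    # Check the raw string first: urlparse() silently strips CR, LF and TAB
    # (WHATWG behaviour adopted by CPython), so parsing alone would hide them.
    if any(ch in target for ch in "\r\n\t\0"):
        raise ValueError("control character in redirect target")
    parsed = urlparse(target)
    if parsed.scheme != "https":
        raise ValueError("only https redirect targets are permitted")
    # parsed.hostname discards userinfo, so "https://vpn.example.com@evil.example/"
    # resolves to evil.example and is refused.
    if parsed.hostname is None or parsed.hostname not in allowed_hosts:
        raise ValueError(f"host {parsed.hostname!r} is not allow-listed")
    return f"HTTP/1.1 302 Found{CRLF}Location: {target}{CRLF}{CRLF}".encode("latin-1")


def hardened_accepts(target: str) -> bool:
    """True if the hardened builder would emit a redirect for this target."""
    try:
        build_redirect_hardened(target)
        return True
    except ValueError:
        return False


def parse_response_headers(raw: bytes) -> dict[str, str]:
    """Minimal header parser, to show what a client would actually receive."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split(CRLF)
    headers: dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Constructed attacker input: a plausible target followed by an injected cookie header.
INJECTED_TARGET = "https://vpn.example.com/login" + CRLF + "Set-Cookie: session=attacker-chosen"


def demo_vulnerable() -> dict[str, str]:
    """Headers a client sees when the vulnerable builder handles the payload."""
    return parse_response_headers(build_redirect_vulnerable(INJECTED_TARGET))


if __name__ == "__main__":
    seen = demo_vulnerable()
    print("vulnerable builder leaked header:", seen.get("set-cookie"))
    for candidate in (
        INJECTED_TARGET,                             # CRLF injection
        "https://evil.example/",                     # open redirect to a foreign host
        "https://vpn.example.com@evil.example/",     # userinfo trick
        "//evil.example/",                           # protocol-relative, no scheme
        "https://vpn.example.com/login",             # legitimate
    ):
        print(f"{hardened_accepts(candidate)!s:5}  {candidate!r}")
```

The order of the two checks matters: because urlparse() drops CR, LF and TAB before parsing, a host allow-list applied after parsing would pass the injected target through with its extra header intact. Validate the raw string, then parse, then compare the parsed host against the allow-list rather than doing a substring match on the URL.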

Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub

A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader. “The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said.
FTC Accuses Avast of Selling Customer Browsing Data to Advertisers

A complaint from the Federal Trade Commission (FTC) accused the European security company Avast of unfairly collecting consumer web browsing data through its browser extension and anti-virus software and selling it “without adequate notice and without consumer consent.” The agency also plans to impose a $16.5 million fine on Avast and an order to stop selling or licensing any web browsing data for advertising purposes. The complaint alleges that Avast sold that data to more than 100 third parties through its Jumpshot subsidiary.

Discount Retail Giant Pepco Loses €15 Million to Cybercriminals

European discount retailer Pepco Group this week revealed that its Hungarian business has lost a significant amount of money to cybercriminals. The UK-based company reported losing €15.5 million (roughly $16.8 million) in cash as a result of a “sophisticated fraudulent phishing attack”. An investigation has been launched and Pepco is working with banks and the police to recover the money, but the company says it’s currently unclear whether the funds can be recovered. “At this stage, the incident does not appear to have involved any customer, supplier or colleague information or data,” the Pepco Group said.

FBI: Cybercrime Losses Exceeded $12.5 Billion in 2023

The FBI’s Internet Crime Complaint Center (IC3) has published its annual report for 2023, which reveals that the number of cybercrime complaints received by the agency increased by nearly 10% compared to the previous year. Cybercrime victims in the United States filed more than 880,000 complaints with the FBI in 2023, with reported losses totalling over $12.5 billion, a 22% increase from 2022. Over the past five years, the law enforcement agency has received nearly 3.8 million complaints covering losses totalling $37.4 billion.

43 Million Possibly Impacted by French Government Agency Data Breach 

A recent data breach at France’s government unemployment agency could impact as many as 43 million people, authorities announced this week. The affected agency, France Travail, formerly known as Pole Emploi, was targeted in a cyberattack that resulted in the theft of personal information between February 6 and March 5, 2024, according to the country’s Cybermalveillance cybercrime prevention initiative.