Weekly Security News – 27th May 2024

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Veeam Releases Security Advisory

Veeam has released a security advisory addressing four vulnerabilities affecting Veeam Backup Enterprise Manager. The critical vulnerability CVE-2024-29849 has a CVSSv3.1 score of 9.8 and could allow an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user. Three further vulnerabilities, two high and one low, were also addressed. Affected organisations are encouraged to review the Veeam Advisory kb4581 and apply the relevant updates. Vulnerability testing was only performed against actively supported versions of Veeam Backup & Replication.

Broadcom Releases Security Updates for VMware ESXi, Workstation, Fusion, and vCenter Server

Broadcom has released an advisory that addresses three security vulnerabilities in VMware ESXi, VMware vCenter Server, VMware Cloud Foundation, VMware Workstation, and VMware Fusion. VMware ESXi is an enterprise-class hypervisor, VMware vCenter Server is a centralised virtual machine manager, and Cloud Foundation is a platform for the provision of cloud environments. Workstation is a line of desktop hypervisor products that let users run virtual machines, containers, and Kubernetes clusters, and VMware Fusion is the hypervisor developed for macOS systems. Affected organisations are encouraged to review Broadcom’s VMware advisory VMSA-2024-0011 and apply the relevant updates.

Chrome 125 Update Patches High-Severity Vulnerabilities

Google on Tuesday announced a Chrome 125 update that resolves six vulnerabilities, including four high-severity bugs reported by external researchers. The first issue, tracked as CVE-2024-5157, is a use-after-free flaw in Scheduling that was reported by Looben Yang a month ago. The researcher received an $11,000 bug bounty reward for the discovery. Google has been battling use-after-free issues in Chrome for several years, as these types of bugs can lead to sandbox escape if an attacker can target a vulnerability in the underlying operating system or in a privileged Chrome process. On Tuesday, Google also patched CVE-2024-5158, a type confusion bug in the V8 JavaScript engine, announcing that it has paid out a $10,000 bug bounty reward to Zhenghang Xiao, who reported the security defect in early May.

Cyber Attacks

Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern

Ransomware attacks targeting VMware ESXi infrastructure follow an established pattern regardless of the file-encrypting malware deployed, new findings show. “Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse,” cybersecurity firm Sygnia said in a report shared with The Hacker News. The Israeli company, through its incident response efforts involving various ransomware families like LockBit, HelloKitty, BlackMatter, RedAlert (N13V), Scattered Spider, Akira, Cactus, BlackCat and Cheerscrypt, found that attacks on virtualization environments adhere to a similar sequence of actions.

55,000 Impacted by Cyberattack on California School Association

The Association of California School Administrators (ACSA) is informing nearly 55,000 individuals that their information may have been compromised because of a cyberattack. ACSA describes itself as the largest umbrella association for school leaders in the United States, serving more than 17,000 California educators, including superintendents, principals, vice-principals, and classified managers. The incident occurred last year. ACSA discovered on September 24, 2023, that some files in its environment had been encrypted, which indicates that the organization was targeted in a ransomware attack. An investigation revealed that a threat actor had gained access to ACSA systems between September 23 and 24, and they accessed and possibly exfiltrated certain types of information.

Articles

The End of an Era: Microsoft Phases Out VBScript for JavaScript and PowerShell

Microsoft on Wednesday outlined its plans to deprecate Visual Basic Script (VBScript) in the second half of 2024 in favor of more advanced alternatives such as JavaScript and PowerShell. “Technology has advanced over the years, giving rise to more powerful and versatile scripting languages such as JavaScript and PowerShell,” Microsoft Program Manager Naveen Shankar said. “These languages offer broader capabilities and are better suited for modern web development and automation tasks.” The announced deprecation plan consists of three phases, with the first phase kicking off in the second half of 2024, at which point VBScript will be available as an on-demand feature in Windows 11 24H2.

Zero-Day Attacks and Supply Chain Compromises Surge, MFA Remains Underutilized: Rapid7 Report

Two key takeaways from 2023 are the continuing rise in zero-day exploits, and the growth in mass compromise events – often combined. “For the second time in three years, we saw an increase in mass compromise events,” said Condon. MOVEit (exploited in late May, known in early June 2023), Barracuda ESG (probably first exploited in 2022, but exploding in 2023), and Citrix Bleed (exploited from August 2023) immediately come to mind. This is already known – supply chain attacks have been increasing for many years.