Weekly Security News – 17th June 2024

Patches galore for Microsoft, Veeam, Chrome, Firefox and many others... welcome to this week's Security News!

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Microsoft Releases June 2024 Security Updates

Microsoft Patch Tuesday’s June 2024 edition addressed 58 vulnerabilities, including one rated critical and 50 rated important. In this month’s security updates, Microsoft has addressed one zero-day vulnerability known to be exploited in the wild. Microsoft also addressed seven vulnerabilities in Microsoft Edge (Chromium-based); those were patched earlier this month. The June edition of Microsoft Patch Tuesday includes updates for vulnerabilities in Microsoft Office and Components, Visual Studio, Windows Server Service, Windows Kernel, Windows DHCP Server, Azure Storage Library, Azure File Sync, and more. The flaws fixed across these products include Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, and Remote Code Execution (RCE) issues.

Exploit for critical Veeam auth bypass available, patch now

A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates. Veeam Backup Enterprise Manager (VBEM) is a web-based platform for managing Veeam Backup & Replication installations via a web console. It helps control backup jobs and perform restoration operations across an organization’s backup infrastructure and large-scale deployments. Veeam issued a security bulletin about the flaw on May 21, warning of a critical vulnerability that enables remote unauthenticated attackers to log in to VBEM’s web interface as any user. The vendor urged its customers to address the problem by upgrading to the fixed VBEM version, while also sharing mitigation tips for those unable to apply the update immediately.

Chrome 126, Firefox 127 Patch High-Severity Vulnerabilities

Google and Mozilla on Tuesday announced the release of Chrome 126 and Firefox 127 to the stable channel with patches for multiple high-severity memory safety vulnerabilities. Chrome 126 includes 21 security fixes, 18 of them for defects reported by external researchers. The reporting researchers, Google notes in its advisory, received over $160,000 in bug bounty rewards for their findings. The browser update also resolves eight other medium-severity bugs reported by external researchers: five use-after-free issues, a policy bypass, an inappropriate implementation, and a heap buffer overflow.

Firefox 127 was released on Tuesday with patches for 15 vulnerabilities, including four high-severity issues, three of which are memory safety bugs. Tracked as CVE-2024-5687, the first high-severity flaw resulted in an incorrect principal being used when opening new tabs if a specific sequence of actions was performed. The issue is specific to Firefox for Android. Firefox 127 also addresses a high-severity use-after-free bug in JavaScript object transplant (CVE-2024-5688) and memory safety bugs (CVE-2024-5700 and CVE-2024-5701) that could potentially be exploited to execute arbitrary code.

Cyber Attacks

Ransomware Group May Have Exploited Windows Vulnerability as Zero-Day

A known ransomware group may have exploited a recently patched Windows privilege escalation vulnerability before Microsoft released a fix, Symantec reported on Wednesday. The flaw in question, tracked as CVE-2024-26169 and classified as ‘important’, has been described as a Windows Error Reporting Service privilege escalation vulnerability that can allow an attacker to obtain SYSTEM privileges. Microsoft’s advisory for CVE-2024-26169, which the tech giant released on March 12 when it patched the vulnerability, indicates that the company is not aware of malicious exploitation. In addition, the security bug has an exploitability assessment of ‘less likely’. However, Broadcom’s Symantec says it has found evidence suggesting that the Black Basta ransomware group (aka Cardinal, Storm-1811 and UNC4393) may have exploited this vulnerability as a zero-day.

China-Backed Hackers Exploit Fortinet Flaw, Infecting 20,000 Systems Globally

State-sponsored threat actors backed by China gained access to 20,000 Fortinet FortiGate systems worldwide by exploiting a known critical security flaw between 2022 and 2023, indicating that the operation had a broader impact than previously known. “The state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet disclosed the vulnerability,” the Dutch National Cyber Security Centre (NCSC) said in a new bulletin. “During this so-called zero-day period, the actor alone infected 14,000 devices.” The campaign targeted dozens of Western governments, international organizations, and a large number of companies within the defense industry. The names of the entities were not disclosed.

In Other News...

Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

Google has warned that a security flaw impacting Pixel Firmware has been exploited in the wild as a zero-day. The high-severity vulnerability, tagged as CVE-2024-32896, has been described as an elevation of privilege issue in Pixel Firmware. The company did not share any additional details about the nature of the attacks exploiting it, but noted that “there are indications that CVE-2024-32896 may be under limited, targeted exploitation.” The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets. Notable issues patched include a denial-of-service (DoS) issue impacting the Modem component and numerous information disclosure flaws affecting GsmSs, ACPM, and Trusty. The updates are available for supported Pixel devices, such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold.

New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers

Cybersecurity researchers have disclosed details of an ongoing phishing campaign that leverages recruiting- and job-themed lures to deliver a Windows-based backdoor named WARMCOOKIE. “WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads,” Elastic Security Labs researcher Daniel Stepanic said in a new analysis. “Each sample is compiled with a hard-coded [command-and-control] IP address and RC4 key.” The backdoor comes with capabilities to fingerprint infected machines, capture screenshots, and drop more malicious programs. The company is tracking the activity under the name REF6127.