Weekly Security News – 24th June 2024

UEFI vulnerabilities affecting Intel CPUs and phishing targeting financial firms... welcome to this week's Security News!

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi

VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution. The vendor released fixes for three vulnerabilities, namely CVE-2024-37079, CVE-2024-37080, CVE-2024-37081, summarized as follows:

  • CVE-2024-37079 & CVE-2024-37080 (CVSS scores: 9.8) – Multiple heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol that could allow a bad actor with network access to vCenter Server to achieve remote code execution by sending a specially crafted network packet.
  • CVE-2024-37081 (CVSS score: 7.8) – Multiple local privilege escalation vulnerabilities in VMware vCenter arising due to the misconfiguration of sudo that an authenticated local user with non-administrative privileges could exploit to obtain root permissions.

Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs

Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the “UEFIcanhazbufferoverflow” vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code. “The vulnerability allows a local attacker to escalate privileges and gain code execution within the UEFI firmware during runtime,” supply chain security firm Eclypsium said in a report shared with The Hacker News.

Cyber Attacks

AMD Investigating Breach Claims After Hacker Offers to Sell Data

Chip giant AMD has launched an investigation after a notorious hacker announced the sale of sensitive data allegedly belonging to the company. The hacker known as IntelBroker announced earlier this week on the BreachForums cybercrime forum, which in past years has been shut down and resurrected several times, that he was “selling the AMD.com data breach”. The data offered for sale allegedly includes information on future AMD products, customer and employee databases, datasheets, source code, property files, firmware, and financial documents. The employee database allegedly includes information such as name, job role, phone number, and email address.

ONNX phishing service targets Microsoft 365 accounts at financial firms

A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts of employees at financial firms using QR codes in PDF attachments. The platform can target both Microsoft 365 and Office 365 email accounts, operates via Telegram bots, and features two-factor authentication (2FA) bypass mechanisms. Researchers at EclecticIQ who discovered the activity believe that ONNX is a rebranded version of the Caffeine phishing kit managed by the Arabic-speaking threat actor MRxC0DER. Mandiant discovered Caffeine in October 2022, when the platform targeted Russian and Chinese platforms instead of Western services.

In Other News...

Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw

Crypto exchange Kraken revealed that an unnamed security researcher exploited an “extremely critical” zero-day flaw in its platform to steal $3 million in digital assets and refused to return them. Details of the incident were shared by Kraken’s Chief Security Officer, Nick Percoco, on X (formerly Twitter), who stated that the company received a Bug Bounty program alert from the researcher about a bug that “allowed them to artificially inflate their balance on our platform” without sharing any other details. Within minutes of receiving the alert, the company said it identified a security issue that essentially permitted an attacker to “initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”

Highly Evasive SquidLoader Malware Targets China

A recently discovered malware loader dubbed SquidLoader is linked to an unknown threat actor that has been targeting Chinese-speaking victims for two years, LevelBlue Labs (formerly AT&T Alien Labs) reports. SquidLoader was first observed at the end of April, but LevelBlue Labs believes that it had been active for at least a month before. The threat actor using it, however, has been focusing on entities in China for much longer. The recently observed attacks start with phishing emails delivering malware loaders masquerading as documents intended for Chinese organizations. When executed, the loaders fetch and execute shellcode payloads in the loader process’s memory. “Due to all the decoy and evasion techniques observed in this loader, and the absence of previous similar samples, LevelBlue Labs has named this malware ‘SquidLoader’,” LevelBlue explains.