The Cybersecurity Digest Podcast Week in Review: 26-30 Aug 2024

Tickler, Voldemort, and Roblox Supply Chain Attack

Author

Greg
September 02, 2024

The Cybersecurity Digest Podcast Week in Review: 26-30 Aug 2024

Happy monday and welcome to the Cybersecurity Digest Podcast Week in Review! This is the official podcast companion post. If you would like to check out the latest edition of the podcast you can do so by going to our Podcast Site to tune into the latest episode on your platform of choice!

Thank you to everyone who has subscribed to the newsletter so far! If you enjoy the content, I ask that you please share it with someone you know who would benefit from the information that this Newsletter provides! The more subscribers the newsletter gets the easier it will be to continue to provide this FREE resource! Our newsletter comes out Mondays, Wednesdays, and Fridays.

If you haven’t already please subscribe or check out more of our posts to decide if you want to subscribe.

**Please note that Blue Article Titles and words in sections are links directing to source material. Additionally, if the background is too dark for text on mobile, try turning off your phones dark mode.

Upcoming In Today's Issue

Last Weeks Top 10 Stories/Research

Image generated by DALL-E

USDoD Hacker Behind $3 Billion SSN Leak Reveals Himself as Brazilian Citizen

Follow us on Twitter (X) @Hackread - Facebook @ /Hackread

PythonAnywhere Cloud Platform Abused for Hosting Ransomware

Razr ransomware is exploiting PythonAnywhere to distribute and encrypt files with AES-256. ANY.RUN's analysis reveals its behaviour, C2 communication, and

Taking the Crossroads: The Versa Director Zero-Day Exploitation - Lumen

Executive Summary The Black Lotus Labs team at Lumen Technologies discovered active exploitation of a zero-day vulnerability in Versa Director servers, identified as CVE-2024-39717 and publicly announced on August 22, 2024. This vulnerability is found in Versa software-defined wide area network (SD-WAN) applications and affects all Versa Director versions prior to 22.1.4. Versa Director servers BLL discovered an active 0day exploit in a popular SD-WAN device that is used by many ISPs, we attribute this to Volt Typhoon based on TTPs and some of their router control network

WPML Multilingual CMS Authenticated Contributor+ Remote Code Execution (RCE) via Twig Server-Side Template Injection (SSTI)

tldr; Server-Side Template Injection (SSTI) is one of my favorite vulnerabilities, but rarely do I see it outside of CTF competitions... The WPML Multilingual CMS Plugin for WordPress used by over 1 million sites is susceptible to an Authenticated (Contributor+) Remote Code Execution (RCE) vulnerability through a Twig server-side template

The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” | Proofpoint US

Key findings  Proofpoint researchers identified an unusual campaign delivering malware that the threat actor named “Voldemort”.   Proofpoint assesses with moderate confidence the goal of the activi...

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations | Microsoft Security Blog

Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab […]

Threat Actors Target the Middle East Using Fake Palo Alto GlobalProtect Tool

Threat actors are targeting users in the Middle East by distributing sophisticated malware disguised as the Palo Alto GlobalProtect tool.

Malicious npm Packages Targeting Roblox Users

New malicious packages continue to appear, some of which are still active on the NPM registry at the time of publication

So-Phish-ticated Attacks

GuidePoint Security has been tracking a highly sophisticated threat actor, with skilled social engineering, phishing and intrusion capabilities that could put users at risk of ransomware.

PoC Exploit for Zero-Click Vulnerability Made Available to the Masses

The exploit can be accessed on GitHub and makes it easier for the flaw to be exploited by threat actors.

Prevalent Patches

Image generated by Dall-E

GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6

Learn more about GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

WPML Multilingual CMS <= 4.6.12 - Authenticated (Contributor+) Remote Code Execution via Twig Server-Side Template Injection

DSA-2024-354: Security Update for a Dell Client Platform BIOS for a Use of Default Cryptographic Key Vulnerability | Dell US

Cisco Released Several Patches

Affected Product(s)

Advisory

CVSS

NX-OS

CVE-2024-20446

8.6

APIC and Cloud Network Controller

CVE-2024-20478

6.5

NX-OS

CVE-2024-20284

5.3

NX-OS

CVE-2024-20289

4.4

SQL Injection Vulnerability in Password Manager Pro and PAM360

Insecure Default in FileCatalyst Workflow 5.1.6 Build 139 (and earlier)

This patche resolves a vulnerability that exists within the following SAP BEx Java Runtime Web Service:

  • BI-BASE-E version 7.5

  • BI-BASE-B version 7.5

  • BI-IBC version 7.5

  • BI-BASE-S version 7.5

  • BIWEBAPP version 7.5

CISA Corner of 26-30 August

Image generated by Dall-E

CISA KEV Additions

CVE-2024-39717 Versa Director Dangerous File Type Upload

The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be mis-used to upload a malicious file ending with .png extension to masquerade as image file. This is possible only after a user with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin has successfully authenticated and logged in. Severity: HIGH Exploitation Status: Versa Networks is aware of one confirmed customer reported instance where this vulnerability was exploited because the Firewall guidelines which were published in 2015 & 2017 were not implemented by that customer. This non-implementation resulted in the bad actor being able to exploit this vulnerability without using the GUI. In our testing (not exhaustive, as not all numerical versions of major browsers were tested) the malicious file does not get executed on the client. There are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date.

CVE-2024-7971 Google Chromium V8 Type Confusion Vulnerability

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2024-38856 Apache OFBiz Incorrect Authorization Vulnerability

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

CVE-2024-7965 Google Chromium V8 Inappropriate Implementation Vulenrability

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CISA ICS Advisories

Other CISA Advisories

RansomHub recently was linked to the attack on Haliburton. One of the items in response was CISA putting out this advisory.

CISA and others warn of attacks being enabled by Iran-based threat actors on US sectors such as education, healthcare, finance, and defense sectors.

Conclusion:

Thank you for checking out this Podcast Notes Edition of the Cybersecurity Digest Newsletter.

For previous newsletters, announcements, and links please check out our full website

Until next time, Stay Secure!

Reply

or to participate.