End of Week Cybersecurity Digest: 23 Aug 2024

SolarWinds Blunder, Hackers hitting LiteSpeed Cache Plugin, Haliburton Hit by Cyber Attack, and More!

The Cybersecurity Digest Newsletter

Date: 23 Aug 2024

Happy Friday! We made it to the end of this work week and I hope you are all doing well as we head into this weekend!

Thank you to everyone who has subscribed to the newsletter so far! If you enjoy the content, I ask that you please share it with someone you know who would benefit from the information that this Newsletter provides! The more subscribers the newsletter gets the easier it will be to continue to provide this FREE resource! In addition to this newsletter, we have a weekly podcast which will be published on Mondays that recaps the top 10 stories from the previous week.

**Please note that blue article titles and highlighted words in each section are links to the source material. Additionally, if the background is too dark for the text on mobile, try turning off your phone's dark mode.

Notable News

SolarWinds had to release another hotfix to address the recent critical vulnerability in their Web Help Desk product. This hotfix was needed because their previous hotfixes omitted the fix for a hardcoded credential. Yikes! Hopefully this is the last hotfix that SolarWinds needs to publish for this! If you haven't already, please patch this one ASAP!

BleepingComputer reports that hackers are actively exploiting a critical vulnerability (CVE-2024-28000) in the LiteSpeed Cache WordPress plugin, which affects versions up to 6.3.0.1. This flaw allows attackers to escalate privileges without authentication by brute-forcing a weak hash value, potentially leading to complete website takeovers. Despite the availability of a patch, only about 30% of the over 5 million sites using the plugin have updated to the safe version, leaving millions vulnerable. Wordfence has already detected and blocked over 48,500 attacks targeting this vulnerability in the past 24 hours. Users are urged to update to version 6.4.1 or uninstall the plugin immediately.
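The advice above is to get every site onto LiteSpeed Cache 6.4.1 or later. The following is an added example (not from the newsletter, BleepingComputer, Wordfence, or the plugin vendor) of how a defender can check that from the file system: it reads the standard `Version:` header of a plugin's main PHP file under `wp-content/plugins/<slug>/` and compares it against the fixed version named in the article. The sample plugin directory is constructed inline so the script runs offline; the only tracked plugin and its minimum version are taken from the text.

```python
"""Flag installed WordPress plugins whose version is below a known fix.

Added example, not code from the newsletter or the plugin vendor.  It
assumes the standard WordPress layout: each plugin lives in
wp-content/plugins/<slug>/ and its main PHP file carries a comment header
with a "Version:" line.  The fixed version for litespeed-cache (6.4.1) is
the one stated in the article; the sample site is constructed inline.
"""
import re
import tempfile
from pathlib import Path

# Plugin slug -> first version that contains the fix (value from the article).
MIN_FIXED = {"litespeed-cache": "6.4.1"}

# Matches " * Version: 6.3.0.1" or "Version: 6.4.1" inside the plugin header block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(v: str) -> tuple:
    """Turn '6.3.0.1' into (6, 3, 0, 1).  Trailing zeros are dropped so that
    6.4 and 6.4.0 compare equal; tuple comparison then orders versions correctly
    even when they have different numbers of components."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def plugin_version(plugin_dir: Path):
    """Return the Version: header from the first PHP file in the plugin
    directory that has one, or None if no header is found."""
    for php in sorted(plugin_dir.glob("*.php")):
        # The header sits at the top of the file; 8 KiB is plenty.
        m = VERSION_RE.search(php.read_text(errors="ignore")[:8192])
        if m:
            return m.group(1)
    return None


def find_outdated(plugins_root: Path) -> dict:
    """Map each tracked plugin slug to (installed, required) when the installed
    version is older than the fix, or (None, required) when the plugin is
    present but its version could not be read (needs manual review)."""
    findings = {}
    for slug, fixed in MIN_FIXED.items():
        d = plugins_root / slug
        if not d.is_dir():
            continue  # plugin not installed: nothing to patch
        installed = plugin_version(d)
        if installed is None:
            findings[slug] = (None, fixed)
        elif parse_version(installed) < parse_version(fixed):
            findings[slug] = (installed, fixed)
    return findings


def build_sample_site(root: Path, litespeed_version: str) -> Path:
    """Constructed sample: a plugins directory containing litespeed-cache at
    the given version, mimicking the real header layout."""
    plugins = root / "wp-content" / "plugins"
    ls = plugins / "litespeed-cache"
    ls.mkdir(parents=True)
    (ls / "litespeed-cache.php").write_text(
        "<?php\n/**\n * Plugin Name: LiteSpeed Cache\n"
        f" * Version: {litespeed_version}\n */\n"
    )
    return plugins


def check_sample(litespeed_version: str) -> dict:
    """Build the constructed sample site at a given version and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_outdated(build_sample_site(Path(tmp), litespeed_version))


if __name__ == "__main__":
    # Run against the constructed sample (the last vulnerable version from the article).
    for slug, (have, need) in check_sample("6.3.0.1").items():
        print(f"{slug}: installed {have}, needs >= {need}")
```

On a real host, point `find_outdated` at `/path/to/site/wp-content/plugins` instead of the constructed sample. Reading the header directly is useful when the WordPress admin dashboard itself may be compromised, because the check does not depend on anything the site reports about itself.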

SecurityAffairs discusses a recent cyberattack on Halliburton, a major oilfield services company. The attack, attributed to a sophisticated threat actor, involved the deployment of ransomware that encrypted critical systems and disrupted operations. The attackers demanded a significant ransom for the decryption key. Halliburton’s IT team is working to restore affected systems, and the incident has been reported to relevant authorities. The breach highlights the ongoing vulnerabilities in the energy sector and the increasing frequency of targeted cyberattacks on critical infrastructure.

DarkReading discusses a prompt injection flaw in Slack AI, discovered by PromptArmor, which could allow attackers to steal data from private Slack channels or perform phishing attacks. This vulnerability arises because Slack AI’s large language model (LLM) cannot distinguish between legitimate and malicious instructions. The flaw is exacerbated by Slack AI’s ability to ingest documents and files, increasing the attack surface.

In this article, BleepingComputer discusses a wave of cyberattacks starting in July 2024 that use a technique called AppDomain Manager Injection to deploy Cobalt Strike beacons. This method, which leverages the .NET Framework's AppDomainManager class, is stealthier and more versatile than traditional DLL side-loading. The attacks, tracked by NTT, targeted government agencies in Taiwan, the military in the Philippines, and energy organizations in Vietnam. The attackers used a ZIP archive containing a malicious MSC file to execute code via the GrimResource technique, exploiting a cross-site scripting vulnerability. Although attribution to the Chinese state-sponsored group APT41 is not confirmed, the sophistication of the techniques suggests a high level of expertise.

This detailed article from Sygnia discusses the activities of the China-Nexus threat group, Velvet Ant, which has been leveraging a zero-day exploit (CVE-2024-20399) on Cisco Switch appliances to maintain long-term network persistence. Over several years, Velvet Ant has escalated their tactics, moving from legacy Windows systems to network devices like F5 BIG-IP appliances and Cisco Nexus switches. By exploiting a command injection vulnerability in the Cisco NX-OS Software CLI, they gained unauthorized access to the underlying Linux OS, deploying the VELVETSHELL malware. This sophisticated malware, a hybrid of TinyShell and 3proxy, allowed the attackers to execute arbitrary commands, exfiltrate data, and maintain persistent access while evading detection.

Recent Research

In this report, Cado Security describes a newly discovered malware-as-a-service targeting macOS users, named Cthulhu Stealer.

This research looks at a newer malware that impacts Android devices. The malware relays NFC data from the payment data stored on victims' devices to the attacker's devices.

Mandiant identified a new memory-only dropper that uses a complex, multi-stage infection process: the dropper decrypts and executes a PowerShell-based downloader, which Mandiant tracks as PEAKLIGHT (report by Aaron Lee and Praveeth DSouza).

The well-known ransomware gang Qilin was recently observed by Sophos stealing stored Google credentials.

Prevalent Patches

ManageEngine OPManager

Product(s)                                     Advisory       CVSS
OPManager, OPManager Plus, OPManager MSP, RMM  CVE-2024-5466  8.8

Cisco Patches

Product                               Advisory        CVSS
Cisco Unified Communications Manager  CVE-2024-20375  8.6
Cisco Unified Communications Manager  CVE-2024-20488  6.1
Cisco Identity Services Engine        CVE-2024-20466  6.5
Cisco Identity Services Engine        CVE-2024-20417  6.5
Cisco Identity Services Engine        CVE-2024-20486  6.5

Google Chrome

Google published its latest stable channel update for desktop, which fixed 37 security issues.

GitHub Enterprise Server

Following the disclosure of CVE-2024-6800, GitHub released updates for GitHub Enterprise Server versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16 that fix this vulnerability.

FFmpeg

FFmpeg published an update that resolves a heap-based overflow tracked as CVE-2024-7272.

CISA Corner

Since Wednesday's newsletter, CISA has published one ICS advisory covering five different ICS products. Products include:

Conclusion:

Thank you for reading this edition of the Cybersecurity Digest Newsletter. If you enjoyed this newsletter please share with someone you know who would benefit from this information. Our top 10 podcast from this week will be releasing Monday morning!

For previous newsletters, announcements, and links, please check out our full website.

Before you go here is your Dad Joke:

Why do archaeologists get all the girls?

They have the best dating techniques!

Until next time, Stay Secure!
