Midweek Security Spotlight: Critical Updates, New Threats, and Review Worthy Research - August 21, 2024

The Cybersecurity Digest Newsletter

Date: 21 Aug 2024

Happy Humpday and welcome to the Cybersecurity Digest! We are halfway through the week!

Thank you to everyone who has subscribed to the newsletter so far! If you enjoy the content, I ask that you please share it with someone you know who would benefit from the information that this newsletter provides! The more subscribers the newsletter gets, the easier it will be to continue to provide this FREE resource! In this newsletter I have decided to separate the Research from the News. Please let me know your thoughts by sending me an email or commenting on the newsletter!

In addition to this newsletter, we have a weekly podcast which will be published on Mondays that recaps the top 10 stories from the previous week.

**Please note that blue article titles and words in sections are links directing to source material. Additionally, if the background is too dark for text on mobile, try turning off your phone's dark mode.

Upcoming In Today's Issue

Notable News

The article discusses a recent attack on poorly protected PostgreSQL databases running on Linux machines, where cryptojacking attackers brute-forced access credentials to compromise the systems. Once access was gained, the attackers created a new user role with high privileges, stripped the compromised role of superuser privileges, and deployed two payloads: PG_Core and PG_Mem. PG_Core removed cron jobs and killed processes related to other cryptomining malware, while PG_Mem deployed the XMRIG cryptominer.

BleepingComputer discusses a critical vulnerability in GitHub Enterprise Server (GHES), identified as CVE-2024-6800, which allows attackers to bypass authentication and gain administrator privileges. This flaw, rated 9.5 in severity, is linked to an XML signature wrapping issue in SAML authentication with certain identity providers. GitHub has released updates for GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16 to address this and two other medium-severity vulnerabilities. Administrators are advised to apply these updates despite potential configuration errors and check the ‘Known issues’ section for additional guidance.

New Malware Exploits PHP Vulnerability: Unknown attackers have deployed a new backdoor, Msupedge, on a university’s Windows systems in Taiwan by exploiting the CVE-2024-4577 PHP remote code execution vulnerability. This critical flaw allows unauthenticated attackers to execute arbitrary code, leading to complete system compromise. The malware, dropped as DLL files, uses DNS tunneling to communicate with its command-and-control server, a technique not commonly observed in the wild. Symantec’s Threat Hunter Team discovered the intrusion, noting that multiple threat actors have been scanning for vulnerable systems since the vulnerability was patched in June.

The article discusses a critical security flaw in Microsoft’s Copilot Studio, identified as CVE-2024-38206, with a CVSS score of 8.5. This vulnerability, caused by a server-side request forgery (SSRF) attack, allowed authenticated attackers to access sensitive information by bypassing SSRF protection. The flaw enabled attackers to retrieve instance metadata and obtain managed identity access tokens, potentially affecting multiple customers. Microsoft has addressed the issue, requiring no customer action.

The article discusses a critical configuration issue affecting as many as 15,000 applications using AWS Application Load Balancer (ALB), potentially exposing them to ALBeast attacks. This issue, identified by Miggo, allows attackers to forge authentication tokens and gain unauthorized access to business resources. AWS has updated its documentation and added new code to help customers prevent these attacks. Users are advised to ensure that apps using ALB authentication check the token signer and accept traffic only from their ALB to mitigate the risk.
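The first mitigation named above, checking the token signer, is easy to get wrong: an app that only checks that an ALB signed the x-amzn-oidc-data token still trusts tokens minted by somebody else's ALB. The following Python is an added example, not code from the article, Miggo or AWS; the ALB ARN, the kid and the tokens are constructed placeholders, and it deliberately stops short of the ES256 signature check, which needs the public key fetched from AWS.

```python
import base64
import json
import time
from typing import Optional

# Constructed ARN for the ALB this app sits behind (placeholder account and id).
EXPECTED_ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef"

def _b64url_decode(segment: str) -> bytes:
    # ALB may emit '='-padded segments; normalise so padded and unpadded both decode.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_alb_token(token: str, expected_signer: str, now: Optional[float] = None) -> dict:
    """Parse an x-amzn-oidc-data JWT and enforce the signer check; returns the user
    claims or raises ValueError. ES256 signature verification with the key fetched
    by 'kid' from the regional public-keys endpoint is a separate, still required step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "ES256":
        raise ValueError("unexpected alg")
    if not header.get("kid"):
        raise ValueError("missing kid")
    # The ALBeast point: a token signed by *some* ALB is not enough. The signer ARN
    # must be exactly our load balancer, or an attacker-controlled ALB could mint
    # tokens this app would accept.
    if header.get("signer") != expected_signer:
        raise ValueError("token signed by an unexpected load balancer")
    # ALB puts the expiry in the JWT header next to 'signer', not in the payload.
    exp = header.get("exp")
    current = time.time() if now is None else now
    if exp is None or current >= float(exp):
        raise ValueError("token expired")
    return claims

def is_trusted_token(token: str, expected_signer: str, now: Optional[float] = None) -> bool:
    # Boolean wrapper for request middleware; decode/JSON errors are ValueError subclasses.
    try:
        check_alb_token(token, expected_signer, now)
        return True
    except ValueError:
        return False

def make_unsigned_token(signer: str, exp: int, claims: dict) -> str:
    """Constructed, unsigned token in ALB's layout, for local testing only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "ES256", "kid": "constructed-kid", "signer": signer, "exp": exp}
    return f"{enc(header)}.{enc(claims)}.{enc('constructed-signature')}"
```

Pair this with the second mitigation, a security group on the targets that only admits traffic from the ALB, so a token cannot be replayed straight at the backend.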

The North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver, tracked as CVE-2024-38193, to elevate privileges and install the FUDModule rootkit on targeted systems. This vulnerability, a Bring Your Own Vulnerable Driver (BYOVD) attack, allowed the hackers to gain kernel-level access and evade detection by disabling Windows monitoring features. Discovered by Gen Digital researchers, the flaw was patched by Microsoft in August 2024. The Lazarus group, known for targeting financial and cryptocurrency firms, used this method in a campaign linked to Brazilian cryptocurrency professionals, highlighting the ongoing threat posed by sophisticated state-sponsored cyber actors.

SecurityWeek discusses a new phishing technique identified by ESET that targets iOS and Android users through Progressive Web Applications (PWAs) and WebAPKs, which mimic legitimate banking apps to steal login credentials. These malicious apps bypass security protections by appearing as regular native apps, leading users to unknowingly install them. Once installed, the apps prompt users to enter their banking credentials, which are then sent to the attackers’ command-and-control servers. The attacks, which began around November 2023, have primarily targeted mobile banking users in the Czech Republic, Hungary, and Georgia. ESET warns that the attackers may expand their tactics with more sophisticated copycat applications.

BleepingComputer reports that Microchip Technology Incorporated recently disclosed a cyberattack that disrupted operations across multiple manufacturing facilities. The incident, detected on August 17, 2024, led to the shutdown and isolation of affected systems. By August 19, the company confirmed that an unauthorized party had disrupted certain servers and business operations. While the full scope and impact of the attack are still under investigation, the company is working with external cybersecurity experts to restore normal operations.

Recent Research

Palo Alto published some recent research looking at DNS traffic.

Cisco published research taking a deeper look at the MoonPeak malware from North Korean threat actors.

HudsonRock takes a deep dive into macOS malware named Banshee Stealer.

Proofpoint discusses how Iranian threat actor TA453 has been targeting figures with a fake podcast interview invitation.

Prevalent Patches

F5 Networks

Product | Advisory | Highest CVSSv4
F5 BIG-IP | CVE-2024-39809 | 8.9
NGINX Plus MQTT | CVE-2024-39792 | 8.4
BIG-IP MPTCP | CVE-2024-41164 | 8.2

Intel Family Security Updates

Intel has published fixes for 13 CVEs across several of their products. I recommend that you review the attached list to see what is impacted.

Dell Family Security Updates

Below are Dell's updates. These include two for Dell Digital Delivery that could allow arbitrary code execution or elevation of privilege.

The fix for Dell SupportAssist fixes a potential privilege escalation vulnerability.

Affected Product | Advisory | Highest CVSS
Dell Digital Delivery versions prior to 5.2.0.0 | DSA-2024-033 | 7.0
Dell Digital Delivery versions prior to 5.2.0.0 | DSA-2024-032 | 7.0
Dell SupportAssist for Home PCs version 4.0.3 | DSA-2024-312 | 7.3

Ingress nginx

SAP

Last week was SAP’s Security Patch Day. They resolved several vulnerabilities across several of their products. Two of the vulnerabilities were for CVEs with a CVSS of 9.1 or higher.

SolarWinds

SolarWinds published a security advisory fixing a Remote Code Execution vulnerability being tracked as CVE-2024-28986. This vulnerability received a CVSS of 9.8. Users should patch ASAP!

Zoom

Zoom published on Tuesday fixes for two different vulnerabilities.

CVE | CVSS | Advisory
CVE-2024-39818 | 7.5 | ZSB-24025
CVE-2024-39825 | 8.5 | ZSB-24022

Atlassian Jira

Atlassian published their August security bulletin that patched several vulnerabilities. Vulnerabilities peaked at a CVSS rating of 8.1.

GiveWP WordPress Plugin

With a maximum CVSS score of 10/10, this one is worth checking: see whether your WordPress sites use this plugin, and if so, update ASAP.

CISA Corner

Since Monday CISA has added FOUR new additions to its Known Exploited Vulnerability Catalog. The vulnerabilities are as follows:

CVE-2021-33044 Dahua IP Camera Authentication Bypass Vulnerability

An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CVE-2021-33045 Dahua IP Camera Authentication Bypass Vulnerability

An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CVE-2022-0185 Linux Kernel Heap-Based Overflow

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the length of the supplied parameters. An unprivileged local user (where unprivileged user namespaces are enabled; otherwise namespaced CAP_SYS_ADMIN privilege is needed) able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.

CVE-2021-31196 Microsoft Exchange Server Information Disclosure Vulnerability

Microsoft Exchange Server Remote Code Execution Vulnerability

Conclusion:

Thank you for reading this edition of the Cybersecurity Digest Newsletter. If you enjoyed this newsletter please share with someone you know who would benefit from this information.

For previous newsletters, announcements, and links, please check out our full website.

Before you go here is your Dad Joke:

What kind of tea do you drink with a princess?

Royaltea!

Until next time, Stay Secure!
