The Cybersecurity Digest Podcast Week in Review: 19-23 August 2024

Happy Monday and welcome to the Cybersecurity Digest Podcast Week in Review! This is the official podcast companion post. If you would like to check out the latest edition of the podcast, you can do so by going to our Podcast Site to tune into the latest episode on your platform of choice!

Thank you to everyone who has subscribed to the newsletter so far! If you enjoy the content, I ask that you please share it with someone you know who would benefit from the information that this Newsletter provides! The more subscribers the newsletter gets the easier it will be to continue to provide this FREE resource! Our newsletter comes out Mondays, Wednesdays, and Fridays.

If you haven’t already, please subscribe or check out more of our posts to decide if you want to subscribe.

Please note that blue article titles and words in sections are links directing to source material. Additionally, if the background is too dark for text on mobile, try turning off your phone's dark mode.

Last Week's Top 10 Stories/Research

The Record reports that a hacker recently breached Unicoin’s systems, locking all employees out of their Google G-Suite accounts for four days. The attack, which began on August 9, was resolved by August 13, but left discrepancies in personal data and traces of hacked messages. Unicoin is investigating the incident and its potential financial impact. The breach highlights ongoing concerns about North Korean hackers infiltrating U.S. tech companies, as evidenced by a similar incident involving KnowBe4. Despite no evidence of stolen funds, the attack underscores the persistent threat to cryptocurrency firms.

Unit 42 researchers discovered a campaign where attackers exploited exposed environment variable files (.env files) containing sensitive credentials. The attackers set up their infrastructure within various organizations’ AWS environments, scanning over 230 million targets and compromising 110,000 domains. They exfiltrated data from cloud storage containers and left ransom notes without encrypting the data. The campaign relied on automation and misconfigurations in victim organizations, not vulnerabilities in cloud providers. The attackers used advanced cloud architectural techniques to escalate privileges and perform extensive discovery operations, ultimately leading to data exfiltration and ransom demands.

The North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver, tracked as CVE-2024-38193, to elevate privileges and install the FUDModule rootkit on targeted systems. Exploited in a Bring Your Own Vulnerable Driver (BYOVD) attack, the flaw allowed the hackers to gain kernel-level access and evade detection by disabling Windows monitoring features. Discovered by Gen Digital researchers, the flaw was patched by Microsoft in August 2024. The Lazarus group, known for targeting financial and cryptocurrency firms, used this method in a campaign linked to Brazilian cryptocurrency professionals, highlighting the ongoing threat posed by sophisticated state-sponsored cyber actors.

The article discusses a critical configuration issue affecting as many as 15,000 applications using AWS Application Load Balancer (ALB), potentially exposing them to ALBeast attacks. This issue, identified by Miggo, allows attackers to forge authentication tokens and gain unauthorized access to business resources. AWS has updated its documentation and added new code to help customers prevent these attacks. Users are advised to ensure that apps using ALB authentication check the token signer and accept traffic only from their ALB to mitigate the risk.
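The mitigation above boils down to a claims check on the token the ALB forwards to the application. The following Python is an added example written for this post, not code from the article, Miggo, or AWS: it validates the JWT an ALB places in the `x-amzn-oidc-data` header and rejects any token whose `signer` is not the ARN of the application's own ALB. The ARN, key id, user claims and the `DEMO-SIGNATURE` marker are constructed for the demo; real tokens are ES256-signed, so the `verify_signature` callback is where the caller plugs in ES256 verification against the public key fetched by `kid` from the regional ALB public-key endpoint. `demo_verifier` is a stand-in for that step so the checks can run offline.

```python
import base64
import json
import time
from typing import Any, Callable, Dict, Optional

# Constructed ARN of "our" ALB for this example (assumption, not from the article).
EXPECTED_ALB_ARN = (
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
    "loadbalancer/app/example-alb/0123456789abcdef"
)


class TokenRejected(ValueError):
    """Raised when the x-amzn-oidc-data token fails any check."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def validate_alb_oidc_data(
    token: str,
    expected_signer: str,
    verify_signature: Callable[[str, bytes, bytes], bool],
    now: Optional[int] = None,
) -> Dict[str, Any]:
    """Return the token's claims, or raise TokenRejected.

    Checks, in order: three segments; header alg is ES256; header 'signer'
    equals our ALB's ARN (the ALBeast mitigation); 'exp' is still in the
    future; the signature verifies via verify_signature(kid, signing_input, sig).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("token must be header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected(f"malformed token: {exc}") from exc

    if header.get("alg") != "ES256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    # Core check: a token minted by someone else's ALB carries a different signer.
    if header.get("signer") != expected_signer:
        raise TokenRejected(f"signer {header.get('signer')!r} is not our ALB")
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        raise TokenRejected("missing kid")

    current = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= current:
        raise TokenRejected("token expired or exp missing")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not verify_signature(kid, signing_input, signature):
        raise TokenRejected("signature did not verify")
    return payload


def accepts(token: str, expected_signer: str, verify_signature, now: int) -> bool:
    """Boolean wrapper around validate_alb_oidc_data for middleware-style use."""
    try:
        validate_alb_oidc_data(token, expected_signer, verify_signature, now)
        return True
    except TokenRejected:
        return False


def make_demo_token(signer: str, exp: int, kid: str = "demo-kid") -> str:
    """Build a constructed token whose signature segment is a fixed marker (demo only)."""
    header = {"alg": "ES256", "typ": "JWT", "kid": kid, "signer": signer, "exp": exp}
    payload = {"sub": "user-123", "email": "user@example.test", "exp": exp}
    body = (
        f"{_b64url_encode(json.dumps(header).encode())}."
        f"{_b64url_encode(json.dumps(payload).encode())}"
    )
    return f"{body}.{_b64url_encode(b'DEMO-SIGNATURE')}"


def demo_verifier(kid: str, signing_input: bytes, signature: bytes) -> bool:
    """Stand-in for ES256 verification: accepts only the constructed marker for demo-kid."""
    return kid == "demo-kid" and signature == b"DEMO-SIGNATURE"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    good = make_demo_token(EXPECTED_ALB_ARN, exp=now + 300)
    forged = make_demo_token(EXPECTED_ALB_ARN.replace("example-alb", "attacker-alb"), exp=now + 300)
    print("own ALB:", accepts(good, EXPECTED_ALB_ARN, demo_verifier, now))      # True
    print("other ALB:", accepts(forged, EXPECTED_ALB_ARN, demo_verifier, now))  # False
```

The signer check covers the first half of the advice; the second half, accepting traffic only from the ALB, is a network control (for example, a target security group that admits only the ALB's security group), so a token can never reach the application without passing through the load balancer that is supposed to have minted it.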

Sophos recently observed the well-known Qilin ransomware gang stealing stored Google credentials.

This detailed article from Sygnia discusses the activities of the China-nexus threat group Velvet Ant, which has been leveraging a zero-day exploit (CVE-2024-20399) on Cisco switch appliances to maintain long-term network persistence. Over several years, Velvet Ant has escalated its tactics, moving from legacy Windows systems to network devices like F5 BIG-IP appliances and Cisco Nexus switches. By exploiting a command injection vulnerability in the Cisco NX-OS Software CLI, they gained unauthorized access to the underlying Linux OS, deploying the VELVETSHELL malware. This sophisticated malware, a hybrid of TinyShell and 3proxy, allowed the attackers to execute arbitrary commands, exfiltrate data, and maintain persistent access while evading detection.

New Malware Exploits PHP Vulnerability: Unknown attackers have deployed a new backdoor, Msupedge, on a university’s Windows systems in Taiwan by exploiting the CVE-2024-4577 PHP remote code execution vulnerability. This critical flaw allows unauthenticated attackers to execute arbitrary code, leading to complete system compromise. The malware, dropped as DLL files, uses DNS tunneling to communicate with its command-and-control server, a technique not commonly observed in the wild. Symantec’s Threat Hunter Team discovered the intrusion, noting that multiple threat actors have been scanning for vulnerable systems since the vulnerability was patched in June.

BleepingComputer reports that hackers are actively exploiting a critical vulnerability (CVE-2024-28000) in the LiteSpeed Cache WordPress plugin, which affects versions up to 6.3.0.1. This flaw allows attackers to escalate privileges without authentication by brute-forcing a weak hash value, potentially leading to complete website takeovers. Despite the availability of a patch, only about 30% of the over 5 million sites using the plugin have updated to the safe version, leaving millions vulnerable. Wordfence has already detected and blocked over 48,500 attacks targeting this vulnerability in the past 24 hours. Users are urged to update to version 6.4.1 or uninstall the plugin immediately.

This article describes a vulnerability that Mandiant recently disclosed to Microsoft. The issue affected Azure Kubernetes Services clusters using “Azure CNI” for network configuration and “Azure” for network policy. An attacker with command execution in a Pod within an affected cluster could escalate privileges, access credentials, and read all secrets within the cluster. Microsoft has since fixed the underlying issue.

The recent data breach of National Public Data was originally speculated to have affected around 2.7 billion individuals. In a filing with the Maine Attorney General, the company listed the number at 1.3 million.

Prevalent Patches

Ivanti Patches

| Product                 | Advisory      | Highest CVSS |
|-------------------------|---------------|--------------|
| Virtual Traffic Manager | CVE-2024-7593 | 9.8          |
| Ivanti Avalanche        | Multiple CVEs | 8.2          |
| Neurons for ITSM        | Multiple CVEs | 9.6          |

F5 Networks

| Product         | Advisory       | Highest CVSSv4 |
|-----------------|----------------|----------------|
| F5 BIG-IP       | CVE-2024-39809 | 8.9            |
| NGINX Plus MQTT | CVE-2024-39792 | 8.4            |
| BIG-IP MPTCP    | CVE-2024-41164 | 8.2            |

Intel Family Security Updates

Intel has published fixes for 13 CVEs across several of their products. I recommend that you review the attached list to see what is impacted.

Dell Family Security Updates

Below are Dell’s updates; these include two for Dell Digital Delivery that could allow for arbitrary code execution or elevation of privilege.

The fix for Dell SupportAssist fixes a potential privilege escalation vulnerability.

| Affected Product                                | Advisory     | Highest CVSS |
|-------------------------------------------------|--------------|--------------|
| Dell Digital Delivery versions prior to 5.2.0.0 | DSA-2024-033 | 7.0          |
| Dell Digital Delivery versions prior to 5.2.0.0 | DSA-2024-032 | 7.0          |
| Dell SupportAssist for Home PCs version 4.0.3   | DSA-2024-312 | 7.3          |

Ingress nginx

SAP

Last week was SAP’s Security Patch Day. They resolved several vulnerabilities across several of their products. Two of the vulnerabilities were for CVEs with a CVSS of 9.1 or higher.

SolarWinds

SolarWinds published a security advisory fixing a Remote Code Execution vulnerability being tracked as CVE-2024-28986. This vulnerability received a CVSS of 9.8. Users should patch ASAP!

Zoom

Zoom published on Tuesday fixes for two different vulnerabilities.

| CVE            | CVSS | Advisory  |
|----------------|------|-----------|
| CVE-2024-39818 | 7.5  | ZSB-24025 |
| CVE-2024-39825 | 8.5  | ZSB-24022 |

Atlassian Jira

Atlassian published their August security bulletin, which patched several vulnerabilities. The highest-rated vulnerability has a CVSS score of 8.1.

GiveWP WordPress Plugin

With a maximum CVSS score of 10/10, this is worth checking: if your WordPress sites use this plugin, update ASAP.

ManageEngine OPManager

| Product(s)                                     | Advisory      | CVSS |
|------------------------------------------------|---------------|------|
| OPManager, OPManager Plus, OPManager MSP, RMM  | CVE-2024-5466 | 8.8  |

Cisco Patches

| Product                              | Advisory       | CVSS |
|--------------------------------------|----------------|------|
| Cisco Unified Communications Manager | CVE-2024-20375 | 8.6  |
| Cisco Unified Communications Manager | CVE-2024-20488 | 6.1  |
| Cisco Identity Services Engine       | CVE-2024-20466 | 6.5  |
| Cisco Identity Services Engine       | CVE-2024-20417 | 6.5  |
| Cisco Identity Services Engine       | CVE-2024-20486 | 6.5  |

Google Chrome

Google published their latest stable channel update for desktop which fixed 37 security issues.

GitHub Enterprise Server

Following the disclosure of CVE-2024-6800, GitHub released updates for GitHub Enterprise Server versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16 that fix this vulnerability.

FFmpeg

FFmpeg published an update that resolved a heap-based overflow tracked as CVE-2024-7272.

CISA Corner of 19-23 August

CISA KEV Additions

CVE-2024-23897 Jenkins Command Line Path Traversal Vulnerability

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
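The parser feature described in that entry (an argument of the form `@<path>` being replaced by the contents of the file at that path) is a generic command-line convenience, not something unique to Jenkins; Python's `argparse` offers the same behaviour through `fromfile_prefix_chars`. The following added example, written for this post and not drawn from Jenkins or the advisory, shows the risky form and the hardened form side by side on a constructed file, so you can see why a server-side parser must not expand `@` arguments that untrusted clients control. The `demo-cli` program name, the `--name` option and the file contents are constructed for the demo.

```python
import argparse
import os
import tempfile
from typing import Tuple


def parse_with_at_expansion(argv):
    """Risky form: any argument beginning with '@' is replaced by the named
    file's contents, one line per argument, before parsing. On a server whose
    CLI accepts arguments from remote callers this turns a text argument into
    a read of the server's own file system."""
    parser = argparse.ArgumentParser(prog="demo-cli", fromfile_prefix_chars="@")
    parser.add_argument("--name")
    return parser.parse_args(argv)


def parse_literal(argv):
    """Hardened form: no fromfile prefix, so '@<path>' is just the literal
    string the caller sent. This is the behaviour the Jenkins fix restores by
    disabling the expansion feature of its command parser."""
    parser = argparse.ArgumentParser(prog="demo-cli")
    parser.add_argument("--name")
    return parser.parse_args(argv)


def demonstrate(secret_text: str = "constructed-secret-value") -> Tuple[str, str]:
    """Write a constructed file, feed '@<path>' to both parsers, and return
    (value seen by the expanding parser, value seen by the literal parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret_text + "\n")
        path = fh.name
    try:
        expanded = parse_with_at_expansion(["--name", "@" + path]).name
        literal = parse_literal(["--name", "@" + path]).name
    finally:
        os.unlink(path)
    return expanded, literal


if __name__ == "__main__":
    seen_by_expanding, seen_by_literal = demonstrate()
    print("expanding parser received:", seen_by_expanding)  # the file's contents
    print("literal parser received:  ", seen_by_literal)    # the '@<path>' string
```

The defensive takeaway is the second parser: when argument strings arrive from a network client, the parser must treat them as opaque data, and any file-reference convenience must be disabled on the server side rather than relied on to be benign.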


CVE-2021-33044 Dahua IP Camera Authentication Bypass Vulnerability

An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CVE-2021-33045 Dahua IP Camera Authentication Bypass Vulnerability

An identity authentication bypass vulnerability was found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

CVE-2022-0185 Linux Kernel Heap-Based Overflow

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameter's length. An unprivileged local user (if unprivileged user namespaces are enabled; otherwise namespaced CAP_SYS_ADMIN privilege is needed) who is able to open a filesystem that does not support the Filesystem Context API (and thus falls back to legacy handling) could use this flaw to escalate their privileges on the system.

CVE-2021-31196 Microsoft Exchange Server Information Disclosure Vulnerability

Microsoft Exchange Server Remote Code Execution Vulnerability

CISA ICS Advisories

CISA has published one ICS advisory covering five different ICS products. Products include:

Conclusion:

Thank you for checking out this Podcast Notes Edition of the Cybersecurity Digest Newsletter.

For previous newsletters, announcements, and links, please check out our full website.

Until next time, Stay Secure!
