Weekly Threat Landscape Digest – Week 47
In today’s fast-evolving cybersecurity environment, organizations must stay ahead of emerging risks and vulnerabilities. From sophisticated zero-day exploits to novel malware campaigns, this week’s Hawkeye Security Advisory brings you actionable insights into the latest threats and how to mitigate them. This digest delves into major incidents, critical vulnerability updates, and emerging threats, ensuring you have a comprehensive view of the evolving cyber landscape.
Top Security Updates
1. BrazenBamboo APT Exploiting FortiClient Zero-Day
The BrazenBamboo APT group is actively exploiting an unpatched zero-day vulnerability in Fortinet’s FortiClient VPN software for Windows. The group deploys the modular malware framework DEEPDATA to target sensitive credentials and infiltrate organizational systems.
Key Points
- Capabilities: The malware extracts VPN credentials, keystroke logs, audio recordings, and files. It also targets messaging apps, email clients, and browsers.
- Affected Versions: All FortiClient versions, including the latest (v7.4.0).
- Mitigation:
- Restrict VPN usage to trusted environments.
- Monitor for updates from Fortinet.
- Implement robust endpoint protection tools.
Reference: https://cybersecuritynews.com/brazenbamboo-apt-forticlient-zero-day/
2. Telecommunications Regulatory Authority (UAE) Database Breach
The hacking group Breachachu claims to have breached the UAE Telecommunications Regulatory Authority (TRA) database. The leaked data reportedly includes sensitive user information such as names, credentials, supplier details, and internal KPIs.
Key Points
- Impact: The leaked data could lead to identity theft, fraud, and misuse of regulatory data.
- Mitigation: Organizations should enhance database encryption, restrict access, and monitor sensitive data for potential misuse.
3. VMware vCenter Server RCE Vulnerability (CVE-2024-5311)
A critical remote code execution (RCE) vulnerability in VMware vCenter Server allows attackers to execute arbitrary commands without authentication. This vulnerability could be used to compromise virtual infrastructure, steal sensitive data, or deploy ransomware.
Key Points
- Impact: Full system compromise and data exfiltration.
- Mitigation: Update VMware vCenter Server to version 8.0 U3d or 7.0 U3t.
Reference: https://cybersecuritynews.com/vmware-vcenter-server-rce-vulnerability-2/
4. Fake Bitwarden Ads Push Info-Stealing Extensions
Malicious Facebook ads mimicking Bitwarden’s branding distribute a fake Chrome extension, designed to steal sensitive user credentials stored in browsers.
Key Points
- IoCs:
- Malicious Domain: https://chromewebstoredownload.com
- Mitigation:
- Install extensions only from verified sources.
- Train users to recognize phishing ads.
5. QuickBooks Popup Scam Delivered via Google Ads
A malvertising campaign targeting QuickBooks users leverages fraudulent Google ads to distribute malware. Victims are tricked into downloading a fake installer embedding backdoor executables.
Key Points
- IoCs:
- Installer: QuickBooks_Installer.msi (SHA-256: 9e0b46194dc1c034422700b02c6aca01290d144735e48c4a83eea34773be5f52)
- Backdoor: zeform.exe (SHA-256: 0c3f5f7bed8efbb6b1de3e804d22397a8bdf442b83962444970855fc9606c9f5)
- Malicious Domain: https://bizzgrowthinc.com
- Mitigation:
- Download QuickBooks only from Intuit’s official site.
- Employ endpoint security to block malicious downloads.
Major Vulnerability Updates
1. Palo Alto PAN-OS Zero-Days
Two zero-day vulnerabilities (CVE-2024-0012 and CVE-2024-9474) were exploited in attacks linked to the Operation Lunar Peek campaign.
Key Points
- IoCs:
- Malicious IPs:
- https://136.144.17.*
- https://173.239.218.251
- https://216.73.162.*
- Mitigation: Update to PAN-OS versions 10.2.12-h2, 11.0.6-h1, or higher.
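The QuickBooks, Bitwarden and PAN-OS items above each list indicators (file hashes, a malicious domain, and IP addresses with a wildcard last octet). The following added example, written for this digest and not taken from any of the referenced advisories, sweeps constructed sample proxy/firewall log lines for those indicators and checks a file digest against the listed hashes. Assumptions: the digest's IP entries are treated as plain IPv4 indicators (the `https://` prefix dropped) with `136.144.17.*` read as the `/24` it denotes; the log format, field names and every log line are constructed for illustration.

```python
"""IoC sweep over constructed telemetry using indicators from this digest.

Added example; not code from the advisory authors or vendors. Only the
indicator values come from the digest; the log lines are constructed.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the digest (QuickBooks, Bitwarden and PAN-OS items).
FILE_HASHES = {
    "9e0b46194dc1c034422700b02c6aca01290d144735e48c4a83eea34773be5f52": "QuickBooks_Installer.msi",
    "0c3f5f7bed8efbb6b1de3e804d22397a8bdf442b83962444970855fc9606c9f5": "zeform.exe",
}
MALICIOUS_DOMAINS = {"bizzgrowthinc.com", "chromewebstoredownload.com"}
# Assumption: the digest's "https://136.144.17.*" style entries are IP indicators
# whose trailing '*' octets stand for whole /24 (or /16, /8) ranges.
IP_PATTERNS = ["136.144.17.*", "173.239.218.251", "216.73.162.*"]


def pattern_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Turn 'a.b.c.*' into a.b.c.0/24; a full address becomes a /32."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 pattern: {pattern}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    wild = 4 - len(fixed)
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing: {pattern}")
    base = ".".join(fixed + ["0"] * wild)
    return ipaddress.IPv4Network(f"{base}/{32 - 8 * wild}")


NETWORKS = [pattern_to_network(p) for p in IP_PATTERNS]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")


def ip_hits(line: str) -> list[str]:
    """Return every IPv4 address in the line that falls inside an indicator range."""
    hits = []
    for candidate in IPV4_RE.findall(line):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
            continue
        if any(addr in net for net in NETWORKS):
            hits.append(candidate)
    return hits


def domain_hits(line: str) -> list[str]:
    """Return hostnames of URLs in the line that match a listed malicious domain."""
    hits = []
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host and host.lower() in MALICIOUS_DOMAINS:
            hits.append(host.lower())
    return hits


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest of file contents, for comparison with FILE_HASHES."""
    return hashlib.sha256(data).hexdigest()


def check_hash(hexdigest: str):
    """Name of the indicator a digest matches, or None. Case-insensitive."""
    return FILE_HASHES.get(hexdigest.lower())


def sweep(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan log lines; return (line_no, kind, indicator) for each IoC match."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for ip in ip_hits(line):
            findings.append((line_no, "ip", ip))
        for dom in domain_hits(line):
            findings.append((line_no, "domain", dom))
    return findings


# Constructed sample log lines (not real telemetry); the last one sits in the
# adjacent /24 and must not match.
SAMPLE_LOG = [
    "2024-11-18T09:58:03Z action=allow src=10.0.0.12 dst=93.184.216.34 url=https://example.com/",
    "2024-11-18T10:02:11Z action=allow src=173.239.218.251 dst=10.0.0.5 url=-",
    "2024-11-18T10:05:40Z action=allow src=10.0.0.7 dst=45.33.1.9 url=https://bizzgrowthinc.com/QuickBooks_Installer.msi",
    "2024-11-18T10:09:15Z action=allow src=136.144.17.200 dst=10.0.0.5 url=-",
    "2024-11-18T10:11:02Z action=allow src=10.0.0.3 dst=172.217.0.1 url=https://chromewebstoredownload.com/ext.crx",
    "2024-11-18T10:12:44Z action=allow src=136.144.18.1 dst=10.0.0.5 url=-",
]

if __name__ == "__main__":
    for line_no, kind, indicator in sweep(SAMPLE_LOG):
        print(f"line {line_no}: {kind} indicator {indicator}")
```

The wildcard-to-network conversion matters: a naive substring match on `136.144.17.` would also hit `136.144.170.5`, whereas the `/24` check does not. Hash lookups are lower-cased on both sides because vendors publish digests in mixed case.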
2. Microsoft Patch Tuesday (November 2024)
Microsoft addressed 89 vulnerabilities, including two actively exploited zero-days, across its product suite.
Key Points
- Notable CVEs:
- CVE-2024-43451: NTLM Hash Disclosure.
- CVE-2024-49039: Task Scheduler Privilege Escalation.
- Mitigation: Apply updates via Windows Update immediately.
Reference: https://msrc.microsoft.com/update-guide/releaseNote/2024-Nov
3. Fortinet Vulnerability Fixes
Fortinet patched multiple critical vulnerabilities in FortiOS, FortiClient, and FortiAnalyzer products.
Key Points
- Notable CVEs: CVE-2023-50176, CVE-2024-47574, CVE-2024-36513.
- Mitigation:
- Update all affected Fortinet products.
- Regularly review system logs.
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-24-144
4. Ivanti Security Updates
Ivanti addressed vulnerabilities in Endpoint Manager and Secure Access Client products, including SQL injection and remote code execution.
Key Points
- Notable CVEs:
- CVE-2024-50330: SQL Injection.
- CVE-2024-38655: Remote Code Execution.
- Mitigation: Update to the latest Ivanti versions.
Reference: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM 2024-and-EPM-2022?_gl=1*pchng3*_gcl_au*ODM2NTAyMzg1LjE3MjY2NjkwMTg
Reference: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-Multiple-CVEs-Q4 2024-Release?_gl=1*pchng3*_gcl_au*ODM2NTAyMzg1LjE3MjY2NjkwMTg
Reference: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple CVEs?_gl=1*6ap9xw*_gcl_au*ODM2NTAyMzg1LjE3MjY2NjkwMTg
5. GitLab Patches
GitLab resolved critical vulnerabilities in Kubernetes agents and analytics dashboards.
Key Points
- Notable CVEs: CVE-2024-9693 (Unauthorized Access to Kubernetes Agents).
- Mitigation: Update to GitLab versions 17.5.2, 17.4.4, or 17.3.7.
Reference: https://about.gitlab.com/releases/2024/11/13/patch-release-gitlab-17-5-2-released/
Emerging Threats
1. DEEPDATA Malware Campaign
The BrazenBamboo APT group deploys DEEPDATA malware to steal credentials, exfiltrate files, and record user activity.
DEEPDATA malware exhibits advanced capabilities that go beyond traditional credential theft. It targets high-value information through a combination of stealthy persistence mechanisms and aggressive data collection methods.
Key Features of DEEPDATA:
- Credential Theft: Extracts sensitive data from messaging platforms (e.g., WhatsApp, Telegram), browsers, and email clients.
- System Surveillance: Records keystrokes and system audio, giving attackers access to private communications.
- Data Exfiltration: Transfers stolen information to command-and-control (C2) servers while bypassing detection.
This malware campaign has primarily targeted entities in critical infrastructure sectors, exploiting the widespread use of FortiClient VPN software to infiltrate secure networks.
Mitigation Steps:
- Restrict VPN usage to trusted environments.
- Monitor VPN logs for unusual activities.
- Deploy robust endpoint protection solutions capable of detecting modular malware.
Reference: https://www.hunters.security/en/blog/veildrive-microsoft-services-malware-c2