Weekly Threat Landscape Digest – Week 49
This week’s cybersecurity digest delves into critical vulnerabilities and emerging threat actor activities, underscoring the urgent need for proactive security measures and timely mitigations to safeguard against evolving cyber threats.
Vulnerabilities
- Jenkins: Patches Issued for Multiple Vulnerabilities
Jenkins has patched significant flaws, including Denial of Service (DoS), Cross-Site Scripting (XSS), and Path Traversal vulnerabilities, which could severely disrupt its environments.
Key Vulnerabilities:
- CVE-2024-47855 (DoS): Attackers can exploit the json-lib library to block legitimate users by consuming HTTP threads.
- CVE-2024-54003 (Stored XSS): The Simple Queue Plugin allows malicious script injection, leading to data theft or unauthorised actions.
- CVE-2024-54004 (Path Traversal): The Filesystem List Parameter Plugin enables enumeration of sensitive files.
Impact:
Service unavailability, data leakage, and potential system compromise.
Recommendations:
- Update Jenkins and Plugins: Upgrade to Weekly 2.487, LTS 2.479.2, and the latest plugin versions.
- Audit Configurations: Regularly review user permissions and monitor for anomalies.
- CleanTalk Anti-Spam Plugin: Critical Flaws Affecting 200,000+ Websites
The CleanTalk plugin for WordPress is vulnerable to severe flaws that allow attackers to bypass authentication and execute malicious actions.
Key Vulnerabilities:
- CVE-2024-10542: Reverse DNS spoofing lets attackers install unauthorized plugins.
- CVE-2024-10781: Missing API key validation permits unauthorized administrative access.
Impact:
Remote code execution, website compromise, and data theft.
Recommendations:
- Upgrade Immediately: Update to version 6.45 or later.
- Implement Safeguards: Use a Web Application Firewall (WAF) and restrict plugin permissions.
- QNAP Notes Station 3: Multiple Critical Vulnerabilities
QNAP’s Notes Station 3 application, used in QNAP NAS systems, is affected by severe flaws that could allow unauthorized access and code execution.
Key Vulnerabilities:
- CVE-2024-38643 (Critical): Missing authentication for critical functions.
- CVE-2024-38645 (Critical): SSRF enabling unauthorised data access.
- CVE-2024-38644/38646 (High): Command injection and permission flaws leading to arbitrary code execution.
Impact:
Unauthorized access, data exposure, and full system compromise.
Recommendations:
- Update: Upgrade Notes Station 3 to version 3.9.7 or later.
- PHP: Critical Vulnerabilities Addressed
PHP has released urgent patches to resolve multiple vulnerabilities that expose systems to severe risks.
Key Vulnerabilities:
- CVE-2024-8932 (Critical): Out-of-bounds access in ldap_escape leading to remote code execution.
- CVE-2024-8929 (Medium): Buffer over-read causing sensitive data leakage.
Impact:
Remote code execution, data exposure, and service disruptions.
Recommendations:
- Update PHP: Upgrade to versions 8.1.31, 8.2.26, or 8.3.14.
- VMware Aria Operations: High-Severity Privilege Escalation and XSS Flaws
VMware’s Aria Operations platform has patched multiple vulnerabilities that could lead to privilege escalation and cross-site scripting (XSS) attacks.
Key Vulnerabilities:
- CVE-2024-38830/38831: Privilege escalation to root on the affected appliance.
- CVE-2024-38832/38833/38834: Stored XSS vulnerabilities enabling unauthorized script execution.
Impact:
Root-level compromise and malicious script injection.
Recommendations:
- Upgrade Systems: Update Aria Operations to version 8.18.2 or later.
- Mozilla: Security Updates Across Multiple Products
Mozilla has addressed several vulnerabilities in Firefox, Thunderbird, and other products.
Key Vulnerabilities:
- CVE-2024-11691: Memory corruption via WebGL operations.
- CVE-2024-53975: SSL padlock spoofing causing false secure connection indicators.
Impact:
Arbitrary code execution and user exploitation through misleading indicators.
Recommendations:
- Update to Secure Versions: Firefox 133, Thunderbird 133, and Firefox ESR 128.5.
- WinZip: High-Severity Vulnerability Discovered
A flaw in WinZip’s handling of the “Mark-of-the-Web” (MotW) feature could enable attackers to bypass security checks.
Key Vulnerability:
- CVE-2024-8811 (High): Removal of MotW flags allows malicious payloads to execute unnoticed.
Impact:
Malware execution, data breaches, and system compromise.
Recommendations:
- Upgrade: Install WinZip version 76.8 or later.
- ProjectSend: Critical Authentication Bypass Actively Exploited
ProjectSend, an open-source file-sharing platform, has an active authentication bypass vulnerability being exploited in the wild.
Key Vulnerability:
- CVE-2024-11680 (Critical): Attackers can bypass authentication to modify configurations, create accounts, and deploy malicious scripts.
Impact:
System compromise and persistent backdoor access.
Recommendations:
- Upgrade Now: Move to ProjectSend version r1750 or later.
- Windows Driver Use-After-Free Vulnerability (CVE-2024-38193)
A critical use-after-free vulnerability, CVE-2024-38193, in the afd.sys Windows driver allows attackers to gain full system privileges. The issue stems from a race condition in the RIO extension, enabling unauthorised memory access.
Impact:
- Privilege escalation to NT AUTHORITY\SYSTEM.
- Complete system compromise.
Recommendations:
- Apply Microsoft’s August 2024 Patch Tuesday updates.
- Enable automatic updates and monitor systems for anomalies.
Reference: https://cybersecuritynews.com/windows-driver-use-after-free-vulnerability/
Threat Actor Activities
- WolfsBane and FireWood: New Linux Threats Identified
ESET researchers have discovered two Linux-based malware strains, WolfsBane and FireWood, linked to the Gelsemium APT group. These malware variants target Linux servers, facilitating persistent access and data theft.
Key Details:
- WolfsBane: A Linux variant of the Gelsevirine backdoor, employing a modified rootkit for stealth.
- FireWood: Connected to Project Wood, leveraging TEA encryption and similar C&C mechanisms.
Indicators of Compromise (IoCs):
- Domains: dsdsei[.]com.
- File Extensions: .k2, .v2.
Mitigation:
- Apply the latest patches to Linux servers.
- Monitor for IoCs associated with WolfsBane and FireWood.
- FrostyGoop/BUSTLEBERM: OT-Centric Malware Threat
FrostyGoop, also known as BUSTLEBERM, is a new malware targeting Industrial Control Systems (ICS) via the Modbus TCP protocol. This threat has been linked to attacks on critical infrastructure and highlights the evolving risks to OT environments.
Key Details:
- Functionality: Manipulates ICS device registers and performs Modbus read/write operations.
- Compromise: Exploits vulnerabilities in MikroTik routers or exposed OT devices.
Indicators of Compromise (IoCs):
- File Hashes:
Mitigation:
- Patch ICS devices and ensure robust authentication.
- Monitor network traffic on Modbus TCP (port 502) and Telnet (port 23) for suspicious activity.
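One way to act on the monitoring advice above is to decode Modbus/TCP requests and alert on write function codes coming from hosts that are not approved engineering stations. This is an added illustration, not code from the FrostyGoop report; the allow-list, host addresses and sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Function codes that change device state; FrostyGoop-style tooling issues
# these against holding registers. Reads (codes 1-4) are parsed but not alerted on.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes  # PDU data following the function code

def parse_mbap(src, frame):
    """Parse one Modbus/TCP request (7-byte MBAP header + PDU); None if malformed."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # The MBAP length field counts the unit id plus the PDU, so it must be len(frame) - 6.
    if proto != 0 or length != len(frame) - 6:
        return None
    return ModbusRequest(src, tid, unit, frame[7], frame[8:])

def flag_writes(frames, allowed_writers):
    """Return alert strings for malformed frames and for writes from unlisted hosts."""
    alerts = []
    for src, raw in frames:
        req = parse_mbap(src, raw)
        if req is None:
            alerts.append(f"{src}: malformed Modbus/TCP frame")
        elif req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            addr = struct.unpack(">H", req.payload[:2])[0] if len(req.payload) >= 2 else -1
            alerts.append(f"{src}: {WRITE_FUNCTIONS[req.function]} at address {addr} "
                          f"on unit {req.unit_id}")
    return alerts

# Constructed sample traffic (not real captures): workstation 10.0.0.5 reads two
# holding registers, then an unlisted host writes register 100 and sends a short frame.
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("0001000000060103000a0002")),
    ("10.0.0.99", bytes.fromhex("000200000006010600640001")),
    ("10.0.0.99", bytes.fromhex("0003000000")),  # truncated frame
]

if __name__ == "__main__":
    for line in flag_writes(SAMPLE_FRAMES, allowed_writers={"10.0.0.5"}):
        print(line)
```

In production the frames would come from a port 502 capture or a tap; the parser ignores responses and Telnet entirely, which would need their own decoders.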
- Earth Estries: Long-Term Cyber Espionage Operations
The Chinese APT group Earth Estries has launched persistent cyber espionage attacks, targeting industries including telecommunications, government, and NGOs.
Key Exploits:
- Vulnerabilities in Ivanti Connect Secure VPN (CVE-2023-46805), Fortinet FortiClient, and Microsoft Exchange (ProxyLogon).
- Advanced malware tools like GHOSTSPIDER, SNAPPYBEE, and MASOL RAT.
Indicators of Compromise (IoCs):
- Full list of IoCs available via IOC.
Mitigation:
- Apply the latest patches for Ivanti, Fortinet, and Microsoft Exchange.
- Use intrusion detection systems (IDS) to monitor for known IoCs.
- Weaponized Resume Attack Targets Organisational Servers
TA4557 (FIN6) employed a weaponised resume to compromise organisational servers, using advanced exploitation techniques.
Key Details:
- Initial Access: Malicious .zip files containing .lnk shortcut files disguised as resumes.
- Malware: more_eggs backdoor for persistence, Cobalt Strike for lateral movement.
Indicators of Compromise (IoCs):
- Domains:
- johnshimkus[.]com, annetterawlings[.]com, davidopkins[.]com, lisasierra[.]com.
- File Hashes:
- Weaponised Resume (John Shimkus.zip): ffc89a2026fa2b2364dd180ede662fa4ac161323388f3553b6d6e4cb2601cb1f.
- Cobalt Strike payload (payload_cr1.dll): 408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f.
- Cloudflared tunnelling executable: 4569c869047a092032f6eac7cf0547591a03a0d750a6b104a606807ea282d608.
- C2 Servers:
- pin.howasit[.]com (IP: 108.174.197[.]15).
- shehasgone[.]com (IP: 144.208.127[.]15).
Mitigation:
- Patch Veeam software vulnerabilities (CVE-2023-27532).
- Educate employees to identify phishing attempts disguised as resumes.
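A mail-gateway or upload check for the lure described above can inspect archive members for shortcut files and document-looking double extensions before a user ever extracts them. This is an added example, not tooling from the report; the sample archive and its member names are constructed for the illustration.

```python
import io
import zipfile

# Member types that have no place in a resume archive, and the document
# extensions that a double-extension lure typically borrows.
RISKY_EXTS = (".lnk", ".exe", ".js", ".vbs", ".hta", ".scr", ".dll")
DOC_EXTS = (".pdf", ".doc", ".docx", ".rtf", ".txt")

def risky_entries(zip_bytes):
    """Return (member name, reason) pairs for archive members that warrant blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            if name.endswith(RISKY_EXTS):
                findings.append((info.filename, "executable or shortcut member"))
            # "resume.pdf.lnk" -> ["resume", "pdf", "lnk"]: a document extension
            # directly before the real one is the classic masquerade.
            parts = name.rsplit("/", 1)[-1].split(".")
            if len(parts) >= 3 and "." + parts[-2] in DOC_EXTS:
                findings.append((info.filename, "double extension masquerading as a document"))
    return findings

def build_sample():
    """Constructed sample (not the real lure): a benign PDF beside a disguised .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John Doe resume.pdf", b"%PDF-1.4 placeholder")
        # Windows shortcut files begin with header size 0x4C followed by the LNK CLSID.
        zf.writestr("John Doe resume.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 72)
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in risky_entries(build_sample()):
        print(f"{member}: {reason}")
```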