CVE-2024-4761 Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.
“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.
CVE-2024-4671 Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
The flaw was reported by an anonymous researcher on May 7, 2024.
“Google is aware that an exploit for CVE-2024-4671 exists in the wild.” reads the advisory published by Google. As usual, the IT giant has not revealed details about the attacks exploiting this vulnerability.
North Korea-linked Kimsuky APT group employs rogue Facebook accounts to target victims via Messenger and deliver malware.
Researchers at Genius Security Center (GSC) identified a new attack strategy by the North Korea-linked Kimsuky APT group and collaborated with the Korea Internet & Security Agency (KISA) for analysis and response. The nation-state actor attack used a fake account posing as a South Korean public official in the North Korean human rights sector. The APT group aimed at connecting with key individuals in North Korean and security-related fields through friend requests and direct messages.
The attack chain starts with the theft of the identity of a real person in South Korea, then the victims were contacted via Facebook Messenger.
Threat actors pretended to share private documents they had written with the victims.
“The initial individual approach is similar to an email-based spear phishing attack strategy. However, the fact that mutual communication and reliability were promoted through Facebook Messenger shows that the boldness of Kimsuky APT attacks is increasing day by day.” reads the report published by GSC. “The Facebook screen used in the actual attack has a background photo that appears to have been taken at a public institution. Threat actors disguised as public officials try to win the favor of their targets by pretending to share private documents they have written.”
The messages included a link to a decoy document hosted on OneDrive. The file is a Microsoft Common Console document that masquerades as an essay or content related to a trilateral summit between Japan, South Korea, and the U.S. One of the decoy documents (‘NZZ_Interview_Kohei Yamamoto.msc’) employed in the attacks was uploaded to the VirusTotal from Japan on April 5, 2024.
The malware had zero detection rate on VT at the upload time.
The experts speculate the APT group was targeting people in Japan and South Korea.
“This is the first time that a suspected attack against Japan was first observed, and then a variant was detected in Korea shortly after.” reads the analysis. “And if you compare the two malicious file execution screens, you can see the same pattern. Although the file name leading to execution is different, both used the name ‘Security Mode’.”
Upon launching the MSC file and allowing it to open it using Microsoft Management Console (MMC), victims are displayed a console screen containing a Word document. If the victims launch it the multi-stage attack chain starts.
The malicious file, named “Console Root task window ‘Security Mode’,” hid certain window styles and tabs. It misled users by labeling a task as “Open” with a description “My_Essay.docx,” making it appear as a document execution screen. Clicking “Open” triggers a malicious command. This command line involves ‘cmd.exe’ with various parameters and attempts to connect to the C2 host ‘brandwizer.co[.]in,’ registered by Whiteserver hosting in India and linked to the IP address ‘5.9.123.217’ in Germany.
The malware maintains persistence by registering a scheduled task named ‘OneDriveUpdate,’ which repeats every 41 minutes indefinitely. This interval is consistent with the timing used in previous Kimsuky group campaigns, such as ‘BabyShark‘ and ‘ReconShark.’
The malware gathered information and exfiltrated it to the C2 server, it can also harvest IP addresses, User-Agent strings, and timestamp information from the HTTP requests. The malware can also drop additional payloads on the infected machines.
“Among the APT attacks reported in Korea in the first quarter of this year, the most representative method is spear phishing attack. In addition, the method of combining shortcut (LNK) type malicious files is steadily becoming popular. Although not commonly reported, covert attacks through social media also occur.” concludes the report.
Electronic prescription provider MediSecure in Australia suffered a ransomware attack likely originate from a third-party vendor.
MediSecure is a company that provides digital health solutions, particularly focusing on secure electronic prescription delivery services in Australia.
The company was forced to shut down its website and phone lines following a cyber attack, but it did not mention a ransomware attack.
Threat actors gained access to the personal and health information of an undisclosed number of individuals.
“MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems.” reads the statement published by the company. “While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.”
The company is still investigating the security breach with the help of the National Cyber Security Coordinator, however, it revealed that early indicators suggest the incident originated from one of its third-party vendors.
Yesterday afternoon I was advised by a commercial health information organisation that it was the victim of a large-scale ransomware data breach incident.
I am working with agencies across the Australian Government, states and territories to coordinate a whole-of-government… pic.twitter.com/mool7LNLRZ
— National Cyber Security Coordinator (@AUCyberSecCoord) May 16, 2024
The electronic prescription provider also notified the Office of the Australian Information Commissioner and other relevant authorities.
The Australian broadcaster ABC reported that MediSecure “is the health organisation at the centre of the large-scale ransomware data breach announced by the national cyber security coordinator on Thursday.”
“MediSecure was one of two companies awarded contracts by the federal government to provide PBS e-script services until late last year, when the tender was granted exclusively to another company, eRx.” reported ABC. “In October last year, the ACCC granted authorisation for MediSecure to transfer all publicly- funded electronic prescriptions and data to eRx.”
In November 2022, Medibank announced that personal data belonging to around 9.7M of current and former customers were exposed due to a ransomware attack that occurred in October 2022.
Medibank is one of the largest Australian private health insurance providers with approximately 3.9 million customers.
Google released security updates to address a new actively exploited Chrome zero-day vulnerability, the third in a week.
Google has released a new emergency security update to address a new vulnerability, tracked as CVE-2024-4947, in the Chrome browser, it is the third zero-day exploited in attacks that was disclosed this week.
The vulnerability CVE-2024-4947 is a type confusion that resides in V8 JavaScript engine. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.
“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.
This week the IT giant fixed other two actively exploited Chrome zero-day issues, respectively tracked CVE-2024-4671 and CVE-2024-4761.
Below is the list of actively exploited zero-day vulnerabilities in the Chrome browser that have been fixed this year:
CVE-2024-0519: an out of bounds memory access in the Chrome JavaScript engine. (January 2024)
CVE-2024-2887: a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024. (March 2024)
CVE-2024-2886: a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024. (March 2024)
CVE-2024-3159: an out-of-bounds memory access in V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during the Pwn2Own 2024 on March 22, 2024. (March 2024)
CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024).
CVE-2024-4761: an out-of-bounds write issue that resides in the V8 JavaScript engine (May 2024).
Google also addressed the following vulnerabilities:
[TBD][333414294] High CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
[$7000][326607001] Medium CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-02-24
[$1000][40065403] Low CVE-2024-4950: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-06-06
The Spanish bank Santander disclosed a data breach at a third-party provider that impacted customers in Chile, Spain, and Uruguay.
The Spanish financial institution Santander revealed a data breach involving a third-party provider that affected customers in Chile, Spain, and Uruguay.
The bank recently became aware of unauthorized access to one of its databases hosted by a third-party provider.
The company announced that it immediately implemented measures to contain the incident. The company blocked the compromised access to the database and established additional fraud prevention controls to protect affected customers.
“We recently became aware of an unauthorized access to a Santander database hosted by a third-party provider.” reads the statement published by the bank. “Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed. Customer data in all other Santander markets and businesses are not affected.”
The compromised database contained information on all current and some former employees.
The bank pointed out that the database did not store transactional data, online banking details, passwords, or other data that would allow someone to conduct transactions.
“No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords. The bank’s operations and systems are not affected, so customers can continue to transact securely.” continues the statement.
The financial institution hasn’t provided technical details of the incident or what kind of data was exposed. It’s unclear how many individuals are impacted.
An international law enforcement operation coordinated by the FBI led to the seizure of the notorious BreachForums hacking forum.
BreachForums is a cybercrime forum used by threat actors to purchase, sell, and exchange stolen data, including credentials, and personal and financial information. The authorities also seized the Telegram page for the hacking forum
The website currently displays a message that informs visitors it was seized by law enforcement. The site also shows the logos of the law enforcement agencies that ware involved in the operation, including the UK NCA, the Australian Federal Police, the New Zealand Police, and the Swiss police.
“This website has been taken down by the FBI and DOJ with assistance from international partners,” reads the message published on the seized site. “We are reviewing the site’s backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us.”
According to the statement published by law enforcement on the site breachforums.ic3.gov, the FBI states that it is investigating the criminal hacking forums known as BreachForums and Raidforums.
From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc) was run by the notorious actor ShinyHunters.
From March 2022 until March 2023, a separate version of BreachForums (hosted at breached.vc/.to/.co) was run by the threat actor Pompompurin. In July 2023, the owner of the BreachForums Conor Brian Fitzpatrick, aka Pompompurin, pleaded guilty to hacking charges.
In March 2023, U.S. law enforcement arrested Pompompurin, the agents spent hours inside and outside the suspect’s home and were seen removing several bags of evidence from the house.
The man has been charged with soliciting individuals with the purpose of selling unauthorized access devices. Fitzpatrick was released on a $300,000 bond signed by his parents.
The BreachForums hacking forum was launched in 2022 after the law enforcement authorities seized RaidForums as a result of Operation TOURNIQUET. pompompurin always declared that he was ‘not affiliated with RaidForums in any capacity,’
Raidforums (hosted at raidforums.com and run by Omnipotent) was the predecessor hacking forum to both version of BreachForums and ran from early 2015 until February 2022.
People who have information to assist in any of the investigations against BreachForums v2, BreachForums v1, or Raidforums can fill out the questionnaire on the website.
One of the developers of the Tornado Cash cryptocurrency mixer has been sentenced to 64 months in prison.
Alexey Pertsev (29), one of the main developers of the Tornado Cash cryptocurrency mixer has been sentenced to 64 months in prison for helping launder more than $2 billion worth of cryptocurrency.
The mixers are essential components for cybercriminals that use them for money laundering, it was used to launder the funds stolen from the victims.
The FIOD arrested the man in Amsterdam in August 2022, it is accused of concealing criminal financial flows and facilitating money laundering using Tornado Cash. The FIOD aims to ensure financial safety in the Netherlands and investigates the impact of cryptocurrency-related activities.
The Financial Advanced Cyber Team (FACT) speculates Tornado Cash has been used to conceal large-scale criminal money flows.
According to the indictment published in August 2023, Tornado Cash service allowed crooks to launder high volumes of criminal proceeds.
Tornado Cash was used to launder more than $7 billion worth of virtual currency since its creation in 2019, reported the OFAC. The Lazarus APT group laundered over $455 million stolen during the largest known virtual currency heist to date. Tornado Cash was also used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the recent Nomad crypto heist.
In August 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned the crypto mixer service Tornado Cash used by North Korean-linked Lazarus APT Group.
Pertsev argued that his work at the Tornado Cash platform aimed to offer privacy to the cryptocurrency community and avoid involvement in criminal activities. However, the court dismissed his claims, noting that Tornado Cash lacked anti-abuse measures and the developers failed to prevent money laundering. The court also criticized Pertsev’s behavior who did not cooperate with authorities regarding the illegal activities. He also claimed an inability to address the issue.
“Research shows that 1.2 billion U.S. dollars were laundered this way in so called Ether (a cryptocurrency). These Ether are derived from 36 different thefts (hacks). Because of the used parameters in selecting these hacks, 36 is the lower limit.” reported de Rechtspraak. “Without using these parameters it becomes clear that 2.2 billion U.S. dollars, proceeding from criminal Ether, have been laundered. Furthermore, the court does not rule out that cryptocurrency has also been laundered deriving from other crimes.”
The court has sentenced the defendant to 5 years and 4 months in prison, in accordance with the prosecutor’s request. The court additionally decided not to return the defendant’s seized Porsche and approximately 1.9 million euros worth of cryptocurrency.
The vulnerabilities were reported by the following experts and research team:
Mark Vincent Yason (markyason.github.io) working with Trend Micro Zero Day Initiative – CVE-2024-30284, CVE-2024-34094, CVE-2024-34095, CVE-2024-34096, CVE-2024-34097
The Singing River Health System revealed that the ransomware attack that hit the organization in August 2023 impacted 895,204 people.
At the end of August 2023, the systems at three hospitals and other medical facilities operated by Singing River Health System (SRHS) were hit by a Rhysida ransomware attack.
The Singing River Health System runs 3 hospitals and 10 clinics and is the second largest employer on the Mississippi Gulf Coast.
“The Singing River Health System’s three hospitals – Pascagoula Hospital, Ocean Springs Hospital, and Gulfport Hospital, as well as its dozen-plus medical clinics – are affected by the incident, which began over the weekend. The health system employs about 3,800 people.” reported BankInfoSecurity.
Several services at the impacted hospitals, including laboratory and radiology testing, suffered a significant IT systems outage. At the time, Singing River said it was working to process all paper-ordered lab tests and radiology exams as quickly as possible, based on priority.
On September 13, 2023, the healthcare organization disclosed a data breach and in December 2023, it announced that the incident impacted 252,890 individuals.
Potentially compromised information includes name, date of birth, address, Social Security number, medical information, and health insurance information.
SRHS is offering impacted individuals access to credit monitoring services provided by IDX identity theft protection for twelve months at no cost. The company is also providing guidance on preventing identity theft and fraud, including steps to report suspicious incidents and placing fraud alerts or security freezes on credit files. Additionally, they are sharing information on safeguarding against tax fraud, contacting consumer reporting agencies, and obtaining free credit reports. Singing River Health System recommends the impacted individuals to be vigilant by reviewing account statements and monitoring credit reports. Individuals are encouraged to report any incidents of identity theft or fraud to relevant authorities, including the Federal Trade Commission, state Attorney General, and law enforcement.
Microsoft Patch Tuesday security updates for May 2024 fixed 59 flaws across various products including an actively exploited zero-day.
Microsoft Patch Tuesday security updates for May 2024 addressed 59 vulnerabilities in Windows and Windows Components; Office and Office Components; .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and Windows Mobile Broadband.
Only one of the vulnerabilities addressed by the IT giant this month is rated Critical, 57 are rated Important, and one is rated Moderate in severity.
Two of the vulnerabilities fixed by Microsoft this month are actively exploited, and one was a publicly disclosed zero-day.
The two actively exploited zero-day vulnerabilities are:
CVE-2024-30040 – Windows MSHTML Platform Security Feature Bypass Vulnerability
This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls.
An attacker can trigger this issue by tricking a user into loading a malicious file onto a vulnerable system, often through deceptive means like email or instant messenger messages. The attacker then convinces the user to manipulate the file, without necessarily requiring them to click or open it directly.
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user.” reads the advisory.
CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability
An attacker can exploit this vulnerability to gain SYSTEM privileges.
Microsoft doesn’t share details about the attacks exploiting the above vulnerabilities.
The full list of flaws addressed by Microsoft with the release of Patch Tuesday security updates for May 2024 is available here.
VMware fixed four flaws in its Workstation and Fusion desktop hypervisors, including three zero-days exploited at the Pwn2Own Vancouver 2024
VMware addressed four vulnerabilities in its Workstation and Fusion desktop hypervisors, including three zero-day flaws demonstrated at the Pwn2Own Vancouver 2024.
Below are descriptions of the flaws addressed by the virtualization giant
CVE-2024-22267 (CVSS score: 9.3) – A use-after-free vulnerability in the Bluetooth device. A threat actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
CVE-2024-22268 (CVSS score: 7.1) – A heap buffer-overflow vulnerability in the Shader functionality. A threat actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition.
CVE-2024-22269 (CVSS score: 7.1) – An information disclosure vulnerability in the Bluetooth device. A threat actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
CVE-2024-22270 (CVSS score: 7.1) – An information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.
The vendor also provided temporary workarounds, such as disabling Bluetooth support and 3D acceleration, until patches can be applied to address vulnerabilities like CVE-2024-22267, CVE-2024-22269, and CVE-2024-22270. The company doesn’t provide any mitigations to address CVE-2024-22270.
STAR Labs SG and Theori demonstrated these vulnerabilities during the Pwn2Own hacking contest in March 2024.
“VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) and STAR Labs SG working with the Pwn2Own 2024 Security Contest for independently reporting this issue to us.” reads the advisory.
The non-profit technology organization MITRE released the EMB3D threat model for embedded devices used in critical infrastructure.
MITRE announced the public release of its EMB3D threat model for embedded devices used in various industries (i.e. Automotive, healthcare, and manufacturing), including critical infrastructure.
The threat model provides a knowledge base of cyber threats to embedded devices. EMB3D serves as a valuable resource for various industries, including critical infrastructure, IoT, automotive, healthcare, and manufacturing, providing insights to vendors, asset owners/operators, test organizations, and security researchers to enhance the security of embedded devices.
Multiple partners have contributed to the design of the threat model, including Red Balloon Security, Narf Industries, and Niyo ‘Little Thunder’ Pearson of ONE Gas.
The framework can allow vendors, asset owners and operators to improve the security of embedded devices.
“The threat model is intended to be a resource to help vendors, asset owners/operators, test organizations, and security researchers to improve the overall security of embedded devices’ hardware and software. This threat model aims to serve as a central repository of information, defining known threats to embedded devices and their unique device features/properties that enable specific threat actions.” reads the announcement. “By mapping the threats to the associated device features/properties, the user can easily enumerate threat exposure based on the known device features.”
EMB3D was designed as a dynamic framework that will continuously evolve over time, including new threats and mitigations as they are identified by threat actors and security researchers.
It operates as a public community resource, allowing open access to all information and enabling contributions and revisions from the security community. This collaborative approach ensures that EMB3D remains up-to-date and comprehensive, serving as a valuable resource for enhancing the security of embedded devices.
Google released emergency security updates to address an actively exploited Chrome zero-day vulnerability.
Google has released emergency security updates to address a high-severity zero-day vulnerability vulnerability, tracked as CVE-2024-4761, in the Chrome browser.
The vulnerability is an out-of-bounds write issue that resides in the V8 JavaScript engine of the Google web browser.
The company confirmed that the flaw is exploited in attacks in the wild.
“CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09″ reads the advisory. “Google is aware that an exploit for CVE-2024-4761 exists in the wild.”
The company addressed the zero-day flaw with the release of 124.0.6367.207/.208 for Mac/Windows and 124.0.6367.207 for Linux. Google will roll out updates to all users over the coming days/weeks.
The vulnerability CVE-2024-4671 is the sixth zero-day exploited in attacks fixed by the IT giant this year.
As usual, Google did not publish details about the attacks exploiting the vulnerability.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed” continues the advisory.
Below is the list of actively exploited zero-day flaws in the Chrome browser that have been fixed this year:
CVE-2024-0519: an out of bounds memory access in the Chrome JavaScript engine. (January 2024)
CVE-2024-2887: a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024. (March 2024)
CVE-2024-2886: a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024. (March 2024)
CVE-2024-3159: an out-of-bounds memory access in V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during the Pwn2Own 2024 on March 22, 2024. (March 2024)
CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024).
Experts reported that since April, the Phorpiex botnet sent millions of phishing emails to spread LockBit Black ransomware.
New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors used the the Phorpiex botnet to send millions of phishing emails as part of a LockBit Black ransomware campaign.
The botnet has been active since at least 2016, it was involved in sextortion spam campaigns, crypto-jacking, cryptocurrency clipping (substituting the original wallet address saved in the clipboard with the attacker’s wallet address during a transaction) and ransomware attacks in the past
In December 2021, experts at Check Point Research observed the resurgence of the Phorpiex botnet.
The new variant, dubbed “Twizt,” could operate without active C2 servers in peer-to-peer mode. Each of the infected computers can act as a server and send commands to other bots in a chain. Experts estimated that in one year it allowed to steal crypto assets worth of 500,000 dollars.
The emails sent in the April campaign contain ZIP attachments and were sent by the same addresses, “JennyBrown3422[@]gmail[.]com,” and “Jenny[@]gsd[.]com.”
The ZIP archives contain a compressed executable payload that, if executed, will start the encryption process with LockBit Black ransomware.
“Observed instances associated with this campaign were accompanied by the Phorpiex (Trik) botnet, which delivered the ransomware payload. Over 1,500 unique sending IP addresses were identified, many of which were geolocated to Kazakhstan, Uzbekistan, Iran, Russia, China, and other countries.” states the report published by the NJCCIC. “Identified IPs hosting LockBit executables were 193[.]233[.]132[.]177 and 185[.]215[.]113[.]66. Subject lines included “your document” and “photo of you???”. All associated emails were blocked or quarantined.”
To defend against ransomware campaign like this one, NJCCIC provided the following recommendations:
Security Awareness Training: Engage in security awareness training to enhance defense mechanisms and recognize potential signs of malicious communications.
Password Management: Use strong, unique passwords and implement multi-factor authentication (MFA) whenever possible, prioritizing authentication apps or hardware tokens over SMS text-based codes.
System Updates: Keep systems updated and apply patches promptly after thorough testing to address vulnerabilities.
Endpoint Security: Install endpoint security solutions to fortify defenses against malware attacks.
Monitoring and Detection: Utilize monitoring and detection solutions to identify suspicious login attempts and abnormal user behavior.
Email Filtering: Implement email filtering solutions such as spam filters to block malicious messages. Reference the provided resources for establishing DMARC authentication.
Ransomware Mitigation: Refer to available resources for ransomware mitigation techniques and strategies.
Phishing Reporting: Report phishing emails and other malicious cyber activities to relevant authorities like the FBI’s IC3 and the NJCCIC.
Apple rolled out urgent security updates to address code execution vulnerabilities in iPhones, iPads, and macOS.
Apple released urgent security updates to address multiple vulnerabilities in iPhones, iPads, macOS. The company also warns of a vulnerability patched in March that the company believes may have been exploited as a zero-day.
The issue impacts older iPhone devices, it istracked as CVE-2024-23296 and is a memory corruption flaw in the RTKit.
Apple documents at least 16 vulnerabilities on iPhones and iPads and called special attention to CVE-2024-23296, a memory corruption bug in RTKit that the company says “may have been exploited” prior to the availability of patches
The Real-Time Kernel is a component of the operating system responsible for managing and executing tasks with strict timing requirements.
“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections.” reads the advisory published by Cupertino firm. “Apple is aware of a report that this issue may have been exploited.”
The IT giant fixed the memory corruption bug with improved validation, it released iOS 16.7.8 and iPadOS 16.7.8.
The company also addressed a logic issue, tracked as CVE-2024-27789, in the Foundation framework. The flaw can be exploited by an app to access user-sensitive data.
The flaw was reported by Mickey Jin (@patch1t), the company addressed the vulnerability with improved checks.
Security patches are available for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
Apple released security patches to fix other issues in multiple products. The vulnerabilities fixed by the vendor can lead to arbitrary code execution, privilege escalation, denial-of-service attacks, and unauthorized access to data.
The City of Helsinki suffered a data breach that impacted tens of thousands of students, guardians, and personnel.
The Police of Finland is investigating a data breach suffered by the City of Helsinki, the security breach occurred during the night of 30 April 2024.
The data breach impacted the City’s Education Division’s computer network. The City of Helsinki reported the incident to the police and the investigation is still ongoing to determine the extent and impact of the incident.
“The volume of data under investigation is significant. Unfortunately, we are currently unable to provide an accurate assessment of what data the perpetrator may have accessed. What we can tell you about at this time are the possible risks, so that personnel and customers of the Education Division can prepare for them. This procedure is in line with data protection law,” says Satu Järvenkallas, Executive Director of the Education Division.
“The victim of the crime is currently the City of Helsinki, from which the police will receive all necessary information for the investigation of the case. City residents do not need to contact the police”, said the Deputy Police Commissioner Heikki Kopperoinen.
The City already implemented various security measures in response to the security breach.
“We previously announced that the party behind the data breach has gained access to student and personnel usernames and email addresses. Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division. Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” says the City of Helsinki’s Chief Digital Officer Hannu Heikkinen.
The incident exposed tens of millions of files, most of them contain ordinary personal information, but the City believes that the opportunity for abuse of this information is minor. However, some of the compromised documents include confidential information or sensitive personal information.
“These include information about fees (and the grounds thereof) for customers of early childhood education and care, sensitive information about the status of children, such as information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, as well as the sick leave records of Education Division personnel.” reads the statement published by the City of Helsinki. “We cannot rule out the possibility of the perpetrator gaining access to data of persons under a non-disclosure restriction.”
The data in the incident include information dating back several years, potentially compromising individuals who were not current customers or staff members of the Education Division.
According to the announcement, threat actors exploited a vulnerability in the Education Division network server to remotely access it. Although a patch to fix this vulnerability was available, it was not installed on the server for unknown reasons. Hannu Heikkinen stated that their security controls and procedures were inadequate, but measures have been implemented to prevent a similar breach in the future. No evidence suggests that the threat actors accessed networks or data from other divisions, but all City of Helsinki networks are being closely monitored.
“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel. We regret this situation deeply. Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians. The breach also affects all of our personnel, as the perpetrator gained access to all personnel usernames and email addresses,” says City Manager Jukka-Pekka Ujula. “Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city´s senior management,” Ujula continues.
A group of hackers that defines itself as “first-class Russian hackers” claims the defacement of hundreds of local and regional British newspaper websites.
A group claiming to be “first-class Russian hackers” defaced numerous local and regional British newspaper websites owned by Newsquest Media Group. The group defaced the home pages of the targeted websites and posted the message “PERVOKLASSNIY RUSSIAN HACKERS ATTACK.”
Newsquest Media Group Limited is the second-largest publisher of regional and local newspapers in the United Kingdom. It is owned by the American mass media holding company Gannett. It has 205 brands across the UK, publishing online and in print (165 newspaper brands and 40 magazine brands) and reaches 28 million visitors a month online and 6.5 million readers a week in print. Based in London, Newsquest employs a total of more than 5,500 people across the UK.
Local media websites in the UK are vulnerable to cyber attacks, threat actors can target them to spread fake news.
In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.
“The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with anti-North Atlantic Treaty Organization (NATO) narratives, often leveraging website compromises or spoofed email accounts to disseminate fabricated content, including falsified correspondence from military officials” reads the report published by FireEye.
According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.
Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.
The attackers used to replace existing legitimate articles on the sites with the fake content, instead of creating new posts.
The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.
According to the experts, the campaign primarily targeted audiences in specific states members of the alliance, including Lithuania, Latvia, and Poland.
Firstmac Limited disclosed a data breach after the new Embargo extortion group leaked over 500GB of data allegedly stolen from the company.
Firstmac Limited, one of the largest non-bank lenders in Australia, disclosed a data breach.
Firstmac Limited is an Australian owned company with experience in home and investment loans. They have a range of market insurance products backed by international company, Allianz Group. International ratings agency Standard & Poors gives Firstmac its highest possible ranking (strong) for loan serviceability abilities.
The Embargo extortion group this week leaked over 500GB of data allegedly stolen from the company.
The company is notifying the impacted customers.
“Firstmac recently experienced a cyber incident where an unauthorised third party accessed a part of our IT System.” reads the notice of data breach sent to the impacted individuals and published by the popular researcher Troy Hunt. “As soon as we detected thè incident, we took steps to immediately secure our System. We also engaged cyber security experts to assist us with our investigation. Unfortunately, our investigation has identified that an unauthorised third party has accessed some customer information.”
Contact Information (residential address, email address and/or phone number)
Date of Birth
External bank account information (BSB and account number only)
Driver’s licence number
The Australian non-bank lender added that there is no evidence of an impact on the accounts of current customers, it also remarked that their funds are secure.
“It is important to note that our systems are secure. We already have robust security processes in place for any account access changes, which will require you to confirm your identity using either Biometrics or Two Factor Authentication.” continues the notice.
Firstmac Limited provides impacted customers with IDCare identity theft protection services, it also recommends being vigilant and checking their bank accounts for any suspicious activity.
Pro-Russia hackers targeted government websites in Kosovo in retaliation for the government’s support to Ukraine with military equipment.
Pro-Russia hackers targeted Kosovo government websites, including the websites of the president and prime minister, with DDoS attacks. The attacks are a retaliation for Kosovo’s support of Ukraine with military equipment. Defense Minister Ejup Maqedonci claimed that Russian hackers launched a cyberattack against Kosovo in retaliation for his statement supporting Ukraine at the Defence 24 conference in Poland.
The attacks caused temporary disruption, however, the government’s Information Society Agency restored the websites. The attack is part of a hybrid war aimed at destabilizing Kosovo’s security, stability, and welfare institutions, Prime Minister Albin Kurti told local media.
“We were informed by the relevant institutions that some government websites have been the target of DDoS attacks. For a short time the websites were not functioning,” a Government spokesperson told Balkan Insight.
“The attack was carried out by Russian hackers in retaliation for our support of Ukraine with military equipment,”
Foreign Minister Donika Gervalla-Schwarz announced on Tuesday that Kosovo was under a hybrid attack from Russia, following Kosovo’s announcement of support for Ukraine’s defense against Russian aggression.
Russia is attacking in a hybrid attack today, following our announcement of support in military equipment for Ukraine in its justified defense against Russian genocidal aggression. We know from Serbia's genocide against that only military means do halt genocide. pic.twitter.com/DfSAzUMG2u
— Donika Gërvalla-Schwarz (@gervallaschwarz) May 7, 2024
Russia and Pro-Russia groups have targeted in the past multiple European governments that expressed their support to Ukraine.
NATO and the European Union early this month condemned cyber espionage operations carried out by the Russia-linked threat actor APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) against European countries.
The German Federal Government condemned in the strongest possible terms the long-term espionage campaign conducted by the group APT28 that targeted the Executive Committee of the Social Democratic Party of Germany.
In March 2024, the Moldovan national intelligence agency warned of hybrid attacks from Russia ahead of the upcoming elections.
Since the beginning of the Russian invasion of Ukraine, pro-Russia threat actors hit Moldava due to its support to Kiev.
The Pro-Russia group Killnet group launched multiple DDoS attacks against governments that expressed support for Ukraine, including Moldova, Italy, Romania, the Czech Republic, Lithuania, Norway, and Latvia.
In October 2022, another wave of attacks targeted tens of Moldovan institutions with distributed denial-of-service (DDoS) attacks.
In October 2023, the French National Agency for the Security of Information Systems ANSSI (Agence Nationale de la sécurité des systèmes d’information) warned that the Russia-linked APT28 group has been targeting multiple French organizations, including government entities, businesses, universities, and research institutes and think tanks.
The French agency noticed that the threat actors used different techniques to avoid detection, including the compromise of low-risk equipment monitored and located at the edge of the target networks. The Government experts pointed out that in some cases the group did not deploy any backdoor in the compromised systems.
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
Black Basta ransomware affiliates have breached over 500 organizations between April 2022 and May 2024, FBI and CISA reported.
The FBI, CISA, HHS, and MS-ISAC have issued a joint Cybersecurity Advisory (CSA) regarding the Black Basta ransomware activity as part of the StopRansomware initiative.
Black Basta has targeted at least 12 critical infrastructure sectors, including Healthcare and Public Health. The alert provides Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) obtained from law enforcement investigations and reports from third-party security firms.
Black Basta ransomware-as-a-service (RaaS) has been active since April 2022, it impacted several businesses and critical infrastructure entities across North America, Europe, and Australia. As of May 2024, Black Basta has impacted over 500 organizations worldwide.
“Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.” reads the CSA.
In December 2023, Elliptic and Corvus Insurance published a joint research that revealed the group accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall.
The researchers analyzed blockchain transactions, they discovered a clear link between Black Basta and the Conti Group.
In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.
The group mainly laundered the illicit funds through the Russian crypto exchange Garantex.
“Black Basta is a Russia-linked ransomware that emerged in early 2022. It has been used to attack more than 329 organizations globally and has grown to become the fourth-most active strain of ransomware by number of victims in 2022-2023.” reads the Elliptic’s report.“Our analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million.”
Most of the victims are in the manufacturing, engineering and construction, and retail sectors. 61,9% of the victims are in the US, 15.8% in Germany, and 5.9% in Canada.
Some of the victims’ ransom payments were sent by both Conti and Black Basta groups to the gang behind the Qakbot malware.
The US agencies recommend critical infrastructure organizations implement several mitigations. These align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST, providing a minimum set of practices to protect against common threats. Recommendations provided in the report include installing updates promptly, using phishing-resistant multi-factor authentication (MFA), securing remote access software, making backups, and applying mitigations from the #StopRansomware Guide.
The cyber attack on the Ohio Lottery on Christmas Eve exposed the personal data of over 538,000 individuals.
On Christmas Eve, a cyberattack targeting the Ohio Lottery resulted in the exposure of personal data belonging to 538,959 individuals. The organization is notifying the impacted people.
Attackers gained access to names or other personal identifiers in combination with Social Security Numbers of the impacted individuals.
“On or about December 24, 2023, the Ohio Lottery detected unauthorized access to our internal office network as a result of a cybersecurity incident that resulted in the exposure of the data we maintain. The incident did not impact the gaming network,” reads the notice of data breach sent to the impacted individuals. “After an extensive forensic investigation and our manual document review, we learned on April 5, 2024 that certain files containing your personal information was subject to unauthorized access.”
Ohio Lottery is providing impacted individuals free credit monitoring and identity theft protection services through IDX.
The company added that there is no evidence that the stolen information had been abused in fraudulent activities.
The DragonForce ransomware group claimed responsibility for the attack and the theft of 94GB of data.
“Long negotiations that seem to have led to nothing, about 1.500.000 records that contain (SSN, DOB) Ohio Lottery clients. This is about 12% of the population of the state of Ohio and these are just our conservative estimates.” reads the message published by the group on its Tor leak site. “Especially for your convenience, we have exported records from the database into a convenient CSV format, and you also have the opportunity to download full copies of the databases. Ohio Lottery themselves were warned that people could suffer, which in general apparently does not bother them at all, these are the consequences of negligence.”
Notorius threat actor IntelBroker claims that Europol has suffered a data breach that exposed FOUO and other classified data.
The threat actor IntelBroker announced on the cybercrime forum Breach the hack of the European law enforcement agency Europol.
The hacker said that the compromised data includes FOUO (For Official Use Only) and other classified data, such as Alliance employees, files related to recon and guidelines
IntelBroker added that the security breach occurred in May 2024, he said that impacted agencies are the CCSE (Joint Center for European Security), EC3, the Europol Expert Platform, the Law Enforcement Form, and the SIRIUS system. SIRIUS is an EU-funded project that helps law enforcement and judicial authorities access cross-border electronic evidence in the context of criminal investigations and proceedings.
“Hello BreachForums Community, Today, I am selling the entire data breach belonging to Europol. Thanks for reading, enjoy!” announced the hacker. “In May 2024, Europol suffered a data breach and lead to the exposure of FOUO and classified data.”
The seller accepts only payments in Monero cryptocurrency.
This week IntelBroker also announced on a Breach Forums the sale of the access to “one of the largest cyber security companies.” IntelBroker did not reveal the name of the compromised security firm, but the threat actor announced in the BF ShoutBot that the company is ZScaler.
IntelBroker has offered to sell “confidential and highly critical logs packed with credentials”, including SMTP access, PAuth access, and SSL passkeys and certificates, for a total price of $20,000 in cryptocurrency.
“Hello BreachForums Community. Today Im sellng access to one of the largest cyber security companies. Revenue: $1.8 Billion Access includes: Confidential and highly critical logs packed with credentials SNITP Access Muth Pointer Auth Access SSL Passkeys S. SSL Certificates some others (will be on contact)” reads the announcement published by IntelBroker who is demanding $20K in XMR or ETH.
The seller added that the sale is covered by escrow, he will sell the access only to reputable forum members that will provide proof of funds.
A cyberattack hit the US Healthcare giant Ascension and is causing disruption of the systems at hospitals in the country.
Ascension is one of the largest private healthcare systems in the United States, ranking second in the United States by the number of hospitals as of 2019.
The organization was hit by a ransomware attack that severely impacted operations at hospitals in the country.
Impacted systems include electronic health records system, MyChart (which enables patients to view their medical records and communicate with their providers), some phone systems, and various systems utilized to order certain tests, procedures and medications.
The company detected the unusual activity on its network on May 8 and determined that it was the result of a cyber attack.
Ascension launched an investigation into the incident with the help of external forensics experts and is working to contain the attack and restore impacted systems. The company pointed out that the attack investigation and restoration activities will take time to complete.
The healthcare organization has temporarily suspended some non-emergent elective procedures, tests and appointments.
“We have implemented established protocols and procedures to address these particular system disruptions in order to continue to provide safe care to patients.” reads the notice of security incident. “Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately.
The notice doesn’t include details about the incident, it is unclear if threat actors have stolen information from Ascension.
However the impacts of the security breach and the emergency response procedures launched by the company suggests it was hit by a ransomware attack.
Since the start of the year, Google released an update to fix the fifth actively exploited zero-day vulnerability in the Chrome browser.
Google this week released security updates to address a zero-day flaw, tracked as CVE-2024-467, in Chrome browser. The vulnerability is the fifth zero-day flaw in the Google browser that is exploited in the wild since the start of the year.
The vulnerability is a use-after-free issue that resides in the Visuals component. The flaw was reported by an anonymous researcher on May 7, 2024.
“Google is aware that an exploit for CVE-2024-4671 exists in the wild.” reads the advisory published by Google. As usual, the IT giant has not revealed details about the attacks exploiting this vulnerability.
The company addressed the vulnerability with the release of 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux, with the updates rolling out over the coming days/weeks.
Below is the list of actively exploited zero-day in the Chrome browser that have been fixed this year:
CVE-2024-0519: an out of bounds memory access in the Chrome JavaScript engine. (January 2024)
CVE-2024-2887: a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024. (March 2024)
CVE-2024-2886: a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024. (March 2024)
CVE-2024-3159: an out-of-bounds memory access in V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during the Pwn2Own 2024 on March 22, 2024. (March 2024)
CERT Polska warns of a large-scale malware campaign against Polish government institutions conducted by Russia-linked APT28.
CERT Polska and CSIRT MON teams issued a warning about a large-scale malware campaign targeting Polish government institutions, allegedly orchestrated by the Russia-linked APT28 group.
The attribution of the attacks to the Russian APT is based on similarities with TTPs employed by APT28 in attacks against Ukrainian entities.
“the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions.” reads the alert. “Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is associated with Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”
The threat actors sent emails designed to pique the recipient’s interest and encourage them to click on a link.
Upon clicking on the link, the victims are redirected to the domain run.mocky[.]io, which is a free service used by developers to create and test APIs. The domain, in turn, redirects to another legitimate site named webhook[.]site which allows logging all queries to the generated address and configuring responses.
Threat actors in the wild increasingly rely on popular services in the IT community to evade detection and speed up operations.
The attack chain includes the download of a ZIP archive file from webhook[.]site, which contains:
a Windows calculator with a changed name, e.g. IMG-238279780.jpg.exe, which pretends to be a photo and is used to trick the recipient into clicking on it,
script .bat (hidden file),
fake library WindowsCodecs.dll (hidden file).
If the victim runs the file fake image file, which is a harmless calculator, the DLL file is side-loaded to run the batch file.
The BAT script launches the Microsoft Edge browser and loads a base64-encoded page content to download another batch script from webhook.site. Meanwhile, the browser shows photos of a woman in a swimsuit with links to her genuine social media accounts, aiming to appear credible and lower the recipient’s guard. The downloaded file, initially saved as .jpg, is converted to .cmd and executed.
Finally, the code retrieves the final-stage script that gathers information about the compromised host and sends it back.
“This script constitutes the main loop of the program. In the loop for /l %n in () it first waits for 5 minutes, and then, similarly as before, downloads another script using the Microsoft Edge browser and the reference to webhook.site and executes it. This time, the file with the extension .css is downloaded, then its extension is changed to .cmd and launched.” continues the report. “The script we finally received collects only information about the computer (IP address and list of files in selected folders) on which they were launched, and then send them to the C2 server. Probably computers of the victims selected by the attackers receive a different set of the endpoint scripts.”
The CERT Polska team recommends network administrators to review recent connections to domains like webhook.site and run.mocky.io, as well as their appearance in received emails. These sites are commonly used by programmers, and traffic to them may not indicate infection. If your organization does not utilize these services, it’s suggested to consider blocking these domains on edge devices.
Regardless of whether your organization uses these websites, it’s also advised to filter emails for links to webhook.site and run.mocky.io, as legitimate use of these links in email content is very rare.
The Federal Government condemned in the strongest possible terms the long-term espionage campaign conducted by the group APT28 that targeted the Executive Committee of the Social Democratic Party of Germany.
“The Federal Government’s national attribution procedure regarding this campaign has concluded that, for a relatively long period, the cyber actor APT28 used a critical vulnerability in Microsoft Outlook that remained unidentified at the time to compromise numerous email accounts.” reads the announcement published by the German Bundesregierung.
The nation-state actor exploited the zero-day flaw CVE-2023-23397 in attacks against European entities since April 2022. The Russia-linked APT also targeted NATO entities and Ukrainian government agencies.
The Czech Ministry of Foreign Affairs also condemned long-term cyber espionage activities by the group APT28. The Ministry’s statement also confirmed that Czech institutions have been targeted by the Russia-linked APT28 exploiting the Microsoft Outlook zero-day from 2023.
The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
Citrix urges customers to manually address a PuTTY SSH client flaw that could allow attackers to steal a XenCenter admin’s private SSH key.
Versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR used PuTTY, a third-party component, for SSH connections to guest VMs. However, PuTTY inclusion was deprecated with XenCenter version 8.2.6, and any versions after 8.2.7 will not include PuTTY.
The security flaw, tracked as CVE-2024-31497, affects multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which includes PuTTY.
The flaw resides in the code that generates signatures from ECDSA private keys which use the NIST P521 curve. An attacker can exploit the vulnerability to recover NIST P-521 private keys.
“An issue has been reported in versions of PuTTY prior to version 0.81; when used in conjunction with XenCenter, this issue may, in some scenarios, allow an attacker who controls a guest VM to determine the SSH private key of a XenCenter administrator who uses that key to authenticate to that guest VM while using an SSH connection.” reads the advisory.
The company recommends customers who do not want to use the “Open SSH Console” functionality to remove the PuTTY component. Customers who wish to use the functionality should replace the PuTTY version installed on their XenCenter system with an updated version (with a version number of at least 0.81).
The vulnerability CVE-2024-31497 was discovered by researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum. Bäumer explained that the vulnerability stems from the generation of biased ECDSA cryptographic nonces, which could allow full secret key recovery.
“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.” Baumer explained. “The nonce generation for other curves is slightly biased as well. However, the bias is negligible and far from enough to perform lattice-based key recovery attacks (not considering cryptanalytical advancements).”
The following products include an affected PuTTY version and are therefore are also impacted by the flaw:
FileZilla (3.24.1 – 3.66.5)
WinSCP (5.9.5 – 6.3.2)
TortoiseGit (2.4.0.2 – 2.15.0)
TortoiseSVN (1.10.0 – 1.14.6)
The flaw has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. TortoiseSVN users are recommended to configure TortoiseSVN to use Plink from the latest PuTTY 0.81 release when accessing a SVN repository via SSH until a patch becomes available.
Any product or component using ECDSA NIST-P521 keys impacted by the flaw CVE-2024-31497 should be deemed compromised. These keys should be revoked by removing them from authorized_keys, GitHub repositories, and any other relevant platforms.
The company launched an investigation into the incident that involved a Dell portal, which contains a database with limited types of customer information related to purchases from IT firm. The company downplayed the risk for the impacted individuals given the type of information involved.
“Dell Technologies takes the privacy and confidentiality of your information seriously. We are currently investigating an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell. We believe there is not a significant risk to our customers given the type of information involved” reads the data breach notification sent to the impacted customers.
Compromised data include customers’ names, physical addresses, and hardware and order information, including service tags, item descriptions, dates of order and related warranty information.
The company added that financial or payment information, email address, telephone number or any highly sensitive customer information were not exposed.
The IT giant did not share further details about the security breach.
Threat actors exploit recently disclosed Ivanti Connect Secure (ICS) vulnerabilities to deploy the Mirai botnet.
Researchers from Juniper Threat Labs reported that threat actors are exploiting recently disclosed Ivanti Connect Secure (ICS) vulnerabilities CVE-2023-46805 and CVE-2024-21887 to drop the payload of the Mirai botnet.
In early January, the software firm reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.
The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.
The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.
An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands.
“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.
The Juniper Threat Labs researchers observed threat actors exploiting the CVE-2023-46805 vulnerability to gain access to the end point “/api/v1/license/key-status/;” Then the attackers exploited the command injection issue to inject their payload.
Below is the request employed in the attacks observed by the experts:,
GET /api/v1/totp/user-backup-code/../../license/keys-status/{Any Command}
“Others have observed instances in the wild where attackers have exploited this vulnerability using both curl and Python-based reverse shells, enabling them to take control of vulnerable systems. More recently, we have encountered Mirai payloads delivered through shell scripts.” reads the analysis published by the experts.
One of the requests observed by the researchers includes an encoded URL that, when decoded, reveals a command sequence attempting to wipe files, download a script from a remote server, set executable permissions, and execute the script.
Then script navigates through system directories, downloads a file from a specific URL, grants permission to execute it, and runs it with a specific argument. The researchers analyzed the payloads and identified them as Mirai bots.
“The increasing attempts to exploit Ivanti Pulse Secure’s authentication bypass and remote code execution vulnerabilities are a significant threat to network security. The discovery of Mirai botnet delivery through these exploits highlights the ever-evolving landscape of cyber threats. The fact that Mirai was delivered through this vulnerability will also mean the deployment of other harmful malware and ransomware is to be expected. Understanding how these vulnerabilities can be exploited and recognizing the specific threats they pose is crucial for protecting against potential risks.”
Login
remains up-to-date and comprehensive, serving as a valuable resource for enhancing the security of embedded devices.
