The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
CVE-2024-32896 is an elevation of privilege vulnerability in the Pixel Firmware, which has been exploited in the wild as a zero-day.
CVE-2024-26169 is an elevation of privilege issue in the Microsoft Windows Error Reporting Service that can be exploited to could gain SYSTEM privileges.
CVE-2024-4358 is an authentication bypass vulnerability that an unauthenticated attacker can exploit to gain access to Telerik Report Server restricted functionality.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by July 4, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Android Pixel)
On Monday, the City of Cleveland announced it was the victim of a cyber attack and was forced to take some of its systems offline to contain the threat.
The City is still working to restore impacted services, it added that emergency services and utilities were not affected. The incident did not expose taxpayer information held by the CCA and customer information held by Public Utilities.
𝗖𝗶𝘁𝘆 𝗼𝗳 𝗖𝗹𝗲𝘃𝗲𝗹𝗮𝗻𝗱 𝗖𝘆𝗯𝗲𝗿 𝗜𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗨𝗽𝗱𝗮𝘁𝗲
— City of Cleveland (@CityofCleveland) June 10, 2024
(1/7) We are still investigating the nature and scope of the incident. The City is collaborating with several key partners who provide expert knowledge and deep experience in this work. pic.twitter.com/fyJWllidMj
City Hall and Erieview are closed today June 10, except for essential staff, as we investigate a cyber incident. We have shut down affected systems to secure and restore services. Emergency services and utilities are not affected. Updates will be provided as available. pic.twitter.com/3yAHoz7Ae2
— City of Cleveland (@CityofCleveland) June 10, 2024
City Hall and Erieview will be closed for the entire week, the City Hall reopened only for the employees on June 12, 2024.
“Basic City services are functioning normally. Despite adapting to limited IT capabilities, public safety, public works, public utilities, and airport teams are actively working for City residents.” the City wrote on X, the platform used to provide updates on the incident to the citizens.
The City of Cleveland is investigating the incident with the help of law enforcement and key partners to determine the scope of the security incident.
The city did not share information about the attack; however, the shutdown of the IT systems in response to the incident suggests the involvement of ransomware. As of this writing, no ransomware group has claimed responsibility for the attack.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cyber attack)
Ukraine’s security service, the SBU, detained two individuals who are accused of supporting Russian intelligence in spreading pro-Russia propaganda. They are also accused of hacking the phones of Ukrainian soldiers.
The arrests result from an investigation conducted by SBU officers in collaboration with the Ministry of Defense’s Intelligence Directorate and the National Police.
The SBU uncovered two bot farms in Zhytomyr and Dnipro that were spreading Russian propaganda and hacking soldiers’ phones. The bot farms spread Russian propaganda posing as Ukrainian citizens.
The SBU discovered that a Zhytomyr resident registered over 600 virtual mobile numbers and anonymous Telegram accounts that were used by Russian operatives. Then the accounts were sold or rented through Russian online platforms, the suspect received payments in cryptocurrency. According to the Ukrainian security service, Russian agents employed the numbers in phishing campaigns targeting Ukrainian military personnel to deliver spyware on their phones.
The second man (30), a Dnipro resident, registered nearly 15,000 fake social media and messenger accounts using Ukrainian SIM cards.
Then he sold the fake accounts on dark web forums to Russian intelligence. The Ukrainian authorities charged the man with violating Ukraine’s territorial integrity.
In July 2023, the Cyber Police Department of the National Police of Ukraine dismantled a massive bot farm and seized 150,000 SIM cards.
A gang of more than 100 individuals used fake social network accounts to conduct disinformation and psychological operations in support of the Russian government and its narrative on the invasion of Ukraine.
The gang used a massive bot farm to distribute illegal content, personal data of Ukrainian citizens and commit frauds.
The cyber police discovered that the group used special equipment and software to register thousands of bot accounts in multiple social networks.
In August 2022, the Ukrainian cyber police (SSU) dismantled a massive bot farm composed of 1,000,000 bots that was spreading disinformation and Russian propaganda through social networks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – Russian propaganda, bot farm)
Google warned of an elevation of privilege vulnerability, tracked as CVE-2024-32896, in the Pixel Firmware, which has been exploited in the wild as a zero-day.
“There are indications that CVE-2024-32896 may be under limited, targeted exploitation.” reads the advisory.
As usual, the IT giant did not provide technical information about attacks exploiting the above issue.
The Pixel Update Bulletin provides details of security vulnerabilities and functional improvements for supported Google Pixel devices. The company addressed all the flaws detailed in the bulletin with the release of the security patch levels of 2024-06-05 or later and the June 2024 Android Security Bulletin.
Seven out of 50 security vulnerabilities are rated as critical:
| CVE | References | Type | Severity | Subcomponent |
|---|---|---|---|---|
| CVE-2024-32891 | A-313509045 * | EoP | Critical | LDFW |
| CVE-2024-32892 | A-326987969 * | EoP | Critical | Goodix |
| CVE-2024-32899 | A-301669196 * | EoP | Critical | Mali |
| CVE-2024-32906 | A-327277969 * | EoP | Critical | avcp |
| CVE-2024-32908 | A-314822767 * | EoP | Critical | LDFW |
The company addressed multiple information disclosure flaws impacting GsmSs, ACPM, and Trusty and multiple DoS issues in the modem.
In April, Google addressed 28 vulnerabilities in Android and 25 flaws in Pixel devices. Two issues fixed by the IT giant, tracked as CVE-2024-29745 and CVE-2024-29748, were actively exploited in the wild.
CVE-2024-29745 is a High severity Information disclosure issue in the bootloader, while CVE-2024-29748 is a High severity elevation of privilege issues in the Pixel Firmware.
“There are indications that the following may be under limited, targeted exploitation.” reads the advisory.
The company did not provide details about the attacks, but in the past, such kinds of bugs were actively exploited by nation-state actors or commercial spyware vendors.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Google Pixel)
Fortinet addressed multiple vulnerabilities in FortiOS and other products, including some code execution flaws.
The company states that multiple stack-based buffer overflow vulnerabilities in the command line interpreter of FortiOS [CWE-121], collectively tracked as CVE-2024-23110 (CVSS score of 7.4), can be exploited by an authenticated attacker to achieve code or command execution via specially crafted command line arguments
“Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the command line interpreter of FortiOS may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments” reads the advisory published by the company.
Gwendal Guégniaud of Fortinet Product Security team discovered the vulnerabilities.
The flaws impact the following versions of the Fortinet FortiOS :
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
| FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
The company also fixed a low-severity issue tracked as CVE-2024-21754.
The company did not reveal if one of the above issues was actively exploited in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Fortinet FortiOS)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.” reads the advisory published by the company. “Arm is aware of reports of this vulnerability being exploited in the wild. Users are recommended to upgrade if they are impacted by this issue”
Bifrost and Valhall GPU Kernel Driver r41p0, which were released on November 24, 2022, address the vulnerability.
A local non-privileged attacker can prepare the system’s memory to issue improper GPU memory processing operations to gain access to already freed memory.
The company recommends users upgrade if this issue impacts them.
The vulnerability CVE-2024-4577 resides in the Best-Fit feature of encoding conversion within the Windows operating system. An attacker can exploit the flaw to bypass protections for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers through an argument injection attack, allowing attackers to take control of vulnerable servers.
Since the disclosure of the vulnerability and publicly availability of a PoC exploit code, multiple actors are attempting to exploit it, reported Shadowserver and GreyNoise researchers.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by July 3rd, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)
The Ukraine cyber police arrested a Russian man (28) for his role in developing a crypter used in Conti and LockBit ransomware operations.
The man was arrested in Kyiv on April 18, 2024, as part of the international law enforcement operation called ‘Operation Endgame.’
A crypter is a software used to obfuscate or encrypt malicious code to prevent detection by antivirus programs and other security tools. Crypters achieve this by converting the malware into an unreadable form and then packaging it with a decryption routine that will restore the original malicious code when executed. Crypters play a significant role in the cybercrime ecosystem by enabling malware authors to bypass security defenses.
“The police found out that the young man specialized in the development of cryptors (from the English crypt – hiding place) – special software for masking computer viruses under the guise of safe files.” reads the report published by Ukraine cyber police. “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses.”
The Ukrainian law enforcement was supported by the Dutch police who responded to a ransomware attack that hit a Dutch company.
The police identified the Russian hacker group who was paid with cryptocurrency to disguise the “Conti-malware” encryptor. By the end of 2021, a cybercrime gang deployed the ransomware in the network of companies in the Netherlands and Belgium and demanded a ransom for decrypting the infected systems.
“The police were tipped off by the NCSC (National Cyber Security Center) and, after further investigation, discovered that the Ukrainian man infected the computer networks of a company in the Netherlands with Conti’s malware in 2021; a hacker group that offers ransomware for sale. As a result, company data was encrypted and made inaccessible.” states the Dutch Police. “The group then demanded a ransom for making the company data accessible again and not leaking it. The Dutch company filed a report with the police in 2021 and on this basis Team High Tech Crime was able to continue with the investigation.”
The cyber police discovered that the Russian hacker helped the Russian cybercrime groups “LockBit” and “Conti.” The police, along with the “TacTeam” special unit, conducted a search in Kyiv and, following an international request from Dutch law enforcement, another search in the Kharkiv region. The police seized computer equipment, mobile phones, and draft records.
The investigation is still ongoing, the man was charged under part 5 of Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine. The man can face up to 15 years of imprisonment. Additional legal qualifications are possible.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, LockBit ransomware)
JetBrains warned customers to address a critical vulnerability, tracked as CVE-2024-37051, that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens.
The flaw impacts IntelliJ-based IDEs version 2023.1 and later, where the JetBrains GitHub plugin is enabled and configured/used.
“A new security issue was discovered that affects the JetBrains GitHub plugin on the IntelliJ Platform, which could lead to disclosure of access tokens to third-party sites. The issue affects all IntelliJ-based IDEs as of 2023.1 onwards that have the JetBrains GitHub plugin enabled and configured/in-use.” reads the advisory published by the company.
On the 29th of May 2024, the company received an external security report for the vulnerability potentially affecting its IDE product.
The report demonstrates that specially crafted content in a pull request to a GitHub project, when handled by IntelliJ-based IDEs, would expose access tokens to a third-party host.
JetBrains addressed the flaw with the release of IDEs version 2023.1 or later. Users are strongly recommended updating to the latest version.
Those customers that have used GitHub pull request functionality in the IDE are strongly advised to revoke any GitHub tokens used by the plugin. For OAuth integration, revoke access for the JetBrains IDE Integration application via Applications → Authorized OAuth Apps. For Personal Access Tokens (PAT), delete the token issued for the plugin on the Tokens page, typically named “IntelliJ IDEA GitHub integration plugin,” though custom names may also be used.
Below is the
“If you have not updated to the latest version, we strongly urge you to do so,” concludes the advisory.
The company did not reveal if the vulnerability has been actively exploited in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, GitHub)
Microsoft Patch Tuesday security updates for June 2024 addressed 49 vulnerabilities in Windows and Windows Components; Office and Office Components; Azure; Dynamics Business Central; and Visual Studio. Eight of these bugs were reported through the ZDI program.
Only one of these issues is rated Critical and 48 are rated Important in severity.
Only one of these vulnerabilities is listed as publicly known. Fortunately, none are being actively exploited in the wild.
The most severe issue is a Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability tracked as CVE-2024-30080 (CVSS score 9.8).
Remote, unauthenticated attackers can exploit this issue to execute arbitrary code with elevated privileges of systems where MSMQ is enabled. The flaw is wormable between those servers where MSMQ is disabled.
“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side.” reads the advisory.
The publicly disclosed zero-day vulnerability, tracked as CVE-2023-50868 (CVSS score 7.5), is regarding a vulnerability in DNSSEC validation. An attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users. MITRE created this CVE on their behalf.
Another interesting issue addressed by Microsoft Patch Tuesday security updates for June 2024 is a Windows Wi-Fi Driver Remote Code Execution vulnerability tracked as CVE-2024-30078 (CVSS score 8.8). An unauthenticated attacker can exploit this vulnerability to execute code on an affected system by sending the target a specially crafted network packet. The target would need to be in Wi-Fi range of the attacker and using a Wi-Fi adapter.
“Exploiting this vulnerability requires an attacker to be within proximity of the target system to send and receive radio transmissions.” reads the advisory. “An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution.”
The full list of vulnerabilities addressed by Microsoft for June 2024 is available here:
https://www.zerodayinitiative.com/blog/2024/6/11/the-june-2024-security-update-review
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft Patch Tuesday)
Login