CyberSecurity updates
Updated: 2024-10-22 03:24:38 Pacific


CISA @ Alerts
Critical Vulnerabilities in Siemens, Rockwell Automation, and Delta Products: Impacting Industrial Control Systems (ICS) - 9h

Several critical vulnerabilities have been discovered in industrial control systems (ICS) products from Siemens, Rockwell Automation, and Delta Electronics. These vulnerabilities could allow attackers to execute arbitrary code, trigger denial-of-service conditions, or gain unauthorized access to sensitive information. One of the most concerning vulnerabilities is CVE-2024-41798, affecting Siemens’ SENTRON 7KM PAC3200 power monitoring device. This vulnerability exposes the device to brute-force attacks and unauthorized access through its Modbus TCP interface. Organizations using these ICS products are urged to prioritize patching and implementing robust security measures to mitigate the risks.

thezdi.com
Pwn2Own Ireland 2024: A Comprehensive Contest Schedule - 7h

Pwn2Own Ireland 2024, the first Pwn2Own event held in Ireland, has announced a comprehensive schedule for the four-day contest. The event features a diverse range of targets, including smart speakers, printers, network attached storage devices, surveillance cameras, and mobile phones. Researchers and security experts from around the world are competing to identify and exploit vulnerabilities in these devices, showcasing the latest in vulnerability research and hacking techniques. The contest is expected to attract significant attention from the cybersecurity community and provide valuable insights into the evolving threat landscape.

info@thehackernews.com (The Hacker News) @ The Hacker News
Vulnerability in Roundcube Webmail Used for Phishing Attacks - 1d

A vulnerability in the open-source Roundcube webmail software has been exploited in phishing attacks. The flaw, tracked as CVE-2024-37383, allows attackers to steal user credentials by sending malicious emails that appear to come from legitimate sources. The vulnerability has been patched, but Roundcube webmail users are advised to update their software immediately. Threat actors targeted Roundcube Webmail user accounts with the specific goal of stealing login credentials. The attack involved emails containing malicious links that, when clicked, redirected users to a fake website designed to look like the real Roundcube login page. Users who entered their credentials on the fake site had them stolen by the attackers, compromising their accounts and potentially exposing sensitive data.

Pierluigi Paganini @ Hacking Archives
Roundcube Webmail Flaw Exploited in Phishing Campaign, Affecting Government Organization - 12h

A cross-site scripting (XSS) vulnerability, tracked as CVE-2024-37383, was exploited in a phishing campaign targeting a government organization in a CIS country. The attackers used an email with a concealed attached document and embedded tags to execute arbitrary JavaScript code. This allowed them to steal credentials and potentially gain control of the victim’s account. The vulnerability affects Roundcube Webmail versions prior to 1.5.7 and 1.6.x versions before 1.6.7. This incident highlights the importance of patching known vulnerabilities promptly and implementing robust security measures to prevent such attacks.

Microsoft Threat Intelligence @ Microsoft Security Blog
New macOS Vulnerability, "HM Surf", Allows Attackers to Bypass Transparency, Consent, and Control (TCC) Protection - 4d

Microsoft Threat Intelligence has discovered a new macOS vulnerability, dubbed “HM Surf”, that allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to protected user data. The vulnerability involves removing TCC protection for the Safari browser directory and modifying a configuration file to access user data, including browsing history, camera, microphone, and location, without user consent. Microsoft has reported the vulnerability to Apple, which has released a fix as part of a macOS security update. Users are urged to install the update as soon as possible to mitigate the risk. This vulnerability highlights the importance of keeping operating systems and applications updated to protect against emerging threats and the persistent challenges of maintaining robust security in complex software environments.

do son @ Cybersecurity News
Exploiting Vulnerable Drivers for Kernel Privileges: A BYOVD Threat Analysis - 2d

This research delves into a specific threat involving the exploitation of vulnerable drivers to gain kernel privileges. It focuses on BYOVD (Bring Your Own Vulnerable Driver), a technique in which attackers load a legitimately signed but vulnerable driver and abuse its flaws to elevate their privileges on the system. The analysis covers the techniques used by attackers, the impact of such exploits, and recommendations for mitigation.

cyble.com
Veeam Backup & Replication Vulnerability (CVE-2024-40711) Actively Exploited By Ransomware Groups - 6d

A critical vulnerability (CVE-2024-40711) has been discovered in Veeam Backup & Replication, enabling attackers to execute arbitrary code remotely without authentication. This flaw has been exploited by Akira and Fog ransomware groups, potentially leading to data breaches and system takeovers. The vulnerability affects various Veeam products, including Veeam Backup & Replication, Veeam ONE, and Veeam Agent for Linux, among others. Organizations should prioritize patching affected systems to mitigate the risk of exploitation.

MalBot @ Malware Analysis, News and Indicators
Microsoft Security Logs Misplaced: A Major Security Incident - 4d

Microsoft has acknowledged a significant security incident that resulted in the loss of customer security logs for a month. The incident, attributed to a vulnerability, impacted various Microsoft services, including Microsoft Entra, Microsoft Sentinel, Azure Logic Apps, Azure Monitor, Azure Healthcare APIs, Azure Trusted Signing, Azure Virtual Desktop, and Power Platform.
This incident underscores the importance of robust security measures and the need for companies to promptly disclose security incidents to their customers. The lack of security logs during this period could pose significant risks for organizations relying on these services for security monitoring and threat detection.

Andres Ramos @ Arctic Wolf
Critical Java Deserialization Vulnerability in SolarWinds Web Help Desk - 4d

A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2024-28988, affects SolarWinds Web Help Desk (WHD), a widely used IT service management software. This vulnerability stems from a Java deserialization flaw, potentially enabling a remote, unauthenticated attacker to execute arbitrary code on vulnerable WHD instances. The flaw could allow an attacker to gain full control of the affected system, potentially leading to data theft, system compromise, and other malicious activities. SolarWinds has released a hotfix to address this vulnerability, and organizations using WHD are strongly advised to apply the patch immediately to mitigate the risk.

raw.githubusercontent.com
Exploiting Vulnerable Drivers in Windows 7 for Kernel Shellcode Persistence - 4d

A design flaw in older Windows operating systems, specifically Windows NT 4.0 through Windows 7, allows kernel shellcode to persist and be launched during system boot by writing specially crafted data to the system registry. This vulnerability is due to the incomplete fix for a vulnerability in the RtlQueryRegistryValues function. The function can be used to query multiple registry values with a single call, but the way it handles values of unexpected types can lead to a buffer overflow, which can be exploited to execute malicious code. The vulnerability was exploited in a targeted attack in 2018, and researchers at Kaspersky GReAT discovered that it was only partially fixed by Microsoft, making it possible for attackers with administrator privileges to stealthily store and execute kernel shellcode. The vulnerability was exposed in a challenge at the SAS CTF, an international cybersecurity competition organized by Kaspersky GReAT.

arstechnica.com
Perfctl Malware Exploits Common Misconfigurations and Known Vulnerabilities to Infect Linux Machines - 7d

Perfctl, a stealthy and persistent Linux malware, has been circulating since at least 2021, infecting thousands of machines. It leverages a range of tactics, including exploiting common misconfigurations and known vulnerabilities, to gain access to vulnerable systems. The malware, which has a high success rate in avoiding detection, uses a naming convention similar to common Linux tools to blend in with legitimate processes. The attackers exploit vulnerabilities like CVE-2023-33246 in Apache RocketMQ, a widely used messaging and streaming platform, to establish a foothold. Perfctl is primarily used for cryptocurrency mining, stealing processing power from infected machines.

about.gitlab.com
Exploiting SAML Vulnerability CVE-2024-45409 in GitLab and Ruby-SAML - 6d

A critical vulnerability, CVE-2024-45409, affecting the Ruby-SAML library, allows attackers to forge SAML responses and bypass authentication. The vulnerability stems from an incorrect XPath selector that prevents proper verification of the SAML response signature. This flaw impacts Ruby-SAML versions up to 1.12.2 and between 1.13.0 and 1.16.0. Attackers can exploit the vulnerability by crafting a SAML Response or Assertion that bypasses authentication and potentially gain unauthorized access to sensitive data and critical systems. GitLab was impacted by the vulnerability, and the company issued an important security update to address it.

ciso2ciso.com
Critical Vulnerability in Ivanti Cloud Service Appliance Actively Exploited - 6d

A critical vulnerability in Ivanti’s Cloud Service Appliance (CSA) has been actively exploited by attackers. The flaw, tracked as CVE-2024-8190, allows attackers to gain unauthorized access to sensitive data and execute arbitrary commands on vulnerable systems. The vulnerability exists in the CSA’s authentication mechanism and can be exploited by attackers who can send specially crafted requests to the CSA. This attack vector allows attackers to bypass the CSA’s security measures and gain access to the underlying operating system. The vulnerability has been exploited in the wild by a suspected nation-state adversary. There are strong indications that China is behind the attacks. Organizations using Ivanti CSA should prioritize patching the vulnerability immediately to reduce their risk of being compromised.


This site is an experimental news aggregator using feeds I personally follow. You can reach me using contacts documented at my website here (https://royans.net/) if you have feedback. You can also find Flathis at Mastodon.