Threat Intel: Thursday, December 5

Welcome to this week’s Threat Intelligence Roundup! Each week we cover the latest on emerging threats, trends, and top security practices, all tailored just for you.

Threat Intel Thursdays are designed to give you a wider perspective and arm you with the knowledge you need to make smart security decisions.

Threat Intelligence Email Blasts This Week:

Veeam Advises of Critical RCE Flaw in Service Provider Console

Veeam has released security updates to address two critical vulnerabilities in its Service Provider Console (VSPC), including a remote code execution (RCE) flaw identified as CVE-2024-42448. This vulnerability allows attackers to execute arbitrary code on unpatched servers from the VSPC management agent machine. Another high-severity issue, CVE-2024-42449, could enable attackers to steal NTLM hashes and delete files on the VSPC server. Both vulnerabilities affect VSPC versions 8.1.0.21377 and earlier. Veeam strongly recommends that teams update to the latest cumulative patch.

This Week’s Roundup:

Chinese Salt Typhoon Hacked Telcos in Dozens of Countries

Chinese state-sponsored hackers, identified as Salt Typhoon, have breached telecommunications companies in dozens of countries, including at least eight in the United States. These intrusions have enabled unauthorized access to sensitive data, such as call records and unencrypted text messages, affecting numerous individuals, including senior government officials. The U.S. government is actively collaborating with affected telecom firms to address the breaches and has advised the public to use encrypted communication methods to safeguard their information.

Cisco Urges Immediate Patch for Old WebVPN Flaw

Cisco has updated its advisory for a decade-old cross-site scripting (XSS) vulnerability, CVE-2014-2120, in the WebVPN login page of its Adaptive Security Appliance (ASA) software, following reports of active exploitation. This flaw allows unauthenticated, remote attackers to conduct XSS attacks by persuading users to click on malicious links, potentially compromising sensitive information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalog in November 2024, mandating that federal agencies apply patches by December 3, 2024.

Solana Web3.js Library Backdoored to Steal Secret Keys

The Solana JavaScript SDK was compromised in a supply chain attack, with malicious code added to steal cryptocurrency private keys and drain wallets. The attackers published two backdoored versions of the “@solana/web3.js” library after compromising a publish-access account. Developers are advised to update to the latest version and rotate any potentially affected keys to secure their applications.

CISA Warns of Zyxel Firewall Exploit Abused in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about active exploitation of a path traversal vulnerability, designated as CVE-2024-11667, in multiple Zyxel firewall appliances. This high-severity flaw affects the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices, potentially allowing attackers to download or upload files using crafted URLs. Exploitation of this vulnerability has been linked to Helldown ransomware attacks. Zyxel has addressed the issue in firmware version 5.39, released on September 3, 2024, and strongly advises organizations to update as soon as possible.

Critical Exploit Found in Zabbix Network Monitoring Tool

A critical SQL injection vulnerability, identified as CVE-2024-42327 with a CVSS score of 9.9, has been discovered in the open-source network monitoring tool Zabbix. This flaw allows non-administrative users with API access to inject arbitrary SQL queries, potentially leading to full system compromise. The affected versions are Zabbix 6.0.0 through 6.0.31, 6.4.0 through 6.4.16, and 7.0.0. Organizations are strongly advised to update to the patched versions: 6.0.32rc1, 6.4.17rc1, or 7.0.1rc1.

Corrupted Word Files Fuel New Phishing Campaign

A recent phishing campaign has been observed using intentionally corrupted Microsoft Word documents to bypass email security systems. These emails, often masquerading as communications from payroll or HR departments, entice recipients with promises of employee benefits or bonuses, prompting them to open the attached corrupted files. When opened, Microsoft Word’s recovery mode reconstructs the document, displaying instructions to scan a QR code that leads to a fake Microsoft login page designed to harvest user credentials. This tactic effectively evades detection by antivirus software, as the corrupted files appear benign until manually recovered by the user.
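One practical mail-gateway check suggested by the campaign above: a .docx is a zip container, so an attachment that claims to be a Word document but cannot be parsed as a complete, CRC-valid zip is exactly the kind of file that only Word's recovery mode can open, and deserves quarantine or a closer look. This is an added example, not code from the original post; it assumes the corruption takes the form of a damaged zip container (the sample files are constructed in memory).

```python
import io
import zipfile
import zlib

# Constructed sample: a minimal OOXML-style container with the parts Word expects.
# ZIP_STORED is used so a byte flip below hits the CRC check rather than zlib.
def build_docx_bytes() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

# Constructed corruptions of the kind a recovery-mode lure relies on.
def truncate_sample(data: bytes) -> bytes:
    return data[:-30]  # drops the end-of-central-directory record

def flip_sample(data: bytes) -> bytes:
    i = data.index(b"<w:document/>") + 3  # damage the part's stored bytes
    return data[:i] + bytes([data[i] ^ 0xFF]) + data[i + 1:]

def classify_docx(data: bytes) -> str:
    """Return 'ok', 'corrupt' or 'not-docx' for an attachment's raw bytes."""
    if not data.startswith(b"PK"):
        return "not-docx"  # no zip signature at all (legacy .doc, text, etc.)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if z.testzip() is not None:  # first entry with a bad CRC/header
                return "corrupt"
            names = set(z.namelist())
            if "[Content_Types].xml" not in names or "word/document.xml" not in names:
                return "corrupt"  # parses as zip but is not a usable Word document
    except (zipfile.BadZipFile, zlib.error):
        return "corrupt"
    return "ok"

if __name__ == "__main__":
    good = build_docx_bytes()
    for label, blob in [("clean", good), ("truncated", truncate_sample(good)),
                        ("bitflip", flip_sample(good)), ("text", b"hello")]:
        print(f"{label:10s} -> {classify_docx(blob)}")
```

Attachments classified "corrupt" with a .docx name are the ones a user would have to recover by hand, which is the step this campaign depends on, so routing them to quarantine rather than the inbox removes the lure without blocking legitimate documents.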

Critical MiCollab Flaw Exposes Systems to Admin Access

A critical path traversal vulnerability, identified as CVE-2024-41713 with a CVSS score of 9.8, has been discovered in the NuPoint Unified Messaging (NPM) component of Mitel’s MiCollab platform. This flaw allows unauthenticated attackers to perform path traversal attacks, potentially leading to unauthorized access and administrative actions on the MiCollab server. Mitel has addressed this issue in MiCollab version 9.8 SP2 (9.8.2.12), released on October 9, 2024, and strongly recommends that teams update as soon as possible.
