Threat Intel: Thursday, July 11

Welcome to this week’s Threat Intelligence Roundup! Each week we cover the latest on emerging threats, trends, and top security practices, all tailored just for you.

Threat Intel Thursdays are designed to give you a wider perspective and arm you with the knowledge you need to make smart security decisions.

Threat Intelligence Email Blasts This Week:

New OpenSSH Vulnerability “regreSSHion” Gives Root Access On Linux Servers A new OpenSSH vulnerability, dubbed “regreSSHion” (CVE-2024-6387), allows unauthenticated remote code execution as root on glibc-based Linux systems. Discovered by Qualys, the flaw is a signal handler race condition in sshd: when a client fails to authenticate within LoginGraceTime, sshd’s SIGALRM handler calls functions such as syslog() that are not async-signal-safe, and an attacker who wins the race can hijack the process. It is a regression of CVE-2006-5051 and affects OpenSSH 8.5p1 through 9.7p1 (plus unpatched releases older than 4.4p1); it is fixed in OpenSSH 9.8p1 and in vendor backports. Qualys needed roughly six to eight hours of continuous connection attempts to exploit a 32-bit system in the lab and has not demonstrated 64-bit exploitation, but sshd is exposed on a huge number of internet-facing hosts, so every organization should patch now. Where patching is delayed, setting LoginGraceTime 0 in sshd_config removes the race at the cost of exposing sshd to connection-exhaustion denial of service, and restricting SSH reachability with network ACLs reduces the risk of either.

Blast-RADIUS Exploit Bypasses Popular RADIUS Authentication Protocol The new Blast-RADIUS attack (CVE-2024-3596) exploits a protocol-level weakness in RADIUS over UDP. The Response Authenticator that a RADIUS client (a switch, router or VPN concentrator) uses to validate an Access-Accept or Access-Reject is an ad hoc MD5 construction with the shared secret appended last, so an attacker positioned between client and server can use an MD5 chosen-prefix collision, smuggled in a Proxy-State attribute, to turn the server’s Access-Reject for a bogus login into an Access-Accept. This grants administrative access to network devices without brute-forcing or stealing credentials. The researchers computed the collision in 3 to 6 minutes on a compute cluster, longer than typical 30 to 60 second client timeouts but within reach of optimized hardware, since the work is highly parallelizable. Password-based methods (PAP, CHAP, MS-CHAPv2) are affected; EAP over RADIUS already requires the HMAC-based Message-Authenticator attribute and is not. Teams are advised to apply vendor updates and configure both clients and servers to send and require Message-Authenticator on every packet, to move to RADIUS over TLS (RadSec) where supported, and in the meantime to isolate RADIUS traffic on a restricted management network. Proxied (multihop) deployments must be updated at every hop, since any unpatched hop reintroduces the weakness.
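The following is an added example, not code from the original roundup or from the Blast-RADIUS researchers. It builds RADIUS responses with and without the Message-Authenticator attribute (RFC 2865 / RFC 2869) and shows why the short-term fix matters: a client that validates only the Response Authenticator (MD5 over header, request authenticator, attributes and then the secret) accepts any response whose attribute bytes collide, whereas a client that requires Message-Authenticator (HMAC-MD5 keyed with the shared secret over the whole packet) rejects a response that lacks or fails it. The MD5 collision itself is not reproduced here; the shared secret, Proxy-State value and identifier are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_PROXY_STATE = 33             # where Blast-RADIUS hides its colliding bytes
ATTR_MESSAGE_AUTHENTICATOR = 80   # HMAC-MD5 over the packet, keyed with the secret


def encode_attrs(attrs):
    """Encode a list of (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    """Inverse of encode_attrs; refuses malformed lengths that would loop forever."""
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    The secret is appended last, so an equal-length MD5 collision in the attribute
    bytes survives it: that is the property Blast-RADIUS exploits."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 s5.14: HMAC-MD5 over the packet with Message-Authenticator zeroed
    and the *request* authenticator in the authenticator field (also for responses)."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hmac.new(secret, header + request_auth + body, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_ma):
    """Build an Access-Accept/Reject; with_ma=True mirrors a patched server."""
    attrs = list(attrs)
    if with_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    resp_auth = response_authenticator(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + resp_auth + body


def verify_response(packet, request_auth, secret, require_ma):
    """Client-side validation. require_ma=False is the pre-fix behaviour."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False, "bad length"
    resp_auth, body = packet[4:20], packet[20:]
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, body, request_auth, secret)):
        return False, "bad Response Authenticator"
    attrs = decode_attrs(body)
    present = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not present:
        if require_ma:
            return False, "missing Message-Authenticator"
        return True, "accepted on Response Authenticator alone (Blast-RADIUS exposed)"
    if not hmac.compare_digest(present[0], message_authenticator(code, ident, request_auth, attrs, secret)):
        return False, "bad Message-Authenticator"
    return True, "accepted; integrity covered by keyed HMAC"


def demo():
    secret = b"constructed-shared-secret"        # constructed for the example
    request_auth = os.urandom(16)                # Request Authenticator from the Access-Request
    ident = 42
    reject_attrs = [(ATTR_PROXY_STATE, b"constructed-proxy-state")]
    legacy = build_response(ACCESS_REJECT, ident, request_auth, reject_attrs, secret, with_ma=False)
    patched = build_response(ACCESS_REJECT, ident, request_auth, reject_attrs, secret, with_ma=True)
    flipped = bytes([ACCESS_ACCEPT]) + patched[1:]   # naive tamper: Reject -> Accept
    return {
        "legacy_server_legacy_client": verify_response(legacy, request_auth, secret, require_ma=False),
        "legacy_server_hardened_client": verify_response(legacy, request_auth, secret, require_ma=True),
        "patched_server_hardened_client": verify_response(patched, request_auth, secret, require_ma=True),
        "tampered_hardened_client": verify_response(flipped, request_auth, secret, require_ma=True),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The legacy path is exactly the window the attack targets: without a keyed MAC, the client's only integrity check is an unkeyed MD5 prefix that the attacker can collide. Requiring Message-Authenticator on every packet, on every hop, closes that path; RadSec closes it by removing the UDP transport entirely.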

This Week’s Roundup:

Popular Ghostscript Library RCE Vulnerability Actively Exploited A remote code execution vulnerability (CVE-2024-29510) in Ghostscript, the PostScript and PDF interpreter embedded in countless document and image conversion pipelines (ImageMagick, LibreOffice, print spoolers and web upload handlers among them), is being actively exploited. The flaw is a format-string bug in the uniprint output device that lets a malicious document escape the -dSAFER sandbox and perform arbitrary file I/O and command execution. Reported in-the-wild samples were EPS files renamed with a .jpg extension so that an image-conversion service would hand them to Ghostscript. The bug affects Ghostscript 10.03.0 and earlier. We advise your organization to update to Ghostscript 10.03.1 immediately, including copies bundled inside other software, and to review which services accept untrusted documents.

High-Severity Microsoft Zero-Day Patched After Year Of Abuse A Windows MSHTML spoofing vulnerability (CVE-2024-38112) has finally been patched after being exploited for more than a year to deliver malware. Attackers distributed Internet Shortcut (.url) files whose target began with the mhtml: prefix, which forces Windows to open the link in the retired Internet Explorer instead of Edge, even on fully updated Windows 10 and 11; a second trick then presented an HTML Application (.hta) as if it were a PDF, so a victim who clicked through the prompts ran the attacker's code, in the observed campaign an information stealer. Microsoft fixed the flaw in the July 2024 Patch Tuesday updates. The campaign shows that “disabled” legacy components can still be reachable and underlines the need to keep systems fully patched.
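As an added detection example (not code from the original roundup or from the researchers who reported the campaign), the function below parses the INI-style body of a .url Internet Shortcut and flags the two traits described above: a target that begins with the mhtml: prefix and a target that points at an .hta file. It also flags the !x-usc: redirector marker that appears inside mhtml: URLs. The sample shortcut bodies are constructed and use the reserved example.invalid host.

```python
import re

MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
XUSC_MARKER = re.compile(r"!x-usc:", re.IGNORECASE)
HTA_TARGET = re.compile(r"\.hta(\W|$)", re.IGNORECASE)


def parse_url_shortcut(text):
    """Parse an INI-like .url body into {section: {key: value}} (names lower-cased).
    A hand-rolled parser is used so odd encodings or '%' in URLs cannot break parsing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_url_shortcut(text):
    """Return ("suspicious"|"clean"|"no-url", [reasons]) for a .url file body."""
    url = parse_url_shortcut(text).get("internetshortcut", {}).get("url", "")
    if not url:
        return "no-url", []
    reasons = []
    if MHTML_PREFIX.match(url):
        reasons.append("mhtml: prefix forces the target to open in Internet Explorer")
    if XUSC_MARKER.search(url):
        reasons.append("!x-usc: redirector embedded in target")
    if HTA_TARGET.search(url):
        reasons.append("target is an HTML Application (.hta)")
    return ("suspicious" if reasons else "clean"), reasons


# Constructed samples; example.invalid is a reserved name and resolves nowhere.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.invalid/report.pdf\r\nIconIndex=0\r\n"
MHTML_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://example.invalid/share/!x-usc:http://example.invalid/share/\r\n"
    "IconFile=C:\\Program Files\\Internet Explorer\\iexplore.exe\r\n"
)
HTA_URL_FILE = "[InternetShortcut]\nURL=mhtml:http://example.invalid/Books.pdf.hta\n"


if __name__ == "__main__":
    for name, body in [("benign", BENIGN_URL_FILE), ("mhtml", MHTML_URL_FILE), ("hta", HTA_URL_FILE)]:
        verdict, why = assess_url_shortcut(body)
        print(name, verdict, why)
```

In practice this check belongs in a mail gateway or EDR file-hunting rule: legitimate .url files almost never carry an mhtml: prefix, so the match rate on clean traffic is near zero.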

GitLab Releases Patch For Critical Bug That Allows Attackers To Run Pipelines As Other Users GitLab has warned of a critical vulnerability (CVE-2024-6385, CVSS 9.6) in GitLab CE and EE that allows an attacker to trigger a CI/CD pipeline as another user under certain circumstances. Because pipelines run with the triggering user's permissions and can reach protected variables and deployment credentials, this can lead to unauthorized code execution and data exposure. GitLab has released 17.1.2, 17.0.4 and 16.11.6 to address the flaw and is advising all self-managed administrators to upgrade right away.

VMware Releases Patch For Aria Automation SQL-Injection Flaw VMware has patched a SQL injection vulnerability (CVE-2024-22280) in its Aria Automation platform, previously known as vRealize Automation. The flaw, rated 8.5 on the CVSS scale, allows an authenticated user to submit crafted SQL queries and perform unauthorized read and write operations in the product database, which underpins the platform's organizations and workflows. Fixed builds are available and updating should be a priority, since any user with a valid login, including a compromised low-privilege account, can reach the vulnerable code.

Critical NetScaler Console Exploit Patched By Citrix Citrix has released patches for a critical vulnerability (CVE-2024-6235, CVSS 9.4) in NetScaler Console (formerly NetScaler ADM) that could lead to sensitive information disclosure through improper authentication. The flaw can be exploited by anyone with network access to the NetScaler Console IP address. Citrix advises updating to the fixed Console builds listed in its advisory and, as a matter of course, keeping the Console's management interface off untrusted networks. The same release also addresses a high-severity denial-of-service flaw (CVE-2024-6236) in NetScaler Console, Agent and SVM.

WordPress Calendar Plugin “Modern Events” Vulnerability Impacting 150,000 Websites Hackers are exploiting a vulnerability in the Modern Events Calendar WordPress plugin, installed on more than 150,000 sites. The flaw (CVE-2024-5441, CVSS 8.8) allows attackers to upload arbitrary files, including PHP web shells, and execute them on the server, potentially taking over the website. It stems from insufficient file type validation in the plugin's ‘set_featured_image’ function and is reachable by any authenticated user with subscriber-level access, or by unauthenticated visitors when the site allows public event submissions. Versions up to and including 7.11.0 are affected; sites using this plugin should upgrade to version 7.12.0 immediately, as attackers are actively targeting this flaw.
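To make “insufficient file type validation” concrete, here is an added example (not code from the plugin or from the original roundup, and written in Python rather than the plugin's PHP) of the checks an image-upload handler needs before it accepts a featured image: reject any executable extension anywhere in the name (so shell.php.jpg fails too), accept only an allowlisted extension, confirm the file content starts with that format's magic bytes, ignore the client-declared MIME type, and store the file under a server-generated name. The file names and byte strings in the demo are constructed.

```python
import os
import uuid

# Allowlisted image extensions mapped to the magic bytes a genuine file begins with.
IMAGE_MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Extensions a web server may execute or a browser may render as active content. Their
# appearance anywhere in the name is fatal, because Apache-style multi-extension handling
# can execute "shell.php.jpg" as PHP.
DANGEROUS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht",
             "html", "htm", "svg", "js", "htaccess"}


def validate_image_upload(filename, data, declared_mime=None):
    """Return (accepted, reason, stored_name).

    declared_mime is whatever the client sent in the multipart form; it is attacker
    controlled and only echoed in the rejection reason, never trusted.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "no usable extension", None
    ext, inner = parts[-1], set(parts[1:-1])
    if ext in DANGEROUS or inner & DANGEROUS:
        return False, "executable extension present in name: %s" % base, None
    if ext not in IMAGE_MAGIC:
        return False, "extension not in allowlist: %s" % ext, None
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, "content does not match %s signature (client declared %s)" % (ext, declared_mime), None
    # Never reuse the client-supplied name; keep only the validated extension.
    return True, "ok", "%s.%s" % (uuid.uuid4().hex, ext)


# Constructed sample uploads: (filename, first bytes of content, declared MIME type).
SAMPLE_UPLOADS = [
    ("cat.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8, "image/jpeg"),
    ("logo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "image/png"),
    ("shell.php", b"<?php system($_GET['c']); ?>", "image/jpeg"),
    ("shell.php.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8, "image/jpeg"),
    ("cat.jpg", b"<?php system($_GET['c']); ?>", "image/jpeg"),
    ("diagram.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>", "image/svg+xml"),
]


def run_samples():
    """Apply the validator to every constructed sample; returns {filename-index: accepted}."""
    return {i: validate_image_upload(n, d, m)[0] for i, (n, d, m) in enumerate(SAMPLE_UPLOADS)}


if __name__ == "__main__":
    for (name, data, mime) in SAMPLE_UPLOADS:
        ok, reason, stored = validate_image_upload(name, data, mime)
        print(f"{name:16} -> {'ACCEPT' if ok else 'REJECT'}: {reason}" + (f" as {stored}" if ok else ""))
```

Two caveats belong with this check. A valid JPEG can still carry PHP in a comment segment, so the upload directory must additionally be served with script execution disabled (or sit outside the web root); and SVG is excluded because it is active content that can host script, not because it is rare.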

Compilation Of 10 Billion Passwords Leaked Dubbed “RockYou2024” A compilation known as “RockYou2024”, containing close to 10 billion password entries, has been posted on a hacking forum. It is not a new breach: the dataset aggregates passwords from many previous leaks (and includes a fair amount of junk), but it remains a powerful wordlist for credential-stuffing and offline password-cracking attacks. The leak emphasizes the importance of unique passwords from a password manager, multi-factor authentication (or passkeys where offered) on every account, and, for defenders, checking user passwords against known-breached lists at login or reset time.

Shopify Denies Breach, States Third Party Cause Of Data Leak Shopify has denied claims of a data breach after a threat actor began selling customer data allegedly stolen from its network. According to Shopify, the data was exposed through a third-party app, not a breach of its own systems, and the app developer is expected to notify affected customers. The data on offer includes Shopify IDs, names, email addresses and purchase details. For merchants, the incident is a reminder that every app granted access to store data extends the attack surface, and app permissions should be reviewed and pruned regularly.
