Threat Intel: Thursday, July 25

Welcome to this week’s Threat Intelligence Roundup! Each week we cover the latest on emerging threats, trends, and top security practices, all tailored just for you.

Threat Intel Thursdays are designed to give you a wider perspective and arm you with the knowledge you need to make smart security decisions.

Threat Intelligence Email Blasts This Week:

Windows SmartScreen Flaw Enables Data Theft

A security feature bypass in Windows SmartScreen (CVE-2024-21412, patched by Microsoft in February 2024) is being exploited to deliver information stealers. The flaw lets a crafted internet shortcut file skip the SmartScreen warning that would normally precede the launch of a downloaded file, so the malicious payload runs without alerting the user. The bypass is in active use across several malware campaigns and is being used to steal credentials and other sensitive data from compromised Windows hosts. Teams should confirm that the February 2024 (or later) cumulative update is installed everywhere, since unpatched systems remain exposed.

New Telegram Zero-Day Creates Doorway To Malware

A zero-day vulnerability in Telegram's Windows client was exploited by cybercriminals for several months to deliver malware undetected. The exploit uses the Unicode right-to-left override character (U+202E) inside a filename so that a file such as a JavaScript or executable payload is displayed as if it were a harmless image or document. Users who opened the "image" actually ran the malware, leading to system compromise and data theft. The vulnerability was mainly exploited by Russian-speaking cybercriminals before Telegram discovered and patched it. Organizations that use Telegram should update their clients and treat unexpected file downloads with caution.
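The override trick above is easy to catch at a download gate or mail filter if you look for bidirectional control characters in filenames. The following is an added example, not code from the original post or from Telegram: it flags any filename carrying a Unicode bidi control, reports the extension the OS will really dispatch on, and approximates the name a user would see. The sample filenames in SAMPLES are constructed for this demo.

```python
# Added example (not from the original post): detect filenames that use
# Unicode bidirectional override characters such as U+202E RIGHT-TO-LEFT
# OVERRIDE to make the real extension look like a different one.

# Bidi controls that can reorder or isolate the characters that follow them.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character used in the attack
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override

# Constructed sample filenames: two RLO-disguised payloads and one benign file.
SAMPLES = [
    "photo_high_re\u202egnp.js",   # shown as photo_high_resj.png, runs as .js
    "invoice\u202efdp.scr",        # shown as invoicercs.pdf, runs as .scr
    "quarterly_report.pdf",        # benign
]


def find_bidi_controls(name):
    """Return (index, short name) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def real_extension(name):
    """Extension the OS actually dispatches on: text after the last dot,
    with the invisible control characters ignored."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""


def displayed_name(name):
    """Approximate what a user sees: text after an RLO is drawn reversed
    until a PDF (U+202C) or the end of the string; other controls are
    dropped. This models only the override case used in the attack."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            segment = "".join(c for c in name[i + 1:end] if c not in BIDI_CONTROLS)
            out.append(segment[::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def apparent_extension(name):
    """Extension the user believes the file has, based on the rendered name."""
    shown = displayed_name(name)
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def assess(name):
    """Summarise one filename for a blocking rule: any bidi control in a
    filename is worth blocking on its own; a mismatch between the apparent
    and real extension is the disguise itself."""
    controls = find_bidi_controls(name)
    real, shown = real_extension(name), apparent_extension(name)
    return {
        "name": name,
        "controls": controls,
        "displayed_as": displayed_name(name),
        "real_extension": real,
        "apparent_extension": shown,
        "suspicious": bool(controls),
        "disguised": real != shown,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

The rendering model in displayed_name is deliberately minimal: real text shapers apply the full bidi algorithm, but for a filename filter the decision should rest on the presence of the control characters, not on an exact reproduction of how they render.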

CrowdStrike Outage Update:

CrowdStrike has stated that the recent outage was caused by a bug in its Content Validator, which allowed a faulty content update to pass checks and crash Windows hosts running the Falcon sensor. Microsoft has released a recovery tool for affected Windows systems. By Microsoft's count the outage affected roughly 8.5 million Windows devices worldwide, causing significant disruption for businesses that rely on CrowdStrike's services and prolonged downtime for many of them.

Teams are advised to work with CrowdStrike directly on remediation, as fake fixes and look-alike websites are being reported that deliver malware and steal data. Threat actors are exploiting the event for targeted phishing campaigns.

This Week’s Roundup:

Docker Engine Flaw Allows Attackers to Bypass Authorization

A critical flaw in Docker Engine, tracked as CVE-2024-41110 with a CVSS score of 10.0, lets an API client bypass authorization (AuthZ) plugins with a crafted request: the daemon can forward the request to the plugin without its body, so the plugin may approve an action it would otherwise have denied, potentially leading to privilege escalation. The bug was originally found and fixed in 2018, but the fix was not carried forward into later release branches, so multiple Docker Engine versions are affected. Docker has shipped fixed releases, and all teams should upgrade immediately. Note that only deployments that gate the Engine API with an authorization plugin are exposed to the bypass, but every affected version should still be patched.
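A quick way to triage a fleet is to compare each daemon's reported version against the first fixed release on its branch. The following is an added example, not Docker's own tooling. The fixed-version floors it uses (23.0.15, 26.1.5, 27.1.1) are as recalled from Docker's advisory and are an assumption to confirm against the advisory before relying on them; the `docker version` and `docker info` template invocations are standard CLI features.

```python
# Added example (not Docker's own tooling): decide whether a Docker Engine
# server version carries the fix for CVE-2024-41110, and optionally ask the
# local daemon for its version and configured AuthZ plugins.
import re
import shutil
import subprocess

# Assumption: first fixed release per branch, as recalled from Docker's
# advisory. Confirm against the advisory before relying on these values.
FIXED_FLOORS = {
    (23, 0): (23, 0, 15),
    (26, 1): (26, 1, 5),
    (27, 1): (27, 1, 1),
}
# Assumption: every release after 27.1.1 (27.2+, 28.x, ...) carries the fix.
NEWEST_FIXED = (27, 1, 1)


def parse_version(text):
    """Turn '27.1.1', 'v27.1.1' or '27.1.1-ce' into a (major, minor, patch) tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Docker version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True if this Engine version is at or past its branch's fixed release."""
    v = parse_version(version_text)
    floor = FIXED_FLOORS.get(v[:2])
    if floor is not None:
        return v >= floor
    # Branches with no fixed release (19.03, 20.10, 24.0, 25.0, 26.0, 27.0, ...)
    # stay vulnerable; anything newer than the last fixed branch has the fix.
    return v > NEWEST_FIXED


def _docker(*args):
    """Run a docker CLI command and return stdout, or None if docker is absent."""
    if shutil.which("docker") is None:
        return None
    result = subprocess.run(["docker", *args], capture_output=True, text=True, check=False)
    return result.stdout.strip() if result.returncode == 0 else None


def server_version():
    """Version string reported by the local daemon, or None."""
    return _docker("version", "--format", "{{.Server.Version}}")


def authz_plugins():
    """Configured authorization plugins as reported by `docker info`, or None.
    An empty list means no AuthZ plugin gates the API on this host."""
    return _docker("info", "--format", "{{.Plugins.Authorization}}")


if __name__ == "__main__":
    version = server_version()
    if version is None:
        print("docker not available here; call is_patched() on a version string instead")
    else:
        state = "patched" if is_patched(version) else "VULNERABLE, upgrade"
        print(f"Docker Engine {version}: {state}; AuthZ plugins: {authz_plugins()}")
```

Run it on each host (or feed it the output of `docker version --format '{{.Server.Version}}'` collected centrally). Hosts with no AuthZ plugin configured have nothing for this bug to bypass, but they should still be moved onto a fixed release rather than left on an unsupported branch.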

CISA Adds New Vulnerabilities to the KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog: a decade-old Internet Explorer flaw (CVE-2012-4792) and a Twilio Authy information disclosure bug (CVE-2024-39891). Both are being actively exploited, and federal civilian agencies are required to remediate them by August 13, 2024.

Google Abandons Plan to Phase Out Third-Party Cookies in Chrome

Google has decided not to phase out third-party cookies in Chrome and will instead introduce a user-choice prompt that lets users manage their cookie preferences. The change follows criticism and regulatory concern about the Privacy Sandbox initiative, which aimed to balance online privacy with the ad-supported web. The decision underscores how hard it is to reach industry consensus on replacing third-party cookies.

Magento Sites Being Targeted with Credit Card Skimmers

Magento e-commerce sites are being targeted by a credit card skimmer that hides its code in a swap file to evade detection and steal payment information at checkout. The malware exfiltrates stolen card data to a domain that resembles Amazon's, and because the swap file is overlooked by cleanups of the live code it has survived repeated removal attempts. Site owners are advised to restrict FTP and SSH access to trusted IP addresses, check the webroot for stray swap or editor temp files, and keep Magento and its extensions up to date.

Linux Ransomware Targeting VMware ESXi Servers

A new Linux variant of the Play ransomware group's encryptor targets VMware ESXi servers and is used in double-extortion attacks. The ransomware checks that it is running in an ESXi environment before executing and has so far evaded detection, posing a significant threat to enterprise infrastructure because encrypting a hypervisor disrupts every virtual machine it hosts at once.
