Welcome to this week’s Threat Intelligence Roundup! Each week we cover the latest on emerging threats, trends, and top security practices, all tailored just for you.
Threat Intel Thursdays are designed to give you a wider perspective and arm you with the knowledge you need to make smart security decisions.
Threat Intelligence Email Blasts This Week:
Zyxel Releases Emergency RCE Patch for NAS Devices
Zyxel has issued an emergency patch for end-of-life NAS devices to address a critical remote code execution (RCE) vulnerability identified as CVE-2024-29972, as well as patches for vulnerabilities CVE-2024-29973 and CVE-2024-29974. These vulnerabilities are already being actively exploited in the wild, posing significant risks to affected devices. Organizations are urged to apply the necessary patch immediately or consider replacing these end-of-life devices if possible.
Polyfill Supply Chain Attack Impacting Over 100k Websites
A supply chain attack on the popular JavaScript library Polyfill has affected over 100,000 websites. Threat actors are currently exploiting this attack to inject malicious code into websites that use the compromised JavaScript library. Users are being redirected to sports betting or adult domains, likely based on location. It is critical for teams to review and update their dependencies to minimize the danger of this attack.
This Week’s Roundup:
Mailcow Zero-Day Vulnerabilities Put Your Email Server at Risk
Mailcow has patched critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) that allowed attackers to execute malicious code via Cross-Site Scripting (XSS) and file overwrite flaws. Businesses are strongly advised to update to Mailcow 2024-04 (Moopril Update) to secure their email servers from potential remote code execution attacks. Regular updates and caution with unknown emails are recommended for continued security.
“GrimResource” Dubbed the New Command Execution Technique
A new attack technique called “GrimResource” exploits MSC files and an unpatched Windows XSS flaw (apds.dll) to execute malicious code through the Microsoft Management Console (MMC). This method, known for deploying Cobalt Strike, remains unflagged by antivirus engines and is actively being exploited. We advise you to monitor for suspicious MMC activity and file operations involving apds.dll to mitigate the risk for you and your organization.
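As an added illustration (not part of the original newsletter), a small Python triage script that applies the monitoring advice above to constructed Sysmon-style events: it flags mmc.exe launching an .msc file from a user-writable location and mmc.exe loading apds.dll. The event layout, the list of user-writable paths and the sample events are assumptions for the example, not real telemetry.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Event ID 1 = process
# creation, ID 7 = image load. One benign MMC launch, one launch of an .msc
# from a user Downloads folder, one apds.dll load by mmc.exe, one unrelated load.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"'},
    {"id": 1, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\invoice.msc"'},
    {"id": 7, "image": r"C:\Windows\System32\mmc.exe",
     "loaded": r"C:\Windows\System32\apds.dll"},
    {"id": 7, "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\shell32.dll"},
]

# Locations from which a console file is rarely opened legitimately (assumption;
# tune to your environment to keep false positives down).
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|AppData)\\", re.IGNORECASE)
# An .msc path on the command line (paths containing spaces are only partially captured).
MSC_ARG = re.compile(r'"?([^"\s]+\.msc)"?', re.IGNORECASE)


def assess(event):
    """Return a list of alert strings for one event (empty if nothing suspicious)."""
    alerts = []
    image = event.get("image", "").lower()
    if not image.endswith("\\mmc.exe"):
        return alerts
    if event.get("id") == 1:  # process creation: which .msc did MMC open?
        for path in MSC_ARG.findall(event.get("cmdline", "")):
            if USER_WRITABLE.search(path):
                alerts.append(f"mmc.exe opened .msc from user-writable path: {path}")
    elif event.get("id") == 7:  # image load: the DLL named in the advisory
        if event.get("loaded", "").lower().endswith("\\apds.dll"):
            alerts.append("mmc.exe loaded apds.dll")
    return alerts


def scan(events):
    """Run assess() over a batch of events and collect every alert."""
    return [alert for event in events for alert in assess(event)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Administrators who keep custom consoles in their profile will trip the path heuristic, so treat the first alert as a triage lead and the apds.dll load as the stronger signal.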
Authentication Bypasses in MOVEit Transfer and MOVEit Gateway
New authentication bypass vulnerabilities (CVE-2024-5806 and CVE-2024-5805) have been found in MOVEit Transfer and MOVEit Gateway, allowing attackers to bypass SFTP authentication and gain unauthorized access. These flaws are actively being exploited, so we strongly advise you to apply the latest patches immediately. Additionally, blocking public RDP access and limiting outbound access to trusted endpoints are recommended to enhance security.
Fortra FileCatalyst Workflow App Reported to Have Critical SQLi Vulnerability
A critical SQL injection (SQLi) vulnerability identified as CVE-2024-5276 has been found in the FileCatalyst Workflow application's MySQL database, carrying a CVSS score of 9.8. This vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to data breaches and complete system compromise. Teams are advised to apply the necessary updates to version 5.1.6 build 139 immediately to protect impacted devices.
Hackers Compromise Multiple WordPress Plugins to Create Administrator Accounts
Several WordPress plugins, including “Advanced Custom Fields,” “WooCommerce,” “Contact Form 7,” “Slider Revolution,” and “Yoast SEO,” have been compromised in a recent attack. The attackers injected malicious code into these plugins, potentially exposing sites to data breaches and unauthorized access. Organizations using WordPress are advised to audit and update their plugins immediately to protect their sites from these security vulnerabilities.
Kaspersky Antivirus Banned in US Over Security Concerns
The United States has banned the use of Kaspersky antivirus software over security concerns, citing risks associated with the company’s ties to the Russian government. The decision is aimed at protecting national security by preventing potential espionage and cyber threats linked to Kaspersky’s software. This move reinforces the government’s caution towards foreign technology with potential security implications.