Threat Intel: Thursday, June 6

Welcome to this week’s Threat Intelligence Roundup! Each week we cover the latest on emerging threats, trends, and top security practices, all tailored just for you.

Threat Intel Thursdays are designed to give you a wider perspective and arm you with the knowledge you need to make smart security decisions.

Threat Intelligence Email Blasts This Week:

Linux Kernel High Vulnerability CISA Warning The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned about an actively exploited privilege elevation flaw in the Linux kernel, tracked as CVE-2024-1086. This vulnerability, found in the netfilter framework, allows attackers to gain root-level access by exploiting a use-after-free issue. We strongly advise you to patch your systems as soon as possible.

ShrinkLocker Ransomware Using BitLocker to Encrypt Your Data The new ShrinkLocker ransomware uses Windows BitLocker to lock files by creating a new boot partition. It targets specific Windows versions, disables remote desktop connections, and enforces encryption without needing a TPM chip. After encrypting the drives, it removes the recovery options, making it difficult to retrieve the files without paying the ransom. This new attack emphasizes the importance of securely storing encryption recovery keys as well as maintaining and testing your offline data backups.

This Week’s Roundup:

TicketMaster Breach May Be Just the Beginning Recent data breaches at Ticketmaster, Santander, and Ticketek have been linked to credentials stolen from a Snowflake employee. The threat actor claims to have accessed Snowflake’s systems using these credentials to exfiltrate data from customer accounts.

We included this news in last week’s Threat Thursday, but there is evidence that this breach could be just the iceberg of other breaches on various companies. Please note that your information could be at serious risk.

Progress Telerik Servers Zero-Day Vulnerability Researchers have released an exploit for a critical authentication bypass vulnerability in Progress Telerik Report Server, allowing remote code execution. The flaw, CVE-2024-4358, enables attackers to create admin accounts without authorization and execute arbitrary commands using specially crafted payloads. We strongly urge you to update to version or later to address these issues and review your user list for any unauthorized accounts.

Windows Announces Deprecation of NTLM Authentication Protocol Microsoft has deprecated the NTLM authentication protocol, urging developers to transition to more secure alternatives like Kerberos or Negotiation. NTLM, first introduced in 1993, has been extensively abused in cyberattacks, and despite improvements, it is considered outdated by modern security standards. Microsoft has advised administrators to audit their systems and switch to more secure authentication methods to avoid potential security risks.

Okta Warning Customers on Credential Stuffing Attacks Okta has warned of credential stuffing attacks targeting its Customer Identity Cloud’s cross-origin resource sharing (CORS) feature. Attackers use stolen credentials to access Okta accounts, exploiting the CORS feature to send authentication calls. Okta has advised customers to review logs for suspicious activity, implement multi-factor authentication, and disable unused cross-origin authentication to mitigate these attacks.

Millions of Cox Modems Vulnerable to Remote Hacking Attacks Cox Communications recently fixed several vulnerabilities that could have allowed hackers to remotely control millions of their modems. The flaws included an API authorization bypass that could give attackers the same access as Cox’s tech support, allowing them to change settings and execute commands on the devices. Cox was very proactive and released a patch the next day, if you are using these products you need to update those machines as soon as you can.

Zyxel Issues Updates for Multiple Critical RCE Zero-Day Vulnerabilities Zyxel released an emergency patch for three critical vulnerabilities affecting their end-of-life NAS devices, NAS326 and NAS542, which could allow remote code execution and command injection. These flaws enable attackers to execute OS commands via specially crafted HTTP requests. We strongly advise applying the latest patches to your devices, as well as considering upgrading due to the fact that these are no longer officially supported by Zyxel.

Leave a Reply