Welcome to this week’s Threat Intelligence Roundup! Each week we cover the latest on emerging threats, trends, and top security practices, all tailored just for you.
Threat Intel Thursdays are designed to give you a wider perspective and arm you with the knowledge you need to make smart security decisions.
Threat Intelligence Email Blasts This Week:
Fortinet Advises of New FortiManager Flaw Used in Attacks Fortinet has warned of a critical vulnerability, tracked as CVE-2024-47575, in FortiManager that has been actively exploited in zero-day attacks. This flaw allows remote unauthenticated attackers to execute arbitrary code on affected systems, potentially compromising managed devices and stealing sensitive data such as IP addresses and credentials. Fortinet has released updates and advised workarounds to prevent exploitation. MSPs using FortiManager are particularly at risk, and immediate action is highly recommended.
New Windows Server “WinReg” NTLM Relay Exploit Released A proof-of-concept (PoC) exploit has been released for a vulnerability in Microsoft’s Remote Registry (WinReg) client, tracked as CVE-2024-43532. This flaw allows attackers to perform an NTLM relay attack, potentially leading to domain takeover by exploiting weak authentication fallback mechanisms. The flaw affects Windows Server versions from 2008 to 2022 and Windows 10/11. Researchers have demonstrated how to exploit this vulnerability using the PoC, urging administrators to patch or mitigate the risk.
This Week’s Roundup:
Cisco Patches Exploit Utilized in Brute-Force Campaign Cisco patched a vulnerability, tracked as CVE-2024-20481, in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products that was exploited in a large-scale brute-force campaign. The flaw allows attackers to cause a denial-of-service (DoS) condition by overwhelming the Remote Access VPN service. Cisco is aware of the active exploitation of this issue, which affects devices with VPN services enabled. We strongly advise organizations to apply patches promptly to mitigate the risk.
VMware Addresses RCE Flaw for Second Time VMware failed to fully fix a critical remote code execution (RCE) vulnerability, tracked as CVE-2024-38812, in its vCenter Server. Although a patch was issued, researchers found that the flaw still allows attackers to execute arbitrary code by exploiting certain conditions. This leaves systems vulnerable to potential exploitation, putting critical environments at risk. VMware is expected to issue additional updates to address the incomplete fix, so be sure to stay on top of this situation if you or your clients use VMware products.
CISA Proposes New Security Requirements to Protect Data CISA has proposed new security requirements to protect U.S. government and personal data from threats posed by adversarial states. These measures target organizations that handle sensitive data and include steps such as patching vulnerabilities within specific time frames, enforcing multi-factor authentication, restricting unauthorized hardware, and encrypting critical data. The proposal, part of Executive Order 14117, aims to mitigate risks related to data breaches and cyberattacks from hostile nations.
Recent Microsoft SharePoint RCE Flaw Under Attack CISA has issued a warning about a recent remote code execution (RCE) vulnerability in Microsoft SharePoint Server, tracked as CVE-2024-38094, which has been actively exploited. This flaw allows attackers with authenticated access to inject and execute arbitrary code, putting organizations at risk. Although the vulnerability was patched in July 2024, CISA urges federal agencies and organizations to apply these updates immediately. Failure to address this could result in severe compromises of SharePoint environments.
Threat Actors Exploiting Roundcube Webmail Flaw to Steal Email Attackers are exploiting a stored cross-site scripting (XSS) vulnerability in Roundcube Webmail, tracked as CVE-2024-37383, to steal email credentials. The attack involves sending specially crafted emails that inject malicious JavaScript into the victim’s Roundcube session. This leads to an unauthorized login form appearing, tricking users into submitting their login credentials. The flaw affects certain Roundcube versions, and administrators are urged to update to the latest versions to protect against these attacks.
Popular Android and iOS Apps Expose AWS, Azure Auth Keys Security researchers discovered that several popular Android and iOS apps contain hardcoded AWS and Azure authentication keys, exposing millions of users to potential data breaches. These credentials could give attackers unauthorized access to sensitive user data stored in cloud services like Amazon S3 buckets and Microsoft Azure Blob Storage. The discovery highlights poor security practices in app development, as these keys were left unencrypted in the app code. Developers are urged to update security practices and remove these hardcoded credentials.
6,000 WordPress Sites Hacked to Install Infostealers Over 6,000 WordPress sites have been hacked to install malicious plugins that push infostealer malware. The plugins display fake software updates and error messages, tricking users into running PowerShell scripts that download and install malware. This campaign, named ClickFix, uses compromised admin credentials to install these plugins, which mimic legitimate ones. WordPress administrators are advised to check for unfamiliar plugins and reset admin passwords to secure their sites.