Welcome to this week’s Threat Intelligence Roundup! Each week we cover the latest on emerging threats, trends, and top security practices, all tailored just for you.
Threat Intel Thursdays are designed to give you a wider perspective and arm you with the knowledge you need to make smart security decisions.
Threat Intelligence Email Blasts This Week:
D-Link Hardcoded Password Flaws That Could Lead to RCE
D-Link has patched critical security flaws in three popular WiFi 6 routers that could allow attackers to execute remote code or access the devices using hardcoded credentials. The affected models include DIR-X4860, DIR-X5460, and COVR-X1870. These vulnerabilities, rated up to 9.8 in severity, involve stack-based buffer overflows and improper telnet service configurations. D-Link has urged teams to update their devices to the latest firmware to mitigate these risks.
SolarWinds Vulnerabilities That Could Lead to an Attack Chain
SolarWinds has released a patch for a critical vulnerability (CVE-2024-28991) in its Access Rights Manager (ARM) software that could allow remote code execution (RCE). The flaw, rated 8.8 in severity, stems from deserialization of untrusted data, potentially allowing an attacker to execute arbitrary code with system privileges. Another medium-severity flaw (CVE-2024-28990) related to hardcoded credentials was also addressed. Organizations are strongly urged to update to the latest version to safeguard their systems.
This Week’s Roundup:
VMware RCE Vulnerability Impacting vCenter Servers
VMware has released a patch for a critical vulnerability (CVE-2024-38812) in vCenter Server that allows remote code execution via specially crafted network packets. The flaw, with a severity rating of 9.8, affects versions 7.0 and 8.0. Additionally, a privilege escalation vulnerability (CVE-2024-38813) was also patched. VMware urges all teams to apply the updates immediately, as patching is essential to preventing attacks on affected systems.
Over 1,000 ServiceNow Instances Leaking Corporate KB Data
Over 1,000 misconfigured ServiceNow instances have been found leaking sensitive corporate Knowledge Base (KB) data to unauthorized users. The exposed information includes personally identifiable information (PII), user credentials, and access tokens for live systems. Despite security updates in 2023, many KB articles remain vulnerable due to improper access control configurations. Organizations using ServiceNow are advised to review their security settings and implement proper User Criteria and Access Control Lists (ACLs) to protect sensitive information.
PKfail Secure Boot Vulnerability Still a Major Risk
Two months after the disclosure of the PKfail Secure Boot bypass vulnerability (CVE-2024-8105), it remains a significant threat. The issue stems from the use of untrusted cryptographic test keys in over 800 device models, including laptops, servers, and medical devices. These test keys allow attackers to bypass Secure Boot protections, enabling the installation of undetectable UEFI malware. Although many vendors have released patches, devices without updates are still vulnerable. Affected organizations are urged to update their firmware to mitigate this risk.
Ivanti EPM Vulnerability Public Proof-of-Concept (PoC) Released
Exploit code for a critical remote code execution (RCE) vulnerability (CVE-2024-29847) in Ivanti Endpoint Manager has been released. The flaw allows attackers to execute arbitrary code via deserialization of untrusted data. The public proof-of-concept (PoC) exploit increases the risk of attacks, making it essential for Ivanti users to update their systems immediately.
CISA Adds New Windows and WhatsUp Gold Vulnerabilities to KEV Catalog
The U.S. CISA has added several critical vulnerabilities to its Known Exploited Vulnerabilities catalog, including issues in Microsoft Windows’ MSHTML platform and Progress WhatsUp Gold software. These flaws could be exploited to execute arbitrary code or gain elevated privileges. CISA is urging organizations to address these vulnerabilities as they are known to be actively exploited in the wild, which increases the risk of cyberattacks if left unpatched.
Fortinet Confirms Huge Data Breach – 440 GB of Data Leaked
Fortinet has confirmed a data breach after a hacker leaked 440 GB of data on a dark web forum. The leaked information includes sensitive company files, which the hacker claimed were obtained from a third-party vendor’s compromised Fortinet VPN. While Fortinet downplayed the scope of the breach, the leak exposed highly confidential data, leading to concerns about the potential exploitation of this information by cybercriminals. The company is taking steps to investigate and mitigate the impact of the breach.