Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Mozilla Patches Critical Firefox Zero-Day Bugs Exploited at Hacking Competition

25-Mar-2024
Label: Vulnerability
Threat Level: Medium

Mozilla addressed two critical vulnerabilities in Firefox that attackers exploited during the Pwn2Own 2024 hacking contest. These zero-day bugs allowed attackers to potentially execute malicious code on vulnerable devices.

The first vulnerability, designated CVE-2024-29943, allowed threat actors to bypass a security measure in Firefox and achieve remote code execution. This flaw involved manipulating a JavaScript object out-of-bounds by exploiting a weakness in the browser’s handling of range checks.

The second critical issue, identified as CVE-2024-29944, resided in how Firefox handles event handlers. An attacker could potentially exploit this flaw to execute malicious code with elevated privileges within the main Firefox process.

Atlassian Releases Fixes for Over 20 Flaws, Including Critical Bamboo Bug

25-Mar-2024
Label: Vulnerability
Threat Level: Medium

Atlassian recently released patches to address over 20 security vulnerabilities, among which is a critical flaw impacting Bamboo Data Center and Server. This vulnerability, identified as CVE-2024-1597 and with a maximum CVSS score of 10.0, poses a significant risk as it can be exploited without any user interaction. The flaw, categorized as an SQL injection vulnerability, is attributed to a dependency known as org.postgresql:postgresql. Despite its critical nature, Atlassian has deemed it to present a lower assessed risk.

The vulnerability associated with the org.postgresql:postgresql dependency allows unauthenticated attackers to potentially expose sensitive assets within the environment. This exposure could lead to severe consequences, including high impacts on confidentiality, integrity, and availability. The exploitation requires no user interaction and is facilitated by the PostgreSQL JDBC Driver (pgjdbc), particularly when using PreferQueryMode=SIMPLE.

Versions of the driver preceding 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 (also addressed in 42.2.28.jre7) are susceptible to SQL injection if configured with preferQueryMode=simple and coupled with application code featuring vulnerable SQL queries that negate parameter values. However, it is crucial to note that there is no vulnerability in the driver when utilizing the default query mode. Users who have not overridden the query mode remain unaffected.
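The mechanism described above, as an added illustration that is not code from the page, from pgjdbc or from Atlassian: a small emulation of how a simple query mode inlines parameter values into the SQL text (the real driver's escaping rules are more involved; this is an assumption for illustration), showing why a negated placeholder such as `SELECT -?` turns a negative number into a `--` line comment, and the parenthesized rendering that avoids it. The `find_negated_placeholders` audit helper is likewise hypothetical.

```python
import re

PLACEHOLDER = "?"

def render_simple_mode(sql, params, parenthesize_negatives):
    """Emulate client-side substitution of parameters into the SQL text
    (what a simple query mode does instead of sending values separately).
    Strings are single-quoted with embedded quotes doubled; numbers are
    inlined bare, or wrapped in parentheses when parenthesize_negatives
    is True (the hardened rendering)."""
    out = []
    idx = 0
    for ch in sql:
        if ch != PLACEHOLDER:
            out.append(ch)
            continue
        value = params[idx]
        idx += 1
        if isinstance(value, str):
            out.append("'" + value.replace("'", "''") + "'")
        elif isinstance(value, (int, float)) and value < 0 and parenthesize_negatives:
            out.append("(" + repr(value) + ")")
        else:
            out.append(repr(value))
    return "".join(out)

# Audit helper: a placeholder immediately preceded by a unary minus is the
# shape of query the advisory warns about ("queries that negate parameter values").
NEGATED_PLACEHOLDER = re.compile(r"-\s*\?")

def find_negated_placeholders(sql):
    """Return the offsets of every '-?' in the query text."""
    return [m.start() for m in NEGATED_PLACEHOLDER.finditer(sql)]

def introduces_line_comment(sql, params, parenthesize_negatives=False):
    """True when inlining the values produced a '--' that the template lacked,
    i.e. the remainder of the statement would be commented out server-side."""
    return "--" not in sql and "--" in render_simple_mode(sql, params, parenthesize_negatives)

if __name__ == "__main__":
    # Constructed sample: a negated placeholder fed a negative value.
    q = "SELECT -? AS v FROM t WHERE id = ?"
    print(render_simple_mode(q, [-1, 7], False))   # SELECT --1 AS v FROM t WHERE id = 7
    print(render_simple_mode(q, [-1, 7], True))    # SELECT -(-1) AS v FROM t WHERE id = 7
    print(find_negated_placeholders(q))            # [7]
```

Applications that never override the query mode send parameters out of band and are not affected, which is why the advisory limits the issue to preferQueryMode=simple.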

Regarding Atlassian’s Bamboo Data Center and Server, the vulnerability (CVE-2024-1597) was introduced in specific versions, including 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0. However, Atlassian assured that other Data Center products, including Bamboo, are not impacted by this vulnerability since they do not employ PreferQueryMode=SIMPLE in their SQL database connection configurations.

Critical Flaw in Ivanti Standalone Sentry Leads to RCE

25-Mar-2024
Label: Vulnerability
Threat Level: Medium

A new critical remote code execution vulnerability has been discovered in the Ivanti Standalone Sentry, designated as CVE-2023-41724 (with a CVSS score of 9.6). Ivanti Standalone Sentry (formerly known as MobileIron Sentry) is the standalone version of Ivanti’s software component that manages and secures traffic between devices and back-end enterprise systems. Exploiting this vulnerability, a remote attacker could gain unauthorized access to the target system and execute arbitrary commands.

The issue affects versions 9.17.0, 9.18.0, and 9.19.0 of the software, as well as older versions; Ivanti has released patches (9.17.1, 9.18.1, and 9.19.1) to mitigate the risk.

Ivanti has not observed any instances of customers being compromised by this vulnerability, and notes that the issue cannot be exploited over the internet by actors without a valid TLS client certificate enrolled through Ivanti’s EPMM. Ivanti strongly recommends upgrading to the latest versions of Sentry to ensure access to the most recent security and stability fixes.

PhantomBlu Campaign Employs New Methods to Distribute NetSupport RAT

25-Mar-2024
Label: Malware
Threat Level: Medium

Security researchers have recently identified a sophisticated malware campaign called “PhantomBlu”, aimed at organizations in the United States. This campaign uses advanced evasion techniques to deploy the NetSupport Remote Access Trojan (RAT).

The NetSupport RAT, originally derived from a legitimate remote support application, is designed for surveillance and control, allowing attackers to perform a range of malicious activities such as monitoring user actions, capturing keystrokes, and transferring files. A standout feature of PhantomBlu is its exploitation of Microsoft Windows Object Linking and Embedding (OLE) templates — a method not previously recorded in email-based delivery of NetSupport RAT. This technique, known as OLE template manipulation, executes malicious code hidden within document templates without detection, only activating upon user interaction with seemingly benign document features.

The initial phase of the campaign involves phishing emails that masquerade as communications from an accounting service, prompting recipients to download an attached document allegedly containing their “monthly salary report”. This document tricks users into enabling an OLE package disguised as a clickable element within the document. Upon interaction, this triggers a PowerShell dropper designed to retrieve and execute further malicious payloads, ultimately installing the NetSupport RAT on the user’s system. By utilizing reputable email delivery services and exploiting legitimate document features, the attackers conceal their malicious intentions, showcasing the campaign’s complexity and the sophistication of its evasion tactics.
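A triage check for the delivery vector described above, added here as example code that is not part of the original alert or the researchers' tooling: an OOXML document is a zip archive, and an embedded OLE package appears both as a file under word/embeddings/ and as an oleObject relationship in word/_rels/document.xml.rels, so a mail gateway or sandbox can flag attachments carrying one before a user ever clicks. The sample document is constructed in memory; the function names are assumptions.

```python
import io
import re
import zipfile

# Relationship type OOXML uses to reference an embedded OLE object from document.xml
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def find_embedded_ole(docx_bytes):
    """Return the OLE relationships (Id, Target) declared by the main document part
    and every file stored under word/embeddings/."""
    findings = {"relationships": [], "embeddings": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        findings["embeddings"] = [n for n in names if n.startswith("word/embeddings/")]
        rels_name = "word/_rels/document.xml.rels"
        if rels_name in names:
            rels = zf.read(rels_name).decode("utf-8", errors="replace")
            for m in re.finditer(r"<Relationship\s+([^>]*)/?>", rels):
                attrs = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
                if attrs.get("Type") == OLE_REL_TYPE:
                    findings["relationships"].append((attrs.get("Id"), attrs.get("Target")))
    return findings

def should_quarantine(docx_bytes):
    """Policy hook: hold any attachment that carries an embedded OLE package."""
    f = find_embedded_ole(docx_bytes)
    return bool(f["relationships"] or f["embeddings"])

def build_sample_docx(with_ole):
    """Constructed minimal docx-shaped archive for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = ["<Relationships>"]
        if with_ole:
            rels.append('<Relationship Id="rId5" Type="%s" Target="embeddings/oleObject1.bin"/>' % OLE_REL_TYPE)
            # OLE compound-file magic followed by padding; constructed placeholder content
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        rels.append("</Relationships>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()

if __name__ == "__main__":
    print(should_quarantine(build_sample_docx(True)))   # True
    print(should_quarantine(build_sample_docx(False)))  # False
```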

New ‘Loop DoS’ Attack Could Impact Up to 300,000 Online Systems

25-Mar-2024
Label: Trends
Threat Level: Medium

Researchers recently discovered a denial-of-service attack named ‘Loop DoS,’ which exploits UDP to cause persistent communication loops, thus generating heavy traffic. The attack is made possible by a UDP protocol vulnerability, CVE-2024-2169, which allows for IP spoofing.

Currently, an estimated 300,000 hosts are vulnerable, with Broadcom, Cisco, Honeywell, Microsoft, and MikroTik confirming affected products. The exploit is straightforward but has not yet been observed in the wild.

Protection involves promptly updating software patches, discontinuing outdated products, and minimizing UDP usage. Security can be enhanced by implementing firewall restrictions, access-control lists, and anti-spoofing techniques like BCP38 and uRPF. Quality-of-Service (QoS) settings can also mitigate traffic issues from DoS attacks.

Protecting Against Attacks on NTLM Authentication

25-Mar-2024
Label: Trends
Threat Level: Medium

Recently, there have been multiple incidents related to the exploitation of the Windows New Technology LAN Manager (NTLM) protocol. Microsoft, during its latest “Patch Tuesday” security update, addressed a critical vulnerability in the Microsoft Exchange server, designated as CVE-2024-21410. This critical flaw is rooted in the NTLM authentication protocol, allowing attackers to execute NTLM relay attacks. Through such attacks, unauthorized parties can capture and relay NTLM authentication requests, impersonating legitimate users to gain access to restricted data and systems.

The exposure of CVE-2024-21410 was brought to attention after active exploits were detected in the wild. While the specifics of these exploitations are currently unknown, it is known that Russian state-affiliated groups like APT28 have previously exploited similar vulnerabilities in Microsoft Outlook to carry out NTLM relay attacks.

Earlier this month, a phishing campaign was reported where attackers specifically targeted NTLM authentication details. Windows NTLM is a collection of security protocols from Microsoft, intended to authenticate user identity while safeguarding the integrity and confidentiality of their activities. NTLM functions as a single sign-on (SSO) system, utilizing a challenge-response mechanism for user verification without the need for password submission.

The latest attack campaign introduces a new method, using “thread-jacking” phishing techniques to deliver tailored zipped HTML attachments to each intended victim. Once NTLM challenge/response values are captured, they can be utilized to compromise victim credentials, take over accounts, access sensitive data, and potentially escalate privileges. Attackers could then expand their foothold, moving laterally within the network to compromise additional systems if they have already infiltrated an organization’s network.
