Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Security Update for Apache OFBiz Addresses High-Severity Flaws Allowing Remote Code Execution
Apache OFBiz, a popular open-source enterprise resource planning system, has released a security update to mitigate a high-severity vulnerability that poses a risk of unauthenticated remote code execution on both Linux and Windows platforms.
The issue, identified as CVE-2024-45195 (CVSS 7.5), was present in all versions prior to 18.12.16. It allowed attackers without valid credentials to bypass view authorization checks in the web application, thereby executing arbitrary code on the server.
The significance of CVE-2024-45195 lies in its ability to circumvent previously patched vulnerabilities—CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856—that were not comprehensively resolved, leading to an ongoing risk of exploit attempts in the wild, including the deployment of the Mirai botnet malware.
In addition to CVE-2024-45195, the latest update from Apache OFBiz, version 18.12.16, also addresses a critical server-side request forgery (SSRF) vulnerability tagged as CVE-2024-45507 (CVSS 9.8). This particular flaw could potentially enable threat actors to gain unauthorized access and compromise the system by manipulating specially crafted URLs.
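The practical check that follows from this alert is an inventory triage: any OFBiz instance older than 18.12.16 is exposed to both CVE-2024-45195 and CVE-2024-45507. The script below is an added example, not CyberProof's or Apache's code; the inventory rows are constructed sample data, and the `SAMPLE_INVENTORY` and `affected_hosts` names are this example's own.

```python
"""Triage an asset inventory for Apache OFBiz instances affected by
CVE-2024-45195 and CVE-2024-45507 (both fixed in 18.12.16).

Added illustration, not CyberProof's or Apache's code. The inventory
rows below are constructed sample data, not real hosts."""
import re
from typing import Iterable

# First version carrying the fix, as stated in the advisory.
FIXED_VERSION = (18, 12, 16)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '18.12.15' or '18.12.16-SNAPSHOT' into a comparable tuple.

    Only the leading dotted numeric part is used; qualifiers such as
    '-SNAPSHOT' are ignored, so a pre-release snapshot that predates the
    fix would be treated as fixed (see the inventory comment below)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the installed version is older than 18.12.16."""
    return parse_version(version) < FIXED_VERSION


def affected_hosts(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Return the hostnames whose reported version still needs the update."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory: (hostname, reported OFBiz version)
SAMPLE_INVENTORY = [
    ("erp-prod-01", "18.12.15"),
    ("erp-prod-02", "18.12.16"),
    ("erp-dev-01", "18.12.10"),
    ("erp-test-01", "18.12.16-SNAPSHOT"),   # qualifier ignored: treated as fixed
    ("erp-legacy", "17.12.07"),
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to 18.12.16 or later")
```

Because the comparison is a plain tuple comparison, a version with fewer components (for example "18.12") sorts before 18.12.16 and is reported as affected, which is the safe default for an incomplete inventory entry.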
New Critical RCE Flaw in Veeam Backup & Replication Software
Veeam has disclosed a new critical Remote Code Execution flaw, identified as CVE-2024-40711 (CVSS score 9.8). This vulnerability allows attackers to execute arbitrary code on affected systems without authentication. If successfully exploited, it could lead to full system compromise, allowing attackers to manipulate or delete data and potentially move laterally within a network.
Once exploited, attackers could gain unauthorized control over the backup infrastructure, disrupt critical processes, and use the compromised system as a foothold to access additional resources within the organization.
While it is currently unknown if this vulnerability is being actively exploited, it is expected to attract ransomware operators and other threat actors aiming to compromise backup systems and disrupt data recovery processes.
The Innovative Techniques of Cicada3301 Ransomware
Researchers have recently identified Cicada3301, a new Rust-based ransomware that has been targeting various sectors with alarming precision and success. While its methods are reminiscent of the BlackCat ransomware in some respects, Cicada3301 distinguishes itself with unique approaches to system infiltration and data encryption.
The technical execution of Cicada3301 ransomware is complex. It is written in Rust, which has become a popular choice among threat actors for its speed and cross-platform capabilities. The ransomware takes a multi-faceted approach to system compromise, including the use of a renamed copy of the Microsoft-signed Sysinternals tool PsExec, temporarily written to disk, to carry out remote commands. This strategy is seen in various forms of cyber-attacks and blurs the line between legitimate administrative tools and malicious exploitation.
The most notable technical innovation within Cicada3301 is its use of embedded compromised credentials in the ransomware payload. The embedded credentials are employed to execute psexec, which allows the ransomware to spread laterally across the network, illustrating a sophisticated level of attack customization. This capability, along with the ransomware’s ability to personalize the ransom demand for each victim, showcases a leap forward in the tactical approach of threat actors, enhancing the potency and potential impact of their attacks.
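A renamed copy of PsExec keeps the version resource of the original binary, so process-creation telemetry that records the PE's original file name (Sysmon Event ID 1 exposes it as `OriginalFileName`) can flag the mismatch between what the file claims to be and what it is called on disk. The detection logic below is an added example, not CyberProof's code. It assumes Sysmon-style records with `Image` and `OriginalFileName` fields and that PsExec's version resource reports the original file name `psexec.c`; the sample events are constructed, not real telemetry.

```python
"""Flag renamed copies of PsExec in process-creation telemetry.

Added example, not CyberProof's code. Assumes Sysmon-style Event ID 1
records carrying Image and OriginalFileName (Sysmon reads the latter from
the PE version resource) and that PsExec reports 'psexec.c' there.
The sample events are constructed, not real telemetry."""
from pathlib import PureWindowsPath

# Original file name PsExec carries in its version resource (assumed).
PSEXEC_ORIGINAL_FILENAME = "psexec.c"
# File names a legitimately deployed PsExec binary is expected to have.
LEGIT_IMAGE_NAMES = {"psexec.exe", "psexec64.exe"}


def image_basename(event: dict) -> str:
    """Lower-cased file name of the executed image, Windows path aware."""
    return PureWindowsPath(event.get("Image", "")).name.lower()


def is_renamed_psexec(event: dict) -> bool:
    """True when the version resource says PsExec but the on-disk name does not."""
    if event.get("OriginalFileName", "").lower() != PSEXEC_ORIGINAL_FILENAME:
        return False
    return image_basename(event) not in LEGIT_IMAGE_NAMES


def find_renamed_psexec(events) -> list[str]:
    """Return the image paths of every event that looks like renamed PsExec."""
    return [event["Image"] for event in events if is_renamed_psexec(event)]


# Constructed sample events (only the fields the check uses are shown).
SAMPLE_EVENTS = [
    # Admin-deployed PsExec under its own name: not flagged.
    {"EventID": 1, "Image": r"C:\Tools\PsExec64.exe",
     "OriginalFileName": "psexec.c"},
    # PsExec written to a temp directory under an unrelated name: flagged.
    {"EventID": 1, "Image": r"C:\Windows\Temp\upd.exe",
     "OriginalFileName": "psexec.c"},
    # Unrelated binary: not flagged.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for image in find_renamed_psexec(SAMPLE_EVENTS):
        print(f"renamed PsExec suspected: {image}")
```

The check deliberately ignores the process command line: the signal is the disagreement between the version resource and the file name, which survives whatever arguments the operator passes. Pair it with the service-installation events PsExec generates on the remote host for corroboration.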
Critical Vulnerabilities Patched in Cisco Smart Licensing Utility
Cisco has recently patched two critical security vulnerabilities in its Smart Licensing Utility that could potentially allow attackers to gain unauthorized access with administrative privileges and obtain sensitive information.
The first vulnerability, identified as CVE-2024-20439 (CVSS score: 9.8), arises from an undocumented static credential for an administrative account, which could permit unauthorized system access. A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application.
The second vulnerability, CVE-2024-20440 (CVSS score: 9.8), arises from a debug log file that retains an excessive amount of detail, exposing the system to a risk where attackers could retrieve sensitive data, including API access credentials, by issuing a specifically crafted HTTP request.
Espionage Campaigns Intensify as KTLVDoor Malware Targets Multiple Sectors
A new cross-platform malware named KTLVDoor has been identified in an espionage campaign conducted by the Earth Lusca APT group. This malware targets both Windows and Linux systems, posing a significant threat to public and private sector entities across multiple regions, including Asia, Australia, Europe, and North America. The campaign highlights Earth Lusca’s evolving tactics and capabilities in compromising high-value global targets.
KTLVDoor incorporates complex command-and-control (C2) interactions, enabling it to bypass firewall rules and network segmentation policies. Additionally, the malware has self-updating capabilities, allowing it to adapt to changing network conditions and evade signature-based detection methods.
Moreover, KTLVDoor is a modular backdoor that enables attackers to execute various malicious actions, such as running commands, stealing sensitive information, and maintaining persistent access to compromised systems. Earth Lusca, known for its espionage operations, uses this malware to infiltrate networks, exfiltrate data, and covertly monitor victim environments. Its cross-platform design makes it highly adaptable to different environments, further amplifying its threat potential.
Unicode QR Code Scams: Bypassing Security with Invisible Threats
Researchers have discovered a new cyber threat called “Unicode QR Code Phishing”, where attackers use Unicode text characters to create QR codes that evade traditional image-based security measures. This technique takes advantage of the ubiquity of QR codes in digital interactions, which has led to a significant rise in QR code phishing attacks. Traditional defenses that scan for suspicious images are ineffective against this text-based approach. These Unicode QR codes can be scanned and function correctly on smartphones, yet look different in plain text, complicating their detection. The rise of this new threat, with a reported 587% increase in attacks, underscores the need for updated security strategies to address these sophisticated phishing techniques.
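Because these QR codes are text rather than images, the defensive counterpart is a text-level check on message bodies. The script below is an added example, not code from the researchers or from CyberProof. It assumes the QR grid is rendered with Unicode block-element characters (U+2580 to U+259F) and spaces, which is how text-mode QR renderers draw dark and light modules; the sample message is constructed.

```python
"""Detect QR codes rendered as Unicode text in message bodies.

Added example, not code from the original post. Assumes the QR grid is
drawn with Unicode block elements (U+2580..U+259F, e.g. ▀ ▄ █) and
whitespace, as text-mode QR renderers do. The sample message below is
constructed for illustration."""

BLOCK_CHARS = {chr(cp) for cp in range(0x2580, 0x25A0)}
# Whitespace variants that renderers (and mail clients) use for light modules.
FILLER = {" ", "\u00a0", "\u2002", "\u2003", "\u3000"}


def is_grid_line(line: str, min_width: int = 15) -> bool:
    """A line made only of block characters and filler, wide enough to be a QR row."""
    if len(line) < min_width:
        return False
    return (all(ch in BLOCK_CHARS or ch in FILLER for ch in line)
            and any(ch in BLOCK_CHARS for ch in line))


def find_unicode_qr(text: str, min_rows: int = 10, min_width: int = 15) -> list[tuple[int, int]]:
    """Return (first_line, last_line) spans of consecutive grid-like lines.

    A span counts only when it has at least min_rows lines of nearly equal
    width, which separates a QR grid from a stray decorative character."""
    spans: list[tuple[int, int]] = []
    start, widths = None, []
    for i, line in enumerate(text.splitlines() + [""]):  # sentinel closes a trailing span
        if is_grid_line(line, min_width):
            if start is None:
                start = i
            widths.append(len(line))
        else:
            if start is not None and len(widths) >= min_rows and max(widths) - min(widths) <= 2:
                spans.append((start, i - 1))
            start, widths = None, []
    return spans


def _constructed_grid(size: int = 21) -> str:
    """A deterministic 21x21 block-character pattern shaped like a QR code.

    Constructed for the example; it is not a scannable code."""
    rows = []
    for y in range(size):
        rows.append("".join(
            "█" if ((x * 7 + y * 3) % 5 < 2 or (x < 7 and y < 7)) else " "
            for x in range(size)))
    return "\n".join(rows)


# Constructed sample message: lure text, then the text-rendered grid.
SAMPLE_EMAIL = (
    "Your mailbox password expires today.\n"
    "Scan the code below with your phone to keep access:\n\n"
    + _constructed_grid()
    + "\n\nIT Service Desk\n"
)

if __name__ == "__main__":
    for first, last in find_unicode_qr(SAMPLE_EMAIL):
        print(f"Unicode QR grid suspected at lines {first}-{last}")
```

Box-drawing characters (U+2500 block) are not in the accepted set, so plain-text tables and ASCII-art signatures do not trigger the check; only a tall, evenly wide block of block-element characters does.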