Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates

The Rise of Phishing Attacks Using GitHub, Telegram, and QR Codes

21-Oct-2024
Label: Trends
Threat Level: High

Researchers have identified a new malware campaign exploiting GitHub to infiltrate the insurance and finance sectors. The attackers cleverly leverage legitimate, high-profile tax-related repositories to bypass standard security measures, employing the Remcos Remote Access Trojan (RAT) within phishing emails. This novel tactic utilizes the trusted nature of GitHub, avoiding conventional detection methods. The malware loader establishes persistence and can deploy further malicious payloads.
Researchers also highlight an increase in inventive phishing strategies, such as the use of ASCII- and Unicode-based QR codes, blob URLs, and the exploitation of legitimate online accommodation booking accounts for financial scams. Recent arrests suggest a highly organized criminal network, targeting vulnerable individuals for recruitment and utilizing advanced tools like the Telekopye Telegram bot for wide-reaching scam operations.

New macOS Vulnerability Potentially Leads to Unauthorized Data Access

21-Oct-2024
Label: Vulnerability
Threat Level: Medium

A recent macOS vulnerability, “HM Surf”, identified as CVE-2024-44133 (CVSS score 5.5), allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, potentially exposing users’ sensitive data. The flaw undermines the protection mechanisms that gate access to services such as the camera, microphone, and location, so that access can be obtained without the user’s consent. Exploiting this vulnerability could enable attackers to gain unauthorized access to personal data stored in the Safari browser directory, raising security risks for macOS users.

The exploit involves manipulating key configuration files within the user’s home directory to bypass TCC protections, granting unrestricted access to sensitive services. Once an attacker gains control of these files, they can modify TCC settings that dictate access permissions, allowing them to stealthily gather data, run malicious code, or perform actions such as taking snapshots, tracking location, or streaming audio and video from the device without the user’s knowledge. Attackers can further leverage the flaw by hosting malicious websites over HTTPS to gain access to TCC-protected services via JavaScript, making this vulnerability a high-priority target for exploitation, especially by malware like Adload, which has been detected in the wild exploiting similar weaknesses.

Jetpack Critical Security Update

21-Oct-2024
Label: Vulnerability
Threat Level: Medium

Jetpack has released a security patch to address a critical vulnerability in the plugin’s Contact Form feature. This issue has been present since version 3.9.9, released in 2016, and could allow logged-in users to access form submissions from site visitors. While there is currently no evidence of the vulnerability being exploited, site owners are urged to update their Jetpack installation as soon as possible to safeguard their websites. Patched versions for all affected releases have been automatically deployed to most websites.

The vulnerability was uncovered during an internal security audit and affects any site running Jetpack versions from 3.9.9 onwards. The flaw allows logged-in users who are not authorized to view form submissions to potentially access sensitive data submitted through the Contact Form. Though there have been no confirmed cases of exploitation, the release of the security patch could prompt malicious actors to attempt to leverage the flaw, underscoring the importance of immediate updates.

Critical Kubernetes Image Builder Vulnerability

21-Oct-2024
Label: Vulnerability
Threat Level: Medium

A critical vulnerability, CVE-2024-9486 (CVSS score: 9.8), has been identified in the Kubernetes Image Builder, allowing potential root access if exploited. This flaw arises from default credentials being enabled during the image build process, particularly affecting VM images created with the Proxmox provider.

To mitigate the issue, it is advised to disable the builder account on affected VMs and rebuild images using Kubernetes Image Builder version 0.1.38, which replaces default credentials with a randomly generated password and disables the builder account post-build.
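A defender-side check for the builder account described above, added here as an example and not part of the alert or the Kubernetes Image Builder project; it assumes a mounted image root with standard /etc/passwd and /etc/shadow files and an account named builder, and flags the image when that account still carries an active password:

```shell
#!/bin/sh
# Added example (not from the alert or the Kubernetes Image Builder project):
# audit a mounted VM image for the "builder" account the alert describes.
# Assumes standard /etc/passwd and /etc/shadow under the image root given as
# the first argument; the account name defaults to "builder".
# Returns 0 = absent or locked, 1 = active password (treat as affected),
# 2 = present but no shadow entry (inspect manually).
check_builder_account() {
    root="${1:-/}"
    user="${2:-builder}"
    passwd="$root/etc/passwd"
    shadow="$root/etc/shadow"

    if ! grep -q "^$user:" "$passwd" 2>/dev/null; then
        echo "OK: no '$user' account in $passwd"
        return 0
    fi
    if ! grep -q "^$user:" "$shadow" 2>/dev/null; then
        echo "WARN: '$user' is in $passwd but has no shadow entry; inspect manually"
        return 2
    fi

    # Field 2 of the shadow entry is the password hash. A leading "!" or "*"
    # means the account is locked; anything else (including an empty field,
    # which may allow password-less login) is an active credential.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
    case "$hash" in
        '!'*|'*'*)
            echo "OK: '$user' exists but is locked"
            return 0
            ;;
        *)
            echo "AFFECTED: '$user' has an active password; disable the account and rebuild the image with Image Builder 0.1.38 or later"
            return 1
            ;;
    esac
}

# Builds a constructed (not real) image root with a builder account whose
# shadow hash field is $1, so the check can be exercised offline.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\nbuilder:x:1000:1000::/home/builder:/bin/sh\n' > "$dir/etc/passwd"
    printf 'root:*:19000:0:99999:7:::\nbuilder:%s:19000:0:99999:7:::\n' "$1" > "$dir/etc/shadow"
    echo "$dir"
}
```

Run `check_builder_account /mnt/image` against a mounted image, or `check_builder_account "$(make_sample_root '!')"` to see the locked-account path on constructed data.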

GitHub Patches Critical Flaw in Enterprise Server

21-Oct-2024
Label: Vulnerability
Threat Level: Medium

GitHub has released a security advisory addressing multiple vulnerabilities in GitHub Enterprise Server (GHES), including a critical flaw that could allow unauthorized access to the server. The most severe of these, tracked as CVE-2024-9487, has a CVSS score of 9.5 and arises from improper verification of cryptographic signatures in the SAML single sign-on (SSO) authentication process when the optional encrypted assertions feature is enabled. Exploiting this flaw could allow attackers to bypass SSO, provision users, and gain unauthorized access to the instance.
Additionally, CVE-2024-9539, with a CVSS score of 5.7, could be exploited by uploading malicious SVG files. If a victim clicks a malicious URL for the SVG asset, the attacker can retrieve metadata about the user, potentially aiding in the creation of convincing phishing pages. GitHub has also resolved an issue involving the potential exposure of sensitive data in HTML forms within the management console by removing the “Copy Storage Setting from Actions” feature.

GitLab Fixes Critical and High-Severity Vulnerabilities in Latest Patch

14-Oct-2024
Label: Vulnerability
Threat Level: Medium

GitLab has released critical patches for its Community Edition (CE) and Enterprise Edition (EE), addressing one critical and multiple high-severity vulnerabilities. These vulnerabilities present significant risks, including the ability to run unauthorized pipelines, user impersonation, and exposure to Server-Side Request Forgery (SSRF) attacks.
The critical vulnerability, CVE-2024-9164 (CVSS Score 9.6), allows unauthorized pipelines to run on arbitrary branches. This issue could lead to unauthorized code execution or deployment, posing a risk to sensitive environments. Another high-severity vulnerability, identified as CVE-2024-8970 (CVSS Score 8.2), enables attackers to impersonate users and trigger pipelines under their credentials, which can result in unauthorized actions affecting system integrity and confidentiality. Additionally, CVE-2024-8977 (CVSS Score 8.2), an SSRF vulnerability, allows attackers to make unauthorized requests from the server, potentially exposing internal services or data.
Other notable vulnerabilities include CVE-2024-9631 (CVSS Score 7.5), which affects the viewing of diffs in merge requests with conflicts, potentially slowing down operations and leading to denial-of-service attacks, and CVE-2024-6530 (CVSS Score 7.3), an HTML injection vulnerability that could be exploited for cross-site scripting (XSS) attacks in GitLab’s OAuth page.