Microsoft Patch Tuesday includes six exploited vulnerabilities
Microsoft patched six actively exploited vulnerabilities, among them a memory corruption RCE flaw in the Windows Scripting Engine (CVE-2024-38178), which requires user interaction and is apparently leveraged by state actors; an RCE in Microsoft Project (CVE-2024-38189), exploitable when the "Block macros from running in Office files from the Internet" policy is disabled and VBA Macro Notification Settings are not enabled; and a new security feature bypass in SmartScreen (CVE-2024-38213), exploited by a DarkGate campaign since March.
Mitigate it
Enable the "Block macros from running in Office files from the Internet" policy or, at least, enable VBA Macro Notification Settings (for CVE-2024-38189). Both settings are per-application Office policies, so make sure they are applied to Microsoft Project and not only to Word, Excel and PowerPoint.
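To audit and enforce the two policies above on a host, the following PowerShell is an added example (not code from the original newsletter or from Microsoft). It writes the per-user policy registry values that the Office ADMX templates write. It assumes Office 2016/2019/2021/365, whose policy keys live under the "16.0" version key; the application key name "ms project" for Microsoft Project is taken from the Office ADMX templates and should be verified against your own template set before deployment.

```powershell
# Added example: audit and set the Office macro policies named in Microsoft's
# CVE-2024-38189 advisory. Assumption: Office version key "16.0"; the "ms project"
# key name is taken from the Office ADMX templates (verify before deploying).

$OfficeVersion = '16.0'
# Application key names as written by the Office ADMX policy templates.
$Apps = @('word', 'excel', 'powerpoint', 'access', 'ms project', 'visio')

function Get-MacroPolicyState {
    param([Parameter(Mandatory)][string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\security"
    $block = $null; $warn = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $block = $props.blockcontentexecutionfrominternet
        $warn  = $props.vbawarnings
    }
    [pscustomobject]@{
        App                 = $App
        # "Block macros from running in Office files from the Internet"
        BlockInternetMacros = ($block -eq 1)
        # VBA Macro Notification Settings:
        # 1 = enable all, 2 = disable with notification,
        # 3 = disable except digitally signed, 4 = disable all without notification
        VbaWarnings         = $warn
        # Either the block policy, or a notification setting that does not
        # silently enable macros, closes the exposure the advisory describes.
        Compliant           = ($block -eq 1) -or ($warn -in 2, 3, 4)
    }
}

function Set-MacroPolicy {
    param([Parameter(Mandatory)][string]$App, [switch]$SignedOnly)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Primary mitigation: block macros in files carrying the Mark of the Web.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    # Fallback mitigation: VBA Macro Notification Settings. 3 allows only
    # digitally signed macros; 2 disables macros but lets the user enable them.
    $level = if ($SignedOnly) { 3 } else { 2 }
    Set-ItemProperty -Path $key -Name 'vbawarnings' -Value $level -Type DWord
}

# Audit the current state of every application before changing anything.
$Apps | ForEach-Object { Get-MacroPolicyState -App $_ } | Format-Table -AutoSize

# Enforce both policies, then list anything still non-compliant.
$Apps | ForEach-Object { Set-MacroPolicy -App $_ -SignedOnly }
$Apps | ForEach-Object { Get-MacroPolicyState -App $_ } |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

These are HKCU policy values, so in an organisation they belong in a Group Policy Object or Intune configuration profile rather than a per-host script; the script is most useful as a quick audit of what actually landed on a given machine.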
A new IPv6 flaw
Microsoft assessed that a new critical RCE vulnerability in the Windows TCP/IP stack (CVE-2024-38063, CVSS 9.8) is "more likely" to be exploited. By sending crafted IPv6 packets to a target, an unauthenticated remote attacker can trigger a buffer overflow leading to code execution, with no user interaction required. Windows 10, Windows 11 and Windows Server are affected wherever IPv6 is enabled, which it is by default.
Mitigate it
Turn off IPv6 on vulnerable machines until they are patched; Microsoft's advisory states that systems with IPv6 disabled are not affected, and this is the only mitigation it lists. Blocking incoming IPv6 traffic in the firewall is a weaker fallback and should be treated as defense in depth rather than a substitute for the patch.
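The following PowerShell is an added example (not from the original newsletter or from Microsoft) that shows how to find which adapters still have IPv6 bound and how to apply either mitigation. It assumes an elevated session on Windows 10/11/Server. The firewall address ranges it blocks (the globally routable, unique-local and link-local IPv6 blocks) are this example's choice, not a Microsoft recommendation, and the registry method follows Microsoft's documented DisabledComponents value.

```powershell
# Added example: inventory IPv6 exposure and apply the CVE-2024-38063 mitigations.
# Assumptions: run elevated; firewall ranges below are this example's choice.
#Requires -RunAsAdministrator

$RuleName = 'Block inbound IPv6 (CVE-2024-38063 mitigation)'

function Get-IPv6Exposure {
    # ms_tcpip6 is the component ID of the IPv6 protocol binding.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { $_.Enabled } |
        Select-Object Name, ComponentID, Enabled
}

function Disable-IPv6Binding {
    # Option 1: unbind IPv6 from every adapter. Takes effect immediately and is
    # easy to reverse with Enable-NetAdapterBinding once the patch is installed.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { $_.Enabled } |
        ForEach-Object { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }
}

function Disable-IPv6Stack {
    # Option 1, stack-wide variant: Microsoft's documented DisabledComponents
    # value. 0xFF disables IPv6 on all non-tunnel and tunnel interfaces; a reboot
    # is required for it to take effect. Set it back to 0 to re-enable.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    Set-ItemProperty -Path $key -Name 'DisabledComponents' -Value 0xFF -Type DWord
}

function Block-InboundIPv6 {
    # Option 2: keep IPv6 bound but drop unsolicited inbound IPv6 in Windows
    # Defender Firewall. Block rules take precedence over allow rules. Defense in
    # depth only: the advisory lists disabling IPv6 as the mitigation.
    $ranges = @('2000::/3', 'fc00::/7', 'fe80::/10')   # global, unique-local, link-local
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Profile Any -RemoteAddress $ranges | Out-Null
    }
}

$exposed = Get-IPv6Exposure
if ($exposed) {
    'Adapters with IPv6 bound:'
    $exposed | Format-Table -AutoSize
    Disable-IPv6Binding
    Block-InboundIPv6
    'Re-check:'
    Get-IPv6Exposure
} else {
    'IPv6 is not bound to any adapter; CVE-2024-38063 is not reachable on this host.'
}
```

Unbinding IPv6 will break anything that depends on it (DirectAccess, some Exchange and Active Directory deployments that Microsoft supports only with IPv6 enabled), so check dependencies before rolling this out fleet-wide and re-enable IPv6 once the August update is confirmed installed.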
A CLFS vulnerability leads to system crashes
A new bug in the Windows Common Log File System (CLFS) driver (CVE-2024-6768) can be trivially exploited by a local user to crash various versions of Windows with a BSOD. The flaw is an improper validation of a specified quantity in input data, which leads to an unrecoverable inconsistency in the driver and triggers a system crash. Microsoft added a signature for the exploit to its Defender products but does not acknowledge the issue as a vulnerability and apparently will not release a patch for it.
Earth Baku goes West
Earth Baku, a sub-group of the Chinese state-sponsored cyberespionage actor APT41, is now targeting organizations in Europe, Africa and the Middle East, a pivot aimed at expanding its activities beyond Asia. Earth Baku is known for crafting specific tools to exploit vulnerabilities for initial access, including the ProxyLogon flaw (CVE-2021-26855).
Log4j exploitation is surging
A new report reveals a 61% increase in exploitation attempts against the Log4j vulnerability (CVE-2021-44228) over the last few months, and a 79% increase for the Oracle WebLogic vulnerability (CVE-2020-14883). The report also puts a spotlight on IntelBroker, described as one of the most active threat actors currently.
Use the Zafran dashboard to check your exposure to infamous vulnerabilities like Log4shell
Crowdstrike and China
One day after it published a root cause analysis of its recent bug, Crowdstrike denied accusations made by a Chinese security firm according to which the cause of the BSOD loop is a memory corruption vulnerability that might be exploited in the future. In parallel, CISA's director described the Crowdstrike global outage as "a useful exercise" for understanding future Chinese cyberattacks, especially from the Chinese APT Volt Typhoon.
Sources
- https://www.securityweek.com/microsoft-warns-of-six-windows-zero-days-being-actively-exploited/, https://www.bleepingcomputer.com/news/microsoft/new-windows-smartscreen-bypass-exploited-as-zero-day-since-march/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
- https://www.fortra.com/security/advisories/research/fr-2024-001, https://www.coresecurity.com/core-labs/articles/cve-2024-6768-improper-validation-specified-quantity-input-produces
- https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html
- https://go.catonetworks.com/rs/245-RJK-441/images/Q2_24_Cato_CTRL_Threat_Report.pdf
- https://www.securityweek.com/crowdstrike-dismisses-claims-of-exploitability-in-falcon-sensor-bug/, https://thecyberexpress.com/crowdstrike-outage-potential-chinese-attack/