A second SolarWinds exploited vulnerability

‍

A new SolarWinds vulnerability (CVE-2024-28987) is exploited by threat actors. The flaw concerns hardcoded credentials and enables remote code execution within SolarWinds Web Help Desk. Around 830 vulnerable WHD instances were found Internet-exposed, mostly in the government and education sectors. Last August, another SolarWinds WHD vulnerability (CVE-2024-28987) has been exploited against satellite telecommunication companies.

‍

[mitigate]Detect with Qualys QIDs 152161 and 731717; In Cloudflare WAF, under ruleset Specials, configure rule 100677 in block mode.[/mitigate]

Iran targets critical infrastructures

The US and its allies warned that since October 2023, Iranian actors are actively trying to compromise critical infrastructures in sectors such as healthcare, IT, government, energy and engineering.  The Iranian groups were observed getting initial access through brute force attacks, then modifying MFA registrations and establishing persistence. They also impersonated the domain controller for privilege escalation by exploiting Windows ZeroLogon vulnerability (CVE-2020-1472).

‍

Internet Explorer is dead.. but might still be exploited

The North Korean group APT37 has used an Internet Explorer zero-day (CVE-2024-38178) to infiltrate a South Korean ad agency and launch supply chain attacks against different Korean targets. Concretely, APT37 injected malicious code into IE-based pop-up notification (“toast”) scripts installed in legacy free software tools, to replace ads with malware.

‍

Microsoft revealed an Apple vulnerability

Microsoft disclosed an actively exploited vulnerability in Safari Browser on MacOS (CVE-2024-44133), which exploit has been nicknamed “HM Surf”. The flaw, allowing an attacker to bypass Apple’s Transparency, Consent, and Control (TCC) security layer, might eventually let a threat actor access users’ camera, microphone and browser data.

‍

‍

[mitigate]Detect the hash file 17e1b83089814128bc243315894f412026503c10b710c9c59d4aaf67bc209cb8 [/mitigate]

A new RoundCube vulnerability

Threat actors are using a vulnerability (CVE-2024-37383) in the open-source webmail service RoundCube, especially popular among government agencies. The XSS flaw, allowing for Javascript code execution in the victim’s web browser, has been leveraged as part of a phishing campaign aimed at stealing credentials.

‍

When a 7 years old Excel vulnerability is still exploited

In a campaign targeting military and critical infrastructures in the Middle East and South Asia, an Indian threat actor named APT-C-17 (aka Razor Tiger) has been using an old Microsoft Excel vulnerability (CVE-2017-11882) to run a malicious javascript code and deploy an infostealer malware on compromised assets. Initial access was granted through a spear-phishing email. Last April, the same vulnerability was used by the cybercrime group TA558 to target 320 organizations worldwide.

‍

Apply Threat Prevention Signature 36804 in Palo Alto; Disable Microsoft Equation Editor 3.0.

Fortinet silent about an exploited FortiManager flaw

Fortinet patched a vulnerability impacting FortiManager API (CVE-2024-47575), which has been exploited for a few weeks before disclosure, apparently by Chinese threat actors. The flaw, nicknamed FortiJump, allows attackers to execute arbitrary code following a missing authentication in a critical FortiManager function. However, exploitation requires the attacker to first retrieve a valid certificate from a compromised Fortinet device. Fortinet has been criticized for silently patching the vulnerability in early October and disclosing its details only two weeks later.

‍

[mitigate]In FortiManager, prevent unknown devices to attempt to register or whitelist the IP addresses of FortiGate allowed to connect[/mitigate]

A new Sharepoint vulnerability

A Sharepoint vulnerability (CVE-2024-38094), patched last July, is now exploited in the wild. The flaw allows attackers with Site Owner privilege to run arbitrary code on a Sharepoint server. It has been found similar to another recently patched Sharepoint flaw (CVE-2024-38024).

‍

[mitigate]Apply Citrix Netscaler WAF rule 998455[/mitigate]

Time-to-Exploit significantly dropped

‍

A new report shows that 70% of the 138 new vulnerabilities exploited in 2023 were first leveraged before a patch has been made available. Moreover, the Time-to-Exploit (i.e. the average time between patch release and first exploitation) has been reduced to five days only – a significant drop from 32 days the previous year. More than half of N-days vulnerabilities were exploited within a month after disclosure.