Cyber Security Briefing, 1 - 6 September
North Korean actors exploit a Chrome 0-day in their operations
Microsoft researchers have published findings indicating that the North Korean threat group known as Citrine Sleet, also tracked as AppleJeus, UNC4736 or Hidden Cobra, is exploiting a Chrome security flaw in its operations. The vulnerability is the 0-day registered as CVE-2024-7971, with a CVSSv3 score of 8.8, caused by a type confusion weakness in Chrome's V8 JavaScript engine that allows remote code execution.
The vulnerability was patched last week, but the group is reportedly targeting financial institutions, with a focus on cryptocurrency organisations and associated individuals, for financial gain. After exploiting the flaw and obtaining SYSTEM privileges on affected devices, the attackers aim to deploy the FudModule rootkit.
Critical vulnerability detected in TP-Link routers
A critical vulnerability was recently identified in TP-Link RE365 V1_180213 routers, exposing them to remote exploitation and potentially allowing full control of the device. The vulnerability, identified as CVE-2024-42815 and rated CVSSv3 9.8 according to CISA, is a buffer overflow in the router's HTTP server, caused by a failure to verify the length of the "User-Agent" header in HTTP GET requests.
A specially crafted request can therefore crash the device or execute attacker-supplied code, so exploitation could lead to denial of service or to complete control of the router and the network behind it.
✅ TP-Link has released a patch to mitigate the risk, and users are strongly advised to update the firmware as soon as possible.
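As an added illustration of the weakness class described above (an HTTP header value copied into a fixed-size buffer without checking its length), the C snippet below places the unchecked copy beside a hardened version that compares the value length against the destination before copying and rejects over-long values instead of overrunning the buffer. This is example code written for this briefing, not TP-Link's firmware code or anything from the CISA advisory; the request samples, the 64-byte buffer size and the function names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define UA_BUF_SIZE 64   /* assumed destination size for the example */

/* Locate the value of a header (case-sensitive "Name:" at line start) in a
 * raw request. Returns a pointer to the first value byte and writes the
 * value length (up to CR/LF or end of string) to *len, or returns NULL. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = req;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == req || p[-1] == '\n') && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *end = v;
            while (*end && *end != '\r' && *end != '\n') end++;
            *len = (size_t)(end - v);
            return v;
        }
        p += nlen;
    }
    return NULL;
}

/* VULNERABLE pattern (for contrast only, never called): the header value is
 * copied into a fixed stack buffer with no bound on len, so any value of
 * UA_BUF_SIZE bytes or more overruns the buffer. */
int copy_user_agent_unsafe(const char *req)
{
    char ua[UA_BUF_SIZE];
    size_t len;
    const char *v = find_header(req, "User-Agent", &len);
    if (!v) return -1;
    memcpy(ua, v, len);      /* no length check: stack buffer overflow */
    ua[len] = '\0';
    return (int)len;
}

/* HARDENED: the length is checked against the destination before the copy.
 * Over-long values are rejected (-2) rather than silently truncated, so the
 * caller can answer with 400/431 and log the event. -1 means no header. */
int copy_user_agent_safe(const char *req, char *out, size_t outlen)
{
    size_t len;
    const char *v = find_header(req, "User-Agent", &len);
    if (!v) return -1;
    if (len >= outlen) return -2;   /* leave room for the terminator */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample request with a normal header value. Returns 8. */
int demo_short(void)
{
    const char *req = "GET / HTTP/1.1\r\nHost: router\r\nUser-Agent: curl/8.0\r\n\r\n";
    char ua[UA_BUF_SIZE];
    return copy_user_agent_safe(req, ua, sizeof ua);
}

/* Constructed request whose User-Agent is 500 bytes of 'A'. Returns -2. */
int demo_long(void)
{
    char req[600];
    char ua[UA_BUF_SIZE];
    int n = snprintf(req, sizeof req, "GET / HTTP/1.1\r\nUser-Agent: ");
    memset(req + n, 'A', 500);
    memcpy(req + n + 500, "\r\n\r\n", 5);   /* 5 bytes includes the NUL */
    return copy_user_agent_safe(req, ua, sizeof ua);
}

/* Constructed request with no User-Agent at all. Returns -1. */
int demo_missing(void)
{
    char ua[UA_BUF_SIZE];
    return copy_user_agent_safe("GET / HTTP/1.1\r\nHost: router\r\n\r\n", ua, sizeof ua);
}

int main(void)
{
    printf("short header: %d\n", demo_short());     /* 8  */
    printf("500-byte header: %d\n", demo_long());   /* -2 */
    printf("no header: %d\n", demo_missing());      /* -1 */
    return 0;
}
```

The check `len >= outlen` is the whole fix: the copy size is decided by the destination, not by the sender. Rejecting rather than truncating also gives a defender a log line for requests that carry abnormally long headers.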
Zyxel fixes critical vulnerability in access points and enterprise routers
Zyxel has issued security patches to fix a critical vulnerability in several of its enterprise routers and access points (APs), which could allow unauthenticated attackers to inject commands into the operating system by sending a tampered cookie to a vulnerable device.
The flaw, identified as CVE-2024-7261 and rated CVSSv3 9.8 by the vendor, is due to improper neutralization of special elements in the "host" parameter of the CGI program in some versions of the affected access points and routers.
✅ The affected models include the NWA, WAC, WAX and WBE series, which require specific patches to correct the vulnerability, so it is recommended to apply them as soon as possible. Zyxel also notes that the USG LITE 60AX router does not require any action as it updates automatically.
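The Zyxel flaw is an OS command injection through a CGI parameter. As an added illustration, and not Zyxel's code or anything from the vendor advisory, the C snippet below shows the vulnerable pattern (a "host" value interpolated into a shell command line) beside a hardened handler that accepts only RFC 1123 host names or dotted IPv4 literals and then runs the helper program with an argv array and no shell, so metacharacters in the value never reach a shell parser. The CGI context, the `ping` helper and all sample inputs are constructed assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOST_MAX 253   /* RFC 1123 limit on a full host name */

/* VULNERABLE pattern (for contrast only, never called): the untrusted value
 * becomes part of a /bin/sh command line, so any shell metacharacter in it
 * is interpreted by the shell (CWE-78). */
int ping_host_unsafe(const char *host)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);
}

/* Allowlist validator: labels of [A-Za-z0-9-], 1..63 bytes, not starting or
 * ending with '-', joined by '.', total length <= HOST_MAX. Spaces, quotes,
 * ; | & $ ` and a leading '-' are all rejected, so the value can be neither
 * a shell token nor a command-line option. */
bool is_valid_hostname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > HOST_MAX) return false;
    size_t label = 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return false;
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (c == '-' && label == 0) return false;
            if (++label > 63) return false;
        } else {
            return false;
        }
    }
    return label > 0 && s[n - 1] != '-';
}

/* Build the argument vector without a shell. The host is one argv element,
 * so it is passed to ping verbatim, never re-parsed. argv needs room for 5
 * pointers. Returns the argument count or -1 if the host is rejected. */
int build_ping_argv(const char *host, const char *argv[5])
{
    if (!is_valid_hostname(host)) return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "1"; argv[3] = host; argv[4] = NULL;
    return 4;
}

/* HARDENED handler: validate, then fork/execvp with the argv array. Returns
 * the child's exit status, or -1 if the host was rejected or exec failed. */
int ping_host_safe(const char *host)
{
    const char *argv[5];
    if (build_ping_argv(host, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Helpers for checking results without running ping. */
int argv_count_for(const char *host)
{
    const char *argv[5];
    return build_ping_argv(host, argv);
}

/* A 254-character name exceeds HOST_MAX and must be rejected. */
bool demo_overlong_rejected(void)
{
    char s[255];
    memset(s, 'a', 254);
    s[254] = '\0';
    return !is_valid_hostname(s);
}

int main(void)
{
    /* Constructed inputs: the first two are accepted, the rest rejected. */
    const char *samples[] = { "router.local", "10.0.0.1", "host; id", "-n", "a..b", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i], is_valid_hostname(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation alone is not the fix; the structural change is that `execvp` receives the host as a single argument, so there is no shell to interpret it. The allowlist is defence in depth and also closes the option-injection case (a value starting with `-`) that a shell-free exec would otherwise still allow.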
Critical vulnerabilities in Veeam products
Veeam has released security patches correcting a total of 18 high- and critical-severity vulnerabilities affecting several of its products, including Veeam Backup & Replication (VBR), Service Provider Console and ONE. Five of the vulnerabilities are rated critical, the most prominent being CVE-2024-40711, with a CVSSv3 score of 9.8, which affects VBR and could be exploited by an unauthenticated attacker to achieve remote code execution.
The other four critical vulnerabilities are CVE-2024-42024 (CVSSv3 9.1), CVE-2024-42019 (CVSSv3 9.0), CVE-2024-38650 (CVSSv3 9.9) and CVE-2024-39714 (CVSSv3 9.9), affecting Service Provider Console versions 8.1.0.21377 and earlier and ONE versions 12.1.0.3208 and earlier.
✅ Veeam recommends that users upgrade their Veeam ONE assets to version 12.2.0.4093 and Veeam Service Provider Console to version 8.1.0.21377 to correct the issues.
Malicious actors use MacroPack to distribute malware
Cisco Talos discovered that several threat actors are using the MacroPack macro generation tool, originally designed for red teams, to deploy payloads such as Brute Ratel, Havoc and a new variant of the PhantomCore remote access Trojan (RAT). Researchers observed several related Microsoft Office documents generated with MacroPack that were uploaded to VirusTotal between May and July 2024.
These malicious documents, uploaded from different sources and countries, including China, Pakistan, Russia and the U.S., share connections between their payloads and use advanced evasion and obfuscation techniques that make them difficult to detect. Despite the similarities in tactics, techniques and procedures (TTPs), the activity could not be attributed to a single threat actor.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence content included in the service, please contact us.