Cyber Security Briefing, 12 - 18 October
Splunk fixes several vulnerabilities, including two high-severity RCE flaws
Splunk has released patches for several vulnerabilities in Splunk Enterprise (fixed in versions 9.3.1, 9.2.3 and 9.1.6, depending on the issue), including flaws in bundled third-party packages. Two high-severity (CVSSv3 8.x) remote code execution flaws stand out. The most serious, CVE-2024-45733 (CVSSv3 8.8 according to the vendor), affects Splunk Enterprise running on Windows and allows a low-privileged user, one without the admin or power Splunk roles, to execute code remotely because of an insecure session storage configuration.
A second flaw, CVE-2024-45731 (CVSSv3 8.0 according to the vendor), allows a low-privileged user to write arbitrary files to the Windows system root directory when Splunk Enterprise for Windows is installed on a separate disk, which could lead to code execution if a malicious DLL is planted there and loaded. Both issues are fixed in Splunk Enterprise 9.2.3 and 9.3.1. Splunk also fixed CVE-2024-45732 (CVSSv3 7.1 according to the vendor), an information disclosure flaw in Splunk Enterprise and Splunk Cloud Platform, together with several medium-severity issues involving JavaScript execution, exposure of passwords and other sensitive data, and crashes (denial of service).
✅ Splunk recommends applying appropriate updates to mitigate the risks.
Critical RCE vulnerability fixed in the pac4j-core module
A critical vulnerability has been disclosed in the pac4j Java security framework, affecting versions of the pac4j-core module prior to 4.0. The flaw, tracked as CVE-2023-25581 (CVSSv3 9.2 according to the vendor), exposes systems to remote code execution through unsafe Java deserialization.
Specifically, the restore method treats any attribute string carrying the {#sb64} prefix as a base64-encoded serialized Java object and deserializes it without adequately restricting which classes may be instantiated. An attacker who can control such an attribute value can therefore force deserialization of an arbitrary class and, given a suitable gadget chain on the application's classpath, execute code on the vulnerable system.
✅ To mitigate the risk, upgrade pac4j-core to version 4.0 or later, where the flaw is fixed. Independently of the upgrade, any code that deserializes untrusted input should restrict the accepted classes with a deserialization filter.
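The pattern behind the flaw, and the fix a practitioner would apply to similar code, as an added example. This is not pac4j's code: the class, method and field names, the allowlist and the sample payloads are assumptions chosen for the demonstration. The vulnerable version deserializes whatever class the attacker names; the hardened version installs an ObjectInputFilter (Java 9+) that only admits the types the application expects, and shows that the attacker-controlled readObject() never runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/**
 * Illustrative attribute "restore" logic modelled on the pattern described in the advisory.
 * Not pac4j's code: names, allowlist and payloads below are assumptions for the demo.
 */
public class AttributeRestoreDemo {

    // Prefix that marks an attribute value as a base64-encoded serialized Java object.
    static final String SB64_PREFIX = "{#sb64}";

    /** Vulnerable pattern: whatever class the stream names is instantiated and its readObject() runs. */
    static Object restoreUnsafe(String value) throws IOException, ClassNotFoundException {
        if (value == null || !value.startsWith(SB64_PREFIX)) {
            return value;                       // plain string attribute, nothing to deserialize
        }
        byte[] raw = Base64.getDecoder().decode(value.substring(SB64_PREFIX.length()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();             // attacker chooses the class; no allowlist
        }
    }

    /** Hardened pattern: an ObjectInputFilter allowlists the few types the application expects. */
    static Object restoreSafe(String value) throws IOException, ClassNotFoundException {
        if (value == null || !value.startsWith(SB64_PREFIX)) {
            return value;
        }
        byte[] raw = Base64.getDecoder().decode(value.substring(SB64_PREFIX.length()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(info -> {
                // Cheap structural limits first: nesting depth and array sizes.
                if (info.depth() > 8 || info.arrayLength() > 1000) {
                    return ObjectInputFilter.Status.REJECTED;
                }
                Class<?> c = info.serialClass();
                if (c == null) {                // called for depth/reference checks without a class
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                boolean allowed = c.isPrimitive()
                        || c == String.class
                        || c == ArrayList.class
                        || c == Object[].class  // ArrayList's backing array is checked via the filter too
                        || c == Integer.class || c == Long.class || c == Boolean.class;
                return allowed ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();
        }
    }

    /** Builds an {#sb64} attribute value the way a legitimate producer would. */
    static String encode(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return SB64_PREFIX + Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /** Stand-in for an attacker-supplied class: harmless here, but shows code runs inside readObject(). */
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("  -> Unexpected.readObject() executed before the caller saw the type");
        }
    }

    public static void main(String[] args) throws Exception {
        String legit   = encode(new ArrayList<>(List.of("user", "admin"))); // expected: role names
        String hostile = encode(new Unexpected());                           // attacker-controlled value

        System.out.println("unsafe, legit  : " + restoreUnsafe(legit));
        System.out.println("unsafe, hostile: " + restoreUnsafe(hostile));    // readObject() runs
        System.out.println("safe,   legit  : " + restoreSafe(legit));
        try {
            restoreSafe(hostile);
        } catch (InvalidClassException e) {
            System.out.println("safe,   hostile: rejected by filter (" + e.getMessage() + ")");
        }
    }
}
```

The point to take from the run: in the unsafe path the attacker's readObject() has already executed by the time the caller could check the returned type, so any post-hoc instanceof check comes too late. The filter makes the decision before the class is resolved, which is why the allowlist has to be as narrow as the application genuinely needs; allowing broad packages such as java.util.* would re-admit the collection classes that most public gadget chains are built from.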
EDRSilencer is used by threat actors to evade detection
Trend Micro researchers have observed threat actors incorporating the EDRSilencer tool into their operations to evade detection. EDRSilencer is an open-source red-team tool that enumerates running EDR processes and uses the Windows Filtering Platform (WFP) to monitor, modify or block their network traffic. With custom WFP filters an attacker can cut the communication between an EDR agent and its management server, so alerts, telemetry and logs never leave the host.
In its latest version, EDRSilencer detects and blocks 16 EDR products, including Microsoft Defender, SentinelOne and FortiEDR. It also lets attackers add filters for arbitrary processes by supplying their file paths. The agent keeps running locally, but because it can no longer report, malware and other malicious activity can go unnoticed by the SOC, increasing the likelihood of a successful attack.
✅ Trend Micro recommends treating the tool as malware, implementing multi-layered security controls and hunting for its IOCs. Since the technique leaves persistent WFP filters behind, auditing the filter set for block rules aimed at security agents is a practical host-level check.
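A hunting check for the technique described above, as an added example; this is not Trend Micro's or EDRSilencer's code. It dumps the live WFP filter set with netsh, flags block filters whose application-ID condition points at an EDR executable, and corroborates with Security event 5447 (WFP filter added or changed). Assumptions: the XML layout written by netsh wfp show filters matches the element paths used below (verify against your own dump); the display name "Custom Outbound Filter" is what the public tool's source uses by default and an operator may change it; the executable list is a constructed starting point to extend with your own EDR's binaries.

```powershell
# Added hunting example; not Trend Micro's or EDRSilencer's code. Run in an elevated PowerShell.
# Assumptions: netsh XML layout (wfpdiag/filters/item with displayData/name, action/type and
# filterCondition/item/conditionValue/byteBlob/asString); the default filter display name used by
# the public tool; a constructed EDR binary list to extend for your environment.

$ErrorActionPreference = 'Stop'

# 1. Dump the current WFP filter set and look for block rules aimed at EDR executables.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$dump" | Out-Null
[xml]$wfp = Get-Content -Path $dump -Raw

$edrBinaries = @(
    'MsMpEng.exe', 'MsSense.exe', 'SenseIR.exe', 'SenseCncProxy.exe',   # Microsoft Defender / MDE
    'SentinelAgent.exe', 'SentinelServiceHost.exe'                      # SentinelOne
)
$suspiciousNames = @('Custom Outbound Filter')   # assumed default name in the public tool's source

$findings = foreach ($f in $wfp.wfpdiag.filters.item) {
    $name   = [string]$f.displayData.name
    $action = [string]$f.action.type
    $layer  = [string]$f.layerKey

    # Application-ID conditions carry the device path of the executable the filter targets.
    $apps = @($f.filterCondition.item |
        Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_ALE_APP_ID' } |
        ForEach-Object { [string]$_.conditionValue.byteBlob.asString })

    $hitsEdr  = $apps | Where-Object { $edrBinaries -contains (Split-Path $_ -Leaf) }
    $hitsName = $suspiciousNames -contains $name

    if ($action -eq 'FWP_ACTION_BLOCK' -and ($hitsEdr -or $hitsName)) {
        [pscustomobject]@{
            FilterKey = [string]$f.filterKey
            Name      = $name
            Layer     = $layer
            Target    = ($apps -join '; ')
            Reason    = if ($hitsEdr) { 'blocks EDR binary' } else { 'known tool filter name' }
        }
    }
}

"== Block filters targeting security agents =="
$findings | Format-Table -AutoSize

# 2. Corroborate with Security event 5447 (WFP filter added/changed). The
#    "Audit Filtering Platform Policy Change" subcategory must have been enabled beforehand.
$since = (Get-Date).AddDays(-7)
"== WFP filter changes in the last 7 days (event 5447) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5447; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Change   = $d['ChangeType']
            Filter   = $d['FilterName']
            Provider = $d['ProviderName']
            Action   = $d['Action']
            Process  = $d['ProcessId']
        }
    } |
    Where-Object {
        $_.Action -match 'Block' -and
        ($suspiciousNames -contains $_.Filter -or [string]::IsNullOrEmpty($_.Provider))
    } |
    Format-Table -AutoSize
```

Two caveats when reading the results. Filter names and the binary list are the weakest signals, since both are trivially changed by an operator; a block filter on FWPM_LAYER_ALE_AUTH_CONNECT_V4 or _V6 whose app-ID condition names a security product binary is the durable indicator. And netsh wfp only inspects: removing a confirmed hostile filter has to be done through the WFP API (FwpmFilterDeleteByKey0) or your EDR vendor's tooling, after which the agent's connectivity to its console should be confirmed from the console side.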
Ransomware attacks increase, but fewer incidents reach the encryption stage
Microsoft's new 2024 Digital Defense Report finds that active threat actors have increased the sophistication of their tactics, techniques and tooling. Over the period covered by the report, July 2023 to June 2024, attacks not only became more complex; the frequency of some incident types rose by more than 200%.
Ransomware stands out: Microsoft recorded a 2.75-fold year-over-year increase in human-operated ransomware attacks, while the share of those attacks that reached the encryption stage has fallen threefold over the past two years. Microsoft attributes the decline to automatic attack disruption tooling that detects and contains intrusions before encryption begins. The report also identifies financial gain and nation-state espionage as the two main motivations behind ransomware activity.
IntelBroker offers allegedly stolen Cisco data for sale
Cisco has said it is investigating claims that it was breached. In a post on the cybercrime forum Breach Forums, the threat actor known as IntelBroker claimed that, together with two other users, EnergyWeaponUser and zjj, he accessed Cisco systems on June 10, 2024 and exfiltrated a large amount of developer data.
The allegedly stolen material includes source code, confidential documents, API tokens, certificates and credentials belonging to large companies such as AT&T, Microsoft and Verizon. IntelBroker also shared samples of the purported data, including a database, assorted customer information and documentation, and screenshots of customer management portals, but gave no details on how the intrusion took place. The claims remain unverified pending Cisco's investigation.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence content included in the service, please contact us.