Cyber Security Briefing, 14 - 20 September
Docker patches two vulnerabilities, one of which is critical
Docker has published a security advisory stating that it has patched two vulnerabilities in Docker Desktop versions prior to 4.32.2. The flaws are CVE-2024-8695 and CVE-2024-8696, with CVSSv4 scores of 9.0 and 8.9 according to the vendor, and they affect the way Docker handles changelogs, publisher URLs and extension descriptions.
By exploiting these flaws, an attacker could abuse the application to execute arbitrary code on the victim's system. Malicious actors could also chain both flaws to gain access to sensitive data, install malware and even take control of the affected system.
✅ Docker has urged its users to install version 4.32.2, which includes patches for these two bugs, as soon as possible.
Malware distribution campaign targeting Binance users detected
Binance has issued a warning alerting its customers that malicious actors are distributing the Clipper malware, which manipulates withdrawal addresses during transactions in order to steal cryptocurrency. The malware intercepts data stored in the clipboard.
When a user copies and pastes a wallet address to transfer cryptocurrency, Clipper replaces the original address with one designated by the attacker, so the funds are sent to the threat actor's wallet. Clipper is commonly distributed through unofficial add-ons and apps on Android devices. The company has not indicated at this time how much money has been stolen or how many people have been affected.
✅ As preventive measures, Binance recommends that users verify addresses and the authenticity of downloaded apps, and use up-to-date security software on their devices.
Actively exploited vulnerability in Ivanti CSA
Ivanti has issued a security advisory stating that a critical vulnerability affecting the Cloud Service Appliance (CSA) is being actively exploited. The flaw, tracked as CVE-2024-8963 with a CVSSv3 score of 9.4 according to the vendor, is a path traversal weakness that allows an administration bypass.
Its exploitation could allow unauthenticated remote attackers to access restricted functions on vulnerable CSA systems. The vulnerability is being exploited in a chain with another security flaw, CVE-2024-8190 (CVSSv3 7.2 according to the vendor), which is used to bypass administrator authentication and execute arbitrary commands.
✅ Ivanti recommends upgrading to CSA version 5.0.
More than 1,000 ServiceNow instances identified exposing data
Researchers at AppOmni have published a report claiming to have identified more than 1,000 misconfigured enterprise ServiceNow instances that expose information. According to the researchers, the exposed data includes personal identification, user credentials and access tokens, among other items.
The root cause is the misapplication of ServiceNow updates released in 2023, which were intended to improve access control lists (ACLs) but were not applied to instances that use the knowledge base function. AppOmni notes that most ServiceNow knowledge bases rely on the User Criteria permission system instead of ACLs, which leaves the update largely ineffective for them.
✅ The researchers recommend protecting knowledge bases by setting the appropriate User Criteria (Can Read / Cannot Read) and blocking all unauthorised users.
Ransomware operators use Microsoft Azure in their operations
Researchers at modePUSH have published an investigation showing that ransomware families such as BianLian and Rhysida use Microsoft tools such as Azure Storage Explorer and AzCopy in their operations. The operators of these ransomware families store their victims' stolen data in an Azure Blob Storage container, from where they can later transfer it to their own infrastructure.
This is because Azure is a trusted enterprise service commonly used by businesses, making it unlikely that corporate firewalls and security tools will block this traffic. In addition, Azure can handle large volumes of unstructured data, thus speeding up the exfiltration process.
✅ As a preventive measure against such events, it is recommended to enable the "Logout on exit" option in Azure Storage Explorer, so that an attacker cannot reuse an active session for file theft.