Cyber Security Briefing, 20 - 26 April

April 26, 2024

Critical vulnerability in Chrome fixed

Chrome 124 stable channel and extended channel were updated to 124.0.6367.78/.79 for Mac and Windows and 124.0.6367.78 for Linux. This security update includes fixes for a total of 4 vulnerabilities, most notably CVE-2024-4058 (no CVSSv3 score yet, but rated critical by the vendor), a type confusion bug in the ANGLE graphics engine that could allow a remote attacker to execute arbitrary code.

Google has rewarded the researchers who discovered the vulnerability with $16,000. In addition, CVE-2024-4059 and CVE-2024-4060, both also without a CVSSv3 score yet but rated high by the vendor, have been patched.

More info

Malicious campaign exploiting 0-days in firewall models

Cisco researchers published a research report in which they claim to have discovered a campaign, called ArcaneDoor, dedicated to the exploitation of two 0-day vulnerabilities affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. According to the experts, this campaign was carried out by a state-sponsored threat actor tracked as UAT4356, also known as STORM-1849, which has been attacking government networks worldwide since November 2023.

As for the initial access vector, Cisco has not been able to identify it, although it has released patches for the two 0-days, registered as CVE-2024-20353 (CVSSv3 8.6 according to the manufacturer) and CVE-2024-20359 (CVSSv3 6.0 according to the manufacturer), since both have been used by UAT4356 in its campaign. It is worth noting that exploiting these vulnerabilities could allow a denial-of-service condition as well as local code execution, which made it possible to deploy new malware on the victims' networks.

Based on these facts, Cisco recommends applying the following security patches.

More info

MagicDot Vulnerabilities in Windows Exposed

At the Black Hat Asia conference in Singapore, SafeBreach researcher Or Yair published several vulnerabilities in the conversion of paths from DOS to NT format in Windows that have been dubbed MagicDot. By exploiting them, attackers can hide and manipulate files and processes, gaining rootkit-like capabilities without the need for administrator privileges.

During path conversion, Windows automatically removes extra dots and spaces, which allows specific NT paths to be created that hide malicious activity. Among the vulnerabilities identified, along with other problems that Microsoft has already mostly patched, there is a remote code execution vulnerability (CVE-2023-36396, CVSSv3 7.8 according to the manufacturer) that is triggered when extracting a compressed file.

It is recommended to favour NT paths over DOS paths to mitigate these risks and to develop techniques that detect suspicious manipulation of file paths, such as trailing dots and spaces, since the underlying problem of automatically removed characters, and with it the possibility of similar exploits in future, still exists.
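As an added illustration of the detection advice above (example code, not from the original briefing or from SafeBreach), the following Python models the trailing-dot-and-space stripping in simplified form and flags directory entries that DOS-path tools would display differently, or that collide with a legitimate-looking name once normalised. The directory listing is constructed for the example.

```python
import re
from collections import defaultdict

# Simplified model of Win32 (DOS path) normalisation: when a path does not end
# in a separator, trailing periods and spaces are stripped from the last
# segment, so "svchost.exe." is presented as "svchost.exe". Names that carry
# such characters can only be created through the NT namespace and look
# identical to their normalised neighbours in DOS-path tooling.
# Assumption: only the final segment matters here; segments made up solely of
# three or more periods (a valid NT name) are outside this simplified model.
TRAILING = re.compile(r"[. ]+$")


def dos_normalise(name: str) -> str:
    """Return the name a DOS-path API would present for an NT file name."""
    return TRAILING.sub("", name)


def suspicious_names(nt_names):
    """Flag NT names that DOS-path tooling would display differently.

    Returns {nt_name: reason}. A name is reported when its normalised form
    differs from itself; if that form also matches another entry in the same
    directory, the collision is named, since that is the MagicDot masquerade.
    """
    by_dos = defaultdict(list)
    for name in nt_names:
        by_dos[dos_normalise(name)].append(name)
    findings = {}
    for dos_name, originals in by_dos.items():
        for name in originals:
            if name == dos_name:
                continue  # unaffected by normalisation
            others = [o for o in originals if o != name]
            if others:
                findings[name] = f"collides with {others[0]!r} under DOS path normalisation"
            else:
                findings[name] = "trailing dots/spaces stripped by DOS path normalisation"
    return findings


# Constructed sample: entries as returned by an NT-path directory enumeration.
SAMPLE_LISTING = [
    "svchost.exe",
    "svchost.exe.",  # shows as svchost.exe to DOS-path tools
    "report.docx",
    "updater ",      # trailing space: only creatable via an NT path
]

if __name__ == "__main__":
    for entry, reason in suspicious_names(SAMPLE_LISTING).items():
        print(f"{entry!r}: {reason}")
```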

More info

Vulnerability in Citrix uberAgent allowing privilege escalation

Cloud Software Group recently reported a critical vulnerability in its Citrix uberAgent product that can allow an attacker to escalate privileges. Identified as CVE-2024-3902 and with a CVSSv3 score of 7.3 according to the vendor, it affects all versions prior to 7.1.2. The flaw is due to improper configurations that allow manipulation of user privileges.

In addition, specific conditions are required for exploitation, including certain metrics, WmiProvider configurations and at least one [CitrixADC_Config] entry being set. To mitigate the risk, Citrix recommends disabling all CitrixADC metrics by removing certain specified timer properties, removing all [CitrixADC_Config] entries and, for versions 7.0 to 7.1.1, ensuring that WmiProvider is either not configured or set to WMIC. The company also strongly urges users to upgrade to version 7.1.2 as soon as possible.

More info

MITRE attacked by exploiting two vulnerabilities in Ivanti

MITRE Corporation has shared initial findings from its investigation into the cyberattack that occurred in January. The evidence shows that the threat actor gained access to MITRE NERVE, its virtualization, research, and experimentation environment, through the chained exploitation of vulnerabilities CVE-2023-46805 (CVSSv3 8.2) and CVE-2024-21887 (CVSSv3 9.1) in Ivanti Connect Secure products. MITRE claims that a foreign government-backed group is responsible for the incident, without specifying which group or country might be behind the attack.

More info