Cyber Security Briefing, 22 - 28 June
Critical vulnerability used for credit card theft
Friends-of-Presta has posted a Proof-of-Concept (PoC) that exploits a critical vulnerability in Promokit's Facebook add-on (pkfacebook) for PrestaShop. The flaw, CVE-2024-36680 (CVSSv3 9.8 according to the vendor), was initially discovered at the end of May, but Promokit claimed that it had already been fixed without providing evidence.
Specifically, the vulnerability allows SQL injection via HTTP requests to the Ajax script facebookConnect.php of the pkfacebook plugin. Furthermore, the PoC posted by Friends-of-Presta is reportedly being actively used by malicious actors to deploy a web skimmer aimed at mass credit card theft. Friends-of-Presta has published a set of mitigations for this flaw because the Promokit developers have not shared the latest version of the add-on with them, so it cannot be verified that patches for CVE-2024-36680 have been applied.
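Until a verified patch is available, one practical control is to look for injection attempts against the vulnerable script in web server access logs. The following Python is an added example written for this briefing, not code from Friends-of-Presta or Promokit; the module path (/modules/pkfacebook/ajax/) and the parameter name "id" are assumptions, as the briefing only names the script facebookConnect.php, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (common log format); not real traffic.
# The module path and the "id" parameter are assumptions for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2024:10:01:02 +0000] "GET /modules/pkfacebook/ajax/facebookConnect.php?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [24/Jun/2024:10:01:05 +0000] "GET /modules/pkfacebook/ajax/facebookConnect.php?id=42'%20OR%201=1-- HTTP/1.1" 200 9812
198.51.100.7 - - [24/Jun/2024:10:02:11 +0000] "GET /index.php?controller=product&id_product=7 HTTP/1.1" 200 20311
203.0.113.9 - - [24/Jun/2024:10:03:40 +0000] "GET /modules/pkfacebook/ajax/facebookConnect.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0
"""

# Common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse indicators of SQL injection in a decoded parameter value.
SQLI_RE = re.compile(
    r"""('|\bunion\b\s+(all\s+)?select\b|\bsleep\s*\(|\bbenchmark\s*\(|--|/\*|\bor\b\s+\d+\s*=\s*\d+)""",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one access-log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so the heuristics see the real payload.
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def flag_sqli(log_text, script_name="facebookConnect.php"):
    """Return (ip, timestamp, parameter, value, status) for suspicious requests to script_name."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/" + script_name):
            continue
        for name, value in rec["params"].items():
            if SQLI_RE.search(value):
                findings.append((rec["ip"], rec["ts"], name, value, int(rec["status"])))
    return findings


if __name__ == "__main__":
    for hit in flag_sqli(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The patterns are deliberately broad (a lone apostrophe in a legitimate value will trigger them), so treat hits as triage input rather than a verdict; the status code is included because a 500 on an otherwise stable script is a useful secondary signal.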
Ransomware attack in London forces cancellation of more than 1,100 medical operations
A ransomware attack in London has forced the cancellation of more than 1,100 operations, including nearly 200 cancer treatments. The hacker group Qilin has released via Telegram more than 100 compressed files that it claims contain confidential information obtained from the systems of Synnovis, a pathology services company.
The group's aim is to punish the company for refusing to pay the ransom. The hospitals' ability to perform blood tests and other procedures has been severely affected. Healthcare staff are working to reduce the impact, but the disruptions are expected to last until September.
New attack technique called GrimResource
Researchers at Elastic have published a paper on a new attack technique against Windows systems, dubbed GrimResource. The technique combines specially crafted MSC (Microsoft Saved Console) files with an unpatched Windows XSS flaw in apds.dll, which allows malicious actors to achieve code execution via the Microsoft Management Console and, in the observed cases, deploy Cobalt Strike to gain initial access to victims' networks.
According to the researchers, malicious MSC samples uploaded to VirusTotal on 6 June were not classified as malicious by any antivirus engine, which leads them to believe that the technique is being actively used by malicious actors.
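Since MSC files are XML documents, a defender can triage them without executing anything by extracting every string and attribute value and checking for the indicators the briefing names (a reference to apds.dll and embedded script markup). The Python below is an added example for this briefing and is not Elastic's detection logic; the two MSC documents are constructed stand-ins, not real samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample MSC (Microsoft Saved Console) documents; not real malware.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">apds.dll</String>
        <String ID="3" Refs="1">&lt;script&gt;/* constructed marker */&lt;/script&gt;</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Indicators taken from the technique description: an apds.dll reference and script markup.
INDICATORS = {
    "apds_dll_reference": re.compile(r"apds\.dll", re.IGNORECASE),
    "script_markup": re.compile(r"<script\b|javascript:", re.IGNORECASE),
}


def iter_strings(msc_text):
    """Yield every non-blank text node and attribute value in the console file.
    If the file is not well-formed XML, treat the whole content as one string."""
    try:
        root = ET.fromstring(msc_text)
    except ET.ParseError:
        yield msc_text
        return
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.text  # entities such as &lt;script&gt; are already decoded here
        for value in elem.attrib.values():
            yield value


def scan_msc(msc_text):
    """Return the sorted list of indicator names present in an MSC document."""
    hits = set()
    for fragment in iter_strings(msc_text):
        for name, pattern in INDICATORS.items():
            if pattern.search(fragment):
                hits.add(name)
    return sorted(hits)


def is_msc(msc_text):
    """True if the document parses as XML with the MMC console root element."""
    try:
        return ET.fromstring(msc_text).tag == "MMC_ConsoleFile"
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(label, "is_msc=%s" % is_msc(doc), "indicators=%s" % scan_msc(doc))
```

Scanning decoded XML text rather than raw bytes matters here: the script markup in a real file would typically be entity-encoded inside the string table, so a plain byte search for "<script" would miss it.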
Critical vulnerability in MOVEit
Watchtowr researchers have published a technical analysis of a critical vulnerability in MOVEit Transfer. The flaw, registered as CVE-2024-5806 (CVSSv3 9.1 according to the vendor), is an authentication bypass in MOVEit Transfer's SFTP module that could allow attackers to impersonate legitimate users and access sensitive data without authenticating. It affects MOVEit Transfer versions 2023.0.0.0 prior to 2023.0.11, 2023.1.0 prior to 2023.1.6 and 2024.0.0 prior to 2024.0.2, so the vendor recommends upgrading to the latest available versions.
Possible supply chain attack using polyfill.io
This week, research by Sansec revealed that the Polyfill service was infecting hundreds of thousands of websites with malware. Cloudflare, among others, urged customers to remove the popular open source library, considering the findings credible. Following these events, the current owners of polyfill.io relaunched the JavaScript CDN service on a new domain after the original was shut down. In a series of posts on X, the company accused of the supply chain attack has denied any involvement and says it is being defamed. Despite these statements, several security researchers recommend not using the library as a precaution.
https://therecord.media/polyfill-cloudflare-trade-barbs-supply-chain-attack
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.