Cyber Security Weekly Briefing, 23 - 29 November

November 29, 2024

Google removes fake news sites from Glassbridge operation

Google has removed from Google News and Google Discover a large number of news sites and domains that were disseminating pro-China narratives in a coordinated fashion in support of Chinese government initiatives. The sites were run by several companies working together in what is likely a state-linked influence operation. Google tracks this umbrella group of four China-based companies as Glassbridge: Shanghai Haixun Technology, Times Newswire, Durinbridge and Shenzhen Bowen Media.

These companies disguised their role or passed off their content as local, independent news coverage, targeting Chinese- and English-speaking diaspora audiences in the Middle East, Eastern Europe, Asia, Africa and the United States.

The companies also shared the same content, republishing press releases across their networks of fake news websites. The sites in turn republished articles from China's state-run Global Times or produced pieces on Beijing's territorial claims and the Covid-19 pandemic, among other topics.

More info

7-Zip vulnerability allows code execution via crafted archives

Trend Micro's Zero Day Initiative (ZDI) has published an advisory for a newly disclosed vulnerability in 7-Zip, tracked as CVE-2024-11477 with a CVSSv3 score of 7.8 according to ZDI. The flaw lies in 7-Zip's Zstandard decompression implementation: insufficient validation of attacker-supplied data leads to an integer underflow in the length arithmetic before a write to memory, which can corrupt memory and allow an attacker to execute code in the context of the 7-Zip process. Exploitation requires user interaction, such as opening a crafted archive.
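To make the bug class concrete, here is an added example that is not 7-Zip's, Zstandard's or ZDI's code: a toy block decoder, with an invented header layout, whose length arithmetic wraps when an attacker-controlled field is larger than the field it is subtracted from, next to the same check written so it cannot wrap. Function names, the block format and the sample blocks are all constructed for this illustration.

```c
/* Added illustration of wrapped length arithmetic in a decompressor.
 * Not 7-Zip/Zstandard code; the block format below is invented.
 *
 * Toy block layout (hypothetical):
 *   u32 LE block_size : number of payload bytes after the 8-byte header
 *   u32 LE lit_size   : literal bytes at the start of the payload
 *   payload           : lit_size literals, then block_size - lit_size
 *                       "sequence" bytes; both are copied to the output here
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN 8

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable validator: derives seq_len before checking lit_size. When
 * lit_size > block_size the subtraction wraps (unsigned underflow), and the
 * later "does everything fit in the output" test adds the two wrapped values
 * back together, lands on block_size again, and passes. Returns 1 when the
 * decoder would go on to copy lit_size (huge) bytes. */
int vulnerable_lengths_ok(uint32_t block_size, uint32_t lit_size,
                          size_t payload_len, size_t out_cap)
{
    if (block_size > payload_len) return 0;        /* block fits the input   */
    uint32_t seq_len = block_size - lit_size;      /* wraps if lit > block   */
    if ((uint32_t)(lit_size + seq_len) > out_cap)  /* wraps back: passes     */
        return 0;
    return 1;
}

/* Hardened validator: check each field against the bound it is actually
 * consumed against, before doing arithmetic on it. */
int hardened_lengths_ok(uint32_t block_size, uint32_t lit_size,
                        size_t payload_len, size_t out_cap)
{
    if (block_size > payload_len) return 0;
    if (lit_size > block_size) return 0;           /* the missing check      */
    if (block_size > out_cap) return 0;            /* literals + sequences   */
    return 1;
}

typedef int (*lengths_ok_fn)(uint32_t, uint32_t, size_t, size_t);

/* Decode one block with the given validator. Returns bytes written to out,
 * or -1 if the header is rejected. With the vulnerable validator and a
 * hostile header, the first memcpy below would read ~4 GiB past the input. */
long decode_block(lengths_ok_fn ok, const uint8_t *in, size_t in_len,
                  uint8_t *out, size_t out_cap)
{
    if (in_len < HDR_LEN) return -1;
    uint32_t block_size = read_le32(in);
    uint32_t lit_size   = read_le32(in + 4);
    if (!ok(block_size, lit_size, in_len - HDR_LEN, out_cap)) return -1;
    uint32_t seq_len = block_size - lit_size;      /* safe only after ok()   */
    memcpy(out, in + HDR_LEN, lit_size);
    memcpy(out + lit_size, in + HDR_LEN + lit_size, seq_len);
    return (long)block_size;
}

/* Constructed sample blocks: 5 payload bytes, 3 literals (benign), and the
 * same payload with lit_size = 0xFFFFFFF0 (hostile). */
const uint8_t kBenignBlock[]  = {5,0,0,0, 3,0,0,0,             'a','b','c', 0x11,0x22};
const uint8_t kHostileBlock[] = {5,0,0,0, 0xF0,0xFF,0xFF,0xFF, 'a','b','c', 0x11,0x22};
uint8_t demo_out[16];

int main(void)
{
    long n = decode_block(hardened_lengths_ok, kBenignBlock,
                          sizeof kBenignBlock, demo_out, sizeof demo_out);
    printf("benign block: %ld bytes decoded (%.3s...)\n", n, demo_out);

    /* For the hostile header only the validators are consulted; running the
     * copy behind the vulnerable one would be an out-of-bounds read. */
    printf("vulnerable check accepts hostile header: %d\n",
           vulnerable_lengths_ok(5, 0xFFFFFFF0u, 5, sizeof demo_out));
    printf("hardened check accepts hostile header:   %d\n",
           hardened_lengths_ok(5, 0xFFFFFFF0u, 5, sizeof demo_out));
    return 0;
}
```

The point of the vulnerable validator is that it is not careless: it checks the block against the input and the total against the output, yet a single subtraction done before the field it consumes has been bounded makes both checks pass for a hostile header. The hardened form orders the checks so that every value fed into arithmetic is already known to be within range.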

The issue is fixed in 7-Zip 24.07. Since 7-Zip has no automatic update mechanism, users must download and install version 24.07 or later themselves.

More info

Matrix botnet abuses default passwords on IoT devices

Aqua Nautilus researchers have uncovered a new distributed denial-of-service (DDoS) campaign run by a threat actor tracked as Matrix. The operation builds its botnet by brute-forcing weak or default credentials and exploiting known vulnerabilities in servers, routers and IoT devices such as IP cameras and DVRs.

Matrix also uses Discord bots and a Telegram storefront to operate and monetise its DDoS-for-hire services. According to Aqua, the campaign could affect up to 35 million devices worldwide, concentrated in regions with high IoT adoption such as China and Japan.

More info

Six vulnerabilities in GitLab patched, one of them with high severity

GitLab has released patch versions for Community Edition (CE) and Enterprise Edition (EE) that fix six vulnerabilities, five rated medium severity and one rated high by GitLab. The high-severity issue, CVE-2024-8114 (CVSSv3 8.2 according to the vendor), allows an attacker who obtains a user's Personal Access Token (PAT) to escalate privileges. It affects all GitLab CE and EE versions from 8.12 up to the patched releases.

The medium-severity bugs include two denial-of-service vulnerabilities (CVE-2024-8237, CVSSv3 6.5, and CVE-2024-8177, CVSSv3 5.3, both according to GitLab), a flaw in which token revocation is not enforced on a streaming endpoint (CVE-2024-11668, CVSSv3 4.2 according to the vendor), resource exhaustion through API calls (CVE-2024-11828, CVSSv3 4.3 according to the vendor) and unintended access to usage data through scoped tokens (CVE-2024-11669, CVSSv3 6.5 according to the vendor).

More info

NachoVPN tool exploits VPN client vulnerabilities through rogue servers

Researchers at AmberWolf have published NachoVPN, an open-source tool on GitHub that exploits vulnerabilities in Palo Alto Networks' GlobalProtect and SonicWall's NetExtender VPN clients. NachoVPN acts as a rogue VPN server: when a client that has not been patched against CVE-2024-5921 (GlobalProtect, CVSSv4 7.1 according to Palo Alto Networks) or CVE-2024-29014 (NetExtender, CVSSv3 8.8) connects to it, the tool can push malicious updates to that client.

The victim is lured into connecting to the attacker-controlled server through social engineering, for example via a distributed document or a malicious web page. Once the client connects, the tool can steal the victim's VPN login credentials, deliver malware disguised as a client update, install a malicious root certificate and execute code with elevated privileges on the endpoint.

More info