Cyber Security Briefing, 24 - 30 August
APT29 reuses NSO Group and Intellexa exploits in iOS and Chrome attacks
Google's Threat Analysis Group (TAG) found that the malicious actors behind APT29 conducted multiple exploit campaigns using vulnerabilities in iOS and Chrome from November 2023 through July 2024. These campaigns, which affected outdated devices, leveraged exploits previously developed and used by spyware companies Intellexa and NSO Group. The attacks reportedly compromised websites through watering hole tactics, using exploits that were originally 0-days to obtain sensitive information such as authentication cookies.
Google published technical details about these campaigns, noting that it does not know how APT29 obtained these exploits but highlighting the similarity of their exploit and payload frameworks to those of NSO Group and Intellexa, which suggests a possible transfer of tooling. Google also stresses the need to patch quickly: although the vulnerabilities had already been fixed, the attacks remained effective against devices that had not received the updates.
Hitachi Energy patches 5 MicroSCADA vulnerabilities, 2 critical
Hitachi Energy has issued a security advisory warning of 5 new vulnerabilities affecting MicroSCADA systems. Notable among the patched flaws are CVE-2024-4872 and CVE-2024-3980, both rated CVSSv3 9.9 by the vendor. The former allows attackers to carry out SQL injection attacks because the product does not correctly validate user-supplied queries; the latter is an argument injection flaw that attackers could exploit to access or modify system files and other critical application files on affected systems.
The other 3 vulnerabilities are CVE-2024-3982 (CVSSv3 8.2 according to the vendor), CVE-2024-7940 (CVSSv3 8.3 according to the vendor) and CVE-2024-7941 (CVSSv3 4.3 according to Hitachi). These flaws allow an attacker to hijack an already established session, expose a service on the network without authentication, and redirect users to malicious URLs.
Hitachi Energy encourages its users to upgrade to version 10.6 as soon as possible.
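The SQL injection flaw above stems from user input being folded into a query without proper validation. The following Python example, added here and not taken from Hitachi Energy's advisory or the MicroSCADA code base, shows the generic vulnerable pattern beside its hardened form against a constructed in-memory SQLite table (the `users` table, the `lookup_unsafe`/`lookup_safe` helpers and the sample input are all assumptions for illustration):

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for an application's user table
    # (illustration only; this is not MicroSCADA's schema or code).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "operator"), ("bob", "admin")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: the untrusted value is spliced into the query text,
    # so the input can change the structure of the SQL statement itself.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    # Hardened pattern: the value is bound as a parameter. The driver never
    # interprets it as SQL, so the statement's structure is fixed at write time.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    # Constructed input that closes the quoted literal and appends a tautology;
    # the unsafe lookup returns every row, the safe lookup returns nothing.
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "unsafe": lookup_unsafe(conn, payload),
        "safe": lookup_safe(conn, payload),
        "legit": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Parameter binding is the fix to look for when reviewing a patch for this class of flaw; input "validation" that merely strips a few characters leaves the query structure under the caller's control.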
Proof-of-concept exploit released for RCE vulnerability in Windows
Proof-of-concept (PoC) code was recently published on GitHub for the remote code execution vulnerability in the Windows TCP/IP stack that affects IPv6-enabled systems. Identified as CVE-2024-38063 and rated CVSSv3 9.8 by Microsoft, it allows attackers to compromise Windows 10, 11 and Server systems without user interaction by sending specially crafted IPv6 packets that trigger a buffer overflow.
As for the PoC, published by researcher Ynwarcs, it describes how the flaw can be exploited through a sequence of carefully orchestrated steps, involving the manipulation of packet offsets and header fields to cause unexpected behavior during packet reassembly. According to the researcher, the key to exploiting CVE-2024-38063 lies in triggering a timeout in the IPv6 packet reassembly process, leading to an integer overflow and subsequent buffer overflow.
Google patches new actively exploited 0-day
Google has released a new update to fix an actively exploited 0-day vulnerability. The flaw, registered as CVE-2024-7965 with a CVSSv3 of 8.8, is due to an inappropriate implementation in Google Chrome's V8 JavaScript engine that can allow remote attackers to exploit heap corruption via a specially crafted HTML page. The vulnerability was disclosed last week, but it was not until yesterday, August 26, that Google updated the security advisory to note that it is being exploited in the wild.
Users are therefore advised to update the browser to Chrome version 128.0.6613.84/.85 on Windows/macOS and to version 128.0.6613.84 on Linux.
Iranian APT33 group uses Tickler malware in new campaigns
Researchers at Microsoft have found that the Iranian advanced persistent threat (APT) group known as APT33 has used a new backdoor, called Tickler, to access the networks of organizations in the government, space, defense, education, and oil and gas sectors in the United Arab Emirates and the United States. Tickler was deployed as part of an intelligence-gathering campaign between April and July 2024 attributed to the threat actor, which is itself associated with Iran's Islamic Revolutionary Guard Corps (IRGC).
The group initially used compromised user accounts, primarily in the education sector, to build its operational infrastructure: with those accounts it accessed existing Azure subscriptions or created new ones, and then used that Microsoft Azure infrastructure for command and control (C2). The same infrastructure was used in subsequent operations targeting the other sectors noted above.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.