Cyber Security Briefing, 29 June - 5 July
Google patches vulnerabilities in Android
Google has released a security update for the Android system that fixes a total of 25 vulnerabilities, one of which is considered critical. This critical flaw has been registered as CVE-2024-31320; it affects the Framework component, and its exploitation could lead to a local escalation of privileges without the need for additional execution privileges.
It should be noted that this vulnerability affects Android versions 12 and 12L, and that seven other high-severity issues in the same component have also been addressed. Moreover, 17 other vulnerabilities in Kernel, Arm, Imagination Technologies, MediaTek and Qualcomm components have been resolved. Google recommends that users update their devices to fix these vulnerabilities.
Velvet Ant exploits vulnerability in Cisco NX-OS to distribute malware
Recently, security firm Sygnia reported that the Chinese cyberespionage group known as Velvet Ant is exploiting a zero-day vulnerability in Cisco NX-OS software to distribute malware. The flaw, identified as CVE-2024-20399 and with a CVSSv3 score of 6.0 according to the vendor, allows an authenticated local attacker to execute arbitrary commands as root on affected Cisco Nexus switches.
According to experts, Velvet Ant has used this vulnerability to deploy custom malware that allows it to remotely connect to compromised devices, upload additional files and execute code. For its part, Cisco has stated that the vulnerability is due to insufficient validation of arguments in configuration CLI commands, which allows a user with administrator privileges to execute commands without generating syslog messages. Cisco has also released software updates to fix this vulnerability, as there are no workarounds.
Juniper fixes critical authentication bypass vulnerability
Juniper Networks has released an emergency update to address an authentication bypass vulnerability in its Session Smart Router (SSR), Session Smart Conductor and WAN Assurance Router products. This security flaw, identified as CVE-2024-2973 and with a CVSSv3 score of 10.0 according to the vendor, affects redundant high-availability configurations and allows an attacker to bypass authentication and take full control of the device. The fix is included in SSR versions 5.6.15, 6.1.9-lts, 6.2.5-sts and later.
In Conductor-managed environments, it is sufficient to upgrade only the Conductor nodes; the fix is then applied automatically to all connected routers. For WAN Assurance Routers, updates are applied automatically when they are connected to the Mist Cloud. For its part, Juniper states that the update does not disrupt production traffic and, while it claims to have no knowledge of any active exploitation of this vulnerability, it recommends applying the available fixes.
FakeBat is distributed by drive-by download techniques
FakeBat, also known as EugenLoader and PaykLoader, is one of the most prominent malware loaders of 2024, according to research published by Sekoia. This malware is distributed using the drive-by download technique, employing malvertising campaigns, fake browser updates, social engineering and malicious pages impersonating legitimate software, including AnyDesk and Google Chrome.
In addition, FakeBat operates as a Malware-as-a-Service (MaaS), delivering payloads of other malware families such as IcedID, Lumma or Redline. With respect to its C2 infrastructure, researchers identified several servers used by the threat actors for this purpose, which also carry out detection evasion tactics, including filtering traffic based on User-Agent values and IP addresses.
Ransomware operators threaten victims with phone calls
Researchers at Halcyon have published research indicating that a new ransomware group, called Volcano Demon, is using phone calls to extort money from its victims. According to experts, the actor reportedly employs double extortion techniques and has carried out at least two attacks on logistics and industrial companies, infecting them with the LukaLocker ransomware.
It is noted that these ransomware operators do not have a leak website, but instead make almost daily phone calls from unidentified numbers to threaten their victims. It should be noted that Halcyon has not been able to confirm whether Volcano Demon operates independently or whether it is a subsidiary of a known ransomware group.