Cyber Security Weekly Briefing, 3 January
Released exploit for LDAPNightmare vulnerability
Researchers at SafeBreach have released proof-of-concept exploit code for CVE-2024-49112 (CVSSv3 9.8), the vulnerability known as LDAPNightmare. The exploit causes a denial of service on any unpatched Windows server, including domain controllers, by sending specially crafted LDAP requests; the target crashes without any prior interaction. This is particularly critical because domain controllers are key components of corporate networks, and a vulnerability in them can severely impact the security of the whole network.
Microsoft released a patch for the vulnerability on December 10.
DoubleClickjacking as an emerging technique for gaining unauthorized access
Cybersecurity researchers have discovered a new attack technique named “DoubleClickjacking,” which leverages a double-click sequence to bypass clickjacking protections on relevant websites. This method, which uses the interval between clicks to manipulate user interface elements, allows taking control of accounts with minimal interaction, bypassing defenses such as X-Frame-Options headers or SameSite cookies.
The attack begins on a site controlled by an attacker who requests a double-click on a seemingly innocuous pop-up window, such as a CAPTCHA. During the second click, the site covertly redirects the user to a malicious page, approving actions such as authorizing malicious OAuth applications without the user's awareness.
As a preventive workaround, until browsers adopt standards that mitigate this new attack vector, the researchers propose keeping critical buttons disabled until a mouse gesture or keystroke is detected, so that the second click cannot land too quickly on a control and trigger unwanted actions such as covertly authorizing applications without the user's awareness.
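The workaround above, as an added example that is not code from the briefing or from the researchers it cites: a hypothetical "Authorize application" button stays disabled until the page itself has observed a genuine mouse movement or keystroke. The second click of a DoubleClickjacking sequence arrives on a page that has seen no such gesture, so it lands on a disabled control and does nothing. The element id `authorize`, the `simulateClick` helper and the fake event targets are assumptions made for the example.

```javascript
'use strict';

// Tracks whether a human gesture (mouse movement or key press) has been seen
// on this page since it loaded.
function createGestureGate() {
  let gestureSeen = false;
  return {
    onGesture() { gestureSeen = true; },
    canActivate() { return gestureSeen; },
    reset() { gestureSeen = false; },
  };
}

// Wires the gate to a document-like object and a button-like object. Real DOM
// objects fit; anything exposing addEventListener() and a `disabled` flag will do.
function protectButton(doc, button, onActivate) {
  const gate = createGestureGate();
  button.disabled = true;                       // disabled until a gesture is seen
  const arm = () => { gate.onGesture(); button.disabled = false; };
  doc.addEventListener('mousemove', arm);
  doc.addEventListener('keydown', arm);
  button.addEventListener('click', (ev) => {
    // Defence in depth: refuse even if the disabled attribute was tampered with.
    if (!gate.canActivate()) {
      if (ev && typeof ev.preventDefault === 'function') ev.preventDefault();
      return false;
    }
    onActivate();
    return true;
  });
  return gate;
}

// Minimal event target so the logic can be exercised outside a browser
// (constructed for this example; not a real DOM object).
function fakeTarget() {
  const handlers = {};
  return {
    disabled: false,
    addEventListener(type, fn) { (handlers[type] = handlers[type] || []).push(fn); },
    dispatch(type, ev = {}) { return (handlers[type] || []).map((fn) => fn(ev)); },
  };
}

// Simulates a click on the protected button, with or without a preceding
// gesture, and returns how many times the sensitive action ran. A browser does
// not deliver clicks to a disabled button, which the simulation mirrors.
function simulateClick(withGesture) {
  const doc = fakeTarget();
  const btn = fakeTarget();
  let activated = 0;
  protectButton(doc, btn, () => { activated += 1; });
  if (withGesture) doc.dispatch('mousemove');
  if (!btn.disabled) btn.dispatch('click');
  return activated;
}

// Browser wiring (skipped under Node): protect the button with id "authorize".
if (typeof document !== 'undefined') {
  const btn = document.getElementById('authorize');
  if (btn) protectButton(document, btn, () => btn.form && btn.form.submit());
} else {
  console.log('click without gesture ->', simulateClick(false)); // 0
  console.log('click after gesture   ->', simulateClick(true));  // 1
}
```

The gesture check complements, rather than replaces, X-Frame-Options, frame-ancestors and SameSite cookies: those defences stop the page from being framed, whereas this one stops a top-level page from accepting a click that no human aimed at it.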
Ficora and Capsaicin increase activity targeting D-Link routers
Fortinet researchers have detected two botnets, Ficora, a Mirai variant, and Capsaicin, a Kaiten variant, both of which have seen increased activity targeting D-Link routers running obsolete or end-of-life firmware versions. For initial access, both malware families use known exploits for CVE-2015-2051, CVE-2019-10891, CVE-2022-37056 and CVE-2024-33112.
After compromising a device, the attackers exploit weaknesses in the D-Link management interface (HNAP) and execute malicious commands via GetDeviceSettings for DDoS purposes. Both botnets are capable of executing shell scripts, stealing data and exfiltrating it to the C2 server. Ficora has a wide geographical distribution, targeting especially Japan and the United States, while Capsaicin appears to target mainly East Asian countries.
Users are advised to update devices to the latest available firmware version, or to replace them with a newer model if they no longer receive updates.
Cisco confirms that both leaks posted by IntelBroker were due to the same intrusion
Cisco has confirmed that the second post by BreachForums user IntelBroker about leaked data from its systems is related to the first one. The new leak does not stem from a new intrusion, but consists of data from the attack, also confirmed by Cisco, on its development instances.
Coordinated attack on Google Chrome extensions
Several Chrome extensions were compromised in a coordinated attack in which a threat actor injected code to steal sensitive user information. One of those affected, Cyberhaven, alerted that an attacker hijacked an employee account and published a malicious version (24.10.4) of the extension, which included code capable of exfiltrating authenticated sessions and cookies to the attacker's domain.
Other affected Chrome extensions included Internxt VPN, VPNCity, Uvoice, ParrotTalks, Bookmark Favicon Changer, Castorus, Wayin AI, Search Copilot AI Assistant, VidHelper, Vidnoz Flex, TinaMind, Primus, AI Shop Buddy, Sort by Oldest, Earny, ChatGPT Assistant, Keyboard History Recorder and Email Hunter.
Users are recommended to remove those extensions or update them to a safe version released after December 26, provided that the publisher has fixed the issue. Alternatively, it is recommended to uninstall the extension, reset account passwords, clear browser data and restore original settings.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →