Cyber Security Briefing, 5 - 11 October
Salt Typhoon accessed the U.S. court wiretapping system
An investigation published by the Wall Street Journal has revealed that the Chinese advanced persistent threat (APT) Salt Typhoon, also known as FamousSparrow and GhostEmperor, managed to gain access to systems that the U.S. federal government uses to conduct wiretaps authorized by the country's courts. The news outlet reported that the threat actor compromised the networks of broadband providers Verizon, AT&T and Lumen Technologies to collect Internet traffic data from businesses and citizens, although it did not specify the details of the attack or the scope of the compromised data.
Several vulnerabilities fixed in Palo Alto Networks Expedition
Palo Alto Networks has fixed five vulnerabilities in its Expedition solution that could allow PAN-OS firewalls to be hijacked. Two PoCs have been published, although no evidence of active exploitation has been detected. The identified flaws correspond to an unauthenticated command injection (CVE-2024-9463, CVSSv3 of 9.9), an authenticated command injection (CVE-2024-9464, CVSSv3 of 9.3, for which the second published PoC exists), an unauthenticated SQL injection (CVE-2024-9465, CVSSv3 of 9.2), cleartext credentials stored in logs (CVE-2024-9466, CVSSv3 of 8.2) and an unauthenticated reflected XSS flaw (CVE-2024-9467, CVSSv3 of 7).
Combined, they would allow an attacker to read Expedition database content and arbitrary files, as well as write arbitrary files. All bugs have been fixed in Expedition version 1.2.96 and later.
U.S. justice dismantles Star Blizzard infrastructure
Microsoft's Digital Crimes Unit (DCU), together with the U.S. Department of Justice, has conducted an operation that dismantled more than 100 domains linked to the threat actor Star Blizzard. This Advanced Persistent Threat (APT), also known as Cold River or Callisto, is believed to have been active since 2017, performing phishing attacks and deploying custom backdoors.
Specifically, according to the article published by Microsoft, since 2023 this group has attacked more than 30 organizations in the civil society sector, including non-governmental organizations (NGOs), journalists and think tanks.
Microsoft Patch Tuesday: 118 security bugs fixed, including five zero-days
Microsoft has published the October Patch Tuesday advisory, which includes security updates for 118 bugs. Among these are five zero-day vulnerabilities, two of which have been actively exploited. The advisory also addresses three remote code execution vulnerabilities: CVE-2024-43468 (CVSSv3 of 9.8 according to Microsoft), CVE-2024-43488 (CVSSv3 of 8.8 according to Microsoft) and CVE-2024-43582 (CVSSv3 of 8.1 according to Microsoft). The actively exploited flaws are a Windows MSHTML platform spoofing vulnerability (CVE-2024-43573, CVSSv3 of 6.5 according to Microsoft) and a remote code execution vulnerability in the Microsoft Management Console (CVE-2024-43572, CVSSv3 of 7.8 according to Microsoft).
The former may be a bypass of a previously patched vulnerability that spoofed file extensions when opening files, while the latter allows malicious Microsoft Saved Console (MSC) files to execute remote code on affected devices.
Phishing campaign using Mamba 2FA detected
Researchers at Sekoia have published an article detailing a new phishing campaign in which the malicious actor employed the Mamba 2FA tool. The campaign was detected in May 2024; the tool gives attackers an adversary-in-the-middle (AiTM) mechanism that can be used to bypass multi-factor authentication (MFA) protection by capturing victims' authentication tokens.
Furthermore, Mamba 2FA supports Entra ID, AD FS, third-party SSO providers and Microsoft consumer accounts and can mirror each organization's custom login page. The researchers note that the tool is marketed on Telegram via a Phishing-as-a-Service model.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.