Cyber Security Briefing, 6 - 12 April
Two Microsoft 0-days patched
Microsoft has released patches for two 0-day vulnerabilities in Windows. The first, CVE-2024-26234, rated CVSSv3 6.7 by the vendor, allows attackers to spoof proxy drivers: the malicious file was signed with a valid Microsoft Hardware Publisher certificate and attempted to impersonate Thales Group.
The second, CVE-2024-29988 (CVSSv3 8.8), allows the SmartScreen security feature to be bypassed due to a flaw in its protection mechanism; it has been actively exploited to deploy malware on Windows systems without being flagged by EDR/NDR products or the Mark of the Web (MotW) mechanism.
Alongside other fixes in its products, Microsoft has also disclosed a major flaw in Azure Kubernetes that allows unauthenticated actors to take full control of clusters. The vulnerability, CVE-2024-29990, with a CVSSv3 score of 9.0 according to Microsoft, allows attackers to steal credentials and affects resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC).
https://msrc.microsoft.com/update-guide/releaseNote/2024-Apr
New Spectre attack variant affects Intel and ARM processors
VUSec researchers have discovered a new variant of the Spectre v2 attack, which they have dubbed Spectre Branch History Injection (BHI). Spectre v2, also known as Branch Target Injection (BTI), is a CPU vulnerability that allows malicious actors to leak sensitive information by abusing branch mispredictions.
However, the mitigations provided for Spectre v2 do not protect against this new variant, because the global branch history can be manipulated from user space to influence branch predictions. The researchers note that although a BHI attack does not let an attacker inject branch targets directly, it does let them manipulate the global history. Spectre BHI appears to affect multiple models of Intel and Arm processors, while AMD processors do not appear to be vulnerable.
https://www.vusec.net/projects/bhi-spectre-bhb/
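The practical question for a defender after this kind of disclosure is whether a given Linux host reports a mitigation for the new variant. The kernel exposes its Spectre v2 status as a single line in `/sys/devices/system/cpu/vulnerabilities/spectre_v2`, and kernels carrying the BHI fixes append a `BHI:` field to it. The parser below is an added example, not code from VUSec or from the briefing; the sysfs path is real, the sample status lines are constructed for the example, and the classification rule (no `BHI:` field means the kernel predates BHI reporting and should be treated as unknown) is this example's own assumption.

```python
"""Check a Linux host's Spectre v2 sysfs status for a BHI mitigation.

Added example: the sysfs path is the kernel's, the status strings below are
constructed samples in the kernel's format, and the 'unknown' rule for a
missing BHI field is an assumption made here.
"""
from typing import Dict, Optional

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed sample values in the format the kernel prints; not real hosts.
SAMPLE_STATUS = {
    "host-a": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; "
              "PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop",
    "host-b": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; "
              "PBRSB-eIBRS: SW sequence; BHI: Vulnerable",
    "host-c": "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: disabled; "
              "RSB filling; PBRSB-eIBRS: Not affected",
    "host-d": "Not affected",
}


def parse_spectre_v2(status: str) -> Dict[str, Optional[str]]:
    """Split a spectre_v2 status line into fields.

    The line is either 'Not affected', 'Vulnerable[: detail]' or
    'Mitigation: <main>; <Key>: <value>; ...'. Sub-fields are ';'-separated.
    """
    parts = [p.strip() for p in status.strip().split(";") if p.strip()]
    fields: Dict[str, Optional[str]] = {"state": None, "main": None}
    head = parts[0] if parts else ""
    if head.startswith("Mitigation:"):
        fields["state"] = "Mitigation"
        fields["main"] = head.split(":", 1)[1].strip()
    elif head.startswith("Vulnerable"):
        fields["state"] = "Vulnerable"
        fields["main"] = head  # may carry a detail after the colon
    else:
        fields["state"] = head  # e.g. 'Not affected'
    for part in parts[1:]:
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
        else:
            fields[part] = ""  # flag-style entries such as 'RSB filling'
    return fields


def bhi_status(status: str) -> str:
    """Classify one status line as 'mitigated', 'vulnerable' or 'unknown' for BHI."""
    fields = parse_spectre_v2(status)
    if fields["state"] == "Not affected":
        return "mitigated"
    if fields["state"] == "Vulnerable":
        return "vulnerable"
    bhi = fields.get("BHI")
    if bhi is None:
        # Assumption: a kernel that does not report BHI at all is too old to
        # have the fix and should be scheduled for an update.
        return "unknown"
    if bhi.startswith("Vulnerable"):
        return "vulnerable"
    return "mitigated"


def classify_hosts(statuses: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> BHI classification for an inventory of status lines."""
    return {host: bhi_status(line) for host, line in statuses.items()}


def read_local_status(path: str = SYSFS_PATH) -> Optional[str]:
    """Read the live status on a Linux host; None if sysfs is unavailable."""
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    for host, verdict in classify_hosts(SAMPLE_STATUS).items():
        print(f"{host}: {verdict}")
    local = read_local_status()
    if local is not None:
        print(f"this host: {bhi_status(local)} ({local.strip()})")
```

On a fleet, the same function can be run over the output of a configuration-management fact that collects the sysfs line, so hosts reporting `BHI: Vulnerable` or no `BHI:` field at all are the ones to prioritise for kernel and microcode updates.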
Fortinet fixes critical vulnerability
Fortinet has released new security patches fixing a total of 12 vulnerabilities affecting several of its products, including FortiOS, FortiProxy, FortiClientMac and FortiSandbox. The most critical of these, CVE-2023-45590, rated CVSSv3 9.6 by the vendor, is described as a code injection issue whose exploitation could allow an unauthenticated remote attacker to execute arbitrary code or commands by convincing a user to visit a malicious website. The vulnerability affects FortiClientLinux versions 7.2.0, 7.0.6 to 7.0.10 and 7.0.3 to 7.0.4, and Fortinet recommends upgrading to versions 7.2.1 and 7.0.11 to fix the flaw.
It should be noted that at this time Fortinet has not indicated whether this vulnerability has been actively exploited. CISA has nonetheless issued a security alert pointing out this flaw, among others affecting Fortinet products.
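Advisories like this one list affected builds as a mix of single versions and inclusive ranges, and comparing them as strings gets 7.0.10 and 7.0.9 the wrong way round. The script below is an added example, not Fortinet's or the briefing's code: it encodes exactly the FortiClientLinux ranges and fix versions quoted above, compares versions numerically, and triages a constructed sample inventory (host names and versions are made up for the example).

```python
"""Triage a FortiClientLinux inventory against the CVE-2023-45590 ranges.

Added example. The affected ranges and fixed versions are those quoted in the
advisory summary; the inventory is constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

# Inclusive affected ranges as stated for CVE-2023-45590.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("7.2.0", "7.2.0"),
    ("7.0.6", "7.0.10"),
    ("7.0.3", "7.0.4"),
]

# Fixed version per release branch, as stated: 7.2.1 and 7.0.11.
FIXED_VERSIONS: Dict[str, str] = {"7.2": "7.2.1", "7.0": "7.0.11"}

# Constructed sample inventory: host name -> installed FortiClientLinux version.
SAMPLE_INVENTORY: Dict[str, str] = {
    "lnx-01": "7.0.9",
    "lnx-02": "7.0.11",
    "lnx-03": "7.2.0",
    "lnx-04": "7.0.2",
    "lnx-05": "7.0.10",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.0.10' into (7, 0, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the version falls inside any inclusive affected range."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Fixed version for the host's release branch, or None if not affected."""
    if not is_affected(version):
        return None
    branch = ".".join(version.strip().split(".")[:2])
    return FIXED_VERSIONS.get(branch)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return only the hosts that need an upgrade, mapped to the target version."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        fix = recommended_fix(version)
        if fix is not None:
            result[host] = fix
    return result


if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade to {target}")
```

Because the ranges are taken verbatim from the advisory summary, a version such as 7.0.5 is reported as not affected; if the vendor later widens the affected set, only `AFFECTED_RANGES` needs to change.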
Return of Raspberry Robin: new malware campaign spreads via WSF files
Raspberry Robin, a worm designed for the Windows operating system, can download and execute additional payloads, serving as a platform for threat actors to distribute malicious files. This malware has been used to deliver several families, including SocGholish, Cobalt Strike, IcedID, BumbleBee and Truebot, and is considered a precursor to ransomware. In March, HP's threat research team detected a change in the propagation strategy employed by malicious actors using Raspberry Robin.
The malware is now distributed via Windows Script Files (WSF); the WSF downloader is highly obfuscated and employs multiple parsing techniques that make it difficult to detect and slow down its analysis. Although its best-known propagation method involves USB drives, threat actors using Raspberry Robin are diversifying their infection vectors, including web downloads, in order to reach their targets.
https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/
Apple alerts users to compromise attempts
Apple has issued a security alert warning of attempted compromises of Apple mobile devices by malicious actors, with victims in a total of 92 countries. Specifically, the advisory states that some users are being targeted by spyware because of their position; in other words, malicious actors are aiming at specific targets such as journalists or diplomats worldwide. BleepingComputer asked Apple for more details about the scope of the latest campaign it has detected, but reports that the company's spokesperson declined to comment.
Apple has accordingly recommended a series of security measures to its users, such as enabling Lockdown Mode, updating the iPhone to the latest software version, and contacting its online support service if necessary.
https://www.documentcloud.org/documents/24539926-threat-notifications-email-april-10
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.