Cyber Security Briefing, 8 - 13 June

June 13, 2024

Critical vulnerability in PHP for Windows

Security researcher Orange Tsai published a report describing the discovery of a critical vulnerability in PHP for Windows. The flaw was registered as CVE-2024-4577, with a CVSSv3 score of 9.8 according to the vendor, and stems from a defect in the handling of character encoding conversions, specifically the ‘Best-Fit’ behaviour in Windows, when PHP is run in CGI mode.

It should be noted that the discovery was made on 7 May, at which point the researcher contacted the PHP developers, who released a security patch before the report was published. The vulnerability affects all versions from 5.x onwards, and Shadowserver warns that malicious actors are already beginning to exploit the flaw and that a PoC has already been published.


Campaign against Snowflake environments by UNC5537

Researchers at Mandiant published a report stating that around 165 organizations have been affected by a campaign against Snowflake cloud storage systems by the threat actor UNC5537. According to the experts, the malicious actor is said to have compromised hundreds of Snowflake instances using customer credentials stolen by infostealer malware such as Lumma, Meta, Raccoon Stealer, Redline, Risepro and Vidar.

UNC5537 is then reported to have targeted accounts that did not have two-factor authentication enabled in order to access the victims' environments. Mandiant notes that it has found no evidence to suggest that the unauthorized access to Snowflake customer accounts arose from a compromise of Snowflake itself. It also notes that the attacks began on 14 April, at which point the actor started accessing instances and repeatedly executing SQL commands to perform reconnaissance and to stage and exfiltrate data.


Microsoft's Patch Tuesday for June

Microsoft published its Patch Tuesday for the month of June, correcting a total of 51 vulnerabilities, of which one is rated critical, 43 important and 7 have been classified as unknown. It should also be noted that one of these is a 0-day vulnerability. Registered as CVE-2023-50868, it is considered a 0-day because the security flaw was disclosed before an official fix was available.

It should be noted that this is a vulnerability in DNSSEC validation, where an attacker could abuse standard DNSSEC protocols intended to protect DNS integrity by exhausting the resolver's resources, resulting in a denial of service for legitimate users. Apart from this flaw, the vulnerability rated critical, registered as CVE-2024-30080 with a CVSSv3 score of 9.8, is a remote code execution vulnerability in Microsoft Message Queuing.


New Agent Tesla distribution campaign targets Spanish-speaking users

A new Agent Tesla malware distribution campaign delivered via phishing emails is reportedly targeting Spanish-speaking users. According to a post by FortiGuard Labs researchers, the attack chain starts with an email containing an Excel file with an OLE hyperlink that is opened automatically when the spreadsheet is opened and that includes code to exploit the CVE-2017-0199 (CVSSv3 7.8) vulnerability. The flaw CVE-2017-11882 (CVSSv3 7.8) is then also exploited to execute remote code through Microsoft Office's Equation Editor.

The researchers point out that this campaign targets Windows operating systems and that its purpose is to obtain sensitive information from the victims. Agent Tesla is a remote access Trojan (RAT) written in .NET, and the variant detected in this campaign is characterized by its ability to steal information from more than 80 applications, including login credentials, banking data and screenshots.
