Cyber Security Briefing, 9 - 15 March

March 15, 2024

Two critical vulnerabilities in Microsoft's Security Patch Day

Microsoft has released updates on Patch Tuesday in March, fixing several vulnerabilities in its software, including Windows, Office, Azure, .NET Framework, SQL Server, Skype, and Microsoft Dynamics. Two of these vulnerabilities are considered critical, while the others are classified as high severity.

One of the critical vulnerabilities, CVE-2024-21407 (CVSSv3 8.1 according to the vendor), allows remote code execution on Windows Hyper-V, while another, CVE-2024-21408 (CVSSv3 5.5 according to the vendor), causes a denial of service on the same platform. The highest-scored vulnerability, CVE-2024-21334 (CVSSv3 9.8 according to Microsoft), is a remote code execution flaw in Open Management Infrastructure (OMI) that allows an unauthenticated attacker to execute code on OMI instances reachable over the Internet.

In addition, Microsoft addressed a critical elevation of privilege vulnerability in Microsoft Azure Kubernetes, CVE-2024-21400 (CVSSv3 9.0 according to the vendor).


Phishing campaign detected distributing VCURMS and STRRAT

A new phishing campaign is distributing two remote access trojans (RATs) named VCURMS and STRRAT. The campaign, identified by FortiGuard Labs, uses a Java-based malicious downloader, storing the aforementioned malware on public services such as AWS and GitHub to avoid detection. VCURMS uses a Proton Mail email address to communicate with a C2 server.

The attack chain starts with a phishing email that leads to the download of a malicious JAR file hosted on AWS. This JAR file then downloads two more files that execute the trojans. VCURMS periodically sends emails to the attacker-controlled server and can execute arbitrary commands, collect system information and steal data from applications such as Discord and Steam, as well as browser credentials and screenshots, among others.

STRRAT, which has been observed since 2020, also spreads via fraudulent JAR files and has capabilities similar to those of VCURMS. This campaign mainly targets systems with Java installed, which represents a risk for any organization using it.


PoC available for a vulnerability in Progress Software OpenEdge

The Progress Software team has released technical details about a critical vulnerability in Progress Software OpenEdge Authentication Gateway and AdminServer. The vulnerability, identified as CVE-2024-1403 (CVSS 10.0), affects software versions prior to 11.7.19, 12.2.14 and 12.8.1 and is an authentication bypass flaw that can lead to unauthorized access.

The bug has been fixed in OpenEdge LTS Update 11.7.19, 12.2.14 and 12.8.1. Its criticality is worth stressing: beyond its severity rating, a PoC has already been released, which indicates that the root cause of the vulnerability lies in the connect() function of the affected component.
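Because the fixed builds are named per LTS branch, a naive "earlier than 12.8.1" comparison would flag an already patched 12.2.14 host. The following is an added example (not part of the briefing and not Progress Software's tooling) that checks an installed OpenEdge version against the fixed releases listed above; the inventory, hostnames and version strings are constructed.

```python
# Added example: branch-aware check of OpenEdge versions against the fixed
# releases named for CVE-2024-1403 (11.7.19, 12.2.14, 12.8.1).
# Inventory and hostnames below are constructed for illustration.
from typing import Dict, List, Optional, Tuple

# Fixed versions from the advisory, keyed by LTS branch (major, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (11, 7): (11, 7, 19),
    (12, 2): (12, 2, 14),
    (12, 8): (12, 8, 1),
}

# Constructed inventory: hostname -> installed OpenEdge version string.
INVENTORY: Dict[str, str] = {
    "oe-auth-01": "12.2.13",   # below 12.2.14 -> needs patching
    "oe-auth-02": "12.2.14",   # fixed build for the 12.2 branch
    "oe-admin-01": "11.7.19",  # fixed build for the 11.7 branch
    "oe-dev-01": "12.8",       # treated as 12.8.0 -> below 12.8.1
    "oe-lab-01": "12.5.1",     # branch not named in the advisory
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.2.13' into (12, 2, 13); missing components count as 0."""
    nums = tuple(int(p) for p in text.strip().split("."))
    return nums + (0,) * (3 - len(nums))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if fixed,
    None if the branch is not one the advisory (as quoted here) covers."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None  # do not guess for branches the advisory does not name
    return v < fixed  # tuple comparison handles extra components correctly


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts that still need the CVE-2024-1403 fix, sorted."""
    return sorted(h for h, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: OpenEdge {INVENTORY[host]} predates the fixed build")
```

Hosts on branches the advisory does not name are reported as unknown rather than safe, so they still need a manual check against the vendor's own guidance.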


Dropbox detected as a means of phishing attacks

Darktrace researchers have identified an attack in which the threat actor used the Dropbox service to carry out phishing. In this particular case, several employees of a company received an email from a legitimate Dropbox address containing a link to a PDF file named after a company partner. The PDF in turn contained a link to a malicious domain posing as a Microsoft login page, presumably with the goal of stealing the credentials entered there.

Darktrace notes that one of the employees who received this email visited the phishing domain and entered their credentials, after which the threat actor obtained a valid MFA token for that account and began conducting phishing attacks against other company employees from the compromised Microsoft account.


CISA affected by security incident

The Cybersecurity and Infrastructure Security Agency (CISA) has informed several digital media outlets that it was affected by a security incident during the month of February. CISA specifically noted that it identified malicious activity exploiting security flaws in two Ivanti systems used by the agency.

As a result, the agency decided to take these assets offline to mitigate the compromise. Internal sources told Recorded Future News that the assets were the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT). It is not known whether data was accessed or exfiltrated, although CISA told TechTarget that the events had not had any operational impact at the time the situation was reported to it.

Finally, the agency recommends following the guidance in the security advisory on Ivanti vulnerabilities published on February 29.

