Cyber Security Briefing, 9 - 15 November

November 15, 2024

Ivanti fixes multiple vulnerabilities in its products

Ivanti has published its Patch Tuesday updates, which fix multiple vulnerabilities in its products Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC). Of the security flaws published in the bulletin, eight are rated critical. Specifically, these are the vulnerabilities registered as CVE-2024-38655, CVE-2024-38656, CVE-2024-39710, CVE-2024-39711, CVE-2024-39712, CVE-2024-11005, CVE-2024-11006 and CVE-2024-11007.

It should be noted that these vulnerabilities are described as argument and command injection flaws that could allow authenticated attackers with administrator privileges to achieve remote code execution. Accordingly, Ivanti recommends that users upgrade their products to Connect Secure version 22.7R2.3 and Policy Secure version 22.7R1.2, which fix these flaws along with the rest of those published.

More info

Microsoft Patch Tuesday fixes 91 vulnerabilities, including four 0-days

Microsoft has published its November Patch Tuesday advisory, which includes security updates for 91 bugs. Among these are four 0-day vulnerabilities, two of which have been actively exploited. Specifically, these are the flaw registered as CVE-2024-43451, CVSSv3 of 6.5, an NTLM hash disclosure spoofing vulnerability that exposes NTLMv2 hashes to remote attackers with minimal user interaction, and the vulnerability CVE-2024-49039, CVSSv3 of 8.8, a Windows Task Scheduler elevation of privilege vulnerability that allows attackers to execute RPC functions normally restricted to privileged accounts, resulting in unauthorised code execution or access to resources. The other two vulnerabilities, CVE-2024-49040, CVSSv3 of 7.5, and CVE-2024-49041, are phishing flaws in Microsoft Exchange Server and MSHTML respectively.

More info

Confluences between the new Ymir ransomware and RustyStealer

Kaspersky researchers have published a report pointing out the association between the new Ymir ransomware and the RustyStealer infostealer in its operations. According to the experts, this new strain of ransomware is notable for its in-memory execution, use of the African language Lingala in its code, use of ChaCha20 encryption, use of PDF files as ransom notes and its extension configuration options.

Kaspersky also points out that Ymir connects to external servers that could facilitate data exfiltration, as the ransomware itself has no such capability. The report also discusses the involvement of RustyStealer, a credential-harvesting malware that allows attackers to gain unauthorised access to systems by compromising legitimate accounts with high privileges and then performing lateral movement once inside the victim's network. Ymir has been seen attacking victims in Colombia.

More info

Malicious campaign spreading Strela Stealer in Germany, Spain and Ukraine

The IBM X-Force research team has published a report on the discovery of a campaign to distribute the Strela Stealer malware by the malicious actor known as Hive0145. According to the experts, the campaign is primarily targeting Germany, Spain and Ukraine and is being carried out through the forwarding of malicious emails. Specifically, Hive0145 would distribute Strela Stealer using vulnerable accounts to send emails that look like invoices and receipts, with attachments that, when executed by the victim, infect the computer with the malware. The researchers also point out that Hive0145 has evolved its TTPs since at least 2022: the latest version of the malware, in addition to stealing information, collects system information, retrieves a list of installed applications, and checks the victim's keyboard language so that it only targets users of Spanish, German, Catalan, Polish, Italian, Basque or Ukrainian.

More info

Bitdefender releases ShrinkLocker decryption tool

Bitdefender has published a report detailing the operation of the ShrinkLocker ransomware and, in addition, a free tool to decrypt files encrypted with this malware. ShrinkLocker, which began operating earlier this year, abuses the legitimate Windows tool BitLocker to encrypt files and then removes the recovery options.

More info