CyberSecurity Newsletter 15th of January 2024
In this week’s news: Critical vulnerabilities found in GitLab, Ivanti, BitLocker and Apache. Data breaches at a US laptop maker and an Aussie travel agent leave customers' data in the open, Microsoft ThemeBleed has an exploit in the wild, and with so many AI and ML projects starting, hackers turn their attention to the AI supply chain, such as TensorFlow.
Critical GitLab flaw allows account takeover without user interaction, patch quickly! (CVE-2023-7028): https://www.helpnetsecurity.com/2024/01/12/cve-2023-7028/
On January 10, Ivanti released a security advisory for two zero-day vulnerabilities that were exploited in-the-wild in limited, targeted attacks: CVE-2023-46805, Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability (CVSS 8.2), and CVE-2024-21887, Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability (CVSS 9.1): https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-zero-day-vulnerabilities-exploited-in-ivanti-connect-secure-and
U.S. repairable laptop maker Framework has confirmed that hackers accessed customer data after successfully phishing an employee at its accounting service provider. Framework says hackers accessed customer data after phishing attack on accounting partner: https://techcrunch.com/2024/01/12/framework-customer-data-stolen-phishing-keating-accounting/
Windows 10 users worldwide report problems installing Microsoft's January Patch Tuesday updates, getting 0x80070643 errors when attempting to install the KB5034441 security update for BitLocker: https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5034441-security-update-fails-with-0x80070643-errors/
Threat Actors Target Microsoft SQL Servers in Mimic Ransomware Attacks: https://malware.news/t/threat-actors-target-microsoft-sql-servers-in-mimic-ransomware-attacks/77398
A Dutch engineer recruited by the country’s intelligence services used a water pump to deploy the now-infamous Stuxnet malware in an Iranian nuclear facility, according to a two-year investigation conducted by Dutch newspaper De Volkskrant: https://www.securityweek.com/dutch-engineer-used-water-pump-to-get-billion-dollar-stuxnet-malware-into-iranian-nuclear-facility-report/
The Apache Struts vulnerability CVE-2023-50164, with a critical CVSS score of 9.8, poses a significant threat to a wide range of industries. This newly reported vulnerability enables remote code execution, and its exploitation is already evident in the wild: https://malware.news/t/apache-struts-vulnerability-cve-2023-50164-cybersecurity-advisory/77446
The U.S. Attorney's office in Delaware charged Olugbenga Lawal with being a major money launderer for a Nigeria-based international criminal organisation that specialised in Business Email Compromise (#BEC) and romance scams: https://malware.news/t/classic-baggie-a-delaware-bec-case-calls-him-the-leader-of-an-international-criminal-organization/77585
Mastermind behind 1.8 million cryptojacking scheme arrested in Ukraine: https://securityaffairs.com/157432/cyber-crime/mastermind-cryptojacking-scheme-arrested-ukraine.html
Aussie Travel Agency Data Leak Puts Thousands of Tourists at Risk: https://www.hackread.com/aussie-travel-agency-data-leak-tourists-at-risk/
watchTowr Labs analysis of the two Ivanti bugs, CVE-2023-46805 (Authentication Bypass) and CVE-2024-21887 (Command Injection), in Ivanti (also known as Pulse Secure) Connect Secure (ICS) and Ivanti Policy Secure appliances: https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/
AhnLab Security intelligence Center (ASEC) recently found that the Remcos RAT malware, disguised as adult games, is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea: https://asec.ahnlab.com/en/60270/
Privilege escalation using the XAML diagnostics API (CVE-2023-36003): https://m417z.com/Privilege-escalation-using-the-XAML-diagnostics-API-CVE-2023-36003/
Writeup for CVE-2023-43208: NextGen Mirth Connect Pre-Auth RCE: https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/
CVE-2023-46214 is a Remote Code Execution (RCE) vulnerability found in Splunk Enterprise which was disclosed on November 16, 2023. Analysis: https://blog.hrncirik.net/cve-2023-46214-analysis PoC: https://github.com/nathan31337/Splunk-RCE-poc
Proof-of-Concept for CVE-2023-38146 ("ThemeBleed"): https://github.com/gabe-k/themebleed
Investigating outbound connections: is upgradeapi.PySimpleGUI.com malware? https://adamcysec.github.io/PySimpleGUI-malware/
Microsoft Message Queuing Denial of Service Vulnerability, CVE-2024-20661: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20661
Windows Subsystem for Linux Elevation of Privilege Vulnerability, CVE-2024-20681: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20681
BitLocker Security Feature Bypass Vulnerability, CVE-2024-20666: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666
A SQL injection vulnerability exists in the CMSEASY CMS version 7.7.7 and earlier: https://github.com/V3geD4g/cmseasy_vul/blob/main/SQL1-EN.md
TensorFlow Supply Chain Compromise via Self-Hosted Runner Attack: https://securityboulevard.com/2024/01/tensorflow-supply-chain-compromise-via-self-hosted-runner-attack/ and https://www.praetorian.com/blog/tensorflow-supply-chain-compromise-via-self-hosted-runner-attack/