Russian Hackers from APT29 Use Exploits from NSO Group and Intellexa
Google's Threat Analysis Group attributes to the Russian state-backed group APT29 a series of attacks between November 2023 and July 2024 that targeted iOS and Android users with exploits identical or strikingly similar to ones first used by the commercial surveillance vendors Intellexa and NSO Group.
The attackers used vulnerabilities in Safari (WebKit) and Chrome that Apple and Google had already patched, but which remained exploitable on devices that had not been updated: the iOS exploit targeted iPhones running iOS 16.6.1 and older, the Chrome chain targeted Android users on Chrome m121 to m123. The campaign was a 'watering hole': malicious code was planted on legitimate Mongolian government websites (cabinet.gov.mn and mfa.gov.mn), so that it ran on the devices of whoever visited them.
The iOS chain used CVE-2023-41993 (WebKit); the Android chain used CVE-2024-5274 (a type confusion in V8) together with CVE-2024-4671 (a use-after-free in Chrome's Visuals component, needed to escape the renderer sandbox). Both delivered a stealer payload that collected browser cookies, saved passwords and browsing history. The exploits were almost identical to those previously used by Intellexa and NSO Group, which suggests they leaked or were resold through intermediaries; Google states that it does not know how APT29 obtained them.
Learn more: https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/
Disguised as Palo Alto Networks
The Unit 42 research team has uncovered a campaign distributing the WikiLoader malware loader disguised as Palo Alto Networks' GlobalProtect enterprise VPN client. For initial access the attackers rely on SEO poisoning, pushing their malicious site to the top positions in search results for the product. This works because users tend to trust highly ranked results and rarely scrutinize the site they land on, especially when it looks like a vendor page.
The malicious site is a replica of the legitimate Palo Alto Networks resource and offers a download link for a fake GlobalProtect installer. Running that installer drops WikiLoader, which in turn fetches further payloads and compromises the system. The practical defence is the one most users skip: check the installer's code signature and publisher before running anything downloaded from a search result.
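The check described above, as an added example that is not code from the Unit 42 report or from Palo Alto Networks: it verifies the Authenticode signature of a downloaded installer, confirms the signing certificate belongs to the publisher you expect, and records the file's SHA-256 so it can be compared with the vendor's published hash. The file name, the expected signer string and the function name are assumptions; the check itself is generic and applies to any vendor installer.

```powershell
# Added example, not from the original article or the vendor.
# Verifies a downloaded installer before it is executed.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signing certificate's Subject, e.g. 'Palo Alto Networks'
        [Parameter(Mandatory)] [string] $ExpectedSigner,
        # Optional: a known-good leaf certificate thumbprint, stronger than a name match
        [string] $ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # WinVerifyTrust-based check; covers .exe, .msi, .dll, .ps1 and other signable formats.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $subject    = $sig.SignerCertificate.Subject
    $thumbprint = $sig.SignerCertificate.Thumbprint

    # All of these must hold: the signature verifies and chains to a trusted root
    # (Status 'Valid' covers both), and the leaf certificate is the vendor's. A valid
    # signature from some other publisher is exactly what a look-alike site would ship.
    $signerOk = $subject -like "*$ExpectedSigner*"
    if ($ExpectedThumbprint) {
        $signerOk = $signerOk -and ($thumbprint -eq $ExpectedThumbprint)
    }
    $trusted = ($sig.Status -eq 'Valid') -and $signerOk

    [pscustomobject]@{
        Path       = $Path
        SHA256     = $hash
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        Signer     = $subject
        Thumbprint = $thumbprint
        Trusted    = $trusted
    }
}

# Usage (file name is assumed): refuse to run anything that does not pass.
$check = Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\GlobalProtect64.msi" `
                                 -ExpectedSigner 'Palo Alto Networks'
$check | Format-List
if (-not $check.Trusted) {
    Write-Warning "Installer failed verification (status: $($check.Status), signer: $($check.Signer)). Do not run it."
}
```

A name match on the certificate Subject stops the common case (unsigned file, or a file signed by an unrelated company), but a pinned thumbprint from a previously verified download is the stronger check, so the function accepts one when you have it.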
Unit42 provides detailed insights into the operation of WikiLoader, including techniques used to bypass security systems: https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/
Microsoft and Vulnerability Related to IPv6
Microsoft released a critical patch on August 13, 2024 for a vulnerability in the Windows TCP/IP stack that allows remote code execution (RCE). The vulnerability, CVE-2024-38063 (CVSS 9.8, Critical), affects a wide range of Windows versions, including Windows 10, Windows 11 and Windows Server from 2008 through 2022. The bug is in the way the tcpip.sys kernel driver processes IPv6 extension headers: an integer underflow leads to a buffer overflow in kernel memory, which can be turned into arbitrary code execution.
An attacker can exploit CVE-2024-38063 remotely by sending specially crafted IPv6 packets to a reachable host; no user interaction is needed, so the flaw is wormable and can spread across a network on its own.
Microsoft strongly recommends applying the update as soon as possible. Where that is not yet possible, Microsoft notes that systems with IPv6 disabled are not affected, so disabling IPv6 is the documented interim mitigation (with the usual caveat that it breaks anything that depends on IPv6).
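The exposure check a Windows administrator would run for this item, as an added example that is not code from Microsoft or from the Picus write-up. It reports whether the IPv6 stack is disabled via the documented DisabledComponents registry value, whether any interface still carries an IPv6 address (link-local counts: an attacker on the same segment can reach it), and whether a security update has been installed since Patch Tuesday. The update test is a heuristic on hotfix install dates, because the KB number differs per OS build; the function name is an assumption.

```powershell
# Added example, not from the original article, Microsoft or Picus.
# Run as administrator on the host being checked.
function Get-Cve202438063Exposure {
    $patchDate = Get-Date '2024-08-13'

    # 1. Is IPv6 disabled at the stack level? Microsoft documents DisabledComponents = 0xFF
    #    (KB929852) as disabling all IPv6 interfaces except loopback, and lists disabling
    #    IPv6 as the mitigation for this CVE.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $disabled = (Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    $ipv6StackDisabled = ($null -ne $disabled) -and (($disabled -band 0xFF) -eq 0xFF)

    # 2. Which interfaces still have IPv6 addresses? Global/ULA addresses mean reachability
    #    from routed networks; link-local (fe80::/10) alone is enough for an on-link attacker.
    $ipv6Addrs = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
    $hasGlobal    = [bool]($ipv6Addrs | Where-Object { $_.IPAddress -notlike 'fe80:*' })
    $hasLinkLocal = [bool]($ipv6Addrs | Where-Object { $_.IPAddress -like 'fe80:*' })

    # 3. Heuristic: any security/cumulative update installed on or after 2024-08-13?
    #    Confirm against the exact KB for your build from the Microsoft advisory.
    $recent  = Get-HotFix | Where-Object { $_.InstalledOn -ge $patchDate -and $_.Description -match 'Security|Update' }
    $patched = [bool]$recent

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IPv6StackDisabled = $ipv6StackDisabled
        HasGlobalIPv6     = $hasGlobal
        HasLinkLocalIPv6  = $hasLinkLocal
        UpdateSinceAug13  = $patched
        RecentUpdates     = ($recent | ForEach-Object HotFixID) -join ','
        LikelyExposed     = (-not $patched) -and (-not $ipv6StackDisabled) -and ($hasGlobal -or $hasLinkLocal)
    }
}

Get-Cve202438063Exposure | Format-List

# Interim mitigation if the update cannot be applied yet (requires a reboot and disables
# IPv6 for the whole host, so anything that depends on IPv6 will break):
# New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
#     -Name DisabledComponents -PropertyType DWord -Value 0xFF -Force
```

LikelyExposed is deliberately conservative: it is only false when the host is patched (by the date heuristic), has the stack disabled, or has no IPv6 address at all. Treat a true result as "go and verify the KB", not as a confirmed vulnerable host.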
The Picus Security team conducted a detailed investigation of this vulnerability and shared their findings at: https://www.picussecurity.com/resource/blog/cve-2024-38063-remote-kernel-exploitation-via-ipv6-in-windows
It's Time to Update!
Microsoft
Microsoft's August 2024 updates fix 87 vulnerabilities, 7 of them rated Critical and 6 actively exploited zero-days. Among them:
● CVE-2024-38178: remote code execution in the Microsoft Scripting Engine (Edge in IE Mode) caused by a type confusion error; actively exploited, but it requires the victim to open a link in IE Mode.
● CVE-2024-38106: elevation of privilege in the Windows Kernel to SYSTEM caused by a race condition, giving an attacker full control of the system; actively exploited.
● CVE-2024-38107: a use-after-free in the Windows Power Dependency Coordinator that lets a local attacker escalate privileges to SYSTEM; actively exploited.
● CVE-2024-38189: remote code execution in Microsoft Project when opening a malicious file, caused by insufficient validation of user input; actively exploited, and it depends on the "Block macros from running in Office files from the Internet" protection being turned off.
● CVE-2024-38199: a critical use-after-free in the Windows Line Printer Daemon (LPD) service that allows remote code execution on the server. LPD is a deprecated component that is not enabled by default, so check whether it is actually installed before prioritizing this one.
Google Chrome
Chrome has been updated to version 127.0.6533.99/.100 for Windows, Mac and Linux. The update fixes 5 vulnerabilities, including a critical out-of-bounds memory access (CVE-2024-7532) in the ANGLE graphics component that could be used to execute arbitrary code.
Mozilla Firefox
Firefox 128 fixes 20 vulnerabilities, 8 of them rated critical. One of the notable ones affects Firefox for Android (CVE-2024-6605) and allows an attacker to bypass the browser's permission mechanism and gain unauthorized access to the camera, microphone and the user's location.
Zero-Day Browser Vulnerability
Researchers at Oligo Security have described the "0.0.0.0 Day" flaw, a browser behaviour that has existed since 2006: major browsers let a public website send requests to the address 0.0.0.0, which the operating system routes to services listening on the local machine, so a malicious page can reach internal services on the visitor's host or local network. Chrome, Firefox and Safari on macOS and Linux are affected; it cannot be exploited on Windows, because Windows blocks 0.0.0.0 as a destination at the OS level. Browser vendors are closing the gap as part of the Private Network Access work, so keep browsers current.
VMware ESXi
More than 20,000 internet-exposed ESXi servers are still affected by CVE-2024-37085. An ESXi host joined to Active Directory automatically grants full administrative access to members of an AD group named "ESX Admins", without checking that the group actually exists, so an attacker with enough AD rights to create or rename a group can create that group, add an account to it and take full control of every host. Ransomware groups have already used this. Broadcom fixed it in ESXi 8.0 U3; for older releases the workaround is to turn off the automatic grant and change the expected group name on each host.
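The audit and hardening step for this item, as an added example that is not code from Broadcom's advisory or from Microsoft's write-up. It runs over every host known to a vCenter with VMware PowerCLI, reports which AD-joined hosts still trust the default "ESX Admins" group, and with -Apply sets the two advanced settings that implement the workaround. It assumes PowerCLI is installed and Connect-VIServer has already been run; the function name, the -Apply switch and the replacement group name are assumptions.

```powershell
# Added example, not from the original article, Broadcom or Microsoft.
# Requires VMware PowerCLI and an existing Connect-VIServer session.
function Invoke-EsxAdminsGroupAudit {
    [CmdletBinding()]
    param([switch] $Apply)   # hypothetical switch: remediate instead of only reporting

    $autoAddName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'
    $groupName   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

    foreach ($vmhost in Get-VMHost) {
        # Only AD-joined hosts consult the group at all.
        $domainJoined = [bool](Get-VMHostAuthentication -VMHost $vmhost).Domain

        $autoAdd = Get-AdvancedSetting -Entity $vmhost -Name $autoAddName
        $group   = Get-AdvancedSetting -Entity $vmhost -Name $groupName

        # The dangerous combination: domain-joined, auto-grant still on, and the host
        # still trusts the well-known default group name that anyone can create in AD.
        # Compare with -eq $true rather than [bool] so a string "false" is not treated as true.
        $vulnerable = $domainJoined -and ($autoAdd.Value -eq $true) -and ($group.Value -eq 'ESX Admins')

        if ($Apply -and $vulnerable) {
            # Workaround for hosts that cannot move to ESXi 8.0 U3: stop the automatic grant
            # and move the group name off the default. Admin membership stays managed in AD
            # under a name the attacker does not know in advance (value assumed here).
            Set-AdvancedSetting -AdvancedSetting $autoAdd -Value $false -Confirm:$false | Out-Null
            Set-AdvancedSetting -AdvancedSetting $group -Value 'DoNotUse-ESXAdmins' -Confirm:$false | Out-Null
        }

        [pscustomobject]@{
            Host         = $vmhost.Name
            Version      = $vmhost.Version
            DomainJoined = $domainJoined
            AutoAdd      = $autoAdd.Value
            AdminGroup   = $group.Value
            Vulnerable   = $vulnerable
            Remediated   = [bool]($Apply -and $vulnerable)
        }
    }
}

# Report only; add -Apply to remediate.
Invoke-EsxAdminsGroupAudit | Format-Table -AutoSize
```

On the Active Directory side, pair this with an alert on the creation of a group whose name is "ESX Admins" or on changes to whatever name you set above; the host-side setting change stops the automatic grant, but the AD event is the earliest signal that someone is trying.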
Android
Google's August Android bulletin fixes 46 vulnerabilities, including one that Google says may be under limited, targeted exploitation: CVE-2024-36971, a use-after-free in the Linux kernel's network routing code that allows an attacker to execute arbitrary code on the device without user interaction.
Apple
Apple released updates for all platforms, fixing 35 vulnerabilities in iOS and iPadOS 17.6 and 70 vulnerabilities in macOS Sonoma 14.6. The Safari browser has also been updated to fix 9 vulnerabilities, 8 of which affect the WebKit component.
WhatsApp
A serious weakness has been found in the Windows version of WhatsApp: when a user opens a received Python or PHP script attachment (for example .pyz, .pyzw or .php files), the client runs it without showing a security warning. The caveat is that a Python or PHP interpreter must already be installed on the machine, so developers and other users with those interpreters are the ones at risk; Meta has declined to treat this as a security issue, so do not open script attachments from unknown senders.