Cyber Threat Pulse

#8, June 2024

New Scam: Hackers Steal Telegram and WhatsApp Accounts

CERT-UA has recorded an increase in cyber attacks aimed at stealing messenger accounts using techniques that bypass two-factor authentication.
Criminals spread fake messages via SMS and Telegram/WhatsApp inviting the recipient to vote in a fictitious art competition.
On the contest's phishing site, the user is asked to authenticate with a QR code or with a phone number and a one-time code.
Once the victim "authorizes" in this way, the attacker's device is linked to the victim's account and the attacker gains full control over it.
The stolen account is then used to run various fraudulent schemes for profit, including sending new phishing messages to the victim's contacts.
How to prevent an incident:
● Do not follow suspicious links and do not enter data, even if the message came from one of your contacts
● If you receive a suspicious message, assume that the sender's account has been compromised and contact them via another channel to check
● When a compromise is detected: check the settings of connected devices and end unknown sessions
Details at: https://cert.gov.ua/article/6279491

Russian and Chinese Hacker Activity on the Rise: New Trellix report

Trellix has published "The Cyber Threat Report: June 2024", providing in-depth analysis of the cyber threat landscape over the past six months.
Here are some highlights from the report:
● Cyber attacks from China and Russia: China-linked groups such as Volt Typhoon generate 68.3% of all recorded threats, with 23% of their activity targeting the global government sector. The Russian group Sandworm increased its activity by 40% compared to the previous period.
● Changes in the ransomware ecosystem: Ransomware attacks most often target the transport and financial sectors. Imitators of the LockBit group have appeared since law enforcement agencies took action against it.
● EDR detection evasion: An evasion tool called "Terminator" was used in January 2024, targeting mainly the telecommunications sector of Ukraine in the context of the Russian invasion of Ukraine.
● Use of artificial intelligence: The ChatGPT 4.0 Jabber tool has been discovered on the dark web, allowing criminals to use generative AI in their operations and learn from other cybercriminals.
Read the full report at: https://www.trellix.com/advanced-research-center/threat-reports/june-2024/

Vulnerabilities in ASUS Routers: Millions of Devices are at Risk

ASUS has released firmware updates to address critical security vulnerabilities in several router models. The most severe flaw is an authentication bypass tracked as CVE-2024-3080 (CVSS score 9.8), which allows remote attackers to log in to the device without authentication.
Affected Models and Fixes:
● ZenWiFi XT8 (fixed in 3.0.0.4.388_24621)
● ZenWiFi XT8 V2 (fixed in 3.0.0.4.388_24621)
● RT-AX88U (fixed in 3.0.0.4.388_24209)
● RT-AX58U (fixed in 3.0.0.4.388_24762)
● RT-AX57 (fixed in 3.0.0.4.386_52303)
● RT-AC86U (fixed in 3.0.0.4.386_51925)
● RT-AC68U (fixed in 3.0.0.4.386_51685)
Additionally, a high-severity buffer overflow vulnerability, CVE-2024-3079 (CVSS score 7.2), which requires administrative access to exploit, has been patched.
ASUS also addressed a critical vulnerability (CVE-2024-3912, CVSS score 9.8) earlier this year, which allowed remote attackers to upload arbitrary files and execute system commands on affected devices.
Recommendations:
● Update firmware: Users are advised to promptly update their routers to the latest firmware versions to mitigate these vulnerabilities.
● Security practices: Those unable to update immediately should use strong passwords and disable remote access features such as admin panel access from WAN, port forwarding, DDNS, VPN server, DMZ, and port triggering.
Details at: https://www.asus.com/content/asus-product-security-advisory/
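As an added example (not code from ASUS or from this newsletter), a small Python check that compares a device's installed firmware string with the fixed builds listed above, so an inventory can be screened before patching. The inventory at the bottom is constructed, and the rule that any numerically later build carries the fix is the example's own assumption.

```python
"""Screen ASUS routers against the fixed firmware builds in the advisory."""
import re
from typing import List, Optional, Tuple

# Fixed builds as listed in the advisory (model -> first patched firmware).
FIXED_VERSIONS = {
    "ZenWiFi XT8": "3.0.0.4.388_24621",
    "ZenWiFi XT8 V2": "3.0.0.4.388_24621",
    "RT-AX88U": "3.0.0.4.388_24209",
    "RT-AX58U": "3.0.0.4.388_24762",
    "RT-AX57": "3.0.0.4.386_52303",
    "RT-AC86U": "3.0.0.4.386_51925",
    "RT-AC68U": "3.0.0.4.386_51685",
}

# ASUS firmware strings look like "<dotted release>_<build number>".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)_(\d+)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.0.0.4.388_24621' into (3, 0, 0, 4, 388, 24621).

    Components compare numerically; the build number after '_' is the least
    significant. Raises ValueError on anything that is not in this format.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ASUS firmware version: {version!r}")
    release, build = m.groups()
    return tuple(int(p) for p in release.split(".")) + (int(build),)


def is_patched(model: str, installed: str) -> Optional[bool]:
    """True if installed >= fixed build for this model, False if older.

    Returns None for models not in the advisory, so callers never confuse
    'unknown' with 'safe'. Assumption: later builds keep the fix.
    """
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return None
    return parse_version(installed) >= parse_version(fixed)


def devices_needing_update(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (model, installed, fixed) for every listed device still below the fix."""
    return [(m, v, FIXED_VERSIONS[m]) for m, v in inventory if is_patched(m, v) is False]


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("RT-AX88U", "3.0.0.4.388_24198"),     # below 388_24209 -> needs update
    ("RT-AC68U", "3.0.0.4.386_51685"),     # exactly the fixed build -> ok
    ("ZenWiFi XT8", "3.0.0.4.386_50000"),  # older 386 branch -> needs update
]
```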

It's Time to Update!

Microsoft
● Total Vulnerabilities: 51 (decrease from last month)
● Critical Vulnerabilities: 1 (CVE-2024-30080)
● Significant Vulnerabilities:
  - CVE-2024-30080 (MSMQ): Use After Free flaw allowing remote code execution, CVSS score 9.8. Affected if the Windows Message Queuing Service is enabled.
  - CVE-2024-30101 (Microsoft Office 2016): Use After Free flaw, CVSS 7.5, exploitable via malicious email.
  - CVE-2024-30104 (Microsoft Office): Improper Link Resolution flaw, CVSS 7.8, requires user interaction.
  - CVE-2024-30102 (Microsoft 365): Use After Free flaw, CVSS 7.3, exploitable via social engineering.
  - CVE-2024-30103 (Microsoft Outlook): Incomplete List of Disallowed Inputs, CVSS 8.8, exploitable via malicious DLL files.
  - CVE-2024-30072 (Event Trace Log File Parsing): Integer overflow, CVSS 7.8, exploitable via malicious file.
Google Chrome
● Version: 125
● Critical Vulnerabilities:
  - CVE-2024-4947: Type confusion in the V8 JavaScript engine, actively exploited.
  - CVE-2024-4948: Use-after-free in Dawn (WebGPU implementation).
  - CVE-2024-5274: Type confusion in V8, another zero-day actively exploited.
Mozilla Firefox
● Version: 126
● Total Vulnerabilities: 21
● Critical Vulnerabilities:
  - CVE-2024-4764: Use-after-free in WebRTC streams.
  - CVE-2024-4367: JavaScript execution via custom fonts in the PDF viewer.
PHP
● Vulnerability: CVE-2024-4577
● Impact: Remote code execution via PHP CGI; circumvents the CVE-2012-1823 patch.
● Patched Versions: 8.3.8, 8.2.20, 8.1.29
Azure
● Vulnerability: High-severity flaw in service tags (similar to SSRF).
● Impact: Potential exposure of personal information.
● Affected Services: Includes Application Insights, DevOps, Machine Learning, Logic Apps, and more.
● Recommendation: Implement additional authentication and authorization layers.
GitHub
● Vulnerability: CVE-2024-4985
● Impact: Allows an unauthenticated attacker to gain administrative privileges on Enterprise Server.
● Affected Versions: Up to 3.13.0 using SAML SSO with encrypted assertions.
● Patched Versions: 3.9.15, 3.10.12, 3.11.10, 3.12.4

Have any questions for our experts? 

Fill out the form, and our experts will contact you within 2 working days.