Cybercriminals Exploit Panic: Attacks After CrowdStrike Failure
On July 19, 2024, CrowdStrike pushed a faulty content update for its Falcon Sensor that caused widespread disruption to Windows systems. The defective update crashed millions of computers with a blue screen of death (BSOD), including machines in mission-critical sectors such as healthcare and finance.
Cybercriminals quickly took advantage of the chaos caused by the failed update. Observed activity includes phishing campaigns and malware distributed under the guise of legitimate recovery tools:
1. Remcos RAT disguised as a hotfix: Attackers are distributing a ZIP archive named "crowdstrike-hotfix.zip" that contains the HijackLoader malware loader, which in turn installs the Remcos remote access trojan on the infected device. The campaign appears to target CrowdStrike's Latin American customers, judging by the Spanish-language instructions included in the archive.
https://x.com/g0njxa/status/1814564408846147830
2. Daolpu stealer: Another campaign sends phishing emails with a malicious Microsoft Word attachment disguised as a recovery guide from Microsoft. The document carries macros that, when enabled, drop the Daolpu information stealer, which harvests saved credentials, browsing history and cookies from popular browsers including Chrome, Edge and Firefox.
https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/
3. Handala data wiper: The pro-Iranian hacktivist group Handala distributed data-destroying malware disguised as an official CrowdStrike update. Posing as CrowdStrike representatives, the attackers sent phishing emails from the lookalike domain "crowdstrike[.]com[.]vc" containing PDF documents with instructions for running a fake update and links to malicious ZIP archives. Launching the "Crowdstrike.exe" executable inside the archive started the destruction of data on the device.
https://x.com/anyrun_app/status/1814658084460957890
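The three campaigns share two lure patterns a mail gateway can catch: a sender domain that merely contains the vendor's name (the Handala domain passes a substring check against "crowdstrike.com" because ".com.vc" is the real suffix) and an attachment that is either a macro-enabled Office document or an archive carrying an executable. The triage below is an added example, not code from the original post or from CrowdStrike; the sender addresses, file names and the TRUSTED_DOMAINS allowlist are constructed to mirror the campaigns described above, and the function and type names are this example's own.

```python
"""Triage of 'CrowdStrike recovery' phishing lures.

Added example, not code from the original post or from CrowdStrike. The
sender addresses, file names and the TRUSTED_DOMAINS allowlist are
constructed to mirror the three campaigns described above; function and
type names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed allowlist: vendor domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"crowdstrike.com", "microsoft.com"}

# Attachment shapes seen in the campaigns: macro-enabled Office documents (Daolpu)
# and archives that carry a loader or wiper executable (Remcos, Handala).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1")


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def naive_is_trusted(domain: str) -> bool:
    """The mistake a hurried filter makes: substring match on the brand domain.

    'crowdstrike.com.vc' passes because it contains 'crowdstrike.com'.
    """
    return any(trusted in domain for trusted in TRUSTED_DOMAINS)


def is_trusted_sender(domain: str) -> bool:
    """Accept only an exact match or a label-aligned subdomain ('x.crowdstrike.com').

    'crowdstrike.com.vc' ends in '.vc', so it is rejected; so is 'notcrowdstrike.com'.
    """
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


@dataclass
class Finding:
    indicator: str
    reason: str


def triage_message(sender: str, attachments: list[str],
                   archive_contents: dict[str, list[str]] | None = None) -> list[Finding]:
    """Flag the lure patterns used after the Falcon outage.

    archive_contents maps an attached archive name to the file names inside it,
    as a mail gateway that unpacks archives would supply.
    """
    findings: list[Finding] = []
    domain = sender_domain(sender)
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    # An untrusted domain that still carries a trusted brand name is a lookalike.
    if not is_trusted_sender(domain) and any(b in domain for b in brands):
        findings.append(Finding(domain, "lookalike of a trusted vendor domain"))
    for name in attachments:
        lower = name.lower()
        if lower.endswith(MACRO_EXTENSIONS):
            findings.append(Finding(name, "macro-enabled Office document"))
        elif lower.endswith(ARCHIVE_EXTENSIONS):
            inner = (archive_contents or {}).get(name, [])
            executables = [f for f in inner if f.lower().endswith(EXECUTABLE_EXTENSIONS)]
            if executables:
                findings.append(Finding(name, "archive contains executable: " + ", ".join(executables)))
    return findings


# Constructed samples modelled on the three campaigns (addresses and file names invented).
SAMPLES = {
    "handala_wiper": ("support@crowdstrike.com.vc", ["Crowdstrike_update.zip"],
                      {"Crowdstrike_update.zip": ["Crowdstrike.exe", "instructions.pdf"]}),
    "daolpu_stealer": ("recovery-team@example.net", ["Recovery_Manual.docm"], None),
    "remcos_hotfix": ("soporte@example.org", ["crowdstrike-hotfix.zip"],
                      {"crowdstrike-hotfix.zip": ["instrucciones.txt", "setup.exe"]}),
    "benign_advisory": ("noreply@mail.crowdstrike.com", ["advisory.pdf"], None),
}


def run_samples() -> dict[str, list[str]]:
    """Return the finding reasons per sample, for inspection or assertion."""
    return {name: [f.reason for f in triage_message(*args)] for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(f"{name}: {reasons or ['no findings']}")
```

The point of the two domain functions is the contrast: naive_is_trusted accepts the Handala domain, is_trusted_sender rejects it, and neither relies on the sender's display name, which the attackers control. The attachment rules are deliberately coarse; in production they would sit behind the gateway's own unpacking and detonation rather than replace it.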
New Vulnerabilities in OpenSSH Allow Commands to Be Executed as Root
On July 1, 2024, a high-severity vulnerability in OpenSSH (CVSS 8.1), dubbed "regreSSHion" and tracked as CVE-2024-6387, was disclosed. It is a signal handler race condition in sshd, a regression of the 2006 bug CVE-2006-5051 (hence the name), that on glibc-based Linux systems can lead to unauthenticated remote code execution (RCE) with root privileges. As of July 2, 2024, Palo Alto Networks Unit 42 counted more than 7 million internet-exposed OpenSSH instances potentially affected.
The vulnerability affects:
● OpenSSH versions from 8.5p1 up to, but not including, 9.8p1 (the fixed release)
● Versions earlier than 4.4p1, unless they carry the patches for CVE-2006-5051 or CVE-2008-4109
Versions 4.4p1 through 8.4p1 are not affected.
A second, related vulnerability, CVE-2024-6409 (CVSS 7.0), has also been reported: a race condition of the same class in the privilege-separated child process. It only affects the OpenSSH 8.7p1 and 8.8p1 packages shipped with Red Hat Enterprise Linux 9.
To eliminate these vulnerabilities, update OpenSSH to version 9.8p1 or later, or to a distribution package that backports the fix (vendor builds typically keep the upstream version string, so check the package changelog rather than the banner). Where updating is not immediately possible, setting LoginGraceTime 0 in sshd_config removes the exploitable race at the cost of exposing sshd to connection-exhaustion denial of service. It is also recommended to restrict and monitor SSH access with firewall rules and network segmentation to prevent unauthorized access and lateral movement inside the organization's perimeter.
https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/
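The version ranges above are what a first sweep of SSH banners is checked against. The script below is an added example, not code from the original article, from OpenSSH or from Unit 42; the scan lines are constructed and the function names are this example's own. It encodes the three ranges (pre-4.4p1, 8.5p1 to 9.7p1, fixed from 9.8p1) and treats banners without a "pN" suffix as p1. The result is triage only: distributions backport the fix without changing the upstream version string, so a host reported as vulnerable-by-version must be confirmed against its installed package version, and a host in the 8.7p1/8.8p1 range on RHEL 9 is also a candidate for CVE-2024-6409.

```python
"""Banner-based triage for regreSSHion (CVE-2024-6387) version ranges.

Added example, not code from the original article, from OpenSSH or from
Unit 42. The scan lines below are constructed; function names are this
example's own. A banner check is triage only: distributions backport the
fix without changing the upstream version string, so confirm with the
installed package version before declaring a host vulnerable or safe.
"""
from __future__ import annotations

import re

# Identification string sent by sshd, e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13".
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Ranges from the advisory: 8.5p1 up to but not including the fixed 9.8p1, and
# pre-4.4p1 builds lacking the CVE-2006-5051 / CVE-2008-4109 fixes.
FIRST_REGRESSED = (8, 5, 1)
FIXED = (9, 8, 1)
OLD_FIXED = (4, 4, 1)


def parse_openssh_version(banner: str) -> tuple[int, int, int] | None:
    """Return (major, minor, portable) or None if the banner is not OpenSSH.

    Banners without a 'pN' suffix (OpenBSD native builds, and distributions
    such as RHEL that strip it) are treated as p1, the first portable release
    of each version.
    """
    match = BANNER_RE.match(banner.strip())
    if not match:
        return None
    major, minor, portable = match.groups()
    return (int(major), int(minor), int(portable) if portable else 1)


def regresshion_status(banner: str) -> str:
    """Classify a banner by upstream version range alone (no backport awareness)."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"          # not OpenSSH, or a banner the pattern does not cover
    if version < OLD_FIXED:
        return "vulnerable-unless-patched"
    if FIRST_REGRESSED <= version < FIXED:
        return "vulnerable-by-version"
    return "not-affected-by-version"


def triage_scan(lines: list[str]) -> dict[str, str]:
    """Map 'host banner' lines (as a banner-grabbing sweep would emit) to a status."""
    result: dict[str, str] = {}
    for line in lines:
        host, _, banner = line.partition(" ")
        result[host] = regresshion_status(banner)
    return result


# Constructed scan output; hosts and banners are invented for illustration.
SAMPLE_SCAN = [
    "10.0.0.11 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "10.0.0.12 SSH-2.0-OpenSSH_8.7",                  # RHEL 9 style banner without 'p'
    "10.0.0.13 SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "10.0.0.14 SSH-2.0-OpenSSH_9.8p1",
    "10.0.0.15 SSH-2.0-OpenSSH_4.3",
    "10.0.0.16 SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for host, status in triage_scan(SAMPLE_SCAN).items():
        print(f"{host}\t{status}")
```

Feed it the output of whatever banner grabber is already in use (one "host banner" pair per line) and follow up each vulnerable-by-version host with the package manager's view of openssh-server before patching or applying the LoginGraceTime 0 workaround.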
It's Time to Update!
Microsoft
In the July Patch Tuesday, Microsoft fixed 142 vulnerabilities, 5 of which are critical:
● Hyper-V: an actively exploited zero-day (CVE-2024-38080) that allows an attacker with local access to escalate privileges to SYSTEM.
● MSHTML: an actively exploited zero-day (CVE-2024-38112) that allows attackers to spoof web content.
● .NET and Visual Studio: a remote code execution vulnerability (CVE-2024-35264) caused by a use-after-free.
● Windows Remote Desktop Licensing Service: two critical remote code execution vulnerabilities (CVE-2024-38076 and CVE-2024-38077) caused by heap-based buffer overflows.
https://msrc.microsoft.com/update-guide/releaseNote/2024-Jul
Google Chrome
In a recent update for Chrome, Google fixed many vulnerabilities, including:
● CVE-2024-6100: a type confusion vulnerability in the V8 JavaScript engine that can lead to crashes and remote code execution.
● CVE-2024-6101: an inappropriate-implementation flaw in WebAssembly that can allow attacker-controlled code to run.
● CVE-2024-6102 and CVE-2024-6103: an out-of-bounds memory access and a use-after-free in Dawn, Chrome's WebGPU implementation.
● A new zero-day: a sandbox-escape RCE reportedly advertised on a darknet forum for $1 million in cryptocurrency. The listing is unverified, and no fix is available at this time.
It is recommended to update Chrome to version 126.0.6478.114/115 for Windows and macOS, and 126.0.6478.114 for Linux.
https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html
Mozilla Firefox
Firefox version 128 fixed 20 browser security issues. Among them are:
● CVE-2024-6605: a missing activation delay in Firefox for Android that allows tapjacking attacks.
● CVE-2024-6606: an out-of-bounds read in the clipboard component, exposing sensitive memory contents.
● CVE-2024-6609: memory corruption in the NSS library leading to potential code execution.
● CVE-2024-6600: memory corruption in the WebGL API leading to crashes and possible RCE.
https://www.mozilla.org/en-US/security/advisories/
Android
The July 2024 Android Security Bulletin fixes 25 vulnerabilities; the most severe, CVE-2024-31320, is a local privilege-escalation flaw in the Framework component affecting Android 12 and 12L.
https://source.android.com/docs/security/bulletin/2024-07-01