Cybersecurity Alerts

There are two critical security vulnerabilities recently identified in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. These vulnerabilities allow remote, unauthenticated attackers to gain access to affected devices and escalate their privileges. This can ultimately lead to remote code execution, unauthorized data access, and complete network compromise. 

Ivanti has admitted and warned that there have been a “limited number of customers” using Ivanti Connect Secure appliances that have been affected by the remote code execution vulnerability, adding more urgency to the necessity of updating affected devices immediately. 

QUICK POINTS: 

• Vulnerability IDs:
  • CVE-2025-0282 (CVSS score: 9.0) – Remote Code Execution
  • CVE-2025-0283 (CVSS score: 7.0) – Privilege Escalation
• Severity: Critical
• Affected Devices: Ivanti Connect Secure, Policy Secure, and Neurons for ZTA 

IMMEDIATE ACTIONS: 

• Patch Immediately: Ivanti has released a patch for Connect Secure (version 22.7R2.5). Patches for Policy Secure and ZTA Gateways are expected by January 21, 2025.
• Run ICT Scans: Perform Integrity Checker Tool (ICT) scans on all affected devices to detect potential compromise.
• Factory Reset if Compromised: If ICT reveals signs of compromise, perform a factory reset before applying patches.
• Monitor for Suspicious Activity: Watch for unusual behavior in DNS queries, LDAP responses, and privilege escalations. 

There is a critical security vulnerability discovered in Apache Traffic Control, a content delivery network tool. This vulnerability allows hackers unauthorized access to your database, potentially leading to data manipulation, sensitive data theft, and, ultimately, complete compromise of your network.  

The critical vulnerability stems from a SQL injection vulnerability in Traffic Ops within Apache Traffic Control. This allows users with the role “admin”, “federation”, “operations”, “portal”, or “steering” to send specially crafted PUT requests against the database to execute arbitrary SQL commands.  

This comes off the heels of another critical vulnerability found in Apache Tomcat servers, tracked as CVE-2024-56337, which allows a hacker to perform remote code execution. These vulnerabilities stress the importance of keeping Apache products up to date with the latest updates and patches.  

QUICK POINTS  

• Vulnerability ID: CVE-2024-45387 (CVSS score 9.9)
• Severity: Critical
• Affected Devices: Apache Traffic Control (see Immediate Action section for specific versions) 

IMMEDIATE ACTION  

• Patch Immediately: Apache Software Foundation (ASF) has released a patch to address this vulnerability in Apache Traffic Control
  • Upgrade to version 8.0.2 or later
  • Note: Traffic Control versions 7.0.0 (before 8.0.0) are not affected by this vulnerability
• Temporary Workarounds: For those unable to update immediately, it is advised to restrict access to the Traffic Ops for users with affected roles (admin, federation, operations, portal, steering) 

 There is an escalating cyber threat targeting macOS devices that impacts 100 million users worldwide. The malicious actor in question? Banshee Stealer.  

This credential-stealing malware is wreaking havoc, with capabilities to exfiltrate browser credentials, sensitive files, and even cryptocurrency wallets. Banshee is spread through phishing attacks and fake GitHub repositories, masquerading as legitimate software downloads. Its latest evolution includes hijacked encryption algorithms from macOS's XProtect antivirus, making detection more challenging than ever.  

Adding to the urgency, Microsoft researchers have recently identified a macOS vulnerability (CVE-2024-44243) that allows attackers to bypass System Integrity Protection (SIP). This critical defense typically blocks unauthorized system changes. Left unchecked, attackers can exploit this flaw to install rootkits and infiltrate the OS kernel.  

Key Facts at a Glance:  

• Target: Credentials, sensitive files, and crypto wallets on macOS devices.  
• Affected Population: 100 million macOS users globally.  
• Critical Vulnerability: SIP bypass, resolved in macOS Sequoia 15.2 (December update).  
   

What You Need to Do Now  

• Have Us Analyze Mac Devices: Prioritize removing stored browser credentials and purging unencrypted files of Personally Identifiable Information (PII) to enhance security and reduce vulnerabilities.  
• Educate Your End Users: Enroll your users in Self-Defense Training to ensure you're building a strong foundation of evidence every step of the way.  
• Update Immediately: Ensure all devices are running macOS Sequoia 15.2 or higher.  

There are two critical vulnerabilities found on Windows servers, including Domain Controllers (DCs). These vulnerabilities could allow a remote hacker to crash and/or execute arbitrary code on any unpatched servers without any user interaction, and, therefore, potentially steal sensitive information and take complete control of a network. 

These vulnerabilities stem from an integer overflow in LDAP-related code and are exploitable if the DNS server of the victim DC is connected to the Internet. A hacker could send specially crafted RPC calls to trigger malicious LDAP queries which could crash the server or allow for remote code execution.  

These vulnerabilities are very dangerous since exploitation requires no user interaction and could enable hackers to take complete control over an entire domain. This makes any unpatched Windows server a prime target for ransomware groups and threat actors. On top of that, a proof of concept (PoC) has been released by SafeBreach that illustrates both vulnerabilities.  

QUICK POINTS 

• Vulnerability IDs:
  • CVE-2024-49112 (CVSS score: 9.8) - Remote Code Execution
  • CVE-2024-49113 (CVSS score: 7.5) - Denial of Service
• Severity: Critical
• Affected Devices: Any Windows Server and Domain Controller running prior to Microsoft’s December 2024 Patch 

IMMEDIATE ACTION 

• Patch Immediately: Apply the Microsoft December 2024 Patch update from Microsoft to any Windows Server in your environment
• Temporary Workarounds: Configure domain controllers to block inbound Remote Procedure Calls (RPC) from untrusted networks
• Monitor for Suspicious Activity: Monitor DNS SRV queries, CLDAP referral responses, and DsrGetDcNameEx2 calls 

There are two critical vulnerabilities with Veeam’s Service Provider Console. These two exploits allow attackers to take over the VSPC server, giving hackers possible access to your network and possibly your data backups.  

The first flaw, CVE-2024-42448, carries a 9.9 severity score out of 10 and allows attackers to execute code remotely (RCE) on unpatched servers. This flaw combines with CVE-2024-42449, an exploit allowing NTLM hash stealing, which then provides access to servers where the Veeam management agent is authorized.

Veeam has released patches for these vulnerabilities and is advising an immediate update for organizations. While this flaw is not yet being seen actively exploited in the wild, due to Veeam being a recent target of Akira and Fog ransomware attacks, it makes this patching even more crucial and timely.

QUICK POINTS  

• Vulnerability IDs:
  • CVE-2024-42448 (CVSS score 9.9)
  • CVE-2024-42449 (CVSS score 7.1)
• Severity: Critical
• Affected Devices: Please see the “Immediate Action” section for list of specific devices  

IMMEDIATE ACTION  

• Patch Affected Devices: As VSPC versions 8.1.0.21377 and earlier are impacted (including unsupported versions) please update to version 8.1.0.21999 to address these vulnerabilities. 

 There are several critical vulnerabilities affecting QNAP Network Attached Storage (NAS) and router software. These dangerous flaws could allow remote attackers to gain unauthorized access, execute commands and take over your critical systems.  

Two of these critical vulnerabilities affect the NAS systems from QNAP and involve a lack of proper authentication mechanisms. This would allow attackers, who obviously lack proper credentials, to gain unauthorized access and execute system functions. The other vulnerability in the NAS systems is a server-side request forgery (SSRF) vulnerability that allows remote attackers to send crafted requests to the server-side, leading to exposure of sensitive data.  

The third critical vulnerability affects QNAP router system, QuRouter. This vulnerability is a command injection flaw that allows remote attackers to execute commands on the host system.  

QNAP has released patches to address these exploits, as well as a multitude of others in various other products. Due to the critical nature of these vulnerabilities and the major impact they could have, it is advised to apply these updates immediately.

QUICK POINTS  

• Vulnerability IDs
  • CVE-2024-38643 (CVSS score: 9.3) - NAS authentication vulnerability
  • CVE-2024-38645  (CVSS score: 9.4) - NAS server-side request forgery (SSRF) vulnerability
  • CVE-2024-48860 (CVSS score: 9.5) - QuRouter OS command injection
• Severity: Critical
• Affected Products:  QNAP Notes Station 3 and QuRouter 2.4.x products 

IMMEDIATE ACTION 

• Patch Systems Immediately
  • QNAP Notes Station 3 – update to version 3.9.7 and later
  • QuRouter 2.4.x - update to version 2.4.3.106 and later
  • Please note that QNAP has released updates for other products as well that address other vulnerabilities, those should be updated as well  .

Reporting on two actively exploited zero-day vulnerabilities affecting Apple devices. These vulnerabilities pose significant risks and have been confirmed by Apple as being used in targeted campaigns, particularly on Intel-based Macs and devices running macOS, iOS, and other Apple platforms. These exploits allow attackers to take control of devices, steal sensitive data, or even set up dangerous ransomware.

The first vulnerability is an arbitrary code execution flaw in the JavaScriptCore engine. By exploiting this, attackers can execute malicious code through specially crafted web content, compromising device integrity and potentially giving unauthorized access to sensitive systems. The second vulnerability lies in WebKit's cookie management and enables cross-site scripting (XSS) attacks, allowing attackers to steal session tokens or manipulate web applications.

Apple has released patches to address these vulnerabilities, which are available for IOS, iPadOS, macOS, visionOS, and Safari. These updates are critical, and Apple is advising they be applied as soon as possible. 

QUICK POINTS 

• Vulnerability IDs:
  • CVE-2024-44308: JavaScriptCore flaw enabling remote code execution.
  • CVE-2024-44309: WebKit flaw enabling cross-site scripting (XSS).
• Severity: Critical.
• Affected Products:
  • iOS, iPadOS, macOS, Safari, and visionOS across multiple versions. 

IMMEDIATE ACTION 

• Patch Systems Immediately:
  • Apply Apple’s latest updates for iOS, macOS, Safari, and visionOS. 
• Strengthen Monitoring:
  • Monitor for unusual web activity, unauthorized access attempts, or signs of exploitation. 

There are multiple critical vulnerabilities recently disclosed in Ivanti products including:

• Connect Secure
• Policy Secure
• Endpoint Manager.

The first set of vulnerabilities that you want to address are remote code execution (RCE) flaws. These specific vulnerabilities allow unauthenticated attackers to execute arbitrary code remotely, which could lead to sensitive data theft and even deployment of ransomware.  

Other vulnerabilities that Ivanti has addressed include privilege escalation flaws, DoS conditions, arbitrary folder creation, and path traversal flaws. Due to the volume of vulnerabilities being disclosed, we expect many to be used for attacks in the future, which adds to the urgency of patching your Ivanti software as soon as possible to mitigate your risk of being exposed.  

QUICK POINTS 

• Vulnerability IDs: RCE vulnerabilities
  • CVE-2024-50330 (CVSS score: 9.8)
  • CVE-2024-38655/38656 (CVSS score: 9.1)
  • CVE-2024-39710, CVE-2024-39711, CVE-2024-39712 (CVSS score: 9.1)
  • CVE-2024-11005, CVE-2024-11006, CVE-2024-11007 (CVSS score: 9.1)
• Severity: Critical 
• Affected Products: 
  • Connect Secure, Policy Secure, Avalanche, and Endpoint Manager
  • Please see the “Immediate Action” section for specific updates for each 

IMMEDIATE ACTION

• Patch All Systems: Apply necessary patches and updates to software to mitigate risk of exposure. 
  • Connect Secure
    • Update to version 22.7R2.3 or above
  • Policy Secure
    • Update to version 22.7R1.2 or above
  • Avalanche
    • Update to version 6.4.6 or above
  • Endpoint Manager
    • Update to the release of the 2024 November Security Update and 2022 SU6 November Security Update (instructions for update can be found on Ivanti’s advisory page) 

Over 60,000 D-Link NAS devices are vulnerable to a critical command injection flaw (CVE-2024-10914) with a severity score of 9.2, affecting models commonly used by small businesses. The vulnerability is located in the cgi_user_add command, where insufficient sanitization of the name parameter allows unauthenticated attackers to inject shell commands via crafted HTTP GET requests.

Impacted Models:

• DNS-320 (v1.00)
• DNS-320LW (v1.01.0914.2012)
• DNS-325 (v1.01, v1.02)
• DNS-340L (v1.08)

Vendor Advisory:

D-Link has confirmed no future fix for these devices and recommends retiring them. If immediate retirement is not feasible, users should at least isolate affected devices from the public internet or impose stricter access controls.

Additional Note:

A similar command injection vulnerability (CVE-2024-3273) was discovered in April, impacting the same models. D-Link has reiterated that these NAS devices are end-of-life and will not receive further security updates.

There are critical vulnerabilities within Hewlett Packard Enterprise’s (HPE) Aruba Networking Access Points. These vulnerabilities could allow remote, unauthenticated attackers to gain high-privilege access to your network and execute malicious code on your systems.

Stemming from an issue within the command line interface (CLI) service within these products, which is typically accessed via the PAPI protocol, the vulnerabilities allow a remote attacker to perform an unauthenticated command injection by sending specially crafted packets to Aruba’s Access Point Management protocol over UDP port 8211.   

Please address these vulnerabilities immediately because exploitation of one access point could allow for lateral movement to other areas of the network.   

QUICK POINTS 

• Vulnerability IDs:
  • CVE-2024-42509 (CVSS score: 9.8)
  • CVE-2024-47460 (CVSS score: 9.0)
• Severity: Critical
• Affected Devices: Please see the “Immediate Action” section for list of specific devices 

IMMEDIATE ACTION 

• Patch Affected Devices: Update devices to the following software versions or newer to mitigate the risks associated with these vulnerabilities. 
  • AOS-10.7.x.x: Update to version 10.7.0.0 or later
  • AOS-10.4.x.x: Update to version 10.4.1.5 or later
  • Instant AOS-8.12.x.x: Update to version 8.12.0.3 or above
  • Instant AOS-8.10.x.x: Update to version 8.10.0.14 or above
• Implement Temporary Workarounds: Workarounds for these flaws in cases where software updates cannot be immediately installed are listed below.
  • Restrict/block access to UDP 8211 from all untrusted networks
  • Restrict access to the CLI and web-based management interfaces by placing them on a dedicated layer 2 segment or VLAN; also control access with firewall policies at layer 3 or above 

There is a critical vulnerability in the WordPress plugin “Really Simple Security”. This flaw enables attackers to escalate their privileges to administrator level, allowing them to take over affected websites entirely.

This vulnerability is the result of a flaw within the two-factor authentication function in the “Really Simple Security” plugin in both the free and Pro versions. It is caused by improper handling of user authentication in the REST API actions. This flaw is especially dangerous as it can be exploited even when two-factor authentication is enabled. This then allows a remote attacker to gain access to any account on the site, including administrators.  

Researchers have warned that this vulnerability can be scripted, which allows attackers to automate their attacks on a larger scale. Paired with the widespread use of this plugin across over 4 million WordPress sites, this vulnerability presents a significant risk to websites managed by you or your clients. Immediate updating is necessary to prevent exploitation.

QUICK POINTS: 

• Vulnerability ID: CVE-2024-10924 (CVSS score: 9.8)
• Severity: Critical
• Affected Systems: WordPress plugin “Really Simple Security”, please see “Immediate Action” section to see specific versions and updates 
  
  

IMMEDIATE ACTION:

• Update affected plugins immediately: Check all WordPress sites for the vulnerable plugin and apply the latest patches released.
  • For both free and Pro/Pro Multisite versions – update to version 9.1.2 or above 

There is a recently discovered, severe vulnerability that is affecting a group of Cisco Ultra-Reliable Backhaul (URWB) access points and clients. This exploit allows attackers to execute commands with admin privileges which could lead to full network compromise, data theft, and even ransomware.  

This vulnerability is due to a lack of input validation in the web-based management interface of the affected devices. Unauthenticated attackers could exploit this vulnerability by performing a command injection that does not require any user interaction. This involves sending malicious HTTP requests to the interface. Such an attack vector puts an entire network and its data at serious risk. 

At this time, Cisco’s Incident Response Team is not aware of any attacks that have successfully exploited this vulnerability. However, we highly recommend taking the immediate action steps that are listed below so you can be proactive in safeguarding you and your clients’ organizations.

QUICK POINTS  

• Vulnerability ID: CVE-2024-20418 (CVSS score: 10.0)
• Severity: Critical
• Affected Devices:
  • Catalyst IW9165D Heavy Duty Access Points
  • Catalyst IW9165E Rugged Access Points and Wireless Clients
  • Catalyst IW9167E Heavy Duty Access Points
  • Note: The above devices are only vulnerable if they have the URWB operating mode enabled (please see “Immediate Action” section for steps to determine the mode running) 

IMMEDIATE ACTION  

• Audit Devices: To determine if the URWB operating mode is enabled, check to see if the “show mpls-config" CLI command is available. If command is not available, URWB operating mode is disabled.
• Patch Affected Devices: Upgrade the affected access points and clients to version 17.15.1 or later  
• Note: No workarounds or secondary mitigations are officially endorsed by Cisco at this time. It is crucial that devices are updated to patch this vulnerability. 

A critical vulnerability was recently identified in Synology NAS devices. This vulnerability was discovered at Pwn2Own Ireland 2024 and allows zero-click exploitation, meaning attackers can gain remote code execution (RCE) as root without any user interaction.  

Attackers can exploit this zero-click flaw to gain complete control over affected devices, manipulate or steal data, and use these devices as launch points to access other parts of the network. This vulnerability has a very high potential of being abused by attackers since there is no need for user interaction for exploitation, stressing the urgency of immediate updates to these devices.

There has yet to be a proof-of-concept (PoC) released for this vulnerability, but due to this being demonstrated at the Pwn2Own event, we expect one to be released soon. Once released, this again adds to the high potential of this being exploited in the wild by attackers.  

QUICK POINTS 

• Vulnerability: CVE-2024-10443 (no CVSS score has been assigned to this vulnerability at the time of this email)
• Severity: Critical
• Affected Systems: Please see “Immediate Action” section for specifics
  
  

IMMEDIATE ACTION 

• Patch Updates: Ensure immediate application of Synology’s patches for affected software. Please note that these updates are not automatically applied:
  • BeePhotos for BeeStation
    • OS 1.1 - upgrade to 1.1.0-10053 or above
    • OS 1.2 - upgrade to 1.0.2-10026 or above
  • DSM 7.2
    • Synology Photos 1.7 - upgrade to 1.7.0-0795 or above
    • Synology Photos 1.6 - upgrade to 1.6.2-0720 or above 

There are two recently uncovered security vulnerabilities found in Google Chrome. Left unchecked, these vulnerabilities could lead to data breaches, account theft, and even system compromise.  

The first vulnerability, tracked as CVE-2024-10487, has been identified as an out-of-bounds write issue in the Dawn implementation within Chrome, which is a cross-platform implementation of the WebGPU standard. This vulnerability can lead to attackers being able to execute arbitrary code on machines. The second vulnerability, tracked as CVE-2024-10488, involves a high critical use-after-free bug which could lead to privilege escalation and remote code execution.  

 Although it is still unclear as to whether the recent Chrome vulnerabilities have been exploited in the wild or not, it is best to update chrome immediately. 

QUICK POINTS  

• Vulnerability IDs:
  • CVE-2024-10487 (CVSS score: 8.8) - Out of Bounds Access
  • CVE-2024-10488 (CVSS score: 8.8) - Use After Free Vulnerability
• Severity: High
• Affected Versions: Google Chrome versions in Windows, macOS, and Linux (see version numbers below) 

IMMEDIATE ACTION  

• Patch Affected Devices: Update Chrome immediately to versions:
  • Windows and macOS: 130.0.6723.91/.92
  • Linux: 130.0.6723.91 

There is a critical zero-day vulnerability recently identified in QNAP NAS devices, specifically within the Hybrid Backup Sync (HBS 3) application. Threat actors can abuse this exploit to gain access to sensitive data and take control of data backups, putting your company in danger of ransomware attacks. 

The vulnerability enables attackers to execute arbitrary commands remotely, potentially leading to unauthorized access and control over sensitive data stored on NAS devices. The exploit leverages a command injection with only a single directive to gain administrative level access.  

This flaw was demonstrated at the Pwn2Own Ireland 2024 event but has not been disclosed publicly. QNAP has issued a patch to their HBS 3 devices to address the flaw. Due to the simplicity of the exploit, as well as the potential danger of the attack, we are advising administrators to update any affected environments immediately.

QUICK POINTS 

• Vulnerability ID: CVE-2024-50388 (CVSS score: 9.8)
• Severity: Critical
• Affected Devices: QNAP NAS devices running HBS 3 Hybrid Backup Sync version 25.1.x 

IMMEDIATE ACTION 

• Update HBS 3: QNAP has released a patch (HBS 3 version 25.1.1.673) to address this vulnerability. We recommend updating all affected devices immediately.
• Enhanced Monitoring: Implement monitoring for unusual command executions or unauthorized access attempts on all QNAP NAS devices. 

There is a newly discovered critical vulnerability in Fortinet’s FortiManager, which is currently being exploited in active zero-day attacks. This flaw allows attackers to gain unauthorized access to vulnerable on-prem and cloud-based Fortinet systems, putting your clients' networks at serious risk of compromise. 

This vulnerability, CVE-2024-47575, allows attackers to exploit Fortinet devices remotely via an authentication bypass in the FortiManager FGFM API. Once this API is bypassed, attackers can view firewall config files, steal passwords, and alter device configurations and eventually take full control of the device. They can then gain further access to all other networks also managed by an organization’s FortiManager.  

This vulnerability poses an extremely high risk for organizations using FortiManager to manage their FortiGate deployments. This flaw is extremely easy to exploit and is already being utilized in the wild, allowing for threat actors to traverse to networks “downstream” that are managed by the device. We are recommending teams address this immediately to protect their networks and their clients’ networks.  

QUICK POINTS: 

• Vulnerability ID: CVE-2024-47575 (CVSS score: 9.8) 
• Severity: Critical 
• Affected Devices: Please see “Immediate Action Section” for update versions for all product versions

IMMEDIATE ACTION: 

• Apply the latest patches: Ensure that all FortiManager devices are updated immediately with their latest versions listed below: 
  • FortiManager 6.2 ---> upgrade to 6.2.13 or above
  • FortiManager 6.4 ---> upgrade to 6.4.15 or above
  • FortiManager 7.0 ---> upgrade to 7.0.13 or above
  • FortiManager 7.2 ---> upgrade to 7.2.8 or above
  • FortiManager 7.4 ---> upgrade to 7.4.5 or above 
  • FortiManager 7.6 ---> upgrade to 7.6.1 or above
  • FortiManager Cloud 6.4 ---> migrate to Fixed Release
  • FortiManager Cloud 7.0 ---> upgrade to 7.0.13 or above
  • FortiManager Cloud 7.2 ---> upgrade to 7.2.8 or above
  • FortiManager Cloud 7.4 ---> upgrade to 7.4.5 or above
  • FortiManager Cloud 7.6 ---> not affected
• Use temporary workarounds: If you are unable to install the latest updates, Fortinet has advised using these workarounds in which you can get a guide on how to implement them on their advisory page:
  • Utilize the set fgfm-deny-unknown enable command to prevent devices with unknown serial numbers from registering to the FortiManager
  • When creating the SSL tunnel and authenticating FortiGate devices with FortiManager, create a custom certificate 
  • Create an allowlist of IP addresses for FortiGate devices that are allowed to connect to FortiManager
• Check for Indicators of Compromise (IOC): Even if the FortiManager is NOT connected to the internet, check for these specific IOCs found on Fortinet’s advisory page
  • If IOCs are found on devices, start the Incident Response Plan and Procedures 

There is a recently uncovered set of Palo Alto Networks vulnerabilities affecting PAN-OS Firewall Expedition. The exploits are currently being chained together to allow hackers to hijack networks and steal private data.  

This dangerous attack chain, with the most critical of the vulnerabilities being CVE-2024-9463, allows an attacker to read Expedition database contents via an unauthenticated command injection.  This is leveraged with CVE-2024-9466, gives the threat actor the ability to see usernames, passwords, and even API keys in clear text.

Palo Alto Networks is reporting that proof of concepts exists for this attack making it even more dangerous and likely to be utilized to take control of networks. Palo Alto has released a patch to address this issue, and we are advising organizations to update immediately.

QUICK POINTS 

• Vulnerability IDs:
  • CVE-2024-9463 (CVSS score: 9.9) - Command Injection
  • CVE-2024-9464 (CVSS score: 9.3) - Command Injection
  • CVE-2024-9465 (CVSS score: 9.2) - SQL Injection
  • CVE-2024-9466 (CVSS score: 8.2) - Cleartext Storage
  • CVE-2024-9467 (CVSS score: 7.0) - XSS Vulnerability
• Severity: Critical
• Affected Devices: Palo Alto PAN-OS Firewalls 

IMMEDIATE ACTION 

• Patch affected devices: Upgrade Palo Alto Networks Expedition to version 1.2.96 or later 
• Implement workarounds: Mitigations in case you cannot upgrade right away:
  • Restrict access to expedition to only authorized users
  • Shut down Expedition until upgraded 

There is a newly released and dangerous exploit targeting a vulnerability in Windows servers and systems. This exploit, known as the “WinReg” NTLM relay attack, allows attackers to bypass normal authentication and take full control of a Windows domain and its critical data.

This vulnerability stems from a fallback mechanism in the Windows Registry (WinReg) implementation. Specifically, how Microsoft’s Remote Registry client handles the RPC (Remote Procedure Call) authentication when fallback mechanisms are put into action which makes SMB transport unavailable. When this happens, an attacker could relay the NTLM authentication to Active Directory Certificate Services (ADCS) and obtain a user certificate and from there, gain authentication and takeover the domain.  

Akamai researchers originally reported this issue in April and June of this year, but Microsoft disregarded this as a “documentation issue”.  During a recent security conference, these researchers released a proof-of-concept (PoC) leading to Microsoft releasing a patch as part of October’s patch Tuesday to address the exploit.  Due to this PoC and the ease of attack, we are recommending teams update immediately.

QUICK POINTS: 

• Vulnerability ID: CVE-2024-43532 (CVSS score: 8.8)
• Severity: Critical
• Affected Devices: All Windows server versions 2008 through 2022, also Windows 10 and Windows 11 

IMMEDIATE ACTION: 

• Immediately update all Windows systems: Microsoft has addressed this issue in their October Patch Tuesday update, so ensure all systems are updated with this monthly rollout
• Monitor systems for suspicious activity: It is recommended to use Event Tracing for Windows (ETW) to monitor for RPC calls, including ones related to the WinReg RPC interface 

There have been critical vulnerabilities recently discovered in the Optigo Networks ONS-S8 Switches, and widely deployed in industrial control systems and critical infrastructure.  This dangerous exploit gives attackers a direct path into the network, putting your sensitive data at risk of theft.

These vulnerabilities allow remote attackers to bypass authentication and execute code on the affected devices. Given the low complexity of these exploits, the risks are severe and could result in unauthorized access and complete device control.

While we have not seen these flaws being actively exploited, CISA is recommending configuration changes such as setting up VLAN and allow-listing specific devices for organizations to protect themselves.  Due to the severity of this vulnerability and how easy it is to perform, we recommend administrators take immediate action.

Key Points: 

• CVE-2024-41925 Remote Code Execution (CVSS score: 9.8)
• CVE-2024-45367 Authentication Bypass (CVSS score: 9.1)
• Severity: Critical
• Affected Devices: ONS-S8 Spectra Aggregation Switch with firmware versions 1.3.7 and earlier
• Patch Status: No patches currently available 

Immediate Actions: 

• Isolate ONS-S8 management traffic in a dedicated VLAN
• Implement router firewalls with device allow-listing for OneView
• Use a dedicated NIC for OT management and ensure connections are secured via VPN 

 Critical security vulnerabilities were recently discovered in HPE Aruba Networking’s access points. These flaws allow unauthenticated, remote attackers to gain total control of network devices which could lead to sensitive data loss or even ransomware. 

These vulnerabilities exist in HPE’s Command Line Interface service of its Aruba Access Points. Each vulnerability involves a remote attacker sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port 8211. This gives the attacker unauthenticated access and allows them to execute arbitrary code and take full control of vulnerable devices. 

HPE has provided necessary patches, as well as temporary workarounds for the affected devices that you can reference below. Due to the popularity of HPE products, we expect these vulnerabilities to be leveraged by attackers soon, making these updates a main priority for affected systems. 

QUICK POINTS:

• Vulnerability IDs:
  • CVE-2024-42505 (CVSS score: 9.8)
  • CVE-2024-42506 (CVSS score: 9.8)
  • CVE-2024-42507 (CVSS score: 9.8)
• Severity: Critical 
• Affected Devices: 
  • Instant AOS-8.12.0.1 and below
  • Instant AOS-8.10.0.13 and below
  • AOS-10.6.0.2 and below
  • AOS-10.4.1.3 and below 

IMMEDIATE ACTION: 

• Patch affected devices: Ensure that all HPE Aruba access points are updated with the latest security patches immediately.
  • HPE have made the latest security updates available here: HPE Networking Support Portal
• Implement workarounds: Administrators are also urged to implement these workarounds for more protection.
  • Instant AOS-8.x devices: enable “cluster-security” to block exploitation
  • AOS-10.x devices: block access to port UDP/8211 from all untrusted networks 

There are three zero-day vulnerabilities identified in Ivanti's Connect Secure Appliance (CSA) that are being used in a dangerous attack chain. Hackers are actively abusing these exploits in combination to take over networks and steal data.

Ivanti has advised of multiple CVEs, with the most dangerous being CVE-2024-8963, a path traversal bug with a severity score of 9.1.  Threat actors are combining these CVEs to abuse a path traversal weakness, only to follow this up with the ability to inject commands and then execute remote code.  This attack chain gives the attacker full access to the network with administrator level privileges.

Ivanti has acknowledged these zero-days and is offering updates to their Connect Secure Appliance to resolve this issue. The active abuse of these vulnerabilities emphasizes the importance for organizations to apply these patches immediately as we expect to see this attack chain to be abused for data theft or even ransomware.

QUICK POINTS: 

• Vulnerability IDs:  
  • CVE-2024-9379 (CVSS score: 6.5) - SQL Injection
  • CVE-2024-9380 (CVSS score: 7.2) - Remote Code Execution
  • CVE-2024-9381 (CVSS score: 7.2) - Path Traversal
  • CVE-2024-8963 (CVSS score: 9.1) - Path Traversal
• Severity: Critical
• Affected Product: Ivanti Connect Secure Appliance (CSA) 5.0.1 and earlier 
• Follow this link for Ivanti's security report for CVE-2024-9379/9380/9381
• Follow this link for Ivanti's security report for CVE-2024-8963

IMMEDIATE ACTION: 

• Update devices accordingly: Ensure any devices that run the Connect Secure Appliance software are up to date with the latest version
• Upgrade End-of-Life (EOL) devices: With the main devices being exploited being EOL, CSA 4.6 patch 518, admins are strongly advised to upgrade to the latest version, 5.0.2
• Review and monitor: Review appliances and devices for any indicators of compromise, specifically for any modified or newly added admin users 

There have been dangerous critical security flaws discovered in D-Link WiFi 6 routers. These five vulnerabilities include a hardcoded password flaw that could give hackers direct access to a network, leaving it vulnerable to data loss or even ransomware. 

D-Link has released news of five major exploits that are all considered critical.  Two of the more dangerous of these flaws are the remote code execution flaw, CVE-2024-45694, which allows attackers to execute code to take over the device remotely, and the hardcoded password issue, CVE-2024-45697, which provides unauthorized access by threat actors directly into the device. 

D-Link has provided patches to all impacted equipment and is recommending organizations patch immediately.  Due to the popularity of D-Link devices as well as the ease of execution of these threats, we expect to see this leveraged by hackers soon, making updating imperative.  

QUICK POINTS 

• Vulnerability IDs:  
  • RCE flaws
    • CVE-2024-45694 (CVSS score: 9.8)
    • CVE-2024-45695 (CVSS score: 9.8) 
  • Hardcoded Password issues 
    • CVE-2024-45696 (CVSS score: 8.8)
    • CVE-2024-45697 (CVSS score: 9.8)
    • CVE-2024-45698 (CVSS score: 8.8)
• Severity: Critical 
• Affected Devices: 
  • COVR-X1870 (non-US) firmware versions v1.02 and below
  • DIR-X4860 (worldwide) on v1.04B04_Hot-Fix and older
  • DIR-X5460 (worldwide) running firmware v1.11B01_Hot-Fix or older 

IMMEDIATE ACTION 

• Patch all affected D-Link WiFi 6 routers to the following recommended versions: 
  • v1.03B01 for COVR-X1870
  • v1.04B05 for DIR-X4860
  • DIR-X5460A1_V1.11B04 for DIR-X5460
• Audit and review network for potential exposure to this vulnerability

We are alerting you to two critical vulnerabilities found in SolarWinds' Access Rights Manager (ARM) software, a software used for Active Directory and Azure AD user provisioning. These vulnerabilities, when combined, could form an attack chain that would allow an attacker to go from no network access to gaining total control of a network. 

The first vulnerability used in this attack chain, CVE-2024-28990, is a hard-coded credential bypass issue. If exploited, this gives an attacker unauthorized access to SolarWinds devices. The second vulnerability in the chain, CVE-2024-28991, is a result of user-supplied data not being properly validated. Combined with the first vulnerability, an attacker can remotely execute malicious code, which could lead to data breaches and even ransomware attacks.  

Attack chains are dangerous because they demonstrate how a combination of smaller vulnerabilities can be exploited in sequence, leading to more critical breaches and attacks.  SolarWinds has released a patch to their Access Rights Manager to address issues and has advised users to update immediately. 

QUICK POINTS 

• Vulnerability IDs
  • CVE-2024-28990 (CVSS score: 9.8)
  • CVE-2024-28991 (CVSS score: 8.8)
• Severity: Critical
• Affected Devices: SolarWinds Access Rights Manager (ARM) 2024.3 and all previous versions 

IMMEDIATE ACTION 

• Ensure all instances of SolarWinds Access Rights Manager are updated to the latest version
  • Update to SolarWinds ARM 2024.3.1
• Review system access logs for any signs of suspicious activity 

 There is a critical vulnerability in Veeam Backup & Replication that is being actively used to take over networks and deliver dangerous malware.  Due to the severity of the attack and the importance of data backups, it is even more urgent for teams to update their Veeam Backup & Replication to the newest version immediately.

The exploit in Veeam Backup & Replication is a remote code execution (RCE) that bypasses authentication and gives attackers full access. Once authentication has been bypassed, hackers gain full access to all versions of the existing data backups, setting up ransomware scenarios. Organizations are already reporting incidents involving Akira and Fog ransomware being utilized to steal sensitive data and extort its owners.

While this CVE was first recognized by Veaam in late September, we are now seeing threat actors using the known proof of concept to attack organizations via ransomware at an escalated rate.

QUICK POINTS 

• Vulnerability ID: CVE-2024-40711(CVSS Score: 9.8)
• Severity: Critical
• Affected Versions: Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds 

IMMEDIATE ACTION 

• Patch any Veeam Backup & Replication to version 12.2.0.334
• Check for any suspicious access or abnormal behavior in Veeam environments
• No other workarounds suggested, and immediate updates are necessary 
• See Veeam Security Bulletin for further details.

There is a recent critical vulnerability found in Progress Software’s products. This vulnerability could allow remote, unauthenticated attackers to access your network and your company’s sensitive information.  

This vulnerability affects multiple Progress devices including its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor, both of which are used as load balancing solutions. This issue stems from improper input validation which may allow attackers to access the LoadMaster’s management interface and from there, execute arbitrary system commands on victims’ machines. 

Progress Software has released an add-on patch to address the issue for most affected versions. The only caveat is this add-on patch will not work on free versions of Load Master, so this vulnerability currently remains an issue on those machines. 

QUICK POINTS: 

• Vulnerability ID: CVE-2024-7591 (CVSS score: 10.0)
• Severity: Critical
• Affected Versions: LoadMaster versions 7.2.60.0 and all previous versions; MT Hypervisor versions 7.1.35.11 and all previous versions; branches such as Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) are all impacted 

IMMEDIATE ACTION: 

• Apply the add-on patch available from Progress Software’s support portal
• Checkout Progress’ post on basic security hardening techniques you should implement: LoadMaster Security Measures
• Monitor network activity for signs of exploitation using IDS/IPS systems 

Veeam has released security updates addressing 18 high and critical vulnerabilities in their products, including Veeam Backup & Replication (VBR), Service Provider Console, and Veeam One. Among the most severe is CVE-2024-40711, a critical remote code execution (RCE) flaw affecting VBR, with a CVSS score of 9.8. This vulnerability can be exploited without authentication and allows attackers to take over vulnerable systems.

VBR is essential for managing enterprise backup infrastructures, making it a high-value target for ransomware operators. Past attacks by groups such as the Cuba ransomware gang and FIN7—known for collaborating with ransomware groups like Conti, REvil, and Maze—have leveraged VBR vulnerabilities to steal backups for double extortion and delete or encrypt backup sets, leaving victims without recovery options.

The flaw affects Veeam Backup & Replication version 12.1.2.172 and all earlier versions in the 12.x branch. To mitigate this risk, users should update to VBR version 12.2.0.334 immediately.

We strongly urge all Veeam users to apply these critical patches as soon as possible to protect their backup infrastructure from potential exploitation.

For more information, visit the official Veeam security advisory.

There are two highly critical vulnerabilities found in Cisco’s Smart Licensing Utility software that is utilized in a variety of Cisco products. These vulnerabilities could allow unauthenticated, remote attackers to gain complete access to a network leading to possible theft of sensitive data. 

Cisco has disclosed that these vulnerabilities, CVE-2024-20439 and CVE-2024-20440 allow attackers to exploit a default, undocumented administrative account to gain unauthorized access to the system. This could pose a significant security risk to organizations using Cisco's Smart Licensing Utility, as it provides an attacker with the ability to execute arbitrary commands and elevate privileges.  

There is an increased danger with this threat as the Smart Licensing Utility is included as a feature of a large range of Cisco products including Cisco routers, switches, Next-Gen Firewall (NGFW) solutions, wireless controllers and the Cisco DNA Center.  Cisco has released fixes to address these vulnerabilities and is urging teams to update to the newest version of the software immediately.  

QUICK POINTS 

• Vulnerability IDs: CVE-2024-20439 (CVSS score: 9.8) and CVE-2024-20440 (CVSS score: 9.8)
• Severity: Critical
• Affected Devices: Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 and any Cisco product that utilizes this software
• Patch Status: All devices have the necessary patches to fix these vulnerabilities. They are listed below.  

IMMEDIATE ACTION 

• Update affected systems to the latest version as per Cisco’s advisory
  • Cisco Smart License Utility version 2.3.0
• Audit and update any Cisco devices/products as Smart Licensing Utility is used with many other Cisco products
• Review any potential exposure to this vulnerability 

There is a recent exploit affecting widely used Zyxel networking devices. This new attack requires no authentication and gives hackers complete access to a network and its data.  

This vulnerability affects various Zyxel business devices including routers and access points, which are commonly used in organizations. By abusing an input validation fault and sending a specially crafted cookie to the device, this exploit allows attackers the ability to run commands without any authentication.    

Zyxel has released security updates to address this exploit as well as a number of other vulnerabilities and are advising organizations to update immediately.  Due to the severity of the exploit and Zyxel’s widespread use, we expect to see this threat leveraged soon, so immediate updates are vital.

QUICK POINTS: 

• Vulnerability ID: CVE-2024-7261 (CVSS score: 9.8)
• Severity: Critical
• Affected Devices: NWA Series, NWA1123-AC PRO, NWA1123ACv3, WAC500, WAC500H, WAC Series, WAX Series, and WBE Series access point (AP) devices are all impacted
• Patch Status: All devices have the necessary patch to fix this vulnerability. They are listed below. 

IMMEDIATE ACTION: 

• Verify the version of firmware running on all Zyxel devices.
• Apply the latest Zyxel patches immediately:
• NWA Series – upgrade to 7.00 (ABYW.2) or later
• NWA1123-AC PRO – upgrade to 6.28 (ABHD.3) or later
• NWA1123ACv3, WAC500, WAC500H – upgrade to 6.70 (ABVT.5) or later
• WAC Series – upgrade to 6.28 (AAXH.3) or later
• WAX Series – upgrade to 7.00 (ACHF.2) or later
• WBE Series – upgrade to 7.00 (ACLE.2) or later 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability in the SolarWinds Web Help Desk product.   

Threat actors are leveraging the critical RCE (remote code execution) vulnerability in SolarWinds Web Help Desk, tracked as CVE-2024-28986.  This flaw involves Java deserialization, allowing attackers to execute commands on the host machine.  The vulnerability has a CVSS score of 9.8, indicating the significance of patching this vulnerability as soon as possible.  

What this means for you:

Attackers can use this vulnerability to execute arbitrary commands on the affected system, potentially gaining full control over it. With control over the system, attackers can access sensitive data leading to data breaches. But it doesn’t stop there.  Attackers with the system compromised can then expand to the network causing service disruptions.  

If you are using SolarWinds Web Help Desk it is absolutely critical that all installations are updated as described below. 

QUICK POINTS  

• Affected Product: SolarWinds Web Help Desk  
• Severity: Critical (CVSS v3 score 9.8)
• Exploitation: Although SolarWinds denies they have been able to confirm the unauthenticated instances of this exploit, they urge all affected users to patch out of an “abundance of caution”
• Patch Availability: Immediately upgrade your SolarWinds Web Help Desk installations to version 12.8.3, apply the provided hotfix – Web Help Desk 12.8.3 Hotfix 1 – and install it. 
   

IMMEDIATE ACTION  

• Patch Application: Apply the hotfix provided by SolarWinds to mitigate this vulnerability.  
• Monitor for IOCs: Continuously monitor for indicators of compromise related to this vulnerability (unauthorized access, unusual sign-on attempts, privilege account irregularities, unexpected software installations or updates).  
• Network Segmentation: Implement network segmentation to limit the potential impact of exploitation.
• Enhanced Monitoring: Monitor network traffic and system logs for unusual activity. 

 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a vulnerability in Acronis products to its Known Exploited Vulnerabilities (KEV) Catalog. 

This vulnerability affects Acronis Cyber Infrastructure (ACI) a software-defined infrastructure solution designed to provide secure storage, compute, and networking resources. More than 20,000 service providers, many in the MSP space, use ACI, which covers more than 750,000 organizations in 150 countries. 

The vulnerability from late 2023, CVE-2023-45249, which uses the exploitation of default passwords, has recently been observed as a way in for the bad guys. This vulnerability leads to remote code execution and enables attackers to gain access and control over the affected systems. A security patch was made available upon the discovery of the vulnerability nine months ago.  

CISA is requiring government agencies to remediate the flaw by August 19, 2024.  

QUICKPOINTS 

• Older versions of Acronis Cyber Infrastructure (ACI) use default passwords
• Attackers are actively targeting these instances
• Update to the newest version immediately to stay safe 

IMMEDIATE ACTION 

Vulnerable instances of ACI can be identified by looking for their implementations’ build number via the “About” dialog box within the main window’s “Help” section. Instances before builds 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132 are vulnerable to this exploit. 

A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system.

This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device. A successful exploit could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.

Affected device versions: 

• Cisco AsyncOS for Cisco Secure Email Software earlier than 15.5.1-055
• Content Scanner Tools version earlier than 23.3.0.4823

Immediate Action:

• Apply the latest patches and version updates released by Cisco for affected products.
• Review security configurations and ensure monitoring is in place.

A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.

Affected Device Versions: 

• Cisco SSM On-Prem versions earlier than 8-202206

Immediate Action:

• Apply the latest patches and version updates released by Cisco for affected products. 
• Review security configurations and ensure monitoring is in place.

There is a critical new vulnerability known as the "BlastRADIUS" attack which could soon impact networks worldwide.  

In networks where RADIUS secure authentication is used this threat allows hackers to bypass normal authentication methods so they can masquerade as a privileged user.  This gives them total access to your entire network and the data it holds. Many corporate networks and even ISPs utilize RADIUS in their authentication methods, which makes this a very significant issue. 

BlastRADIUS gives the threat actor admin privileges on RADIUS devices without requiring the stealing of credentials or any password cracking.  While a public proof-of-concept (POC) has not yet been released, a private POC has been confirmed by researchers and we expect threat actors to begin to leverage this exploit soon.

Quick Points: 

• Vulnerability ID: CVE-2024-3596 
• Severity: Critical
• Patch Status: See below for best practices and how to avoid this kind of attack. 

Immediate Action:  

Upgrading RADIUS clients alone is not sufficient.  Every server using RADIUS must be upgraded to address this exploit.  Additional action: 

• Network administrators are advised to: 

• Upgrade to RADIUS over TLS (RADSEC) 
• Switch to multihop RADIUS deployments
• Isolate RADIUS traffic using tunneling or VLANs 

• Microsoft has released steps and best practices in KB5040268 on how you can secure your network for this attack as well. 

There is an emerging Exim mail server vulnerability. If you or your clients are running an Exim mail server, an attacker could deliver a ransomware payload right to a user’s mailbox with no filtering! This puts users at risk of receiving malicious attachments. Opening these attachments could lead to severe system disruptions, including complete server compromise. The Exim Vulnerability is exploited by bypassing extension-blocking protections. Attackers manipulate header filenames to evade the extension-based security measures meant to block malicious attachments. 

QUICK POINTS 

• Exim Mail Server Vulnerability is Critical  
• All Exim versions 4.97.1 and earlier are at risk
• Mailboxes with extension-blocking protection mechanisms are the target
• Successful exploitation by an attacker could lead to a full-scale system compromise 

IMMEDIATE ACTION 

To safeguard your infrastructure as well as your clients, please take the action steps outlined below: 

• The #1 thing you can do at this time is to upgrade Exim to version 4.98!
• Remind your employees and clients to always remain vigilant and on guard when clicking attachments or links in emails. Be extra careful when the email is not from a trusted sender!
• If you cannot upgrade Exim to 4.98 immediately, we advise that you restrict Exim server remote access to help prevent exploit attempts. 

There is an emerging Exim mail server vulnerability. If you are running an Exim mail server, an attacker could deliver a ransomware payload right to a user’s mailbox with no filtering! This puts users at risk of receiving malicious attachments. Opening these attachments could lead to severe system disruptions, including complete server compromise. The Exim Vulnerability is exploited by bypassing extension-blocking protections. Attackers manipulate header filenames to evade the extension-based security measures meant to block malicious attachments. 

QUICK POINTS 

• Exim Mail Server Vulnerability is Critical  
• All Exim versions 4.97.1 and earlier are at risk
• Mailboxes with extension-blocking protection mechanisms are the target
• Successful exploitation by an attacker could lead to a full-scale system compromise 

IMMEDIATE ACTION 

To safeguard your infrastructure, please take the action steps outlined below: 

• The #1 thing you can do at this time is to upgrade Exim to version 4.98!
• Remind your employees to always remain vigilant and on guard when clicking attachments or links in emails. Be extra careful when the email is not from a trusted sender!
• If you cannot upgrade Exim to 4.98 immediately, we advise that you restrict Exim server remote access to help prevent exploit attempts. 

There is an OpenSSH regression flaw that can give attackers complete access to your network and data if exploited.  Known as RegreSSHion, this high-severity threat allows hackers to fully compromise systems by exploiting an unauthenticated remote execution weakness where OpenSSH fails to enforce proper input validation.  It’s estimated that up to 75% of networks have some machines with a vulnerable version of OpenSSH. 

RegreSSHion abuses a situation where an attacker exploits the timings of computer processes (called race condition) in OpenSSH to allow for unauthenticated attackers to run dangerous code remotely. This gives threat actors access to your previously secure network.   

SUPPLY CHAIN ALERT: OpenSSH servers aren’t the only software affected.  Many other pieces of software or hardware utilize OpenSSH in the background.  Check and validate your vendors to guard against being impacted by such an attack.  

QUICK POINTS 

• More than 14 million OpenSSH servers are exposed to the internet with a major risk of remote code execution attack that grants full admin control to attackers
• 40+ Cisco Products Are Also Vulnerable to RegreSSHion Vulnerability
• Push Available Patches ASAP & Continually Update OpenSSH and Cisco Products
• The difficulty for attackers to exploit this vulnerability is high. It mainly takes time and many repeat attempts 

IMMEDIATE ACTION 

• Update OpenSSH software immediately by patching today. (versions 4.4/4.4p1 and earlier & 8.5p1 up to but not including 9.8/9.8p1 are at risk if unpatched)
• Review your vendors immediately for OpenSSH usage for Cisco products, please apply the available Cisco Patches and ensure that continuous updates are being utilized as they become available. NAS devices and anything else that relies on remote access services are also a prime target for this attack.
• Restrict SSH-agent forwarding to only trusted hosts and necessary scenarios and restrict direct network/internet access to SSH using network-based controls to restrict access via SSH to only allow trusted client hosts. 

Juniper Networks has released an out-of-cycle patch for an authentication bypass flaw (CVE-2024-2973) in Junos OS. This vulnerability allows unauthenticated remote attackers to bypass authentication controls and gain access to affected systems. Juniper reports that routers or conductors running in high-availability redundant configurations, where service continuity is critical, are the configurations affected.

The Juniper products, Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router are listed as being impacted by this exploit. Security updates were made available for all products and to patch immediately as no other workarounds are available for this vulnerability. Patching should be top priority as we have seen Juniper devices being targeted in cyberattacks in the past.

QUICK POINTS

• Vulnerability ID: CVE-2024-2973 (CVSS score: 10.0)
• Severity: Maximum Criticality
• Affected Versions:

• Session Smart Router & Conductor:

• ALL versions before 5.6.15
• From 6.0 before 6.1.9-lts
• From 5.2 before 6.2.5-sts

• WAN Assurance Router:

• 6.0 versions before 6.1.9-lts
• 6.2 versions before 6.2.5-sts

IMMEDIATE ACTION 

Due to the severity of this vulnerability, it is critical that you notify your customers who utilize Juniper devices and apply the necessary patches: 5.6.15, 6.1.9-lts, or 6.2.5-sts

There are no “workarounds” for this vulnerability, so action is limited to updating devices to the necessary versions.

 A JavaScript supply chain attack has targeted tens of millions of websites via the Polyfill.io service that was recently purchased by Chinese threat actors. This has turned numerous websites into threatening and risky links. 

What this means for you: 

Websites using Polyfill.io might be compromised by malicious code.  This could lead to unauthorized access or other security issues on your website.  Also, legitimate websites that use this script could also be a dangerous click. We’ve seen impacts on websites such as Hulu, Intuit, Nintendo, JSTOR and even the World Economic Forum. 

There's a significant vulnerability allowing attackers to spoof emails from Microsoft employees that can be leveraged for a sophisticated phishing attack.  This bug can deceive recipients into believing they are receiving legitimate communications from Microsoft and affects all Outlook accounts.  

A cybersecurity researcher with the alias Slonser advised he has discovered an exploit allowing him to impersonate any of the 400 million Outlook accounts, including Microsoft employee email addresses.  While technical details have not been provided on how this vulnerability was performed, it has been confirmed by sources to be successful. 

Slonser has reported this exploit multiple times to Microsoft but so far this attack vector has not been patched as Microsoft states they are unable to replicate the issue. Such an attack underscores the importance of your organization taking proper spoofing precautions via DMARC, DKIM, and SPF settings, however until Microsoft addresses this ongoing vulnerability, we advise considering all emails from Microsoft to Outlook accounts as potentially suspicious, since email authentication policies likely will not effectively protect against this emerging threat. 

This vulnerability not only poses a significant risk of phishing attacks but also serves as a sophisticated vector for supply chain attacks. We strongly recommend reviewing and tightening your security protocols, ensuring all supply chain partners are also taking necessary precautions, and staying vigilant against any unusual email activity or Microsoft-related communications. 

Quick Points: 

• Vulnerability: Email spoofing attacks appearing as Microsoft employees 
• Affected Service: Microsoft Outlook Accounts 
• Microsoft has been notified but no fix has been released

Immediate Action: 

• Implement DMARC, DKIM, and SPF configurations to enhance email security.
• Monitor email logs for unusual activities.
• Confirm users are properly trained on best practices around common phishing techniques.

Look for These Report Findings: 

• DMARC Record Does Not Exist
• DKIM Selectors Do Not Exist
• SPF Record Does Not Exist 

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

Cylance, a major supplier of antivirus software, confirmed a data breach on June 11th, 2024. 

The compromised data includes the following 

• 34 million Cylance customer and employee emails 
• Personally identifiable information of customers, employees and partners 
• Marketing data. 

This means you should be on the lookout for more targeted phishing emails in the coming months, especially once that seem to come from trusted vendors. 

The breach at Cylance was linked to a third-party platform known as Snowflake. Attackers got into Snowflake, and from there compromised their customers, which may number as high as 165 major organizations. The compromise at Snowflake has been linked to potential (and confirmed) breaches at Ticketmaster, Santander Bank, Anheuser-Busch, Allstate, Advanced Auto Parts, Neiman Marcus, Progressive and State Farm.  

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Zyxel has issued an emergency patch for a set of critical vulnerabilities affecting end-of-life NAS devices. This is extremely dangerous to those organizations with legacy Zyxel devices because this flaw allows attackers to gain access to your data and your network, the perfect entry for ransomware threats. 

The vulnerabilities identified in Zyxel NAS devices allow attackers to inject and execute code into a target system remotely, as well as escalate account privilege. Once the exploit is performed, threat actors have direct access to data and can move laterally throughout your network. The flaws impact NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older. 

Although these devices are end-of-life, the threat they pose due to their continued use in some environments can be catastrophic.  This flaw is already being leveraged by hacker groups in botnet attacks and the proof-of-concept (POC) of the attack is publicly available making this even more likely to be exploited.   

QUICK POINTS 

• Vulnerability IDs:  CVE-2024-29972, CVE-2024-29973, CVE-2024-29974 (CVSS score: 9.8) 
• Severity: Critical 
• Patch Status: Zyxel has released patches (see below) as well as further remediation steps you can take. 

IMMEDIATE ACTION 

• Identify all Zyxel NAS326 and NAS542 devices within your managed environments. 
• Apply the emergency patch as per Zyxel's instructions. 
• Replace affected devices as soon as possible to an option being actively updated and supported. 
• Continue to scan your environment for end-of-life devices and remove them accordingly. 

A new, critical vulnerability affecting virtually all VPN systems, is identified as the TunnelVision technique. This vulnerability can potentially expose traffic even under VPN protection, which is crucial for MSPs managing secure client data and communications. Using this vulnerability, hackers can easily steal data, set up man-in-the-middle attacks, or even enable expensive ransomware attacks once network access is established. 

The TunnelVision technique exploits CVE-2024-3661, a DHCP design flaw, where messages using static route (option 121) are not authenticated and expose them to being changed or manipulated. This type of leakage has been demonstrated across various systems, highlighting a fundamental flaw in VPN security architecture that could lead to sensitive data exposure.

QUICK POINTS: 

• This vulnerability is not dependent on VPN provider or implementation and most VPN systems based on IP routing are affected. 
• All major operating systems seem to be impacted including Windows, macOS, Android, iOS, and Linux. 
• Threat actors can leverage an attack simply by being on the same network as the victim.  

WHAT THIS MEANS FOR YOU: 
With the how widespread and available this TunnelVision attack vector is, all organizations utilizing VPNs need to have security settings checked around these connections.  
 

IMMEDIATE ACTION: 

1. Review and audit your VPN settings and configurations to ensure robust leak protection measures are in place. Confirm that all VPN software is up to date and patched.
2. Consider VPN solutions that offer advanced leak prevention, particularly for IPv6 and WebRTC.   
3. Keep your network management teams informed and updated on best practices for VPN security. 

There exists a significant security flaw with Microsoft Defender SmartScreen. If you or your clients are using SmartScreen, you could be subject to this attack. The vulnerability, tracked as CVE-2024-21412 with a patch available since February of 2024, is now being actively exploited in an info-stealing campaign. 

Here is how it works:  

1. The process begins by deploying a phishing email containing a malicious link. (Sound familiar?)
2. Clicking the link allows a file that utilizes PowerShell commands to download a script disguised as an overlay icon. 
3. Once the script is executed, it will run silently and download a decoy PDF that will be used to legitimize the process that installs information stealing malware.  

QUICK POINTS  

• Microsoft Defender SmartScreen Vulnerability is HIGH (8.1)
• Windows 10,11 and Server 2019, 2022 versions are at risk 
• Web browsers, cryptocurrency wallets, messaging apps, email clients, VPN services, password managers and more are the target 
• Successful exploitation by an attacker could lead the execution of malware without user intervention  

IMMEDIATE ACTION  

To safeguard your infrastructure as well as your clients, please take the action steps outlined below:  

• Educate users about the dangers of downloading and running files from unverified sources. 
• Ensure all systems are up to date with the latest Windows security patches.
• Utilize advanced endpoint protection solutions to detect and block malicious activities, pay special attention to PowerShell commands. 
• Implement network monitoring to detect unusual activities.