Stay Safe

Cybersecurity Alerts

For your safety, we provide a curated list of crucial cybersecurity alerts to help safeguard your organization.

CVE-2024-7261 Zyxel Networking Devices Vulnerability

Published: September 2nd, 2024

Category: Zyxel

critical

Source

Zyxel Corp.

Description

Updated:

September 3rd, 2024

Zyxel has disclosed a critical vulnerability in widely used Zyxel networking devices. It requires no authentication and, once exploited, gives an attacker command execution on the device and a foothold in the network behind it.

The flaw affects Zyxel business access points and routers commonly deployed in organizations. It is an input validation fault in the device's web interface: by sending a specially crafted cookie, an unauthenticated attacker can run operating system commands on the device.

Zyxel has released firmware updates that address this vulnerability along with a number of other issues and advises organizations to update immediately. Given the severity and how widespread these devices are, we expect this flaw to be exploited soon, so prompt patching is vital.

QUICK POINTS: 

  • Vulnerability ID: CVE-2024-7261 (CVSS score: 9.8)
  • Severity: Critical
  • Affected Devices: NWA Series, NWA1123-AC PRO, NWA1123ACv3, WAC500, WAC500H, WAC Series, WAX Series and WBE Series access points
  • Patch Status: Fixed firmware is available for every affected series; the minimum fixed versions are listed below.

IMMEDIATE ACTION: 

  • Verify the firmware version running on every Zyxel device.
  • Apply the latest Zyxel firmware immediately:
    • NWA Series – upgrade to 7.00 (ABYW.2) or later
    • NWA1123-AC PRO – upgrade to 6.28 (ABHD.3) or later
    • NWA1123ACv3, WAC500, WAC500H – upgrade to 6.70 (ABVT.5) or later
    • WAC Series – upgrade to 6.28 (AAXH.3) or later
    • WAX Series – upgrade to 7.00 (ACHF.2) or later
    • WBE Series – upgrade to 7.00 (ACLE.2) or later

CVE-2024-28986 SolarWinds Web Help Desk Vulnerability

Published: August 13th, 2024

Category: SolarWinds

critical

Source

SolarWinds

Description

Updated:

August 16th, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability in the SolarWinds Web Help Desk product.   

Threat actors are exploiting a critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk, tracked as CVE-2024-28986. The flaw is a Java deserialization weakness that lets an attacker run commands on the host machine. It carries a CVSS score of 9.8, so patching should be treated as urgent.

What this means for you:

An attacker who exploits this vulnerability can run arbitrary commands on the affected system and potentially take full control of it. From there they can read sensitive data, which leads to data breaches, and pivot into the rest of the network, causing service disruptions.

If you are using SolarWinds Web Help Desk it is absolutely critical that all installations are updated as described below. 

QUICK POINTS  

  • Affected Product: SolarWinds Web Help Desk  
  • Severity: Critical (CVSS v3 score 9.8)
  • Exploitation: SolarWinds says it has not been able to reproduce exploitation without authentication, but it urges all affected users to patch out of an “abundance of caution”
  • Patch Availability: Upgrade Web Help Desk to version 12.8.3 and then install Web Help Desk 12.8.3 Hotfix 1, which contains the fix.

IMMEDIATE ACTION  

  • Patch Application: Apply the hotfix provided by SolarWinds to mitigate this vulnerability.  
  • Monitor for IOCs: Continuously monitor for indicators of compromise related to this vulnerability (unauthorized access, unusual sign-on attempts, privilege account irregularities, unexpected software installations or updates).  
  • Network Segmentation: Implement network segmentation to limit the potential impact of exploitation.
  • Enhanced Monitoring: Monitor network traffic and system logs for unusual activity. 

CVE-2023-45249 - Acronis Cyber Infrastructure (ACI) Vulnerability

Published: July 24th, 2024

Category: Acronis

critical

Source

Acronis

Description

Updated:

July 30th, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in Acronis Cyber Infrastructure to its Known Exploited Vulnerabilities (KEV) Catalog.

Acronis Cyber Infrastructure (ACI) is a software-defined infrastructure product that provides storage, compute and networking resources. More than 20,000 service providers, many of them MSPs, use ACI, covering more than 750,000 organizations in 150 countries.

The vulnerability, CVE-2023-45249, dates from late 2023 and stems from default passwords in older ACI releases; attackers have now been observed using those credentials as a way in. Exploitation leads to remote code execution and gives the attacker control over the affected system. Acronis published fixed builds when the flaw was disclosed nine months ago.

CISA requires federal agencies to remediate the flaw by August 19, 2024.

QUICKPOINTS 

  • Older versions of Acronis Cyber Infrastructure (ACI) use default passwords
  • Attackers are actively targeting these instances
  • Update to the newest version immediately to stay safe 

IMMEDIATE ACTION 

Vulnerable ACI instances can be identified by their build number, shown in the “About” dialog under the main window’s “Help” menu. Each release line has its own fixed build: anything earlier than 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53 or 5.4.4-132 on the corresponding line is vulnerable. Update to that build or later, and change any default passwords that are still in place.
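Checking a fleet against these build numbers by eye is error-prone because each ACI release line has its own fixed build, and the Zyxel access point list in the CVE-2024-7261 alert above has the same shape (one fixed firmware per product line, written as release plus patch counter). The following is an added example, written for this page rather than taken from Zyxel, Acronis or the advisories, that parses both version formats and classifies an inventory row as vulnerable, patched or unknown. The inventory rows, hostnames and the "7.00(ACCV.2)" family code are constructed for the demonstration.

```python
import re

# Minimum fixed versions taken from the alerts on this page. Zyxel writes AP
# firmware as "7.00(ABYW.2)": numeric release, then a product-family code and
# patch number in parentheses. ACI writes builds as "5.2.1-69": release, then
# build number, with a separate fixed build for each release line.
ZYXEL_FIXED = {
    "NWA Series": "7.00(ABYW.2)",
    "NWA1123-AC PRO": "6.28(ABHD.3)",
    "NWA1123ACv3": "6.70(ABVT.5)",
    "WAC500": "6.70(ABVT.5)",
    "WAC500H": "6.70(ABVT.5)",
    "WAC Series": "6.28(AAXH.3)",
    "WAX Series": "7.00(ACHF.2)",
    "WBE Series": "7.00(ACLE.2)",
}
ACI_FIXED = ["5.0.1-61", "5.1.1-71", "5.2.1-69", "5.3.1-53", "5.4.4-132"]

ZYXEL_RE = re.compile(r"\s*(\d+)\.(\d+)\s*\(([A-Z]+)\.(\d+)\)\s*")
ACI_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*")


def parse_zyxel(version):
    """'7.00(ABYW.2)' -> ((7, 0), 'ABYW', 2); raises ValueError on anything else."""
    m = ZYXEL_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised Zyxel version: {version!r}")
    return (int(m.group(1)), int(m.group(2))), m.group(3), int(m.group(4))


def parse_aci(build):
    """'5.2.1-69' -> ((5, 2, 1), 69); raises ValueError on anything else."""
    m = ACI_RE.fullmatch(build)
    if not m:
        raise ValueError(f"unrecognised ACI build: {build!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), int(m.group(4))


def zyxel_status(product, version):
    """'vulnerable', 'patched' or 'unknown' for one access point.

    The patch counter restarts with every release, so the comparison is on
    (release, patch). A device whose family code differs from the one in the
    advisory cannot be judged from the string alone and is reported as unknown
    so that it gets a manual check instead of a silent pass.
    """
    release, code, patch = parse_zyxel(version)
    fix_release, fix_code, fix_patch = parse_zyxel(ZYXEL_FIXED[product])
    if code != fix_code:
        return "unknown"
    return "vulnerable" if (release, patch) < (fix_release, fix_patch) else "patched"


def aci_status(build):
    """'vulnerable', 'patched' or 'unknown' for one ACI cluster.

    Only the fixed build on the same major.minor line is relevant: 5.3.1-53
    says nothing about a 5.4 cluster. Lines the advisory does not list
    (for example a later 5.5 release) are reported as unknown.
    """
    release, number = parse_aci(build)
    for fixed in ACI_FIXED:
        fix_release, fix_number = parse_aci(fixed)
        if fix_release[:2] == release[:2]:
            return "vulnerable" if (release, number) < (fix_release, fix_number) else "patched"
    return "unknown"


def audit(inventory):
    """inventory: (hostname, kind, product, version) rows from an RMM/CMDB export;
    kind is 'zyxel' or 'aci'. Returns (hostname, status) pairs in the same order."""
    results = []
    for host, kind, product, version in inventory:
        try:
            status = zyxel_status(product, version) if kind == "zyxel" else aci_status(version)
        except (ValueError, KeyError):
            status = "unknown"  # unparsable string, or a product the advisory does not list
        results.append((host, status))
    return results


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("ap-lobby", "zyxel", "NWA Series", "7.00(ABYW.1)"),
    ("ap-floor2", "zyxel", "WAC500", "6.70(ABVT.5)"),
    ("ap-warehouse", "zyxel", "WAX Series", "7.00(ACCV.2)"),
    ("aci-prod", "aci", "", "5.4.3-100"),
    ("aci-lab", "aci", "", "5.2.1-69"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host:14} {status}")
```

The "unknown" outcome is deliberate: a version string the script cannot place should land on a human's list, not be counted as patched. Feed it the export from whatever tool holds your device inventory and review the unknowns by hand.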

 

CVE-2024-20419 - Cisco Smart Software Manager On-Prem Vulnerability

Published: July 17th, 2024

Category: Cisco

critical

Description

Updated:

July 18th, 2024

A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.

Affected Device Versions: 

  • Cisco SSM On-Prem releases 8-202206 and earlier (fixed in 8-202212)

Immediate Action:

  • Apply the latest patches and version updates released by Cisco for affected products. 
  • Review security configurations and ensure monitoring is in place.

CVE-2024-20401 - Cisco Secure Email Gateway Vulnerability

Published: July 17th, 2024

Category: Cisco

critical

Description

A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system.

This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device. A successful exploit could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.

Affected device versions: 

  • Cisco AsyncOS for Cisco Secure Email Software earlier than 15.5.1-055
  • Content Scanner Tools version earlier than 23.3.0.4823

Immediate Action:

  • Apply the latest patches and version updates released by Cisco for affected products.
  • Review security configurations and ensure monitoring is in place.

CVE-2024-3596 BlastRADIUS

Published: July 9th, 2024

Category: RADIUS

critical

Source

cve.org

Description

Updated:

July 11th, 2024

A critical vulnerability in the RADIUS protocol, known as the "BlastRADIUS" attack, could soon impact networks worldwide.

On networks that use RADIUS for authentication, an attacker positioned between a RADIUS client (a switch, VPN gateway or wireless controller, for example) and the RADIUS server can forge the server's reply and turn a failed login into a successful one, gaining whatever access the device grants to that user. Many corporate networks and even ISPs rely on RADIUS, which makes this a very significant issue.

BlastRADIUS does not require stolen credentials or any password cracking. A public proof-of-concept (POC) has not yet been released, but the researchers have demonstrated a private one, and we expect threat actors to begin leveraging this technique soon.

Quick Points: 

  • Vulnerability ID: CVE-2024-3596 
  • Severity: Critical
  • Patch Status: See below for best practices and how to avoid this kind of attack. 

Immediate Action:  

Upgrading RADIUS clients alone is not sufficient. Every RADIUS server must be updated as well, and the protection only takes effect once both sides run fixed software. Additional actions:

  • Network administrators are advised to: 
    • Upgrade to RADIUS over TLS (RADSEC) 
    • Switch to multihop RADIUS deployments
    • Isolate RADIUS traffic using tunneling or VLANs 
  • Microsoft has released steps and best practices in KB5040268 on how you can secure your network for this attack as well. 
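The page does not describe why a server reply can be forged, and the reason determines what a fix has to look like. In RADIUS (RFC 2865) the client checks a reply with the Response Authenticator, an MD5 hash over the packet and the shared secret; BlastRADIUS uses an MD5 chosen-prefix collision to produce an Access-Accept whose hash still verifies. The Message-Authenticator attribute (RFC 2869), an HMAC-MD5 keyed with the secret, cannot be forged that way, and the vendor fixes consist of sending it on every packet and refusing replies without it. The following is an added example, not code from any RADIUS implementation or from this page, that builds both authenticators for a reply and shows the client-side check with and without the new rule. The shared secret, identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_REPLY_MESSAGE = 18            # RFC 2865
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 2869 section 5.14
HEADER = struct.Struct("!BBH")     # Code, Identifier, Length


def attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    assert len(value) <= 253
    return bytes([attr_type, 2 + len(value)]) + value


def iter_attrs(data):
    """Yield (type, offset, value) for each attribute in a packet body."""
    i = 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        yield attr_type, i, data[i + 2:i + length]
        i += length


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the only integrity check a legacy client performs, and it is the
    value BlastRADIUS forges with an MD5 chosen-prefix collision."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 s5.14: HMAC-MD5 keyed with the shared secret over the packet,
    with the Message-Authenticator value itself set to 16 zero bytes. For a
    reply, the authenticator field holds the Request Authenticator."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    """Server side: assemble a reply, optionally carrying a Message-Authenticator."""
    if with_msg_auth:
        zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
        mac = message_authenticator(code, ident, request_auth, zeroed, secret)
        attrs = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret, require_msg_auth=True):
    """Client side. With require_msg_auth=True (the post-BlastRADIUS rule) the
    reply must carry a valid Message-Authenticator; with False the client
    accepts replies protected only by the forgeable Response Authenticator."""
    if len(packet) < 20:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    auth, attrs = packet[4:20], packet[20:]
    if not hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, attrs, secret)):
        return False
    found = [(off, val) for t, off, val in iter_attrs(attrs) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return not require_msg_auth
    off, val = found[0]
    if len(val) != 16:
        return False
    zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
    expected = message_authenticator(code, ident, request_auth, zeroed, secret)
    return hmac.compare_digest(val, expected)


def demo():
    secret = b"testing123"            # constructed shared secret
    request_auth = bytes(range(16))   # constructed Request Authenticator
    attrs = attr(ATTR_REPLY_MESSAGE, b"Welcome")
    protected = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    # A reply whose only integrity is the MD5 Response Authenticator: this is
    # the kind of packet the attack can counterfeit.
    legacy = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, with_msg_auth=False)
    tampered = bytes([ACCESS_REJECT]) + protected[1:]
    return {
        "protected_strict": verify_response(protected, request_auth, secret),
        "legacy_strict": verify_response(legacy, request_auth, secret),
        "legacy_lenient": verify_response(legacy, request_auth, secret, require_msg_auth=False),
        "tampered_strict": verify_response(tampered, request_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The `legacy_lenient` case is the pre-fix behaviour: a reply with no Message-Authenticator is accepted on the strength of the MD5 hash alone. EAP-based authentication already mandates the attribute (RFC 3579), which is why the attack matters for PAP, CHAP and MS-CHAP over UDP; RADIUS over TLS, as recommended above, removes the on-path attacker's access to the packets altogether.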

CVE-2024-39929: Exim Mail Server Vulnerability

Published: July 4th, 2024

Category: Exim

critical

Source

Mitre

Description

Updated:

July 9th, 2024

There is an emerging Exim mail server vulnerability. Exim through 4.97.1 misparses a multiline RFC 2231 header filename, so an attacker can bypass the server's extension-blocking protection for attachments and deliver a file with a blocked extension, such as an executable carrying ransomware, straight into a user's mailbox with no filtering. Users then receive attachments the filter was supposed to stop, and opening one can compromise the workstation and lead to wider disruption.

QUICK POINTS 

  • Severity: Critical
  • Exim versions 4.97.1 and earlier are affected
  • Deployments that rely on Exim's $mime_filename extension-blocking are the target
  • Successful exploitation lets blocked executable attachments reach end users, which can lead to full system compromise

IMMEDIATE ACTION 

To safeguard your infrastructure, please take the action steps outlined below: 

  • The #1 thing you can do at this time is to upgrade Exim to version 4.98!
  • Remind your employees to always remain vigilant and on guard when clicking attachments or links in emails. Be extra careful when the email is not from a trusted sender!
  • If you cannot upgrade Exim to 4.98 immediately, we advise that you restrict Exim server remote access to help prevent exploit attempts. 
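The bypass works because an attachment name does not have to arrive as a single `filename="..."` token: RFC 2231 lets a sender split it into numbered, charset-tagged pieces across folded header lines, and a filter that only recognises the plain form sees no name at all. The following is an added illustration in Python, not Exim's code and not taken from this page: it builds a constructed message whose attachment name is delivered that way, runs a naive extension filter that misses it, and then the check a practitioner wants, which decodes the MIME structure first and fails closed when an attachment cannot be named. The blocklist, addresses and base64 payload are constructed.

```python
import email
import email.policy
import os
import re

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}


def make_message(disposition_value):
    """Constructed two-part test message; disposition_value is the full
    Content-Disposition value and may contain folded continuation lines."""
    return (
        "From: sender@example.com\nTo: user@example.com\nSubject: invoice\n"
        "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
        "--b1\nContent-Type: text/plain\n\nsee attached\n"
        "--b1\nContent-Type: application/octet-stream\n"
        f"Content-Disposition: {disposition_value}\n"
        "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA//8AAA==\n"  # constructed bytes
        "--b1--\n"
    )


PLAIN_EXE = make_message('attachment; filename="invoice.exe"')
PLAIN_PDF = make_message('attachment; filename="invoice.pdf"')
# RFC 2231: the parameter arrives as numbered, charset-tagged pieces on two
# folded lines. No single line contains filename="...", and the extension
# only exists once the pieces are joined.
RFC2231_EXE = make_message("attachment;\n filename*0*=UTF-8''inv;\n filename*1*=oice.exe")


def extension_of(name):
    return os.path.splitext(name.strip().lower())[1]


def naive_blocked(raw):
    """Filter that only understands the plain filename="..." form. It never
    sees a name delivered as RFC 2231 pieces, so the attachment passes."""
    for line in raw.splitlines():
        m = re.search(r'filename="([^"]+)"', line, re.IGNORECASE)
        if m and extension_of(m.group(1)) in BLOCKED_EXTENSIONS:
            return True
    return False


def attachment_names(raw):
    """Names of all attachment parts as the standard library decodes them
    (Message.get_filename joins RFC 2231 pieces and applies the charset)."""
    msg = email.message_from_string(raw, policy=email.policy.compat32)
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            names.append(part.get_filename())
    return names


def robust_blocked(raw):
    """Decode the structure first and decide second, failing closed: an
    attachment whose name cannot be recovered is blocked, not waved through."""
    for name in attachment_names(raw):
        if name is None or extension_of(name) in BLOCKED_EXTENSIONS:
            return True
    return False


if __name__ == "__main__":
    for label, raw in (("plain exe", PLAIN_EXE), ("plain pdf", PLAIN_PDF), ("rfc2231 exe", RFC2231_EXE)):
        print(f"{label:12} naive={naive_blocked(raw)!s:5} robust={robust_blocked(raw)!s:5} "
              f"names={attachment_names(raw)}")
```

The same lesson applies to any gateway rule keyed on a header pattern: match on the decoded value the mail client will act on, and treat "could not determine the filename" as a reason to block rather than a reason to allow.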

CVE-2024-6387 OpenSSH Vulnerability

Published: July 1st, 2024

Category: OpenSSH

high

Source

Red Hat Inc.

Description

Updated:

July 14th, 2024

There is a regression flaw in OpenSSH that can give attackers full control of a server, and from there access to your network and data. Known as regreSSHion, this high-severity vulnerability is an unauthenticated remote code execution weakness in the OpenSSH server (sshd). It is estimated that up to 75% of networks have at least some machines running a vulnerable OpenSSH version.

regreSSHion is a race condition: the signal handler that sshd runs when a client fails to authenticate within the login grace time calls functions that are not safe to call from a signal handler. By timing its connection attempts precisely, an unauthenticated attacker can trigger the race and execute code as root on the server, gaining a foothold in a previously secure network.

SUPPLY CHAIN ALERT: OpenSSH servers aren’t the only software affected.  Many other pieces of software or hardware utilize OpenSSH in the background.  Check and validate your vendors to guard against being impacted by such an attack.  

QUICK POINTS 

  • More than 14 million OpenSSH servers are exposed to the internet with a major risk of remote code execution attack that grants full admin control to attackers
  • 40+ Cisco Products Are Also Vulnerable to RegreSSHion Vulnerability
  • Push Available Patches ASAP & Continually Update OpenSSH and Cisco Products
  • The difficulty for attackers to exploit this vulnerability is high. It mainly takes time and many repeat attempts 

IMMEDIATE ACTION 

  • Update OpenSSH immediately. Affected releases are 8.5p1 through 9.7p1, and releases earlier than 4.4p1 unless they were patched for CVE-2006-5051; OpenSSH 9.8p1 contains the fix. Distributions backport the fix without changing the version number, so check your vendor's advisory rather than relying on the version banner alone.
  • Review your vendors for embedded OpenSSH. For Cisco products, apply the available Cisco patches and keep applying updates as they are released. NAS devices and anything else that exposes a remote access service are also prime targets for this attack.
  • Restrict network access to SSH with network-based controls so that only trusted client hosts can reach it, and limit SSH agent forwarding to trusted hosts. Where patching must wait, setting LoginGraceTime to 0 in sshd_config removes the vulnerable code path, at the cost of making sshd easier to exhaust with idle connections.
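Because the race has to be won by timing and usually takes many attempts, exploitation leaves a trail: every losing attempt ends with sshd logging "Timeout before authentication for <address> port <port>", the message it writes whenever a connection hits LoginGraceTime without authenticating. One such line is routine; dozens from one address in a few minutes is worth an alert. The following is an added example, not from the page or from the OpenSSH project, that scans auth.log-style lines for that message and reports sources exceeding a threshold inside a sliding time window. The log lines are constructed to show the pattern; the hostnames, PIDs and addresses are not real.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd writes this line when a connection reaches LoginGraceTime without
# authenticating. One is routine; dozens from one source address in a few
# minutes is the footprint of an attacker repeatedly re-trying the race.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>[0-9A-Fa-f.:]+) port \d+$"
)


def parse_timestamp(text):
    """Syslog timestamps carry no year; deltas within one file still work."""
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S")


def timeout_bursts(lines, threshold=10, window_seconds=300):
    """Return {source_ip: peak_count} for sources that produced at least
    `threshold` authentication timeouts inside any `window_seconds` window."""
    per_ip = defaultdict(list)
    for line in lines:
        m = TIMEOUT_RE.match(line.rstrip("\n"))
        if m:
            per_ip[m.group("ip")].append(parse_timestamp(m.group("ts")))
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed lines in auth.log format, not from a real host: one normal
    login, a 30-connection burst from one address two seconds apart, and a
    lone timeout from another address."""
    lines = ["Jul  1 02:14:05 bastion sshd[4101]: Accepted publickey for deploy "
             "from 10.0.0.8 port 50112 ssh2"]
    for i in range(30):
        lines.append(f"Jul  1 02:15:{2 * i:02d} bastion sshd[{4200 + i}]: "
                     f"Timeout before authentication for 203.0.113.9 port {40000 + i}")
    lines.append("Jul  1 03:40:00 bastion sshd[5001]: Timeout before authentication "
                 "for 198.51.100.4 port 61000")
    return lines


if __name__ == "__main__":
    for ip, count in timeout_bursts(build_sample_log()).items():
        print(f"{ip}: {count} authentication timeouts within 5 minutes")
```

Treat a hit as a trigger for investigation, not proof of compromise: internet-facing hosts see the same message from ordinary scanners, and a patched server will still log it. The point is that an attacker working the race cannot avoid producing it in volume.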

CVE-2024-2973

Published: June 27th, 2024

Category: Juniper

critical

Description

Updated:

June 28th, 2024

Juniper Networks has released an out-of-cycle patch for an authentication bypass flaw (CVE-2024-2973) in Junos OS. The vulnerability allows unauthenticated remote attackers to bypass authentication controls and gain access to affected systems. Juniper reports that only routers or conductors running in high-availability redundant configurations, where service continuity is critical, are affected.

The Juniper products listed as impacted are Session Smart Router (SSR), Session Smart Conductor and WAN Assurance Router. Security updates are available for all of them, and Juniper advises patching immediately because no workarounds exist for this vulnerability. Patching should be a top priority, as Juniper devices have been targeted in cyberattacks in the past.

QUICK POINTS

    • Session Smart Router & Conductor:
      • ALL versions before 5.6.15
      • From 6.0 before 6.1.9-lts
      • From 6.2 before 6.2.5-sts
    • WAN Assurance Router:
      • 6.0 versions before 6.1.9-lts
      • 6.2 versions before 6.2.5-sts

IMMEDIATE ACTION 

Due to the severity of this vulnerability, it is critical that you notify your customers who utilize Juniper devices and apply the necessary patches: 5.6.15, 6.1.9-lts, or 6.2.5-sts

There are no “workarounds” for this vulnerability, so action is limited to updating devices to the necessary versions.

JavaScript Supply Chain Attack

Published: June 26th, 2024

Category: JavaScript

critical

Source

sansec.io

Description

A JavaScript supply chain attack has hit tens of millions of websites through the Polyfill.io service, whose domain and code were recently acquired by a Chinese operator that began serving malicious code from it. Any page that embeds the polyfill script now delivers that code to its visitors.

What this means for you:

Websites that load scripts from Polyfill.io may be serving malicious JavaScript to their visitors, which can lead to redirects, data theft or other compromise of the site's users. Legitimate sites that include the script therefore also become a dangerous click. Impacts have been seen on sites such as Hulu, Intuit, Nintendo, JSTOR and even the World Economic Forum. Remove every reference to Polyfill.io from your sites and serve any polyfills you still need from a source you control.

CVE-2024-37080

Published: June 18th, 2024

Category: vCenter

critical

Source

VMware

Description

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

Microsoft Email Spoofing Vulnerability

Published: June 18th, 2024

Category: Outlook

medium

Source

Techcrunch

Description

A significant vulnerability allows attackers to spoof emails so that they appear to come from Microsoft employees, which can be leveraged for sophisticated phishing attacks. The bug deceives recipients into believing they are receiving legitimate communications from Microsoft and affects mail delivered to Outlook accounts.

A cybersecurity researcher using the alias Slonser reports that he has discovered an exploit allowing him to impersonate Microsoft employee addresses in mail to any of the roughly 400 million Outlook accounts. Technical details of how the spoofing is performed have not been published, but sources have confirmed that it works.

Slonser has reported this exploit multiple times to Microsoft but so far this attack vector has not been patched as Microsoft states they are unable to replicate the issue. Such an attack underscores the importance of your organization taking proper spoofing precautions via DMARC, DKIM, and SPF settings, however until Microsoft addresses this ongoing vulnerability, we advise considering all emails from Microsoft to Outlook accounts as potentially suspicious, since email authentication policies likely will not effectively protect against this emerging threat. 

This vulnerability not only poses a significant risk of phishing attacks but also serves as a sophisticated vector for supply chain attacks. We strongly recommend reviewing and tightening your security protocols, ensuring all supply chain partners are also taking necessary precautions, and staying vigilant against any unusual email activity or Microsoft-related communications. 

Quick Points: 

  • Vulnerability: Email spoofing attacks appearing as Microsoft employees 
  • Affected Service: Microsoft Outlook Accounts 
  • Microsoft has been notified but no fix has been released

Immediate Action: 

  • Implement DMARC, DKIM, and SPF configurations to enhance email security.
  • Monitor email logs for unusual activities.
  • Confirm users are properly trained on best practices around common phishing techniques.

Look for These Report Findings: 

  • DMARC Record Does Not Exist
  • DKIM Selectors Do Not Exist
  • SPF Record Does Not Exist 
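The three findings above are the ones a domain report should never show, but the weaker variants (a `?all` SPF, a DMARC policy of `p=none`, a selector whose key has been revoked) give almost as little protection and are easy to miss in a raw TXT dump. The following is an added example, written for this page rather than taken from any report tool, that evaluates a domain's records offline and emits the same finding strings, plus those weaker cases. The records are constructed; in practice you would fetch them with a resolver (for example `dig TXT _dmarc.example.com`) and feed the strings in.

```python
# Finding strings match the report wording on this page.
SPF_MISSING = "SPF Record Does Not Exist"
DMARC_MISSING = "DMARC Record Does Not Exist"
DKIM_MISSING = "DKIM Selectors Do Not Exist"


def tag_values(record):
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(apex_txt):
    """Findings for the TXT records at the domain apex."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [SPF_MISSING]
    findings = []
    if len(spf) > 1:  # RFC 7208 s4.5: more than one record is a permanent error
        findings.append("Multiple SPF records (receivers treat this as permerror)")
    last = spf[0].split()[-1].lower()
    if last in ("all", "+all"):
        findings.append("SPF ends in +all (any host may send as this domain)")
    elif last == "?all":
        findings.append("SPF ends in ?all (neutral, offers no protection)")
    return findings


def check_dmarc(dmarc_txt):
    """Findings for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [DMARC_MISSING]
    tags = tag_values(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC policy is p=none (monitoring only, spoofed mail still delivered)")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag")
    if "rua" not in tags:
        findings.append("DMARC record has no rua= address, so no aggregate reports arrive")
    return findings


def check_dkim(selectors):
    """selectors: {selector: [TXT records at <selector>._domainkey.<domain>]}."""
    if not selectors:
        return [DKIM_MISSING]
    findings = []
    for selector, records in selectors.items():
        keys = [r for r in records if "p=" in r]
        if not keys:
            findings.append(f"DKIM selector {selector} has no key record")
        elif not tag_values(keys[0]).get("p"):
            findings.append(f"DKIM selector {selector} has an empty p= tag (key revoked)")
    return findings


def audit(apex_txt, dmarc_txt, dkim_selectors):
    return check_spf(apex_txt) + check_dmarc(dmarc_txt) + check_dkim(dkim_selectors)


# Constructed records, not real lookups. WEAK has a neutral SPF and nothing else;
# GOOD is the target state (the DKIM public key is a placeholder string).
WEAK = {
    "apex": ["google-site-verification=abc123", "v=spf1 include:_spf.example.net ?all"],
    "dmarc": [],
    "dkim": {},
}
GOOD = {
    "apex": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"],
    "dkim": {"s1": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder"]},
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("good", GOOD)):
        print(label, audit(recs["apex"], recs["dmarc"], recs["dkim"]) or ["no findings"])
```

Note what these checks can and cannot tell you about the Outlook issue above: they confirm that your own domain cannot be spoofed to receivers that enforce DMARC, which protects your partners from mail forged in your name; they do nothing about mail that really originates inside Microsoft's infrastructure, which is why the advice above is to treat such mail with suspicion until the fix lands.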

CVE-2024-38507

Published: June 18th, 2024

Category: JetBrains

low

Source

Mitre

Description

In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible

CVE-2024-4032

Published: June 17th, 2024

medium

Source

Mitre

Description

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.
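The security impact of this bug shows up wherever `is_global` or `is_private` gates a server-side request, the usual defence against SSRF reaching link-local metadata services or internal hosts: the answer for a handful of special-purpose ranges depends on which CPython release is doing the computation. The following is an added example, not from CPython or from this page, of a target check that does not rely on the library's registry data alone. It keeps an explicit denylist of special-purpose blocks from the IANA registries, unwraps IPv4-mapped IPv6 addresses before deciding, and only then consults `is_global`; an address must pass both tests. The address strings used in the demonstration are constructed.

```python
import ipaddress

# Special-purpose blocks from the IANA IPv4/IPv6 Special-Purpose Address
# Registries that a server-side fetch should never reach. Listing them here
# means the decision is the same on every CPython release, including the ones
# whose is_global data was wrong before 3.12.4.
DENY = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "2001:db8::/32", "fc00::/7",
    "fe80::/10", "ff00::/8",
)]


def is_safe_target(addr_text):
    """True only for a unicast address outside every denied block that the
    standard library also regards as globally reachable. Any parse failure,
    any denylist hit, or a non-global verdict rejects the address."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        # ::ffff:10.0.0.5 is 10.0.0.5 to the kernel; judge the inner address.
        return is_safe_target(str(addr.ipv4_mapped))
    if any(addr in net for net in DENY):
        return False
    return bool(addr.is_global and not addr.is_multicast)


if __name__ == "__main__":
    # Constructed inputs: the first four are classic SSRF targets, the rest are
    # public addresses and a malformed string.
    for candidate in ("169.254.169.254", "10.0.0.5", "::ffff:10.0.0.5", "192.0.0.9",
                      "93.184.216.34", "2606:4700::1111", "not-an-ip"):
        print(f"{candidate:20} {'allow' if is_safe_target(candidate) else 'reject'}")
```

Two caveats belong with any such guard. Check the address the connection will actually use, after DNS resolution and again after every redirect, not the hostname typed by the user; and keep the denylist under review, since the registries this bug tracked do change.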

Cylance Confirms Data Breach

Published: June 10th, 2024

Category: Cylance

medium

Description

Cylance, a major supplier of antivirus software, confirmed a data breach on June 11th, 2024. 

The compromised data includes the following 

  • 34 million Cylance customer and employee emails 
  • Personally identifiable information of customers, employees and partners 
  • Marketing data. 

This means you should be on the lookout for more targeted phishing emails in the coming months, especially ones that appear to come from trusted vendors.

The Cylance data has been linked to the wave of thefts from accounts on the third-party data platform Snowflake. Attackers did not break into Snowflake itself; they logged into customer Snowflake tenants using stolen credentials on accounts that lacked multi-factor authentication, and as many as 165 organizations may be affected. The same campaign has been linked to potential (and in some cases confirmed) breaches at Ticketmaster, Santander Bank, Anheuser-Busch, Allstate, Advance Auto Parts, Neiman Marcus, Progressive and State Farm.

CVE-2024-4577

Published: June 9th, 2024

Category: PHP

critical

Source

NVD

Description

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVE-2024-29972, CVE-2024-29973, CVE-2024-29974

Published: June 3rd, 2024

Category: Zyxel

critical

Source

Zyxel

Description

Updated:

June 5th, 2024

Zyxel has issued an emergency patch for a set of critical vulnerabilities affecting end-of-life NAS devices. This is extremely dangerous to those organizations with legacy Zyxel devices because this flaw allows attackers to gain access to your data and your network, the perfect entry for ransomware threats. 

The vulnerabilities identified in Zyxel NAS devices allow attackers to inject and execute code into a target system remotely, as well as escalate account privilege. Once the exploit is performed, threat actors have direct access to data and can move laterally throughout your network. The flaws impact NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older. 

Although these devices are end-of-life, the threat they pose due to their continued use in some environments can be catastrophic.  This flaw is already being leveraged by hacker groups in botnet attacks and the proof-of-concept (POC) of the attack is publicly available making this even more likely to be exploited.   

QUICK POINTS 

  • Vulnerability IDs: CVE-2024-29972, CVE-2024-29973, CVE-2024-29974 (CVSS score: 9.8)
  • Severity: Critical 
  • Patch Status: Zyxel has released patches (see below) as well as further remediation steps you can take. 

IMMEDIATE ACTION 

  • Identify all Zyxel NAS326 and NAS542 devices within your managed environments. 
  • Apply the emergency patch as per Zyxel's instructions. 
  • Replace affected devices as soon as possible with models that are still actively updated and supported.
  • Continue to scan your environment for end-of-life devices and remove them accordingly. 

CVE-2024-3661

Published: May 6th, 2024

Category: VPN

high

Description

Updated:

July 1st, 2024

A high-severity vulnerability affecting virtually all VPN clients, known as the TunnelVision technique, has been identified. It can expose traffic that users believe is protected by the VPN, which matters for MSPs managing client data and communications. With it, an attacker on the same local network can read or tamper with traffic, mount man-in-the-middle attacks, or use the access as a first step toward a ransomware attack.

TunnelVision exploits CVE-2024-3661, a design weakness in DHCP: the classless static route option (option 121) is not authenticated, so a rogue or compromised DHCP server on the local network can push routes that send traffic to the attacker's gateway instead of through the VPN tunnel. The leak has been demonstrated across many operating systems and VPN products, because it targets the routing table the VPN relies on rather than the VPN software itself.

QUICK POINTS: 

  • This vulnerability is not dependent on VPN provider or implementation and most VPN systems based on IP routing are affected. 
  • All major operating systems seem to be impacted including Windows, macOS, Android, iOS, and Linux. 
  • Threat actors can leverage an attack simply by being on the same network as the victim.  

WHAT THIS MEANS FOR YOU: 
Because this technique is so widespread and easy to use, every organization that relies on VPNs should review how those connections are protected on untrusted networks.
 

IMMEDIATE ACTION: 

  1. Review and audit your VPN settings and configurations to ensure leak protection is in place and enforced. Confirm that all VPN software is up to date and patched.
  2. Prefer VPN clients whose leak protection is enforced with host firewall rules that block all traffic outside the tunnel, rather than relying on routing alone, since TunnelVision works by manipulating routes. IPv6 and WebRTC leak prevention remain worthwhile but do not address this flaw.
  3. Keep your network management teams informed and updated on best practices for VPN security.
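To see why routing-based leak protection loses, it helps to decode what a hostile DHCP server actually sends. Option 121 (RFC 3442) is a list of entries, each a prefix length, the significant octets of the destination and a router address; a full-tunnel VPN client typically claims traffic with two /1 routes, so an attacker who pushes routes at least as specific as those, pointing at a gateway they control, pulls the traffic onto the physical interface. The following is an added example, not from the page or the TunnelVision researchers, that parses option 121 payloads and flags the routes that would bypass the tunnel. The payloads, the gateway address and the assumption that the client installs 0.0.0.0/1 and 128.0.0.0/1 are constructed for the demonstration.

```python
import ipaddress

# Routes a typical full-tunnel VPN client installs to capture all traffic
# without replacing the default route (an assumption about the client).
TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]


def parse_option_121(data):
    """Decode DHCP option 121 (RFC 3442 classless static routes).

    Each entry is: prefix length (1 byte), the significant octets of the
    destination (ceil(prefix/8) bytes), then the 4-byte router address.
    Returns [(IPv4Network, IPv4Address), ...]; raises ValueError on bad data.
    """
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"prefix length {plen} out of range")
        n = (plen + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + n]) + bytes(4 - n)
        router = ipaddress.IPv4Address(bytes(data[i + n:i + n + 4]))
        i += n + 4
        # strict=False: a server may set bits below the prefix; keep the route anyway
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def routes_bypassing_tunnel(routes, tunnel_routes=TUNNEL_ROUTES):
    """Routes at least as specific as an overlapping tunnel route. These win
    (or tie) longest-prefix matching, so their traffic leaves the tunnel."""
    return [(net, router) for net, router in routes
            if any(net.overlaps(t) and net.prefixlen >= t.prefixlen for t in tunnel_routes)]


GATEWAY = bytes([192, 0, 2, 254])  # constructed attacker/LAN gateway address
# Constructed payloads, not captures. The first is what a TunnelVision DHCP
# server pushes: two /1 routes that tie the VPN's own /1 routes, plus a /24
# for one specific target, all pointing at the attacker's gateway.
ATTACK_OPTION_121 = (bytes([1, 0x00]) + GATEWAY
                     + bytes([1, 0x80]) + GATEWAY
                     + bytes([24, 198, 51, 100]) + GATEWAY)
# A benign lease: a default route and one local subnet.
BENIGN_OPTION_121 = bytes([0]) + GATEWAY + bytes([24, 10, 0, 1]) + GATEWAY


if __name__ == "__main__":
    for label, payload in (("attack", ATTACK_OPTION_121), ("benign", BENIGN_OPTION_121)):
        routes = parse_option_121(payload)
        leaks = routes_bypassing_tunnel(routes)
        print(label, [f"{net} via {router}" for net, router in routes],
              "bypassing tunnel:", [str(net) for net, _ in leaks])
```

Note that even the benign lease's 10.0.1.0/24 is reported: on a full-tunnel VPN any option-121 route is traffic leaving the tunnel, which is exactly why the fix is a host firewall that drops everything not destined for the tunnel interface rather than a smarter routing table.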

CVE-2024-21412 - Microsoft Defender Vulnerability

Published: February 13th, 2024

Category: Microsoft Defender

high

Source

Microsoft

Description

Updated:

February 15th, 2024

There exists a significant security flaw with Microsoft Defender SmartScreen. If you or your clients are using SmartScreen, you could be subject to this attack. The vulnerability, tracked as CVE-2024-21412 with a patch available since February of 2024, is now being actively exploited in an info-stealing campaign. 

Here is how it works:  

  1. The process begins by deploying a phishing email containing a malicious link. (Sound familiar?)
  2. Clicking the link allows a file that utilizes PowerShell commands to download a script disguised as an overlay icon. 
  3. Once the script is executed, it will run silently and download a decoy PDF that will be used to legitimize the process that installs information stealing malware.  

QUICK POINTS  

  • Microsoft Defender SmartScreen Vulnerability is HIGH (8.1)
  • Windows 10,11 and Server 2019, 2022 versions are at risk 
  • Web browsers, cryptocurrency wallets, messaging apps, email clients, VPN services, password managers and more are the target 
  • Successful exploitation bypasses SmartScreen warnings, so a file the user is tricked into opening runs without the usual security prompt

IMMEDIATE ACTION  

To safeguard your infrastructure as well as your clients, please take the action steps outlined below:  

  • Educate users about the dangers of downloading and running files from unverified sources. 
  • Ensure all systems are up to date with the latest Windows security patches.
  • Utilize advanced endpoint protection solutions to detect and block malicious activities, pay special attention to PowerShell commands. 
  • Implement network monitoring to detect unusual activities. 
