Cybersecurity Alerts

There is a recently uncovered set of Palo Alto Networks vulnerabilities affecting PAN-OS Firewall Expedition. The exploits are currently being chained together to allow hackers to hijack networks and steal private data.  

This dangerous attack chain, with the most critical of the vulnerabilities being CVE-2024-9463, allows an attacker to read Expedition database contents via an unauthenticated command injection.  This is leveraged with CVE-2024-9466, gives the threat actor the ability to see usernames, passwords, and even API keys in clear text.

Palo Alto Networks is reporting that proof of concepts exists for this attack making it even more dangerous and likely to be utilized to take control of networks. Palo Alto has released a patch to address this issue, and we are advising organizations to update immediately.

QUICK POINTS 

• Vulnerability IDs:
  • CVE-2024-9463 (CVSS score: 9.9) - Command Injection
  • CVE-2024-9464 (CVSS score: 9.3) - Command Injection
  • CVE-2024-9465 (CVSS score: 9.2) - SQL Injection
  • CVE-2024-9466 (CVSS score: 8.2) - Cleartext Storage
  • CVE-2024-9467 (CVSS score: 7.0) - XSS Vulnerability
• Severity: Critical
• Affected Devices: Palo Alto PAN-OS Firewalls 

IMMEDIATE ACTION 

• Patch affected devices: Upgrade Palo Alto Networks Expedition to version 1.2.96 or later 
• Implement workarounds: Mitigations in case you cannot upgrade right away:
  • Restrict access to expedition to only authorized users
  • Shut down Expedition until upgraded 

There have been critical vulnerabilities recently discovered in the Optigo Networks ONS-S8 Switches, and widely deployed in industrial control systems and critical infrastructure.  This dangerous exploit gives attackers a direct path into the network, putting your sensitive data at risk of theft.

These vulnerabilities allow remote attackers to bypass authentication and execute code on the affected devices. Given the low complexity of these exploits, the risks are severe and could result in unauthorized access and complete device control.

While we have not seen these flaws being actively exploited, CISA is recommending configuration changes such as setting up VLAN and allow-listing specific devices for organizations to protect themselves.  Due to the severity of this vulnerability and how easy it is to perform, we recommend administrators take immediate action.

Key Points: 

• CVE-2024-41925 Remote Code Execution (CVSS score: 9.8)
• CVE-2024-45367 Authentication Bypass (CVSS score: 9.1)
• Severity: Critical
• Affected Devices: ONS-S8 Spectra Aggregation Switch with firmware versions 1.3.7 and earlier
• Patch Status: No patches currently available 

Immediate Actions: 

• Isolate ONS-S8 management traffic in a dedicated VLAN
• Implement router firewalls with device allow-listing for OneView
• Use a dedicated NIC for OT management and ensure connections are secured via VPN 

 Critical security vulnerabilities were recently discovered in HPE Aruba Networking’s access points. These flaws allow unauthenticated, remote attackers to gain total control of network devices which could lead to sensitive data loss or even ransomware. 

These vulnerabilities exist in HPE’s Command Line Interface service of its Aruba Access Points. Each vulnerability involves a remote attacker sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port 8211. This gives the attacker unauthenticated access and allows them to execute arbitrary code and take full control of vulnerable devices. 

HPE has provided necessary patches, as well as temporary workarounds for the affected devices that you can reference below. Due to the popularity of HPE products, we expect these vulnerabilities to be leveraged by attackers soon, making these updates a main priority for affected systems. 

QUICK POINTS:

• Vulnerability IDs:
  • CVE-2024-42505 (CVSS score: 9.8)
  • CVE-2024-42506 (CVSS score: 9.8)
  • CVE-2024-42507 (CVSS score: 9.8)
• Severity: Critical 
• Affected Devices: 
  • Instant AOS-8.12.0.1 and below
  • Instant AOS-8.10.0.13 and below
  • AOS-10.6.0.2 and below
  • AOS-10.4.1.3 and below 

IMMEDIATE ACTION: 

• Patch affected devices: Ensure that all HPE Aruba access points are updated with the latest security patches immediately.
  • HPE have made the latest security updates available here: HPE Networking Support Portal
• Implement workarounds: Administrators are also urged to implement these workarounds for more protection.
  • Instant AOS-8.x devices: enable “cluster-security” to block exploitation
  • AOS-10.x devices: block access to port UDP/8211 from all untrusted networks 

There are three zero-day vulnerabilities identified in Ivanti's Connect Secure Appliance (CSA) that are being used in a dangerous attack chain. Hackers are actively abusing these exploits in combination to take over networks and steal data.

Ivanti has advised of multiple CVEs, with the most dangerous being CVE-2024-8963, a path traversal bug with a severity score of 9.1.  Threat actors are combining these CVEs to abuse a path traversal weakness, only to follow this up with the ability to inject commands and then execute remote code.  This attack chain gives the attacker full access to the network with administrator level privileges.

Ivanti has acknowledged these zero-days and is offering updates to their Connect Secure Appliance to resolve this issue. The active abuse of these vulnerabilities emphasizes the importance for organizations to apply these patches immediately as we expect to see this attack chain to be abused for data theft or even ransomware.

QUICK POINTS: 

• Vulnerability IDs:  
  • CVE-2024-9379 (CVSS score: 6.5) - SQL Injection
  • CVE-2024-9380 (CVSS score: 7.2) - Remote Code Execution
  • CVE-2024-9381 (CVSS score: 7.2) - Path Traversal
  • CVE-2024-8963 (CVSS score: 9.1) - Path Traversal
• Severity: Critical
• Affected Product: Ivanti Connect Secure Appliance (CSA) 5.0.1 and earlier 
• Follow this link for Ivanti's security report for CVE-2024-9379/9380/9381
• Follow this link for Ivanti's security report for CVE-2024-8963

IMMEDIATE ACTION: 

• Update devices accordingly: Ensure any devices that run the Connect Secure Appliance software are up to date with the latest version
• Upgrade End-of-Life (EOL) devices: With the main devices being exploited being EOL, CSA 4.6 patch 518, admins are strongly advised to upgrade to the latest version, 5.0.2
• Review and monitor: Review appliances and devices for any indicators of compromise, specifically for any modified or newly added admin users 

There have been dangerous critical security flaws discovered in D-Link WiFi 6 routers. These five vulnerabilities include a hardcoded password flaw that could give hackers direct access to a network, leaving it vulnerable to data loss or even ransomware. 

D-Link has released news of five major exploits that are all considered critical.  Two of the more dangerous of these flaws are the remote code execution flaw, CVE-2024-45694, which allows attackers to execute code to take over the device remotely, and the hardcoded password issue, CVE-2024-45697, which provides unauthorized access by threat actors directly into the device. 

D-Link has provided patches to all impacted equipment and is recommending organizations patch immediately.  Due to the popularity of D-Link devices as well as the ease of execution of these threats, we expect to see this leveraged by hackers soon, making updating imperative.  

QUICK POINTS 

• Vulnerability IDs:  
  • RCE flaws
    • CVE-2024-45694 (CVSS score: 9.8)
    • CVE-2024-45695 (CVSS score: 9.8) 
  • Hardcoded Password issues 
    • CVE-2024-45696 (CVSS score: 8.8)
    • CVE-2024-45697 (CVSS score: 9.8)
    • CVE-2024-45698 (CVSS score: 8.8)
• Severity: Critical 
• Affected Devices: 
  • COVR-X1870 (non-US) firmware versions v1.02 and below
  • DIR-X4860 (worldwide) on v1.04B04_Hot-Fix and older
  • DIR-X5460 (worldwide) running firmware v1.11B01_Hot-Fix or older 

IMMEDIATE ACTION 

• Patch all affected D-Link WiFi 6 routers to the following recommended versions: 
  • v1.03B01 for COVR-X1870
  • v1.04B05 for DIR-X4860
  • DIR-X5460A1_V1.11B04 for DIR-X5460
• Audit and review network for potential exposure to this vulnerability

We are alerting you to two critical vulnerabilities found in SolarWinds' Access Rights Manager (ARM) software, a software used for Active Directory and Azure AD user provisioning. These vulnerabilities, when combined, could form an attack chain that would allow an attacker to go from no network access to gaining total control of a network. 

The first vulnerability used in this attack chain, CVE-2024-28990, is a hard-coded credential bypass issue. If exploited, this gives an attacker unauthorized access to SolarWinds devices. The second vulnerability in the chain, CVE-2024-28991, is a result of user-supplied data not being properly validated. Combined with the first vulnerability, an attacker can remotely execute malicious code, which could lead to data breaches and even ransomware attacks.  

Attack chains are dangerous because they demonstrate how a combination of smaller vulnerabilities can be exploited in sequence, leading to more critical breaches and attacks.  SolarWinds has released a patch to their Access Rights Manager to address issues and has advised users to update immediately. 

QUICK POINTS 

• Vulnerability IDs
  • CVE-2024-28990 (CVSS score: 9.8)
  • CVE-2024-28991 (CVSS score: 8.8)
• Severity: Critical
• Affected Devices: SolarWinds Access Rights Manager (ARM) 2024.3 and all previous versions 

IMMEDIATE ACTION 

• Ensure all instances of SolarWinds Access Rights Manager are updated to the latest version
  • Update to SolarWinds ARM 2024.3.1
• Review system access logs for any signs of suspicious activity 

 There is a critical vulnerability in Veeam Backup & Replication that is being actively used to take over networks and deliver dangerous malware.  Due to the severity of the attack and the importance of data backups, it is even more urgent for teams to update their Veeam Backup & Replication to the newest version immediately.

The exploit in Veeam Backup & Replication is a remote code execution (RCE) that bypasses authentication and gives attackers full access. Once authentication has been bypassed, hackers gain full access to all versions of the existing data backups, setting up ransomware scenarios. Organizations are already reporting incidents involving Akira and Fog ransomware being utilized to steal sensitive data and extort its owners.

While this CVE was first recognized by Veaam in late September, we are now seeing threat actors using the known proof of concept to attack organizations via ransomware at an escalated rate.

QUICK POINTS 

• Vulnerability ID: CVE-2024-40711(CVSS Score: 9.8)
• Severity: Critical
• Affected Versions: Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds 

IMMEDIATE ACTION 

• Patch any Veeam Backup & Replication to version 12.2.0.334
• Check for any suspicious access or abnormal behavior in Veeam environments
• No other workarounds suggested, and immediate updates are necessary 
• See Veeam Security Bulletin for further details.

There is a recent critical vulnerability found in Progress Software’s products. This vulnerability could allow remote, unauthenticated attackers to access your network and your company’s sensitive information.  

This vulnerability affects multiple Progress devices including its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor, both of which are used as load balancing solutions. This issue stems from improper input validation which may allow attackers to access the LoadMaster’s management interface and from there, execute arbitrary system commands on victims’ machines. 

Progress Software has released an add-on patch to address the issue for most affected versions. The only caveat is this add-on patch will not work on free versions of Load Master, so this vulnerability currently remains an issue on those machines. 

QUICK POINTS: 

• Vulnerability ID: CVE-2024-7591 (CVSS score: 10.0)
• Severity: Critical
• Affected Versions: LoadMaster versions 7.2.60.0 and all previous versions; MT Hypervisor versions 7.1.35.11 and all previous versions; branches such as Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) are all impacted 

IMMEDIATE ACTION: 

• Apply the add-on patch available from Progress Software’s support portal
• Checkout Progress’ post on basic security hardening techniques you should implement: LoadMaster Security Measures
• Monitor network activity for signs of exploitation using IDS/IPS systems 

There are two highly critical vulnerabilities found in Cisco’s Smart Licensing Utility software that is utilized in a variety of Cisco products. These vulnerabilities could allow unauthenticated, remote attackers to gain complete access to a network leading to possible theft of sensitive data. 

Cisco has disclosed that these vulnerabilities, CVE-2024-20439 and CVE-2024-20440 allow attackers to exploit a default, undocumented administrative account to gain unauthorized access to the system. This could pose a significant security risk to organizations using Cisco's Smart Licensing Utility, as it provides an attacker with the ability to execute arbitrary commands and elevate privileges.  

There is an increased danger with this threat as the Smart Licensing Utility is included as a feature of a large range of Cisco products including Cisco routers, switches, Next-Gen Firewall (NGFW) solutions, wireless controllers and the Cisco DNA Center.  Cisco has released fixes to address these vulnerabilities and is urging teams to update to the newest version of the software immediately.  

QUICK POINTS 

• Vulnerability IDs: CVE-2024-20439 (CVSS score: 9.8) and CVE-2024-20440 (CVSS score: 9.8)
• Severity: Critical
• Affected Devices: Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 and any Cisco product that utilizes this software
• Patch Status: All devices have the necessary patches to fix these vulnerabilities. They are listed below.  

IMMEDIATE ACTION 

• Update affected systems to the latest version as per Cisco’s advisory
  • Cisco Smart License Utility version 2.3.0
• Audit and update any Cisco devices/products as Smart Licensing Utility is used with many other Cisco products
• Review any potential exposure to this vulnerability 

Veeam has released security updates addressing 18 high and critical vulnerabilities in their products, including Veeam Backup & Replication (VBR), Service Provider Console, and Veeam One. Among the most severe is CVE-2024-40711, a critical remote code execution (RCE) flaw affecting VBR, with a CVSS score of 9.8. This vulnerability can be exploited without authentication and allows attackers to take over vulnerable systems.

VBR is essential for managing enterprise backup infrastructures, making it a high-value target for ransomware operators. Past attacks by groups such as the Cuba ransomware gang and FIN7—known for collaborating with ransomware groups like Conti, REvil, and Maze—have leveraged VBR vulnerabilities to steal backups for double extortion and delete or encrypt backup sets, leaving victims without recovery options.

The flaw affects Veeam Backup & Replication version 12.1.2.172 and all earlier versions in the 12.x branch. To mitigate this risk, users should update to VBR version 12.2.0.334 immediately.

We strongly urge all Veeam users to apply these critical patches as soon as possible to protect their backup infrastructure from potential exploitation.

For more information, visit the official Veeam security advisory.

There is a recent exploit affecting widely used Zyxel networking devices. This new attack requires no authentication and gives hackers complete access to a network and its data.  

This vulnerability affects various Zyxel business devices including routers and access points, which are commonly used in organizations. By abusing an input validation fault and sending a specially crafted cookie to the device, this exploit allows attackers the ability to run commands without any authentication.    

Zyxel has released security updates to address this exploit as well as a number of other vulnerabilities and are advising organizations to update immediately.  Due to the severity of the exploit and Zyxel’s widespread use, we expect to see this threat leveraged soon, so immediate updates are vital.

QUICK POINTS: 

• Vulnerability ID: CVE-2024-7261 (CVSS score: 9.8)
• Severity: Critical
• Affected Devices: NWA Series, NWA1123-AC PRO, NWA1123ACv3, WAC500, WAC500H, WAC Series, WAX Series, and WBE Series access point (AP) devices are all impacted
• Patch Status: All devices have the necessary patch to fix this vulnerability. They are listed below. 

IMMEDIATE ACTION: 

• Verify the version of firmware running on all Zyxel devices.
• Apply the latest Zyxel patches immediately:
• NWA Series – upgrade to 7.00 (ABYW.2) or later
• NWA1123-AC PRO – upgrade to 6.28 (ABHD.3) or later
• NWA1123ACv3, WAC500, WAC500H – upgrade to 6.70 (ABVT.5) or later
• WAC Series – upgrade to 6.28 (AAXH.3) or later
• WAX Series – upgrade to 7.00 (ACHF.2) or later
• WBE Series – upgrade to 7.00 (ACLE.2) or later 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability in the SolarWinds Web Help Desk product.   

Threat actors are leveraging the critical RCE (remote code execution) vulnerability in SolarWinds Web Help Desk, tracked as CVE-2024-28986.  This flaw involves Java deserialization, allowing attackers to execute commands on the host machine.  The vulnerability has a CVSS score of 9.8, indicating the significance of patching this vulnerability as soon as possible.  

What this means for you:

Attackers can use this vulnerability to execute arbitrary commands on the affected system, potentially gaining full control over it. With control over the system, attackers can access sensitive data leading to data breaches. But it doesn’t stop there.  Attackers with the system compromised can then expand to the network causing service disruptions.  

If you are using SolarWinds Web Help Desk it is absolutely critical that all installations are updated as described below. 

QUICK POINTS  

• Affected Product: SolarWinds Web Help Desk  
• Severity: Critical (CVSS v3 score 9.8)
• Exploitation: Although SolarWinds denies they have been able to confirm the unauthenticated instances of this exploit, they urge all affected users to patch out of an “abundance of caution”
• Patch Availability: Immediately upgrade your SolarWinds Web Help Desk installations to version 12.8.3, apply the provided hotfix – Web Help Desk 12.8.3 Hotfix 1 – and install it. 
   

IMMEDIATE ACTION  

• Patch Application: Apply the hotfix provided by SolarWinds to mitigate this vulnerability.  
• Monitor for IOCs: Continuously monitor for indicators of compromise related to this vulnerability (unauthorized access, unusual sign-on attempts, privilege account irregularities, unexpected software installations or updates).  
• Network Segmentation: Implement network segmentation to limit the potential impact of exploitation.
• Enhanced Monitoring: Monitor network traffic and system logs for unusual activity. 

 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a vulnerability in Acronis products to its Known Exploited Vulnerabilities (KEV) Catalog. 

This vulnerability affects Acronis Cyber Infrastructure (ACI) a software-defined infrastructure solution designed to provide secure storage, compute, and networking resources. More than 20,000 service providers, many in the MSP space, use ACI, which covers more than 750,000 organizations in 150 countries. 

The vulnerability from late 2023, CVE-2023-45249, which uses the exploitation of default passwords, has recently been observed as a way in for the bad guys. This vulnerability leads to remote code execution and enables attackers to gain access and control over the affected systems. A security patch was made available upon the discovery of the vulnerability nine months ago.  

CISA is requiring government agencies to remediate the flaw by August 19, 2024.  

QUICKPOINTS 

• Older versions of Acronis Cyber Infrastructure (ACI) use default passwords
• Attackers are actively targeting these instances
• Update to the newest version immediately to stay safe 

IMMEDIATE ACTION 

Vulnerable instances of ACI can be identified by looking for their implementations’ build number via the “About” dialog box within the main window’s “Help” section. Instances before builds 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132 are vulnerable to this exploit. 

A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the underlying operating system.

This vulnerability is due to improper handling of email attachments when file analysis and content filters are enabled. An attacker could exploit this vulnerability by sending an email that contains a crafted attachment through an affected device. A successful exploit could allow the attacker to replace any file on the underlying file system. The attacker could then perform any of the following actions: add users with root privileges, modify the device configuration, execute arbitrary code, or cause a permanent denial of service (DoS) condition on the affected device.

Affected device versions: 

• Cisco AsyncOS for Cisco Secure Email Software earlier than 15.5.1-055
• Content Scanner Tools version earlier than 23.3.0.4823

Immediate Action:

• Apply the latest patches and version updates released by Cisco for affected products.
• Review security configurations and ensure monitoring is in place.

A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.

Affected Device Versions: 

• Cisco SSM On-Prem versions earlier than 8-202206

Immediate Action:

• Apply the latest patches and version updates released by Cisco for affected products. 
• Review security configurations and ensure monitoring is in place.

There is a critical new vulnerability known as the "BlastRADIUS" attack which could soon impact networks worldwide.  

In networks where RADIUS secure authentication is used this threat allows hackers to bypass normal authentication methods so they can masquerade as a privileged user.  This gives them total access to your entire network and the data it holds. Many corporate networks and even ISPs utilize RADIUS in their authentication methods, which makes this a very significant issue. 

BlastRADIUS gives the threat actor admin privileges on RADIUS devices without requiring the stealing of credentials or any password cracking.  While a public proof-of-concept (POC) has not yet been released, a private POC has been confirmed by researchers and we expect threat actors to begin to leverage this exploit soon.

Quick Points: 

• Vulnerability ID: CVE-2024-3596 
• Severity: Critical
• Patch Status: See below for best practices and how to avoid this kind of attack. 

Immediate Action:  

Upgrading RADIUS clients alone is not sufficient.  Every server using RADIUS must be upgraded to address this exploit.  Additional action: 

• Network administrators are advised to: 

• Upgrade to RADIUS over TLS (RADSEC) 
• Switch to multihop RADIUS deployments
• Isolate RADIUS traffic using tunneling or VLANs 

• Microsoft has released steps and best practices in KB5040268 on how you can secure your network for this attack as well. 

There is an emerging Exim mail server vulnerability. If you or your clients are running an Exim mail server, an attacker could deliver a ransomware payload right to a user’s mailbox with no filtering! This puts users at risk of receiving malicious attachments. Opening these attachments could lead to severe system disruptions, including complete server compromise. The Exim Vulnerability is exploited by bypassing extension-blocking protections. Attackers manipulate header filenames to evade the extension-based security measures meant to block malicious attachments. 

QUICK POINTS 

• Exim Mail Server Vulnerability is Critical  
• All Exim versions 4.97.1 and earlier are at risk
• Mailboxes with extension-blocking protection mechanisms are the target
• Successful exploitation by an attacker could lead to a full-scale system compromise 

IMMEDIATE ACTION 

To safeguard your infrastructure as well as your clients, please take the action steps outlined below: 

• The #1 thing you can do at this time is to upgrade Exim to version 4.98!
• Remind your employees and clients to always remain vigilant and on guard when clicking attachments or links in emails. Be extra careful when the email is not from a trusted sender!
• If you cannot upgrade Exim to 4.98 immediately, we advise that you restrict Exim server remote access to help prevent exploit attempts. 

There is an emerging Exim mail server vulnerability. If you are running an Exim mail server, an attacker could deliver a ransomware payload right to a user’s mailbox with no filtering! This puts users at risk of receiving malicious attachments. Opening these attachments could lead to severe system disruptions, including complete server compromise. The Exim Vulnerability is exploited by bypassing extension-blocking protections. Attackers manipulate header filenames to evade the extension-based security measures meant to block malicious attachments. 

QUICK POINTS 

• Exim Mail Server Vulnerability is Critical  
• All Exim versions 4.97.1 and earlier are at risk
• Mailboxes with extension-blocking protection mechanisms are the target
• Successful exploitation by an attacker could lead to a full-scale system compromise 

IMMEDIATE ACTION 

To safeguard your infrastructure, please take the action steps outlined below: 

• The #1 thing you can do at this time is to upgrade Exim to version 4.98!
• Remind your employees to always remain vigilant and on guard when clicking attachments or links in emails. Be extra careful when the email is not from a trusted sender!
• If you cannot upgrade Exim to 4.98 immediately, we advise that you restrict Exim server remote access to help prevent exploit attempts. 

There is an OpenSSH regression flaw that can give attackers complete access to your network and data if exploited.  Known as RegreSSHion, this high-severity threat allows hackers to fully compromise systems by exploiting an unauthenticated remote execution weakness where OpenSSH fails to enforce proper input validation.  It’s estimated that up to 75% of networks have some machines with a vulnerable version of OpenSSH. 

RegreSSHion abuses a situation where an attacker exploits the timings of computer processes (called race condition) in OpenSSH to allow for unauthenticated attackers to run dangerous code remotely. This gives threat actors access to your previously secure network.   

SUPPLY CHAIN ALERT: OpenSSH servers aren’t the only software affected.  Many other pieces of software or hardware utilize OpenSSH in the background.  Check and validate your vendors to guard against being impacted by such an attack.  

QUICK POINTS 

• More than 14 million OpenSSH servers are exposed to the internet with a major risk of remote code execution attack that grants full admin control to attackers
• 40+ Cisco Products Are Also Vulnerable to RegreSSHion Vulnerability
• Push Available Patches ASAP & Continually Update OpenSSH and Cisco Products
• The difficulty for attackers to exploit this vulnerability is high. It mainly takes time and many repeat attempts 

IMMEDIATE ACTION 

• Update OpenSSH software immediately by patching today. (versions 4.4/4.4p1 and earlier & 8.5p1 up to but not including 9.8/9.8p1 are at risk if unpatched)
• Review your vendors immediately for OpenSSH usage for Cisco products, please apply the available Cisco Patches and ensure that continuous updates are being utilized as they become available. NAS devices and anything else that relies on remote access services are also a prime target for this attack.
• Restrict SSH-agent forwarding to only trusted hosts and necessary scenarios and restrict direct network/internet access to SSH using network-based controls to restrict access via SSH to only allow trusted client hosts. 

Juniper Networks has released an out-of-cycle patch for an authentication bypass flaw (CVE-2024-2973) in Junos OS. This vulnerability allows unauthenticated remote attackers to bypass authentication controls and gain access to affected systems. Juniper reports that routers or conductors running in high-availability redundant configurations, where service continuity is critical, are the configurations affected.

The Juniper products, Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router are listed as being impacted by this exploit. Security updates were made available for all products and to patch immediately as no other workarounds are available for this vulnerability. Patching should be top priority as we have seen Juniper devices being targeted in cyberattacks in the past.

QUICK POINTS

• Vulnerability ID: CVE-2024-2973 (CVSS score: 10.0)
• Severity: Maximum Criticality
• Affected Versions:

• Session Smart Router & Conductor:

• ALL versions before 5.6.15
• From 6.0 before 6.1.9-lts
• From 5.2 before 6.2.5-sts

• WAN Assurance Router:

• 6.0 versions before 6.1.9-lts
• 6.2 versions before 6.2.5-sts

IMMEDIATE ACTION 

Due to the severity of this vulnerability, it is critical that you notify your customers who utilize Juniper devices and apply the necessary patches: 5.6.15, 6.1.9-lts, or 6.2.5-sts

There are no “workarounds” for this vulnerability, so action is limited to updating devices to the necessary versions.

 A JavaScript supply chain attack has targeted tens of millions of websites via the Polyfill.io service that was recently purchased by Chinese threat actors. This has turned numerous websites into threatening and risky links. 

What this means for you: 

Websites using Polyfill.io might be compromised by malicious code.  This could lead to unauthorized access or other security issues on your website.  Also, legitimate websites that use this script could also be a dangerous click. We’ve seen impacts on websites such as Hulu, Intuit, Nintendo, JSTOR and even the World Economic Forum. 

There's a significant vulnerability allowing attackers to spoof emails from Microsoft employees that can be leveraged for a sophisticated phishing attack.  This bug can deceive recipients into believing they are receiving legitimate communications from Microsoft and affects all Outlook accounts.  

A cybersecurity researcher with the alias Slonser advised he has discovered an exploit allowing him to impersonate any of the 400 million Outlook accounts, including Microsoft employee email addresses.  While technical details have not been provided on how this vulnerability was performed, it has been confirmed by sources to be successful. 

Slonser has reported this exploit multiple times to Microsoft but so far this attack vector has not been patched as Microsoft states they are unable to replicate the issue. Such an attack underscores the importance of your organization taking proper spoofing precautions via DMARC, DKIM, and SPF settings, however until Microsoft addresses this ongoing vulnerability, we advise considering all emails from Microsoft to Outlook accounts as potentially suspicious, since email authentication policies likely will not effectively protect against this emerging threat. 

This vulnerability not only poses a significant risk of phishing attacks but also serves as a sophisticated vector for supply chain attacks. We strongly recommend reviewing and tightening your security protocols, ensuring all supply chain partners are also taking necessary precautions, and staying vigilant against any unusual email activity or Microsoft-related communications. 

Quick Points: 

• Vulnerability: Email spoofing attacks appearing as Microsoft employees 
• Affected Service: Microsoft Outlook Accounts 
• Microsoft has been notified but no fix has been released

Immediate Action: 

• Implement DMARC, DKIM, and SPF configurations to enhance email security.
• Monitor email logs for unusual activities.
• Confirm users are properly trained on best practices around common phishing techniques.

Look for These Report Findings: 

• DMARC Record Does Not Exist
• DKIM Selectors Do Not Exist
• SPF Record Does Not Exist 

In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

Cylance, a major supplier of antivirus software, confirmed a data breach on June 11th, 2024. 

The compromised data includes the following 

• 34 million Cylance customer and employee emails 
• Personally identifiable information of customers, employees and partners 
• Marketing data. 

This means you should be on the lookout for more targeted phishing emails in the coming months, especially once that seem to come from trusted vendors. 

The breach at Cylance was linked to a third-party platform known as Snowflake. Attackers got into Snowflake, and from there compromised their customers, which may number as high as 165 major organizations. The compromise at Snowflake has been linked to potential (and confirmed) breaches at Ticketmaster, Santander Bank, Anheuser-Busch, Allstate, Advanced Auto Parts, Neiman Marcus, Progressive and State Farm.  

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Zyxel has issued an emergency patch for a set of critical vulnerabilities affecting end-of-life NAS devices. This is extremely dangerous to those organizations with legacy Zyxel devices because this flaw allows attackers to gain access to your data and your network, the perfect entry for ransomware threats. 

The vulnerabilities identified in Zyxel NAS devices allow attackers to inject and execute code into a target system remotely, as well as escalate account privilege. Once the exploit is performed, threat actors have direct access to data and can move laterally throughout your network. The flaws impact NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older. 

Although these devices are end-of-life, the threat they pose due to their continued use in some environments can be catastrophic.  This flaw is already being leveraged by hacker groups in botnet attacks and the proof-of-concept (POC) of the attack is publicly available making this even more likely to be exploited.   

QUICK POINTS 

• Vulnerability IDs:  CVE-2024-29972, CVE-2024-29973, CVE-2024-29974 (CVSS score: 9.8) 
• Severity: Critical 
• Patch Status: Zyxel has released patches (see below) as well as further remediation steps you can take. 

IMMEDIATE ACTION 

• Identify all Zyxel NAS326 and NAS542 devices within your managed environments. 
• Apply the emergency patch as per Zyxel's instructions. 
• Replace affected devices as soon as possible to an option being actively updated and supported. 
• Continue to scan your environment for end-of-life devices and remove them accordingly. 

A new, critical vulnerability affecting virtually all VPN systems, is identified as the TunnelVision technique. This vulnerability can potentially expose traffic even under VPN protection, which is crucial for MSPs managing secure client data and communications. Using this vulnerability, hackers can easily steal data, set up man-in-the-middle attacks, or even enable expensive ransomware attacks once network access is established. 

The TunnelVision technique exploits CVE-2024-3661, a DHCP design flaw, where messages using static route (option 121) are not authenticated and expose them to being changed or manipulated. This type of leakage has been demonstrated across various systems, highlighting a fundamental flaw in VPN security architecture that could lead to sensitive data exposure.

QUICK POINTS: 

• This vulnerability is not dependent on VPN provider or implementation and most VPN systems based on IP routing are affected. 
• All major operating systems seem to be impacted including Windows, macOS, Android, iOS, and Linux. 
• Threat actors can leverage an attack simply by being on the same network as the victim.  

WHAT THIS MEANS FOR YOU: 
With the how widespread and available this TunnelVision attack vector is, all organizations utilizing VPNs need to have security settings checked around these connections.  
 

IMMEDIATE ACTION: 

1. Review and audit your VPN settings and configurations to ensure robust leak protection measures are in place. Confirm that all VPN software is up to date and patched.
2. Consider VPN solutions that offer advanced leak prevention, particularly for IPv6 and WebRTC.   
3. Keep your network management teams informed and updated on best practices for VPN security. 

There exists a significant security flaw with Microsoft Defender SmartScreen. If you or your clients are using SmartScreen, you could be subject to this attack. The vulnerability, tracked as CVE-2024-21412 with a patch available since February of 2024, is now being actively exploited in an info-stealing campaign. 

Here is how it works:  

1. The process begins by deploying a phishing email containing a malicious link. (Sound familiar?)
2. Clicking the link allows a file that utilizes PowerShell commands to download a script disguised as an overlay icon. 
3. Once the script is executed, it will run silently and download a decoy PDF that will be used to legitimize the process that installs information stealing malware.  

QUICK POINTS  

• Microsoft Defender SmartScreen Vulnerability is HIGH (8.1)
• Windows 10,11 and Server 2019, 2022 versions are at risk 
• Web browsers, cryptocurrency wallets, messaging apps, email clients, VPN services, password managers and more are the target 
• Successful exploitation by an attacker could lead the execution of malware without user intervention  

IMMEDIATE ACTION  

To safeguard your infrastructure as well as your clients, please take the action steps outlined below:  

• Educate users about the dangers of downloading and running files from unverified sources. 
• Ensure all systems are up to date with the latest Windows security patches.
• Utilize advanced endpoint protection solutions to detect and block malicious activities, pay special attention to PowerShell commands. 
• Implement network monitoring to detect unusual activities.