There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes.

Thursday, February 15, 2024 14:00

I’ll be the first to admit that, like many people on the internet last week, I got caught up in the toothbrush distributed denial-of-service attack that wasn’t.  

I had a whole section on it written up in last week’s newsletter, and then I came across Graham Cluley’s blog post debunking the whole thing, and I had to delete it about an hour before the newsletter went live.  

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes, it all started with one international newspaper report, and then was aggregated to death and spread quickly on social media.  

This attack was only a _hypothetical_ that a security researcher posed in an interview but was reported or translated as an attack that happened. 

To me, I think we can all learn from a few major takeaways from this entire saga — myself included.  

It’s easy to see why this was a ready-made story to go viral: It involved a silly device that probably doesn’t need to be connected to the internet anyway, it involved a large number that would grab headlines and it was a DDoS attack, which have suddenly come back in vogue over the past year. 

But, I’ll admit, the aggregated stories seemed a little fishy to me at first, because all the reports didn’t include any specifics about which company was targeted, how long the attack lasted, or the name of the device that was reportedly compromised. 

That last part should be a red flag going forward for any of us wanting to share a meme about something the next time a cybersecurity story goes viral — in my opinion, responsible disclosure of an attack or compromise should always include information about whatever vulnerability it was that was exploited. In this hypothetical scenario, I don’t think an adversary would have been able to compromise an internet-connected toothbrush without first exploiting some sort of vulnerability, which if it’s being reported on in public, should at least include information on patches or mitigations. 

I also think we all need to be asking the fundamental question: Why? In this case, I should have asked myself why an attacker would want to go through the trouble of compromising smart toothbrushes. And what would be the end goal of targeting a private company with a DDoS attack? Likely, it would be to demand a ransom in exchange for the attacker stopping the attack, but without knowing what sector the targeted company was in, it’s tough to guess how profitable that might even be. (For example, a health care agency may be looking to do anything to get back to operating asap, as lives could literally be at stake.) 

And once the attacker compromised a toothbrush, what information can they glean from the user besides their dental hygiene habits? Usually, they’d be looking to steal some sort of personal information, login credentials or financial data that they could then turn around and sell on the dark web. 

Needless to say, there were multiple red flags we all ignored when this story started to spread. And I’m not here to blame anyone in this case; it was all honest mistakes that, all things considered, ended up not being that serious. But the toothbrush botnet that wasn’t does serve as a reminder to all of us to be a bit more mindful before clicking share or posting a story on social media.  

**The one big thing **

Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. 

**Why do I care? **

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded their arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against TinyTurla and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this “last chance” backdoor.  

**Top security headlines of the week **

**Chinese state-sponsored actor Volt Typhoon may have silently sat on U.S. critical infrastructure networks for more than five years,** according to a new report from American intelligence agencies. According to the advisory, the infamous hacking group has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon has been able to control some victims’ surveillance camera systems, and the access could have allowed them to disrupt critical energy and water controls. The actor is known for using living-off-the-land binaries (LoLBins) to remain undetected once they gain an initial foothold. Authorities in Canada, Australia and New Zealand also contributed to last week’s advisory, citing their concern for similar activity in their countries. The FBI’s director recently said in testimony to U.S. Congress that authorities had dismantled a bot network of hundreds of compromised devices that was connected to VoltTyphoon. (Axios, The Guardian) 

**A new spyware network called TheTruthSpy may have compromised hundreds of Android devices using silent tracking apps that users download thinking they’re legitimate.** Security researchers uncovered the information of thousands of devices that have already been compromised, including their IMEI numbers and advertising IDs. TheTruthSpy appears to actively spy on large clusters of victims across Europe, India, Indonesia, the U.S. and U.K. The operators behind TheTruthSpy also did not address a security vulnerability in the software, identified as CVE-2022-0732, which left the victim data they stole potentially vulnerable to other bad actors. These types of stalkerware tools are often used by family members, spouses or peers of victims who want to track their physical locations and spy on messages and phone calls. The spyware is downloaded via an app, which doesn’t appear on the victim’s home screen and operates quietly in the background. (TechCrunch, maia blog) 

**Apple removed a fake LastPass app called “LassPass” after the popular password management service reported it.** The phony LassPass used a similar logo to that of the legitimate LastPass and was up on the App Store for an unknown amount of time. Apple also said it was removing the creator of the app from its Developer Program. This is a very rare case for the Apple App Store, as it has a strict review policy. LastPass released a warning to all users last week of the fake app’s existence, including a link to the legitimate LastPass app. LassPass only had one review on the store, and multiple reviews warning it was fake. However, it’s safe to assume that the app was likely set up as some sort of phishing scam meant to get users to enter their legitimate LastPass login information to be stolen by the fake app’s creator. (Ars Technica, Bleeping Computer) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #143: The Reddit security diaries 
*   The Need to Know: How are attackers using QR codes in phishing emails and lure documents? 
*   First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Why the toothbrush DDoS story fooled us all

By Deeba Ahmed
This is the first instance of an iOS trojan that has been found stealing facial data from victims.
This is a post from HackRead.com Read the original post: New iOS Trojan “GoldPickaxe” Steals Facial Recognition Data

Beware, as a new iOS trojan dubbed GoldPickaxe has emerged, capable of stealing banking data, ID documents, and even facial data from infected devices.

Group-IB has discovered a new iOS Trojan, dubbed GoldPickaxe.iOS designed to steal facial recognition data, identity documents, and intercept SMS. The company’s Threat Intelligence Unit has attributed the entire threat cluster to a threat actor dubbed GoldFactory.

The GoldPickaxe family has been active since mid-2023, targeting the Asia-Pacific region, specifically Thailand and Vietnam and the attack method involves impersonating local banks and government organizations.

As per Group-IB, the threat actor exploits stolen biometric data using AI-driven face-swapping services to create deepfakes, allowing unauthorized access to a victim’s banking account, which is a new monetary theft technique.

In this campaign, GoldFactory has successfully used Mobile Device Management (MDM) to manipulate Apple devices, distributing its iOS Trojan by abusing TestFlight. Victims receive seemingly innocent URLs (e.g. testflight.apple.com/join/) leading to the installation of malicious software.

Another sophisticated method is tricking victims into interacting with fraudulent websites to install an MDM profile, allowing cybercriminals complete control over the victim’s device.

Thailand Banking Sector CERT (TB-CERT) has also reported that cybercriminals are distributing malicious links via messengers to lure victims into a fraudulent app posing as a ‘Digital Pension’ app. The app’s credibility is doubtful as Group-IB’s investigation confirmed multiple versions of GoldPickaxe impersonating official Thai government services, including the Digital Pension app for Thailand.

Researchers believe that the group may be engaging operators proficient in Thai and Vietnamese or possibly running a call center since an SMS written in Thai was found in the phishing campaign. In Thailand, cybercriminals impersonate government authorities and convince victims to use LINE, a popular messaging application.

According to Group-IB’s blog post, the gang reportedly employs a combination of smishing and phishing techniques to carry out their malicious activities in Vietnam and Thailand. Despite evidence that it is a Chinese-speaking group, the involvement/role of local cybercriminals cannot be ruled out when calls made to victims are examined.

It is worth noting that Group-IB previously discovered an Android Trojan, codenamed GoldDigger, stealing facial data, targeting over 50 Vietnamese banking applications, electronic wallets, and cryptocurrency wallets since June 2023.

GoldDigger stealing facial data from Android devices (Group-IB)

The newly discovered GoldPickaxe family is based on the GoldDigger Android Trojan. However, researchers claim the infection chain for GoldPickaxe iOS variants is not significantly different for other Trojans within the GoldFactory family.

GoldPickaxe malware was developed using the same communication mechanism and cloud bucket URL as GoldDigger but has fewer functionalities compared to its Android sibling due to iOS’s closed nature and stricter permissions.

Both versions use fake login pages to access fake Digital pension applications, potentially avoiding detection. Another variant, GoldDiggerPlus, was also identified with extended GoldDigger’s functionality, allowing real-time call calls through a specially designed APK called GoldKefu. All Trojans identified are currently in the active stage of evolution.

“_Overall, we identified four Trojan families that were used by cybercriminals. We maintained the naming convention by using the prefix Gold for the newly discovered malware as a symbolic representation that they have been developed by the same threat actor_,” Group-IB researchers noted.

Researchers couldn’t identify the toolset GoldFactory uses, indicating that this is a highly organized and technically advanced group.

For your information, in March 2023, the Bank of Thailand mandated facial biometric verification for transactions exceeding 50,000 baht, and 200,000 baht per day, and raised credit transfer limits on mobile devices. As per Group-IB’s research, GoldPickaxe likely reached Vietnam in February 2024 when a Vietnamese citizen performed a facial recognition scan, withdrawing over 40,000 USD.

The State Bank of Vietnam plans to mandate facial authentication as a security measure for all money transfers from April 2024, indicating the potential exploitation of GoldPickaxe in the country. The use of GoldPickaxe in Vietnam is expected to increase assessed Group—IB.

_“GoldFactory is a resourceful team, having many tricks up their sleeve: impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity and facial recognition data collection. Equipped with diverse tools, they have the flexibility to select and execute the most suitable one that fits the scenario,”_ researchers noted.

The report highlights the growing cybersecurity threat and the sophisticated techniques used by cybercriminals. They have refined GoldDigger malware, introduced new categories for facial recognition data harvesting, and developed a tool for communication between victims and cybercriminals. Group-IB researchers emphasize the need for proactive, multi-faceted cybersecurity measures, including user education.

1.  **Kaspersky’s iShutdown Tool Detects iOS Pegasus Spyware**
2.  **Fake Lockdown Mode Exposes iOS Users to Malware Attacks**
3.  **Fake LastPass Password Manager App Lurks on iOS App Store**
4.  **Bitdefender Introduces GravityZone Security for Android and iOS**
5.  **Zero-Day iOS Exploit Chain Infects Devices with Predator Spyware**

New iOS Trojan “GoldPickaxe” Steals Facial Recognition Data

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns.

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits. The gang’s novel approach challenged a bottleneck that makes it hard to scale ransomware attacks, and other gangs may try to replicate its approach in 2024.

Big game ransomware attacks are devastating but relatively rare compared to other forms of cyberattack. There were about 4,500 known ransomware attacks in 2023, although the true figure is probably twice that. These attacks extorted more than $1 billion in ransoms in 2023, according to blockchain data platform Chainalysis.

The potential riches are enormous and there’s no other form of cybercrime that’s so lucrative, so why aren’t we seeing more attacks? It doesn’t seem to be a lack of targets, in fact the evidence suggests that the gangs are picky about who they attack. The most likely reason is that each attack takes a lot of work. Broadly speaking, an attack requires a team of people that: Breaks in to an internet-connected computer, researches the target to see if they’re worth the effort of an attack, explores their network, elevates their privileges until they’re an all-conquering administrator, steals and stores terabytes of data, attacks security software and backups, positions ransomware, runs it, and then conducts negotiations.

Doing all of this efficiently requires people, tools, infrastructure, expertise, and experience, and that seems to make it a difficult business model to scale up. The number of known ransomware attacks a year is increasing steadily, by tens of percentage points rather than exploding by thousands. This suggests that most of the people who are drawn to this life of crime are probably already doing it, and there isn’t a vast pool of untapped criminal talent waiting in the wings.

Known ransomware attacks, July 2022-December 2023

Before 2023, cybercrime’s best answer to this scalability problem was Ransomware-as-a-Service (RaaS), which splits the work between vendors that provide the malware and infrastructure, and affiliates that carry out the attacks.

CL0P found another way. It weaponised zero-day vulnerabilities in file transfer software, notably GoAnywhere MFT and MOVEit Transfer, and created automated attacks that plundered data from them. Hundreds of unsuspecting victims were attacked in a pair of short, sharp campaigns lasting a few days, leaving Cl0P as the third most active gang of the year, beating ransomware groups that were active in every month of 2023.

It remains to be seen if other gangs can or will follow CL0P’s lead. The repeated use of zero-days signaled a new level of sophistication for a ransomware gang and it may take a while for its rivals to catch up. However, the likes of LockBit—the most prolific group of them all—don’t want for resources so this is probably a matter of time and will, rather than a fundamental barrier.

There is also a question mark about how successful the attacks were. While automation allowed CL0P to increase its reach, it’s reported that a much lower percentage of victims paid a ransom than normal. However, ransomware incident response firm Coveware believes the group managed to compensate by demanding higher ransoms, earning the gang as much as $100 million.

Because of CL0P’s actions, the shape of ransomware in 2024 is in flux and organisations need to be ready. To learn more about how big game ransomware is evolving, the threat of zero-day ransomware, and how to protect against them, read our 2024 State of Malware report.

 How ransomware changed in 2023 

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday.

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday. Among these vulnerabilities are two zero-days that are reportedly being used in the wild.

The two zero-day vulnerabilities have already been added to the Cybersecurity & Infrastructure Security Agency’s catalog of  Known Exploited Vulnerabilities, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by March 5, 2024, in order to protect their devices.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in this round of updates are:

CVE-2024-21351 (CVSS score 7.6 out of 10): a Windows SmartScreen security feature bypass vulnerability. The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both. An authorized attacker must send the user a malicious file and convince the user to open it.

CVE-2024-21412 (CVSS score 8.1 out of 10): an Internet Shortcut Files security feature bypass vulnerability. An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.

The bypassed security feature in both cases is the Mark of the Web (MOTW), the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet. When a file is downloaded, Windows adds a ZoneId in the form of an Alternate Data Stream to the file which is responsible for the warning message(s).

Another vulnerability worth keeping an eye on is CVE-2024-21413 (CVSS score 9.8 out of 10): a Microsoft Outlook remote code execution (RCE) vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and to gain high privileges, which include read, write, and delete functionality. Microsoft notes that the Preview Pane is an attack vector. The update guide for this vulnerability lists a number of required updates before protection is achieved.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Commerce and Magento
*   Adobe Substance 3D Painter
*   Adobe Acrobat and Reader
*   Adobe FrameMaker Publishing Server
*   Adobe Audition 
*   Adobe Substance 3D Designer

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-02-05 or later.

**Ivanti** has urged customers to patch yet another critical vulnerability.

**SAP** has released its February 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Update now! Microsoft fixes two zero-days on February Patch Tuesday 

By Deeba Ahmed
QNAP has released fixes for the zero-day vulnerability, so it's important to install them immediately.
This is a post from HackRead.com Read the original post: Zero-Day in QNAP QTS Affects NAS Devices Globally

Unit 42 researchers discovered a new vulnerability in QNAP devices on 7 November 2023, which was confirmed by the vendor on 19 December 2023, and a security advisory was released subsequently to provide guidance and recommendations.

Palo Alto Networks Unit 42’s Advanced Threat Prevention (ATP) and telemetry systems identified a new zero-day vulnerability in QNAP QTS and QuTS hero firmware from the vendor QNAP. The vulnerability is tracked as **CVE-2023-50358** and affects QNAP Network Attached Storage (NAS) devices.

For your information, QNAP, a company specializing in NAS devices, is known for its QNAP Turbo NAS System (QTS) operating system, which is often embedded in the firmware of QNAP NAS devices.

In its **report** published on 13 February 2024, authors Chao Lei, Jeff Luo, and Zhibin Zhang explained that CVE-2023-50358 is a command injection vulnerability found in the quick.cgi component of QNAP QTS firmware that is accessible without authentication. The vulnerability occurs when the HTTP request parameter todo=set\_timeinfo is set, and the parameter SPECIFIC\_SERVER is saved into a configuration file /tmp/quick/quick\_tmp.conf with the entry name NTP Address.

The component then starts time synchronization using the ntpdate utility, and the command-line execution is ensured by reading the NTP Address in quick\_tmp.conf and system(). Untrusted data from the SPECIFIC\_SERVER parameter helps build a command line, which is executed in the shell, leading to arbitrary command execution.

It is worth noting that this vulnerability affects 289,665 separate IP addresses. The top five countries affected by the vulnerability are Germany, the United States, China, Italy, and Japan.

Proof of command-line execution and heatmap shows the most impacted countries. (Screenshot: Unit 42)

According to Unit 42 researchers threat actors constantly search for vulnerabilities in network-connected hosts, such as NAS devices because these can be exploited quickly. This is why ensuring foolproof security of these devices is necessary.

IoT devices are vulnerable to remote code execution vulnerabilities due to their low attack complexity and critical impact. To protect against these threats, QNAP recommends updating to the latest version of QTS or QuTScloud hero- QTS 5.1.5 or QuTS hero h5.1.5.

****List of Affected Devices****

*   QTS 5.1.x
*   QTS 5.0.1
*   QTS 5.0.0
*   QTS 4.5.x
*   QTS 4.3.6
*   QTS 4.3.4
*   QTS 4.3.x
*   QTS 4.2.x
*   QuTS hero h5.1.x
*   QuTS hero h5.0.1
*   QuTS hero h5.0.0
*   QuTS hero h4.x

QNAP has **released** a security advisory, advising affected organizations to follow mitigation instructions or apply firmware updates. 

“Multiple vulnerabilities have been reported to affect several QNAP operating system versions. If exploited, the OS command injection vulnerabilities could allow users to execute commands via a network.”

In its advisory, the vendor noted fixing two vulnerabilities, CVE-2023-47218 and CVE-2023-50358 and explained how to implement the fixes.

“If you do not want to install a fully fixed version for your device, you can still mitigate the vulnerabilities by installing a partially fixed version. However, note that the vulnerabilities still exist during the installation process of a partially fixed version. The vulnerabilities only disappear after installation is complete.”

1.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
2.  **Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners**
3.  **Hackers Uncover Airbus EFB App Vulnerability, Risking Aircraft Data**
4.  **Ethical Hackers Reported 835 Vulnerabilities, Earned $450K in 2023**
5.  **Smart Helmets Flaw Exposed Millions to Risk of Hacking and Surveillance**

Zero-Day in QNAP QTS Affects NAS Devices Globally

A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders.
Trend Micro, which began tracking the campaign in late December 2023, said it entails the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet

DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability

Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation.
Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three and rated Moderate in severity. This is in addition to 24 flaws that have been fixed

Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.

**Microsoft Corp.** today pushed software updates to plug more than 70 security holes in its **Windows** operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.

Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.

Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “**Water Hydra**,” which they say has being using the vulnerability to execute a malicious Microsoft Installer File (.msi) that in turn unloads a remote access trojan (RAT) onto infected Windows systems.

The other zero-day flaw is CVE-2024-21351, another security feature bypass — this one in the built-in **Windows SmartScreen** component that tries to screen out potentially malicious files downloaded from the Web. **Kevin Breen** at **Immersive Labs** says it’s important to note that this vulnerability alone is not enough for an attacker to compromise a user’s workstation, and instead would likely be used in conjunction with something like a spear phishing attack that delivers a malicious file.

**Satnam Narang**, senior staff research engineer at **Tenable**, said this is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days. They include CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.

Narang called special attention to CVE-2024-21410, an “elevation of privilege” bug in **Microsoft Exchange Server** that Microsoft says is likely to be exploited by attackers. Attacks on this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.

“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers,” Narang said. “A Russian-based threat actor leveraged a similar vulnerability to carry out attacks – CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.”

Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14 (CU14), a security feature called Extended Protection for Authentication (EPA), which provides NTLM credential relay protections, was not enabled by default.

“Going forward, CU14 enables this by default on Exchange servers, which is why it is important to upgrade,” Narang said.

Rapid7’s lead software engineer **Adam Barnett** highlighted CVE-2024-21413, a critical remote code execution bug in **Microsoft Office** that could be exploited just by viewing a specially-crafted message in the Outlook Preview pane.

“Microsoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources,” Barnett said. “CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file.”

Barnett stressed that administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413; individual update knowledge base (KB) articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.

It’s a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.

For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.

Fat Patch Tuesday, February 2024 Edition

Although considered of moderate risk, one of the vulnerabilities is being actively exploited in the wild — CVE-2024-21351, a security feature bypass vulnerability in Windows SmartScreen.

Tuesday, February 13, 2024 13:59

Microsoft followed up one of the lightest recent Patch Tuesdays in January with a large release of vulnerabilities on Tuesday, although still far from numbers seen in the past. 

In all, February’s security update from Microsoft includes 75 vulnerabilities, three of which are considered critical. There are 69 “important” vulnerabilities, according to Microsoft, and three that are of “moderate” severity.

Although considered of moderate risk, one of the vulnerabilities is being actively exploited in the wild — CVE-2024-21351, a security feature bypass vulnerability in Windows SmartScreen. “Smart screen” protects users from malicious websites and files downloaded from the internet. Exploiting this vulnerability may allow a user to be tricked into downloading and executing a file from the internet without the traditional SmartScreen protections. There were no zero-day vulnerabilities disclosed in last month’s Patch Tuesday.

Of the three critical vulnerabilities, one (CVE-2024-20684) could allow an attacker that controls a Hyper-V guest to cause a denial-of-service attack on the host and, as a consequence, to all other guests of the same host.

CVE-2024-21357 is another critical remote code execution vulnerability in a multicast network protocol called Windows Pragmatic General Multicast. The vulnerability could, in theory, allow an attacker on the same network to execute code on other systems on that network. Microsoft considers the vulnerability exploitation complex, however, the company does list it as “more likely” to be exploited.

The third critical vulnerability (CVE-2024-21380) is an information disclosure vulnerability in Microsoft Dynamics Business Central/NAV. According to Microsoft, the exploitation of this attack requires user interaction, and the attacker must first win a race condition. Therefore, it’s considered to be a more complex attack and “less likely” to be exploited.

Cisco Talos would also like to highlight CVE-2024-21378, a remote code execution vulnerability in Microsoft Outlook. However, according to the advisory, this requires the attacker to be on the same network as the targeted machine and trick the victim into opening a specially crafted file or email.

CVE-2024-21379 is also a remote code execution vulnerability, this time in Microsoft Word. Exploiting this vulnerability requires an attacker to send to a victim a specially crafted Word document that, when opened, would allow remote code execution in the victim’s system.

The advisory contains 26 other remote code execution vulnerabilities that are considered “less likely” to be exploited. A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63000 - 63001, 63004, 63005, 62992 - 62994, 62998 and 62999. There are also Snort 3 rules 300822 - 300826.

First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities

By Deeba Ahmed
Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days…
This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners

Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days in early January 2024.

On January 31, 2024, Ivanti released fixes to address four vulnerabilities, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893. The last two vulnerabilities were disclosed the same day when the patch was released, along with a second set of mitigations as substitutes for the fixes. Within hours, Orange Cyberdefense CERT identified attacks targeting this vulnerability, allowing attackers to inject a backdoor into the Ivanti application.

In its report (PDF), Orange Cyberdefense noted discovering attackers exploiting the vulnerability to ensure persistent remote access. They injected a backdoor into a component using the SAML vulnerability, controlling access to the backdoor. Orange identified a compromised appliance on 3 February 2024, with initial mitigations applied but no patch. The attackers conducted reconnaissance to determine root access and deployed a new backdoor, DSLog, indicating they had root access to the device.

A backdoor on a compromised device enables attackers to execute commands and log all web requests, including authenticated ones, and system logs. Orange identified 700 compromised appliances, with over a hundred compromised in attacks targeting CVE-2023-46805 and CVE-2024-21887. The remaining ones had initial XML mitigation applied, preventing direct detection. The backdoor uses a unique hash per appliance.

Timeline shared by Orange Cyberdefense

Hackread has been following the exploitation of zero-day vulnerabilities in Ivanti VPN devices. Hackers have exploited them to deploy KrustyLoader malware and cryptocurrency miners. For your information, CVE-2023-46805 and CVE-2024-21887 were found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateway appliances.

CVE-2023-46805, an Authentication Bypass flaw, allows remote attackers to bypass control checks, while CVE-2024-21887 is a Command Injection flaw that lets an authenticated administrator exploit Ivanti appliances by sending crafted requests and executing arbitrary commands. CVE-2024-21888 is a Privilege Escalation vulnerability in Ivanti Connect Secure and Ivanti Policy Secure, allowing a user to gain administrative privileges.

CVE-2024-21893 is a server-side request forgery bug in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA. The issue could be exploited without authentication to leak sensitive information. In its latest advisory, Ivanti noted that a “limited” number of customers were affected by CVE-2024-21893.

The findings were also shared by Shadowserver Foundation, which reported in early February that a zero-day vulnerability, CVE-2024-21893, discovered by Ivanti in January 2024, is being exploited in the wild. Rapid7 reported a surge in attacks since February, with over 170 discrete IP addresses involved.

Organizations are advised to install Ivanti’s patches released on January 31 and February 1, which replace initial mitigations prevent zero-day exploitation, and factory reset their devices. Additionally, they should install security updates released on February 8 to address a vulnerability in the SAML component of VPN appliances, tracked as CVE-2024-22024.

****_RELATED ARTICLES_****

1.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
2.  **Excessive Expansion Flaws Leave Jenkins Servers Open to Attacks**
3.  **Critical “PixieFail” Flaws Expose Millions of Devices to Cyberattacks**
4.  **TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware**
5.  **Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer**

Tag

#zero_day