GitLab Vulnerability Exposes CI/CD Pipelines to Arbitrary Execution
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. GitLab Vulnerability Exposes CI/CD Pipelines to Arbitrary Execution
GitLab has issued security updates for its Community and Enterprise Editions to address eight vulnerabilities, including a critical flaw (CVE-2024-9164) that allows unauthorized CI/CD pipeline execution on branches. This flaw has a high CVSS score of 9.6/10, posing significant risks of unauthorized code execution and data leakage. Affected versions are 12.5 to 17.4.1, with patches available in versions 17.4.2, 17.3.5, and 17.2.9. GitLab’s managed cloud services are unaffected. Other patched vulnerabilities include user impersonation (CVE-2024-8970), SSRF (CVE-2024-8977), and XSS during OAuth processes (CVE-2024-6530). Users are advised to upgrade to the latest patched versions immediately, restrict CI/CD pipeline permissions to trusted users, and conduct regular vulnerability scans while monitoring GitLab security advisories. These actions are crucial for mitigating risks and maintaining a secure CI/CD environment.
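A version triage helper for the affected range described above, added here as an illustration; it is not code from GitLab or SISA. It encodes only the version facts stated in this item (affected 12.5 through 17.4.1; fixed in 17.4.2, 17.3.5 and 17.2.9); pointing branches that have no listed backport at 17.4.2 is my assumption, and the inventory it runs over is constructed.

```python
# Version facts from this advisory item: affected 12.5 through 17.4.1, fixed in 17.4.2, 17.3.5
# and 17.2.9. Branches without a listed backport are pointed at 17.4.2 (my assumption).
AFFECTED_FROM = (12, 5, 0)
BACKPORTS = {(17, 4): 2, (17, 3): 5, (17, 2): 9}   # minor branch -> first patched patch level
LATEST_FIXED = (17, 4, 2)

def parse_version(text):
    """Turn a GitLab version string such as '17.3.4' or '17.3.4-ee' into (major, minor, patch)."""
    core = text.strip().split("-")[0]          # drop an edition suffix such as -ee
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(text):
    """Return (status, upgrade_target) for CVE-2024-9164; upgrade_target is None when no action is needed."""
    v = parse_version(text)
    if v < AFFECTED_FROM:
        return "not affected", None
    branch, patch = v[:2], v[2]
    if branch in BACKPORTS:                     # a supported branch with its own fixed release
        if patch >= BACKPORTS[branch]:
            return "patched", None
        return "vulnerable", f"{branch[0]}.{branch[1]}.{BACKPORTS[branch]}"
    if v >= LATEST_FIXED:                       # newer than the latest fixed release
        return "patched", None
    return "vulnerable", "{}.{}.{}".format(*LATEST_FIXED)

def triage(instances):
    """Given a mapping of instance name -> reported version, return only those needing an upgrade."""
    return {name: assess(ver)[1] for name, ver in instances.items() if assess(ver)[0] == "vulnerable"}

if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    fleet = {"gitlab-prod": "17.3.4-ee", "gitlab-dev": "17.4.2", "gitlab-legacy": "16.11.0"}
    for name, target in triage(fleet).items():
        print(f"{name}: vulnerable to CVE-2024-9164, upgrade to {target}")
```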
2. OilRig Targets UAE and Gulf with Windows Kernel Flaw in Espionage Operation
The Iranian threat group OilRig, also known as Earth Simnavaz, has been exploiting a recently patched Windows Kernel vulnerability (CVE-2024-30088) in a cyber espionage operation targeting the U.A.E. and the Gulf region. This vulnerability, patched in June 2024, allows attackers to escalate privileges to SYSTEM level by exploiting a race condition, enabling deeper penetration into networks. The group uses advanced techniques like deploying a backdoor to steal credentials from Microsoft Exchange servers, maintaining persistence through tools like ngrok, and harvesting passwords using a custom DLL (psgfilter.dll).
Earth Simnavaz gains initial access by exploiting a vulnerable web server and deploying a web shell. The group then escalates privileges using CVE-2024-30088 to deploy the STEALHOOK backdoor, exfiltrating credentials via Exchange servers. This attack pattern, seen as early as December 2022, reflects a focus on exploiting infrastructure vulnerabilities for long-term persistence and further attacks.
Recommendations to mitigate this threat include ensuring all systems are updated with patches like CVE-2024-30088. Strengthen Exchange server security with multi-factor authentication and audit activities regularly. Harden web servers against exploitation by using firewalls and disabling unnecessary services.
3. ClickFix Malware Campaign Exploits Fake Google Meet Pages to Deliver Infostealers
Threat actors are using fake Google Meet pages in a malware campaign called ClickFix to deliver infostealers targeting Windows and macOS. The campaign is linked to the cybercriminal groups Slavic Nation Empire and Scamquerteo, who use similar tactics to distribute malware like StealC, Rhadamanthys, and Atomic stealers.
ClickFix employs fake error messages on Google Meet look-alike pages, tricking users into manually executing encoded PowerShell commands. These commands install infostealers such as StealC and Rhadamanthys on Windows and Atomic stealer on macOS via a disk image file. The campaign has evolved to impersonate services like Facebook, Google Chrome, and Zoom, making fake URLs almost indistinguishable from real ones.
Recommendations to mitigate this threat include educating users on recognizing phishing tactics, deploying endpoint detection and response (EDR) to monitor unusual activity, updating security tools regularly, blocking malicious URLs, using multi-factor authentication, and maintaining regular system backups.
4. SideWinder APT Launches Sophisticated Attacks Across Middle East and Africa
An advanced persistent threat (APT) group known as SideWinder has launched a series of attacks targeting prominent organizations and critical infrastructure across the Middle East and Africa. Also referred to by aliases such as APT-C-17, Baby Elephant, Rattlesnake, and T-APT-04, SideWinder is one of the most active APT groups, known for its sophisticated cyber espionage campaigns.
SideWinder has been active since 2012, primarily targeting military and government entities across South and Southeast Asia. The group’s recent attack wave uses a multi-stage infection chain leading to the deployment of a post-exploitation toolkit named StealerBot. The infection starts with spear-phishing emails containing either a Windows shortcut (LNK) file or a Microsoft Office document, which executes malicious scripts and ultimately installs StealerBot. This advanced malware includes multiple plugins for stealing passwords, capturing keystrokes, intercepting RDP credentials, and deploying additional malware.
The group’s activities also involve using mshta.exe to execute HTML Application (HTA) files and leveraging a vulnerability (CVE-2017-11882) in Microsoft Office to exploit remote template injections, enabling further malicious activity. SideWinder’s growing geographical footprint and increasingly sophisticated tools highlight the group’s evolution in targeting critical infrastructure.
Recommendations to mitigate this threat include strengthening email security to block spear-phishing emails, ensuring timely patching of known vulnerabilities like CVE-2017-11882, deploying endpoint detection and response (EDR) solutions, isolating critical infrastructure through network segmentation, and enforcing multi-factor authentication to reduce credential theft risks.
5. EDRSilencer Tool Leveraged in Attacks to Evade Security Defenses
A red-team tool known as EDRSilencer has been used in malicious attacks to disable security tools and silence their alerts to management consoles, allowing attackers to evade detection.
EDRSilencer targets Endpoint Detection and Response (EDR) tools by detecting their processes and manipulating network traffic using the Windows Filtering Platform (WFP). This disruption prevents EDR products from sending threat reports to management servers, allowing malicious activity to go unnoticed. The tool can target 16 modern EDR tools, including Microsoft Defender, SentinelOne, FortiEDR, Palo Alto Networks Traps/Cortex XDR, and others. Attackers can further customize EDRSilencer by adding specific filters, enhancing its ability to bypass security measures.
Recommendations to mitigate this threat include detecting EDRSilencer as malware, implementing multi-layered security controls to isolate critical systems, using security solutions with behavioral analysis and anomaly detection, monitoring network traffic for indicators of compromise, and applying the principle of least privilege to minimize risk.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.