Issue 18: Microsoft Outlook Critical Zero-Click, China's FortiGate Attacks More Extensive Than First Thought and Pure Storage Confirms Breach
CloudGuard
We help organisations proactively detect and automatically remediate cyber threats in real-time.
Top Stories 14 June 2024:
Microsoft Outlook Critical Zero-Click RCE Flaw Triggered Upon Email Opening
A critical zero-click remote code execution (RCE) vulnerability, CVE-2024-30103, has been identified in Microsoft Outlook. An attacker can trigger it by sending a specially crafted email: the exploit fires when the message is opened, and Microsoft lists the Preview Pane as an attack vector, so the victim does not have to click a link or run an attachment. That is what makes the bug dangerous: there is no lure for the user to notice and refuse, which sharply lowers the bar for successful exploitation.
Microsoft's advisory does not describe a memory-corruption bug. A successful exploit bypasses Outlook's registry block lists and enables the creation of malicious DLL files, which then run with the same privileges as the Outlook user. From there the attacker can go on to full system compromise, data theft, or further malware distribution within the network. Given Outlook's extensive use in both corporate and personal environments, the potential impact is significant, risking major data breaches, financial loss, and reputational damage for organisations.
Microsoft fixed the flaw in the June 2024 Patch Tuesday release. Users and administrators are strongly advised to apply these updates as soon as possible. Email filtering and mail-flow monitoring can reduce the chance that a crafted message reaches a user, but they are no substitute for the patch.
Zero-click vulnerabilities are particularly valuable to attackers precisely because they remove the user from the kill chain. Organisations should prioritise the patch and keep the surrounding controls (least-privilege user accounts, endpoint detection, outbound filtering) in place so that a successful exploit is contained rather than turned into a full compromise. At the time of writing there are no known attacks exploiting CVE-2024-30103 in the wild.
China's FortiGate Attacks More Extensive Than First Thought
At the beginning of 2024, reports emerged of Chinese threat actors targeting FortiGate appliances with COATHANGER, a remote-access trojan built for FortiOS. Further investigation revealed the campaign was far larger than first understood. The Dutch Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) issued an advisory stating that Chinese state actors exploited vulnerabilities in internet-facing edge devices to gain and keep a foothold in victim networks.
Further analysis of the COATHANGER campaign showed that the threat actor compromised at least 20,000 FortiGate systems worldwide, including devices within dozens of governments, international organisations, and numerous companies in the defence industry. The infiltration took place over a few months in 2022 and 2023 via CVE-2022-42475, a critical heap-based buffer overflow in the FortiOS SSL-VPN daemon.
Notably, the threat actor was aware of this vulnerability at least two months before its public disclosure, infecting over 14,000 devices during that zero-day window. How many targets remain compromised today is unknown. Applying the FortiOS security update closes the entry point but does not remove COATHANGER: the implant survives reboots and firmware upgrades, so the actor retains access to many devices that have since been patched.
To mitigate this threat, the Dutch NCSC (Nationaal Cyber Security Centrum) advises organisations to adopt the "assume breach" principle, presuming a compromise has already occurred. They recommend network segmentation, enhanced detection, incident response plans, and forensic readiness to minimise damage and impact.
Pure Storage Confirms Breach of Snowflake Workspace Exposing Customer Information
On Monday, Pure Storage, a leading provider of cloud storage systems, confirmed that attackers breached its Snowflake workspace, gaining access to telemetry information. This data included customer names, usernames, and email addresses, but no credentials for array access or other customer-stored data.
Pure Storage's investigation revealed that a third party temporarily accessed a single Snowflake data analytics workspace, which contained information used for proactive customer support, such as company names, LDAP usernames, email addresses, and the Purity software release version number. The company has since taken measures to prevent further unauthorised access and found no evidence of malicious activity in other parts of its infrastructure. Customers have similarly reported no unusual activity targeting their systems.
Pure Storage serves over 11,000 customers, including major organisations like Meta, Ford, JP Morgan, NASA, NTT, AutoNation, Equinix, and Comcast.
In a joint advisory with Mandiant and CrowdStrike, Snowflake disclosed that attackers used stolen credentials to target customer accounts that had no multi-factor authentication (MFA). Mandiant attributes the campaign to a financially motivated threat actor tracked as UNC5537, active since May 2024. The credentials came from infostealer infections dating back as far as 2020 on machines that had been used to log in to Snowflake, some of them contractor systems; in many cases the passwords had never been rotated and the accounts had no network allow list, so the old credentials still worked. Hundreds of organisations were affected, with the credentials harvested by malware families including Vidar, RisePro, RedLine, Raccoon Stealer, Lumma and MetaStealer.
Recent breaches at Santander, Ticketmaster, and Advance Auto Parts were linked to these Snowflake attacks. The attackers sold data stolen from Advance Auto Parts, including 380 million customer profiles and 44 million loyalty card numbers, after compromising its Snowflake account.
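The pattern Mandiant describes (a valid password, no second factor, a source address the organisation does not own) can be hunted for directly in Snowflake's login telemetry. The script below is an added example, not code from the advisory or from any of the companies named above. It models a handful of constructed rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY (the column names are Snowflake's; the rows, user names and IP addresses are made up, using documentation address ranges), flags successful password-only logins, and lists the users who made such logins from outside an assumed corporate egress range.

```python
"""Hunt for single-factor Snowflake logins from unexpected addresses.

Added example. The dataclass mirrors a subset of the columns of
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the sample rows below are constructed
for illustration and are not real telemetry. The corporate egress range is an
assumption you would replace with your own allow list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: str
    user_name: str
    client_ip: str
    reported_client_type: str
    # Snowflake records e.g. PASSWORD, RSA_KEYPAIR, OAUTH_ACCESS_TOKEN, SAML2_ASSERTION
    first_authentication_factor: str
    # e.g. DUO_PUSH when Snowflake-native MFA was used; None when no second factor was recorded
    second_authentication_factor: Optional[str]
    is_success: bool


# Constructed sample rows. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; 10.0.0.0/8 stands in for the organisation's own egress addresses.
SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent("2024-06-01T08:02:11Z", "ALICE", "10.20.1.7", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("2024-06-01T08:15:43Z", "SVC_ETL", "10.20.1.9", "PYTHON_DRIVER", "RSA_KEYPAIR", None, True),
    LoginEvent("2024-06-02T23:41:05Z", "BOB", "203.0.113.45", "JDBC_DRIVER", "PASSWORD", None, True),
    LoginEvent("2024-06-02T23:42:30Z", "BOB", "203.0.113.45", "JDBC_DRIVER", "PASSWORD", None, True),
    LoginEvent("2024-06-03T03:10:12Z", "CAROL", "198.51.100.8", "OTHER", "PASSWORD", None, False),
    LoginEvent("2024-06-03T03:11:40Z", "CAROL", "198.51.100.8", "OTHER", "PASSWORD", None, True),
    LoginEvent("2024-06-03T09:00:00Z", "ALICE", "10.20.1.7", "SNOWFLAKE_UI", "SAML2_ASSERTION", None, True),
]

# Assumed allow list; in production take this from your network policy.
CORPORATE_EGRESS = [ip_network("10.0.0.0/8")]


def is_allowed_ip(ip: str, allow_list=CORPORATE_EGRESS) -> bool:
    """True if the client address falls inside one of the allow-listed networks."""
    addr = ip_address(ip)
    return any(addr in net for net in allow_list)


def password_only_logins(events: List[LoginEvent]) -> List[LoginEvent]:
    """Successful logins that presented a password and no second factor.

    SSO logins (SAML2_ASSERTION) and key-pair logins are deliberately not
    flagged here: their MFA, if any, is enforced outside Snowflake and is not
    visible in this column.
    """
    return [
        e for e in events
        if e.is_success
        and e.first_authentication_factor == "PASSWORD"
        and e.second_authentication_factor is None
    ]


def summarize(events: List[LoginEvent], allow_list=CORPORATE_EGRESS) -> Dict[str, dict]:
    """Per-user count of password-only logins, plus any non-corporate source IPs and client types."""
    report: Dict[str, dict] = {}
    for e in password_only_logins(events):
        entry = report.setdefault(
            e.user_name, {"password_only": 0, "external_ips": set(), "clients": set()}
        )
        entry["password_only"] += 1
        entry["clients"].add(e.reported_client_type)
        if not is_allowed_ip(e.client_ip, allow_list):
            entry["external_ips"].add(e.client_ip)
    return report


def high_risk_users(events: List[LoginEvent], allow_list=CORPORATE_EGRESS) -> List[str]:
    """Users with at least one password-only login from outside the allow list."""
    return sorted(u for u, r in summarize(events, allow_list).items() if r["external_ips"])


# The same hunt against live data is roughly:
#   SELECT user_name, client_ip, reported_client_type, COUNT(*)
#   FROM snowflake.account_usage.login_history
#   WHERE is_success = 'YES'
#     AND first_authentication_factor = 'PASSWORD'
#     AND second_authentication_factor IS NULL
#     AND event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
#   GROUP BY 1, 2, 3;

if __name__ == "__main__":
    for user, row in summarize(SAMPLE_EVENTS).items():
        print(user, row)
    print("high risk:", high_risk_users(SAMPLE_EVENTS))
```

On the constructed sample this reports BOB (two password-only JDBC logins from 203.0.113.45) and CAROL (one successful password-only login from 198.51.100.8 after a failure), while ALICE's Duo-protected and SSO logins and the service account's key-pair login are left alone. The follow-up actions are the ones in the advisory: enforce MFA on the flagged users, rotate the credentials, and put a network policy in front of the account so a leaked password is not enough on its own.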
That's all folks!
Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Analyst).
If you like what you've read, subscribe so you don't miss next week's roundup!