Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.
- ANONVNC:
CERT-UA has warned of a new phishing campaign that masquerades as the Security Service of Ukraine to distribute malware capable of remote desktop access. The agency is tracking the activity under the name UAC-0198. The attack chain involves the mass distribution of emails delivering a ZIP archive that contains an MSI installer file which, when opened, leads to the deployment of a malware called ANONVNC.
- Azure’s Health Bot Service:
Researchers have discovered two security flaws in Microsoft’s Azure Health Bot Service. If exploited, the flaws could permit a malicious actor to achieve lateral movement within customer environments and access sensitive patient data.
- GhostWrite:
A team of researchers has disclosed an architectural bug, named GhostWrite, impacting T-Head’s XuanTie C910 and C920 RISC-V CPUs that could allow attackers to gain unrestricted access to susceptible devices.
- Microsoft:
Microsoft’s August Patch Tuesday addressed a total of 90 security flaws, including 10 zero-days, of which 6 have come under active exploitation.
- Gafgyt:
Researchers have discovered a new variant of the Gafgyt botnet that’s targeting machines with weak SSH passwords to ultimately mine cryptocurrency on compromised instances using their GPU computation power. The infected devices are corralled into a botnet capable of launching DDoS attacks against targets of interest.
- SolarWinds:
SolarWinds has released patches to address a critical security vulnerability in its Web Help Desk software that could be exploited to execute arbitrary code on susceptible instances. The flaw (CVE-2024-28986) has been described as a deserialization bug.
- BitLocker:
Microsoft has disabled a fix for a BitLocker security feature bypass vulnerability due to firmware incompatibility issues that were causing patched Windows devices to go into BitLocker recovery mode. The flaw (CVE-2024-38058) can let attackers with physical access to the targeted device bypass the BitLocker Device Encryption feature and access encrypted data. The August security updates disabled this fix.
- IPv6 Vulnerability:
Microsoft has warned of a critical security bug (CVE-2024-38063) that is caused by an integer underflow weakness, which attackers could exploit to trigger buffer overflows that can be used to execute arbitrary code on vulnerable Windows 10, Windows 11, and Windows Server systems.
- SAP:
SAP has released its security patch package for August 2024, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to fully compromise the system. The flaw is being tracked as CVE-2024-41730.
- 0.0.0.0 Day:
Researchers have discovered a new “0.0.0.0 Day” impacting all major web browsers that malicious websites could take advantage of to breach local networks. The critical vulnerability exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices.
- Cisco:
CISA has disclosed that threat actors are abusing the legacy Cisco Smart Install (SMI) feature with the aim of accessing sensitive data. CISA reported that it continues to see weak password types used on Cisco network devices, thereby exposing them to password-cracking attacks. Threat actors who gain access to a device in this manner would be able to easily access system configuration files, facilitating a deeper compromise of the victim networks.
- OpenVPN:
Microsoft disclosed four medium-severity flaws in the open-source OpenVPN software that could be chained to achieve RCE and local privilege escalation. The flaws affect all versions of OpenVPN prior to 2.6.10 and 2.5.10.
- Microsoft:
Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors. The vulnerability (CVE-2024-38200) has been described as a spoofing flaw that affects a few versions of Office apps.
- Chrome/Edge extensions:
An ongoing, widespread malware campaign has been observed installing rogue Chrome and Edge extensions via a trojan distributed through fake websites masquerading as popular software. The trojan carries a range of payloads, from simple adware extensions that hijack searches to more sophisticated malicious scripts that install local extensions to steal private data and execute various commands.
- EastWind:
Russian government and IT organizations are the target of a new campaign that delivers a number of backdoors and trojans as part of a spear-phishing campaign codenamed EastWind. The attack chains are characterized by the use of RAR archive attachments containing a Windows shortcut (LNK) file that, upon opening, activates the infection sequence, culminating in the deployment of malware such as GrewApacha, an updated version of the CloudSorcerer backdoor.
- FreeBSD:
The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability (CVE-2024-7589) stems from a signal handler in sshd(8) that may call a logging function that is not async-signal-safe.
Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.
For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.