Orpheus Weekly Threat Insights - 25.09.2024
Orpheus Cyber
Orpheus provides cyber risk ratings alongside actionable vulnerability prioritisation all backed by threat intelligence
Welcome to this week's edition of the Orpheus Weekly Threat Insights, where we provide expert analysis and actionable insights into the most critical developments in cybersecurity.
Our goal is to help you navigate the ever-changing digital landscape, mitigate risks, and protect your organization from evolving cyber threats.
Let's dive into this week's most pressing issues.
Major Cyber Incidents
Cybercriminals Leverage Header Refresh Technique for Business Email Compromise (BEC)
Summary: Security researchers report a surge in phishing campaigns that abuse the HTTP Refresh response header (the "header refresh" technique) in support of Business Email Compromise (BEC). A Refresh header instructs the browser to load a new URL after a stated delay, zero seconds in these campaigns, so the victim is forwarded from an initially benign-looking page to a credential-harvesting site without clicking any further link.
Why It Matters: Because the redirection lives in the response header rather than in a visible link or in the page body, it is easy to miss when inspecting the email or the landing page, and it can slip past URL filters that only evaluate the initial link. This adds another layer of deception to phishing and makes malicious redirections harder for victims to identify.
Severity: High
Mitigation Recommendations: Train employees to check the address bar of the final page before entering credentials and to recognise typosquatted domains; enforce Multi-Factor Authentication (MFA) on all email accounts so that harvested passwords alone are not enough; and, where your web proxy or secure email gateway supports it, inspect Refresh headers in responses from newly observed domains, since the first-hop link in these campaigns is designed to look benign.
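The following is an added example, not code from the original newsletter or from the researchers who reported the technique. It parses a raw HTTP response and flags Refresh headers that push the browser to a different host, with an immediate (zero-second) delay, or with an email address embedded in the target URL. The sample response, the host names and the "email address in query string" heuristic are constructed assumptions for illustration, not claims taken from the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a raw HTTP/1.1 response as a victim's browser would
# receive it from the first-hop domain. Host names are placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 0; url=https://login-example.invalid/auth?e=victim@example.com\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Refresh values look like "0; url=https://..." with optional quotes around the URL
# and case-insensitive "url". A bare number (e.g. "5") reloads the same page.
_REFRESH_RE = re.compile(
    r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)['\"]?\s*$", re.IGNORECASE
)


def parse_headers(raw):
    """Parse the header block of a raw HTTP response into a name -> [values] map.
    Header names are case-insensitive, so they are lower-cased; duplicates are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers = {}
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_refresh(value):
    """Return (delay_seconds, url) for a Refresh header value, or None when the
    value carries no URL (a plain reload is not a redirect)."""
    m = _REFRESH_RE.match(value)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def refresh_redirect_findings(raw, request_host):
    """Flag Refresh headers that send the browser somewhere suspicious.
    request_host is the host the client originally requested; a relative URL
    (no host) is treated as same-site. Returns one finding per flagged header."""
    findings = []
    for value in parse_headers(raw).get("refresh", []):
        parsed = parse_refresh(value)
        if parsed is None:
            continue
        delay, url = parsed
        target = urlparse(url)
        reasons = []
        if target.hostname and target.hostname.lower() != request_host.lower():
            reasons.append("cross-host redirect")
        if delay == 0:
            reasons.append("immediate (no user action)")
        if "@" in target.query:  # assumed heuristic: pre-filled victim address
            reasons.append("email address in query string")
        if reasons:
            findings.append({"delay": delay, "url": url,
                             "host": target.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in refresh_redirect_findings(SAMPLE_RESPONSE, "mail.example.com"):
        print(f)
```

In a proxy or gateway hook the same function can be run on every response from a domain first seen in the last few days; a same-host Refresh with a non-zero delay (a normal "page moved" courtesy redirect) produces no finding, which keeps the rule quiet on legitimate sites.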
RedJuliett Threat Actor Linked to Global Botnet
Summary: The FBI and partner security agencies have attributed a botnet of over 260,000 compromised devices to RedJuliett (also tracked as Flax Typhoon and Ethereal Panda), a Chinese state-sponsored group. The compromised devices are largely internet-facing consumer and small-office equipment such as routers, IP cameras, DVRs and NAS units across North America, Europe and Asia, and the botnet is used to proxy and obscure the group's follow-on activity, including vulnerability scanning and exploitation.
Why It Matters: The involvement of state-sponsored actors indicates a well-funded and coordinated cyber threat with global implications.
Severity: Critical
Mitigation Recommendations: Inventory your internet-facing devices (routers, cameras, NAS and VPN appliances) and replace end-of-life units; apply firmware updates promptly; change default credentials and disable unused services and remote-management ports; monitor outbound traffic from these devices for unexpected connections; and reboot any device you suspect is compromised. Note that a reboot only clears the running implant; the device will be re-infected unless it is also patched or replaced.
Brute Force Attacks Target Construction Industry's Accounting Software
Summary: A new brute-force campaign has been identified targeting Foundation accounting software, widely used in the construction industry. The software relies on a Microsoft SQL Server database that is frequently exposed to the internet, and attackers have been brute-forcing and guessing the credentials of high-privilege database accounts, including the built-in sa administrator account, at companies in the plumbing, HVAC, concrete and related trades.
Why It Matters: A compromised database administrator account yields not only the financial data in the application but, through database features that can run operating-system commands, a foothold on the host itself, which could lead to significant financial loss and operational disruption.
Severity: High
Mitigation Recommendations: Do not expose the database port to the internet (restrict it to the internal network or a VPN); rotate any default credentials shipped with the application and enforce a strong password policy; disable command-execution features such as xp_cmdshell unless they are genuinely required; enable MFA on the application where it is supported; and audit SQL Server logon events for bursts of failed logins against privileged accounts.
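An added example of the logon audit recommended above, written for this newsletter and not taken from Foundation, Microsoft or the researchers who reported the campaign. It parses SQL Server ERRORLOG lines, raises a brute-force alert when one client exceeds a threshold of failed logins against one account inside a sliding window, and raises a second alert if that client then logs in successfully. The log lines are constructed; they follow the ERRORLOG format SQL Server uses when login auditing is set to record both failed and successful logins, and the threshold, window and privileged-account list are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not real data). Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-09-18 10:12:33.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-18 10:12:33.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-18 10:12:34.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-18 10:12:35.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-18 10:12:35.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-18 10:12:36.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-18 10:12:37.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-09-18 11:05:10.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-09-18 11:40:10.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Assumed list of accounts whose compromise is treated as high impact; add the
# application's own administrative logins here.
PRIVILEGED_ACCOUNTS = {"sa"}

# Matches the "Login failed/succeeded" lines; the "Error: 18456" companion lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon event dicts in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "user": m["user"],
            "client": m["client"],
            "failed": m["result"] == "failed",
        })
    return events


def detect_brute_force(text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector keyed on (client, user).

    Emits a 'brute_force' alert the first time a key reaches `threshold` failures
    inside `window`, and a 'success_after_burst' alert if the same key then logs
    in successfully, which is the outcome a password-guessing run is after."""
    alerts = []
    recent = defaultdict(deque)  # (client, user) -> timestamps of recent failures
    bursting = set()             # keys that already triggered a brute_force alert
    for ev in parse_logon_events(text):
        key = (ev["client"], ev["user"])
        q = recent[key]
        if ev["failed"]:
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append({"type": "brute_force", "client": ev["client"],
                               "user": ev["user"], "failures": len(q), "at": ev["ts"],
                               "privileged": ev["user"].lower() in PRIVILEGED_ACCOUNTS})
        else:
            if key in bursting:
                alerts.append({"type": "success_after_burst", "client": ev["client"],
                               "user": ev["user"], "at": ev["ts"],
                               "privileged": ev["user"].lower() in PRIVILEGED_ACCOUNTS})
            q.clear()             # a success ends the burst; start counting afresh
            bursting.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The two widely spaced failures for the 'reports' account never reach the threshold inside the window and produce nothing, while the five rapid failures against sa from one client produce one brute_force alert and the success that follows produces a success_after_burst alert; in practice the second alert type is the one worth paging on.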
Critical Vulnerabilities
CVE-2024-27348 (Apache HugeGraph-Server) – CVSS: 9.8 | OVSS: 92
Summary: Apache has patched a critical vulnerability in HugeGraph-Server (versions 1.0.0 up to, but not including, 1.3.0) that allows unauthenticated remote code execution through the Gremlin query interface because of improper access control. CISA has added the flaw to its Known Exploited Vulnerabilities catalog, confirming that it is being exploited in the wild.
Why It Matters: Without prompt action, attackers could gain full control of affected servers, leading to data loss or system disruption.
Severity: Critical
Mitigation Recommendations: Upgrade to HugeGraph-Server 1.3.0 or later, run it on Java 11 and enable the built-in authentication system, as Apache advises; until that is done, do not expose the Gremlin and REST APIs beyond trusted networks.
CVE-2020-14644 (Oracle WebLogic Server) – CVSS: 9.8 | OVSS: 85
Summary: The US Cybersecurity and Infrastructure Security Agency (CISA) added this Oracle Fusion Middleware vulnerability to its Known Exploited Vulnerabilities Catalog. It is an unauthenticated remote code execution flaw in the WebLogic Server Core component, reachable over the T3 and IIOP protocols and caused by unsafe deserialization; it affects WebLogic Server 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 and was fixed in Oracle's July 2020 Critical Patch Update.
Why It Matters: Exploiting this vulnerability could give attackers unauthorized access to critical systems, with potentially devastating consequences.
Severity: Critical
Mitigation Recommendations: Apply the July 2020 or a later Critical Patch Update to every WebLogic Server instance, including those bundled with other Fusion Middleware products, and block T3 and IIOP access from untrusted networks. A four-year-old flaw being added to KEV is a reminder that attackers continue to scan for unpatched WebLogic servers.
Analyst Comment
Cloud-Based Vulnerabilities on the Rise: Protect Your Organization
This week we observed several vulnerabilities in cloud-connected products. A critical flaw in Microsoft's Azure API Management (APIM) was recently patched; it allowed a user with a low-privilege role to escalate privileges and gain full control of sensitive service configuration. In parallel, a command injection vulnerability in Ivanti's Cloud Services Appliance (CSA), a customer-managed edge appliance, is under limited active exploitation.
Why It Matters: As organizations rely more heavily on public cloud resources and on appliances that bridge on-premises networks to cloud services, the impact of a flaw in those components grows. Attackers, including state-sponsored groups, use such flaws to breach cloud infrastructure. Organizations must apply rigorous controls to reduce the risk these vulnerabilities pose.
Key Takeaway: Hosting model alone does not remove this exposure; the Ivanti CSA is itself a customer-managed appliance. Whether you run public, private or hybrid cloud, apply vendor patches promptly, keep role assignments to least privilege so that a flaw in one role cannot hand over the whole configuration, and restrict management interfaces to trusted networks to keep control over your cloud environments.
By staying informed and vigilant, your organization can stay ahead of emerging cyber threats. We recommend reviewing your security posture and implementing the recommended mitigations to safeguard your systems.
For tailored advice or more detailed guidance, feel free to reach out to the Orpheus team.