Threat Report 28.05.24
Imitation antivirus websites spreading malware to Windows and Android devices
Threat actors have recently been observed setting up fake websites imitating legitimate suppliers such as Avast, Bitdefender, and Malwarebytes to spread malware.
The particular websites spotted are:
It is important to remain vigilant and double-check that the website you are on is the one you expect. Avoiding clicking any suspicious links and verifying that the website URL is correct are key ways to defend yourself from these types of attacks.
Google releases patch fixing fourth zero-day this month
Google has released a patch fixing another zero-day vulnerability. This marks the fourth zero-day vulnerability fixed this month, and the eighth since the start of the year.
The vulnerability is tracked as CVE-2024-5274 and is a type confusion bug in the V8 JavaScript and WebAssembly engine. When exploited, it allows threat actors to perform out-of-bounds memory access, cause a crash, and execute arbitrary code. Additional information regarding the vulnerability has not yet been released.
To mitigate this vulnerability, it is recommended to update to the latest version of Google Chrome as soon as possible. Google has noted that an exploit for this vulnerability exists, so ensuring it is patched is crucial.
Maximum severity vulnerability in GitHub Enterprise Server (GHES)
GitHub has released a patch fixing a maximum severity vulnerability in GitHub Enterprise Server (GHES).
The vulnerability is tracked as CVE-2024-4985 and has a maximum CVSS score of 10.0. It affects servers using SAML single sign-on (SSO) authentication with the optional encrypted assertions feature enabled. When exploited by a threat actor, the vulnerability could allow for unauthorised access to an instance without prior authentication.
The vulnerability affects all versions before version 3.13.0 and has been fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4. It is recommended to update servers to the latest available version as soon as possible to avoid potential incidents, even without SAML SSO or the encrypted assertions setting enabled.
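A quick way to triage an instance against the fixed releases listed above, written as an added example rather than GitHub's own tooling; the version strings fed to it and the `triage` result labels are assumptions for illustration, while the version thresholds are the ones stated in the advisory summary:

```python
"""Classify a GitHub Enterprise Server (GHES) version against CVE-2024-4985."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by release branch (major, minor).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# Every build before 3.13.0 is affected; 3.13.0 and later never were.
FIRST_UNAFFECTED: Version = (3, 13, 0)


def parse_version(text: str) -> Version:
    """Turn a 'major.minor.patch' string into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(version_text: str) -> bool:
    """True when the build predates the patched release for its branch."""
    v = parse_version(version_text)
    if v >= FIRST_UNAFFECTED:
        return False
    fixed: Optional[Version] = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        # Branches older than 3.9 are below 3.13.0 and received no fix release.
        return True
    return v < fixed


def triage(version_text: str, saml_sso: bool, encrypted_assertions: bool) -> str:
    """Labels (assumed for this example): 'patched', 'exposed', 'update'."""
    if not is_vulnerable(version_text):
        return "patched"
    if saml_sso and encrypted_assertions:
        return "exposed"  # both exploitation preconditions are present
    return "update"  # vulnerable build; the advisory says update regardless
```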