Product
Jake Trujillo
Oct 9, 2024
Note: These were the top 10 cyber threats to the Computer & Network Security industry as of October 9th, 2024. To see the latest top 10 cyber threats to Computer & Network Security, click here.
1. APT40
Secure Apache Log4j and Microsoft Office from APT40's rapid exploits
Summary: Salt Typhoon, a Chinese state-sponsored hacking group, has breached multiple U.S. internet service providers to gather sensitive information and potentially launch cyberattacks. The compromised ISPs include major providers such as Verizon, AT&T, and Lumen Technologies, which handle extensive amounts of sensitive data. Investigations are ongoing to determine if the attackers accessed Cisco Systems routers, which are critical to ISP infrastructures, though Cisco has denied any current evidence of such involvement.
Free Advice: Conduct a network audit to identify and disconnect any end-of-life or unpatched devices that could be exploited.
2. FIN7
Avoid downloading suspicious AI tools; check for malware before opening files
Summary: Cybercriminal group FIN7 is actively using and selling a tool called AvNeutralizer to bypass security systems, which has been available since April 2022. AvNeutralizer is customized for each buyer and priced between $4,000 and $15,000, targeting specific security systems and used in several cyberattacks deploying ransomware like AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. FIN7 has been involved in various cybercrimes including payment card fraud and banking malware, with a shift to ransomware in recent years, employing advanced tools to disrupt endpoint detection and response software.
Free Advice: Update and patch Veeam Backup & Replication software.
3. CVE-2023-46805
Upgrade Ivanti CSA to version 5.0 to address critical OS injection vulnerability
Summary: A critical vulnerability in Ivanti Endpoint Manager, identified as CVE-2024-29847, allows for remote code execution. The Ivanti Cloud Service Appliance (CSA) is affected by multiple vulnerabilities, including CVE-2024-8190 and CVE-2024-8963, which can be combined to bypass admin authentication and execute arbitrary commands. CVE-2024-8190 affects Ivanti CSA versions up to 4.6 Patch 518 and is due to a failure to validate user input in the DateTimeTab.php file. Ivanti CSA 4.6 has reached End-of-Life status and will no longer receive updates, urging users to upgrade to version 5.0 for continued support and protection.
Free Advice: Immediately update affected Ivanti products and conduct reviews of configurations to prevent external exposure of internal interfaces.
4. Fog
Secure Windows Servers with robust VPN and backup strategies against ransomware
Summary: The 'Fog' ransomware operation uses compromised VPN credentials from at least two different gateway vendors and disables Windows Defender to prepare for the deployment of the ransomware. Fog ransomware encrypts VMDK files used in Virtual Machine storage, adds the ".FOG" extension, and deletes backups from Veeam and Windows volume shadow copies. Despite initial reports of no data theft, it has been confirmed that Fog conducts double-extortion attacks, demanding large ransoms for decryption keys and the deletion of stolen data.
Free Advice: Implement multi-factor authentication, update VPN software, monitor VPN access, and regularly back up data.
5. CVE-2024-40711
Apply Veeam's latest patch immediately to prevent critical RCE exploitation
Summary: Veeam has addressed 18 high and critical vulnerabilities in its Backup & Replication, Service Provider Console, and One products, with the most severe being CVE-2024-40711, an unauthenticated remote code execution flaw. CVE-2024-40711 affects Veeam Backup & Replication versions 12.1.2.172 and earlier and could potentially allow ransomware gangs to gain full system control. Other critical issues include CVE-2024-40713, which allows low-privileged users to alter Multi-Factor Authentication settings, and CVE-2024-40714, involving a TLS certificate validation issue. Proof-of-concept exploits for some of these vulnerabilities have been made available publicly, increasing the urgency for users to apply the latest security patches.
Free Advice: Update Veeam Backup & Replication to the latest version.
6. CloudImposer
Secure Google Cloud Composer with proper package management practices immediately
Summary: A vulnerability named 'CloudImposer' in Google Cloud services could allow attackers to remotely execute code on Google Cloud instances without needing authentication. The vulnerability was caused by a dependency confusion error, where Google Cloud Platform (GCP) failed to properly verify preloaded bundled services when initializing a new cloud instance. Attackers could exploit this to create malicious cloud instances, potentially leading to supply chain attacks. The affected GCP services included App Engine, Cloud Function, and Cloud Composer. Google has patched the flaw and updated its documentation to recommend safer handling of Python package dependencies, in particular using '--index-url' rather than '--extra-index-url'.
Free Advice: Implement safer practices for handling Python package dependencies. Developers are advised to use the '--index-url' argument over the '--extra-index-url' to reduce the risk of supply chain attacks.
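The dependency confusion risk above comes from pip consulting several indexes at once: with '--extra-index-url', a package name that exists only on a private index can be shadowed by a same-named, higher-versioned package on the public one. The following added example (not part of the original article, and not Google's tooling) audits a requirements file and a pip.conf for that setting; the index URLs and package names are constructed.

```python
import configparser
import re
from typing import List

# Constructed sample inputs (not taken from the article).
REQUIREMENTS_RISKY = """\
--index-url https://pypi.org/simple
--extra-index-url https://pypi.internal.example/simple
requests==2.32.3
internal-billing-lib==1.4.0
"""

REQUIREMENTS_SAFE = """\
--index-url https://pypi.internal.example/simple
requests==2.32.3
internal-billing-lib==1.4.0
"""

PIP_CONF_RISKY = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""

# pip accepts both "--extra-index-url URL" and "--extra-index-url=URL".
_EXTRA_INDEX = re.compile(r"^[ \t]*--extra-index-url(?:[ \t]+|=)(\S+)", re.MULTILINE)


def audit_requirements(text: str) -> List[str]:
    """Return one finding per --extra-index-url line in a requirements file.

    With an extra index, pip searches every index and picks the highest
    version it finds anywhere, so a public package registered under an
    internal name can win the resolution (dependency confusion).
    """
    return [
        f"--extra-index-url {m.group(1)}: several indexes searched; "
        "point a single --index-url at a private index that proxies PyPI"
        for m in _EXTRA_INDEX.finditer(text)
    ]


def audit_pip_conf(text: str) -> List[str]:
    """Return one finding per pip.conf section that sets extra-index-url."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [
        f"[{section}] extra-index-url = {cp.get(section, 'extra-index-url')}: "
        "remove it and rely on a single index-url"
        for section in cp.sections()
        if cp.has_option(section, "extra-index-url")
    ]
```

The safe variant keeps one '--index-url' pointing at a private index that itself proxies public packages, so resolution order is decided in one place.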
7. Ajina
Review Telegram channels to prevent Ajina.Banker malware from stealing financial data
Summary: A new Android malware named Ajina.Banker is targeting users in Central Asia with over 1,400 unique variants since November 2023. The malware disguises itself as legitimate apps to steal banking information and intercept two-factor authentication (2FA) codes. Ajina.Banker spreads primarily through social engineering on Telegram, where attackers distribute malicious links and files under the guise of offers or government apps. The malware has evolved to include functionalities that steal phone numbers, bank card details, and PIN codes. Ajina.Banker operates on an affiliate program model, with a core group managing the infrastructure and affiliates handling distribution.
Free Advice: Be cautious of unsolicited messages, only download apps from trusted sources like the Google Play Store, check app permissions, use security software, and stay informed about mobile security best practices.
8. CVE-2024-45195
Upgrade Apache OFBiz to version 18.12.16 to mitigate severe vulnerabilities
Summary: CVE-2024-45195 is a critical remote code execution vulnerability in the Apache OFBiz software, which could allow unauthenticated remote code execution on Linux and Windows servers. CVE-2024-45195 is a bypass for earlier patched vulnerabilities CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856, which were not fully resolved by previous updates. Attackers could exploit these vulnerabilities to execute arbitrary code or SQL queries by manipulating the controller and view map states. Over 25,000 malicious requests targeting 4,000 unique sites have been detected since the disclosure of CVE-2024-45195.
Free Advice: Update Apache OFBiz installations to version 18.12.16 immediately.
9. CVE-2024-40766
Patch SonicWall firewalls immediately to prevent unauthorized access and potential system compromise
Summary: CVE-2024-40766 affects SonicWall Firewall devices, specifically targeting the SSLVPN feature and management access in SonicOS. This vulnerability has been actively exploited by cybercriminals, notably the Akira ransomware group, to gain unauthorized access to accounts and potentially execute malicious code. The vulnerability impacts SonicWall Gen 5, Gen 6, and Gen 7 devices, with specific versions listed as vulnerable. The Akira ransomware group has exploited this vulnerability by compromising SSLVPN user accounts on SonicWall devices, especially targeting local accounts without MFA.
Free Advice: Immediately apply patches and implement security measures, including updating firmware, enabling multi-factor authentication (MFA), and restricting access to trusted sources.
10. CVE-2024-44000
Analyze and purge LiteSpeed Cache plugin's debug logs to prevent account takeover
Summary: CVE-2024-44000 has been discovered in the LiteSpeed Cache plugin for WordPress, potentially affecting over 6 million sites. The flaw allows unauthenticated visitors to hijack user sessions and gain administrator access, enabling them to install malicious plugins and take over the site. This issue arises from the plugin's debug log feature leaking HTTP response headers, including 'Set-Cookie' headers, when users log in.
Free Advice: Update to version 6.5.0.1 of the plugin. Analyze and purge your /wp-content/debug.log file if you have previously activated the debug feature on the LiteSpeed Cache plugin.
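To act on the "analyze" half of that advice, a defender needs to know which login sessions were written into the debug log. The added example below (not part of the original article or the LiteSpeed plugin) extracts leaked Set-Cookie headers from a constructed debug.log excerpt and lists the WordPress accounts whose authentication cookies appear, so those sessions can be invalidated; the log line layout is an assumption, not the plugin's exact format.

```python
import re
from typing import Dict, List, Set
from urllib.parse import unquote

# Constructed debug.log excerpt (layout assumed, values invented).
SAMPLE_DEBUG_LOG = """\
10/01/24 12:00:01.123 [GET] [wp-login.php] Response headers:
10/01/24 12:00:01.123 [GET] [wp-login.php] Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
10/01/24 12:00:02.456 [POST] [wp-login.php] Set-Cookie: wordpress_sec_5c3f9a=alice%7C1727800000%7Ctok%7Chmac; path=/wp-content/plugins; secure; HttpOnly
10/01/24 12:00:02.456 [POST] [wp-login.php] Set-Cookie: wordpress_logged_in_5c3f9a=alice%7C1727800000%7Ctok%7Chmac; path=/; HttpOnly
10/01/24 12:00:05.000 [GET] [/] Cache hit, served from disk
"""

# Header value: "name=value; attr; attr".
_SET_COOKIE = re.compile(r"Set-Cookie:\s*([^=\s;]+)=([^;\r\n]*)", re.IGNORECASE)

# WordPress authentication cookies: wordpress_<hash>, wordpress_sec_<hash>,
# wordpress_logged_in_<hash>. The test cookie is not a session credential.
_AUTH_COOKIE = re.compile(r"^wordpress_(?:(?:logged_in|sec)_)?[0-9a-f]+$")


def extract_set_cookie(log_text: str) -> List[str]:
    """Return every cookie name that appears in a leaked Set-Cookie header."""
    return [m.group(1) for m in _SET_COOKIE.finditer(log_text)]


def leaked_sessions(log_text: str) -> Dict[str, Set[str]]:
    """Map each leaked auth cookie name to the usernames found in its value.

    WordPress encodes auth cookies as user_login|expiration|token|hmac,
    URL-encoded, so the first '|' field identifies the account.
    """
    sessions: Dict[str, Set[str]] = {}
    for m in _SET_COOKIE.finditer(log_text):
        name, value = m.group(1), m.group(2)
        if _AUTH_COOKIE.match(name):
            user = unquote(value).split("|")[0]
            sessions.setdefault(name, set()).add(user)
    return sessions


def affected_users(log_text: str) -> Set[str]:
    """Accounts whose sessions must be invalidated (force re-login / reset)."""
    return set().union(*leaked_sessions(log_text).values()) if leaked_sessions(log_text) else set()
```

Treat every account returned by affected_users as compromised until its sessions are terminated, then purge the log as the advice says.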
Sign up for Fletch to get access to more industry threats.