Product
Jake Trujillo
Aug 15, 2024
Note: These were the top 10 cyber threats to the Computer Software industry as of October 9th, 2024. To see the latest top 10 cyber threats to Computer Software, click here.
1. CVE-2024-6915
A flaw leading to cache poisoning.
Summary: JFrog released a critical security advisory for its Artifactory platform due to a vulnerability identified as CVE-2024-6915, with a CVSS score of 9.3. This flaw affects multiple versions of JFrog Artifactory and could enable attackers to execute cache poisoning attacks on software supply chains. Cache poisoning involves manipulating cached software artifacts so that developers or automated systems unknowingly deploy compromised software, potentially leading to data breaches or system takeovers.
Free Advice: For self-hosted environments that cannot be immediately upgraded, disable anonymous access or remove Deploy/Cache permissions for remote repositories for the Anonymous account as a temporary measure.
2. FakePenny
A threat actor deploying sophisticated ransomware.
Summary: North Korean threat actor Moonstone Sleet, responsible for the deployment of the FakePenny ransomware variant, has been actively attempting to compromise Windows systems by publishing malicious npm packages to the JavaScript package registry. Two such packages, named harthat-api and harthat-hash, were identified by Datadog Security Labs and were found to be published on July 7, 2024. These packages did not gain any traction as they were quickly removed from the registry.
Free Advice: Scan for and remove any trojanized tools or malicious NPM packages that may have been inadvertently downloaded by developers.
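One way to act on that advice is to audit the project's npm lockfile rather than eyeballing node_modules. The script below is an added example, not part of the original post and not code from Datadog or npm: it reads a package-lock.json (lockfileVersion 2 or 3 layout), and flags packages whose names appear on a block list, packages that run install lifecycle scripts, and packages resolved from somewhere other than the public registry over TLS or without a pinned integrity hash. The two names on the block list come from the post; the sample lockfile, the hostnames and the "some-lib" package are constructed for the example.

```python
"""Audit an npm package-lock.json for known-bad names, install hooks and
non-registry sources. Added example; not code from the original post."""
import json
from urllib.parse import urlparse

# Package names taken from the post; extend with your own intelligence feed.
KNOWN_BAD = {"harthat-api", "harthat-hash"}
# Hosts a lockfile entry is allowed to be "resolved" from.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed sample lockfile. In lockfileVersion 2/3 each dependency is keyed
# by its path under "packages"; "hasInstallScript" marks lifecycle hooks.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-constructed-placeholder",
        },
        "node_modules/harthat-api": {
            "version": "1.3.1",
            "resolved": "https://registry.npmjs.org/harthat-api/-/harthat-api-1.3.1.tgz",
            "integrity": "sha512-constructed-placeholder",
            "hasInstallScript": True,
        },
        "node_modules/some-lib": {
            "version": "0.0.1",
            "resolved": "http://cdn.example.net/some-lib-0.0.1.tgz",
        },
    },
})


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (scope is kept)."""
    return path.split("node_modules/")[-1]


def audit_lockfile(lock_text: str):
    """Return a list of (package, version, reason) findings."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name(path)
        version = meta.get("version", "?")
        if name in KNOWN_BAD:
            findings.append((name, version, "known malicious package name"))
        if meta.get("hasInstallScript"):
            # Install hooks run arbitrary code on `npm install`; review them.
            findings.append((name, version, "runs an install lifecycle script"))
        resolved = meta.get("resolved")
        if resolved:
            url = urlparse(resolved)
            if url.scheme != "https" or url.hostname not in TRUSTED_REGISTRY_HOSTS:
                findings.append((name, version,
                                 f"resolved from non-registry or non-TLS source {resolved}"))
        if not meta.get("integrity") and not meta.get("link"):
            findings.append((name, version, "no integrity hash pinned"))
    return findings


def flagged_packages(lock_text: str):
    """Sorted, de-duplicated package names that produced at least one finding."""
    return sorted({name for name, _, _ in audit_lockfile(lock_text)})


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

Run it against the real lockfile with `audit_lockfile(open("package-lock.json").read())`; a hit on the block list is a removal, the other two findings are prompts to review the package before it is allowed to stay.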
3. Hunters International
A ransomware group spreading the SharpRhino RAT through fake ads.
Summary: Ransomware group Hunters International is using a C#-based remote access trojan (RAT), SharpRhino, to infiltrate corporate networks. This RAT assists in initial infection, privilege escalation, execution of PowerShell commands, and ransomware deployment. It is distributed through a fake Google Ads site impersonating the Angry IP Scanner tool.
Hunters International has been active since late 2023 and is suspected to be a rebranded version of the Hive group. They have claimed responsibility for 134 ransomware attacks globally.
Free Advice: Verify the legitimacy of any recently installed software, especially network scanning or administration tools such as Angry IP Scanner, and make sure they were downloaded from the vendor's official site rather than from a search advertisement.
4. CVE-2024-38472
A series of confusion attacks enabled by Apache HTTP Server flaws.
Summary: Research into the architecture of the Apache HTTP Server has exposed long-standing technical debt in how its modules share state, giving rise to a class of Confusion Attacks. There are three main attack vectors: Filename Confusion, DocumentRoot Confusion, and Handler Confusion, each with its own set of exploitation primitives. CVE-2024-38472 is one of nine new vulnerabilities that, through different methods, allow bypassing built-in access control and authentication and achieving remote code execution (RCE).
Free Advice: Upgrade Apache HTTP Server to version 2.4.60 or later, which addresses these vulnerabilities.
5. CVE-2024-42005
A series of vulnerabilities in multiple versions of Django.
Summary: Security updates for Django versions 5.0.8 and 4.2.15 address multiple vulnerabilities, including a critical SQL injection vulnerability, CVE-2024-42005, in the QuerySet.values() and values_list() methods on models with a JSONField, reachable through a crafted JSON object key passed as a positional argument. The other fixes address potential denial-of-service (DoS) attacks through the floatformat template filter (CVE-2024-41989) and the urlize() and urlizetrunc() template filters (CVE-2024-41990 and CVE-2024-41991).
Free Advice: Limit the size of inputs that can be processed by the `floatformat`, `urlize`, and `urlizetrunc` template filters to mitigate potential DoS attacks.
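The two input paths above deserve a guard in application code as well as the upgrade. The following is an added example, not Django's code and not the upstream fix: it assumes a view that lets a request parameter choose which JSON key to pull out of a JSONField (the shape in which a crafted key would reach values()/values_list()), and a template that feeds user-supplied strings to floatformat or urlize. The lookup is only built from identifier-like keys on an explicit allowlist, and oversized strings are rejected rather than silently truncated. The field name, allowlist and size limit are assumptions for the example.

```python
"""Guard rails for user input that reaches Django's JSONField lookups and the
floatformat/urlize/urlizetrunc template filters. Added example; not Django's
own code. The view and filter wiring are assumed, not taken from the post."""
import re

# Only identifier-like keys may be interpolated into a lookup path. Quotes,
# spaces and brackets, the raw material of a crafted key, are refused here.
_SAFE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class UnsafeInput(ValueError):
    """Raised when request data must not proceed to the ORM or a filter."""


def json_lookup(field: str, user_key: str, allowed_keys) -> str:
    """Build 'field__key' for QuerySet.values()/values_list() from a request key.

    Two independent checks: the key must be identifier-shaped, and it must be
    one the application actually intends to expose. Either failure raises."""
    if not _SAFE_KEY.fullmatch(user_key):
        raise UnsafeInput(f"malformed JSON key {user_key!r}")
    if user_key not in allowed_keys:
        raise UnsafeInput(f"JSON key {user_key!r} is not exposed by this view")
    return f"{field}__{user_key}"


def accepted(field: str, user_key: str, allowed_keys) -> bool:
    """Boolean form of json_lookup for callers that prefer a yes/no answer."""
    try:
        json_lookup(field, user_key, allowed_keys)
        return True
    except UnsafeInput:
        return False


def bounded(value: str, max_len: int = 1000) -> str:
    """Reject strings too large to hand to a template filter.

    Truncating would change what the filter renders; rejecting keeps the
    behaviour predictable and makes the oversized request visible in logs."""
    if len(value) > max_len:
        raise UnsafeInput(f"input of {len(value)} chars exceeds limit of {max_len}")
    return value


def within_limit(value: str, max_len: int = 1000) -> bool:
    return len(value) <= max_len


if __name__ == "__main__":
    # Constructed request values: one legitimate key, one carrying a quote.
    print(json_lookup("data", "price", {"price", "name"}))        # data__price
    print(accepted("data", 'price"', {"price", "name"}))         # False
    print(within_limit("x" * 5000))                              # False
```

In the view, the returned lookup is what goes into `.values(lookup)`; everything destined for `floatformat`, `urlize` or `urlizetrunc` passes through `bounded()` first, with a limit sized to what the page legitimately displays.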
6. Daggerfly
A Chinese cyber spy group compromising service providers.
Summary: A China-linked cyber espionage group, Daggerfly, recently compromised an internet service provider to distribute malicious software updates. The group has been active since 2012.
Daggerfly altered DNS query responses for domains associated with automatic software updates, particularly targeting software with insecure update mechanisms or inadequate integrity checks. They used this method to deploy malware such as MgBot or MACMA, depending on the victim's operating system.
Free Advice: Implement strict access controls and application whitelisting to prevent execution of unauthorized scripts and files.
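Items 1 and 6 describe the same failure from two directions: a client that trusts whatever the download path returns, whether that path is a poisoned remote-repository cache or an update host reached through manipulated DNS. The common defence is to verify each artifact against a digest obtained through an independent channel before anything is installed. The block below is an added example illustrating that check; it is not JFrog's, Symantec's or any vendor's code. The artifact names, payloads and the two fetch functions standing in for an honest and a tampered network are constructed; the pinned digests are computed from the constructed genuine payloads.

```python
"""Pin-and-verify for artifacts pulled through a cache or an updater.
Added example for the cache-poisoning and hijacked-update scenarios above;
not code from the original post or from any vendor. All data is constructed."""
import hashlib
import hmac
from typing import Callable, Dict, Iterable, Tuple


class IntegrityError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the builds exactly as the publisher shipped them.
_GENUINE = {
    "widget-1.2.3.tar.gz": b"genuine widget 1.2.3 build",
    "agent-update-4.0.1.bin": b"genuine agent update 4.0.1",
}

# Digests the client trusts. In practice these come from a channel independent
# of the download path (a lockfile in source control, a signed release manifest),
# never from the same cache or update host that serves the bytes.
PINNED: Dict[str, str] = {name: sha256_hex(data) for name, data in _GENUINE.items()}


def honest_fetch(name: str) -> bytes:
    """Stand-in for a healthy cache or update server."""
    return _GENUINE[name]


def tampered_fetch(name: str) -> bytes:
    """Stand-in for a poisoned cache or a DNS-redirected update host: the same
    name and version, different bytes."""
    return _GENUINE[name] + b" + implant"


def fetch_verified(name: str, fetch: Callable[[str], bytes],
                   pinned: Dict[str, str] = PINNED) -> bytes:
    """Fetch one artifact and return it only if its digest matches the pin."""
    expected = pinned.get(name)
    if expected is None:
        # No pin means no way to tell genuine from tampered: refuse, do not guess.
        raise IntegrityError(f"{name}: no pinned digest, refusing unverifiable artifact")
    data = fetch(name)
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(
            f"{name}: digest mismatch, got {actual[:12]}... expected {expected[:12]}...")
    return data


def stage_all(names: Iterable[str], fetch: Callable[[str], bytes],
              pinned: Dict[str, str] = PINNED) -> Tuple[Dict[str, bytes], Dict[str, str]]:
    """Verify every artifact before any is installed.

    Returns (verified, rejected). Install nothing from `verified` unless
    `rejected` is empty, so one poisoned file cannot ride along with a deploy."""
    verified: Dict[str, bytes] = {}
    rejected: Dict[str, str] = {}
    for name in names:
        try:
            verified[name] = fetch_verified(name, fetch, pinned)
        except IntegrityError as err:
            rejected[name] = str(err)
    return verified, rejected


if __name__ == "__main__":
    for label, fetch in (("honest", honest_fetch), ("tampered", tampered_fetch)):
        ok, bad = stage_all(PINNED, fetch)
        print(f"{label}: {len(ok)} verified, {len(bad)} rejected")
        for name, why in bad.items():
            print("  ", why)
```

The check is only as good as the pin's provenance: a digest fetched from the same cache that serves the artifact, or from a page whose DNS the attacker controls, verifies nothing. It also says nothing about a build that was malicious before it was ever pinned; that is the separate problem of vetting what you pin.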
7. BlackSuit
A ransomware that split off from Royal, which itself split off from Conti.
Summary: Since 2022, the BlackSuit ransomware gang has demanded over $500 million from its victims. BlackSuit is an offshoot of the Royal ransomware, which in turn evolved from the defunct Russian Conti group. This group typically demands ransoms ranging from $1 million to $10 million, payable in Bitcoin.
Victims are not informed of the ransom amount until they contact the attackers through a dark web link. BlackSuit has been known to negotiate ransom amounts but also threatens to leak stolen data if their demands are not met.
Free Advice: Conduct an immediate vulnerability assessment to identify and patch any public-facing applications that may be exploited.
8. CVE-2024-20419
Exposed Cisco Smart Install deployments, plus a critical Smart Software Manager On-Prem flaw.
Summary: CISA issued a warning about ongoing attacks targeting Cisco network devices that have been misconfigured to use the Smart Install functionality. There are over 6,000 exposed IP addresses with Cisco Smart Install (SMI) accessible via the internet. CISA highlighted that the exploitation of these devices is facilitated by the use of weak passwords, which can allow threat actors to gain access to system configuration files and passwords, potentially leading to the compromise of victim networks.
Additionally, a proof-of-concept exploit for a critical vulnerability in Cisco's Smart Software Manager On-Prem, identified as CVE-2024-20419, has emerged, which could enable unauthenticated credential changes.
Free Advice: Disable Smart Install (`no vstack`) on devices that do not need it, as CISA and Cisco recommend, and replace weak device passwords. For Smart Software Manager On-Prem, apply Cisco's fixed release; Cisco has published no workaround for CVE-2024-20419.
9. CVE-2024-7593
An eight-pack of Ivanti vulns.
Summary: Ivanti has released patches for eight vulnerabilities across its products Neurons for ITSM, Avalanche, and Virtual Traffic Manager. Two critical flaws were addressed: one in Neurons for ITSM that could allow unauthenticated attackers to obtain sensitive information (CVE-2024-7569), and another in Virtual Traffic Manager that could enable remote attackers to bypass authentication (CVE-2024-7593). Additionally, a high-severity improper certificate validation flaw in Neurons for ITSM (CVE-2024-7570) and five high-severity vulnerabilities in Avalanche were patched. There have been no known exploits of these vulnerabilities in the wild, although a proof-of-concept exploit exists for the critical Virtual Traffic Manager flaw.
Free Advice: Restrict access to the vTM management interface by binding it to an internal network or a private IP address, as recommended by Ivanti.
10. CVE-2024-38213
A patched zero-day that could bypass Windows SmartScreen.
Summary: A Microsoft zero-day vulnerability (CVE-2024-38213), which allowed attackers to bypass Windows SmartScreen protection, was patched in the June 2024 Patch Tuesday updates. The flaw could be exploited remotely but requires user interaction: the victim must be convinced to open a malicious file. It had been actively exploited since March 2024, including by the DarkGate malware operators, who used it to distribute malware disguised as legitimate software installers.
Free Advice: Ensure all systems have installed the latest security updates, especially the June 2024 Patch Tuesday update that patches the CVE-2024-38213 vulnerability.
Sign up for Fletch to get access to more industry threats.