THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)
Hi there! Here’s your quick update on the latest in cybersecurity.
Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.
Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It’s a constant battle. For you, staying protected means keeping your devices and apps up to date.
In this newsletter, we’ll break down the top stories. Whether you’re protecting personal data or managing security for a business, we’ve got tips to help you stay safe.
Let’s get started!
⚡ Threat of the Week
China Calls Volt Typhoon an Invention of the U.S.: China’s National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in an attempt to conceal its own malicious cyber attacks and that it has established a “large-scale global internet surveillance network.”
Trending CVEs
CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164
🔔 Top News
- Apple macOS Flaw Bypasses Privacy Controls in Safari Browser: Microsoft has disclosed details about a now-patched security flaw in Apple’s Transparency, Consent, and Control (TCC) framework in macOS that could be abused to get around a user’s privacy preferences and access data. There is some evidence that the vulnerability, tracked as CVE-2024-44133, may have been exploited by AdLoad adware campaigns. The issue has been addressed in macOS Sequoia 15 released last month.
- Legitimate Red Team Tool Abuse in Real-World Attacks: Threat actors are attempting to weaponize the open-source EDRSilencer tool as part of efforts to interfere with endpoint detection and response (EDR) solutions and hide malicious activity. In doing so, the aim is to render EDR software ineffective and make it a lot more challenging to identify and remove malware.
- TrickMo Can Now Steal Android PINs: Researchers have spotted new variants of the TrickMo Android banking trojan that incorporate features to steal a device’s unlock pattern or PIN by presenting victims with a bogus web page that mimics the device’s actual unlock screen.
- FIDO Alliance Debuts New Specs for Passkey Transfer: One of the major design limitations with passkeys, the new passwordless sign-in method becoming increasingly common, is that it’s impossible to transfer them between platforms such as Android and iOS (or vice versa). The FIDO Alliance has now announced that it aims to make passkeys more interoperable through new draft protocols such as the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) that allow for secure credential exchange.
- Hijack Loader Uses Legitimate Code-Signing Certificates: Malware campaigns are now leveraging a loader family called Hijack Loader that is signed with legitimate code-signing certificates in a bid to evade detection. These attacks typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.
📰 Around the Cyber World
- Apple Releases Draft Ballot to Shorten Certificate Lifespan to 45 Days: Apple has published a draft ballot that proposes to incrementally phase the lifespan of public SSL/TLS certificates from 398 days to 45 days between now and 2027. Google previously announced a similar roadmap of its intention to reduce the maximum validity for public SSL/TLS certificates from 398 days to 90 days.
- 87,000+ Internet-Facing Fortinet Devices Vulnerable to CVE-2024-23113: About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8), which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. watchTowr Labs researcher Aliz Hammond described it as a “super complex vulnerability” that could result in remote code execution. The development comes as Google revealed that of the 138 exploited security vulnerabilities that were disclosed in 2023, 97 of them (70%) were first weaponized as zero-days. The time-to-exploit (TTE) has dropped from an average of 63 days in 2018-19 to just five days in 2023.
- Researchers Outline Early Cascade Injection: Researchers have disclosed a novel-yet-stealthy process injection technique called Early Cascade Injection that makes it possible to evade detection by endpoint security software. “This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique,” Outflank researcher Guido Miggelenbrink said. “Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction.”
- ESET Israeli Partner Breached to Deliver Wiper Malware: In a new campaign, threat actors infiltrated cybersecurity company ESET’s partner in Israel, ComSecure, to send phishing emails that propagated wipers to Israeli companies disguised as antivirus software. “Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes,” the company said in a post on X, adding it was not compromised as a result of the incident.
- Google Outlines Two-Pronged Approach to Tackle Memory Safety Challenges: Google said it’s migrating to memory-safe languages such as Rust, Kotlin, Go, as well as exploring interoperability with C++ through Carbon, to ensure a seamless transition. In tandem, the tech giant emphasized it’s focusing on risk reduction and containment of memory-unsafe code using techniques like C++ hardening, expanding security boundaries like sandboxing and privilege reduction, and leveraging AI-assisted methods like Naptime to uncover security flaws. As recently disclosed, the number of memory safety vulnerabilities reported in Android has dropped significantly from more than 220 in 2019 to a projected 36 by the end of this year. The tech giant has also detailed the ways it’s using Chrome’s accessibility APIs to find security bugs. “We’re now ‘fuzzing’ that accessibility tree – that is, interacting with the different UI controls semi-randomly to see if we can make things crash,” Chrome’s Adrian Taylor said.
Cybersecurity Resources & Insights
LIVE Webinars
1. DSPM Decoded: Learn How Global-e Transformed Their Data Defense: Are your data defenses crumbling? Discover how Data Security Posture Management (DSPM) became Global-e’s secret weapon. In this can’t-miss webinar, Global-e’s CISO breaks down:
- The exact steps that transformed their data security overnight
- Insider tricks to implement DSPM with minimal disruption
- The roadmap that slashed security incidents by 70%
2. Identity Theft 2.0: Defending Against LUCR-3’s Advanced Attacks: LUCR-3 is picking locks to your digital kingdom. Is your crown jewel data already in their crosshairs?
Join Ian Ahl, Mandiant’s former threat-hunting mastermind, as he:
- Decrypts LUCR-3’s shadowy tactics that breach 9 out of 10 targets
- Unveils the Achilles’ heel in your cloud defenses you never knew existed
- Arms you with the counterpunch that leaves LUCR-3 reeling
This isn’t a webinar. It’s your war room strategy session against the internet’s most elusive threat. Seats are filling fast – enlist now or risk becoming LUCR-3’s next trophy.
Cybersecurity Tools
- Vulnhuntr: AI-Powered Open-Source Bug Hunting Tool — What if AI could find vulnerabilities BEFORE hackers? Vulnhuntr uses advanced AI models to find complex security flaws in Python code. In just hours, it uncovered multiple 0-day vulnerabilities in major open-source projects.
Tip of the Week
Secure Your Accounts with Hardware Security Key: For advanced protection, hardware security keys like YubiKey are a game-changer. But here’s how to take it up a notch: pair two keys—one for daily use and a backup stored securely offline. This ensures you’re never locked out, even if one key is lost. Also, enable “FIDO2/WebAuthn” protocols when setting up your keys—these prevent phishing by ensuring your key only works with legitimate websites. For businesses, hardware keys can streamline security with centralized management, letting you assign, track, and revoke access across your team in real-time. It’s security that’s physical, smart, and almost foolproof.
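The phishing resistance mentioned in the tip comes from two bindings the relying party must actually check: the browser records the page origin in clientDataJSON, and the authenticator hashes the RP ID into authenticatorData. The following is an added example (not code from The Hacker News or any FIDO library) that builds a constructed login assertion and runs those relying-party checks; the RP ID, origin, challenge and counter values are all made up for the demo, and signature verification with the registered public key is left to the caller.

```python
import base64
import hashlib
import json
import struct

# Constructed values for the demo (not from the original page): the relying
# party we operate and the challenge we issued for this login attempt.
EXPECTED_RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
ISSUED_CHALLENGE = b"constructed-challenge-0123456789"

FLAG_UP = 0x01  # authenticatorData flag: user present
FLAG_UV = 0x04  # authenticatorData flag: user verified


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes, counter: int) -> dict:
    """Simulate what browser + authenticator return for a login: the browser
    fills in the origin, the authenticator hashes the RP ID it was invoked for."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, 32 bytes
    auth_data += bytes([FLAG_UP | FLAG_UV])               # flags, 1 byte
    auth_data += struct.pack(">I", counter)               # signature counter, 4 bytes
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data}


def verify_binding(assertion: dict, rp_id: str, origin: str, challenge: bytes, last_counter: int) -> bytes:
    """Relying-party checks that make a FIDO2 login phishing-resistant. Returns the
    bytes the authenticator signed (authenticatorData || SHA-256(clientDataJSON))
    so the caller can verify the signature with the credential's public key."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if b64url_decode(client_data.get("challenge", "")) != challenge:
        raise ValueError("challenge mismatch (replay?)")
    if client_data.get("origin") != origin:  # set by the browser, not the page
        raise ValueError(f"origin mismatch: {client_data.get('origin')!r}")
    auth_data = assertion["authenticatorData"]
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: key was not invoked for our RP ID")
    if not auth_data[32] & FLAG_UP:
        raise ValueError("user presence not asserted")
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter != 0 and counter <= last_counter:
        raise ValueError("signature counter did not increase (cloned key?)")
    return auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()


def login_ok(origin: str, rp_id: str) -> bool:
    """True if an assertion produced on the given site passes our binding checks."""
    assertion = make_assertion(origin, rp_id, ISSUED_CHALLENGE, counter=42)
    try:
        verify_binding(assertion, EXPECTED_RP_ID, EXPECTED_ORIGIN, ISSUED_CHALLENGE, last_counter=41)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("legitimate site:", login_ok("https://example.com", "example.com"))  # True
    print("look-alike site:", login_ok("https://examp1e.com", "examp1e.com"))  # False
```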
Conclusion
That’s the roundup for this week’s cybersecurity news. Before you log off, take a minute to review your security practices—small steps can make a huge difference. And don’t forget, cybersecurity isn’t just for the IT team; it’s everyone’s responsibility. We’ll be back next week with more insights and tips to help you stay ahead of the curve.
Stay vigilant, and we’ll see you next Monday!
Related news
Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting ScienceLogic SL1 to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation as a zero-day. The vulnerability in question, tracked as CVE-2024-9537 (CVSS v4 score: 9.3), refers to a bug involving an unspecified third-party component that could
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.
The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.
Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access…
Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.
Microsoft disclosed details about the HM Surf vulnerability that could allow an attacker to gain access to the user’s data in Safari
Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user's privacy preferences and access data. The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133. It was addressed by Apple as part of macOS Sequoia 15 by removing the
A MOIS-aligned threat group has been using Microsoft Exchange servers to exfiltrate sensitive data from Gulf-state government agencies.
A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances. The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability. "A security issue
The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT. The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode.
GitHub has released security updates for Enterprise Server (GHES) to address multiple issues, including a critical bug that could allow unauthorized access to an instance. The vulnerability, tracked as CVE-2024-9487, carries a CVSS score of 9.5 out of a maximum of 10.0. "An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain
A security issue was discovered in the Kubernetes Image Builder versions <= v0.1.37 where default credentials are enabled during the image build process. Virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.
Suspected nation-state actors are spotted stringing together three different zero-days in the Ivanti Cloud Services Application to gain persistent access to a targeted system.
A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) as a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the
Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware. Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware. CVE-2024-40711, rated 9.8 out of 10.0 on the
The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region. "The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities
GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. Tracked as CVE-2024-9164, the vulnerability carries a CVSS score of 9.6 out of 10. "An issue was discovered in GitLab EE
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-23113 (CVSS score: 9.8), relates to cases of remote code execution that affects FortiOS, FortiPAM, FortiProxy, and FortiWeb. "A
The security bugs were found susceptible to exploitation in connection to the previously disclosed, critical CVE-2024-8963 vulnerability in the security vendor's Cloud Services Appliance (CSA).
Ivanti has warned that three new security vulnerabilities impacting its Cloud Service Appliance (CSA) have come under active exploitation in the wild. The zero-day flaws are being weaponized in conjunction with another flaw in CSA that the company patched last month, the Utah-based software services provider said. Successful exploitation of these vulnerabilities could allow an authenticated
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Endpoint Manager (EPM) that the company patched in May to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2024-29824, carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity. "An
Though the critical vulnerability was patched in August, Ivanti is reminding customers to update as soon as possible as attacks from unauthenticated threat actors start circulating.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote unauthenticated attacker to bypass the
The critical bug, CVE-2024-8963, can be used in conjunction with the prior known flaw to achieve remote code execution (RCE).
Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild. The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0. "Path Traversal in the Ivanti CSA before 4.6 Patch
The first patch lets threat actors with low-level credentials still exploit the vulnerability, while the second fully resolves the flaw.
CVE-2024-30088 is a Windows kernel elevation of privilege vulnerability which affects many recent versions of Windows 10, Windows 11 and Windows Server 2022. The vulnerability exists inside the function called AuthzBasepCopyoutInternalSecurityAttributes, specifically when the kernel copies the _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION of the current token object to user mode. When the kernel performs the copy of the SecurityAttributesList, it sets up the list of SecurityAttributes structures directly at the user-supplied pointer. It then calls RtlCopyUnicodeString and AuthzBasepCopyoutInternalSecurityAttributeValues to copy out the names and values of the SecurityAttributes, leading to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.
Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution. The list of shortcomings is below - CVE-2024-40711 (CVSS score: 9.8) - A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution. CVE-2024-42024 (CVSS score: 9.1
SolarWinds has issued patches to address a new security flaw in its Web Help Desk (WHD) software that could allow remote unauthenticated users to gain unauthorized access to susceptible instances. "The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing [a] remote unauthenticated user to access internal functionality and modify data," the company
Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild. Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month. The Patch Tuesday
Microsoft today released updates to fix at least 90 security vulnerabilities in Windows and related software, including a whopping six zero-day flaws that are already being actively exploited by attackers.
The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP.
The lone critical security issue is a remote code execution vulnerability due to a use-after-free issue in the HTTP handling function of Microsoft Message Queuing.
Patch Now or Get Hacked: Researchers Confirm Potentially Active Exploitation of One of the FortiOS Flaws in the Wild. (HackRead.com, by Deeba Ahmed: "CISA and Fortinet Warns of New FortiOS Zero-Day Flaws")