THN Cybersecurity Recap: Top Threats, Tools and News (Oct 21 - Oct 27)

The Hacker News

Cybersecurity news can sometimes feel like a never-ending horror movie, can’t it? Just when you think the villains are locked up, a new threat emerges from the shadows.

This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don’t worry, we’re here to break it all down in plain English and arm you with the knowledge you need to stay safe.

So grab your popcorn (and maybe a firewall), and let’s dive into the latest cybersecurity drama!

⚡ Threat of the Week

Critical Fortinet Flaw Comes Under Exploitation: Fortinet revealed that a critical security flaw impacting FortiManager (CVE-2024-47575, CVSS score: 9.8), which allows for unauthenticated remote code execution, has come under active exploitation in the wild. Exactly who is behind it is currently not known. Google-owned Mandiant is tracking the activity under the name UNC5820.

🚢🔐 Kubernetes Security for Dummies

How to implement a container security solution and Kubernetes Security best practices all rolled into one. This guide includes everything essential to know about building a strong security foundation and running a well-protected operating system.

🔥 Trending CVEs

CVE-2024-41992, CVE-2024-20481, CVE-2024-20412, CVE-2024-20424, CVE-2024-20329, CVE-2024-38094, CVE-2024-8260, CVE-2024-38812, CVE-2024-9537, CVE-2024-48904

🔔 Top News

  • Severe Cryptographic Flaws in 5 Cloud Storage Providers: Cybersecurity researchers have discovered severe cryptographic issues in end-to-end encrypted (E2EE) cloud storage platforms Sync, pCloud, Icedrive, Seafile, and Tresorit that could be exploited to inject files, tamper with file data, and even gain direct access to plaintext. The attacks, however, hinge on an attacker gaining access to a server in order to pull them off.
  • Lazarus Exploits Chrome Flaw: The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome (CVE-2024-4947) to seize control of infected devices. The vulnerability was addressed by Google in mid-May 2024. The campaign, which is said to have commenced in February 2024, involved tricking users into visiting a website advertising a multiplayer online battle arena (MOBA) tank game, but incorporated malicious JavaScript to trigger the exploit and grant attackers remote access to the machines. The website was also used to deliver a fully-functional game, but packed in code to deliver additional payloads. In May 2024, Microsoft attributed the activity to a cluster it tracks as Moonstone Sleet.
  • AWS Cloud Development Kit (CDK) Account Takeover Flaw Fixed: A now-patched security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) could have allowed an attacker to gain administrative access to a target AWS account, resulting in a full account takeover. Following responsible disclosure on June 27, 2024, the issue was addressed by Amazon in CDK version 2.149.0 released in July 2024.
  • SEC Fines 4 Companies for Misleading SolarWinds Disclosures: The U.S. Securities and Exchange Commission (SEC) charged four public companies, Avaya, Check Point, Mimecast, and Unisys, for making “materially misleading disclosures” related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020. The federal agency accused the companies of downplaying the severity of the breach in their public statements.
  • 4 REvil Members Sentenced in Russia: Four members of the now-defunct REvil ransomware operation, Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov, have been sentenced to several years in prison in Russia. They were originally arrested in January 2022 following a law enforcement operation by Russian authorities.

📰 Around the Cyber World

  • Delta Air Lines Sues CrowdStrike for July Outage: Delta Air Lines filed a lawsuit against CrowdStrike in the U.S. state of Georgia, accusing the cybersecurity vendor of breach of contract and negligence after a major outage in July caused 7,000 flight cancellations, disrupted travel plans of 1.3 million customers, and cost the carrier over $500 million. “CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit,” it said. “If CrowdStrike had tested the Faulty Update on even one computer before deployment, the computer would have crashed.” CrowdStrike said “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.”
  • Meta Announces Secure Way to Store WhatsApp Contacts: Meta has announced a new encrypted storage system for WhatsApp contacts called Identity Proof Linked Storage (IPLS), allowing users to create and save contacts along with their usernames directly within the messaging platform by leveraging key transparency and a hardware security module (HSM). Until now, WhatsApp relied on a phone’s contact book for syncing purposes. NCC Group, which carried out a security assessment of the new framework and uncovered 13 issues, said IPLS “aims to store a WhatsApp user’s in-app contacts on WhatsApp servers in a privacy-friendly way” and that “WhatsApp servers do not have visibility into the content of a user’s contact metadata.” All the identified shortcomings have been fully fixed as of September 2024.
  • CISA, FBI Investigating Salt Typhoon Attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the U.S. government is investigating “the unauthorized access to commercial telecommunications infrastructure” by threat actors linked to China. The development comes amid reports that the Salt Typhoon hacking group broke into the networks of AT&T, Verizon, and Lumen. The affected companies have been notified after the “malicious activity” was identified, CISA said. The breadth of the campaign and the nature of information compromised, if any, is unclear. Multiple reports from The New York Times, The Wall Street Journal, Reuters, Associated Press, and CBS News have claimed that Salt Typhoon used their access to telecommunications giants to tap into phones or networks used by Democratic and Republican presidential campaigns.
  • Fraudulent IT Worker Scheme Becomes a Bigger Problem: While North Korea has been in the news recently for its attempts to gain employment at Western companies, and even demanding ransom in some cases, a new report from identity security company HYPR shows that the employee fraud scheme isn’t limited to that country. The company said it recently offered a contract to a software engineer claiming to be from Eastern Europe. But the subsequent onboarding and video verification process raised a number of red flags about their true identity and location, prompting the unnamed individual to pursue another opportunity. There is currently no evidence tying the fraudulent hire to North Korea, and it’s not clear what they were after. “Implement a multi-factor verification process to tie real world identity to the digital identity during the provisioning process,” HYPR said. “Video-based verification is a critical identity control, and not just at onboarding.”
  • Novel Attacks on AI Tools: Researchers have uncovered a way to manipulate digital watermarks generated by AWS Bedrock Titan Image Generator, making it possible for threat actors to not only apply watermarks to any image, but also remove watermarks from images generated by the tool. The issue has been patched by AWS as of September 13, 2024. The development follows the discovery of prompt injection flaws in Google Gemini for Workspace, allowing the AI assistant to produce misleading or unintended responses, and even distribute malicious documents and emails to target accounts when users ask for content related to their email messages or document summaries. New research has also found a form of LLM hijacking attack wherein threat actors are capitalizing on exposed AWS credentials to interact with large language models (LLMs) available on Bedrock, in one instance using them to fuel a Sexual Roleplaying chat application that jailbreaks the AI model to “accept and respond with content that would normally be blocked” by it. Earlier this year, Sysdig detailed a similar campaign called LLMjacking that employs stolen cloud credentials to target LLM services with the goal of selling the access to other threat actors. But in an interesting twist, attackers are now also attempting to use the stolen cloud credentials to enable the models, instead of just abusing those that were already available.

🔥 Resources & Insights

🎥 Infosec Expert Webinar

Master Data Security in the Cloud with DSPM: Struggling to keep up with data security in the cloud? Don’t let your sensitive data become a liability. Join our webinar and learn how Global-e, a leading e-commerce enabler, dramatically improved their data security posture with DSPM. CISO Benny Bloch reveals their journey, including the challenges, mistakes, and critical lessons learned. Get actionable insights on implementing DSPM, reducing risk, and optimizing cloud costs. Register now and gain a competitive edge in today’s data-driven world.

🛡️ Ask the Expert

Q: What is the most overlooked vulnerability in enterprise systems that attackers tend to exploit?

A: The most overlooked vulnerabilities in enterprise systems often lie in IAM misconfigurations like over-permissioned accounts, lax API security, unmanaged shadow IT, and poorly secured cloud federations. Tools like Azure PIM or SailPoint help enforce least privilege by managing access reviews, while Kong or Auth0 secure APIs through token rotation and WAF monitoring. Shadow IT risks can be reduced with Cisco Umbrella for app discovery, and Netskope CASB for enforcing access control. To secure federations, use Prisma Cloud or Orca to scan settings and tighten configurations, while Cisco Duo enables adaptive MFA for stronger authentication. Finally, safeguard service accounts with automated credential management through HashiCorp Vault or AWS Secrets Manager, ensuring secure, just-in-time access.

🔒 Tip of the Week

Level Up Your DNS Security: While most people focus on securing their devices and networks, the Domain Name System (DNS)—which translates human-readable domain names (like example.com) into machine-readable IP addresses—is often overlooked. Imagine the internet as a vast library and DNS as its card catalog; to find the book (website) you want, you need the right card (address). But if someone tampered with the catalog, you could be steered to fake websites built to steal your information. To enhance DNS security, use a privacy-focused resolver that doesn’t track your searches (a private catalog), block malicious sites using a “hosts” file (rip out the cards for dangerous books), and employ a browser extension with DNS filtering (hire a librarian to keep an eye out). Additionally, enable DNSSEC to verify the authenticity of DNS records (verify the card’s authenticity) and encrypt your DNS requests using DoH or DoT (whisper your requests so no one else can hear).
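The DNSSEC and encryption tips above are connected in a way the analogy hides: a validating resolver signals a successful DNSSEC check by setting the AD (Authenticated Data) bit in the response header, but a stub client should only trust that bit when the path to the resolver is itself protected (DoT or DoH), since anyone able to rewrite plaintext UDP answers can set it too. The following is an added example, not code from The Hacker News or any resolver project: it decodes the 12-byte DNS header with Python's standard library and classifies what the resolver reported. The sample response headers are constructed by hand rather than captured from a live resolver.

```python
"""Decode DNS response header flags and report what a validating resolver
said about the answer (AD = Authenticated Data, CD = Checking Disabled).
Added example with hand-constructed headers; not captured traffic."""

import struct

# Bit positions within the 16-bit flags word (RFC 1035 s4.1.1; AD/CD from RFC 2535 s6.1)
QR = 1 << 15   # query (0) / response (1)
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # authenticated data: resolver validated the answer with DNSSEC
CD = 1 << 4    # checking disabled: client asked the resolver not to validate

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & AA),
        "truncated": bool(flags & TC),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "authenticated_data": bool(flags & AD),
        "checking_disabled": bool(flags & CD),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dnssec_status(msg: bytes) -> str:
    """Classify the resolver's DNSSEC verdict for one response."""
    h = parse_header(msg)
    if not h["is_response"]:
        return "not-a-response"
    if h["rcode"] == "SERVFAIL":
        # A validating resolver returns SERVFAIL for bogus (failed-validation) data;
        # at this layer it cannot be told apart from an ordinary upstream failure.
        return "servfail (possible validation failure)"
    if h["checking_disabled"]:
        return "unvalidated (client set CD)"
    return "validated (AD set)" if h["authenticated_data"] else "unvalidated (AD clear)"


def build_header(ident: int, flags: int, qd: int = 1, an: int = 1, ns: int = 0, ar: int = 0) -> bytes:
    """Pack a header; used here only to construct the sample responses below."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed sample headers (no real DNS traffic involved)
VALIDATED = build_header(0x1234, QR | RD | RA | AD)        # signed zone, validation passed
UNSIGNED = build_header(0x1235, QR | RD | RA)              # answer from an unsigned zone
BOGUS = build_header(0x1236, QR | RD | RA | 2, an=0)       # rcode 2 = SERVFAIL, no answers

if __name__ == "__main__":
    for name, hdr in (("validated", VALIDATED), ("unsigned", UNSIGNED), ("bogus", BOGUS)):
        print(f"{name:10s} -> {dnssec_status(hdr)}")
```

Treat the AD bit as meaningful only for responses that arrived over a channel you trust (a local validating resolver, or a remote one reached via DoT or DoH); over plaintext UDP it is just another bit an on-path party can flip.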

Conclusion

And there you have it – another week’s worth of cybersecurity challenges to ponder. Remember, in this digital age, vigilance is key. Stay informed, stay alert, and stay safe in the ever-evolving cyber world. We’ll be back next Monday with more news and insights to help you navigate the digital landscape.

Related news

Fortinet FortiManager Unauthenticated Remote Code Execution

This Metasploit module exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. The vulnerable FortiManager versions are 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and 6.2.0 through 6.2.12. The vulnerable FortiManager Cloud versions are 7.4.1 through 7.4.4, 7.2.1 through 7.2.7, 7.0.1 through 7.0.12, and 6.4 (all versions).

About Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability

About Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability. FortiManager is a centralized solution for configuring, enforcing policies, updating, and monitoring Fortinet network devices. 🔻 The vulnerability was released on October 23. A missing authentication for critical function in the FortiManager fgfmd (FortiGate-to-FortiManager) daemon allows remote attacker to execute arbitrary code or commands via specially […]

The severity of the Remote Code Execution – Microsoft SharePoint (CVE-2024-38094) vulnerability has increased

The severity of the Remote Code Execution – Microsoft SharePoint (CVE-2024-38094) vulnerability has increased. It was fixed as part of the July Microsoft Patch Tuesday (July 9). SharePoint is a popular platform for corporate portals. According to the Microsoft bulletin, an authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code […]

Researchers Discover Command Injection Flaw in Wi-Fi Alliance's Test Suite

A security flaw impacting the Wi-Fi Test Suite could enable unauthenticated local attackers to execute arbitrary code with elevated privileges. The CERT Coordination Center (CERT/CC), which is tracking the vulnerability as CVE-2024-41992, said the susceptible code from the Wi-Fi Alliance has been found deployed on Arcadyan FMIMG51AX000J routers. "This flaw allows an unauthenticated local attacker to

UNC5820 Exploits FortiManager Zero-Day Vulnerability (CVE-2024-47575)

Fortinet and Mandiant investigated the mass exploitation of FortiManager devices via CVE-2024-47575, impacting 50+ systems across industries. Threat…

Critical Bug Exploited in Fortinet's Management Console

An attacker compromised one of Fortinet's most sensitive products and mopped up all kinds of reconnaissance data helpful for future mass device attacks.

Lazarus Group Exploits Chrome 0-Day for Crypto with Fake NFT Game

North Korean hackers from Lazarus Group exploited a zero-day vulnerability in Google Chrome to target cryptocurrency investors with…

Cisco ASA, FTD Software Under Active VPN Exploitation

Unauthenticated threat actors can remotely trigger a denial-of-service (DoS) condition in the Remote Access VPN service of Cisco's ASA and Firepower software.

Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack

Cisco on Wednesday said it has released updates to address an actively exploited security flaw in its Adaptive Security Appliance (ASA) that could lead to a denial-of-service (DoS) condition. The vulnerability, tracked as CVE-2024-20481 (CVSS score: 5.8), affects the Remote Access VPN (RAVPN) service of Cisco ASA and Cisco Firepower Threat Defense (FTD) Software. Arising due to resource

Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices. Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor. This entails triggering the

Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation

Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild. Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol. "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may

Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

On Monday, October 21, updates for the critical Remote Code Execution – VMware vCenter (CVE-2024-38812) vulnerability were released again

On Monday, October 21, updates for the critical Remote Code Execution – VMware vCenter (CVE-2024-38812) vulnerability were released again. Wait, haven’t fixes for this vulnerability been available since September 17th? They were, but it was not enough. “VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not completely address […]

Microsoft SharePoint Vuln Is Under Active Exploit

The risk of exploitation is heightened, thanks to a proof-of-concept that's been made publicly available.

CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result

OPA for Windows Vulnerability Exposes NTLM Hashes

The vulnerability affects all versions prior to v0.68.0 and highlights the risks organizations assume when consuming open source software and code.

Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers

Details have emerged about a now-patched security flaw in Styra's Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes. "The vulnerability could have allowed an attacker to leak the NTLM credentials of the OPA server's local user account to a remote server, potentially allowing the attacker to relay the authentication or

VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability

VMware has released software updates to address an already patched security flaw in vCenter Server that could pave the way for remote code execution. The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), concerns a case of heap-overflow vulnerability in the implementation of the DCE/RPC protocol. "A malicious actor with network access to vCenter Server may trigger this vulnerability by

CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting ScienceLogic SL1 to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation as a zero-day. The vulnerability in question, tracked as CVE-2024-9537 (CVSS v4 score: 9.3), refers to a bug involving an unspecified third-party component that could

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, Lebanese pagers, VM and IT annual bonuses

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, Lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices […]

Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution

Broadcom on Tuesday released updates to address a critical security flaw impacting VMware vCenter Server that could pave the way for remote code execution. The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), has been described as a heap-overflow vulnerability in the DCE/RPC protocol. "A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a

North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit. The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation

Google has revealed that a security flaw that was patched as part of a security update rolled out last week to its Chrome browser has come under active exploitation in the wild. Tracked as CVE-2024-7965, the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine. "Inappropriate implementation in V8 in Google Chrome prior to

Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild

Google has rolled out security fixes to address a high-severity security flaw in its Chrome browser that it said has come under active exploitation in the wild. Tracked as CVE-2024-7971, the vulnerability has been described as a type confusion bug in the V8 JavaScript and WebAssembly engine. "Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap

Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities

This is the largest Patch Tuesday since April, when Microsoft patched 150 vulnerabilities.
