By Deeba Ahmed
Midnight Blizzard (aka Cozy Bear and APT29) originally breached Microsoft on January 12, 2024.
This is a post from HackRead.com Read the original post: Russian Midnight Blizzard Hackers Breached Microsoft Source Code

Microsoft confirms that Russian state-sponsored hackers, known as Midnight Blizzard, infiltrated their systems and stole source code. Experts warn of potential zero-day vulnerabilities.

Microsoft has been hit by a significant cybersecurity breach, with the company confirming that Russian hackers infiltrated its infrastructure, compromising valuable source code.

The breach, originally discovered on January 12, 2024, and **reported** on January 19, raised concerns about the potential misuse of proprietary information and the security of millions of users relying on Microsoft’s products and services.

Earlier this year, Microsoft disclosed that Russian state-sponsored hackers referred to as Midnight Blizzard (also known as Nobelium, Cozy Bear, and APT29), have been spying on the email accounts of Microsoft’s team members. The group, known for the **devastating SolarWinds attack**, successfully stole source code in what Microsoft now terms an “ongoing attack.”

Reportedly, the hackers infiltrated a “small percentage of corporate email accounts” and stole internal messages and files in an attack that began in late November 2023. The threat actor compromised a non-production test tenant account using a password spray attack, accessing some Microsoft corporate email accounts, including senior leadership and cybersecurity employees, and exfiltrating emails and documents.

The attackers exploited vulnerabilities in Microsoft’s defences, gaining unauthorized access to a substantial portion of source code, including Windows OS components, Office Suite, and other critical software elements.

****Update from Microsoft****

Previously, Microsoft stated that there was no evidence that the “threat actor had any access to customer environments, production systems, source code, or AI systems.” However, as per Microsoft’s update **published** on March 8, 2024, Midnight Blizzard is using information from corporate email systems to gain unauthorized access, including access to source code repositories and internal systems. Still, the company asserts that there’s no evidence that attackers compromised Microsoft-hosted customer-facing systems.

**Midnight Blizzard** is using various tactics to attack Microsoft, some of which were shared between Microsoft and its customers via emails. Moreover, the company claims hackers increased the attack volume, such as password sprays, by up to 10 times in February compared to January.

Microsoft has increased security investments and coordinated cross-enterprise efforts to counter Midnight Blizzard’s persistent threat. The company is enhancing its security controls, detections, and monitoring, as well as conducting ongoing investigations into the group’s activities.

Hackread will continue to share findings and information as they evolve. Users are advised to implement security updates, report suspicious activity, and adhere to security best practices.

**Ariel Parnes**, former Head of the Israeli Intelligence Service Cyber Department, winner of the Israel Defense Prize for tech innovations in the cyber field, and COO and Co-Founder at SaaS incident response leader, Mitiga, shared the following insights with Hackread.com:

“For advanced nation-state cyber groups, access to a company’s source code is akin to finding the master key to its digital kingdom, opening up avenues for finding new zero-day vulnerabilities: undiscovered security flaws that can be exploited before they’re known to the software creators or the public.”

Ariel warned that “Zero-day vulnerabilities represent a critical threat because there’s no straightforward way to detect them until after they’ve been discovered and disclosed by the software creators. Given this challenging landscape, organizations need to double down on cybersecurity measures focused on proactive defence.”

1.  Microsoft Disables App Installer After It’s Abused for Malware
2.  Fake Ledger App on Microsoft Store to Steal $800k in Crypto
3.  Microsoft Azure Exploited to Create Undetectable Cryptominer
4.  Microsoft Teams External Access Abuses for DarkGate Malware
5.  Microsoft Outlook Flaw Exploited by Russian Forest Blizzard Group

Russian Midnight Blizzard Hackers Breached Microsoft Source Code

The FBI has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, whether or not someone has set up MFA.

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up.

Here’s how it works.

Most of us don’t think twice about checking the “Remember me” box when we log in. When you log in and the server has verified your authentication—straight away or after using MFA–the server creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a “Remember-Me cookie” as the FBI calls it) on your browser, which is typically valid for 30 days.

Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system.

If someone steals the session cookie, they can log in as you—even if you have MFA enabled.

This is particularly relevant for email handlers that have an online—webmail—component. This includes major players like Gmail, Outlook, Yahoo, and AOL.

With access to your email account, a cybercriminal can find a lot of useful information about you, such as where you bank, your account numbers, your favorite shops, and more. This information could then be used for targeted cyberattacks that mention information that’s relevant to you only, leaving you more likely to fall for them.

Cybercriminals could use your account to spread spam and phishing emails to your contacts. And perhaps most worrying of all, once an attacker is in your email account they can reset your passwords to your other accounts and login as you there too.

How do these criminals get their hands on your session cookies? There are several ways.

On very rare occasions, session cookies can be stolen by you visiting a malicious website, or via a Machine-in-the-Middle (MitM) attack where a cybercriminal can intercept traffic and steal cookies if they’re not protected by HTTPS on an unsecured network.

However, session cookies are usually stolen by malware on the your device. Modern information-stealing malware is capable of, and even focuses on, stealing session cookies as part of its activity.  

**How to keep your email account safe**

There are a few things you can do to stay safe from the cookie thieves:

*   Use security software on every device you use.
*   Keep your devices and the software on them up to date, so there aren’t any known vulnerabilities on them.
*   Decide whether you think it’s worth using the Remember me option. Is convenience worth the risk in this situation?
*   Delete cookies, or—even better—log out when you are done. That should also remove or invalidate the session ID from the server, so nobody can use it to log in, even if they have the session cookie.
*   Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission.
*   For important accounts regularly check the log in history where you can see which devices logged in when and from where. You should be able to find this option in your account settings.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Warning: Hackers could take over your email account by stealing cookies, even if you have MFA 

SUMMARY Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake,…

****SUMMARY****

*   **Dubbed AuthQuake; the flaw in Microsoft MFA allowed attackers to bypass security measures and access accounts.**

*   **Vulnerability impacted Azure, Office 365, and other Microsoft services with over 400 million users at risk.**

*   **Exploit leveraged the lack of rate limiting and extended validity of TOTP codes for login sessions.**

*   **Attackers could bypass MFA in under 70 minutes with a 50% success rate without user interaction.**

*   **Microsoft patched the flaw permanently on October 9, 2024, with stricter rate-limiting mechanisms.**

Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake, which allows attackers to bypass security measures and gain unauthorized access to user accounts. 

With over 400 million paid Office 365 subscriptions, the vulnerability could be a highly lucrative opportunity for cyber criminals to steal sensitive information such as emails, files, and communications across Microsoft’s platforms like Outlook, OneDrive, Teams, Azure, etc.

****Exploiting Rate Limit and Time-Based One-Time Password (TOTP)****

The exploit takes advantage of two key weaknesses in the MFA setup: Lack of Rate Limiting and Extended Timeframe for TOTP Codes. When users log in, they’re assigned a session ID and asked to verify their identity using a Time-Based One-Time Password (TOTP) from an authenticator app. The problem is that the system permits up to 10 failed login attempts per session without notifying the user or triggering any alerts.

The lack of rate limiting allows attackers to quickly create new login sessions and trial multiple TOTP codes, which are essentially six-digit numbers. Given that there are a million possible combinations for these codes, an attacker could theoretically exhaust all options without encountering any security measures.

On the other hand, TOTP codes are typically valid for only 30 seconds, the testing conducted by Oasis revealed that the system allowed codes to remain valid for up to 3 minutes. This extended time frame significantly increases the chances of success for an attacker attempting to guess the correct code.

****Result?****

According to Oasis Security’s **blog post** shared with Hackread.com ahead of its publishing on Wednesday, December 11, researchers concluded that attackers could bypass MFA in under 70 minutes with a 50% success rate, all without any user interaction or alerts. Here’s a demonstration the researchers created while testing the exploit themselves:

****Microsoft’s Response****

Oasis Security reported the incident to **Microsoft**. The tech giant was quick to respond and implemented a permanent fix on October 9, 2024, after a temporary fix was deployed on July 4, 2024. The fix involved introducing stricter rate limits that activate after a number of failed attempts, lasting for about half a day.

**Jason Soroko**, Senior Fellow at Sectigo, emphasizes the broader implications of this discovery stating, _“_AuthQuake highlights significant flaws in Microsoft’s MFA implementation. It’s a wake-up call for organizations to adopt patches and reconsider their reliance on outdated MFA solutions. The move towards passwordless authentication is not just a trend but a necessity for future-proofing our security measures._“_

****Lesson for Users and Companies****

While the specific flaw has been patched, organizations should inform employees about the importance of cybersecurity and encourage them to report any suspicious login attempts. Moreover, despite the recent issues, MFA remains a critical security measure therefore, use authenticator apps or explore stronger **passwordless methods** for added protection.

1.  **Microsoft Bookings Flaw Enables Account Hijacking**
2.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
3.  **Hackers Use Excel Files to Deliver Remcos RAT Variant**
4.  **Azure AI Flaws Lets Attacks Bypass Moderation Safeguards**
5.  **Microsoft Azure Exploited to Create Undetectable Cryptominer**

AuthQuake Flaw Allowed MFA Bypass Across Azure, Office 365 Accounts

Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.
The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat

Cyber Threat / Password Security

Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.

The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said.

Midnight Blizzard, formerly known as **Nobelium**, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes.

The group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities.

It's a sign of how determined they are to keep their operations up and running despite being exposed, which makes them a particularly formidable actor in the espionage area.

"These credential attacks use a variety of password spray, brute-force, and token theft techniques," Microsoft said in a series of tweets, adding the actor "also conducted session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale."

The tech giant further called out APT29 for its use of residential proxy services to route malicious traffic in an attempt to obfuscate connections made using compromised credentials.

"The threat actor likely used these IP addresses for very short periods, which could make scoping and remediation challenging," the Windows makers said.

The development comes as Recorded Future detailed a new spear-phishing campaign orchestrated by APT28 (aka BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear) targeting government and military entities in Ukraine since November 2021.

The attacks leveraged emails bearing attachments exploiting multiple vulnerabilities in the open-source Roundcube webmail software (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to conduct reconnaissance and data gathering.

A successful breach enabled the Russian military intelligence hackers to deploy rogue JavaScript malware that redirected the incoming emails of targeted individuals to an email address under the attackers' control as well as steal their contact lists.

"The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients," the cybersecurity company said. "The spear-phishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources."

More importantly, the activity is said to dovetail with another set of attacks weaponizing a then-zero-day flaw in Microsoft Outlook (CVE-2023-23397) that Microsoft disclosed as employed in "limited targeted attacks" against European organizations.

The privilege escalation vulnerability was addressed as part of Patch Tuesday updates rolled out in March 2023.

The findings demonstrate Russian threat actors' persistent efforts in harvesting valuable intelligence on various entities in Ukraine and across Europe, especially following the full-scale invasion of the country in February 2022.

The cyberwarfare operations aimed at Ukrainian targets have been notably marked by the widespread deployment of wiper malware designed to delete and destroy data, turning it into one of the earliest instances of large-scale hybrid conflict.

"BlueDelta will almost certainly continue to prioritize targeting Ukrainian government and private sector organizations to support wider Russian military efforts," Recorded Future concluded.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers

Zooms On-Premise Meeting Connector MMR before version 4.8.113.20220526 fails to properly check the permissions of a Zoom meeting attendee. As a result, a threat actor in the Zooms waiting room can join the meeting without the consent of the host.

CVE-2022-28749: Security Bulletin

By Deeba Ahmed
The Ddostf Botnet was initially identified in 2016.
This is a post from HackRead.com Read the original post: Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

Researchers claim that the Chinese Ddostf botnet is specifically designed for launching DDoS attacks and that the threat actors are operating a DDoS-for-hire service.

AhnLab Security Emergency Response Center (ASEC) researchers have shared alarming **details** of a new campaign targeting MySQL servers and Docker hosts with DDoS malware.

AhnLab noted that attacks targeting MySQL servers on Windows systems have increased sharply, and vulnerable servers are infected with the Chinese botnet Ddostf, **discovered** in 2016.

Researchers claim that this malware is specifically designed for launching DDoS attacks and that the threat actor is operating a **DDoS-for-hire service**.

According to the AESC blog post, threat actors scan for exploitable MySQL servers. After compromising the servers, threat actors install the Ddostf DDoS botnet to launch distributed denial-of-service (DDoS) attacks against other servers.

**MySQL servers** are a common target in such campaigns because of their widespread use in Windows and Linux environments. Although MS-SQL is a preferred database service for Windows users, MySQL servers are also commonly used on Windows, which makes the systems running them a prime target for cybercriminals.

Based on data from AhnLab’s Smart Defense (ASD) logs, most malware targeting vulnerable MySQL servers were **Gh0st RAT** variants, but instances of **AsyncRAT** were also observed and recently, there’s been an uptick in the use of the Ddostf botnet.

Ddostf is a powerful malware that copies itself with a random name in the %SystemRoot% directory and registers as a service before decrypting the encrypted C2 server URL string to connect to the attackers’ server. It can collect system data and transfer it to the C2 server. Then it waits for specific commands (e.g., SYN, UDP, and HTTP GET/POST floods) to launch the **DDoS attacks**.

The botnet is unique because it can connect to a new address from the C2 server and execute commands there for a limited time. This helps the Ddostf botnet operator to infect multiple systems and sell DDoS attacks as a service. Ddostf can target Linux and Windows systems because of supports both ELF and PE formats and can achieve persistence. 

Attackers first scan for publicly accessible systems using port 3306/TCP and after accessing the server (those with known vulnerabilities or weak credentials), they use brute-force or dictionary attacks on the system.

If the system has signs of poor credential management, attackers can gain access to administrator account credentials. If the system runs an **unpatched version with vulnerabilities**, attackers can exploit them to execute commands without needing these processes. Unlike MS-SQL, which entails direct OS command execution methods, MySQL relies on UDFs (User-Defined Functions) that can allow threat actors to execute commands.

They can also install malicious UDF DLLS on infected MySQL servers and execute commands. Like CLR Stored Procedure WebShell work, these DLLs can provide threat actors complete control of the infected system. In the case of the Ddostf DDoS bot, attackers use the UDF malware as a tool to install it on poorly managed MySQL servers.

Database servers get frequently targeted because of poorly managed account credentials. Administrators must use strong passwords apart from applying the latest patches to protect their servers. Firewalls can be used to restrict access to external actors, and a DDoS mitigation service can help protect against **large-scale attacks**.

****_RELATED ARTICLES_****

1.  **Who Killed the Mozi IoT Zombie Botnet – India or China?**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Dark.IoT & Custom Botnets Exploit Zyxel Flaw in DDoS Attacks**
4.  **How Chinese Hackers Stole Signing Key to Breach Outlook Accounts**
5.  **Chinese Scammers Exploit Cloned Websites in Vast Gambling Network**

Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

By Waqas
A critical Zoom Room vulnerability allowed exploiting service accounts for unauthorized tenant access.
This is a post from HackRead.com Read the original post: Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data

The Zoom vulnerability was originally discovered in June 2023. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.

Zoom Rooms, the cloud-based video conferencing platform by **Zoom**, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room’s service account, gaining unauthorized access to the victim organization’s tenant.

Exploiting this Zoom vulnerability allows attackers to hijack meetings, manipulate the Contacts feature, infiltrate organization-wide whiteboards, and extract sensitive data from Team Chat channels, even without an invitation. What’s particularly concerning is that these actions can be carried out without detection.

In June 2023, a researcher at AppOmn discovered a vulnerability in Zoom Rooms during HackerOne’s live hacking event, **H1-4420**, where Zoom was a participating company. Despite the discovery being made earlier, the details were only publicly disclosed on November 28, 2023.

In a **blog post** shared with Hackread.com ahead of its scheduled publication on Tuesday, Ciarán Cotter from AppOmni outlined that once attackers gain access to an organization’s tenant, they can infiltrate confidential data shared within Team Chat, Whiteboards, and other Zoom applications.

For your information, **Zoom Rooms** allow team members from different physical locations to collaborate over Zoom. To set it up, the Zoom Rooms app must be installed on a device, such as an iPad. It serves as a terminal for everyone in the room. This device is of critical importance as it attends the meetings on behalf of all. 

When a user creates a Zoom Room, their service account is automatically created with licenses for Whiteboards and Meetings. These accounts possess extensive access within the tenant because of their function as regular team members. 

Exploiting the Zoom vulnerability enabled attackers to predict service account email addresses, hijack the accounts, and collect sensitive information. The issue arose because the Zoom Rooms service account ID was directly inherited from the user with the Owner role in the tenant during the account creation process.

This flaw meant that being in the same meeting as a Zoom Room and messaging it on Team Chat could expose the entire email address, given that it followed the format:  **rooms_<account ID>@companydomain.com.** 

With this information, attackers could create an arbitrary Outlook email address that matches the format: **room__<account ID>@outlook.com** and use it to follow the Zoom sign-up flow. They would receive the activation link sent to the Zoom Room’s email address. With the control of the email inbox, they can click the link and activate the account.

The issue was further intensified by the fact that service accounts couldn’t be removed from Team Chat channels. However, there’s nothing to be wary of as Zoom has addressed this vulnerability by removing the ability to activate Zoom Room accounts. This prevents threat actors from exploiting this predictable email format and claiming unauthorized access to Zoom room service accounts.

Still, this finding highlights the potential misuse of service accounts to gain unauthorized access to **SaaS** systems. Service accounts are frequently used by third-party applications to access SaaS data. Therefore, safeguarding these applications and service accounts is critical for maintaining a robust SaaS security posture.

****_RELATED ARTICLES_****

1.  Zoom Phishing Scam Steals Microsoft Exchange Credentials
2.  Fake Zoom installers infect PCs with RevCode WebMonitor RAT
3.  Zoom web client flaw could’ve let hackers crack meetings passcode
4.  Zoom adds Two-factor authentication (2FA) as extra layer of security
5.  Fake Zoom meeting invite phishing scam harvests Microsoft credentials
6.  ‘Zoom account suspended’ phishing scam aims at Office 365 credentials

Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data

By Deeba Ahmed
Attackers Leveraging Windows Vulnerability in Phemedrone Malware Campaign for Enhanced Stealth.
This is a post from HackRead.com Read the original post: Windows Defender SmartScreen Vulnerability Exploited with Phemedrone Stealer

The vulnerability was patched on November 14, 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list due to evidence of in-the-wild exploitation.

The vulnerability was patched on November 14, 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list due to evidence of in-the-wild exploitation. Since its discovery, numerous malware campaigns, including the Phemedrone Stealer payload, have exploited it in their attack chains.

Cybersecurity researchers at Trend Micro have discovered that a vulnerability affecting Microsoft Windows Defender SmartScreen, tracked as CVE-2023-36025, is being exploited to infect users with Phemedrone Stealer.

For your information, Windows Defender SmartScreen is a built-in security feature in Microsoft Windows 8 and later that helps protect users from malicious websites, downloads, and applications. It acts as a first line of defence against a variety of threats, including phishing websites, malicious downloads and untrusted applications.

This open-source malware strain targets web browsers, cryptocurrency wallets, and messaging apps like Telegram, Steam, and Discord. Its additional capabilities allow the malware to take screenshots gather system information such as hardware details and location data and send stolen data to attackers via Telegram or their C2 server. Phemedrone Stealer is maintained on GitHub and Telegram.

Reportedly, hackers use social media to spread URL files that appear as harmless link shortcuts, which are then downloaded and run by clicking on them. The infection process begins with an attacker hosting malicious Internet Shortcut files on cloud services like Discord or FileTransfer.io, disguised using URL shorteners like shorturl.at. An unsuspecting user may be tricked into opening a maliciously crafted.url file that exploits CVE-2023-36025.

The attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism. The.cpl file is executed through the Windows Control Panel process binary, calling rundll32.exe to execute a malicious DLL.

The malware, hosted on GitHub, downloads a ZIP file containing three files: WerFaultSecure.exe, Wer.dll, and Secure.pdf. The wer.dll file is crucial for the loader’s functionality. The attacker executes the loader using DLL sideloading, spoofing a malicious DLL file in the application’s directory.

The DATA3.txt file masks its contents, making deciphering its purpose difficult. The malware collects system information, compresses it into a ZIP file, and sends the compressed data to the attacker via SendMessage and SendZip methods. Through techniques like API hashing and string encryption, the malware evades detection and complicates reverse engineering.

CVE-2023-36025, having a CVSS score of 8.8, affects Microsoft Windows Defender SmartScreen because of its lack of checks on Internet Shortcut files, allowing attackers to create.url files and execute malicious scripts.

The vulnerability was patched on November 14, 2023, but the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) list due to evidence of in-the-wild exploitation. Since its discovery, numerous malware campaigns, including the Phemedrone Stealer payload, have exploited it in their attack chains.

To stay protected, developers should regularly update their operating systems, apps, and security solutions, be cautious with Internet Shortcut files, and implement advanced solutions like real-time monitoring and threat detection capabilities.

****_RELATED ARTICLES_****

1.  **Microsoft Disables App Installer After Feature is Abused for Malware**
2.  **Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group**
3.  **EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability**
4.  **Microsoft: Storm-1283 Sent 927k Phishing Emails with Malicious OAuth Apps**
5.  **Scammers Use Fake Ledger App on Microsoft Store to Steal $800k in Crypto**

Windows Defender SmartScreen Vulnerability Exploited with Phemedrone Stealer

Plus: Google fixes dozens of Android bugs, Microsoft rolls out nearly 50 patches, Mozilla squashes 15 Firefox flaws, and more.

Later in January, Google released Chrome 121 to the stable channel, fixing 17 security issues, three of which are rated as having a high impact. These include CVE-2024-0807, a use-after-free flaw in WebAudio, and CVE-2024-0812, an inappropriate implementation vulnerability in accessibility. The final high-impact vulnerability is CVE-2024-0808, an integer underflow in WebUI.

Obviously, these updates are important, so check and apply them as soon as you can.

Microsoft

Microsoft’s January Patch Tuesday squashes nearly 50 bugs in its popular software, including 12 remote code execution (RCE) flaws.

No security holes included in this month’s set of updates are known to have been used in attacks, but notable flaws include CVE-2024-20677, a bug in Microsoft Office that could allow attackers to create malicious documents with embedded FBX 3D model files to execute code.

To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint, and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it, Microsoft said.

Meanwhile, CVE-2024-20674 is a Windows Kerberos security feature bypass vulnerability rated as critical with a CVSS score of 8.8. In one scenario for this vulnerability, the attacker could convince a victim to connect to an attacker-controlled malicious application, Microsoft said. “Upon connecting, the malicious server could compromise the protocol,” the software giant added.

Mozilla Firefox

Hot on the heels of its market-dominant competitor Chrome, Mozilla’s Firefox has patched 15 security flaws in its latest update. Five of the bugs are rated as having a high severity, including CVE-2024-0741, an out-of-bounds write issue in Angle that could allow an attacker to corrupt memory, leading to an exploitable crash.

An unchecked return value in TLS handshake code tracked as CVE-2024-0743 could also cause an exploitable crash.

CVE-2024-0755 covers memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

Cisco

Enterprise software giant Cisco has patched a vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

Tracked as CVE-2024-20253 and with a whopping CVSS score of 9.9, Cisco said an attacker could exploit the vulnerability by sending a crafted message to a listening port of an affected device.

“A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user,” Cisco said. “With access to the underlying operating system, the attacker could also establish root access on the affected device,” it warned.

SAP

SAP has issued 10 new security fixes as part of its January Security Patch Day, which includes several issues with a CVSS score of 9.1. CVE-2023-49583 is an escalation-of-privilege issue in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA.

Meanwhile, CVE-2023-50422 and CVE-2023-49583 are escalation-of-privilege issues in SAP Edge Integration Cell.

Another notable flaw is CVE-2024-21737, a code injection vulnerability in SAP Application Interface Framework, which has a CVSS score of 8.4. “A vulnerable function module of the application allows an attacker to traverse through various layers and execute OS commands directly,” security firm Onapsis said. “Successful exploits can cause considerable impact on confidentiality, integrity, and availability of the application.”

Apple and Google Just Patched Their First Zero-Day Flaws of the Year

PRESS RELEASE

PALO ALTO, Calif., Nov. 19, 2024 /PRNewswire/ -- As artificial intelligence (AI) continues to revolutionize industries, the cybersecurity field faces a dual-edged sword of opportunities and threats. StrongDM's latest report, "The State of AI in Cybersecurity," highlights the growing concerns and readiness of cybersecurity professionals to tackle AI-driven challenges. Based on a survey of 600 cybersecurity professionals, the report sheds light on pressing issues around AI regulation, perceived threats, defense confidence, and the future of the cybersecurity workforce.

Key Findings from the Survey:

*   Regulation Concerns: 76% of cybersecurity professionals believe AI should be "heavily regulated" to prevent misuse, underscoring the need for balance between safety and innovation.
    
*   AI-Driven Threats: A significant 87% of respondents expressed concerns about AI-driven cyberattacks, with malware (33%) and data breaches (30%) ranking as top threats.
    
*   Preparedness Levels: Only 33% of professionals feel "very confident" in their current defenses, and 65% of companies admit they are not fully prepared for AI-powered attacks.
    
*   Workforce Impact: Despite challenges, two-thirds of respondents feel optimistic about AI's potential to enhance, rather than replace, jobs in cybersecurity.
    

A Call for Regulation Amid Rapid AI Growth: The report reveals that 76% of surveyed professionals support "heavy regulation" of AI to mitigate potential risks. However, 15% worry that excessive oversight could stifle innovation. This underscores a need for balanced regulations that ensure security while fostering technological advancement.

Growing Concern Over AI-Powered Attacks: AI's potential to enable new attack vectors is top of mind for cybersecurity professionals, with 87% citing concern over AI-driven threats. Malware and data breaches emerged as the leading AI-powered concerns, with 33% and 30% of respondents, respectively, indicating their apprehension over these types of attacks.

Confidence Levels Are Low, but Hope Persists: The report highlights a stark contrast in preparedness, as only 33% of respondents expressed being "very confident" in their current defenses against AI threats. Meanwhile, 46% felt "somewhat confident," and 17% admitted their organizations were not ready for AI-driven attacks. These findings emphasize an urgent call for stronger strategies and investments to bolster AI-specific defenses.

Companies Playing Catch-Up: StrongDM's research found that 65% of respondents admitted their organizations are not fully prepared for AI-driven threats. While 32% of companies are actively investing in AI defenses, 48% say there's still much to be done to close the gap.

AI's Mixed Impact on the Cybersecurity Workforce: Despite the concerns surrounding AI, two-thirds of cybersecurity professionals maintain an optimistic outlook on the technology's impact on their jobs. 40% believe AI will enhance job roles without replacing them, and 25% foresee the creation of new job opportunities. Nonetheless, 30% expressed fears of job replacement, showcasing the nuanced views professionals hold on AI's future role in the workforce.

Complete Study Results: https://www.strongdm.com/blog/state-of-ai-in-cybersecurity-report

Methodology 

The report is based on a survey conducted in October 2024, targeting 600 US-based cybersecurity professionals. The survey was completed online via Pollfish, and responses were random, voluntary, and completely anonymous.

About StrongDM 

StrongDM is at the forefront of cybersecurity, specializing in Zero Trust Privileged Access Management (PAM). Our innovative solutions focus on continuous, policy-based controls that leverage actions and context to enhance enterprise security. StrongDM's technology scrutinizes each interaction in real time, preventing breaches before they occur and ensuring secure, frustration-free access across all platforms.

Supported by leading investors, including GV, Sequoia Capital, True Ventures, and Anchor Capital, StrongDM operates across North America, Europe, and Asia-Pacific, dedicated to setting new standards in cybersecurity and providing top-tier protection for today's digital enterprises.

For more information, visit the StrongDM website.

Search

outlook iniciare sesión