Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue.


**Apache Airflow Potential Cross-site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Jul 17, 2024 to the GitHub Advisory Database • Updated Jul 17, 2024

GHSA-j482-47xf-p25c: Apache Airflow Potential Cross-site Scripting Vulnerability

Israel's military computer systems have been under constant barrage in recent months.

Source: Bumble Dee via Alamy Stock Photo

The Israeli Defense Forces (IDF) have nixed somewhere in the range of 3 billion cyberattack attempts since last fall, an army chief said this week.

The claim, circulated across Israeli news outlets, was made by Colonel Racheli Dembinsky, commander of the IDF's Center of Computing and Information Systems, also known as Mamram. Mamram, essentially, is the IT organization for Israel's military, providing, maintaining, and defending its intranet, cloud systems, data processing, public-facing websites, and more.

As Dembinsky recalled at the IT for IDF conference in the city of Rishon LeTsiyon, an uptick in threats to Israel's military systems dates back to the terror attack on Oct. 7. "I received a phone call that morning and thought there was a malfunction in the alert system," she said. "I quickly understood there wasn’t a malfunction, but a broader attack. Also, we immediately understood this wasn’t fake. I put on my uniform and drove to the base. We began transitioning to emergency mode."

The strain on the IDF's systems continued in the weeks thereafter, as hundreds of thousands of reservists were quickly recruited into the war effort, and Mamram began allocating computing resources at 120% capacity.

According to Dembinsky, cyberattacks against the IDF in recent months have involved operational systems central to the military's functioning, such as those that ground forces rely on to coordinate information sharing in real-time. She did not provide details on the nature of the attacks, but noted that the many billions of them had been blocked.

**Cyber Threats to Israel**

Israel has seen a dramatic increase in cyberattacks overall since the start of the war, notes Gil Messing, chief of staff for Check Point Software. "Attacks in general have more than doubled, to the point that an average Israeli organization is attacked more than 2,200 times every week," he explains.

"This has been driven mostly by politically motivated hacking groups — such as nation-states attacking Israel, like Iran, or Hezbollah — and hacktivist groups that are joining forces in attacking Israel in the context of the war. We are monitoring over 80 such groups which do everything from defacement and DDoS to ransomware and wipers."

Specifically, Check Point tracks at least five of those groups as state-level advanced persistent threats (APTs) from Iran, and another five or six as working for the Iranian proxy Hezbollah. Some of the 80-plus work for Hamas, and still others are sympathetic groups from outside of Palestine and Lebanon.

"Cyberattacks are a clear and evident part of the war and, at the same time, the 'regular' hackers who are financially motivated are also attacking Israel (like any other country). So, all in all, the increase of attacks which we see in Israel is almost double what we see on the global average,” Messing says.

In response to the overwhelming threat, he adds, capable organizations have upped their game and their collective information sharing. Still, plenty of companies, government, and law enforcement organizations remain behind.

Case in point: At a separate panel at IT for IDF, Kobi Menashe, head of the guidance department and spectrum defense for the Israel National Cyber Directorate (INCD) defense division, revealed that 139 out of the 259 local authorities in Israel are facing a "very bad cyber situation." By contrast, just 89 are defined as "good." (He did note, though, that only 30 were considered good by Oct. 7.) That, despite a threefold increase in cyberattacks observed against local authorities in recent quarters.

"While the hackers are continuously working hard to attack Israeli organizations, many on the defenders' side don’t act so swiftly," Messing says. "This results in more successful attacks, which happen by the day."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

IDF Has Rebuffed 3B Cyberattacks Since Oct. 7, Colonel Claims

Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks.
Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API.
"Users are

Vulnerability / Data Security

Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks.

Tracked as **CVE-2024-27348** (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API.

"Users are recommended to upgrade to version 1.3.0 with Java11 and enable the Auth system, which fixes the issue," the Apache Software Foundation noted in late April 2024. "Also you could enable the 'Whitelist-IP/port' function to improve the security of RESTful-API execution."

Additional technical specifics about the flaw were released by penetration testing company SecureLayer7 in early June, stating it enables an attacker to bypass sandbox restrictions and achieve code execution, giving them complete control over a susceptible server.

This week, the Shadowserver Foundation said it spotted in-the-wild exploitation attempts that leverage the flaw, making it imperative that users move quickly to apply the latest fixes.

"We are observing Apache HugeGraph-Server CVE-2024-27348 RCE 'POST /gremlin' exploitation attempts from multiple sources," it said. "\[Proof-of-concept\] code is public since early June. If you run HugeGraph, make sure to update."

Vulnerabilities discovered in Apache projects have been lucrative attack vectors for the nation-state and financially motivated threat actors in recent years, with flaws in Log4j, ActiveMQ, and RocketMQ coming under heavy exploitation to infiltrate target environments.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP

A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-6535

**Skupper uses a static cookie secret for the openshift oauth-proxy**

Moderate severity GitHub Reviewed Published Jul 17, 2024 to the GitHub Advisory Database • Updated Jul 17, 2024

**Package**

gomod github.com/skupperproject/skupper (Go)

**Affected versions**

< 0.0.0-20240703184342-c26bce4079ff

**Patched versions**

0.0.0-20240703184342-c26bce4079ff

**Description**

Published to the GitHub Advisory Database

Jul 17, 2024

Last updated

Jul 17, 2024

GHSA-w799-v85j-88pg: Skupper uses a static cookie secret for the openshift oauth-proxy

Secure Boot technology is part of Unified Extensible Firmware Interface (UEFI) specification. It is a useful and powerful tool which can be used to improve boot time security of an operating system by only allowing trusted code to be executed on that system. The technology is not new—it was part of UEFI specification since v2.0 (2006), and it is extensively used by x86 hardware vendors today. In the cloud world, however, the technology only became available fairly recently:Google made Shielded VMs generally available in April, 2019Microsoft announced Trusted Launch general availability in No

Red Hat Enterprise Linux and Secure Boot in the cloud

SOC analysts should also cultivate skills like incident handling and response, threat hunting, digital forensics, Python, and bash scripting.

Source: Artem Samokhvalov via Shutterstock

Though artificial intelligence is poised to drastically transform enterprise security operations centers (SOCs), for the moment at least, the top three technologies for new hires to be familiar with remain SIEM, host-based extended detection and response, and vulnerability remediation.

But a trio of other hard skills scored highly in a survey of some 400 cybersecurity practitioners that the SANS Institute conducted on behalf of Torq. These include a knowledge of cloud security issues, PowerShell expertise, and the ability to automate repetitive tasks and systems management functions.

**Core Hard Skills**

Besides the top three skills, "the core hard skills that are currently essential for SOC analysts include: incident handling and response, threat hunting, cloud security, digital forensics, Python, PowerShell, and bash scripting," says Dallas Young, senior technical product manager at Torq.

"As for soft skills, those include critical thinking and creative, informed problem solving, attention to detail in rapidly changing environments, and communication skills at both a technical and interpersonal level," he says.

The SANS survey polled respondents from small, medium, and large companies in the US and other countries about their top SOC challenges. The responses showed that many organizations continue to struggle with issues that have plagued them for years. These include a lack of automation and orchestration of key SOC functions, high-staffing requirements, a shortage of skilled staff, and a lack of visibility. They also reported a pervasive silo mentality among security, incident response, and operations teams.

**SOC Retention Rates Improve**

On the positive side though, the survey showed a surprising uptick in staff retention rates at many SOCs. Some 30% of respondents — a plurality — identified the average SOC tenure at their organization as being between three and five years, compared to the one-to-three year tenures that respondents indicated in previous SANS surveys.

Young chalks up the trend to the increasing automation of Tier-1 triage and analysis at more organizations. This has enabled SOC analysts to focus on more strategic and intellectually stimulating activities, such as threat hunting and advanced incident response. It's also helped alleviate the analyst burnout problem, he says.

Other factors that appear to have contributed to the increased retention rates include better work environments, with remote and flexible hours and management-track leadership training for high performers. "In addition, for security analysts who want to maintain a technical focus, organizations are paying for more training and certification opportunities in areas of interest such as penetration testing, reverse malware engineering, and cloud security subject matter areas as examples," Young says.

Jake Williams, faculty at IANS Research and vice president of R&D at Hunter Strategy, says current job market conditions have allowed many organizations to secure more experienced SOC analysts at the same budget than they could a few years ago. "This is a good thing for organizations short term, but they should be making plans now for when the job market rebounds," Williams says. "Many organizations are camouflaging a lack of process with the skills these more senior analysts bring to the table."

**Cloud Knowledge, ID Management, PowerShell Are Hot Skills**

Like Young, Williams says the biggest in-demand SOC skills — outside of the obvious core skills of SIEM and XDR — are knowledge of cloud platforms such as AWS and Azure, and understanding of Active Directory and Entra ID. "I've seen a lot more expectation of baseline cloud knowledge, especially for senior SOC analysts," Williams notes. Given the prolific use of M365 in enterprise, there's an expectation that many senior SOC analysts know PowerShell to query GraphAPI, he says, "PowerShell experience and cloud platform knowledge were niche skills a few years ago. For midtier to senior SOC analysts today, it seems like table stakes."

The SANS survey showed that many SOC practitioners aren't thrilled with their initial usage of artificial intelligence and machine learning tools for SOC analysis purposes. In fact, respondents gave AI and ML tools the lowest rating when asked to rate SOC tools. However, there's little doubt that AI and GenAI technologies are set to fundamentally change the SOC and, in the process, the skills landscape as well.

Young says AI will fundamentally continue moving forward to enhance automated threat detection, proactive threat hunting, automation of repetitive and time-consuming tasks, alert fatigue reduction, and predictive analytics. Increasingly, SOC analysts are going to need to be familiar with machine learning algorithms and data analysis techniques to interpret AI-generated insights, Young says. They will also need skills to handle complex security incidents identified by AI systems and be willing to continuously learn and adapt to new AI technologies and methodologies, he says.

**"Why Does That Matter?"**

Williams expects AI tools to reduce the need for analysts whose sole role has been to respond to basic alarms. "Junior analysts should be looking now at what tasks AI does — and doesn't — do well and educating themselves in the places they can't be replaced by AI, such as critical thinking," he says. "The SOC of the future will be less about knowing that port 3389 is RDP — AI will provide that context on demand — and more about providing the 'why does that matter in this context?'"

Creative thinking when it comes to interesting problems and correlations will remain a key asset for SOC professionals, says Sajeeb Lohani, senior director of cybersecurity at Bugcrowd. "Nowadays, SIEMs are capable of raising alerts, so it is quite easy to fall into a rut and churn tickets," he says. "However, in my opinion, the most successful professionals are able to correlate events and understand business context when triaging and responding to such alerts. That context is key."

Lohani expects that some threats that are considered relatively niche issues in the SOC will become more important over the next few years. "Currently, a large portion of SOCs haven't had to deal with more niche threats like supply chain security issues," he says. "I believe, over time, that will start to change, and more mature practices will \[be needed\] to prepare and adapt."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Security, PowerShell Expertise Emerge as Key SOC Analyst Skills

As attackers set their sights on infrastructure, security teams need to reduce risk levels without compromising operational agility.

Amir Hirsh, SVP & General Manager of OT Security, Tenable

July 16, 2024

4 Min Read

Source: ElenaBs via Alamy Stock Photo

COMMENTARY

Hackers affiliated with the Chinese government have reportedly maintained access to US critical infrastructure for years, several agencies warned in February. The revelation is, at least on the surface, a heel-turn for Chinese cyber behavior — moving from espionage to the potential compromise or destruction of infrastructure via operational technology (OT). This includes the programmable systems and devices connected to physical environments.

Last December, a supply chain-focused attack against ShipManager software from maritime advisory company DNV reportedly disrupted operations for dozens of its clients — affecting as many as 1,000 vessels. In November, the Cybersecurity and Infrastructure Security Agency warned of Iranian actors actively exploiting Unitronics equipment used in water and wastewater systems, prompting a later warning from the Environmental Protection Agency (EPA) and the White House. The EPA also warned in May that a whopping 70% of US water systems fail its cybersecurity standards.

Similar OT systems have been connected to the Internet to enable remote monitoring and control, but that convenience has opened up avenues for attackers. These systems were often built for reliability before widespread connectivity. They are often implemented with niche solutions and can be difficult to audit and protect.

OT attacks, along with IT attacks on infrastructure supporting these operational environments, can take down customers' supply chains, damage equipment, and result in costly production disruptions: According to a study by ITC, four in 10 enterprise organizations said one hour of downtime can cost from $1 million to over $5 million.

Keeping the lights on in these increasingly complex environments is no easy feat. OT needs even higher levels of protection than that afforded to IT, since a single OT breach can cascade across multiple systems. Here, I'll outline three key steps for defending these environments, which begins with understanding OT's cyber-physical impacts and complexities.

**1\. Eliminate Gaps Across Environments**

Convergence of security between IT and OT is accelerating, but the two cannot be completely independent workstreams. Managing OT security is not a "set it and forget it" or reactive process, and vulnerability management cannot be lax. An effective strategy meant to reduce OT risk and protect operational uptime requires full asset visibility, and oftentimes there is crossover with IT.

With greater visibility, defenders can gather accurate and continuous telemetry data. Acquiring it, however, will entail ongoing communication and collaboration with the IT teams who have traditionally overseen Internet-facing devices.

IT and OT defenders can establish cross-functional teams and carry out joint risk assessment exercises. This open line will generate a better understanding about how assets communicate with each other, which apps are running (and where), and how user privileges are configured. The visibility gives teams greater control over their organizational infrastructure and can inform critical decision-making processes.

**2\. Develop Comprehensive OT Playbooks**

Once assets are mapped and better understood, the next step is a standardization of security practices. Defenders should create or evolve OT security playbooks and consider a range of scenarios.

Plans should draw from the organization's existing knowledge base, outline step-by-step incident response protocols, and define reactive steps among all business units and executives — for instance, documenting which teams or partners must respond in the event of a sector-specific worst-case scenario, such as a critical pipeline being held for ransom.

OT defenders should also regularly monitor guidance disseminated by the National Institute of Standards and Technology (including the new governance pillar of the NIST CSF framework) and intelligence agencies, along with industry groups and vendors.

**3\. Implement Robust Controls**

With more systems coming online, the general widening of the OT attack surface necessitates powerful exposure management technology. In fact, this is a point my colleagues and I continue to raise in different forums, as threat actors, like China-backed entities, continue to shift their tactics.

Sophisticated advanced persistent threats (APTs), like China's Volt Typhoon, increasingly rely on living-off-the-land techniques — using legitimate, embedded services to carry out their crimes. This can cloak their network activity and make traditional indicators of compromise highly difficult to detect. This ultimately dilutes the impact of more traditional security technologies.

Defenders simply cannot overlook this threat. They must be able to contextualize data and resolve issues before they can be exploited, performing functions like high-speed asset discovery and malware detection.

**Moving Away From Reactive Policies**

Given the rise of ransomware attacks in OT environments — more than half of polled industrial firms confirming they've suffered a related incident — there is new urgency tied to this domain. In fact, these events have created space for security teams to advocate internally for more robust controls.

Luckily, as part of this effort, organizations are steadily moving away from the reactive policies that once guided OT and instead are looking more holistically at the intricate web of networks and devices across their operations.

By using these tips, security teams can effectively reduce risk levels without compromising operational agility. OT infrastructure demands time and attention, but greater security will help protect physical environments from the advances of prominent APTs.

**About the Author(s)**

SVP & General Manager of OT Security, Tenable

Amir Hirsh is a technological entrepreneur based in Israel with over 20 years of experience. He has been instrumental in the creation, growth and sale of numerous companies covering cyber, AI, and media.

Amir leads Tenable's platform, exposure management, and operational technology (OT) business units, driving continued product innovation and development to address both present and future market needs. He also oversees Tenable's go-to-market, marketing, and engineering teams. He is a creative thinker and an innovative tech and business leader with an execution-focused management style.

As a key leader at Tenable, Amir speaks regularly at various industry events and conferences, and his views on market trends and the technology innovation driving them have been covered in many media outlets.

Defending OT Requires Agility, Proactive Controls

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Where's a good tailwind when you need it? Come up with a clever cybersecurity-related caption to describe the scene above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Aug. 14, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Congratulations, Joe Ayella, whose caption for last month's contest, "Future Shock," rose above a creative collection of contenders to capture first place. Your gift card is on the way. As always, we appreciate everyone who took the time to participate.

**About the Author(s)**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Near Miss

The ransomware is rudimentary with basic functionalities, likely having been created by an inexperienced developer — but it's effective at locking up files and sucking up memory capacity.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

A ransomware strain coined "ShadowRoot" has been found targeting Turkish businesses through phishing attacks.

The phishing emails contain a PDF attachment disguised as an invoice with embedded malicious links. Upon user interaction, this triggers a download of a RootDesign.exe file hosted on a compromised GitHub account.

The downloaded file is a Delphi binary and, according to researchers at Forcepoint who analyzed the exe, it drops further payloads: "C:\\TheDream\\RootDesign.exe," "C:\\TheDream\\Uninstall.exe” and “C:\\TheDream\\Uninstall.ini".

"We have observed recursive self-process creation by RootDesign.exe, which causes the files to get encrypted multiple times, resulting in higher memory consumption," the researchers said. "It also drops many copies of encrypted files on the root."

They add that the ransomware appears "rudimentary" and likely the work belonging to an inexperienced developer.

In addition to user awareness for defense, the researchers recommend blocking the following email addresses to prevent being targeted by the Shadowroot threat actors:

*   Kurumsal\[.\]tasilat\[@\]internet\[.\]ru
    
*   ran\_master\_som\[@\]proton\[.\]me
    
*   lasmuruk\[@\]mailfence\[.\]com
    

**About the Author(s)**

Shadowroot Ransomware Lures Turkish Victims via Phishing Attacks

The threat group used CVE-2024-38112 and a "zombie" version of IE to spread Atlantida Stealer through purported PDF versions of reference books.

Source: Ezyjoe via Alamy Stock Photo

New details have emerged about how an advanced persistent threat (APT) group exploited an unpatched Microsoft zero-day in a spear-phishing campaign to spread the Atlantida Stealer, which lifts system information and sensitive data such as passwords and cookies from various applications.

A blog post published July 15 by Trend Micro sheds new light on how the APT, dubbed Void Banshee, which used the flaw (CVE-2024-38112)against victims in North America, Europe, and Southeast Asia. The bug exists in the MSHTML (Trident) engine for the now retired Internet Explorer (IE) browser, but it can be exploited on a victim's machine even if IE is disabled or not the default browser.

It's an "alarming" attack given that IE has "historically been a vast attack surface but now receives no further updates or security fixes," Trend Micro senior threat researcher Peter Girnus and malware reverse engineer Aliakbar Zahravi wrote in the post.

The Void Banshee campaign lured victims via zip archives containing malicious files disguised as book PDFs that were disseminated via cloud-sharing websites, Discord servers, and online libraries, among others sectors, the researchers found. This is a typical tactic of the group, which tends to target victims both for information stealing and financial gain, they noted.

"\[Atlantida\] malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and it can also collect files with specific extensions from the infected system's desktop," the researchers wrote. "Moreover, the malware captures the victim's screen and gathers comprehensive system information."

**New Details on Zero-Day Exploitation**

Separately, security researchers already had revealed that unidentified threat groups were exploiting the IE flaw — which was patched in Microsoft's July Patch Tuesday update— to spread Atlantida and other malware in malicious PDF files.

Microsoft described CVE-2024-38112 as a spoofing vulnerability that could have a high impact on system confidentiality, integrity, and availability if successfully exploited, but only gave it a moderately high severity rating of 7.5 out of 10 on the CVSS vulnerability-severity scale. That's because that for an attack to be successful, an attacker would need to convince a victim to interact with the weaponized URL file, among other factors.

Trend Micro's report provides new details about how Void Banshee was able to get Windows users to do this by convincing targets in a spear-phishing campaign to open URL shortcut files designed to look like PDF copies of a book — specifically, textbooks and reference materials such as "Clinical Anatomy."

This "suggests the campaign is targeting highly skilled professionals and students who often use reference materials and places where digital copies of books are collected," the researchers wrote.

**CVE-2024-38112 Exploitation & Payload Behavior**

A previously revealed attack vector described by Check Point security researcher Haifei Li detailed how malicious shortcuts when could use IE — even if it's not the default browser — to open an attacker-controlled URL by calling the defunct browser instead of a more secure browser such as Chrome or Edge. The vector hid dangerous HTML application (HTA) files in PDF documents that looked safe to users.

Trend Micro's report describes how Void Banshee did this by distributing URL files that contained the MHTML protocol handler and the x-usc! directive, which allowed the group to access and run HTA files directly through the disabled IE process. When a victim opens what looks like an innocuous PDF, it instead opens the URL target in the native IE through the iexplore.exe process.

"The Internet shortcut file that exploits CVE-2024-38112 points to an attacker-controlled domain where an HTML file downloads the HTA stage of the infection chain," the researchers explained. "Using this HTML file, the attacker can also control the window view size of the website through IE. This is used by the threat actor to hide browser information and to mask the downloading of the next stage of the infection chain from the victim."

As mentioned, the attack ultimately delivers the Atlantida stealer, which is built from open source stealers NecroStealer and PredatorTheStealer. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and Web browsers. The malware then compresses the stolen data into a zip file and sends it back to an attacker-controlled command-and-control (C2) site over TCP port 6655.

**"Zombie Relics" Like IE Remain Dangerous**

Overall, the attacks on CVE-2024-38112 demonstrate how even technology like IE that is no longer supported or even in active use at an organization can still pose a major threat, according to Trend Micro.

"Even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware," the researchers wrote.

Furthermore, the ability of threat actors to access unsupported and disabled system services to circumvent modern Web sandboxes, such as IE mode for Microsoft Edge, poses "a significant industry concern," they wrote.

Patching the flaw is the most obvious way to thwart current exploitation of the IE issue, the researchers noted. Trend Micro also included a list of MITRE ATT&CK techniques and a link to indicators of compromise (IoCs) in its post.

According to Trend Micro, organizations also should take a proactive approach and engage in advanced threat intelligence as well as adopt a security posture that is constantly monitoring scanning software and other corporate network assets for potential flaws and other attack surfaces that potentially can be exploited.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#auth