Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Microsoft releases February 2024 Security Updates
Scheduled updates for Microsoft products, including security updates for 73 vulnerabilities with 6 rated as critical. Microsoft has released security updates to address 73 vulnerabilities, including six that are critical, which are highlighted in the vulnerability details below. Microsoft has confirmed exploitation of CVE-2024-21351 (Windows SmartScreen security feature bypass vulnerability), CVE-2024-21412 (Internet Shortcut Files security feature bypass vulnerability) and CVE-2024-21410 (Microsoft Exchange Server Elevation of Privilege Vulnerability). Affected organisations are encouraged to review Microsoft’s February 2024 Security Update Summary and apply the relevant updates.
Zoom patches critical privilege elevation flaw in Windows apps
The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw that could allow an unauthenticated attacker to conduct privilege escalation on the target system over the network. For most people, Zoom should automatically prompts users to update to the latest version. However, you can manually download and install the latest release of the desktop client for Windows, version 5.17.7, from here. Zoom users should apply the security update as soon as possible to mitigate the likelihood of external actors elevating their privileges to a level that allows them to steal sensitive data, disrupt or eavesdrop on meetings, and install backdoors.
Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
Thousands of Ivanti Connect Secure and Policy Secure endpoints remain vulnerable to multiple security issues first disclosed more than a month ago and which the vendor gradually patched. The flaws are CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888. Their severity ranges from high to critical and they concern authentication bypass, server-side-request forgery, arbitrary command execution, and command injection problems. Some of these vulnerabilities have been reported as exploited by nation-state actors before they were being leveraged at a larger scale by a broad range of threat actors.
Cyber Attacks
DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability
A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders. “In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware,” the cybersecurity firm said in a Tuesday report. Microsoft, which addressed the flaw in its February Patch Tuesday update, said an unauthenticated attacker could exploit the flaw by sending the targeted user a specially crafted file in order to bypass displayed security checks.
Malicious ‘SNS Sender’ Script Abuses AWS for Bulk Smishing Attacks
A malicious Python script known as SNS Sender is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service (SNS). The SMS phishing messages are designed to propagate malicious links that are designed to capture victims’ personally identifiable information (PII) and payment card details, SentinelOne said in a new report, attributing it to a threat actor named ARDUINO_DAS. “The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery,” security researcher Alex Delamotte said.
Articles
U.S. State Government Network Breached via Former Employee’s Account
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization’s network environment was compromised via an administrator account belonging to a former employee. Using the compromised credentials, the attackers accessed an internal VPN, performed reconnaissance of the on-premises environment, and executed LDAP queries on a domain controller. The organization, which CISA has not named, failed to remove the account of the former employee, which allowed the threat actor to conduct reconnaissance and discovery activities.