Weekly Security News – 26th February 2024

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

SolarWinds Releases Critical Security Updates for Access Rights Manager

SolarWinds has released security updates addressing five remote code execution (RCE) vulnerabilities in Access Rights Manager (ARM). Two path traversal vulnerabilities, CVE-2024-23476 and CVE-2024-23479, are both rated critical with a CVSSv3 score of 9.6; an unauthenticated attacker could exploit either of them to achieve RCE. The updates also address a third critical vulnerability, CVE-2024-40057, caused by deserialization of untrusted data and rated with a CVSS score of 9.0; an authenticated attacker could exploit this one to achieve RCE.

VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk

VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw. Tracked as CVE-2024-22245 (CVSS score: 9.6), the vulnerability has been described as an arbitrary authentication relay bug. “A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs),” the company said in an advisory.

Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft

Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent. The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3. “A shortcut may be able to use sensitive data with certain actions without prompting the user,” the iPhone maker said in an advisory, stating it was fixed with “additional permissions checks.”

Cyber Attacks

Hackers abuse Google Cloud Run in massive banking trojan campaign

Security researchers are warning of hackers abusing the Google Cloud Run service to distribute massive volumes of banking trojans such as Astaroth, Mekotio, and Ousaban. Google Cloud Run lets users deploy frontend and backend services, websites or applications, and run workloads without the effort of managing or scaling infrastructure. Cisco Talos researchers observed a massive uptick in the misuse of Google’s service for malware distribution starting in September 2023, when Brazilian actors launched campaigns using MSI installer files to deploy malware payloads.

Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks

Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation. The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023, with the aim of harvesting Microsoft login credentials using fake landing pages.

Articles

FTC Accuses Avast of Selling Customer Browsing Data to Advertisers

A complaint from the Federal Trade Commission (FTC) accused the European security company of unfairly collecting consumer web browsing data through its browser extension and anti-virus software “and sold it without adequate notice and without consumer consent.” The agency also plans to slap Avast with a $16.5 million fine and an order to stop selling or licensing any web browsing data for advertising purposes. The complaint alleges that Avast sold that data to more than 100 third parties through its Jumpshot subsidiary.