Weekly Security News - 15th July 2024

Veeam vulnerability being exploited by a ransomware group, patch releases from Microsoft and Citrix, and a PHP security flaw used to spread malware... all in this week's security news...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all in one place. If you have any queries or concerns about anything in this week’s news, please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

New Ransomware Group Exploiting Veeam Backup Software Vulnerability

A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware. Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities. Initial access to the target environment is said to have been gained through a Fortinet FortiGate firewall's SSL VPN service using a dormant account. “The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server,” security researcher Yeo Zi Wei said in a recent analysis.

Citrix Releases Critical Security Updates for NetScaler Console, NetScaler Agent, and NetScaler SVM

Citrix has released a critical security bulletin addressing two vulnerabilities affecting NetScaler Console, NetScaler Agent, and NetScaler SVM.

  • CVE-2024-6235, an improper authentication vulnerability, has a CVSSv4 score of 9.4 and could lead to sensitive information disclosure if an attacker can gain access to the NetScaler Console IP.
  • CVE-2024-6236, a denial-of-service (DoS) vulnerability, has a CVSSv4 score of 7.1 and could be triggered if an attacker can gain access to the NetScaler Console IP, NetScaler Agent IP, or SVM IP.

Only customer-managed NetScaler Console instances are vulnerable; customers using the Citrix-managed NetScaler Console Service do not need to take any action. Affected organisations are encouraged to review Citrix Security Bulletin CTX677998 and apply the relevant updates.

Microsoft Releases July 2024 Security Updates

Microsoft has released security updates to address 139 vulnerabilities, including two zero-day vulnerabilities and two that could lead to remote code execution. Microsoft reports that both CVE-2024-38080 and CVE-2024-38112 are under active exploitation as zero-days, and a proof-of-concept exploit for CVE-2024-38112 has been detailed publicly by security researchers. Microsoft has also reported that public proof-of-concept code has been disclosed for CVE-2024-35264, so future exploitation of that flaw is considered likely. Affected platforms include Microsoft Windows, Windows Server, Microsoft Visual Studio, .NET 8.0 and Microsoft SharePoint Server. Affected organisations are encouraged to review Microsoft’s July 2024 Security Update Summary and apply the relevant updates.

Cyber Attacks

PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets. The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024. “CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP,” Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. “The vulnerability itself lies in how Unicode characters are converted into ASCII.” The web infrastructure company said it began observing exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of it being public knowledge.
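As an added illustration of the mechanism described above (this is example code written for this digest, not code from Akamai, PHP or any exploit), the script below reconstructs how a CGI front end turns a query string into php-cgi's argument list and flags requests where a word begins with the soft hyphen (byte 0xAD). On Windows systems using a Chinese or Japanese system code page, best-fit character conversion turns that soft hyphen into an ASCII "-", so a word such as "%ADd" is parsed by php-cgi as its "-d" option, which is how the attacker reaches php.ini directives. The access-log lines are constructed for the example; the function and variable names are this example's own.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (Apache combined-format style) for this
# example; they are not from the page or from any real capture.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Jul/2024:08:12:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2024:08:13:44 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Jul/2024:08:15:02 +0000] "GET /test.php?%ADd+cgi.force_redirect%3d0+%ADs HTTP/1.1" 200 130',
    '192.0.2.4 - - [10/Jul/2024:08:16:10 +0000] "GET /search.php?hello+world HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SOFT_HYPHEN = 0xAD  # U+00AD; best-fit mapped to '-' on CJK Windows code pages
HYPHEN = 0x2D       # the literal '-' that php-cgi's existing check already filters


def argv_from_query(query: str) -> list:
    """Rebuild the argv a CGI server hands to php-cgi. Per RFC 3875 the query
    string is passed as command-line arguments only when it contains no literal
    '=' (an "indexed" query); it is split on '+' and each word percent-decoded.
    Decoding to bytes keeps the raw 0xAD so we see exactly what php-cgi sees."""
    if "=" in query:
        return []
    return [unquote_to_bytes(word) for word in query.split("+") if word]


def classify_arg(arg: bytes) -> Optional[str]:
    """Return how php-cgi on an affected Windows locale would treat this word
    as an option, or None if it is an ordinary argument."""
    if len(arg) < 2:
        return None
    if arg[0] == SOFT_HYPHEN:
        return "soft-hyphen"      # the CVE-2024-4577 form
    if arg[0] == HYPHEN:
        return "literal-hyphen"   # the older, normally filtered form
    return None


def analyse_target(target: str) -> list:
    """Walk the reconstructed argv and report injected php-cgi options. For
    '-d' the following word is the php.ini directive being set."""
    _, _, query = target.partition("?")
    argv = argv_from_query(query)
    findings = []
    for i, arg in enumerate(argv):
        form = classify_arg(arg)
        if form is None:
            continue
        option = arg[1:].decode("latin-1")
        directive = None
        if option == "d" and i + 1 < len(argv):
            directive = argv[i + 1].decode("latin-1", errors="replace")
        findings.append({"form": form, "option": option, "directive": directive})
    return findings


def scan_logs(lines: list) -> list:
    """Return (request-target, findings) for every log line whose query string
    would be parsed as php-cgi options."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = analyse_target(m.group("target"))
        if findings:
            hits.append((m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for target, findings in scan_logs(SAMPLE_LOGS):
        print(target)
        for f in findings:
            print("   ", f)
```

The "=" rule matters for tuning: a request with a normal key=value query never reaches php-cgi as arguments, so only "indexed" queries (no literal "=", with "%3d" standing in for "=") are worth inspecting, which keeps false positives low when this is run over real access logs.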

In Other News...

Google Adds Passkeys to Advanced Protection Program for High-Risk Users

Google on Wednesday announced that it’s making passkeys available for high-risk users enrolling in its Advanced Protection Program (APP). “Users traditionally needed a physical security key for APP — now they can choose a passkey to secure their account,” Shuvo Chatterjee, product lead of APP, said. Passkeys are considered a more secure and phishing-resistant alternative to passwords. Based on the FIDO Authentication standard, the technology is designed to secure online accounts against takeover attacks by ditching passwords in favour of biometrics or a PIN. High-risk users, who face elevated exposure to cyber-attacks because of who they are and what they do (e.g., journalists, elected officials, political campaign staff, human rights workers, and business leaders), can check whether they have a compatible device and browser and complete the enrolment process.