Weekly Security News – 5th August 2024

Broadcom updates, VMware ESXi flaw exploited, Microsoft confirms Azure outage was triggered by a cyber attack... all in this week's security news...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Broadcom Releases Security Updates for VMware ESXi, vCenter Server, and Cloud Foundation Vulnerabilities

Broadcom has released an advisory that addresses three security vulnerabilities in VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation. VMware ESXi is an enterprise-class hypervisor, VMware vCenter Server is a centralised virtual machine manager, and Cloud Foundation is a platform for the provision of cloud environments. The following platforms are known to be affected: VMware ESXi, VMware vCenter Server and VMware Cloud Foundation. VMware applications have become a popular target for ransomware and data-extortion groups, and rapidly patching vulnerable software should be considered of critical importance. Affected organisations are encouraged to review Broadcom’s VMware advisory VMSA-2024-0013 and apply the relevant updates.

Progress Software Releases Security Update for MOVEit Transfer

Progress (formerly Ipswitch) had released a security update for an improper authentication vulnerability in the SFTP module of the MOVEit Transfer application, a managed secure file transfer tool. CVE-2024-6576 has a CVSSv3 score of 7.3 and can lead to privilege escalation in MOVEit Transfer. Affected organisations were encouraged to review the Progress Community MOVEit Transfer Critical Security Alert Bulletin July 2024 – CVE-2024-6576 (applies to MOVEit Transfer) and apply updates as soon as practicable. MOVEit Cloud has now been upgraded to the patched version, so no further action is needed by MOVEit Cloud customers.

Cyber Attacks

VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by “several” ransomware groups to gain elevated permissions and deploy file-encrypting malware. The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host. “A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” Broadcom-owned VMware noted in an advisory released in late June 2024.
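As an added example (not from the original article, nor code from VMware or Broadcom), a small Python detector that mirrors the mechanism the advisory describes: it scans Windows Security group-lifecycle events for the ESXi admins group being created after an earlier deletion. The Windows event IDs are real; the sample records, the `svc-backup` account and the group names other than the default ‘ESXi Admins’ are constructed.

```python
"""Flag re-creation of the ESXi admin AD group, the pattern behind CVE-2024-37085.

Added example, not part of the original news item. Windows Security event IDs
4727/4730 (global), 4731/4734 (local) and 4754/4758 (universal) are the real
"security-enabled group created/deleted" IDs; the records below are constructed.
"""
from datetime import datetime

# Default group name from the VMware advisory. If a host's
# Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting was changed,
# add that name here too (lower-case, as comparison is case-insensitive).
ESX_ADMINS_GROUPS = {"esxi admins"}

GROUP_DELETED = {4730, 4734, 4758}
GROUP_CREATED = {4727, 4731, 4754}

# Constructed sample events (not real logs); "subject" is the account that acted.
SAMPLE_EVENTS = [
    {"time": "2024-07-30T08:01:00", "event_id": 4730, "group": "ESXi Admins", "subject": "svc-backup"},
    {"time": "2024-07-30T08:01:40", "event_id": 4727, "group": "ESXi Admins", "subject": "svc-backup"},
    {"time": "2024-07-30T09:15:00", "event_id": 4727, "group": "Finance-Readers", "subject": "j.smith"},
    {"time": "2024-07-30T10:00:00", "event_id": 4730, "group": "Old-Team", "subject": "admin1"},
]


def find_recreated_esx_admin_groups(events, watch=ESX_ADMINS_GROUPS):
    """Return one alert per creation of a watched group.

    Events are processed in time order. Any creation of a watched group is
    flagged, because ESXi grants admin rights to whatever group carries that
    name; if a deletion of the same name was seen earlier, its time is
    attached so the delete-then-recreate sequence is visible in the alert.
    """
    deleted_at = {}
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        name = ev["group"].strip().lower()
        if name not in watch:
            continue
        if ev["event_id"] in GROUP_DELETED:
            deleted_at[name] = ev["time"]
        elif ev["event_id"] in GROUP_CREATED:
            alerts.append({
                "group": ev["group"],
                "created": ev["time"],
                "deleted": deleted_at.get(name),  # None if no prior deletion seen
                "by": ev["subject"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_recreated_esx_admin_groups(SAMPLE_EVENTS):
        print(alert)
```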

Microsoft Confirms New Outage Was Triggered By Cyberattack

A Microsoft Azure outage on July 30 was triggered by a distributed denial of service cyberattack, the tech giant has confirmed. It comes after users started complaining they couldn’t access several Microsoft services on Tuesday, including Microsoft 365 products such as Office, Outlook, and Azure. The incident—which lasted nearly 10 hours—took place less than two weeks after a CrowdStrike update caused Microsoft Windows machines to crash. Companies affected by the new outage include U.K. bank NatWest, according to the BBC. Microsoft says the “initial trigger event” was a DDoS attack, which sees adversaries flood services with traffic to bring them to a standstill.

In Other News...

Over 1 Million Domains at Risk of 'Sitting Ducks' Domain Hijacking Technique

Over a million domains are susceptible to takeover by malicious actors by means of what has been called a Sitting Ducks attack. The powerful attack vector, which exploits weaknesses in the domain name system (DNS), is being exploited by over a dozen Russian-nexus cybercriminal actors to stealthily hijack domains, a joint analysis published by Infoblox and Eclypsium has revealed. “In a Sitting Ducks attack, the actor hijacks a currently registered domain at an authoritative DNS service or web hosting provider without accessing the true owner’s account at either the DNS provider or registrar,” the researchers said. “Sitting Ducks is easier to perform, more likely to succeed, and harder to detect than other well-publicized domain hijacking attack vectors, such as dangling CNAMEs.”

New Android Banking Trojan BingoMod Steals Money, Wipes Devices

Cybersecurity researchers have uncovered a new Android remote access trojan (RAT) called BingoMod that not only performs fraudulent money transfers from the compromised devices but also wipes them to erase traces of the malware. Italian cybersecurity firm Cleafy, which discovered the RAT towards the end of May 2024, said the malware is under active development. It attributed the Android trojan to a likely Romanian-speaking threat actor owing to the presence of Romanian language comments in the source code associated with early versions. “BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique,” researchers Alessandro Strino and Simone Mattia said.