Weekly Security News – 26th August 2024

SolarWinds leaking credentials, major backdoor in RFID cards and a new phishing technique found... all in this week's security news...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

SolarWinds Leaks Credentials in Hotfix for Exploited Web Help Desk Flaw

The enterprise software maker warns that the hardcoded-credential blunder, assigned CVE-2024-28987 with a CVSS score of 9.1, could allow a “remote unauthenticated user to access internal functionality and modify data”. Released for Web Help Desk 12.8.3.1813 or 12.8.3 HF1, the new hotfix not only removes the inadvertently leaked secrets, but also adds more patterns to fix an SSO issue, and resolves the critical-severity remote code execution (RCE) bug that the initial hotfix was meant to address.

Major Backdoor in Millions of RFID Cards Allows Instant Cloning

The backdoor, documented in a research paper by Quarkslab researcher Philippe Teuwen, allows the instantaneous cloning of RFID smart cards used to open office doors and hotel rooms around the world. Although exploiting the backdoor requires just a few minutes of physical proximity to an affected card, an attacker in a position to carry out a supply chain attack could clone cards instantaneously and at scale.

Cyber Attacks

New Phishing Technique Bypasses Security on iOS and Android to Steal Bank Credentials

ESET warns that on both iOS and Android, cybercriminals used Progressive Web Applications (PWAs), which are websites bundled to look like stand-alone applications, while on Android they also used WebAPKs, which appear to have been installed from Google Play. Built using web application technologies, PWAs can run on various platforms and device types, and do not require the user to allow third-party app installation. As part of the observed attacks, iOS users were instructed to add the PWA to their home screens, while Android users had to confirm certain custom pop-ups in the browser before the application was installed.

Oil Giant Halliburton Confirms Cyber Incident, Details Scarce

Halliburton, considered the world’s second largest oil service company, has engaged external experts to investigate and mitigate the threat, according to a Reuters news report. Technical details on the breach remain scarce, but the compromise has all the hallmarks of a typical ransomware attack, where sensitive data is encrypted and used in multi-million-dollar extortion demands. Reuters said the Halliburton cyberattack impacted the company’s north Houston campus, as well as some global connectivity networks.

In Other News...

Windows Zero-Day Attack Linked to North Korea’s Lazarus APT

The vulnerability, tracked as CVE-2024-38193 and marked as ‘actively exploited’ by Microsoft, allows SYSTEM privileges on the latest Windows operating systems. Gen, which is a rollup of consumer brands Norton, Avast, LifeLock and Avira, posted a sparse note linking the exploitation to Lazarus via the use of the FudModule rootkit. However, the company did not release any indicators or technical documentation to support the connection.