Weekly Security News – 24th September 2024

Warning for a Chinese botnet, Microsoft re-design after CrowdStrike outage and how to reduce cyber risk during employee onboarding...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Broadcom Releases Critical Security Advisory for VMware vCenter Server and Cloud Foundation

Broadcom has issued a critical security advisory addressing two vulnerabilities in VMware vCenter Server, the centralised management utility for virtual machines and hosts, and VMware Cloud Foundation, the private cloud platform.

  • CVE-2024-38812 is a heap-overflow vulnerability in VMware vCenter Server with a CVSSv3 score of 9.8. An attacker with network access to vCenter Server could trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.
  • CVE-2024-38813 is a privilege escalation vulnerability in vCenter Server with a CVSSv3 score of 7.5. An attacker with network access to vCenter Server could exploit this vulnerability by sending a specially crafted network packet to escalate privileges to root.

Affected organisations are encouraged to review Broadcom’s VMware advisory VMSA-2024-0019 and VMSA-2024-0019: Questions & Answers and apply the relevant updates. More information about applying async patches/individual product updates to VMware Cloud Foundation environments using Async Patch Tool (AP Tool) is available in Article ID: 344935.

Chrome 129 Patches High-Severity Vulnerability in V8 Engine

Google on Tuesday announced the release of Chrome 129 in the stable channel with patches for nine vulnerabilities, including six reported by external researchers. The most severe of the externally reported flaws is a type confusion bug in the V8 JavaScript engine, tracked as CVE-2024-8904, the internet giant notes in an advisory. A class of memory safety bug, type confusion issues arise when code operates on an object as if it were of a different type, allowing attackers to modify variables and trigger unexpected application behaviour. Successful exploitation of such defects could lead to crashes, remote code execution, and other types of attacks. Chrome 129 also addresses three medium-severity vulnerabilities reported by external researchers, namely an inappropriate implementation in V8, incorrect security UI in Downloads, and insufficient data validation in Omnibox. The update also resolves two low-severity inappropriate implementation flaws, impacting Chrome’s Autofill and UI components.

Cyber Attacks

UK and allies issue cyber-attack warning over China-backed 'botnet' of 260,000 compromised devices

The UK and its Five Eyes allies have issued a cyber-attack warning over a China-backed “botnet” of more than 260,000 compromised devices. Businesses have been urged by the National Cyber Security Centre (NCSC) and its allies in the US, Canada, Australia, and New Zealand to protect their devices from possible attacks. The advisory says a company based in China, with links to the country’s government, has created and wields a botnet of more than 260,000 compromised devices around the globe. Botnets are large networks of internet-connected devices that have been infected with malware. As a result, they can be controlled by the group and used to carry out malicious attacks without the owners’ knowledge. Most commonly, they are used to carry out distributed denial of service (DDoS) attacks, which flood a website with traffic with the aim of knocking it offline.

Clever 'GitHub Scanner' campaign abusing repos to push malware

A clever threat campaign is abusing GitHub repositories to distribute the Lumma Stealer password-stealing malware targeting users who frequent an open-source project repository or are subscribed to email notifications from it. A malicious GitHub user opens a new “issue” on an open-source repository falsely claiming that the project contains a “security vulnerability” and urges others to visit a counterfeit “GitHub Scanner” domain. The domain in question, however, is not associated with GitHub and tricks users into installing Windows malware. To make matters even more interesting, users and contributors to such repositories receive these “IMPORTANT!” email alerts from legitimate GitHub servers each time a threat actor files a new issue on a repository, making this phishing campaign seem more convincing. GitHub users have been receiving email notifications this week urging them to address a bogus “security vulnerability” in a project repo that they have contributed to, or are otherwise subscribed to. Users are advised to visit “github-scanner[.]com” to learn more about the alleged security issue.
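The lure in this campaign is a legitimate GitHub notification whose body carries a link to a domain GitHub does not own. A quick triage check is therefore to pull every link out of the issue or e-mail text and flag any host that is not GitHub’s, treating a “github” lookalike plus urgency language as a strong phishing signal. The script below is an added example written for this article, not code from GitHub or from the researchers who reported the campaign; the sample issue text is constructed here, and the list of GitHub-owned hosts is an assumption you should extend for GitHub Enterprise or other domains you trust.

```python
"""Triage GitHub issue / notification text for off-site links (added example).

Assumptions: GitHub-owned hosts are the three below; anything else is
"off-site". Links may be defanged (hxxp://, example[.]com) as in reports.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts that legitimately belong to GitHub. Extend for GHE.
GITHUB_HOSTS = ("github.com", "githubusercontent.com", "github.io")

# Matches scheme-less domains too, so "github-scanner[.]com" is caught after refanging.
LINK_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"')\]]*)?",
    re.IGNORECASE,
)
URGENCY_RE = re.compile(r"IMPORTANT!|security vulnerability|urgent", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo hxxp:// and [.] defanging so the links parse normally."""
    return re.sub(r"(?i)hxxp", "http", text).replace("[.]", ".")


def is_github_host(host: str) -> bool:
    """Exact or subdomain match only: github.com.evil.net must NOT pass."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in GITHUB_HOSTS)


def host_of(link: str) -> str:
    if not re.match(r"https?://", link, re.IGNORECASE):
        link = "http://" + link  # urlparse needs a scheme to populate hostname
    return (urlparse(link).hostname or "").lower().rstrip(".")


def suspicious_links(text: str) -> list[dict]:
    """Every link whose host is not GitHub-owned, with a lookalike flag."""
    findings = []
    for m in LINK_RE.finditer(refang(text)):
        url = m.group(0)
        host = host_of(url)
        if not host or is_github_host(host):
            continue
        findings.append({"url": url, "host": host, "lookalike": "github" in host})
    return findings


def triage(text: str) -> dict:
    """Combine off-site links with urgency wording into a coarse verdict."""
    offsite = suspicious_links(text)
    urgent = bool(URGENCY_RE.search(text))
    if offsite and (urgent or any(f["lookalike"] for f in offsite)):
        verdict = "likely phishing"
    elif offsite:
        verdict = "review"
    else:
        verdict = "ok"
    return {"offsite_links": offsite, "urgent_wording": urgent, "verdict": verdict}


# Constructed sample issue body modelled on the campaign described above.
SAMPLE_ISSUE = """IMPORTANT! Security vulnerability detected in your repository.
Our scan found a critical issue. Review the full report at https://github-scanner[.]com/report
Compare with the official docs: https://docs.github.com/en/code-security
Raw details: https://raw.githubusercontent.com/octo/repo/main/README.md
"""

if __name__ == "__main__":
    print(triage(SAMPLE_ISSUE))
```

Run against the constructed sample, only `github-scanner.com` is reported, with the lookalike flag set and urgency wording present, so the verdict is “likely phishing”; the two genuine GitHub links are ignored because the host check requires an exact or subdomain match rather than a substring. The bare-domain regex is a triage heuristic and can pick up “word.Word” fragments in prose, so treat its output as a signal for a human, not an automatic block.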

In Other News...

Post-CrowdStrike Fallout: Microsoft Redesigning EDR Vendor Access to Windows Kernel

Microsoft plans to redesign the way anti-malware products interact with the Windows kernel in direct response to the global IT outage in July that was caused by a faulty CrowdStrike update. Technical details on the changes are not yet available, but the world’s largest software vendor said “new platform capabilities” will be fitted into Windows 11 to allow security vendors to operate “outside of kernel mode” in the interest of software reliability. Following a one-day summit in Redmond with EDR vendors, Microsoft vice president David Weston described the OS tweaks as part of long-term steps to serve resilience and security goals. “[We] explored new platform capabilities Microsoft plans to make available in Windows, building on the security investments we have made in Windows 11. Windows 11’s improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode,” Weston said in a note following the EDR summit.

How to reduce cyber risk during employee onboarding

Onboarding new employees is an important time for any organization — after all, it’s your opportunity to integrate new team members into your company and its culture. But the onboarding time frame also creates a unique set of security risks as you share sensitive information with people who are new to the organization. Numerous areas of risk exist during the onboarding process. One of the biggest is sharing sensitive information, particularly passwords. Many organizations still rely on insecure methods for sharing passwords with new employees, including sending them via plain text SMS or email. These methods are vulnerable to man-in-the-middle attacks, where hackers intercept the communication and gain access to the password. Specops research found another alarming trend when it comes to breached passwords: employees often fail to change the “temporary” login passwords that the IT team provides for their initial logins. When new employees are given temporary passwords during onboarding, they may not prioritize changing them to strong, unique passwords. This oversight leaves the organization vulnerable to attacks, as these temporary passwords are more likely to be weak or easily guessable.
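The two onboarding risks above, a starter password sent over an insecure channel and a starter password that is never changed, are both mitigated when the temporary credential is short-lived and can do nothing except be replaced. The following is an added example written for this article, not Specops’ product or any vendor’s code; the 24-hour validity window, the 12-character minimum and the PBKDF2 iteration count are assumptions chosen for illustration, and a real deployment would enforce the same states in the identity provider (for example a must-change-at-next-logon flag) rather than in application code.

```python
"""Temporary onboarding credential: expires unused, must be rotated on first use (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TEMP_PASSWORD_TTL_SECONDS = 24 * 60 * 60   # assumption: starter password valid for 24h
MIN_PASSWORD_LENGTH = 12                    # assumption: minimum length for the user's own password
PBKDF2_ITERATIONS = 100_000                 # assumption: illustrative work factor


@dataclass
class Credential:
    username: str
    salt: bytes
    digest: bytes
    issued_at: int          # epoch seconds when the temporary password was minted
    temporary: bool = True  # stays True until the user sets their own password


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def issue_temporary(username: str, now: int) -> tuple[Credential, str]:
    """Mint a random starter password. The plaintext is returned exactly once
    so IT can hand it over out of band; only the salted hash is stored."""
    password = secrets.token_urlsafe(16)
    salt = secrets.token_bytes(16)
    return Credential(username, salt, _digest(password, salt), now), password


def authenticate(cred: Credential, password: str, now: int) -> str:
    """Returns 'ok', 'must_change', 'expired' or 'denied'."""
    if not hmac.compare_digest(_digest(password, cred.salt), cred.digest):
        return "denied"
    if cred.temporary and now - cred.issued_at > TEMP_PASSWORD_TTL_SECONDS:
        return "expired"        # starter password never used in time: IT must reissue it
    if cred.temporary:
        return "must_change"    # correct, but the only permitted action is a password change
    return "ok"


def change_password(cred: Credential, old: str, new: str, now: int) -> bool:
    """Replace the starter password; this is the only way to clear the temporary state."""
    if authenticate(cred, old, now) not in ("must_change", "ok"):
        return False
    if len(new) < MIN_PASSWORD_LENGTH or new == old:
        return False            # reject a weak password or a no-op "change"
    cred.salt = secrets.token_bytes(16)
    cred.digest = _digest(new, cred.salt)
    cred.temporary = False
    return True


if __name__ == "__main__":
    cred, starter = issue_temporary("new.hire", now=0)
    print(authenticate(cred, starter, now=60))                      # must_change
    print(change_password(cred, starter, "correct-horse-battery-staple", now=60))  # True
    print(authenticate(cred, "correct-horse-battery-staple", now=60))  # ok
```

The point of the state machine is that a leaked starter password has a bounded lifetime and, even inside that window, only lets an attacker set a new password on an account the real employee will immediately notice they cannot log into. Delivering the plaintext over a channel other than plain SMS or e-mail (an in-person handover, a one-time-view link, or an identity provider’s own enrolment flow) is still required; hashing and expiry do not protect the credential in transit.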