Updates for Fortinet, Citrix and Microsoft, 4,700 fake shopping sites used to steal credit card data, more Palo Alto bugs exploited...
Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Fortinet Releases Multiple Security Advisories
Fortinet has released 18 security advisories to address a range of security vulnerabilities in multiple products. Three of the advisories address two high severity vulnerabilities in FortiClient for Windows and one high severity vulnerability in FortiOS affecting SSLVPN sessions. FortiClient and FortiOS provide an endpoint detection and response (EDR) solution, a virtual private network (VPN) solution, and other security functionality. In addition to the three vulnerabilities highlighted below, full details for other affected products can be found at the Fortinet Security Advisories website.
- CVE-2023-50176 is a ‘session fixation’ vulnerability in FortiOS with a CVSSv3 score of 7.1. If exploited, a remote, unauthenticated attacker could hijack a SSLVPN session or execute arbitrary code via a phishing SAML authentication link.
- CVE-2024-47574 is an ‘authentication bypass’ vulnerability in FortiClientWindows with a CVSSv3 score of 7.4. If exploited, an authenticated attacker could execute arbitrary code with high privilege on an affected device.
- CVE-2024-36513 is a ‘privilege context switching error’ vulnerability in FortiClientWindows with a CVSSv3 score of 7.4. If exploited, an authenticated attacker could perform privilege escalation using Lua ‘auto patch’ scripts.
Citrix Releases Security Updates for Virtual Apps and Desktops Session Recording
Citrix has released a security advisory to address two vulnerabilities in the Session Recording feature of the Virtual Apps and Desktops platform. Virtual Apps and Desktops is a virtual desktop infrastructure (VDI) solution, providing users with a secure desktop experience on any device.
- CVE-2024-8068 is an ‘improper privilege management’ vulnerability in Session Recording with a CVSSv4 score of 5.1, which if exploited could allow a remote, authenticated attacker to perform privilege escalation to the NetworkService account.
- CVE-2024-8069 is a ‘deserialisation of untrusted data’ vulnerability in Session Recording with a CVSSv4 score of 5.1, which if exploited could allow a remote, authenticated attacker to execute arbitrary code on the Virtual Apps and Desktops server.
- CVE-2024-8068 and CVE-2024-8069 can be chained together, allowing a remote, authenticated attacker to perform remote code execution on the underlying server with SYSTEM privileges.
- Security researchers are claiming that CVE-2024-8068 and CVE-2024-8069 do not require authentication to exploit. If this claim is true, a remote, unauthenticated attacker could execute arbitrary code with SYSTEM privileges on the Virtual Apps and Desktops server.
Cyber Attacks
Fraud network uses 4,700 fake shopping sites to steal credit cards
A financially motivated Chinese threat actor dubbed “SilkSpecter” is using thousands of fake online stores to steal the payment card details of online shoppers in the U.S. and Europe. The fraud campaign started in October 2024, offering steep discounts for the upcoming Black Friday shopping period that usually sees elevated shopping activity. EclecticIQ threat researcher Arda Buyukkaya, who discovered the campaign, as of the publishing of their report, SilkSpecter operates 4,695 fraudulent domains. These sites impersonate well-known brands such as the North Face, Lidl, Bath & Body Works, L.L. Bean, Wayfair, Makita, IKEA, and Gardena. In many cases, the domain names used in the campaign include the ‘Black Friday’ string, clearly targeting online shoppers looking for discount deals. SilkSpecter websites are well-designed and typically named after the impersonated brand to appear authentic at a quick glance. However, their sites usually use top-level domains like ‘.shop,’ ‘.store,’ ‘.vip,’ and ‘.top,’ which are not generally associated with large brands or trustworthy e-commerce sites. Depending on the victim’s location, the website uses Google Translate to automatically adjust the language on the fraud sites accordingly. When users attempt to purchase from those sites, they are redirected to a payment page that prompts them to enter their credit/debit card number, expiration date, and CVV code. A phone number is also requested at the final step.
New Glove infostealer malware bypasses Chrome’s cookie encryption
New Glove Stealer malware can bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies. As Gen Digital security researchers who first spotted it while investigating a recent phishing campaign said, this information-stealing malware is “relatively simple and contains minimal obfuscation or protection mechanisms,” indicating that it’s very likely in its early development stages. During their attacks, the threat actors used social engineering tactics like those used in the ClickFix infection chain, where potential victims get tricked into installing malware using fake error windows displayed within HTML files attached to the phishing emails. The Glove Stealer .NET malware can extract and exfiltrate cookies from Firefox and Chromium-based browsers (e.g., Chrome, Edge, Brave, Yandex, Opera). It’s also capable of stealing cryptocurrency wallets from browser extensions, 2FA session tokens from Google, Microsoft, Aegis, and LastPass authenticator apps, password data from Bitwarden, LastPass, and KeePass, as well as emails from mail clients like Thunderbird. “Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications,” said malware researcher Jan Rubín. “These extensions and applications typically involve cryptocurrency wallets, 2FA authenticators, password managers, email clients and others.”
In Other News...
CISA warns of more Palo Alto Networks bugs exploited in attacks
CISA warned today that two more critical security vulnerabilities in Palo Alto Networks’ Expedition migration tool are now actively exploited in the wild. Attackers can use the two unauthenticated command injection (CVE-2024-9463) and SQL injection (CVE-2024-9465) vulnerabilities to hack into unpatched systems running the company’s Expedition migration tool, which helps migrate configurations from Checkpoint, Cisco, and other supported vendors. While CVE-2024-9463 allows attackers to run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, the second flaw can be exploited to access Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and create or read arbitrary files on vulnerable systems. Palo Alto Networks is shipping security updates addressing these issues in Expedition 1.2.96 and later. The company advises admins who can’t immediately update the software to restrict Expedition network access to authorized users, hosts, or networks. “Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system,” Palo Alto Networks added in a security advisory published in early October that still needs to be updated to warn customers that attackers are exploiting these vulnerabilities in the wild.
Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
Microsoft on Tuesday revealed that two security flaws impacting Windows NT LAN Manager (NTLM) and Task Scheduler have come under active exploitation in the wild. The security vulnerabilities are among the 90 security bugs the tech giant addressed as part of its Patch Tuesday update for November 2024. Of the 90 flaws, four are rated Critical, 85 are rated Important, and one is rated Moderate in severity. Fifty-two of the patched vulnerabilities are remote code execution flaws. The fixes are in addition to 31 vulnerabilities Microsoft resolved in its Chromium-based Edge browser since the release of the October 2024 Patch Tuesday update. The two vulnerabilities that have been listed as actively exploited are below –
- CVE-2024-43451 (CVSS score: 6.5) – Windows NTLM Hash Disclosure Spoofing Vulnerability
- CVE-2024-49039 (CVSS score: 8.8) – Windows Task Scheduler Elevation of Privilege Vulnerability
“This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user,” Microsoft said in an advisory for CVE-2024-43451. The update also fixes a critical cryptographic protocol flaw impacting Windows Kerberos (CVE-2024-43639, CVSS score: 9.8) that could be abused by an unauthenticated attacker to perform remote code execution.