Weekly Security News – 25th November 2024

Patch your Apple devices now, XSS vulnerabilities top danger list, NFC traffic relayed to steal money...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Exploitation of Critical Vulnerabilities in VMware vCenter Server and Cloud Foundation

Broadcom released security updates in September 2024 to remediate CVE-2024-38812 and CVE-2024-38813, vulnerabilities which, if exploited, could lead to remote code execution and privilege escalation. These vulnerabilities were not fully remediated by those security updates, and Broadcom reissued them in October 2024. The revised advisory included updated software packages to address security and functional issues reported after the original disclosure. Broadcom has now updated its advisory again to report that these vulnerabilities are being exploited in the wild. The platforms known to be affected are VMware vCenter Server and VMware Cloud Foundation.

  • CVE-2024-38812 is a heap-overflow vulnerability in VMware vCenter Server with a CVSSv3 score of 9.8. An attacker with network access to vCenter Server could trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.
  • CVE-2024-38813 is a privilege escalation vulnerability in vCenter Server with a CVSSv3 score of 7.5. An attacker with network access to vCenter Server could exploit this vulnerability by sending a specially crafted network packet to escalate privileges to root.

Affected organisations must review Broadcom’s VMware advisory VMSA-2024-0019 and VMSA-2024-0019: Questions & Answers and apply the relevant updates. More information about applying async patches or individual product updates to VMware Cloud Foundation environments using the Async Patch Tool (AP Tool) is available in Article ID: 344935.

Time to Patch: Apple Releases Fix for Zero-Day Attack Targeting Macs, iPhones

Apple has released an emergency patch to fix two vulnerabilities that hackers have exploited to target Intel-based Mac computers. The previously unknown “zero-day” flaws led Apple to issue patches for macOS, iOS, and iPadOS. Details are thin, but both bugs involve a Mac, iPhone, or iPad processing “maliciously crafted web content” to trigger the operating system to execute rogue computer code. “Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems,” the company said for both vulnerabilities. One of the flaws, CVE-2024-44309, can cause a cross-site scripting attack through Apple’s WebKit browser engine, which is used in Safari and web browsers for iOS and iPadOS. The resulting attack can inject malicious computer code into a legitimate website or app. Meanwhile, the second vulnerability, CVE-2024-44308, can trigger Apple’s JavaScriptCore software to run malicious computer code without the user’s permission. Apple’s advisory suggests hackers used both flaws together to target older Intel-based Macs, which the company started transitioning away from in 2020 in favor of using its own Arm-based M chips. In response, Apple released patches with macOS Sequoia 15.1.1, iOS 18.1.1, and iPadOS 18.1.1. Those on iOS 17 and iPadOS 17 or who own the Apple Vision Pro headset can also receive the fix. To install the patch on an iPhone, go to Settings > General > Software Update. The device can also patch itself automatically if you’ve switched on automatic updates. Mac users can patch by going to the Apple icon > System Settings > General > Software Update.

Cyber Attacks

New Ghost Tap attack abuses NFC mobile payments to steal money

Threat actors are increasingly banking on a new technique that leverages near-field communication (NFC) to cash out victims’ funds at scale. The technique, codenamed Ghost Tap by ThreatFabric, enables cybercriminals to cash out money from stolen credit cards by linking them to mobile payment services such as Google Pay or Apple Pay and relaying the NFC traffic. “Criminals can now misuse Google Pay and Apple Pay to transmit your tap-to-pay information globally within seconds,” the Dutch security company told The Hacker News in a statement. “This means that even without your physical card or phone, they can make payments from your account anywhere in the world.” These attacks typically work by tricking victims into downloading mobile banking malware that captures their banking credentials and one-time passwords using an overlay attack or a keylogger. Alternatively, the scheme can involve a voice phishing component. Once in possession of the card details, the threat actors link the card to Google Pay or Apple Pay. To avoid having the cards blocked by the issuer, the tap-to-pay information is then relayed to a mule, who is responsible for making fraudulent purchases in a store. This is accomplished by means of a legitimate research tool called NFCGate, which can capture, analyse, or modify NFC traffic. It can also be used to pass NFC traffic between two devices via a server. “One device operates as a ‘reader’ reading an NFC tag, the other device emulates an NFC tag using the Host Card Emulation (HCE),” according to researchers from the Secure Mobile Networking Lab at TU Darmstadt.

New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems

Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus. “Helldown deploys Windows ransomware derived from the LockBit 3.0 code,” Sekoia said in a report shared with The Hacker News. “Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware.” Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an “aggressive ransomware group” that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare. Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It’s estimated to have attacked at least 31 companies within a span of three months. The Windows version of Helldown, once launched, performs a series of steps prior to exfiltrating and encrypting the files, including deleting system shadow copies and terminating various processes related to databases and Microsoft Office. In the final step, the ransomware binary is deleted to cover up the tracks, a ransom note is dropped, and the machine is shut down.

In Other News...

MITRE Updates List of 25 Most Dangerous Software Vulnerabilities

The MITRE Corporation has updated its Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, which reflects the latest trends in the cyber threat landscape. The list provides information on the most common and impactful weaknesses that threat actors exploit in attacks to take over systems, steal sensitive information, and cause disruption. Cross-site scripting (XSS) vulnerabilities are at the top of this year’s CWE Top 25 list, up from second position last year, with out-of-bounds write flaws dropping to second place. While SQL injection bugs have remained in third position, cross-site request forgery (CSRF), path traversal, and out-of-bounds read defects went up by five, three, and one place, respectively, displacing OS command injection and use-after-free issues. The top 10 is rounded out by missing authorization, which was eleventh last year, and unrestricted file uploads, unchanged in tenth position. Code injection, which ranked 23rd in last year’s list, landed at 11th in the updated one. New entries on the 2024 CWE Top 25 list include exposure of sensitive information at 14, up from 30 last year, and uncontrolled resource consumption at 24, up from 37 last year. Incorrect default permissions and race condition flaws dropped out of the top 25 most dangerous software weaknesses. The US cybersecurity agency CISA, which worked with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, in updating the 2024 CWE Top 25, urges organisations to review the list and prioritise these weaknesses in development and procurement processes.

After CrowdStrike Outage, Microsoft Debuts ‘Quick Machine Recovery’ Tool

Microsoft used the spotlight of its Ignite conference this week to introduce a new Quick Machine Recovery tool to help organisations remotely rebuild computer systems after major crises like the CrowdStrike outage earlier this year. The software maker said the feature will enable IT administrators to execute “targeted fixes” from Windows Update, even when machines are unable to boot, without needing physical access to the PC. It is a direct response to the CrowdStrike Falcon sensor crash that blue-screened millions of Windows machines around the world and caused major delays as IT staff struggled to manually fix broken computer systems. “This remote recovery will unblock your employees from broad issues much faster than what has been possible in the past,” Microsoft said of Quick Machine Recovery, which is planned for release to the Windows Insider Program community in early 2025. Redmond’s Windows OS engineers are already redesigning the way anti-malware products interact with the Windows kernel and plan to fit “new platform capabilities” into Windows 11 to allow security vendors to operate “outside of kernel mode” in the interest of software reliability. Following a one-day summit in Redmond with EDR vendors earlier this year, Microsoft vice president David Weston said the plan is to provide more security capabilities to solution providers outside of kernel mode. At Ignite this week, Microsoft said anti-malware vendors are being asked to adopt Safe Deployment Practices, which means that all security product updates must be rolled out gradually, use deployment rings, and be monitored to ensure any negative impact from updates is kept to a minimum.