Weekly Security News – 23rd December 2024

Multiple bugs being exploited, Fortinet issues warning, hackers exploiting Google Ads and new ransomware attacks...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Windows kernel bug now exploited in attacks to gain SYSTEM privileges

CISA has warned U.S. federal agencies to secure their systems against ongoing attacks targeting a high-severity Windows kernel vulnerability. Tracked as CVE-2024-35250, this security flaw is due to an untrusted pointer dereference weakness that allows local attackers to gain SYSTEM privileges in low-complexity attacks that don’t require user interaction.

While Microsoft didn’t share more details in a security advisory published in June, the DEVCORE Research Team that found the flaw and reported it to Microsoft through Trend Micro’s Zero Day Initiative says the vulnerable system component is the Microsoft Kernel Streaming Service (MSKSSRV.SYS).

DEVCORE security researchers used this MSKSSRV privilege escalation security flaw to compromise a fully patched Windows 11 system on the first day of this year’s Pwn2Own Vancouver 2024 hacking contest. Redmond patched the bug during the June 2024 Patch Tuesday, with proof-of-concept exploit code released on GitHub four months later.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company says in a security advisory that has yet to be updated to indicate the vulnerability is under active exploitation. DEVCORE published a video demo of their CVE-2024-35250 proof-of-concept exploit being used to hack a Windows 11 23H2 device.

Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits

Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information.

The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0.

“A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files,” the company said in an alert released Wednesday.

However, according to a description of the security flaw in NIST’s National Vulnerability Database (NVD), the path traversal vulnerability could also be exploited by an attacker to “execute unauthorized code or commands via specially crafted web requests.”

The company credited Horizon3.ai security researcher Zach Hanley for discovering and reporting the shortcoming. It’s worth mentioning here that CVE-2023-34990 refers to the “unauthenticated limited file read vulnerability” the cybersecurity company revealed back in March as part of a broader set of six flaws in FortiWLM.

“This vulnerability allows remote, unauthenticated attackers to access and abuse built-in functionality meant to read specific log files on the system via a crafted request to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint,” Hanley said at the time.

Patch Alert: Critical Apache Struts Flaw Found; Exploitation Attempts Detected

Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution.

The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS score: 9.8), which also came under active exploitation shortly after public disclosure.

“An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution,” according to the Apache advisory.

In other words, successful exploitation of the flaw could allow a malicious actor to upload arbitrary payloads to susceptible instances, which could then be leveraged to run commands, exfiltrate data, or download additional payloads for follow-on exploitation.

Dr. Johannes Ullrich, dean of research for SANS Technology Institute, said that an incomplete patch for CVE-2023-50164 may have led to the new problem, adding exploitation attempts matching the publicly-released proof-of-concept (PoC) have been detected in the wild.
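Both the FortiWLM and the Apache Struts items above come down to relative path traversal (CWE-23): a client-supplied path or filename escaping the directory the handler meant to stay in. As an added illustration, not code from Fortinet, Apache or either research team, the Python below shows the two checks a defender would put in front of such handlers; the log directory, the extension allow-list and the sample requests are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed values for the example: where the app is allowed to read and
# write, and which upload extensions it will accept.
LOG_DIR = "/var/app/logs"
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".pdf"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def resolve_within(base_dir, user_path):
    """Return the absolute path named by user_path if it stays under base_dir,
    otherwise None. Decodes percent-encoding (twice, to catch %252e tricks),
    normalises the path and checks the prefix, so '../', '..%2f' and
    backslash variants are all rejected."""
    base = base_dir.rstrip("/")
    decoded = unquote(unquote(user_path)).replace("\\", "/")
    if not decoded or "\x00" in decoded or decoded.startswith("/"):
        return None
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    if not resolved.startswith(base + "/"):
        return None
    return resolved


def safe_upload_name(client_name, allowed_ext=ALLOWED_UPLOAD_EXT):
    """Reduce a client-supplied upload filename to a bare basename, then apply
    an allow-list of characters and extensions. Any directory component the
    client sent is discarded, so the file can only land in the upload dir."""
    name = posixpath.basename(unquote(client_name).replace("\\", "/"))
    if not SAFE_NAME.match(name):
        return None
    if posixpath.splitext(name)[1].lower() not in allowed_ext:
        return None
    return name


if __name__ == "__main__":
    # Constructed requests: a normal log read and several traversal attempts.
    for req in ["app.log", "../../etc/passwd", "..%2f..%2fetc%2fpasswd"]:
        print(req, "->", resolve_within(LOG_DIR, req))
    for fn in ["report.pdf", "../../webapps/ROOT/page.jsp", "img.png%00.jsp"]:
        print(fn, "->", safe_upload_name(fn))
```

The prefix comparison is done on the normalised path, not on the raw input, which is what closes the gap left by naive `..` substring filters.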

Cyber Attacks

New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP

Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber-attacks targeting China, the United States, Cambodia, Pakistan, and South Africa.

QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (aka APT41).

“Interestingly, our investigation revealed that Glutton’s creators deliberately targeted systems within the cybercrime market,” the company said. “By poisoning operations, they aimed to turn the tools of cybercriminals against them – a classic ‘no honor among thieves’ scenario.”

Glutton is designed to harvest sensitive system information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel. The ELF malware also shares “near-complete similarity” with a known Winnti tool known as PWNLNX.

Despite the links to Winnti, XLab said it cannot definitively link the backdoor to the adversary owing to the lack of stealth techniques typically associated with the group. The cybersecurity company described the shortcomings as “uncharacteristically subpar.”

This includes the lack of encrypted command-and-control (C2) communications, the use of HTTP (instead of HTTPS) for downloading the payloads, and the fact that the samples are devoid of any obfuscation.

Hackers Exploiting Google Search Ads to Launch Malvertising Campaigns

Threat researchers have identified a persistent series of malvertising campaigns targeting graphic design professionals, using Google Search ads as a vector.

This campaign, active since at least November 13, 2024, exploits two dedicated IP addresses, 185.11.61[.]243 and 185.147.124[.]110, to host malicious domains.

Starting with the first IP address 185.11.61[.]243, at the time of this writing, 109 unique domains were mapped to it, all seemingly for this graphic design/CAD malvertising campaign.

Silent Push, in collaboration with its research partners, has tracked at least ten distinct campaigns over the past month. These malicious Google Ads campaigns utilize domains that direct unsuspecting users to harmful downloads, posing a significant risk to corporate environments and individual security.

The initial domain, frecadsolutions[.]com, launched the malvertising effort with its domain hosted on the IP address 185.11.61[.]243 since early November.

The campaign rapidly expanded with subtle variations in domain names, such as frecadsolutions[.]cc, and spanned across multiple similar-sounding domains like freecad-solutions[.]net and rhino3dsolutions[.]io.

According to the Silent Push Research, “On November 14, 2024, a malvertising campaign was launched using frecadsolutions[.]cc (note the subtle TLD difference of “cc” vs. “com”), which had also been hosted on 185.11.61[.]243 since November 6, 2024. This made use of Bitbucket for its malicious download, which is normally a legitimate file hosting site.”

New “NotLockBit” Ransomware Attacks Windows and macOS

A sophisticated new ransomware family, dubbed NotLockBit, is creating waves in the cybersecurity world with its advanced capabilities and cross-platform functionality. Mimicking the techniques of the infamous LockBit ransomware, NotLockBit has proven to be a formidable new threat, targeting both macOS and Windows operating systems with tailored attack strategies.

Distributed as an x86_64 binary written in the Go programming language, NotLockBit is packed with advanced features that enhance its efficiency and destructiveness. Key functionalities include:

  • Targeted File Encryption: The ransomware uses robust encryption protocols like AES and RSA to encrypt sensitive data, rendering it inaccessible without the attacker’s private decryption key.
  • Data Exfiltration: Stolen data is transferred to attacker-controlled repositories, such as Amazon S3 buckets, enabling double extortion, threatening both data loss and data exposure.
  • Self-Deletion Mechanisms: To eliminate recovery options, NotLockBit deletes its own traces, including shadow copies and its execution binary.

Cybersecurity researchers at Qualys identified NotLockBit as an advanced and highly adaptive ransomware strain. “This new variant demonstrates significant sophistication, combining encryption, data theft, and self-removal to maximize its impact,” the researchers noted.

In Other News...

Meta Fined €251 Million for 2018 Data Breach Impacting 29 Million Accounts

Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined €251 million (around $263 million) for a 2018 data breach that impacted millions of users in the bloc, in what’s the latest financial hit the company has taken for flouting stringent privacy laws.

The Irish Data Protection Commission (DPC) said the data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the European Union and European Economic Area (EEA). It’s worth noting that initial estimates from the tech giant had pegged the total number of affected accounts at 50 million.

The incident, which the social media company disclosed back in September 2018, arose from a bug that was introduced to Facebook’s systems in July 2017, allowing unknown threat actors to exploit the “View As” feature that lets a user see their own profile as someone else.

This ultimately made it possible to obtain account access tokens, allowing the attackers to break into victim accounts. Categories of personal data impacted as a result of the security breach included users’ full names, email addresses, phone numbers, location, places of work, dates of birth, religion, gender, posts on timelines, groups of which they were member, and children’s personal data.