
Threat Pulse – February 2024

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the largest Open Threat Exchange database available. 

CVE-2024-21762: Critical Fortinet FortiOS Vulnerability 

CVE-2024-21762 is a critical flaw in the FortiOS SSL (Secure Sockets Layer) VPN that allows the execution of arbitrary code and commands. 

It is an out-of-bounds write vulnerability in FortiOS that may allow an unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.  

Affected versions of FortiOS range from FortiOS 6.0 to 7.4. The issue stemmed from the patches issued for CVE-2024-23108 and CVE-2024-23109.  

The most affected targets are government departments, service providers, consultancies, manufacturers and large critical infrastructure organisations. 

Update to a patched version of FortiOS as soon as possible.  

Sites with Popup Builder Compromised by Balada Injector 

Balada malware injection has infiltrated over 7,000 WordPress sites through a vulnerability in the Popup Builder plugin.  

Despite being an older vulnerability, it allows the injection of malicious JavaScript code, redirecting users to other sites such as fake tech support pages, fraudulent lottery wins, and push notification scams.  

Additionally, threat actors could potentially create a new rogue admin user.  

The most recent targets have been premium themes for WordPress sites. Users should exercise caution when encountering popups, especially those associated with the “specialcraftbox” domain, which has been used during the recent Popup Builder campaign. 

VMware Urges Admins to Remove Deprecated, Vulnerable Auth Plug-in 

VMware has strongly advised administrators to eliminate an obsolete authentication plugin that is susceptible to authentication relay and session hijack attacks within Windows domain environments.  

These vulnerabilities, identified as CVE-2024-22245 (with a CVSSv3 base score of 9.6/10) and CVE-2024-22250 (with a score of 7.8/10), affect the VMware Enhanced Authentication Plug-in (EAP).  

This plugin facilitates seamless login to vSphere’s management interfaces through integrated Windows Authentication and Windows-based smart card functionality on Windows client systems.  

The security flaws, which allow malicious actors to exploit Kerberos service tickets and gain control of privileged EAP sessions, have been addressed by patches released today.

To mitigate the risks associated with CVE-2024-22245 and CVE-2024-22250, administrators are instructed to remove both the in-browser plugin/client (VMware Enhanced Authentication Plug-in 6.7.0) and the Windows service (VMware Plug-in Service).   

New SSH-Snake Malware Steals SSH Keys to Spread Across the Network 

A recently released open-source network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities.  

SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network. The worm automatically searches through known credential locations and shell history files to determine its next move. 

Threat actors have been observed deploying SSH-Snake in real-world attacks to harvest credentials, target IP addresses and bash command history; this came to light following the discovery of a command-and-control (C2) server hosting the stolen data.  

These attacks involve active exploitation of known security vulnerabilities in Apache ActiveMQ and Atlassian Confluence instances in order to gain initial access and deploy SSH-Snake.  
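The worm behaviour described above leaves a recognisable trace on a central log collector: one source authenticating with keys to many hosts in a short window. The following is an added detection example, not code from the bulletin or from the SSH-Snake project; it parses constructed sshd "Accepted publickey" lines in an assumed ISO-timestamped syslog format and flags sources that reach several distinct hosts within a few minutes.

```python
import re
from collections import defaultdict
from datetime import datetime
# Assumed format: ISO timestamp, originating host, then the sshd message as
# forwarded to a central collector.  Adjust LINE_RE to your syslog template.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted publickey "
                     r"for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")

def parse_line(line):
    """Return a dict for a successful key login, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "user": m["user"], "src": m["src"]}

def detect_fanout(lines, min_hosts=3, window_s=300):
    """Map each source IP that key-authenticated to >= min_hosts distinct hosts
    within any window_s-second window to the sorted list of hosts it reached."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0                      # sliding window over time-ordered events
        for end in range(len(events)):
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            hosts = {e["host"] for e in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
    return alerts

# Constructed sample: one source reaching four hosts in about a minute (worm-like),
# one admin logging in to two hosts hours apart, and an unrelated failed login.
SAMPLE_LOG = """\
2024-02-20T10:15:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: RSA SHA256:AAAA
2024-02-20T10:15:09 db01 sshd[8812]: Accepted publickey for deploy from 10.0.0.5 port 51240 ssh2: RSA SHA256:AAAA
2024-02-20T10:15:22 app02 sshd[3301]: Accepted publickey for root from 10.0.0.5 port 51251 ssh2: RSA SHA256:AAAA
2024-02-20T10:16:03 app03 sshd[3302]: Accepted publickey for deploy from 10.0.0.5 port 51260 ssh2: RSA SHA256:AAAA
2024-02-20T09:00:00 web01 sshd[2100]: Accepted publickey for alice from 10.0.0.9 port 40000 ssh2: ED25519 SHA256:BBBB
2024-02-20T14:00:00 db01 sshd[8700]: Accepted publickey for alice from 10.0.0.9 port 40010 ssh2: ED25519 SHA256:BBBB
2024-02-20T10:15:30 web01 sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 2222 ssh2
""".splitlines()
if __name__ == "__main__":
    for src, hosts in detect_fanout(SAMPLE_LOG).items():
        print(f"possible SSH fan-out from {src}: {', '.join(hosts)}")
```

Tune `min_hosts` and `window_s` against your own baseline of legitimate automation (configuration management, backup jobs) before alerting on this.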

Xeno RAT Abuses Windows DLL Search to Avoid Detection 

A new malware called Xeno RAT, written in C#, has sophisticated functionality that currently evades normal detection techniques.  

The malware is being developed as an open-source tool available from GitHub.  

The malware uses process injection, obfuscation, anti-debugging, C2 communication and several other techniques that make it harder to detect. 

According to the reports shared with Cyber Security News, this malware was initially delivered as a shortcut file (.lnk) named “WhatsApp_2023-12-12_12-59-06-18264122612_DCIM.png.lnk”, which disguises the shortcut as an image. 

ConnectWise ScreenConnect Vulnerabilities 

ConnectWise was notified in February of two vulnerabilities impacting its remote desktop software ScreenConnect.  

The vulnerabilities allow for remote code execution and authentication bypass.  

As of 21 February 2024, over 18,000 IP addresses were observed hosting vulnerable ScreenConnect software globally.  

The vulnerabilities are considered highly severe and likely to be actively targeted by various types of threat actors, including cybercriminals and nation-state actors. 

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
