
Threat Pulse – January 2024

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

Heap-based buffer overflow in the GNU C Library (Glibc) 

CVE-2023-6246: Malicious local attackers can gain full root access to Linux machines by exploiting a newly disclosed flaw in this library.

This heap-based buffer overflow vulnerability is rooted in Glibc’s __vsyslog_internal() function, which is used by both syslog() and vsyslog() for system logging.

It looks to have been introduced accidentally with the release of Glibc 2.37. 

This vulnerability only affects Linux systems, and it requires specific conditions to be exploitable (a long argv[0] or a long openlog() ident argument). However, because the library is so widely deployed, its impact can be broad.

This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access. Affected Linux distributions include Debian, Ubuntu and Fedora.

The vulnerability found in this library has affected all Glibc versions released since 1992. 

Patches were written and reviewed over the past month, and the coordinated release date for these patches was 30/01/2024.

Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems 

Cisco has issued patches to resolve a severe security vulnerability affecting Unified Communications and Contact Center Solutions products.  

This flaw could potentially enable an unauthorised remote attacker to execute arbitrary code on a vulnerable device.

Identified as CVE-2024-20253 with a CVSS score of 9.9, the vulnerability arises from the mishandling of user-provided data.  

This gives a malicious actor the opportunity to exploit the vulnerability by sending a specially crafted message to a vulnerable appliance’s listening port.

According to Cisco’s advisory, successful exploitation of this vulnerability could allow the attacker to run arbitrary commands on the underlying operating system with the privileges of the web services user.

Once access to the underlying operating system is achieved, the attacker may also establish root access on the affected device. 

Google Kubernetes Clusters Suffer Widespread Exposure to External Attackers 

Incorrectly configuring the permissions of an authentication group within Google Kubernetes Engine (GKE) exposes millions of containers to anyone possessing a Google account. 

Researchers have identified a security loophole in the GKE authentication mechanism, potentially enabling external attackers with Google accounts to infiltrate organisations’ Kubernetes container clusters.  

This vulnerability, named Sys:All, poses significant risks such as cryptomining, denial-of-service (DoS) attacks, and the unauthorised access and theft of sensitive data. 

The issue arises when users grant Kubernetes privileges to the “system:authenticated” group, which encompasses all users with a Google account.  

Administrators who bind this group in GKE often presume it includes only organisation-authorised and verified users, but it actually encompasses any Google-authenticated account, including those outside the organisation.
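As an added defensive check (not code from the original post or from the Sys:All researchers), the script below audits RBAC bindings exported with kubectl and flags any binding that grants a non-default role to an all-accounts group such as system:authenticated; the allow-list of default discovery roles it ignores and the sample cluster output are assumptions constructed for this example.

```python
import json

# In GKE the system:authenticated group contains every Google account, so a
# binding that grants it more than the read-only discovery defaults is a
# Sys:All-style exposure. The default-role allow-list is an assumption.
OVERBROAD_SUBJECTS = {("Group", "system:authenticated"),
                      ("Group", "system:unauthenticated"), ("User", "system:anonymous")}
DEFAULT_DISCOVERY_ROLES = {"system:basic-user", "system:discovery",
                           "system:public-info-viewer"}

def find_overbroad_bindings(items):
    """Return (scope, binding, role, subject) for each RoleBinding or
    ClusterRoleBinding that hands a non-default role to an all-accounts group."""
    findings = []
    for binding in items:
        if binding.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        meta, role = binding["metadata"], binding.get("roleRef", {}).get("name", "")
        for subject in binding.get("subjects") or []:  # subjects may be null
            key = (subject.get("kind"), subject.get("name"))
            if key in OVERBROAD_SUBJECTS and role not in DEFAULT_DISCOVERY_ROLES:
                findings.append((meta.get("namespace", "cluster-wide"),
                                 meta["name"], role, key[1]))
    return findings

def audit(json_text):
    """Audit output of: kubectl get clusterrolebindings,rolebindings -A -o json"""
    return find_overbroad_bindings(json.loads(json_text)["items"])

# Constructed sample output (not from a real cluster): one benign default,
# two exposures, one normal service-account binding.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-read", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci", "namespace": "ci"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "ci"}]},
]})

if __name__ == "__main__":
    for scope, name, role, subject in audit(SAMPLE):
        print(f"{scope}/{name}: {role} granted to {subject}")
```

Any finding should be removed or re-scoped to a named group from the organisation’s identity provider rather than left bound to system:authenticated.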

Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver  

A recently uncovered ransomware operation named ‘Kasseika’ has joined the club of threat actors that employ Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files. Kasseika abuses the Martini driver (Martini.sys/viragt64.sys), part of TG Soft’s VirIT Agent System.

The attack chain starts with phishing emails sent to gain initial access to a network.

Next, Kasseika operators abuse the Windows PsExec tool to execute malicious .bat files on the infected system and on other systems they have reached through lateral movement.

They then download the vulnerable ‘Martini.sys’ driver onto the machine which, when exploited by the malware, gives it the privileges to terminate 991 processes from a hardcoded list, many of which correspond to antivirus products, security tools, analysis tools, and system utilities.
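An added detection example, not part of the original post: it correlates driver-load and service-install events per host so that a Martini.sys or viragt64.sys load alongside PsExec activity stands out from either signal alone. The field names follow Sysmon (event 6 driver load, event 1 process create) and System-log (event 7045 service install) conventions, but the records are constructed and the verdict levels are an assumption.

```python
import ntpath
from collections import defaultdict

# Driver names the Kasseika reporting ties to BYOVD; PSEXESVC is the service
# name PsExec installs on a remote host. Event shapes below are simplified.
BYOVD_DRIVERS = {"martini.sys", "viragt64.sys"}
PSEXEC_SERVICE = "PSEXESVC"

def classify(ev):
    """Label one event, or return None if it is not part of the chain."""
    if ev["source"] == "Sysmon" and ev["id"] == 6:      # Sysmon 6: driver loaded
        if ntpath.basename(ev["ImageLoaded"]).lower() in BYOVD_DRIVERS:
            return "byovd_driver_load"
    if ev["source"] == "System" and ev["id"] == 7045:   # 7045: service installed
        if ev["ServiceName"].upper() == PSEXEC_SERVICE:
            return "psexec_service_install"
    if ev["source"] == "Sysmon" and ev["id"] == 1:      # Sysmon 1: process created
        parent = ntpath.basename(ev.get("ParentImage", "")).upper()
        if parent == PSEXEC_SERVICE + ".EXE" and ".bat" in ev["CommandLine"].lower():
            return "psexec_bat_execution"
    return None

def correlate(events):
    """Per host: 'high' = PsExec plus vulnerable driver, 'medium' = driver only, 'low' = PsExec only."""
    per_host = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].add(label)
    verdicts = {}
    for host, labels in per_host.items():
        psexec = bool(labels & {"psexec_service_install", "psexec_bat_execution"})
        if "byovd_driver_load" in labels and psexec:
            verdicts[host] = "high"
        elif "byovd_driver_load" in labels:
            verdicts[host] = "medium"  # could be a genuine VirIT install; verify
        else:
            verdicts[host] = "low"     # PsExec alone is common admin activity
    return verdicts
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "source": "System", "id": 7045, "ServiceName": "PSEXESVC"},
    {"host": "ws01", "source": "Sysmon", "id": 1, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\run.bat"},
    {"host": "ws01", "source": "Sysmon", "id": 6, "ImageLoaded": r"C:\Users\Public\Martini.sys"},
    {"host": "ws02", "source": "Sysmon", "id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\viragt64.sys"},
    {"host": "ws03", "source": "System", "id": 7045, "ServiceName": "PSEXESVC"},
]
if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {'ws01': 'high', 'ws02': 'medium', 'ws03': 'low'}
```

A 'medium' host still needs checking against the software inventory, because viragt64.sys is a legitimate file wherever VirIT is actually installed.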

Apple Warns of WebKit Zero-Day Exploitation 

Apple has released iOS 17.3, a critical update that patches a series of significant vulnerabilities in WebKit, the browser engine used by Safari, which were being actively exploited in zero-day attacks.

Although Apple has not released technical details of the vulnerabilities, they could allow attackers to run arbitrary code, cause denial of service, or access sensitive data on Apple devices.

It is recommended to update devices to the latest iOS and macOS versions to protect against these vulnerabilities.

Ivanti Connect Secure vulnerabilities, January 2024

Two vulnerabilities have been identified and confirmed to be under active exploitation in Ivanti Connect Secure: CVE-2023-46805, an authentication-bypass vulnerability with a CVSS score of 8.2, and CVE-2024-21887, a command-injection vulnerability found in multiple web components with a CVSS score of 9.1.

This affects any organisation using Ivanti Connect Secure and Policy Secure gateways and is present in all supported versions (9.x and 22.x).

When chained together, these vulnerabilities allow a malicious threat actor to execute arbitrary commands on the appliance.

Ivanti has released a temporary mitigation as an XML file (mitigation.release.20240107.1.xml) that can be pushed to affected products to apply the necessary changes until the permanent update is released.

After this has been completed, it is recommended to run Ivanti’s External Integrity Checker Tool, which will scan for any IoCs.

If any IoCs are found, report them to the SOC using the Cyber Emergency contact number, or to the National Cyber Security Centre, immediately.

CISA warns of actively exploited bugs in Chrome and Excel parsing library 

The U.S. Cybersecurity and Infrastructure Security Agency has included two vulnerabilities in the Known Exploited Vulnerabilities catalogue.  

These vulnerabilities involve a recently addressed issue in Google Chrome and a bug impacting Spreadsheet::ParseExcel, an open-source Perl library used for reading information in Excel files. 

Federal agencies in the United States are required to address these security concerns, identified as CVE-2023-7024 and CVE-2023-7101, by January 23.  

They must follow vendor instructions for mitigation or cease using the affected products.

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
