• QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Talos’ data, roughly 60% of all email containing a QR code is spam.  
• Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. Users could obscure the data modules, the black and white squares within the QR code that represent the encoded data. Alternatively, users could remove one or more of the position detection patterns — large square boxes located in corners of the QR code used to initially identify the code’s orientation and position. 
• Further complicating detection, both by users and anti-spam filters, Talos found QR code images which are “QR code art”. These images blend the data points of a QR code seamlessly into an artistic image, so the result does not appear to be a QR code at all. 

Prior to 1994, most code scanning technology utilized one-dimensional barcodes. These one-dimensional barcodes consist of a series of parallel black lines of varying width and spacing. We are all familiar with these codes, like the type you might find on the back of a cereal box from the grocery store. However, as the use of barcodes spread, their limitations became problematic, especially considering that a one-dimensional barcode can only hold up to 80 alphanumeric characters of information. To eliminate this limitation, a company named Denso Wave created the very first “Quick Response“ codes (QR codes). 

QR codes are a 2-dimensional matrix bar code that can hold encode just over seven thousand numeric characters, or up to approximately four thousand three hundred alphanumeric characters. While they can represent almost any data, most frequently we encounter QR codes that are used to encode URLs. 

Quantifying the QR code problem 

Cisco Talos extracts QR codes from images inside email messages and attached PDF files for analysis. QR codes in email messages make up as little as .01% up to .2% of all email, worldwide. This equates to roughly 1 out of every 500 email messages. This is not a very big number. However, because QR codes are disproportionately effective at bypassing anti-spam filters, a significant number find their way into users’ email inboxes, skewing users’ perception of the overall problem.  

Also, of course, not all email messages with a QR code inside are spam or malicious. Many email users send QR codes as part of their email signature, or you may also find legitimate emails containing QR codes used as signups for events, and so on. However, according to Talos’ data, roughly 60% of all email containing a QR code is spam.   

Truly malicious QR codes can be found in a much smaller number of messages. These emails contain links to phishing pages, etc. The most common malicious QR codes tend to be multifactor authentication requests used for phishing user credentials. 

One of the problems that defenders may encounter when dealing with users’ scanning of QR codes received via email, assuming the user’s device is not connected to the corporate Wi-Fi, is that subsequent traffic between the victim and the attacker will traverse the cellular network, largely outside the purview of corporate security devices. This can complicate defense, because few/no alerts from security devices will notify security teams that this has occurred.  

Why are malicious QR codes hard to detect? 

Because QR codes are displayed in images, it can be difficult for anti-spam systems to identify problematic codes. Identifying and filtering these messages requires the anti-spam system to recognize that a QR code is present in an image, decode the QR code, then analyze the link (or other data) present in the decoded data. As spammers are always looking for innovative ways to bypass spam filters, using QR codes has been a valuable technique for spammers to accomplish this. 

As anti-spam systems improve their capability to detect malicious QR codes in images, enterprising attackers have instead decided to craft their QR codes using Unicode characters. Below is an example of an email containing a Unicode art QR code.    

 The graphical parts of the image are contained within a PDF file. The PDF metadata indicates was created from HTML using the tool wkhtmltopdf. Converting the PDF back into HTML shows the Unicode that is being used to construct the QR code. 

Defanging QR codes 

When sharing malicious URLs, it is common to change the protocol from “http” to “hxxp”, or to add brackets [] around one of the dots in the URL. This makes it so browsers and other applications do not render the link as an active URL, ensuring that users do not inadvertently click on the malicious URL. This is a process known as “defanging”. Unfortunately, while defanging URLs is commonplace, many people do not defang malicious QR codes. For example, below is a news article from BBC about criminals who put QR code stickers on parking meters in an attempt to harvest payment credentials from unsuspecting victims. 

The problem is that these QR codes can still be scanned, taking visitors to whatever malicious link that the QR code encoded. To make malicious QR codes safe for consumption, they should be defanged. 

There are a couple of different ways to do this. One way is to obscure the data modules, the black and white squares within the QR code that represent the encoded data. This is where the data that the QR code represents is located. However, based on Talos’ own research, a far easier way to defang a QR code is to remove one or more of the position detection patterns (a.k.a. finder patterns). These are the large square boxes located in three of the four corners of the QR code, which are used by the QR code scanner to initially identify the code’s orientation and position. Removing the position detection patterns renders a QR code unscannable by virtually all scanners. 

Be careful what you scan! 

For years security professionals have encouraged users not to click on unfamiliar or suspicious URLs. These URLs could potentially lead to phishing pages, malware or other harmful sites. However, many users do not exercise the same care when scanning an unknown QR code as they do when clicking on a suspicious link. To be clear, scanning an unknown/suspicious QR code is equivalent to clicking on a suspicious URL. 

To complicate the situation even more, there are QR code images which are “QR code art”. These images blend the data points of a QR code seamlessly into an artistic image, so the result does not appear to be a QR code at all. The potential danger with QR code art images is that a user could conceivably be tricked into scanning a QR code art image with their camera, and then inadvertently navigate to the linked content without realizing it. Below are some QR codes found online by Talos which illustrate a range of artistic possibilities.  

Note: these images have been created by third parties and posted online. Talos is not responsible for the artwork, nor the linked content.

How to protect yourself from malicious QR codes 

QR codes have become ubiquitous, appearing in email, on restaurant menus, at events, on retail packaging, in museums, even public parks and trails. The perfect defense is to avoid scanning *any* QR codes, however, it can be difficult to avoid scanning these entirely, so users must exercise caution. Scanning a QR code is essentially the same as clicking on an unknown hyperlink, but without the ability to see the full URL beforehand. 

There are several QR code decoders freely available online. Typically, if you can save a screenshot of the QR code, you can upload this image to one of these decoders, and the QR code decoder will tell you what data was encoded inside the QR code. This will enable you more closely inspect the link. You can also choose to navigate to that URL using an application like Cisco Secure Malware Analytics (Threat Grid). This will allow you to view the content behind the URL from a safe place, without jeopardizing the security of your desktop or mobile device. As always, never EVER enter your username and password into an unknown site. It is better to navigate directly to anywhere you wish to login, rather than clicking on a URL presented to you from an unknown third party. 

Cisco Talos Blog – ​Read More

We’re always working to ensure our products and solutions remain top-tier — both in our own view and in the eyes of independent researchers. We take a comprehensive approach to this, adding new features, combating emerging malware, simplifying migration, and continually enhancing user experience.

Today, we’re excited to introduce a major update to Kaspersky Password Manager for mobile devices. This update will be available in all app stores during November 2024. We’re confident this refresh will make storing and managing passwords, two-factor authentication codes, and encrypted documents even easier. In this article, we’ll cover advanced filtering, search functionality, synchronization, and more.

Highlights

The mobile version of our password manager is celebrating its 10^th  anniversary this year (while the desktop version turns 15), and in those 10 years we’ve managed to consolidate all the best features into a single app. In recent years, we’ve been conducting extensive Kaspersky Password Manager user-behavior research and, based on the findings, we’ve completely revamped the navigation in our mobile app.

What’s new:

• The side menu has been replaced with a navigation bar at the bottom of the screen. The product’s core features are now organized into sections.
• We’ve created a dedicated section for the in-app search, and improved the search scenarios.
• Managing favorite entries is now more convenient; they’re now pinned at the top of the list.
• We’ve added a “Sync” button and placed it in a prominent location.
• The password generator, import, and security-check features have been grouped into a separate “Tools” section.

These changes are available to all Kaspersky Password Manager users on both Android (app version 9.2.106 and later) and iOS (app version 9.2.92 and later).

Navigation bar

All core Kaspersky Password Manager functions are now accessible through the navigation bar at the bottom of the screen.

Updated home screen of Kaspersky Password Manager for iOS (left) and Android (right)

Let’s look at each element of the new bar from left to right.

1. All Entries. This is the main menu – the heart of our password manager.
2.  Subscription. Here, you can view your current subscription, including the expiry date and provider. If you don’t have a subscription, you can create or log in to a My Kaspersky account to activate or purchase one.
3. Tools. Here, you’ll find the “Password Generator”, “Password Check”, and “Import Passwords” tools. The names speak for themselves. With a single click, you can create strong, unique passwords, check your existing passwords for uniqueness, strength, security, and compromise in data breaches, and import passwords from built-in browser password managers and similar products into our secure vault.
4. Search. If you’re an active internet user and have dozens or even hundreds of unique passwords for different accounts saved in Kaspersky Password Manager, simply click on the magnifying glass icon and type just a few characters to quickly find the entry you need.
5. Settings. This is where you can enable notifications, change your primary password, configure auto-lock and login methods, choose sorting options, access help resources, check the app version, and log out of your account.

New filtering

Let’s dive a little deeper. Another additional feature is the option to select entry categories within a section. Now, clicking “All Entries” opens a dropdown menu with these categories: websites, apps, other, bank cards, documents, addresses, notes, authenticator, and folders (you can create new folders as needed).

New entry category display in Kaspersky Password Manager for iOS (left) and Android (right)

Other additions

In the top right corner, you’ll notice a new “Sync” icon – replacing the “Search” button, which now resides in the navigation bar. Clicking this new icon displays the current synchronization status of your entries between your cloud storage and devices. If everything is in order, and your smartphone is connected to the internet and operating normally, you’ll see “All data is synced” with the date and time of the last sync. To refresh the data manually, click “Sync”.

The Search function has not only gotten its own tab in the navigation bar, but now also remembers your last search within the current session. For example, let’s say you were searching for your virtual card details while shopping, then switched to the “All Entries” menu, checked the settings and sync status, and then returned to “Search”. Your query and results will remain, despite your little wander through Kaspersky Password Manager. However, if you restart the app or clear the search, you’ll have to enter the query again.

Important note for Kaspersky Password Manager users on iOS 18. Due to Apple’s policies, the default source for auto-filling passwords and logins in iOS 18 is Apple’s built-in “Passwords” app, not Kaspersky Password Manager. This is easy to fix:

1. After updating to iOS 18, you need to launch Apple’s “Passwords” app at least once. This will activate the “AutoFill & Passwords” section in your device settings.
2. Go to “AutoFill & Passwords” in the device settings.
3. Select Kaspersky Password Manager as the preferred password auto-filling source.
4. In the “Set Up Codes In” section, select Kaspersky Password Manager.

Everything is now set for secure password management. On Android devices, when you first launch the password manager, enable autofill permissions. Simply follow the in-app instructions to do so.

Kaspersky official blog – ​Read More

From kids to retirees, no one is safe from cybercrooks. And if you’re always putting cybersecurity on hold because it all seems so daunting, our five dead-simple tips are just the ticket. Each of them will greatly beef up your protection against the most common cyberthreats. We compiled this post as part of INTERPOL’s #ThinkTwice global information campaign to raise awareness of the main cybercrime vectors plus simple but effective ways to counter them.

Automate your passwords

Make all your passwords for both websites and apps long enough (at least 12 characters) and unique (that is, never use them more than once). No one can think up and memorize so many passwords, so use a password manager to create, store and enter them. You’ll only need to come up with and memorize just one (long!) main password for it; everything else — from generating to entering passwords — will be done automatically.

Keep in mind: you need to install the password manager on all your devices to enter passwords easily and safely everywhere. The data will be synched across all your devices. So, having saved a password on your smartphone, you’ll be able to automatically enter it on your desktop, and vice versa. Note that the password manager will let you store in encrypted form not only passwords, but also PINs, full credit card details, addresses, notes, and even document scans.

Pro level: for maximum security, disable biometric login to the password manager — this way you’ll have to enter the main password every time you use the app, but no one will be able to access all your data without knowing the main password (don’t write it on a sticky note, by the way).

Enable double checking

Double checking, or two-factor authentication, protects you from password-stealing hackers who break into your accounts using leaked credentials. Besides the password, they’ll need to enter a one-time code sent to you via a text or an authenticator app.

Although banks enable two-factor authentication (2FA) automatically, in many other online services it remains optional. Wherever your data is even a tiny bit confidential (social networks, messengers, government services, email), we recommend enabling 2FA in the settings, if available.

Keep in mind: There’s usually a choice of how to get one-time codes: by email or text, or by generating them in a special authenticator app on your smartphone. Of these methods, the safest is to use the latter; next come codes via text (they can be intercepted), and the least secure option is codes via email.

With an authenticator app, the only risk is if you lose your smartphone, in which case you’ll also lose access to accounts protected by one-time codes. Here again, Kaspersky Password Manager comes to the rescue: not only does it securely store authentication tokens and generate one-time codes, it also synchronizes them across all your devices. So, if your smartphone is lost or broken, you can easily generate a verification code on any of your other devices, as well as restore all your Kaspersky Password Manager data to a new phone.

Pro level: get yourself a FIDO U2F hardware key — this dongle looks like a tiny flash drive and offers the best protection against hackers.

Double-check links and attachments

Never follow links or open files sent via messenger or email if you don’t recognize the sender or aren’t expecting any messages. If a friend, colleague or acquaintance writes you a message, but it looks even a little strange, call them, or reply via another communication channel to make sure it really is them and not a scammer.

Keep in mind: use two layers of defense! The first layer is your vigilance; the second is a comprehensive security solution. This will keep you away from phishing sites looking to extract passwords and money, as well as stop malware in its tracks. Incidentally, if a message or website asks you to turn off your antivirus – 99% of the time it’s an attempt to infect you.

Pro level: sign in to email, banking and other accounts only from browser bookmarks or by entering the address manually, and never open links in messages, emails or notifications — it might be phishing.

Enable automatic updates

This is to prevent cybercriminals from infecting you by exploiting bugs in your operating system, browser, office applications or other software. They can all update themselves — you just need to not postpone this action when prompted to restart the program or computer.

Keep in mind: sometimes “updates” are offered on websites. You go to the site, which says you need to update the browser, or video player, or Windows — and invites you to download an update on the spot. Stop! It’s a trick to sneak a virus into your device or computer. Genuine update prompts appear right in an application’s menu or as operating system notifications.
Pro level: Kaspersky Premium can monitor all your installed programs and notify you whenever an update becomes available. One click or tap, and everything’s up-to-date!

Think twice before sharing online

Photos sent to a stranger or scanned documents posted on social media can come back to bite you. You or family members might become victims of extortion, or scammers might use such information to create a convincing cover story to extract money from you or your friends. Therefore, only send and post things that you wouldn’t mind showing on a billboard outside your home. What gets posted online can be very difficult, if not impossible, to remove.

Keep in mind: social networks and messengers have privacy settings to adjust the visibility of your posts. Go there and change as many settings as possible from “Visible to everyone” to “Friends only”. To find out how to best configure privacy for operating systems, browsers, social networks and other programs, visit our Privacy Checker site.

Pro level: use a tool to monitor online leaks of personal information. A free option is to create a Google Alert for your name; a more powerful alternative is to go for a premium service. For example, Kaspersky Premium monitors leaks of personal data linked to all phone numbers and email addresses used by you and your loved ones as a standard feature.

How to automate protection

These tips are much easier to follow with an app that automates each aspect of security. Kaspersky Premium includes a password and one-time 2FA code manager, anti-phishing and anti-malware protection, update management and leak monitoring — all this and much more is available for both computers and smartphones. Join the club of savvy users who enjoy robust protection for next-to-no effort!

Kaspersky official blog – ​Read More

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added two high-severity vulnerabilities affecting Palo Alto Networks Expedition to its Known Exploited Vulnerability (KEV) Catalog.

The two Palo Alto Networks vulnerabilities, which are actively being targeted by cybercriminals, are identified as CVE-2024-9463 and CVE-2024-9465; both have critical severity ratings and are known to be actively exploited in real-world attacks. Organizations using affected versions of Palo Alto Networks Expedition are urged to take immediate action to mitigate the risks.

The vulnerabilities in question—CVE-2024-9463 (OS Command Injection) and CVE-2024-9465 (SQL Injection)—impact Palo Alto Networks’ Expedition software, a tool for migrating and optimizing PAN-OS configurations. Both flaws have been assigned CVSSv4 scores of 9.9 and 9.2, respectively, signifying their high criticality.

These vulnerabilities could allow attackers to gain unauthorized access to sensitive data or execute arbitrary commands on affected systems, posing online risks to organizations’ security.

Details of Palo Alto Networks Vulnerabilities: CVE-2024-9463 and CVE-2024-9465

The first vulnerability, CVE-2024-9463, is a critical OS command injection flaw that affects Palo Alto Networks Expedition. Assigned a CVSSv4 score of 9.9, this vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on the affected system.

If successfully exploited, this can compromise the integrity of the system, giving attackers the ability to disclose sensitive information. This includes usernames, cleartext passwords, device configurations, and API keys associated with PAN-OS firewalls, which are critical for securing network traffic.

Attackers exploiting this flaw can gain root access to these systems, making this vulnerability a prime target for those seeking to compromise firewall configurations and sensitive network data.

Another critical flaw, CVE-2024-9465, is a SQL injection vulnerability found in Expedition. This flaw, with a CVSSv4 score of 9.2, allows attackers to interact with and manipulate the system’s database, exposing sensitive information such as password hashes, usernames, and device configurations. Exploiting this vulnerability could give attackers the ability to create and read arbitrary files on the system, which increases the risk of a full system compromise.

Similar to CVE-2024-9463, the vulnerable version for CVE-2024-9465 is Expedition < 1.2.96. Additionally, proof-of-concept (PoC) exploits for this vulnerability have already been released to the public, escalating the risk of widespread attacks. As the PoC code is now accessible, it allows potential attackers to easily replicate the exploit and target vulnerable systems more efficiently.

Both CVE-2024-9463 and CVE-2024-9465 are critical vulnerabilities in the Expedition software suite. Organizations that are running versions of Expedition older than 1.2.96 are strongly advised to immediately update to the latest patched version. Given the severity and the ongoing active exploitation of these vulnerabilities, patching is crucial to protect sensitive information and maintain system security.

Cyble researchers have observed active exploitation of these flaws, with CVE-2024-9463 being particularly concerning due to its ability to grant attackers root-level access. This could result in a wide range of malicious activities, including data breaches, ransomware deployment, and unauthorized system modifications. Organizations should be particularly vigilant in monitoring their systems for signs of exploitation.

Recommendations and Mitigations

Palo Alto Networks has already released patches to address both vulnerabilities and organizations are urged to upgrade to Expedition version 1.2.96 or later. However, simply applying the patch may not be enough. The following mitigation strategies are recommended:

• Organizations should immediately apply the latest patches released by Palo Alto Networks to close the vulnerabilities. Ensuring that systems are updated with the latest software versions will significantly reduce the risk of exploitation.
• After upgrading to the fixed version of Expedition, all Expedition usernames, passwords, and API keys should be rotated to prevent attackers from using previously exposed credentials to access systems. Similarly, any firewall usernames, passwords, and API keys processed by Expedition should also be updated to maintain system security.
• Organizations should implement comprehensive monitoring and logging solutions to detect suspicious activities. SIEM (Security Information and Event Management) tools can help organizations identify and respond to potential exploitation attempts in real-time.
• Regular vulnerability assessments and penetration testing should be conducted to identify and address any other potential weaknesses. This proactive approach ensures that other unknown vulnerabilities are addressed.
• Organizations should have a well-defined incident response and recovery plan in place, which includes procedures for detecting, responding to, and mitigating the effects of an attack. Regular testing and updates to the plan are crucial to ensure readiness against online threats.

Conclusion

The inclusion of CVE-2024-9463 and CVE-2024-9465 in CISA’s Known Exploited Vulnerabilities catalog highlights the urgent need for organizations to address these critical vulnerabilities in the Palo Alto Networks Expedition.

With active exploitation ongoing, it is important for organizations using vulnerable versions to prioritize patching and apply recommended security measures. Delaying action could lead to severe data breaches and system compromises.

References:

• https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-adds-two-known-exploited-vulnerabilities-catalog
• https://nvd.nist.gov/vuln/detail/cve-2024-9463
• https://nvd.nist.gov/vuln/detail/cve-2024-9465

The post CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog appeared first on Cyble.

Blog – Cyble – ​Read More

A pair of actively exploited Microsoft zero-day vulnerabilities highlighted an active November Patch Tuesday, which also saw updates from several IT vendors.

Overview

Cyble Research and Intelligence Labs (CRIL) researchers investigated 22 vulnerabilities and eight dark web exploits from Nov. 6 to 12 and highlighted nine vulnerabilities that merit high-priority attention from security teams.

CRIL researchers also identified six dark web exploits that are at high risk in Cyble’s weekly IT vulnerability report to clients, which examined two Microsoft zero-days and vulnerabilities from Veeam, Cisco, HPE Aruba, D-Link, Citrix, and others.

Security teams should identify the vulnerabilities that are present in their environments and apply patches and mitigations promptly.

The Week’s Top IT Vulnerabilities

Here are the top IT vulnerabilities identified by Cyble threat intelligence researchers this week.

CVE-2024-43451 is an NTLM hash disclosure spoofing vulnerability found in all supported versions of Windows that has been exploited in the wild since at least April. Researchers disclosed this week that suspected Russian hackers exploited it for zero-day attacks targeting Ukrainian entities. The vulnerability was triggered by phishing emails that contained links to download a malicious Internet shortcut file, which, when interacted with, triggered the vulnerability to connect to a remote server and download malware.

CVE-2024-49039 is an elevation of privilege vulnerability in Windows Task Scheduler that has also been attacked. From a low-privilege AppContainer, an attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment, Microsoft said. A successful exploit could allow an attacker to execute RPC functions that are restricted to privileged accounts.

CVE-2024-49040 is a high-severity spoofing vulnerability in Microsoft Exchange Server that allows attackers to forge legitimate senders on incoming emails and makes malicious messages much more effective. A researcher reported a Proof of Concept (PoC) for this vulnerability, but Microsoft paused the update after some customers reported issues with Transport rules stopping periodically after the update was installed.

CVE-2024-40711 is a critical vulnerability in Veeam VBR (Veeam Backup & Replication) servers caused by the deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE). Previously, the vulnerability was observed to be leveraged in Akira and Fog ransomware attacks. At present, researchers have observed that it is now exploited to deploy a newly identified strain of Frag ransomware.

CVE-2024-42509 and CVE-2024-47460 are command injection vulnerabilities in AOS-8 and AOS-10 versions of HPE Aruba’s network operating system. The flaw lies in the underlying CLI service, which could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211). Successful exploitation results in the ability to execute arbitrary code as a privileged user on the underlying operating system. Cyble researchers detailed the vulnerabilities and others in a separate blog.

CVE-2024-20418 is a critical vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points, which is a specialized software solution designed to provide robust and reliable wireless connectivity for industrial applications. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device. Cyble also covered this vulnerability in a separate blog.

CVE-2024-10914 is a critical command injection vulnerability in end-of-life (EOL) D-Link network-attached storage (NAS) devices. Unauthenticated attackers can exploit it to inject arbitrary shell commands by sending malicious HTTP GET requests to vulnerable D-Link NAS devices exposed online. Researchers observed that attackers are exploiting the vulnerability with publicly available exploit codes.

CVE-2024-11068 is a critical incorrect use of privileged API vulnerability impacting the end-of-life D-Link DSL6740C modem. The vulnerability allows unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user’s account. Since D-Link recently announced that it will not provide patches or updates for this EOL product, the vulnerability poses a significant risk to users.

Vulnerabilities and Exploits on Underground Forums

CRIL researchers also observed multiple Telegram channels and underground forums where threat actors shared or discussed exploits weaponizing vulnerabilities. Those vulnerabilities include:

CVE-2024-39205: A critical vulnerability affecting pyload-ng, versions 0.5.0b3.dev85 running under Python 3.11 or below. This vulnerability allows attackers to execute arbitrary code through crafted HTTP requests, which can lead to complete system compromise.

CVE-2024-50340: A high-security vulnerability affecting the Symfony PHP framework. The vulnerability allows an attacker to manipulate the application’s environment or debug mode by sending specially crafted query strings.

CVE-2024-8068 and CVE-2024-8069: These recently identified vulnerabilities in Citrix Session Recording pose significant security risks for Citrix environments. CVE-2024-8068 allows for privilege escalation to the NetworkService Account access level, and the vulnerability CVE-2024-8069 allows for limited remote code execution with the privileges of a NetworkService Account.

CVE-2024-47295: A high-severity vulnerability identified in the SEIKO EPSON Web Config allows a remote unauthenticated attacker to set an arbitrary administrator password on affected devices. The vulnerability results from an insecure initial password configuration in which the administrator password is left blank.

CRIL researchers also observed a threat actor discussing the critical vulnerability CVE-2023-38408, which affects 26 million internet-facing OpenSSH assets detected by Cyble. The vulnerability allows for remote code execution (RCE) when the SSH agent is forwarded to an attacker-controlled system.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

• To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
• Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
• Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
• Implement immutable, air-gapped, ransomware-resistant backup procedures for sensitive and critical data.
• Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
• Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
• Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
• Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post Cyble IT Vulnerability Report: Microsoft Zero Days Under Attack appeared first on Cyble.

Blog – Cyble – ​Read More