Cyware Daily Threat Intelligence
Daily Threat Briefing • May 22, 2024
The conveniences of IoT also bring a dark side. Researchers have uncovered multiple critical vulnerabilities in a tool used by well-known companies such as Roku, Owlet, and Wyze, affecting 100 million IoT devices. The vulnerabilities could have enabled full device compromise, prompting immediate action from the affected vendors, who urged users to update their devices. Researchers also uncovered a new cryptomining campaign that uses the GhostEngine malware to disable security tools and deploy the XMRig miner. Deployed through a PowerShell script, GhostEngine relies on vulnerable drivers to terminate EDR processes and evade detection.
Additionally, Veeam warned of a critical VBEM vulnerability allowing unauthorized access; mitigation involves patching, or disabling the affected services. Critical vulnerabilities have also been patched in Honeywell's ControlEdge Virtual UOC, Google Chrome, Microsoft Exchange Server, Atlassian Confluence Server, and others.
Cryptomining campaign exploits vulnerable drivers
Researchers have discovered a cryptomining campaign named REF4578, which uses the GhostEngine payload to disable security products and install the XMRig miner. The attack begins with the execution of a file named 'Tiworker.exe,' which leads to the download of a PowerShell script from a command and control server. The campaign's origin and scope remain unclear, as no known threat actors or specific targets have been identified.
Exchange Server bugs exploited in Africa and Middle East
An unidentified threat actor was found exploiting known vulnerabilities in Microsoft Exchange Server to deploy keylogger malware against entities across Africa and the Middle East. Russian cybersecurity firm Positive Technologies identified over 30 victims, including government agencies, banks, and educational institutions, with compromises dating back to 2021. The attack exploits the ProxyShell flaws, which allow attackers to bypass authentication and execute code remotely.
Malware campaign leverages VBScript and PowerShell
A sophisticated phishing campaign, dubbed CLOUD#REVERSER, deploys malware via a ZIP attachment disguised as an Excel file. The executable, obfuscated with XOR encoding, drops VBScript payloads and a decoy Excel file into the system directory. A VBScript is then used to create scheduled tasks for persistence, execute PowerShell scripts that interact with Dropbox and Google Drive, and download further malicious payloads for stealing sensitive data.
Collaborative effort eradicates IoT bugs
Cybersecurity researchers and IoT technology firms joined forces to address four software vulnerabilities in ThroughTek Kalay, a tool used by companies such as Roku, Owlet, and Wyze to manage IoT devices. The flaws, disclosed by Bitdefender in October, could have granted deep access to networks, affecting over 100 million devices globally. Bitdefender emphasized the real-world risks posed by these vulnerabilities and published separate white papers detailing the potential attacks.
Veeam fixes high severity flaw in VBEM
Veeam has warned customers to patch a critical security vulnerability (CVE-2024-29849) in Veeam Backup Enterprise Manager (VBEM) that allowed unauthenticated attackers to sign in to any account. The flaw carries a CVSS score of 9.8/10; VBEM itself is not enabled by default. Administrators can mitigate the issue by disabling specific services, or by uninstalling VBEM if it is not in use. Veeam also patched two other high-severity VBEM vulnerabilities (CVE-2024-29850 and CVE-2024-29851).
Security holes in Honeywell ControlEdge Virtual UOC
Claroty researchers uncovered critical vulnerabilities in Honeywell's ControlEdge Virtual UOC, affecting the EpicMo protocol used for communication. A bug tracked as CVE-2023-5389 permits unauthorized file writing, enabling remote code execution without authentication. Additionally, a medium-severity flaw, CVE-2023-5390, allows absolute path traversal, potentially exposing device information. Exploiting these flaws could grant attackers full control over the controllers.
Google rolls out Chrome 125 update
Google's latest Chrome 125 update resolves six vulnerabilities, including four high-severity bugs reported by external researchers. These issues, such as a use-after-free flaw in Scheduling (CVE-2024-5157) and a type confusion bug in the V8 JavaScript engine (CVE-2024-5158), could lead to sandbox escapes or buffer overflow exploits. Google has not reported detecting exploitation in the wild; users are urged to update to the latest version.
Critical RCE vulnerability found in Atlassian Confluence
A critical RCE flaw, CVE-2024-21683, has been identified in multiple versions of Atlassian Confluence Data Center and Server, including Data Center version 8.9.0 and Server versions 8.5.0 through 8.5.8 LTS. Authenticated attackers could exploit this flaw to execute arbitrary code without user interaction, posing significant risks to confidentiality, integrity, and availability.
GitHub bug exposes administrator access
GitHub patched a critical authentication bypass vulnerability (CVE-2024-4985) affecting GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) with encrypted assertions. By exploiting this flaw, threat actors could spoof SAML responses and gain administrator rights without authentication, posing a severe risk to organizations relying on GHES for repository management.