Beyond Information Security

Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation.

Of the 73 vulnerabilities, five are rated Critical, 65 are rated Important, and three are rated Moderate in severity. This is in addition to 24 flaws that have been fixed in the Chromium-based Edge browser since the release of the January 2024 Patch Tuesday updates.

The two flaws that were listed as under active attack at the time of release are below –

  • CVE-2024-21351 (CVSS score: 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2024-21412 (CVSS score: 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability

“The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both,” Microsoft said about CVE-2024-21351.

Successful exploitation of the flaw could allow an attacker to circumvent SmartScreen protections and run arbitrary code. However, for the attack to work, the threat actor must send the user a malicious file and convince the user to open it.

CVE-2024-21412, in a similar manner, permits an unauthenticated attacker to bypass displayed security checks by sending a specially crafted file to a targeted user.

“However, the attacker would have no way to force a user to view the attacker-controlled content,” Redmond noted. “Instead, the attacker would have to convince them to take action by clicking on the file link.”

Source: The Hacker News / BleepingComputer / Krebs on Security / SecurityWeek / Infosecurity Magazine / SANS Internet Storm Center

Link: https://thehackernews.com/2024/02/microsoft-rolls-out-patches-for-73.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2024-patch-tuesday-fixes-2-zero-days-73-flaws/

Link: https://krebsonsecurity.com/2024/02/fat-patch-tuesday-february-2024-edition/

Link: https://www.securityweek.com/microsoft-confirms-windows-exploits-bypassing-security-features/

Link: https://www.infosecurity-magazine.com/news/microsoft-two-zerodays-february/

Link: https://isc.sans.edu/diary/Microsoft%20February%202024%20Patch%20Tuesday/30646


Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation

Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates.

Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting the Exchange Server.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,” the company said in an advisory published this week.

“The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.” Successful exploitation of the flaw could permit an attacker to relay a user’s leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user, Redmond added.

Source: The Hacker News / BleepingComputer / Dark Reading / SecurityWeek

Link: https://thehackernews.com/2024/02/critical-exchange-server-flaw-cve-2024.html

Link: https://www.bleepingcomputer.com/news/security/microsoft-new-critical-exchange-bug-exploited-as-zero-day/

Link: https://www.darkreading.com/cyberattacks-data-breaches/microsoft-exchange-server-flaw-exploited-zero-day-bug

Link: https://www.securityweek.com/microsoft-warns-of-exploited-exchange-server-zero-day/


Bumblebee malware attacks are back after 4-month break

The Bumblebee malware has returned after a four-month vacation, targeting thousands of organizations in the United States in phishing campaigns.

Bumblebee is a malware loader discovered in April 2022 and is believed to have been developed by the Conti and Trickbot cybercrime syndicate as a replacement for the BazarLoader backdoor.

The malware is commonly distributed in phishing campaigns to drop additional payloads on infected devices, such as Cobalt Strike beacons, for initial network access and to conduct ransomware attacks.

In a new malware campaign observed by Proofpoint, the return of Bumblebee since October is significant as it could lead to a broader increase in cybercrime activities as we head into 2024.

Source: BleepingComputer / The Hacker News / Dark Reading

Link: https://www.bleepingcomputer.com/news/security/bumblebee-malware-attacks-are-back-after-4-month-break/

Link: https://thehackernews.com/2024/02/bumblebee-malware-returns-with-new.html

Link: https://www.darkreading.com/cyberattacks-data-breaches/bumblebee-malware-buzzes-back-4-month-hiatus


Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains. Eclypsium, which acquired firmware version 9.1.18.2-24467.1 as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4.

“Pulse Secure runs an 11-year-old version of Linux which hasn’t been supported since November 2020,” the firmware security company said in a report shared with The Hacker News.

The development comes as threat actors are capitalizing on a number of security flaws discovered in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deliver a wide range of malware, including web shells, stealers, and backdoors.

The vulnerabilities that have come under active exploitation in recent months comprise CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Last week, Ivanti also disclosed another bug in the software (CVE-2024-22024) that could permit threat actors to access otherwise restricted resources without any authentication.

Source: The Hacker News / BleepingComputer / SecurityWeek / Infosecurity Magazine / Ivanti forum

Link: https://thehackernews.com/2024/02/ivanti-pulse-secure-found-using-11-year.html

Link: https://www.bleepingcomputer.com/news/security/over-13-000-ivanti-gateways-vulnerable-to-actively-exploited-bugs/

Link: https://www.securityweek.com/ivanti-vulnerability-exploited-to-deliver-new-dslog-backdoor/

Link: https://www.infosecurity-magazine.com/news/new-ivanti-vulnerability-security/

Link: https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US


SAP Patches Critical Vulnerability Exposing User, Business Data

Enterprise software maker SAP announced the release of 13 new and three updated security notes as part of its February 2024 Security Patch Day, including one addressing a critical vulnerability in the SAP ABA cross-application component.

The critical issue, a code injection bug tracked as CVE-2024-22131 (CVSS score of 9.1), could be exploited by an attacker that has remote execution authorization to use a vulnerable interface to invoke an application function and perform actions without permission. “Depending on the function executed, the attack(er) can read or modify any user/business data and can make the entire system unavailable,” a NIST advisory reads.

According to enterprise application security firm Onapsis, the flaw exists because of a lack of sufficient checks on external calls to a function module.

Source: SecurityWeek

Link: https://www.securityweek.com/sap-patches-critical-vulnerability-exposing-user-business-data/


Patch Tuesday: Adobe Warns of Critical Flaws in Widely Deployed Software

Software maker Adobe on Tuesday released patches for at least 30 documented security flaws in multiple products, warning that users are exposed to code execution, security feature bypass and application denial-of-service attacks.

As part of its scheduled Patch Tuesday releases, Adobe called urgent attention to critical flaws in the Adobe Acrobat and Reader, Adobe Commerce and Magento Open Source, Substance 3D Painter, and FrameMaker.

Adobe documented at least 13 serious security defects covered in the Adobe Acrobat and Reader update and warned that both Windows and macOS users are at risk.

“Successful exploitation could lead to arbitrary code execution, application denial-of-service, and memory leak,” Adobe said.  

Source: SecurityWeek / Adobe security bulletin

Link: https://www.securityweek.com/patch-tuesday-adobe-warns-of-critical-flaws-in-widely-deployed-software/

Link: https://helpx.adobe.com/security/security-bulletin.html


How are attackers using QR codes in phishing emails and lure documents?

Though QR codes were once on the verge of extinction, many consumers are used to seeing them in the wild for ordering at restaurants, or as mainstays on storefront doors informing customers how they can sign up for a newsletter or score a sweet deal. 

The use of QR codes saw a resurgence during the COVID-19 pandemic as a non-contact way for consumers to obtain important information. And as they’ve become more prevalent, attackers have taken notice, too, increasingly deploying them in phishing and email-based attacks. 

There was a significant increase in QR code phishing in 2023, according to public reporting and recently collected data from Cisco Talos Incident Response (Talos IR).  

As highlighted in our latest Quarterly Trends report, Talos IR responded to a QR code phishing campaign for the first time in an engagement in the fourth quarter of 2023, where threat actors tricked victims into scanning malicious QR codes embedded in phishing emails with their personal mobile devices, thereby leading to malware being executed on the mobile devices.  

In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user’s login credentials when entered.  

QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.
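Because the QR code moves the click onto a phone that the mail gateway never sees, the one place a defender can still intervene is at the gateway, on the decoded payload. The following added example (not Talos code, and not from any product) assumes an upstream step has already run a QR decoder over image attachments and produced each code's payload string; it only triages those strings, separating allowlisted Microsoft sign-in hosts from lookalikes such as the fake Office 365 login pages described above. The allowlist, brand tokens and sample payloads are constructed for illustration.

```python
"""Triage of URLs recovered from QR codes in inbound email.

Added example, not code from Talos or from any product. It assumes an
upstream step (a QR decoder run over image attachments) has already turned
each QR image into its payload string; this module only classifies those
strings. Host lists and sample payloads are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts at which a genuine Microsoft / Office 365 sign-in is served.
# Constructed allowlist for this example; a real deployment would extend it
# with the tenant's own SSO hosts.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Brand strings that suggest impersonation when they appear in a host that
# is not on the allowlist. Hyphens are stripped before matching so that
# "micro-soft" or "office-365" are caught too.
BRAND_TOKENS = ("microsoft", "office365", "o365", "outlook", "sharepoint", "onedrive")


def triage_qr_payload(payload: str) -> dict:
    """Classify one decoded QR payload.

    Returns {"verdict": ..., "host": ..., "reasons": [...]} where verdict is
    "trusted" (allowlisted login host), "suspicious" (impersonation
    indicators present), "unknown" (web URL with no indicator; send to URL
    sandboxing / manual review) or "benign" (not a web URL at all).
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ("http", "https"):
        return {"verdict": "benign", "host": host, "reasons": ["non-web payload"]}
    if host in TRUSTED_LOGIN_HOSTS:
        return {"verdict": "trusted", "host": host, "reasons": []}

    reasons = []
    # A brand name placed in the userinfo part ("https://brand@real-host/")
    # is displayed prominently while the request actually goes to real-host.
    if parts.username is not None:
        reasons.append("userinfo before host: " + parts.username)
    # Punycode labels let a lookalike brand name hide behind an IDN.
    if "xn--" in host:
        reasons.append("punycode (xn--) label in host")
    # A raw IP address instead of a hostname is rarely legitimate for a login page.
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass
    stripped = host.replace("-", "")
    for token in BRAND_TOKENS:
        if token in stripped:
            reasons.append(f"brand token '{token}' in non-allowlisted host")
    # A credential-style path on an unknown host is another indicator.
    path = parts.path.lower()
    if any(k in path for k in ("login", "signin", "auth", "verify")):
        reasons.append("login-style path on non-allowlisted host")

    return {"verdict": "suspicious" if reasons else "unknown",
            "host": host, "reasons": reasons}


def flag_messages(decoded):
    """decoded: iterable of (message_id, payload). Returns the ids whose QR
    payload is suspicious, with the reasons, for quarantine or analyst review."""
    flagged = []
    for mid, payload in decoded:
        result = triage_qr_payload(payload)
        if result["verdict"] == "suspicious":
            flagged.append((mid, result["reasons"]))
    return flagged


# Constructed sample payloads (not real campaign data).
SAMPLE_PAYLOADS = [
    ("msg-001", "https://login.microsoftonline.com/common/oauth2/authorize"),
    ("msg-002", "https://login.microsoftonline.com@203.0.113.7/office365/signin"),
    ("msg-003", "https://micro-soft-0ffice365.example/verify"),
    ("msg-004", "https://xn--mcrosoft-8wa.example/login"),
    ("msg-005", "WIFI:T:WPA;S:guest;P:secret;;"),
    ("msg-006", "https://example.org/menu"),
]

if __name__ == "__main__":
    for mid, reasons in flag_messages(SAMPLE_PAYLOADS):
        print(mid, "->", "; ".join(reasons))
```

The "unknown" verdict is deliberate: an untrusted host with no indicator is not proof of safety, only a lack of evidence, so it should go to URL sandboxing or an analyst rather than be delivered silently. The checks run on the gateway, where the organisation still has visibility, precisely because the phone that scans the code usually does not.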

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/how-are-attackers-using-qr-codes-in-phishing-emails-and-lure-documents/