Flaws – INDIA NEWS (http://www.indiavpn.org)

Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included
http://www.indiavpn.org/2024/04/10/microsoft-fixes-149-flaws-in-huge-april-patch-release-zero-days-included/
Wed, 10 Apr 2024 05:16:57 +0000

Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild.

Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The update is in addition to 21 vulnerabilities that the company addressed in its Chromium-based Edge browser following the release of the March 2024 Patch Tuesday fixes.

The two shortcomings that have come under active exploitation are listed below –

  • CVE-2024-26234 (CVSS score: 6.7) – Proxy Driver Spoofing Vulnerability
  • CVE-2024-29988 (CVSS score: 8.8) – SmartScreen Prompt Security Feature Bypass Vulnerability

While Microsoft’s own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable (“Catalog.exe” or “Catalog Authentication Client Service”) that’s signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate.

Authenticode analysis of the binary revealed the original requesting publisher to be Hainan YouHu Technology Co. Ltd, which is also the publisher of another tool called LaiXi Android Screen Mirroring.

The latter is described as “a marketing software … [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting.”

Present within the purported authentication service is a component called 3proxy that’s designed to monitor and intercept network traffic on an infected system, effectively acting as a backdoor.

“We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application,” Sophos researcher Andreas Klopsch said.

The cybersecurity company also said it discovered multiple other variants of the backdoor in the wild going all the way back to January 5, 2023, indicating that the campaign has been underway at least since then. Microsoft has since added the relevant files to its revocation list.


The other security flaw that has reportedly come under active attack is CVE-2024-29988, which – like CVE-2024-21412 and CVE-2023-36025 – allows attackers to sidestep Microsoft Defender Smartscreen protections when opening a specially crafted file.

“To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown,” Microsoft said.

“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability.”

The Zero Day Initiative revealed that there is evidence of the flaw being exploited in the wild, although Microsoft has tagged it with an “Exploitation More Likely” assessment.

Another vulnerability of importance is CVE-2024-29990 (CVSS score: 9.0), an elevation of privilege flaw impacting Microsoft Azure Kubernetes Service Confidential Container that could be exploited by unauthenticated attackers to steal credentials.

“An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to,” Redmond said.

In all, the release is notable for addressing as many as 68 remote code execution, 31 privilege escalation, 26 security feature bypass, and six denial-of-service (DoS) bugs. Interestingly, 24 of the 26 security bypass flaws are related to Secure Boot.

“While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future,” Satnam Narang, senior staff research engineer at Tenable, said in a statement.

The disclosure comes as Microsoft has faced criticism for its security practices, with a recent report from the U.S. Cyber Safety Review Board (CSRB) calling out the company for not doing enough to prevent a cyber espionage campaign orchestrated by a Chinese threat actor tracked as Storm-0558 last year.

It also follows the company’s decision to publish root cause data for security flaws using the Common Weakness Enumeration (CWE) industry standard. However, it’s worth noting that the changes are only in effect starting from advisories published since March 2024.

“The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability,” Adam Barnett, lead software engineer at Rapid7, said in a statement shared with The Hacker News.

“The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause. Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment.”

In a related development, cybersecurity firm Varonis detailed two methods that attackers could adopt to circumvent audit logs and avoid triggering download events while exfiltrating files from SharePoint.

The first approach takes advantage of SharePoint’s “Open in App” feature to access and download files, whereas the second uses the User-Agent for Microsoft SkyDriveSync to download files or even entire sites while miscategorizing such events as file syncs instead of downloads.


Microsoft, which was made aware of the issues in November 2023, has yet to release a fix, although the issues have been added to its patch backlog program. In the interim, organizations are advised to closely monitor their audit logs for suspicious access events, specifically those involving large volumes of file downloads within a short period.

“These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events,” Eric Saraga said.
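As an added illustration of the audit-log monitoring advice above (example code written for this page, not Varonis' or Microsoft's), the following Python detector scans unified-audit-log records for bursts of download-like activity per user and notes when the OneDrive sync client user agent is involved, so that downloads re-labelled as sync or access events still show up in the volume count. The field names (CreationTime, Operation, UserId, UserAgent, ObjectId) and operation names (FileDownloaded, FileSyncDownloadedFull, FileAccessed) follow the Office 365 Unified Audit Log schema; the threshold, window, user-agent strings and sample records are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Operations that deliver file content to a client. Sync and "open in app" access
# events are counted together with plain downloads so that downloads re-labelled as
# syncs or accesses still add to a user's download volume.
DOWNLOAD_LIKE_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "FileAccessed"}

# Constructed user-agent strings for the sample records (assumptions, not captured).
SYNC_UA = "Microsoft SkyDriveSync 24.020.0128.0001"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"


def _rec(time, op, user, ua, path):
    """Build one audit record using the unified-audit-log field names."""
    return {"CreationTime": time, "Operation": op, "UserId": user,
            "UserAgent": ua, "ObjectId": path}


# Constructed sample data: alice pulls six files in five minutes through the sync
# client, bob makes two browser downloads an hour apart, carol opens five files in
# app spread over a morning. None of this is real log output.
SAMPLE_EVENTS = (
    [_rec(f"2024-04-09T10:{i:02d}:00", "FileSyncDownloadedFull", "alice@example.com",
          SYNC_UA, f"https://contoso.sharepoint.com/sites/finance/report{i}.xlsx")
     for i in range(6)]
    + [_rec("2024-04-09T09:00:00", "FileDownloaded", "bob@example.com", BROWSER_UA,
            "https://contoso.sharepoint.com/sites/hr/policy.docx"),
       _rec("2024-04-09T10:00:00", "FileDownloaded", "bob@example.com", BROWSER_UA,
            "https://contoso.sharepoint.com/sites/hr/handbook.docx")]
    + [_rec(f"2024-04-09T{8 + i:02d}:15:00", "FileAccessed", "carol@example.com",
            BROWSER_UA, f"https://contoso.sharepoint.com/sites/sales/deck{i}.pptx")
       for i in range(5)]
)


def _ts(record):
    return datetime.fromisoformat(record["CreationTime"])


def find_download_bursts(events, threshold=5, window_minutes=10):
    """Return one alert per user whose download-like events reach `threshold`
    within any window of `window_minutes`. The alert records the operation mix
    and whether the OneDrive sync client user agent was involved, which is the
    signal that downloads may have been disguised as sync events."""
    window = timedelta(minutes=window_minutes)
    per_user = {}
    for rec in events:
        if rec["Operation"] in DOWNLOAD_LIKE_OPS:
            per_user.setdefault(rec["UserId"], []).append(rec)
    alerts = {}
    for user, recs in per_user.items():
        recs.sort(key=_ts)
        for start in range(len(recs)):
            end = start
            # Extend the span while the next event still falls inside the window.
            while end + 1 < len(recs) and _ts(recs[end + 1]) - _ts(recs[start]) <= window:
                end += 1
            span = recs[start:end + 1]
            if len(span) >= threshold:
                alerts[user] = {
                    "count": len(span),
                    "window_start": recs[start]["CreationTime"],
                    "operations": dict(Counter(r["Operation"] for r in span)),
                    "sync_client_ua": any("SkyDriveSync" in r["UserAgent"] for r in span),
                }
                break  # the first qualifying window is enough for an alert
    return alerts


if __name__ == "__main__":
    for user, alert in find_download_bursts(SAMPLE_EVENTS).items():
        print(user, alert)
```

The operation breakdown in each alert is what makes a disguised bulk download visible: a burst made entirely of FileSyncDownloadedFull or FileAccessed events from a sync-client user agent is the pattern the article describes, whereas a tool that only counts FileDownloaded would miss it. FileAccessed also fires for ordinary previews, so the threshold and window need tuning against a tenant's normal baseline before the alert is wired into a SIEM.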

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks
http://www.indiavpn.org/2024/04/09/critical-flaws-leave-92000-d-link-nas-devices-vulnerable-to-malware-attacks/
Tue, 09 Apr 2024 06:15:29 +0000

Apr 09, 2024 | Newsroom | Botnet / Vulnerability

Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.

Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in an advisory, said it does not plan to ship a patch and instead urges customers to replace them.

“The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter,” a security researcher who goes by the name netsecfish said in late March 2024.


Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.

The issues affect the following models –

  • DNS-320L
  • DNS-325
  • DNS-327L, and
  • DNS-340L

Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to deliver the Mirai botnet malware, thus making it possible to remotely commandeer the D-Link devices.


In the absence of a fix, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.


The findings once again illustrate that Mirai botnets are continuously adapting and incorporating new vulnerabilities into their repertoire, with threat actors swiftly developing new variants that are designed to abuse these issues to breach as many devices as possible.

With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in target networks.

“Some scanning attacks originate from benign networks likely driven by malware on infected machines,” the company said.

“By launching scanning attacks from compromised hosts, attackers can accomplish the following: Covering their traces, bypassing geofencing, expanding botnets, [and] leveraging the resources of these compromised devices to generate a higher volume of scanning requests compared to what they could achieve using only their own devices.”

Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws
http://www.indiavpn.org/2024/04/05/researchers-identify-multiple-china-hacker-groups-exploiting-ivanti-security-flaws/
Fri, 05 Apr 2024 10:00:27 +0000

Apr 05, 2024 | Newsroom | Advanced Persistent Threat

Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).

The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.

The Google Cloud subsidiary said it has also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to conduct cryptocurrency mining operations.

“UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments,” Mandiant researchers said.


The threat actor has been linked to post-exploitation activity leading to the deployment of the Sliver command-and-control (C2) framework, a variant of the WARPWIRE credential stealer, and a new Go-based backdoor dubbed TERRIBLETEA that comes with command execution, keylogging, port scanning, file system interaction, and screen capturing functions.

UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to breach Ivanti Connect Secure VPN appliances at least since February 2024, has leveraged custom malware such as TONERJAM and PHANTOMNET for facilitating post-compromise actions –

  • PHANTOMNET – A modular backdoor that communicates using a custom communication protocol over TCP and employs a plugin-based system to download and execute additional payloads
  • TONERJAM – A launcher that’s designed to decrypt and execute PHANTOMNET

Besides using Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence, UNC5330 is known to compromise LDAP bind accounts configured on the infected devices in order to obtain domain admin access.


Another notable China-linked espionage actor is UNC5337, which is said to have infiltrated Ivanti devices as early as January 2024 using CVE-2023-46805 and CVE-2024 to deliver a custom malware toolset known as SPAWN that comprises four distinct components that work in tandem to function as a stealthy and persistent backdoor –

  • SPAWNSNAIL – A passive backdoor that listens on localhost and is equipped to launch an interactive bash shell as well as launch SPAWNSLOTH
  • SPAWNMOLE – A tunneler utility that’s capable of directing malicious traffic to a specific host while passing benign traffic unmodified to the Connect Secure web server
  • SPAWNANT – An installer that’s responsible for ensuring the persistence of SPAWNMOLE and SPAWNSNAIL by taking advantage of a coreboot installer function
  • SPAWNSLOTH – A log tampering program that disables logging and log forwarding to an external syslog server when the SPAWNSNAIL implant is running

Mandiant has assessed with medium confidence that UNC5337 and UNC5221 are one and the same threat group, noting the SPAWN tool is “designed to enable long-term access and avoid detection.”


UNC5221, which was previously attributed to web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, has also unleashed a Perl-based web shell referred to as ROOTROT that’s embedded into a legitimate Connect Secure .ttc file located at “/data/runtime/tmp/tt/setcookie.thtml.ttc” by exploiting CVE-2023-46805 and CVE-2024-21887.

A successful deployment of the web shell is followed by network reconnaissance and lateral movement, in some cases, resulting in the compromise of a vCenter server in the victim network by means of a Golang backdoor called BRICKSTORM.

“BRICKSTORM is a Go backdoor targeting VMware vCenter servers,” Mandiant researchers explained. “It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying.”

The last among the five China-based groups tied to the abuse of Ivanti security flaws is UNC5291, which Mandiant said likely has associations with another hacking group UNC3236 (aka Volt Typhoon), primarily owing to its targeting of academic, energy, defense, and health sectors.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” the company said.

The findings once again underscore the threat faced by edge appliances, with the espionage actors utilizing a combination of zero-day flaws, open-source tooling, and custom backdoors to tailor their tradecraft depending on their targets to evade detection for extended periods of time.

Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies
http://www.indiavpn.org/2024/04/03/android-zero-day-flaws-in-pixel-phones-exploited-by-forensic-companies/
Wed, 03 Apr 2024 17:06:15 +0000

Apr 03, 2024 | Newsroom | Mobile Security / Zero Day

Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies.

The high-severity zero-day vulnerabilities are as follows –

  • CVE-2024-29745 – An information disclosure flaw in the bootloader component
  • CVE-2024-29748 – A privilege escalation flaw in the firmware component

“There are indications that the [vulnerabilities] may be under limited, targeted exploitation,” Google said in an advisory published April 2, 2024.

While the tech giant did not reveal any other information about the nature of the attacks exploiting these shortcomings, the maintainers of GrapheneOS said they “are being actively exploited in the wild by forensic companies.”


“CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking,” they said in a series of posts on X (formerly Twitter).

“Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.”

GrapheneOS noted that CVE-2024-29748 could be weaponized by local attackers to interrupt a factory reset triggered via the device admin API.

The disclosure comes more than two months after the GrapheneOS team revealed that forensic companies are exploiting firmware vulnerabilities that impact Google Pixel and Samsung Galaxy phones to steal data and spy on users when the device is not at rest.

It also urged Google to introduce an auto-reboot feature to make exploitation of firmware flaws more difficult.

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products
http://www.indiavpn.org/2024/03/26/cisa-alerts-on-active-exploitation-of-flaws-in-fortinet-ivanti-and-nice-products/
Tue, 26 Mar 2024 06:44:47 +0000

Mar 26, 2024 | Newsroom | Cyber Attack / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities added are as follows –

  • CVE-2023-48788 (CVSS score: 9.3) – Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2021-44529 (CVSS score: 9.8) – Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  • CVE-2019-7256 (CVSS score: 10.0) – Nice Linear eMerge E3-Series OS Command Injection Vulnerability

The shortcoming impacting Fortinet FortiClient EMS came to light earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.


Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available.

CVE-2021-44529, on the other hand, concerns a code injection vulnerability in Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) that allows an unauthenticated user to execute malicious code with limited permissions.

Recent research published by security researcher Ron Bowes indicates that the flaw may have been introduced as an intentional backdoor in a now-discontinued open-source project called csrf-magic that existed at least since 2014.

CVE-2019-7256, which permits an attacker to conduct remote code execution on Nice Linear eMerge E3-Series access controllers, has been exploited by threat actors as early as February 2020.

The flaw, alongside 11 other bugs, was addressed by Nice (formerly Nortek) earlier this month. That said, these vulnerabilities were originally disclosed by security researcher Gjoko Krstic in May 2019.

In light of the active exploitation of the three flaws, federal agencies are required to apply the vendor-provided mitigations by April 15, 2024.

The development comes as CISA and the Federal Bureau of Investigation (FBI) released a joint alert, urging software manufacturers to take steps to mitigate SQL injection flaws.


The advisory specifically highlighted the exploitation of CVE-2023-34362, a critical SQL injection vulnerability in Progress Software’s MOVEit Transfer, by the Cl0p ransomware gang (aka Lace Tempest) to breach thousands of organizations.

“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the agencies said.

China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws
http://www.indiavpn.org/2024/03/22/china-linked-group-breaches-networks-via-connectwise-f5-software-flaws/
Fri, 22 Mar 2024 12:39:42 +0000

Mar 22, 2024 | Newsroom | Cyber Defense / Vulnerability

A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an “aggressive” campaign.

Google-owned Mandiant is tracking the activity under its uncategorized moniker UNC5174 (aka Uteus or Uetus), describing it as a “former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations.”

The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug.


Initial access to target environments is facilitated by the exploitation of known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), Linux Kernel (CVE-2022-0185), and Zyxel (CVE-2022-3052).

A successful foothold is followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to execute malicious actions with elevated privileges, including dropping a C-based ELF downloader dubbed SNOWLIGHT.

SNOWLIGHT is designed to download the next-stage payload, an obfuscated Golang backdoor named GOREVERSE, from a remote URL that’s related to SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and launch interactive shell sessions to execute arbitrary code.

Also put to use by the threat actor is a Golang-based tunneling tool known as GOHEAVY, which is likely employed to facilitate lateral movement within compromised networks, as well as other programs like afrog, DirBuster, Metasploit, Sliver, and sqlmap.


In one unusual instance spotted by the threat intelligence firm, the threat actors have been found to apply mitigations for CVE-2023-46747 in a likely attempt to prevent other unrelated adversaries from weaponizing the same loophole to obtain access.

“UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives ‘Dawn Calvary’ and has collaborated with ‘Genesis Day’/‘Xiaoqiying’ and ‘Teng Snake,’” Mandiant assessed. “This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments.”

There is evidence to suggest that the threat actor may be an initial access broker, even claiming to be affiliated with the MSS in dark web forums. This is bolstered by the fact that some of the U.S. defense and U.K. government entities were simultaneously targeted by another access broker referred to as UNC302.


The findings once again underscore Chinese nation-state groups’ continued efforts to breach edge appliances by swiftly co-opting recently disclosed vulnerabilities into their arsenal in order to conduct cyber espionage operations at scale.

“UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation,” Mandiant researchers said.

“There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”

The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated “hundreds” of Chinese business and government organizations by leveraging phishing emails and known security bugs to breach networks. It did not reveal the threat actor’s name or origin.

GitHub Launches AI-Powered Autofix Tool to Assist Devs in Patching Security Flaws
http://www.indiavpn.org/2024/03/21/github-launches-ai-powered-autofix-tool-to-assist-devs-in-patching-security-flaws/
Thu, 21 Mar 2024 12:40:07 +0000

Mar 21, 2024 | Newsroom | Machine Learning / Software Security

GitHub on Wednesday announced that it’s making available a feature called code scanning autofix in public beta for all Advanced Security customers to provide targeted recommendations in an effort to avoid introducing new security issues.

“Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, Typescript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing,” GitHub’s Pierre Tempel and Eric Tooley said.

The capability, first previewed in November 2023, leverages a combination of CodeQL, Copilot APIs, and OpenAI GPT-4 to generate code suggestions. The Microsoft-owned subsidiary also said it plans to add support for more programming languages, including C# and Go, in the future.

Code scanning autofix is designed to help developers fix vulnerabilities as they code by generating potential fixes as well as providing a natural language explanation when an issue is discovered in a supported language.


These suggestions could go beyond the current file to include changes to several other files and the dependencies that should be added to rectify the problem.

“Code scanning autofix lowers the barrier of entry to developers by combining information on best practices with details of the codebase and alert to suggest a potential fix to the developer,” the company said.

“Instead of starting with a search for information about the vulnerability, the developer starts with a code suggestion that demonstrates a potential solution for their codebase.”

That said, it is left to the developer to evaluate the recommendations, determine whether a suggestion is the right solution, and ensure that it does not change the program’s intended behavior.

GitHub also emphasized the current limitations of the autofix code suggestions, making it imperative that developers carefully review the changes and the dependencies before accepting them –

  • Suggest fixes that are not syntactically correct code changes
  • Suggest fixes that are syntactically correct code but are suggested at the incorrect location
  • Suggest fixes that are syntactically valid but that change the semantics of the program
  • Suggest fixes that fail to address the root cause, or introduce new vulnerabilities
  • Suggest fixes that only partially resolve the underlying flaw
  • Suggest unsupported or insecure dependencies
  • Suggest arbitrary dependencies, leading to possible supply chain attacks

“The system has incomplete knowledge of the dependencies published in the wider ecosystem,” the company noted. “This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.”

Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug
http://www.indiavpn.org/2024/03/21/atlassian-releases-fixes-for-over-2-dozen-flaws-including-critical-bamboo-bug/
Thu, 21 Mar 2024 05:51:08 +0000

Mar 21, 2024 | Newsroom | Database / Vulnerability

Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction.

Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity.

Described as an SQL injection flaw, it’s rooted in a dependency called org.postgresql:postgresql, as a result of which the company said it “presents a lower assessed risk” despite the criticality.


“This org.postgresql:postgresql dependency vulnerability […] could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction,” Atlassian said.

According to a description of the flaw in the NIST’s National Vulnerability Database (NVD), “pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE.” The driver versions prior to the ones listed below are impacted –

  • 42.7.2
  • 42.6.1
  • 42.5.5
  • 42.4.4
  • 42.3.9, and
  • 42.2.28 (also fixed in 42.2.28.jre7)

“SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value,” the maintainers said in an advisory last month.

“There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.”


The Atlassian vulnerability is said to have been introduced in the following versions of Bamboo Data Center and Server –

  • 8.2.1
  • 9.0.0
  • 9.1.0
  • 9.2.1
  • 9.3.0
  • 9.4.0, and
  • 9.5.0

The company also emphasized that Bamboo and other Atlassian Data Center products are unaffected by CVE-2024-1597 as they do not use the PreferQueryMode=SIMPLE in their SQL database connection settings.

SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw. Users are advised to update their instances to the latest version to protect against any potential threats.

Microsoft’s March Updates Fix 61 Vulnerabilities, Including Critical Hyper-V Flaws
http://www.indiavpn.org/2024/03/13/microsofts-march-updates-fix-61-vulnerabilities-including-critical-hyper-v-flaws/
Wed, 13 Mar 2024 06:15:15 +0000

Mar 13, 2024 | Newsroom | Patch Tuesday / Software Update

Microsoft on Tuesday released its monthly security update, addressing 61 different security flaws spanning its software, including two critical issues impacting Windows Hyper-V that could lead to denial-of-service (DoS) and remote code execution.

Of the 61 vulnerabilities, two are rated Critical, 58 are rated Important, and one is rated Low in severity. None of the flaws are listed as publicly known or under active attack at the time of the release, but six of them have been tagged with an “Exploitation More Likely” assessment.

The fixes are in addition to 17 security flaws that have been patched in the company’s Chromium-based Edge browser since the release of the February 2024 Patch Tuesday updates.

Topping the list of critical shortcomings are CVE-2024-21407 and CVE-2024-21408, which affect Hyper-V and could result in remote code execution and a DoS condition, respectively.

Microsoft’s update also addresses privilege escalation flaws in the Azure Kubernetes Service Confidential Container (CVE-2024-21400, CVSS score: 9.0), Windows Composite Image File System (CVE-2024-26170, CVSS score: 7.8), and Authenticator (CVE-2024-21390, CVSS score: 7.1).


Successful exploitation of CVE-2024-21390 requires the attacker to have a local presence on the device either via malware or a malicious application already installed via some other means. It also necessitates that the victim closes and re-opens the Authenticator app.

“Exploitation of this vulnerability could allow an attacker to gain access to multi-factor authentication codes for the victim’s accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running,” Microsoft said in an advisory.

“While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

“Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”

Another vulnerability of note is a privilege escalation bug in the Print Spooler component (CVE-2024-21433, CVSS score: 7.0) that could permit an attacker to obtain SYSTEM privileges but only upon winning a race condition.

The update also plugs a remote code execution flaw in Exchange Server (CVE-2024-26198, CVSS score: 8.8) that an unauthenticated threat actor could abuse by placing a specially crafted file onto an online directory and tricking a victim into opening it, resulting in the execution of malicious DLL files.

The vulnerability with the highest CVSS rating is CVE-2024-21334 (CVSS score: 9.8), which concerns a case of remote code execution affecting the Open Management Infrastructure (OMI).

“A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability,” Redmond said.


“The first quarter of Patch Tuesday in 2024 has been quieter compared to the last four years,” Narang said. “On average, there were 237 CVEs patched in the first quarter from 2020 through 2023. In the first quarter of 2024, Microsoft only patched 181 CVEs. The average number of CVEs patched in March over the last four years was 86.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks
http://www.indiavpn.org/2024/03/11/bianlian-threat-actors-exploiting-jetbrains-teamcity-flaws-in-ransomware-attacks/
Mon, 11 Mar 2024 12:17:35 +0000

Mar 11, 2024 | Newsroom | Ransomware / Vulnerability

The threat actors behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their extortion-only attacks.

According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident “began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian’s Go backdoor.”

BianLian emerged in June 2022 and has since pivoted exclusively to exfiltration-based extortion following the release of a decryptor in January 2023.


The attack chain observed by the cybersecurity firm entails the exploitation of a vulnerable TeamCity instance using CVE-2024-27198 or CVE-2023-42793 to gain initial access to the environment, followed by creating new users in the build server and executing malicious commands for post-exploitation and lateral movement.

It’s currently not clear which of the two flaws was weaponized by the threat actor for infiltration.

BianLian actors are known to implant a custom backdoor written in Go and tailored to each victim, as well as drop remote desktop tools like AnyDesk, Atera, SplashTop, and TeamViewer. The backdoor is tracked by Microsoft as BianDoor.

“After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor,” security researchers Justin Timothy, Gabe Renfro, and Keven Murphy said.

The obfuscated PowerShell backdoor (“web.ps1”) is designed to establish a TCP socket for additional network communication to an actor-controlled server, allowing the remote attackers to conduct arbitrary actions on an infected host.

“The now-confirmed backdoor is able to communicate with the [command-and-control] server and asynchronously execute based on the remote attacker’s post-exploitation objectives,” the researchers said.

The disclosure comes as VulnCheck detailed fresh proof-of-concept (PoC) exploits for a critical security flaw impacting Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527) that could lead to remote code execution in a fileless manner and load the Godzilla web shell directly into memory.


The flaw has since been weaponized to deploy C3RB3R ransomware, cryptocurrency miners and remote access trojans over the past two months, indicating widespread exploitation in the wild.

“There’s more than one way to reach Rome,” VulnCheck’s Jacob Baines noted. “While using freemarker.template.utility.Execute appears to be the popular way of exploiting CVE-2023-22527, other more stealthy paths generate different indicators.”
