Monthly Advisory • 10 MIN READ
August 2024 Threat Advisory – Top 5
by Eleanor Barlow • Aug 2024
SecurityHQ’s monthly threat report, drawn from the advisories it issued during August 2024.
RansomEXX Ransomware Group Observed Targeting Financial Organizations
Threat Reference: Asia
Risks: Threats
Advisory Type: Ransomware
Priority: Standard
SecurityHQ is aware of multiple ransomware attacks by the RansomEXX group against Indian banking infrastructure, intended to cause major disruption to payment systems.
A recent attack affected a widely used centralised payment solution, causing outages in both digital and physical banking services.
The group not only encrypted critical data but also exfiltrated sensitive information. Researchers found that a misconfigured, unpatched Jenkins server exposed to the attackers gave them their foothold. The flaw, CVE-2024-23897, is an arbitrary file read through the Jenkins CLI: the CLI's argument parser expands an argument of the form @<path> into the contents of that file on the controller, so anyone who can reach the CLI can read files on the Jenkins host (for example stored credentials and secrets), which can be chained into remote code execution (RCE). Jenkins fixed the issue in weekly release 2.442 and LTS 2.426.3 (January 2024).
SecurityHQ has also identified a publicly available exploit for CVE-2024-23897 on GitHub, and exploitation has been observed in other regions, including Europe, Asia and the Americas.
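Because the fix is version-specific, the fastest first pass over an estate is to read the version Jenkins advertises in its X-Jenkins response header and compare it with the fixed releases. The script below is an added example, not code from the SecurityHQ advisory or the Jenkins project; the hostnames and HTTP responses it contains are constructed for the example, and the fixed-version numbers (weekly 2.442, LTS 2.426.3) are taken from the Jenkins security advisory of 24 January 2024.

```python
"""Triage Jenkins hosts for CVE-2024-23897 by advertised version.

Added example, not part of the advisory. Jenkins returns an X-Jenkins
header on most responses (including 403 login redirects), so the version
can usually be read without credentials. The fix shipped in weekly 2.442
and LTS 2.426.3; anything older on the respective line is vulnerable.
The SAMPLE_HOSTS responses below are constructed for this example.
"""
import re
from typing import Dict, Optional, Tuple

FIXED_WEEKLY = (2, 442)      # weekly releases use two components: 2.N
FIXED_LTS = (2, 426, 3)      # LTS releases use three components: 2.N.M

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2.426.2' into (2, 426, 2); return None for junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3) is not None:
        parts.append(int(m.group(3)))
    return tuple(parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix, False if fixed, None if unparseable.

    Three-component versions are compared against the LTS fix, two-component
    versions against the weekly fix, because the two lines are numbered
    independently (LTS 2.426.3 is fixed although 426 < 442).
    """
    v = parse_version(version)
    if v is None:
        return None
    if len(v) == 3:
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def jenkins_version_from_headers(raw_headers: str) -> Optional[str]:
    """Extract the X-Jenkins header value from a raw HTTP response head."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


# Constructed sample responses (hostnames and values are made up).
SAMPLE_HOSTS: Dict[str, str] = {
    "ci.example.internal": "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.426.2\r\nX-Jenkins-Session: 0f1e2d\r\n",
    "build.example.internal": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.452.1\r\n",
    "old.example.internal": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.441\r\n",
    "web.example.internal": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
}


def triage(hosts: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[bool]]]:
    """Map host -> (version string or None, vulnerable / fixed / unknown)."""
    result = {}
    for host, raw in hosts.items():
        ver = jenkins_version_from_headers(raw)
        result[host] = (ver, is_vulnerable(ver) if ver else None)
    return result


if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "fixed", None: "unknown"}
    for host, (ver, vuln) in triage(SAMPLE_HOSTS).items():
        print(f"{host:26} {ver or '-':10} {labels[vuln]}")
```

Version triage only tells you which controllers need patching; it does not confirm exploitability. The CLI endpoint must be reachable, and the amount of file content an attacker can read depends on permissions: with anonymous Overall/Read enabled, whole files can be read; without it, only the first lines. Either way, the Jenkins advisory's fix, not the permission model, is the control to rely on.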
RansomEXX v2.0
RansomEXX v2.0 is an evolved version of the RansomEXX ransomware, which was originally known as Defray777. The operators, tracked as “Sprite Spider”, have been active since 2018. They encrypt critical data, exfiltrate sensitive information and then threaten to publish the stolen data unless a ransom is paid.
RansomEXX v2.0 is notable for having been rewritten in Rust, which lowers detection rates with signature-based tools and makes analysis harder. It has builds for both Windows and Linux, so it can affect a wide range of infrastructure, including essential services. The group has been linked to numerous attacks across sectors, exploiting known vulnerabilities and using hands-on-keyboard techniques to compromise systems before demanding ransoms.
Attack Scenario
1) Initial Access: Spear phishing with malicious attachments, exploitation of vulnerabilities in public-facing applications (such as the Jenkins flaw above), and stolen or brute-forced credentials.
2) Execution: PowerShell scripts, the Windows command prompt and system services are used to run malicious commands and deploy the ransomware.
3) Persistence: Registry run keys are modified, startup folders are populated and malicious Windows services are created.
4) Privilege Escalation: Local vulnerabilities are exploited and local administrator accounts are abused to gain higher privileges.
5) Defense Evasion: Payloads are decoded or decrypted just before execution, and security tools are disabled.
6) Credential Access: Credentials are dumped from LSASS memory and harvested from Active Directory.
7) Discovery: Network services, system information and running processes are enumerated.
8) Lateral Movement: RDP and SMB shares are used to move across the network.
9) Exfiltration: Data is sent out over the command-and-control channel and to web services.
Indicators of compromise (IOCs)
Domains/URLs
hxxp://iq3ahijcfeont3xx[.]sm4i8smr3f43.com
hxxps://iq3ahijcfeont3xx[.]tor2web.blutmagie.de
hxxp://iq3ahijcfeont3xx[.]fenaow48fn42.com
Recommendations
- Monitor the network: Monitor proxy, DNS and firewall logs for the Indicators of Compromise (IOCs) listed above, including the tor2web gateway, which proxies traffic to a Tor hidden service.
- Deploy Endpoint Detection & Response (EDR): To detect the latest malware and suspicious activity on endpoints, including LSASS access and service creation.
- Strengthen Email Security: Implement advanced email filtering and security measures to stop phishing emails and malicious attachments from reaching employees’ inboxes.
- Educate Employees: Raise awareness among staff of the risks of opening suspicious emails or documents.
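The IOCs above are defanged (hxxp, [.]), so they have to be normalised before they can be matched against logs. The script below is an added example, not code from the SecurityHQ advisory: it refangs the three URLs, extracts their hostnames and scans proxy log lines for exact or subdomain matches. The log format (timestamp, client IP, method, target, status) and the log lines themselves are constructed for the example and are not from any real incident.

```python
"""Match the advisory's defanged network IOCs against proxy log lines.

Added example, not part of the advisory. The IOC list is the one printed
above. SAMPLE_PROXY_LOG and its format are constructed assumptions:
  <ISO timestamp> <client IP> <method> <URL or host:port> <status>
"""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "hxxp://iq3ahijcfeont3xx[.]sm4i8smr3f43.com",
    "hxxps://iq3ahijcfeont3xx[.]tor2web.blutmagie.de",
    "hxxp://iq3ahijcfeont3xx[.]fenaow48fn42.com",
]


def refang(ioc: str) -> str:
    """Reverse the usual defanging conventions: hxxp -> http, [.] -> . ."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("(.)", ".")
               .replace("[:]", ":"))


def ioc_hosts(iocs: List[str]) -> Set[str]:
    """Lower-cased hostnames of the refanged IOC URLs."""
    return {urlsplit(refang(i)).hostname.lower() for i in iocs}


def host_matches(hostname: str, watch: Set[str]) -> bool:
    """Exact match or subdomain of a watched host (never the parent domain)."""
    h = hostname.lower().rstrip(".")
    return any(h == w or h.endswith("." + w) for w in watch)


def host_from_target(target: str) -> Optional[str]:
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if "://" in target:
        return urlsplit(target).hostname
    return target.rsplit(":", 1)[0] or None


# Constructed sample log; only lines 2-4 should match.
SAMPLE_PROXY_LOG = """\
2024-08-12T09:14:03Z 10.20.1.15 GET http://update.example.com/manifest.json 200
2024-08-12T09:14:07Z 10.20.1.15 GET http://iq3ahijcfeont3xx.sm4i8smr3f43.com/ 200
2024-08-12T09:15:41Z 10.20.1.22 CONNECT iq3ahijcfeont3xx.tor2web.blutmagie.de:443 200
2024-08-12T09:16:02Z 10.20.1.15 GET http://IQ3AHIJCFEONT3XX.fenaow48fn42.com/gate.php 404
2024-08-12T09:17:30Z 10.20.1.31 GET http://cdn.example.com/app.js 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_log(text: str, iocs: List[str] = DEFANGED_IOCS) -> List[Dict[str, object]]:
    """Return one hit per log line whose destination host is on the watchlist."""
    watch = ioc_hosts(iocs)
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # skip lines that do not fit the format
            continue
        ts, client, method, target, status = m.groups()
        host = host_from_target(target)
        if host and host_matches(host, watch):
            hits.append({"time": ts, "client": client, "method": method,
                         "host": host.lower(), "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} ({hit['method']} {hit['status']})")
```

Two points worth keeping when adapting this to a SIEM: match on the host, not the full URL, because the path and scheme in a C2 beacon change between samples; and treat any tor2web gateway (not just blutmagie.de) as suspicious, since the actor is using it to reach a Tor hidden service from hosts without a Tor client.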
Multiple High Severity Vulnerabilities in Ivanti Avalanche, Ivanti Neurons for ITSM and Ivanti Virtual Traffic Manager (vTM)
Threat Reference: Global
Risks: Authentication Bypass
Advisory Type: Updates/Patches
Priority: Standard
Ivanti has disclosed and patched multiple high- and critical-severity vulnerabilities affecting Ivanti Avalanche, Ivanti Neurons for ITSM and Ivanti Virtual Traffic Manager (vTM).
Notable CVEs
Ivanti Avalanche:
- [High] – CVE-2024-38652 – Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.
- [High] – CVE-2024-38653 – XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
- [High] – CVE-2024-36136 – An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
- [High] – CVE-2024-37399 – A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
- [High] – CVE-2024-37373 – Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.
Ivanti ITSM:
- [Critical] – CVE-2024-7569 – An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.
- [High] – CVE-2024-7570 – Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a Man-in-the-Middle (MITM) position to craft a token that would allow access to ITSM as any user.
Ivanti vTM:
Ivanti vTM is a software-based application delivery controller (ADC) that provides app-centric traffic management and load balancing for hosting business-critical services.
- [Critical] – CVE-2024-7593 – Incorrect implementation of an authentication algorithm in Ivanti vTM, in all versions other than 22.2R1 and 22.7R2, allows a remote unauthenticated attacker to bypass authentication on the admin panel and create an administrator user.
Recommendations
For Ivanti Virtual Traffic Manager (vTM), if an immediate upgrade is not feasible, Ivanti advises limiting admin access to the management interface to internal networks. This reduces exposure but does not fix the flaw, so it is a stop-gap until the patch is applied.
1. On the VTM server, go to System > Security.
2. Click the drop-down for the Management IP Address and Admin Server Port section.
3. Select the Management Interface IP Address in the bindip drop-down. Optionally, use the setting above bindip to restrict access to trusted IP addresses for further protection.
Permanent Fix
- For Ivanti Avalanche, download and install the latest patch version, Avalanche 6.4.4.
- For Ivanti Neurons for ITSM, update all affected products to the latest available patch version.
- For Ivanti vTM, upgrade to 22.2R1 or 22.7R2.
Mozilla Patches Multiple High-Severity Vulnerabilities in Firefox ESR and Firefox 129
Threat Reference: Global
Risks: Spoofing Attack, Code Execution, Use-After-Free, Out-of-Bound Memory, XSS Attack
Advisory Type: Updates/Patches
Priority: Standard
Mozilla recently addressed multiple vulnerabilities in Firefox and Firefox ESR. Successful exploitation could result in spoofing, code execution, use-after-free and out-of-bounds memory access, and cross-site scripting (XSS).
The fixes shipped in Firefox 129, Firefox ESR 128.1 and Firefox ESR 115.14; earlier releases on each line are affected.
Notable CVEs:
- [High] – CVE-2024-7518: Select options could obscure the full-screen notification dialog. A malicious site could use this for a spoofing attack.
- [High] – CVE-2024-7519: Inadequate checks in graphics shared-memory processing could cause memory corruption, which an attacker could exploit for a sandbox escape.
- [High] – CVE-2024-7520: A type confusion vulnerability in WebAssembly could allow an attacker to execute arbitrary code.
- [High] – CVE-2024-7521: Incomplete WebAssembly exception handling could result in a use-after-free.
- [High] – CVE-2024-7522: Failure to verify an attribute value in editor code could lead to an out-of-bounds read.
- [High] – CVE-2024-7524: An attacker could abuse Firefox’s web-compatibility shims to bypass a strict-dynamic Content Security Policy and achieve XSS through DOM clobbering.
- [High] – CVE-2024-7525: A web extension with minimal permissions could create a StreamFilter to read and modify response bodies on any site.
- [High] – CVE-2024-7526: ANGLE’s failure to initialise parameters could lead to reads of uninitialised memory, potentially leaking sensitive data.
- [High] – CVE-2024-7527: An unexpected marking task at the start of garbage-collection sweeping could result in a use-after-free.
- [High] – CVE-2024-7528: Incorrect interaction between garbage collection and IndexedDB could lead to a use-after-free.
SecurityHQ has not seen a public exploit for any of the above vulnerabilities, nor any exploitation by threat actors or malware.
Recommendations
It is recommended to update the affected products to their latest available versions/patch level.
Adobe Released Patches for Multiple Critical-Severity Vulnerabilities
Threat Reference: Global
Risks: Arbitrary Code Execution, Privilege Escalation, Command Injection, and Memory Corruption
Advisory Type: Updates/Patches
Priority: Standard
Adobe has released security updates for multiple critical-severity vulnerabilities across its products. Successful exploitation could lead to arbitrary code execution, privilege escalation, command injection and memory corruption.
Affected products include Adobe Substance 3D Designer, Adobe Substance 3D Sampler, Adobe InCopy, Adobe Commerce, Adobe Substance 3D Stager, Adobe Bridge, Acrobat and Acrobat Reader, Adobe Photoshop, Adobe Dimension and Adobe Illustrator.
Notable CVEs
- [Critical] – CVE-2024-41864: Adobe Substance 3D Designer (versions 13.1.2 and earlier) has an out-of-bounds write vulnerability leading to arbitrary code execution.
- [Critical] – CVE-2024-41860: Adobe Substance 3D Sampler (versions 4.5 and earlier) has an out-of-bounds read vulnerability that could disclose sensitive memory.
- [Critical] – CVE-2024-41858: Adobe InCopy (versions 18.5.2, 19.4 and earlier) suffers from an integer overflow vulnerability allowing arbitrary code execution.
- [Critical] – CVE-2024-39397: Adobe Commerce (versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier) allows unrestricted file uploads of dangerous types, leading to arbitrary code execution.
- [Critical] – CVE-2024-39398: Adobe Commerce (versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier) has improper restriction of authentication attempts, enabling brute-force attacks.
- [Critical] – CVE-2024-39399: Adobe Commerce (versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier) is vulnerable to path traversal, allowing arbitrary file system reads.
- [Critical] – CVE-2024-39400: Adobe Commerce (versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier) has a DOM-based XSS vulnerability permitting JavaScript code injection.
- [Critical] – CVE-2024-39401, CVE-2024-39402: Adobe Commerce (versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier) is affected by OS command injection allowing arbitrary code execution.
- [Critical] – CVE-2024-39403: Adobe Commerce (versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier) has a stored XSS vulnerability that allows script injection into form fields.
- [Critical] – CVE-2024-39388: Adobe Substance 3D Stager (versions 3.0.2 and earlier) is vulnerable to use-after-free, allowing arbitrary code execution.
- [Critical] – CVE-2024-39386, CVE-2024-41840: Adobe Bridge (versions 13.0.8, 14.1.1 and earlier) has an out-of-bounds write vulnerability leading to arbitrary code execution.
- [Critical] – CVE-2024-39383, CVE-2024-39422: Acrobat Reader (versions 20.005.30636, 24.002.20965, 24.002.20964, 24.001.30123 and earlier) is affected by use-after-free vulnerabilities enabling arbitrary code execution.
- [Critical] – CVE-2024-39423: Acrobat Reader (versions 20.005.30636, 24.002.20965, 24.002.20964, 24.001.30123 and earlier) has an out-of-bounds write vulnerability resulting in arbitrary code execution.
- [Critical] – CVE-2024-39424: Acrobat Reader (versions 20.005.30636, 24.002.20965, 24.002.20964, 24.001.30123 and earlier) is affected by a use-after-free vulnerability leading to arbitrary code execution.
- [Critical] – CVE-2024-39425: Acrobat Reader (versions 20.005.30636, 24.002.20965, 24.002.20964, 24.001.30123 and earlier) has a TOCTOU race condition vulnerability leading to privilege escalation.
- [Critical] – CVE-2024-39426: Acrobat Reader (versions 20.005.30636, 24.002.20965, 24.002.20964, 24.001.30123 and earlier) is vulnerable to an out-of-bounds read, potentially allowing code execution.
- [Critical] – CVE-2024-41830: Acrobat Reader (versions 20.005.30636, 24.002.20965, 24.002.20964, 24.001.30123 and earlier) has a use-after-free vulnerability enabling arbitrary code execution.
- [Critical] – CVE-2024-41831: Acrobat Reader (versions 20.005.30636, 24.002.20965, 24.002.20964, 24.001.30123 and earlier) suffers from a use-after-free vulnerability leading to arbitrary code execution.
- [Critical] – CVE-2024-34117: Adobe Photoshop Desktop (versions 24.7.3, 25.9.1 and earlier) has a use-after-free vulnerability allowing arbitrary code execution.
- [Critical] – CVE-2024-34124: Adobe Dimension (versions 3.4.11 and earlier) has an out-of-bounds write vulnerability resulting in arbitrary code execution.
- [Critical] – CVE-2024-41865: Adobe Dimension (versions 3.4.11 and earlier) is affected by an untrusted search path vulnerability allowing arbitrary code execution.
- [Critical] – CVE-2024-34133: Adobe Illustrator (versions 28.5, 27.9.4 and earlier) has an out-of-bounds write vulnerability leading to arbitrary code execution.
Recommendation
It is recommended to update all the affected products to the latest available patch version.
Microsoft Releases August 2024 Patch Tuesday for 90 Flaws
Threat Reference: Global
Risks: Remote Code Execution, Privilege Escalation, Information Disclosure and Denial of Service
Advisory Type: Updates/Patches
Priority: Standard
Microsoft has released its August 2024 Patch Tuesday with security updates for 90 flaws, 28 of them remote code execution vulnerabilities. Successful exploitation could result in remote code execution, privilege escalation, information disclosure and denial of service. Six of the flaws were reported as exploited in the wild at the time of release (CVE-2024-38106, CVE-2024-38107, CVE-2024-38178, CVE-2024-38189, CVE-2024-38193 and CVE-2024-38213) and should be patched first.
Affected products include Windows, Windows Server, the Windows kernel, Visual Studio, Microsoft Office, Microsoft Dynamics, Microsoft Edge, Windows Kerberos and Azure.
Notable CVEs
- [Critical] – CVE-2024-38063 – Windows TCP/IP Remote Code Execution Vulnerability. Unauthenticated and triggered by specially crafted IPv6 packets; hosts with IPv6 disabled are not affected, which Microsoft lists as a mitigation where the patch cannot be applied immediately.
- [Critical] – CVE-2024-38109 – Azure Health Bot Elevation of Privilege Vulnerability
- [Critical] – CVE-2024-38140 – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- [Critical] – CVE-2024-38159 – Windows Network Virtualization Remote Code Execution Vulnerability
- [Critical] – CVE-2024-38160 – Windows Network Virtualization Remote Code Execution Vulnerability
- [Critical] – CVE-2024-38166 – Microsoft Dynamics 365 Cross-site Scripting Vulnerability
- [Critical] – CVE-2024-38206 – Microsoft Copilot Studio Information Disclosure Vulnerability
For the full list of CVEs, see Microsoft’s Security Update Guide release notes for August 2024.
Recommendation
It is recommended to update all the affected products to the latest available patch version.
Threat Intelligence for the Future
SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to cyber threat intelligence. The team researches emerging threats and tracks the activities of threat actors, ransomware groups and campaigns, so that customers stay ahead of potential risks. Beyond its investigative work, the team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to navigate the cyber security threat landscape with confidence.
For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.