Monthly Advisory • 7 MIN READ
November 2024 Threat Advisory – Top 5
by Eleanor Barlow • Nov 2024
SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of November 2024.
The Emergence of Interlock Ransomware
Threat Reference: Global
Risks: Ransomware
Advisory Type: Threats
Priority: Standard
SecurityHQ has identified the emergence of a new ransomware strain, Interlock. This ransomware targets Windows systems and is known for its stealthy operations and methodical approach to encrypting files. After gaining initial access through phishing emails containing malicious links, Interlock utilizes ransom notes that threaten to expose sensitive information unless a ransom is paid. The malware then encrypts files and appends specific file extensions to indicate encryption, whilst employing a sophisticated blend of evasion techniques to avoid detection.
Interlock ransomware is believed to have originated from a Russian-speaking cybercrime group. The attack vectors and deployment methods indicate that the threat actors behind Interlock are experienced and familiar with various ransomware distribution strategies. While the precise origins and initial release timeline remain unclear, the ransomware has been observed spreading in targeted campaigns against high-value organizations.
Affected Products include Windows operating systems, Microsoft Office documents, databases, image formats, financial institutions, healthcare organizations, and Government entities.
Recommendations:
SecurityHQ has identified several measures to reduce risk such as implementing Multi-Factor Authentication, deploying Endpoint Detection and Response solutions, regular data backups, addressing vulnerabilities, educating employees, and regular security assessments.
Adobe Released Security Updates to Patch Multiple Critical and Important Severity Vulnerabilities across Adobe Products
Threat Reference: Global
Risks: Arbitrary Code Execution, Memory Leak, Application Denial-of-Service
Advisory Type: Updates/Patches
Priority: Standard
Adobe has released security updates to fix multiple critical severity vulnerabilities across its products. Successful exploitation of these vulnerabilities poses the risk of Memory Leak, Arbitrary Code Execution, and Application denial-of-service.
Affected products include Adobe After Effects, Adobe Substance 3D Painter, Adobe Illustrator, Adobe InDesign, Adobe Photoshop, and Adobe Commerce.
Notable CVEs:
- [Critical] CVE-2024-47441- Out-of-bounds Write – Software error that can occur when reading data from memory. These errors can lead to crashes or other unexpected vulnerabilities, that may allow an attack to read sensitive information.
- [Critical] CVE-2024-49521- Server-Side Request Forgery (SSRF) – A web security vulnerability that allows an attacker to cause an application to make requests to an unintended application.
- [Critical] CVE-2024-49525- Heap-based Buffer Overflow – Buffer Overflows are particularly vulnerable to threat actors attempting to corrupt data and disrupt operations.
Recommendations:
Update all affected products to the latest available patch version.
Joint Agency Advisory: Increased Threat of Zero-Day Exploits Targeting Enterprise Vulnerabilities
Threat Reference: Global
Risks: Code Injection, Privilege Escalation, Heap-Based Buffer Overflow, SQL Injection, Remote Code Execution
Advisory Type: Updates/Patches
Priority: Standard
In a joint advisory published by NCSC, CISA, and allied agencies, experts warn of a surge in cyber attackers, including state-sponsored and financially motivated groups, exploiting zero-day vulnerabilities. Both newly disclosed and known vulnerabilities are being rapidly weaponized, making unpatched systems particularly vulnerable.
Agencies note a shift toward swift exploitation tactics and are advising organizations to bolster defenses by promptly patching and reducing their attack surfaces. Key industries such as government, finance, and critical infrastructure are primary targets.
Notable CVEs
- CVE-2021-44228 (“Log4Shell”): RCE in Apache Log4j, highly exploited – Attackers submit requests causing systems to execute arbitrary code allowing them to take full control of the system, steal information, launch ransomware, and more.
- CVE-2019-0708 (“BlueKeep”): RCE in Windows RDP, critical impact – security vulnerability discovered in Windows operating systems that allows for the possibility of remote code execution – allowing attackers full control over systems.
- CVE-2020-1472 (“Zerologon”): Domain admin access in Microsoft Netlogon. – Attackers gain access to systems via brute-force-attack against Netlogon exploiting a flaw in the system in which 1 in every 256 codes yields a ciphertext of only zeros.
Visit here for the full list.
Recommendations:
Update all the affected products to the latest available patch version.
Microsoft Released its November 2024 Patch Tuesday for 91 Flaws Including 04 Zero-Days and 52 Remote Code Execution Vulnerabilities
Threat Reference: Global
Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Denial of Service and Spoofing
Advisory Type: Updates/Patches
Priority: Standard
Microsoft has released its Patch Tuesday for November 2024, with security updates for 91 flaws, including 04 actively exploited and 52 Remote Code Execution Vulnerabilities. Successful exploitation of these vulnerabilities could result in Elevation of Privilege, Security Feature Bypass, Remote Code Execution, Information Disclosure, Denial of Service, and Spoofing.
Affected Products include .NET and Visual Studio, Airlift.microsoft.com, Azure CycleCloud, LightGBM, Microsoft Defender for Endpoint, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office Excel, Microsoft Office Word, Microsoft PC Manager, Microsoft Virtual Hard Drive, Microsoft Windows DNS, Role: Windows Active Directory Certificate Services, Role: Windows Hyper-V, SQL Server, TorchGeo, Visual Studio, Visual Studio Code, Windows CSC Service, Windows Defender Application Control (WDAC), Windows DWM Core library, Windows Kerberos, Windows Kernel, Windows NT OS Kernel, Windows NTLM, Windows Package Library Manager, Windows Registry, Windows Secure Kernel Mode, Windows SMB, Windows SMBv3 Client/Server, Windows Task Scheduler, Windows Telephony Service, Windows Update Stack, Windows USB Video Driver, Windows VMSwitch, and Windows Win32 Kernel Subsystem.
Notable CVEs:
- [Zero-Day] – [Important] – CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability – Enables an attacker to authenticate as a user after only minimal interaction, such as opening a malicious file.
- [Critical] – CVE-2024-43498 – .NET and Visual Studio Remote Code Execution Vulnerability – attackers able to exploit vulnerabilities by sending crafted requests to .NET vulnerable webapp, or loading a specifically crafted file into the application.
- [Critical] – CVE-2024-43639 – Windows Kerberos Remote Code Execution Vulnerability – Critical vulnerability that allows attackers to send crafted requests to vulnerable systems to gain unauthorized access and execute arbitrary code on affected systems.
Recommendations:
Update all affected products to the latest available patch version.
Fortinet Patches Critical Vulnerabilities
Threat Reference: Global
Risks: Privilege Escalation, Arbitrary Code Execution and Unauthorized Session Hijacking
Advisory Type: Updates/Patches
Priority: Standard
Fortinet has released patches to address high-severity vulnerabilities affecting its products. Successful exploitation of these vulnerabilities could result in Privilege Escalation, Arbitrary Code Execution, and Unauthorized Session Hijacking.
Affected products include FortiClientWindows, FortiAnalyzer, FortiAnalyzer-BigData, FortiManager, FortiManager Cloud, FortiOS
Notable CVEs:
- [Critical] – CVE-2024-47575 – A missing authentication vulnerability in the FortiManager daemon may permit a remote, unauthenticated attacker to execute arbitrary code or commands through crafted requests.
- [High] – CVE-2024-36513 – A privilege context switching error vulnerability in FortiClient for Windows may enable an authenticated user to gain elevated privileges by exploiting Lua auto-patch scripts.
- [High] – CVE-2024-23666 – A client-side implementation of a server-side security vulnerability in FortiAnalyzer could allow an authenticated attacker with read-only access to carry out sensitive operations through crafted requests.
Recommendations:
Update all affected products to the latest available patch version.
Threat Intelligence for the Future
SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat
Intelligence. Our team is focused on researching emerging threats and tracking activities of threat actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.
For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.