13 Dec 2024
Week in review
Greetings,
This week, we were reminded of the critical importance of strong operational security (OPSEC) in protecting sensitive information, as poor security practices can not only compromise data but also expose criminal activities and lead to arrests.
A 19-year-old Californian resident was recently arrested for an alleged role in cyber crimes committed by the Scattered Spider group. According to court documents released this week, investigators were able to identify the suspect by linking together online accounts, IP and physical addresses, and the use of a money laundering service that was operated by the FBI.
In a similar case, alleged cyber criminals who had stolen source code, credentials, and other sensitive data were uncovered due to their own poor cyber security practices. Security researchers discovered more than 2 terabytes of stolen data as a result of overly permissive access control settings on their AWS S3 bucket.
These incidents underscore the need for vigilance and robust security practices: not only for those seeking to protect against cyber threats but, ironically, also for those who perpetrate them.
Mitel MiCollab zero-day flaw gets proof-of-concept exploit
Date: 2024-12-05
Author: Bleeping Computer
[AUSCERT identified the impacted members (where possible) and contacted them via email]
Researchers have uncovered an arbitrary file read zero-day in the Mitel MiCollab collaboration platform, allowing attackers to access files on a server's filesystem. Mitel MiCollab is an enterprise collaboration platform that consolidates various communication tools into a single application, offering voice and video calling, messaging, presence information, audio conferencing, mobility support, and team collaboration functionalities.
Fully patched Cleo products under renewed 'zero-day-ish' mass attack
Date: 2024-12-10
Author: The Register
Researchers at security shop Huntress are seeing mass exploitation of a vulnerability affecting three Cleo file management products, even on patched systems.
Cleo issued patches for CVE-2024-50623, an unauthenticated remote code execution (RCE) bug affecting Harmony, VLTrader, and LexiCom (marketed as secure file integration and transfer products), back in October; Huntress reports that exploitation succeeds even against systems running version 5.8.0.21, the build that carried that fix.
The situation was described by Huntress on Reddit as "zero-day-ish." It's a zero-day in the sense that it involves the novel exploit of a vulnerability, but "ish" because that vulnerability was already addressed, or so Cleo thought.
SonicWall Patches 6 Vulnerabilities in Secure Access Gateway
Date: 2024-12-06
Author: Security Week
[AUSCERT identified the impacted members (where possible) and contacted them via email]
SonicWall this week announced patches for multiple vulnerabilities in the SMA100 SSL-VPN secure access gateway, including high-severity flaws leading to remote code execution (RCE). The most severe of these issues are two buffer overflow bugs affecting the web management interface and a library loaded by the Apache web server.
Django Releases Patches for CVE-2024-53907 and CVE-2024-53908 to Mitigate DoS and SQLi Threats
Date: 2024-12-05
Author: Security Online
[AUSCERT identified the impacted members (where possible) and contacted them via email]
The Django team has recently announced the release of Django 5.1.4, Django 5.0.10, and Django 4.2.17 to address two security vulnerabilities. All users are strongly encouraged to upgrade their Django installations as soon as possible.
CVE-2024-53907: Potential Denial-of-Service Attack
The first vulnerability, identified as CVE-2024-53907, involves a potential denial-of-service (DoS) vulnerability in the django.utils.html.strip_tags() method and striptags template filter.
Microsoft NTLM Zero-Day to Remain Unpatched Until April
Date: 2024-12-10
Author: Dark Reading
[Please see AUSCERT advisory: https://portal.auscert.org.au/bulletins/ASB-2024.0236/ ]
The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.
QNAP Patches Vulnerabilities Exploited at Pwn2Own
Date: 2024-12-09
Author: Security Week
Taiwan-based QNAP Systems over the weekend announced patches for multiple QTS and QuTS Hero vulnerabilities demonstrated at the Pwn2Own Ireland 2024 hacking contest.
At Pwn2Own, participants earned tens of thousands of dollars for QNAP product exploits, and one entry even earned white hat hackers $100,000, but it involved chaining not only QNAP but also TrueNAS device vulnerabilities.
ASB-2024.0236 – Windows Workstation and Server
AUSCERT issued an advisory warning its members about the zero-day vulnerability in Windows NTLM. Microsoft has not yet released a patch but has provided new guidance to organisations on how to mitigate NTLM relay attacks.
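The advisory and the Dark Reading item above both point at Microsoft's mitigation guidance rather than reproducing it. As an added example (the editor's, not AUSCERT's or Microsoft's code), the following read-only PowerShell audit reports the host-side controls that have long been used to blunt NTLM relay: SMB signing, LmCompatibilityLevel, outbound NTLM restriction and, on domain controllers, LDAP signing and channel binding. Which of these Microsoft's updated guidance emphasises is not stated on this page, so the selection is the editor's assumption; the "Ok" thresholds are the strict settings, which some environments cannot adopt without breaking legacy clients.

```powershell
# Added audit example (editor's assumption of the relevant controls, not a
# transcription of Microsoft's guidance). Read-only: nothing is changed.
# Run in an elevated session on the host you want to assess.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the Windows default applies
}

$findings = @()

# 1. SMB signing. A relayed NTLM session cannot be used against an SMB
#    server that requires signing, because the attacker lacks the session key.
$smbServer = Get-SmbServerConfiguration
$smbClient = Get-SmbClientConfiguration
$findings += [pscustomobject]@{
    Control = 'SMB server requires signing'
    Value   = $smbServer.RequireSecuritySignature
    Ok      = [bool]$smbServer.RequireSecuritySignature
}
$findings += [pscustomobject]@{
    Control = 'SMB client requires signing'
    Value   = $smbClient.RequireSecuritySignature
    Ok      = [bool]$smbClient.RequireSecuritySignature
}

# 2. LmCompatibilityLevel: 5 = send NTLMv2 only, refuse LM and NTLMv1.
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel = Get-RegValue $lsa 'LmCompatibilityLevel'
$lmShown = if ($null -eq $lmLevel) { 'not set (OS default)' } else { $lmLevel }
$findings += [pscustomobject]@{
    Control = 'LmCompatibilityLevel (5 = NTLMv2 only)'
    Value   = $lmShown
    Ok      = ($lmLevel -eq 5)
}

# 3. Outbound NTLM restriction: 2 = deny, 1 = audit only, 0 or absent = allow.
#    Denying outbound NTLM removes the authentication a relay needs to capture.
$restrict      = Get-RegValue "$lsa\MSV1_0" 'RestrictSendingNTLMTraffic'
$restrictShown = if ($null -eq $restrict) { 'not set (allow)' } else { $restrict }
$findings += [pscustomobject]@{
    Control = 'RestrictSendingNTLMTraffic (2 = deny outbound NTLM)'
    Value   = $restrictShown
    Ok      = ($restrict -eq 2)
}

# 4. Domain controllers only (NTDS key exists only on a DC): LDAP signing and
#    channel binding stop relays to LDAP and LDAPS respectively.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $ldapSign = Get-RegValue $ntds 'LDAPServerIntegrity'        # 2 = require signing
    $ldapCbt  = Get-RegValue $ntds 'LdapEnforceChannelBinding'  # 2 = always enforce
    $signShown = if ($null -eq $ldapSign) { 'not set' } else { $ldapSign }
    $cbtShown  = if ($null -eq $ldapCbt)  { 'not set' } else { $ldapCbt }
    $findings += [pscustomobject]@{
        Control = 'LDAPServerIntegrity (2 = require signing)'
        Value   = $signShown
        Ok      = ($ldapSign -eq 2)
    }
    $findings += [pscustomobject]@{
        Control = 'LdapEnforceChannelBinding (2 = always)'
        Value   = $cbtShown
        Ok      = ($ldapCbt -eq 2)
    }
}

$findings | Format-Table -AutoSize
```

Any row reporting Ok = False is a relay path worth closing, but change settings in stages: RestrictSendingNTLMTraffic supports an audit mode (1) that logs what would break before you set it to 2, and LmCompatibilityLevel = 5 will lock out any client that still depends on NTLMv1.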
ESB-2024.8086 – Atlassian Products: CVSS (Max): 8.1
Atlassian has released fixes for 10 high-severity vulnerabilities affecting Bamboo, Bitbucket, and Confluence Data Center and Server products. The patches address issues in third-party dependencies like Apache, AWS SDK, and Hazelcast. Users are urged to update their instances.
ASB-2024.0233 – Microsoft Windows: CVSS (Max): 9.8
Microsoft has issued security updates for 59 vulnerabilities across Windows 10, 11, and Server, with Windows 7 and 8.1 no longer receiving support. CVE-2024-49138, a heap-based buffer overflow in the Windows Common Log File System (CLFS) driver, is actively being exploited and allows a local attacker to gain SYSTEM privileges. Users are advised to update to Windows 10 22H2 or Windows 11 23H2 for continued security.
ESB-2024.8056 – Google Chrome: CVSS (Max): None
Google has released a Chrome update (version 131.0.6778.139/140) for Windows, Mac, and Linux, addressing several security vulnerabilities, including two rated "High" severity. Notably, CVE-2024-12381 (Type Confusion in V8) and CVE-2024-12382 (Use After Free in Translate) were fixed; both are memory-safety bugs of the kind that can be leveraged for arbitrary code execution via a crafted web page.
ESB-2024.8062 – Adobe Connect: CVSS (Max): 9.3
Adobe has released a security update for Adobe Connect, addressing critical, important, and moderate vulnerabilities that could lead to arbitrary code execution, privilege escalation, and security feature bypass. Affected versions include Adobe Connect 12.6 and earlier, as well as 11.4.7 and earlier. The update, rated priority 3, is available for all platforms, and users are urged to upgrade to Adobe Connect 12.7 or 11.4.9.
Stay safe, stay patched and have a good weekend!
The AUSCERT team