Threat alerts
Stay informed about the latest threats and vulnerabilities
Microsoft patches Windows OLE Vulnerability (CVE-2025-21298) and Sophos Highlights Office 365 Threats
January 22, 2025
In the last Patch Tuesday, Microsoft addressed a high-severity flaw in Microsoft Outlook that could allow attackers to execute remote code via maliciously crafted emails. Separately, Sophos has observed threat actors leveraging the Office 365 suite in attacks such as email bombing, IT impersonation on Teams, and remote control via Quick Assist.
CVE-2025-0282 & CVE-2025-0283: Ivanti Zero-Day Vulnerabilities
January 9, 2025
Ivanti disclosed two critical zero-day vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for ZTA gateways. While researchers have yet to link the attacks to any advanced persistent threat (APT) group, they have identified several malware samples on compromised systems, including the SPAWN ecosystem of malware as well as newly discovered malware such as a credential harvesting tool called DRYHOOK and a dropper called PHASEJAM.
Salt Typhoon: Chinese APT Group Targeting Telco Companies
December 11, 2024
In 2024, the threat actor Salt Typhoon (also known as “Earth Estries”, “GhostEmperor”, “FamousSparrow”, and “UNC2286”) was attributed a series of cyber-attacks targeting U.S. telecommunications companies. The group’s primary focus is cyberespionage, and it is notorious for targeting government entities as well as global organisations, including the telecommunications sector. Salt Typhoon exploits internet-facing systems, uses living-off-the-land binaries (LOLBINs) such as WMIC.exe and PSEXEC.exe for lateral movement, and deploys customised malware to establish and maintain persistence.
Critical Security Updates Released for Ivanti Cloud Services Application (CSA) and Connect Secure Products
December 11, 2024
Ivanti has issued critical security updates to address multiple vulnerabilities in its Cloud Services Application (CSA) and Connect Secure products. These flaws, if exploited, could lead to privilege escalation and remote code execution (RCE), posing significant risks to organizations relying on these tools.
CVE-2024-0012: Critical Authentication Bypass Vulnerability in PAN-OS
November 19, 2024
Palo Alto Networks has identified a critical authentication bypass vulnerability (CVE-2024-0012) affecting its PAN-OS software. This flaw allows unauthenticated attackers with network access to the management web interface to gain administrator privileges, from which they can perform administrative actions and manipulate configurations.
Midnight Blizzard: Spear-Phishing Campaign Using RDP Files
October 30, 2024
The threat actor group “Midnight Blizzard” has recently been observed targeting several industries and sectors in a new, highly sophisticated spear-phishing campaign that delivers a signed Remote Desktop Protocol (RDP) configuration file. This operation targets individuals in government and non-governmental organizations across over 100 entities.
Critical Vulnerability in FortiManager: CVE-2024-47575
October 25, 2024
A critical vulnerability has been identified in the FortiManager fgfmd daemon, allowing remote unauthenticated attackers to execute arbitrary code or commands. The missing authentication vulnerability has been actively exploited in the wild, posing a severe risk to organizations using FortiManager and FortiAnalyzer models.
Ivanti Zero-Day vulnerabilities: CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381
October 9, 2024
Ivanti issued a security update for three new zero-day vulnerabilities in its Cloud Services Appliance (CSA), which are being reported as exploited. These are tracked under CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381.
CVE-2024-38812: Critical RCE Bug in VMware vCenter Server
September 19, 2024
Broadcom has patched a critical vulnerability in VMware vCenter Server, which could allow attackers to achieve remote code execution (RCE) by exploiting a heap overflow flaw in the DCE/RPC (Distributed Computing Environment/Remote Procedure Call) protocol. The vulnerability allows unauthenticated attackers to send specially crafted network packets to unpatched servers, leading to potential system compromise.