Top Middle East Cyber Threats – October 29th, 2024
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Fortinet Discloses Critical Vulnerability Exploited in Zero-Day Attacks
Fortinet has disclosed a critical FortiManager API vulnerability, tracked as CVE-2024-47575, also known as FortiJump, which was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. FortiJump has a severity rating of 9.8 out of 10.
A missing authentication for a critical function vulnerability [CWE-306] in the FortiManager fgfmd daemon may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Samsung Addresses Critical Zero-Day Vulnerability Exploited in Galaxy Devices
Samsung has addressed a critical zero-day vulnerability classified as a ‘use-after-free’ flaw, which could be exploited in certain Galaxy devices. This vulnerability allows attackers to execute arbitrary code or gain control of the system by manipulating memory after it has been freed, posing a significant threat to device security. Researchers from Google Project Zero confirmed that threat actors are actively exploiting this vulnerability as part of a broader exploit chain.
This flaw, affecting devices with certain Exynos chipsets and Android versions up to Android 12, can potentially lead to full system compromise if exploited.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Google Releases Security Update Fixing High-Severity Vulnerabilities in Chrome
Google has published a security update to address multiple vulnerabilities in the Chrome browser, now fixed in the latest version (130.0.6723.69/.70 for Windows and Mac, and 130.0.6723.69 for Linux).
The update includes three security fixes contributed by external researchers, all rated as high in severity.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
BIG-IP Monitor Functionality Allows Privilege Escalation for Authenticated Attackers
The BIG-IP monitor functionality may allow an authenticated attacker with at least Manager role privileges to elevate their privileges and/or modify the configuration (CVE-2024-45844).
This vulnerability may enable an authenticated attacker with Manager role privileges or higher, with access to the Configuration utility or TMOS Shell (tmsh), to elevate their privileges and compromise the BIG-IP system. There is no data plane exposure; this is solely a control plane issue.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
CISA Issues Alert on Cyber Actors Exploiting Brute Force Techniques Against Critical Infrastructure
Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning of cyber actors targeting multiple critical infrastructure sectors, including healthcare, government, IT, and energy, using brute force attacks and other credential access techniques. These actors aim to compromise user accounts and gain unauthorized network access, which may later be sold on cybercriminal platforms.
Since October 2023, cyber actors have employed brute force methods such as password spraying and multi-factor authentication (MFA) push bombing to access critical systems, including Microsoft 365, Azure, and Citrix environments. Once inside, they often register new MFA devices to maintain persistent access and conduct reconnaissance to gather credentials and sensitive data. These credentials are likely sold on cybercriminal forums for further exploitation.
Key techniques include:
- Brute force password attacks (password spraying)
- MFA fatigue attacks by bombarding users with push notifications
- Credential and privilege escalation using Kerberos attacks and Active Directory tools
- Lateral movement via Remote Desktop Protocol (RDP)
- Data exfiltration and persistence using VPN services
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- Avoid clicking on or opening untrusted or unknown links, files, or attachments.
- Enforce a strong password policy and ensure the use of MFA.
- Restrict VPN and RDP usage and monitor for suspicious connections.
- Use RBAC and regularly audit privileged accounts.
- Monitor your network for abnormal behaviors and IoCs.
- Ensure frequent backups are in place.
- Educate employees about detecting and reporting phishing or suspicious emails.
References
https://www.fortiguard.com/psirt/FG-IR-24-423
https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2024/CVE-2024-44068.html
https://cybersecuritynews.com/samsung-use-after-free-zero-day-vulnerability/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2024-44068/
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_22.html
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a