Cyber News Roundup for October 25, 2024

In this week’s roundup of cybersecurity news, we dive into significant developments, including investigations into restricted chips found in Huawei products, the confirmation of a zero-day vulnerability in Fortinet’s FortiManager, and CISA’s addition of a critical Microsoft SharePoint flaw to its Known Exploited Vulnerabilities catalog. We also explore active attacks on Cisco’s ASA software and the U.S. Defense Department’s initiative to harness tech talent for military cyber roles. Stay informed as we uncover the latest threats, vulnerabilities, and responses shaping the cybersecurity landscape.


Officials investigate how restricted chips ended up in products from Huawei

Taiwan Semiconductor Manufacturing Co. (TSMC) discovered this month that chips it made for a specific client ended up in Huawei Technologies products, potentially violating U.S. sanctions aimed at restricting technology to the Chinese company. TSMC halted shipments to the client in mid-October and notified both U.S. and Taiwanese authorities. It’s unclear whether the client was working on behalf of Huawei or where it is based, but the incident raises questions about how Huawei obtained advanced chips despite sanctions.

Huawei, blacklisted since 2020, has relied on Semiconductor Manufacturing International Corp. (SMIC) for chip production. However, recent reports suggest Huawei’s latest AI servers contain processors made by TSMC. TSMC had previously stated it stopped all shipments to Huawei in 2020. U.S. officials are now investigating whether third-party distributors played a role in bypassing export restrictions. This development adds pressure on TSMC and the U.S. Bureau of Industry and Security to address potential loopholes in export controls. (Bloomberg)

Fortinet confirms a recently rumored zero-day

For over a week, rumors of a zero-day vulnerability in Fortinet’s FortiManager have been circulating online. Today, the flaw, dubbed “FortiJump” (CVE-2024-47575), was officially disclosed by Fortinet, confirming it has been actively exploited since June 2024. The vulnerability, a missing authentication issue in the FortiGate to FortiManager Protocol (FGFM) API, allows attackers to execute commands on FortiManager servers and steal data from managed FortiGate devices.

Cybersecurity firm Mandiant revealed that a threat actor, tracked as UNC5820, has been exploiting the flaw in attacks affecting more than 50 servers. Attackers used their own FortiManager and FortiGate devices with valid certificates to register on vulnerable FortiManager servers. Once connected, even in an unauthorized state, these devices could access sensitive data, including configuration details and hashed passwords of managed devices.

Fortinet has released patches and advised customers to restrict IP connections and block unauthorized FortiGate devices. The company’s advisory includes mitigation measures, indicators of compromise, and logs to help detect affected systems. Organizations are urged to apply these patches and update credentials to prevent further breaches. So far, no additional malicious activity has been reported since the initial attacks. (Bleepingcomputer)


CISA adds Microsoft SharePoint flaw to its KEV catalog

The flaw in question is the Microsoft SharePoint Deserialization Vulnerability, tracked as CVE-2024-38094 with a CVSS v4 score of 7.2. This means “an authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.” Federal agencies must fix this vulnerability by November 12, and, as always, private organizations are also advised to review the catalog and address this vulnerability. (Security Affairs)


Cisco warns of ASA and FTD software vulnerability under active attack

Cisco is in the news for a second time this week, this time in regard to a flaw in its Adaptive Security Appliance (ASA) that could lead to a denial-of-service (DoS) condition. This flaw impacts the Remote Access VPN (RAVPN) service of Cisco ASA and Cisco Firepower Threat Defense (FTD) Software. The company says, “an attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device…resulting in a DoS of the RAVPN service on the affected device.” This is also known as resource exhaustion. Cisco has released updates to address this flaw. (The Hacker News)


Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland

On the first day of the first ever Pwn2Own contest held in Ireland, hackers demonstrated 52 zero-day vulnerabilities across a wide range of devices, earning a total of $486,250 in cash prizes. The biggest prize of the day went to a group named Summoning Team who revealed “a chain of nine vulnerabilities to go from QNAP QHora-322 router to TrueNAS Mini X device.” This earned them a $100,000 payout and 10 Master of Pwn points. The event concludes today. (BleepingComputer)


Cisco Patches Vulnerability Exploited in Large-Scale Brute-Force Campaign

Cisco has released patches for multiple vulnerabilities affecting its Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products, including one that has been actively exploited. The exploited vulnerability, tracked as CVE-2024-20481 (CVSS score: 5.8), impacts the Remote Access VPN (RAVPN) service on ASA and FTD devices, allowing remote attackers to cause a denial-of-service (DoS) condition through resource exhaustion by sending numerous VPN authentication requests. Cisco linked this issue to a large-scale brute-force attack campaign it first reported in April 2024, which targets various VPN and SSH services, not only on Cisco products but also on those from other vendors such as Check Point, Fortinet, and Ubiquiti.

Alongside CVE-2024-20481, Cisco’s October 2024 security advisory bundle addressed 50 other flaws, including three critical vulnerabilities (CVE-2024-20329, CVE-2024-20424, and CVE-2024-20412) that could allow attackers to execute commands with root privileges or log in using static credentials. Additionally, proof-of-concept code has been released for three information disclosure vulnerabilities (CVE-2024-20377, CVE-2024-20387, CVE-2024-20388). Cisco urges organizations to apply the patches immediately to avoid potential exploits. Further details are available in Cisco’s security advisories. (SecurityWeek)
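Both the Cisco ASA item above and the earlier DoS warning describe the same pattern: floods of RAVPN authentication requests from a source, whether as brute force or as resource exhaustion. The detector below is an added example, not Cisco’s tooling or anything from the advisories; it runs a sliding-window count of rejected authentications per source IP over constructed log lines that are only loosely patterned on ASA-style AAA syslog (the message ID and field layout are assumptions, not captured output).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines, loosely patterned on ASA-style AAA syslog messages;
# the message ID and field layout are assumptions, not real device output.
SAMPLE_LOG = """\
Oct 24 2024 10:00:00 asa-1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : user = alice : user IP = 203.0.113.7
Oct 24 2024 10:00:01 asa-1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : user = bob : user IP = 203.0.113.7
Oct 24 2024 10:00:01 asa-1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : user = carol : user IP = 203.0.113.7
Oct 24 2024 10:00:02 asa-1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : user = dave : user IP = 203.0.113.7
Oct 24 2024 10:00:02 asa-1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : user = erin : user IP = 203.0.113.7
Oct 24 2024 10:00:03 asa-1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : user = frank : user IP = 203.0.113.7
Oct 24 2024 10:03:00 asa-1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : user = alice : user IP = 198.51.100.9
Oct 24 2024 10:09:00 asa-1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : user = alice : user IP = 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*?authentication Rejected.*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def parse(lines):
    """Yield (timestamp, source_ip, username) for each rejected-auth line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["ip"], m["user"]

def detect_floods(lines, threshold=5, window_s=60):
    """Flag source IPs with >= threshold rejections inside any window_s span.
    Returns {ip: (peak_count_in_window, distinct_users_seen)}; many distinct
    users from one source points at spraying rather than one mistyped password."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    users = defaultdict(set)
    flagged = {}
    for ts, ip, user in parse(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:   # expire old entries
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(ip, (0,))[0])
            flagged[ip] = (peak, len(users[ip]))
    return flagged

if __name__ == "__main__":
    for ip, (peak, n) in detect_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} rejections in a 60s window across {n} usernames")
```

The single slow source (198.51.100.9) never crosses the threshold, while the burst from 203.0.113.7 is flagged; the same per-source counts are what you would feed into a block list or rate limit in front of the RAVPN service.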


Fortinet patches actively exploited zero-day

On October 13th, Fortinet began privately notifying impacted customers about a critical flaw in its FortiManager API. This flaw allowed an attacker with a valid certificate from any owned or compromised Fortinet device to execute arbitrary code and take complete control of attached firewalls. Some customers reported the flaw under active exploitation for weeks before any notice from the company. This notification included mitigations until a patch was formally released. Security researcher Kevin Beaumont posted on social media about the flaw the same day Fortinet sent its initial notification, dubbing it FortiJump. Fortinet released a patch for the vulnerability as well as indicators of compromise. (Ars Technica, Bleeping Computer)


DeFi game used to exploit Chrome zero-day

Researchers from Kaspersky detailed a campaign by North Korea’s Lazarus Group that used an NFT-based game as a lure to install its tried and true Manuscrypt backdoor. Lazarus promoted the game DeTankZone through spearphishing, ads on X, and direct messages on LinkedIn. The game loads to a login screen, which then points users to the game’s website to complete registration. The site uses a hidden script to trigger a type confusion vulnerability in Chrome’s V8 JavaScript engine, used to overwrite sections of Chrome’s compiler to gain access to the browser’s entire address space. Lazarus used this for reconnaissance to see if the victim was valuable enough to continue attacking. Chrome patched the flaw in V8 in March. (Bleeping Computer)


Samsung zero-day under active exploit

A zero-day vulnerability (CVE-2024-44068) has been discovered in Samsung’s mobile processors and is being used in an exploit chain for arbitrary code execution. NIST said the use-after-free bug is in the m2m scaler driver in Samsung Mobile and Wearable Processors (Exynos 9820, 9825, 980, 990, 850, and W920) and leads to privilege escalation. The vulnerability was rated critical and scored 8.1 out of 10 on the CVSS scale. Samsung issued a patch along with its October set of security fixes. (Dark Reading)


Exploit released for new Windows Server “WinReg” attack

Proof-of-concept exploit code is now public for a vulnerability in Microsoft’s Remote Registry client (CVE-2024-43532) that falls back to old transport protocols if SMB transport is not present. An attacker could use the issue to authenticate to Active Directory Certificate Services (ADCS), where they could then obtain a user certificate for further domain authentication. The flaw affects all Windows Server versions from 2008 through 2022 as well as Windows 10 and Windows 11. Akamai researcher Stiv Kupchik originally disclosed the issue back in February, after which Microsoft dismissed the report as a documentation issue. In mid-June, Kupchik resubmitted the report with a better proof-of-concept (PoC) and explanation, leading Microsoft to confirm the issue in early July and issue a fix earlier this month. Akamai provided methods of detecting vulnerable services and recommends organizations use Event Tracing for Windows (ETW) to monitor for related RPC calls. (Bleeping Computer)


The DoD wants to offer senior cyber executives part-time roles as military reservists

The U.S. Defense Department is looking to tap into Silicon Valley’s tech talent by offering senior executives part-time roles as military reservists. These tech pros, like chief technology officers, would serve in high-ranking positions and be called in for short-term projects in areas like cybersecurity and data analytics. Brynt Parmeter, the Defense Department’s chief talent management officer, is spearheading the effort, aiming to bring dozens of tech professionals on board by next September, with plans to grow the program significantly over the next few years.

This initiative marks a shift in Silicon Valley’s relationship with the military, as tech companies increasingly see national security opportunities as beneficial. Parmeter hopes to place these tech experts in roles equivalent to major or lieutenant colonel in the Army and Air Force Reserves. The goal is to strengthen the military’s capabilities by leveraging private-sector expertise, without pulling these tech pros away from their keyboards and into combat. (WSJ)


Proposed rules ban U.S. companies from selling sensitive data

The Biden administration has formally proposed new regulations that would restrict the sale and transfer of sensitive personal data, such as health, financial, and geolocation data, to six adversarial nations: China, Russia, Iran, North Korea, Cuba, and Venezuela. These rules, which stem from a February executive order, aim to address national security risks posed by foreign actors exploiting bulk data to carry out cyberattacks and espionage. The new regulations set strict thresholds for data transactions and impose compliance requirements based on cybersecurity frameworks, with exemptions for certain telecommunications and clinical trial data. Though with congressional and presidential elections just weeks away, there is doubt as to whether there will be any forward movement on the bill this year. (CyberScoop, The Record)


APT41 group linked to months-long attack

The Chinese nation-state hacking group APT41 has been linked to a months-long cyberattack on a company in the gambling and gaming industry, where it stole sensitive data including network configurations and passwords. The group used a sophisticated, evolving toolkit to bypass security defenses, maintain persistent access, and escalate privileges. The attackers’ custom tools allowed them to establish covert channels for further malware deployment. While the exact initial access vector is unknown, security researchers believe spear-phishing emails may have been the point of entry. (The Hacker News)


Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo.