CrowdStrike content update causes global IT outage
On July 19th, over 8.5 million computers were compromised in what is now considered one of the most severe cyber incidents in history. The outage impacted a diverse array of industries, grounding flights, disrupting health services, and rendering payment systems inoperable. In the post-incident review, the company revealed that the crash was caused by a system bug that permitted “problematic content data” to bypass the validation process. In a statement, the company expressed: “We understand the profound impact this incident has had on everyone. We recognise the tireless efforts of our customers, partners, and their IT teams, and we are deeply grateful. We apologise for the disruption this has caused. Our primary focus is to restore every system as quickly as possible.”
Spain arrests three for using DDoSia hacktivist platform
Spanish authorities have arrested three individuals for using DDoSia, a distributed denial-of-service platform operated by pro-Russian hacktivists, to launch DDoS attacks against governments and organisations in NATO countries. The arrests took place at the suspects’ homes in Seville, Huelva, and Manacor. Police also seized various computer equipment and documents pertinent to the ongoing investigations. Despite these arrests, the hacktivist group continued their DDoS attacks against targets in the EU.
Over 3,000 GitHub accounts used by malware distribution service
A Malware Distribution-as-a-Service (DaaS) platform created by the threat group known as ‘Stargazer Goblin’ is utilising over 3,000 fake GitHub accounts to spread information-stealing malware. This service, named Stargazers Ghost Network, uses GitHub repositories and compromised WordPress sites to distribute password-protected archives containing malware. The majority of the distributed payloads are infostealers, including RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer.
Critical vulnerability exists in Cisco Secure Email
A vulnerability in Cisco Secure Email Gateway’s content scanning and message filtering features allows unauthenticated, remote attackers to overwrite arbitrary files on the underlying operating system. This issue arises from improper handling of email attachments when file analysis and content filters are enabled. Attackers can exploit this flaw by sending a crafted email attachment through an affected device. Successful exploitation could enable the attacker to replace any file on the file system, add users with root privileges, modify device configurations, execute arbitrary code, or cause a permanent denial of service (DoS) condition. Manual intervention is required to recover from the DoS state, and customers are advised to contact the Cisco Technical Assistance Center (TAC) for assistance.
Critical Docker Engine flaw allows attackers to bypass authorisation plugins
Docker has issued a warning about a critical vulnerability affecting certain versions of Docker Engine that could enable attackers to bypass authorisation plugins (AuthZ) under specific conditions. Designated as CVE-2024-41110, this bypass and privilege escalation vulnerability has a CVSS score of 10.0, indicating the highest level of severity. According to the Moby Project maintainers, “An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly”. While Docker has not reported any active exploitation of the vulnerability, users are encouraged to update their installations to the latest versions to address potential risks.
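The quoted mechanism is a fail-open decision: the plugin is handed a request with no body and treats "nothing to inspect" as "nothing to object to". The following Python is an added example, not Docker's or the Moby Project's code, and not a description of the patched daemon. It uses the request fields the Docker AuthZ plugin protocol sends to a plugin (RequestMethod, RequestURI, RequestHeaders and a base64-encoded RequestBody) and places a weak decision function beside a fail-closed one that denies any request which should have carried a body but did not. The list of body-inspected endpoints and the "no privileged containers" policy are assumptions for illustration only.

```python
"""
Fail-open versus fail-closed AuthZ decisions for a Docker-style authorisation plugin.

Added example (not Docker/Moby code). Request shape follows the AuthZ plugin
protocol (RequestMethod, RequestURI, RequestHeaders, base64 RequestBody);
the endpoint list and the policy itself are assumptions for illustration.
"""
import base64
import json

# Endpoints whose JSON body carries settings the policy must inspect (assumed policy).
BODY_INSPECTED_SUFFIXES = ("/containers/create",)


def _body_expected(method, uri):
    """True when this method/URI combination must carry a body the policy inspects."""
    path = uri.split("?", 1)[0]  # drop query string, keep the versioned path
    return method == "POST" and any(path.endswith(s) for s in BODY_INSPECTED_SUFFIXES)


def _inspect(body_b64):
    """Apply the (assumed) policy to a decoded JSON body: deny privileged containers."""
    try:
        doc = json.loads(base64.b64decode(body_b64))
    except ValueError:  # covers both bad base64 (binascii.Error) and bad JSON
        return {"Allow": False, "Msg": "request body could not be parsed"}
    if doc.get("HostConfig", {}).get("Privileged"):
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True, "Msg": ""}


def decide_fail_open(req):
    """Weak plugin: a missing body is treated as 'nothing to object to'."""
    body = req.get("RequestBody")
    if not body:
        return {"Allow": True, "Msg": "no body to inspect"}
    return _inspect(body)


def decide_fail_closed(req):
    """Hardened plugin: a body-inspected endpoint reached without a body is denied."""
    method = req.get("RequestMethod", "")
    uri = req.get("RequestURI", "")
    headers = req.get("RequestHeaders", {}) or {}
    body = req.get("RequestBody")
    if _body_expected(method, uri):
        # Either signal alone is enough to refuse: no body, or a header
        # announcing an empty body on an endpoint that must carry one.
        if not body or headers.get("Content-Length") == "0":
            return {"Allow": False, "Msg": "body missing for body-inspected endpoint"}
        return _inspect(body)
    if not body:
        return {"Allow": True, "Msg": "no body required for this endpoint"}
    return _inspect(body)


def make_request(body_obj, content_length=None):
    """Build a constructed plugin request; body_obj=None simulates a stripped body."""
    raw = json.dumps(body_obj).encode() if body_obj is not None else b""
    req = {
        "User": "alice",
        "UserAuthNMethod": "TLS",
        "RequestMethod": "POST",
        "RequestURI": "/v1.45/containers/create?name=web",
        "RequestHeaders": {
            "Content-Type": "application/json",
            "Content-Length": str(len(raw) if content_length is None else content_length),
        },
    }
    if raw:
        req["RequestBody"] = base64.b64encode(raw).decode()
    return req


if __name__ == "__main__":
    stripped = make_request(None, content_length=0)  # constructed: body never forwarded
    print("fail-open  :", decide_fail_open(stripped))
    print("fail-closed:", decide_fail_closed(stripped))
```

Running the block shows the two decisions side by side for a constructed create-container request whose body was never forwarded: the fail-open function allows it, the fail-closed one denies it. Updating Docker Engine is the fix for the daemon-side behaviour the page describes; the fail-closed pattern is the plugin-side habit that limits the blast radius of any similar forwarding defect.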
ConfusedFunction vulnerability discovered in Google Cloud Platform
A privilege escalation vulnerability in Google Cloud Platform’s (GCP) Cloud Functions service has recently been discovered, potentially allowing unauthorised access to various GCP services and sensitive information.
The issue stems from the automatic creation of a Cloud Build service account with excessive permissions whenever a Cloud Function is created or updated. This vulnerability, dubbed “ConfusedFunction,” could enable attackers to escalate their privileges to the Cloud Build service account, granting access to other linked services such as Cloud Storage, Artifact Registry, and Container Registry. While Google has mitigated the issue for new deployments by modifying Cloud Build to use the Compute Engine default service account, existing instances remain at risk. Liv Matan from Tenable highlighted the ongoing risks due to the broad permissions required for Cloud Build service accounts.
This disclosure comes alongside other recent security findings, including an XSS flaw in Oracle Integration Cloud Platform and vulnerabilities in the ServiceNow cloud platform, underscoring the persistent challenges in cloud service security.
Critical vulnerability unveiled in SolarWinds Serv-U
SolarWinds Serv-U was susceptible to a directory traversal vulnerability that allows an attacker to read sensitive files on the host machine.
The vulnerability, documented as CVE-2024-28995 with a CVSS score of 7.5, affects SolarWinds Serv-U 15.4.2 HF 1 and previous versions. Successful exploitation of this vulnerability could lead to further compromise of the system or lateral movement within the network.
This vulnerability is currently being exploited in the wild.
Telegram Zero-Day Enabled Malware Delivery
A critical security flaw in Telegram’s Android app dubbed EvilVideo has been revealed. The vulnerability manipulates Telegram’s API to embed malicious files within seemingly harmless multimedia previews.
Taking advantage of the app’s automatic download feature, the exploit covertly places its payload on users’ devices. When users try to play the compromised video, they encounter an error prompting them to open it with an external player. Following this suggestion triggers a request to install a malicious app disguised as a legitimate video player, while also seeking permission to install unknown applications. This targeted attack exclusively affects Telegram’s Android client, posing a significant security threat to Android users of the widely used messaging platform.
If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch by filling out the form below 👇.