Critical Windows Vulnerabilities Expose Systems to Downgrade Attacks
Microsoft is addressing two critical vulnerabilities in its Windows update architecture, CVE-2024-38202 and CVE-2024-21302. These flaws, with CVSS scores of 7.3 and 6.7 respectively, could allow attackers to perform downgrade attacks, replacing current OS files with older versions.
CVE-2024-38202 affects the Windows Backup component, potentially reintroducing mitigated vulnerabilities or circumventing Virtualization Based Security (VBS) features. CVE-2024-21302 enables privilege escalation in VBS-supported Windows systems.
The severity of these vulnerabilities was demonstrated with a tool called Windows Downdate, which can make fully patched Windows machines susceptible to thousands of past vulnerabilities, effectively turning fixed vulnerabilities back into zero-days. The tool can bypass integrity verification and Trusted Installer enforcement, allowing the downgrade of critical OS components including DLLs, drivers, and the NT kernel. Microsoft is currently developing security updates to address these serious security loopholes, which have the potential to significantly undermine Windows system security.
Ivanti Warns Users to Patch Authentication Bypass Vulnerability
Ivanti has issued an urgent warning to users regarding a critical authentication bypass vulnerability, tracked as CVE-2024-7593, affecting their Virtual Traffic Manager (vTM) appliances. This severe flaw, resulting from an incorrect implementation of an authentication algorithm, allows remote unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels and potentially create rogue administrator accounts.
While Ivanti reports no known exploitations of this vulnerability at the time of disclosure, they emphasise that a Proof of Concept is publicly available, heightening the risk. In response, the company has released updates to address the issue and is strongly urging all customers to upgrade to the latest patched version immediately.
Dispossessor Ransomware Group Taken Down by Authorities
In a joint operation, US and German authorities have successfully dismantled the globally active ransomware group known as Radar/Dispossessor. Founded in August 2023 and led by an individual using the alias “Brain,” this criminal organisation targeted small to medium-sized companies worldwide, with a particular focus on healthcare and transport sectors.
The group exploited vulnerabilities such as weak passwords and lack of two-factor authentication to infiltrate corporate IT systems.
While authorities have identified 43 victim companies across multiple countries, including the United States, Germany, and the United Kingdom, they suspect the actual number of affected businesses is significantly higher.
The operation resulted in the takedown of the group’s servers and domains in Germany, the US, and Britain. Additionally, law enforcement has identified 12 suspects from various countries, including Germany, Ukraine, Russia, and the United Arab Emirates, marking a significant breakthrough in the fight against cybercrime.
Vulnerability Uncovered in AI-Powered Azure Health Bot Service
Cybersecurity researchers from Tenable have uncovered two critical security flaws in Microsoft’s Azure Health Bot Service, a platform used by healthcare organisations to create AI-powered virtual health assistants.
These vulnerabilities, now patched, could have allowed malicious actors to access cross-tenant resources and sensitive patient data. The flaws were found in the Data Connections feature of the service, where attackers could bypass protections by issuing redirect responses when configuring a data connection. This method could potentially lead to obtaining an access token for management.azure.com, granting access to internal subscription IDs and resources.
A similar vulnerability was discovered in an endpoint related to FHIR data exchange format integration. Tenable reported these findings to Microsoft in June and July 2024, and the company has since patched the issues. Microsoft is tracking the primary vulnerability as CVE-2024-38109, with a high CVSS score of 9.1.
Fortunately, there is no evidence of these vulnerabilities being exploited in the wild.
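The redirect trick described in the Azure Health Bot item above is a general pattern: a server-side fetch accepts an apparently harmless external URL, then follows a redirect to an internal address it would never have accepted as the initial target. The following added example is my own code, not Microsoft's or Tenable's, and not a description of how the service was actually fixed; it shows a fetch wrapper that re-validates the host on every redirect hop. The hostnames, IP addresses, the DNS table and the transport function are constructed so the code runs offline.

```python
"""Server-side fetch that re-validates the target on every redirect hop, so a
redirect cannot steer the request to an internal or metadata address.
Added example: hostnames, addresses and the transport are constructed fakes so
the code runs offline; production code would resolve with socket.getaddrinfo
and make a real HTTPS request with client-level redirect following disabled."""

import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Constructed resolver table standing in for DNS.
FAKE_DNS: Dict[str, str] = {
    "data.example.com": "203.0.113.10",      # public (documentation range)
    "internal.example.com": "10.0.0.5",      # private, must never be reached
}

# Address ranges a server-side fetch should never reach on a tenant's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
MAX_REDIRECTS = 5

Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)
Transport = Callable[[str], Response]


def resolve(host: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """Return the IP for host: literal IPs pass through, names use the fake table."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return dns.get(host)


def is_safe_target(url: str, dns: Dict[str, str] = FAKE_DNS) -> Tuple[bool, str]:
    """Accept only https URLs whose host resolves to a public address."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "URL has no host"
    ip = resolve(host, dns)
    if ip is None:
        return False, f"cannot resolve {host}"
    addr = ipaddress.ip_address(ip)
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return False, f"{host} resolves to {ip} in blocked range {net}"
    return True, ip


def safe_fetch(url: str, transport: Transport,
               dns: Dict[str, str] = FAKE_DNS) -> Tuple[Optional[bytes], List[str]]:
    """Fetch url, checking each redirect target before following it.

    Returns (body, trace); body is None when a hop was blocked or the chain was too long.
    """
    trace: List[str] = []
    for _ in range(MAX_REDIRECTS + 1):
        ok, detail = is_safe_target(url, dns)
        if not ok:
            trace.append(f"blocked {url}: {detail}")
            return None, trace
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                trace.append(f"{url}: redirect without Location header")
                return None, trace
            trace.append(f"{url} -> {status} to {location}")
            url = urljoin(url, location)   # a relative Location stays on the same host
            continue
        trace.append(f"fetched {url}: HTTP {status}")
        return body, trace
    trace.append("too many redirects")
    return None, trace


def fake_transport(url: str) -> Response:
    """Constructed upstream: one honest endpoint, one that redirects inward, one that loops."""
    if url == "https://data.example.com/fhir":
        return 200, {}, b'{"resourceType": "Bundle", "entry": []}'
    if url == "https://data.example.com/redirect":
        return 302, {"Location": "https://internal.example.com/admin"}, b""
    if url == "https://data.example.com/loop":
        return 302, {"Location": "/loop"}, b""
    return 404, {}, b""


if __name__ == "__main__":
    for path in ("/fhir", "/redirect", "/loop"):
        body, trace = safe_fetch("https://data.example.com" + path, fake_transport)
        print(path, "->", "allowed" if body is not None else "denied")
        for line in trace:
            print("   ", line)
```

The design point is that validation runs on the resolved address, not just the hostname string, and runs again for every hop: a URL check performed once before the first request is exactly what a redirect defeats. Real deployments should also pin the resolved address for the actual connection so that a DNS answer cannot change between the check and the request.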
Kimsuky’s Persistent Cyber Targeting of University Researchers
Kimsuky, a North Korean APT group active since at least 2012, conducts global intelligence collection operations aligned with the interests of the North Korean government. The group primarily targets South Korean think tanks, government entities, and organisations in the US, UK, and Europe, specialising in targeted phishing campaigns using malicious attachments.
In Spring 2024, the NSA and FBI reported Kimsuky exploiting misconfigured DMARC policies for social engineering attempts. A significant development occurred in July 2024 when Resilience analysts discovered an OPSEC mistake by Kimsuky, revealing crucial operational details.
The group’s current focus appears to be targeting university staff, researchers, and professors for espionage, aligning with the goals of North Korea’s Reconnaissance General Bureau (RGB). Kimsuky’s past activities include attempts to steal nuclear weapons research, healthcare, and pharmaceutical secrets, as well as engaging in financially motivated cybercrime to fund their operations.
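The misconfigured DMARC policies mentioned in the Kimsuky item above are a setting a defender can audit directly. The following added example is my own code, not from the article, the NSA/FBI advisory or any vendor; it parses a DMARC TXT record and flags the weak settings (no record, p=none, sp=none, partial pct, no reporting address) that leave a domain easy to spoof. The domain names and records are constructed samples standing in for DNS lookups.

```python
"""Audit a domain's DMARC record for the weak settings that make spoofed mail
easier to deliver. Added example (not from the original article or any vendor);
the records below are constructed samples, not real domains' published records.
A real audit would fetch the TXT record at _dmarc.<domain> with a DNS library."""

from typing import Dict, List, Optional

# Constructed sample records keyed by domain, standing in for DNS lookups.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=50",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "absent.example": None,
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; ...' into a lower-cased tag -> value mapping."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # ignore empty fragments and malformed pieces
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: Optional[str]) -> List[str]:
    """Return findings; an empty list means the policy is enforcing and reported on."""
    if record is None:
        return ["no DMARC record: receivers have no instruction to quarantine or reject spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1, so receivers ignore it"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: record is invalid and ignored")
    elif policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    # sp= defaults to the organisational policy when absent
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains can be spoofed although the organisational domain is enforced")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: only part of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so abuse goes unnoticed")
    return findings


def audit_domains(records: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Audit every domain in a record table and return findings per domain."""
    return {domain: audit_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, findings in audit_domains(SAMPLE_RECORDS).items():
        print(f"{domain}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run this against your own sending domains and every parked or subdomain that could plausibly appear in a From: header; a p=none record is the common case the advisory refers to, since it lets a forged message reach the inbox while the domain owner merely receives a report about it.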
UK Residents Receive Phishing Messages Following Attack
A significant cyber attack targeting Locata, a software company providing housing services for councils, has affected multiple local authorities across Greater Manchester, including Manchester, Salford, and Bolton.
The attack compromised council housing websites and resulted in thousands of residents receiving phishing emails requesting personal data under the guise of “activating tenancy options.”
While Manchester City Council reported only a limited personal data breach in the public-facing section of its website, the full extent of data exposure remains unclear, particularly for Salford Council.
Locata has apologised for the disruption and is investigating the incident. In response, affected councils are advising residents to follow guidance from the UK National Cyber Security Centre, monitor bank accounts for suspicious activity, report any financial losses to Action Fraud, change passwords for accounts sharing the same credentials as their housing account, and consider obtaining a free credit report.
If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch by filling out the form below 👇.