This Week in Cybersecurity: Looking Back at Week 37

September 12, 2024 Reading Time: 8 minutes

Cyber Attack Hits German Air Traffic Control Agency

The German air traffic control agency, Deutsche Flugsicherung (DFS), has confirmed a recent cyber attack that disrupted its office communications, though air traffic operations remained unaffected.

The attack, suspected to be the work of the notorious hacker group APT28 (Fancy Bear), targeted the company’s IT infrastructure. APT28, closely linked to Russia’s military intelligence service GRU, has a long history of cyber attacks on critical infrastructure, government agencies, and political organisations across Europe and North America.

DFS has begun implementing defensive measures, though the full extent of the breach remains unclear, and it is not yet known if any sensitive data was compromised.

Germany’s Federal Office for the Protection of the Constitution (BfV) has been notified and is investigating the incident.

Microsoft September 2024 Patch Tuesday Fixes 79 Security Flaws, Including Two Actively Exploited Zero-Days

Microsoft has released its September 2024 Patch Tuesday updates, addressing 79 security vulnerabilities across its Windows operating systems and related software.

Several of these flaws are already being exploited in the wild, including two zero-day vulnerabilities. One of the most critical bugs, CVE-2024-43491, caused certain Windows 10 systems to remain unpatched for months due to a rollback of fixes affecting optional components on devices produced in 2015. Users need to install both the September 2024 Servicing Stack Update and the September 2024 security update to resolve this issue.

Among the actively exploited vulnerabilities is CVE-2024-38226, affecting Microsoft Publisher, and CVE-2024-38217, both of which bypass Windows’ “Mark of the Web” feature. Attackers could exploit these flaws by tricking users into opening malicious Office files.

Another notable vulnerability is CVE-2024-38014, an elevation of privilege flaw in Windows Installer, which is also under active exploitation.

As always, it’s recommended that users and system administrators prioritise applying these critical updates to safeguard their systems. Alongside Microsoft’s patches, Adobe has also rolled out security updates for its range of products, including Reader, Acrobat, and Photoshop.

Ivanti Patches Critical Remote Code Execution Flaw in Endpoint Management Software (EPM)

Ivanti has released crucial security updates to address a critical vulnerability, CVE-2024-29847, in its Endpoint Management (EPM) software. This flaw, a deserialisation of untrusted data issue in the agent portal, allows attackers to execute remote code on the core server. The fix ships in Ivanti EPM 2022 SU6 and in the September 2024 update; earlier versions are affected.

In addition to this maximum-severity flaw, Ivanti also patched several SQL injection vulnerabilities (CVE-2024-32840, CVE-2024-32842, and others) that could allow attackers with admin privileges to execute arbitrary code on the core server.

Ivanti reports no known exploitation of these vulnerabilities in the wild, but urges users to update their systems immediately to protect against potential threats.

SonicWall SonicOS Firewall Bug Exploited in Ransomware Attacks

A newly discovered vulnerability in SonicWall SonicOS firewalls, tracked as CVE-2024-40766, is now being actively exploited in ransomware attacks.

SonicWall has identified and patched this improper access control flaw, which affects Gen 5, Gen 6, and Gen 7 firewalls, including their SSLVPN feature.

Although the flaw had not yet been assigned a severity score, the company urged immediate patching to mitigate the risk.

Security researchers from Arctic Wolf and Rapid7 confirm that Akira ransomware affiliates are leveraging this bug to breach networks. Akira, active since March 2023, has targeted diverse industries, exploiting instances with MFA disabled on high-value accounts.

The vulnerability is now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalogue, imposing a September 30 deadline for federal agencies to apply patches or discontinue use. Organisations unable to patch immediately should restrict firewall management and SSLVPN access to trusted sources and enable multi-factor authentication for all SSLVPN users to enhance security.

Researchers Discover SQL Injection Flaw That Could Bypass Airport Security

Security researchers identified a critical vulnerability in FlyCASS, a web-based cockpit access security system used by airlines to verify crew members’ jumpseat eligibility. This vulnerability, an SQL injection flaw, allows attackers to bypass airport security checks and gain unauthorised access to restricted areas, including cockpits.

By exploiting the flaw, adversaries could inject malicious SQL queries into the system, adding fake users to the Known Crewmember (KCM) and Cockpit Access Security System (CASS) databases, enabling them to bypass standard airport security screening.

The researchers disclosed the vulnerability to the Department of Homeland Security (DHS), leading to a temporary disabling of FlyCASS until the issue was addressed. While the TSA acknowledged the report, they downplayed the risk, stating that no government data was compromised and that multiple identity verification measures are in place for crew access.
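The injection described above is the textbook case of untrusted input spliced into a query string. The following Python example is added here for illustration; it is not FlyCASS code and nothing about the real system's schema is known. It builds a constructed, in-memory "crew roster" (table and column names are assumptions) and shows an eligibility lookup written the vulnerable way beside the parameterised version, so the same crafted input passes one check and is rejected by the other.

```python
import sqlite3

# Constructed sample data standing in for a KCM/CASS-style eligibility
# database. Table name, columns and employee IDs are assumptions.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crew (employee_id TEXT, airline TEXT, jumpseat_ok INTEGER)"
    )
    conn.executemany(
        "INSERT INTO crew VALUES (?, ?, ?)",
        [("E1001", "ExampleAir", 1), ("E1002", "ExampleAir", 0)],
    )
    return conn


def is_eligible_vulnerable(conn: sqlite3.Connection, employee_id: str) -> bool:
    # Defect: the caller's input becomes part of the SQL text, so the
    # attacker controls the query's structure, not just a value.
    sql = (
        "SELECT COUNT(*) FROM crew "
        f"WHERE employee_id = '{employee_id}' AND jumpseat_ok = 1"
    )
    return conn.execute(sql).fetchone()[0] > 0


def is_eligible_hardened(conn: sqlite3.Connection, employee_id: str) -> bool:
    # Fix: a parameterised query. The value travels separately from the
    # statement, so quotes or keywords in the input cannot alter the query.
    sql = "SELECT COUNT(*) FROM crew WHERE employee_id = ? AND jumpseat_ok = 1"
    return conn.execute(sql, (employee_id,)).fetchone()[0] > 0


def is_eligible_defence_in_depth(conn: sqlite3.Connection, employee_id: str) -> bool:
    # Second layer: reject anything that does not look like an ID before it
    # reaches the database. The ID format here is a constructed assumption.
    if not employee_id.isalnum() or len(employee_id) > 16:
        return False
    return is_eligible_hardened(conn, employee_id)


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # classic tautology; breaks out of the quoted literal
    print("vulnerable:", is_eligible_vulnerable(db, crafted))   # True
    print("hardened:  ", is_eligible_hardened(db, crafted))     # False
    print("validated: ", is_eligible_defence_in_depth(db, crafted))  # False
```

In the vulnerable path the crafted input turns the WHERE clause into `employee_id = 'x' OR '1'='1' AND jumpseat_ok = 1`, which matches any eligible row; the parameterised path compares the whole string as a literal and finds nothing. Input validation on its own is not a fix, but it shrinks what can ever reach the query.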

DPC Launches Inquiry into Google’s Compliance with GDPR for AI Development

The Data Protection Commission (DPC) has initiated a Cross-Border statutory inquiry into Google Ireland Limited under Section 110 of the Data Protection Act 2018.

This inquiry is focused on whether Google adhered to the requirements of Article 35 of the General Data Protection Regulation (GDPR) by conducting a Data Protection Impact Assessment (DPIA) before processing the personal data of EU/EEA data subjects in developing its AI model, Pathways Language Model 2 (PaLM 2).

This inquiry is part of the DPC’s broader efforts, in collaboration with EU/EEA regulators, to oversee AI data processing practices and safeguard data subject rights.

NoName Ransomware Gang Shifts Tactics and Tools, Now Tied to RansomHub Operations

The NoName ransomware gang, known for targeting small and medium-sized businesses globally, appears to be evolving its tactics and tools.

For over three years, the gang has used custom malware from the Spacecolon family to infiltrate networks via brute force and vulnerabilities like EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1472). Recently, NoName has begun deploying ScRansom ransomware, a successor to Scarab, and has experimented with the leaked LockBit 3.0 ransomware builder, creating a similar data leak site and ransom notes.

The gang’s recent tactics include exploiting vulnerabilities such as CVE-2023-27532 in Veeam Backup and CVE-2021-42278 and CVE-2021-42287 for privilege escalation. Pure7 also notes NoName’s use of CVE-2017-0290 to disable Windows Defender. The group’s continued evolution suggests they are increasingly aligned with RansomHub operations, reflecting a broader shift in ransomware tactics and tools.

RansomHub Ransomware Gang Uses TDSSKiller to Disable EDR Systems

Researchers from Malwarebytes ThreatDown Managed Detection and Response (MDR) have observed the RansomHub ransomware group using Kaspersky’s legitimate TDSSKiller tool to disable endpoint detection and response (EDR) systems.

This marks the first recorded instance of RansomHub employing TDSSKiller, with the -dcsvc flag used to target specific security services, such as Malwarebytes Anti-Malware Service (MBAMService). Alongside this, the group also used the LaZagne tool for credential harvesting, generating logs of extracted credentials before erasing traces.

RansomHub is believed to be a rebrand of the Knight ransomware, employing a double extortion model. By leveraging legitimate tools like TDSSKiller, threat actors evade traditional security measures, making it critical for organisations to implement monitoring and controls to prevent such attacks.
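The monitoring the paragraph calls for comes down to watching for the legitimate tool used in an abnormal way. The Python below is an added example, not code from Malwarebytes or any EDR vendor: it runs a few constructed process-creation events (the key=value layout is an assumption; a real deployment would read Sysmon event 1 or the EDR's own export) through two rules drawn from the report, TDSSKiller launched with the -dcsvc flag and LaZagne execution, and raises the severity when both land on the same host.

```python
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. Hosts, users, paths and
# timestamps are made up for the example.
SAMPLE_EVENTS = [
    'ts=2024-09-10T02:14:07Z host=WS01 user=CORP\\jdoe '
    'image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe C:\\notes.txt"',
    'ts=2024-09-10T02:15:33Z host=WS01 user=CORP\\jdoe '
    'image=C:\\Temp\\tdsskiller.exe cmd="tdsskiller.exe -dcsvc MBAMService"',
    'ts=2024-09-10T02:16:02Z host=WS01 user=CORP\\jdoe '
    'image=C:\\Temp\\LaZagne.exe cmd="LaZagne.exe all"',
    'ts=2024-09-10T03:01:11Z host=SRV02 user=CORP\\admin '
    'image=C:\\Tools\\tdsskiller.exe cmd="tdsskiller.exe -l report.txt"',
]

# key=value pairs; a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one constructed event line into a dict of its fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(ev: dict) -> list:
    """Apply per-event rules; returns (severity, tag, reason) tuples."""
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    args = ev.get("cmd", "").lower().split()
    findings = []
    if image == "tdsskiller.exe":
        if "-dcsvc" in args:
            # The report's tell: the rootkit cleaner pointed at a named security service.
            findings.append(("high", "tdsskiller_dcsvc",
                             "TDSSKiller run with -dcsvc against a security service"))
        else:
            # The tool itself is legitimate; flag for review rather than alert.
            findings.append(("medium", "tdsskiller",
                             "TDSSKiller executed; confirm an administrator intended this"))
    if image == "lazagne.exe":
        findings.append(("high", "lazagne", "LaZagne executed: credential harvesting tool"))
    return findings


def detect(lines) -> list:
    """Run all rules over the event lines and correlate per host."""
    alerts = []
    tags_by_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for severity, tag, reason in classify(ev):
            alerts.append({"severity": severity, "host": ev.get("host"),
                           "ts": ev.get("ts"), "reason": reason})
            tags_by_host[ev.get("host")].add(tag)
    # Correlation: EDR tampering followed by credential harvesting on one host
    # is the chain the report describes, so it outranks either event alone.
    for host, tags in tags_by_host.items():
        if {"tdsskiller_dcsvc", "lazagne"} <= tags:
            alerts.append({"severity": "critical", "host": host, "ts": None,
                           "reason": "security service removal and credential harvesting on the same host"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:<8}] {a['host']}: {a['reason']}")
```

Against the constructed events this yields two high alerts and one critical alert for WS01, plus a medium review item for the administrator's plain TDSSKiller scan on SRV02. Keying the correlation on the host rather than on the user keeps it useful when the operator switches accounts between steps.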

Progress Software Releases Critical Security Update for LoadMaster and Multi-Tenant Hypervisor Flaw

Progress Software has released critical security updates to fix a maximum-severity vulnerability in its LoadMaster and Multi-Tenant Hypervisor products, tracked as CVE-2024-7591, with a CVSS score of 10.0.

This vulnerability, caused by improper input validation, could allow unauthenticated remote attackers to execute arbitrary operating system commands via crafted HTTP requests to the management interface.

The flaw affects LoadMaster versions 7.2.60.0 and prior, and Multi-Tenant Hypervisor versions 7.1.35.11 and earlier. Although no evidence of exploitation has been found, Progress urges all users to install the latest updates immediately by downloading an add-on package.

A New Side-Channel Attack That Exploits LCD Screens to Exfiltrate Data from Air-Gapped Systems

Researchers have discovered a new side-channel attack dubbed PIXHELL, capable of targeting air-gapped computers by exploiting noise generated by pixels on an LCD screen to exfiltrate sensitive data.

Dr. Mordechai Guri of Ben Gurion University explains that malware on compromised air-gapped systems can generate pixel patterns that emit acoustic signals within the 0-22 kHz range, breaching the “audio gap.”

This attack leverages the phenomenon of coil whine, where electricity passing through an LCD’s internal components, such as inductors and capacitors, produces high-pitched noises. By manipulating pixel patterns, malware can control the frequency of the emitted acoustic signals to encode and transmit data to nearby devices, such as Windows or Android systems, without the need for specialised audio hardware.

PIXHELL is visible on the LCD screen, displaying alternating black-and-white rows, and is a sophisticated method of covert data exfiltration that bypasses traditional air-gapping defences.

Zyxel Releases Critical Security Fixes for Routers and Firewalls

Zyxel has rolled out several security updates for vulnerabilities impacting its routers and firewalls, with the most critical flaw identified as CVE-2024-7261. This OS command injection vulnerability affects various Zyxel routers, allowing unauthenticated attackers to execute commands by sending crafted cookies.

Affected devices include the NWA1123ACv3, WAC500, WAX655E, and USG LITE 60AX, and users are urged to update to the latest firmware to address the issue.

In addition, Zyxel patched a buffer overflow flaw (CVE-2024-5412) and seven other vulnerabilities affecting firewall devices, including command injection, denial-of-service, and cross-site scripting vulnerabilities. Users should apply the latest updates to protect their systems from potential exploits.

If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch by filling out the form below 👇.
