
This Week in Cybersecurity: Looking Back at Week 38

September 20, 2024

Hezbollah Pager Explosions Highlight Supply Chain Security Concerns

A coordinated attack in Lebanon resulted in the explosion of pagers used by Hezbollah fighters, killing at least eight people, including a child, and injuring over 2,800. The detonations, which occurred simultaneously across the country, are being described as the “biggest security breach” in nearly a year of conflict with Israel.

Security experts believe the explosions were part of a supply chain attack, where threat actors tampered with the hardware of the pagers before they were distributed.

The incident raises serious questions about supply chain security, as the pagers were newly introduced models that Hezbollah had acquired in recent months. While the exact cause remains unclear, experts have ruled out typical battery malfunctions, pointing instead to deliberate sabotage.

This attack underscores the vulnerabilities in supply chains, particularly for critical communications hardware, and highlights the risks of hardware manipulation in warfare.


Authorities Dismantle International Mobile Phone Phishing Network

Europol has aided European and Latin American authorities in taking down an international criminal network that targeted 483,000 victims worldwide through a phishing platform.

The network specialised in unlocking stolen or lost mobile phones, primarily affecting Spanish-speaking individuals across Europe, North America, and South America.

During an operation from September 10th to 17th, 17 individuals were arrested, and 921 items were seized, including phones, electronic devices, and weapons. The network’s leader, an Argentinian national, had been running a phishing-as-a-service platform since 2018, which facilitated the unlocking of over 1.2 million stolen phones.

Europol coordinated this multinational operation, which started in 2022 and involved law enforcement from Spain, Argentina, and several other Latin American nations.


Critical Vulnerabilities in OpenShift Container Platform 4 Raise Urgent Security Concerns

Red Hat has disclosed two critical vulnerabilities in OpenShift Container Platform 4, identified as CVE-2024-45496 and CVE-2024-7387, both requiring immediate attention.

CVE-2024-45496, with a CVSS score of 9.9, involves privilege misuse during the build process, allowing attackers to execute arbitrary commands on a worker node by exploiting the git-clone container’s elevated privileges.

CVE-2024-7387, rated 9.1, allows command injection through path traversal in the openshift/builder container, leading to potential permission escalation on the node.

Both vulnerabilities pose serious risks to affected organisations, and immediate updates are recommended. Red Hat has provided mitigation steps and additional resources to address these flaws.


Malicious Campaign Abuses GitHub Repositories to Spread Malware

A new phishing campaign is exploiting GitHub repositories to distribute malware by targeting users who follow or contribute to open-source projects.

The attackers post fake “issues” on project repositories, falsely claiming security vulnerabilities and urging users to visit a fraudulent website, “github-scanner[.]com.” The site, not associated with GitHub, tricks visitors into downloading Windows malware. Users receive convincing email alerts from legitimate GitHub servers, making the campaign appear credible.

The malicious site prompts users to run a Windows command that downloads a trojan, identified as ‘l6E.exe’, which has anti-detection and persistence capabilities. Users are advised to avoid clicking on suspicious links or attachments and to report such fake issues to GitHub.
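As an added example (not from the article, GitHub or Secora Consulting), a small Python check that flags links in an issue body whose host trades on the GitHub brand without being a GitHub-owned host, such as the github-scanner[.]com domain named above; the sample issue text and the trusted-host list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample issue comment in the style of the campaign described above.
# The lookalike domain is the one named in the article; the wording is made up.
SAMPLE_ISSUE_BODY = """Security Vulnerability detected in your repository!
Please run a scan at https://github-scanner.com/scan?repo=example before merging.
Reference: https://github.com/advisories and https://docs.github.com/en/code-security
"""

# Assumption: registrable domains GitHub itself serves content from. Extend as needed.
TRUSTED_GITHUB_DOMAINS = ("github.com", "github.io", "githubusercontent.com", "github.blog")

# Matches a URL up to the first whitespace or common delimiter character.
URL_RE = re.compile(r"https?://[^\s<>'\"\)\]]+")


def extract_hosts(text):
    """Return (url, lowercase host) pairs for every URL found in the text."""
    results = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        results.append((url, host))
    return results


def is_github_lookalike(host):
    """True if the host name contains 'github' but is not under a GitHub-owned domain."""
    for domain in TRUSTED_GITHUB_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return False
    # Only the registrable part matters: a brand word in a subdomain of an
    # unrelated site (e.g. github.mirror.example.com) is caught too.
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    return "github" in registrable or any("github" in label for label in labels[:-2])


def flag_suspicious_links(issue_body):
    """Return the URLs in an issue body whose host is a GitHub lookalike."""
    return [url for url, host in extract_hosts(issue_body) if is_github_lookalike(host)]
```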


Doctor Web Disconnects Servers Following Cyberattack

Russian anti-virus company Doctor Web (Dr.Web) disconnected all its servers after detecting a cyberattack on September 14th.

The firm identified signs of unauthorised access to its IT infrastructure but assured that the attack did not impact any customers. In response, Dr.Web followed its incident response protocol, disconnecting resources and temporarily suspending the release of its virus databases. A specialised diagnostic service, Dr.Web FixIt!, was deployed to assess the situation and mitigate any potential damage. On September 17th, the company resumed virus database updates.

Dr.Web has not provided further technical details or attributed the attack to any specific threat actor.


Fortinet Faces Security Breach: 440GB of Data Exposed from Cloud Storage

Fortinet has confirmed a recent security incident involving unauthorised access to a limited number of files stored in a third-party cloud drive. The breach exposed 440 GB of data, though Fortinet claims it affected less than 0.3% of its customers. The company asserts there has been no malicious activity or impact on its products, operations, or services.

A threat actor calling themselves “Fortibitch” claimed to have stolen the data from Fortinet’s Azure SharePoint instance and shared credentials to an S3 bucket holding it. Fortinet refused to pay the ransom demanded in the accompanying extortion attempt and has implemented measures to protect customers.


Broadcom Patches Critical Vulnerabilities in VMware vCenter Server

Broadcom has released security updates to address a critical vulnerability, CVE-2024-38812 (CVSS score: 9.8), in VMware vCenter Server, which could lead to remote code execution.

This heap-overflow vulnerability is found in the implementation of the DCERPC protocol, allowing malicious actors with network access to exploit the system by sending specially crafted network packets. Additionally, a privilege escalation flaw, CVE-2024-38813, was patched, which could allow attackers to escalate privileges to root. Both vulnerabilities were discovered by team TZL during the 2024 Matrix Cup contest.

Broadcom has not reported any active exploitation in the wild, and updates are available in vCenter Server versions 8.0 U3b, 7.0 U3s, and VMware Cloud Foundation versions 4.x and 5.x.


ServiceNow Knowledge Bases Expose Sensitive Corporate Data Despite Security Enhancements

Over 1,000 instances of ServiceNow enterprise knowledge bases (KBs) were found to be leaking sensitive corporate data, despite security improvements introduced last year.

According to SaaS security firm AppOmni, nearly 45% of ServiceNow KB instances exposed data such as personally identifiable information (PII), system details, and active credentials.

The exposure was attributed to outdated configurations and misconfigured access controls, likely stemming from a misunderstanding of the access settings or from poor settings being replicated across multiple instances.

While ServiceNow enhanced its platform security in 2022 with better access control lists (ACLs) and security features, the exposure of sensitive KB data remained a significant issue.


WhatsApp ‘View Once’ Vulnerability Exposes Users’ Media to Persistent Access

Researchers at Zengo have discovered a serious vulnerability in WhatsApp’s ‘View Once’ feature, which is meant to protect media like photos, videos, and audio messages by allowing recipients to view them only once before they disappear.

The flaw allows attackers to bypass this privacy measure and gain persistent access to the shared media. By modifying the message settings on WhatsApp’s servers, adversaries can change the “viewOnce: true” flag to “false,” enabling them to view and download the media repeatedly. Researchers also found that WhatsApp servers retain ‘View Once’ media for two weeks, further weakening its security.

Although the flaw was responsibly disclosed to Meta, the issue has not yet been fully patched. Meta has acknowledged the vulnerability and is reportedly working on a fix, advising users to only share sensitive media with trusted contacts.


17-Year-Old Arrested in Connection to TfL Cyberattack, Customer Data Compromised

The UK National Crime Agency (NCA) has arrested a 17-year-old in connection with the recent cyberattack on Transport for London (TfL) that has caused significant disruptions since September 1st.

TfL has now confirmed that attackers accessed customer data, including names, contact information, and refund details for about 5,000 Oyster card holders. The attack led to ongoing outages affecting live Tube information, contactless payment systems, and online services.

Although the NCA is continuing its investigation, this breach has forced TfL to delay its planned expansion of contactless payments and conduct IT identity checks across its staff.


D-Link Discloses Critical Vulnerabilities in Wireless Routers

D-Link has disclosed several critical vulnerabilities affecting specific models of its wireless routers, including the DIR-X5460, DIR-X4860, and COVR-X1870.

These vulnerabilities, identified by TWCERT and tracked under CVE-2024-45694 through CVE-2024-45698, pose significant risks to user privacy and network security, with CVSS scores as high as 9.8.

The flaws involve stack-based buffer overflows and improper privilege management, potentially allowing unauthenticated remote attackers to execute arbitrary code or gain unauthorised access via hard-coded credentials. D-Link urges all users to promptly apply firmware updates to mitigate these risks.


If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch by filling out the form below 👇.
