This Week in Cybersecurity: Looking Back at Week 40

October 4, 2024

Critical Vulnerabilities Found in DrayTek Routers

Forescout Research’s Vedere Labs has uncovered 14 critical vulnerabilities in DrayTek routers, affecting both residential and enterprise models. Among the most severe, one vulnerability received a maximum CVSS score of 10, while another scored 9.1.

These flaws could allow attackers to achieve remote code execution (RCE), denial of service (DoS) and cross-site scripting (XSS) on affected routers.

With over 700,000 exposed DrayTek routers globally, including many with public-facing web interfaces, this poses a significant risk to enterprise networks.

DrayTek has released patches to mitigate these vulnerabilities, urging immediate updates to ensure device security.

Urgent Chrome Update Addresses Three High-Severity Vulnerabilities in Latest Patch

Google has released a critical security update for its Chrome web browser (version 129.0.6668.89/.90 for Windows and Mac, 129.0.6668.89 for Linux, and 129.0.6668.81 for Android), marking the third urgent patch in just three weeks.

This update addresses three high-severity vulnerabilities:

  • CVE-2024-7025 - an integer overflow in the Layout function,
  • CVE-2024-9369 - insufficient data validation in Mojo,
  • CVE-2024-9370 - an inappropriate implementation in the V8 JavaScript engine.

With Chrome’s 3.5 billion users making it a prime target for attackers, users are urged to manually update their browsers and restart them to ensure full protection.

‘FakeUpdate’ Campaign Spreads WarmCookie Backdoor via Fake Browser Updates in France

A new cyberattack campaign, known as ‘FakeUpdate,’ is targeting users in France by distributing the WarmCookie backdoor through fake browser and software update prompts.

Conducted by the threat group ‘SocGholish,’ the attack leverages compromised websites to display seemingly legitimate update notifications for browsers such as Google Chrome, Firefox and Edge, and even for Java. When users download the fake updates, they unwittingly install the WarmCookie malware, which can steal data, profile devices, execute commands and deliver further malicious payloads.

Researchers at Gen Threat Labs discovered this latest iteration of WarmCookie with enhanced features, such as DLL execution and PowerShell transfer capabilities.

Users are warned to avoid manually downloading updates, as modern browsers update automatically, and fake update prompts should be treated with caution.

Kia Patches Critical Vulnerability in Dealer Portal Exposing Millions of Cars to Remote Attacks

Kia recently resolved a severe security vulnerability within its dealer portal that could have allowed attackers to access personal information and take control of vehicles remotely.

Discovered by security researcher Sam Curry, the flaw enabled malicious actors to target any Kia vehicle using just a license plate number. Through the Kia dealer portal, attackers could unlock cars, start/stop vehicles, and even add themselves as secondary owners without the victim’s knowledge. This issue affected Kia vehicles regardless of an active Kia Connect subscription, significantly increasing the threat scope.

The vulnerability, impacting Kia’s “kiaconnect.kdealer.com” domain, was reported in June 2024, and Kia patched the flaw in August 2024 after working with the researchers to validate the fix.

Global Law Enforcement Cracks Down on LockBit Ransomware Group

In a major international operation, law enforcement authorities from 12 countries arrested four individuals linked to the notorious LockBit ransomware gang, including a developer, a bulletproof hosting service administrator, and two others involved in LockBit activities.

The crackdown, part of Operation Cronos led by the UK National Crime Agency (NCA), has also led to the seizure of LockBit infrastructure servers.

This global investigation, which began in April 2022, aims to dismantle the ransomware group’s operations. Among the key arrests is a suspected LockBit developer apprehended in August 2024, along with two individuals connected to LockBit and money laundering, and a bulletproof hosting administrator arrested at Madrid airport.

The LockBit gang has been linked to over 7,000 attacks, extorting up to $1 billion from victims worldwide. The operation builds on previous arrests and sanctions against LockBit members and affiliates, including the seizure of 34 servers and decryption keys earlier this year.

Octo2 Android Malware Mimics NordVPN and Google Chrome to Target European Users

A new variant of the Octo Android malware, dubbed Octo2, is actively targeting Android users by mimicking popular apps such as NordVPN and Google Chrome.

According to ThreatFabric’s analysis, Octo2 is an advanced version of the Octo malware family, which has evolved since its discovery in 2019 as ExoBotCompact. The malware has enhanced capabilities, including improved Remote Access Trojan (RAT) stability, anti-analysis defences, and a Domain Generation Algorithm (DGA) for rapidly generating new command-and-control domains.

Octo2 has been found targeting users in European countries such as Italy, Hungary, and Poland, but researchers warn that its reach may expand.

To avoid falling victim, users are urged to download apps only from official sources, such as the Google Play Store or vendor websites, to prevent malware infections.

Sellafield Nuclear Site Fined €395,290 for Cybersecurity Failings

Sellafield Ltd, operator of one of Europe’s largest nuclear facilities, has been fined €395,290 (£332,500) by the Office for Nuclear Regulation (ONR) for persistent cybersecurity shortfalls between 2019 and 2023.

The breaches left the site’s IT systems vulnerable to unauthorised access and potential data loss. Although no evidence of exploitation was found, the ONR warned that the vulnerabilities could have resulted in operational disruptions and delayed decommissioning.

Despite prior warnings, Sellafield Ltd failed to address the risks effectively, though the company has since made significant improvements to its cybersecurity measures and pleaded guilty to the charges.

Meta Fined €91M by Irish Data Protection Commission Over Password Storage Breaches

Meta, the parent company of Facebook, Instagram, and WhatsApp, has been fined €91 million by the Irish Data Protection Commission (DPC) for improperly storing user passwords in plaintext, a violation of GDPR regulations.

The investigation, initiated in 2019, revealed that Meta had failed to implement appropriate security measures to protect passwords, leading to four breaches of GDPR. Although Meta stated that the stored passwords were not abused or accessed improperly, the fine underscores the importance of securing sensitive user data, especially given the potential risks of unauthorised access to social media accounts.

Meta has since corrected the issue and cooperated with the DPC throughout the investigation.

macOS Sequoia Update Causes VPN and EDR Connection Issues

Apple Mac users running the latest macOS Sequoia 15 release have reported widespread connection issues with networking tools, including Endpoint Detection and Response (EDR) systems like CrowdStrike Falcon and ESET, as well as VPNs like MullvadVPN.

These issues, which result in SSL failures and problems using network commands like ‘wget’ and ‘curl’, appear to stem from a firewall regression in macOS Sequoia.

The problem has been linked to changes in how the OS handles firewall settings, affecting compatibility.

Users are advised to delay upgrading to macOS 15 until a fix is available, while ESET has offered workaround solutions, including updating to compatible software versions and adjusting network filters.

Google’s AI Model PaLM 2 Faces GDPR Scrutiny Over Data Privacy Concerns

Google’s PaLM 2 AI model is under investigation by the Irish Data Protection Commission (DPC) for potential violations of the General Data Protection Regulation (GDPR).

The inquiry focuses on Google’s cross-border transfer of personal data and whether the company performed the necessary Data Protection Impact Assessment (DPIA), as required under Article 35 of GDPR for technologies posing a high risk to individual rights.

PaLM 2 powers Google’s language and research AI products and processes EU user data, raising concerns about privacy safeguards.

This scrutiny follows Google’s recent legal battles in the EU and reflects broader regulatory action against AI technologies, as seen with Elon Musk’s X and Meta, which have also limited their AI training in the region over similar concerns. Google has expressed willingness to cooperate with regulators.

Jenkins Credentials Plugin Vulnerability Exposes Encrypted SecretBytes via REST API and CLI

A security vulnerability in Jenkins Credentials Plugin versions 1380.va_435002fa_924 and earlier (except 1371.1373.v4eb_fa_b_7161e9) allows attackers with Item/Extended Read permission to read unredacted encrypted SecretBytes values, such as Certificate and Secret file credentials, from an item’s config.xml when it is retrieved via the REST API or the CLI.

This issue mirrors a previous vulnerability from 2016 (SECURITY-266) and has been addressed in Credentials Plugin version 1381.v2c3a_12074da_b_, but the fix is effective only for Jenkins 2.479 and newer.

Older versions of Jenkins (2.463–2.478) remain vulnerable, even with the updated plugin installed.

Active Exploits Targeting Zimbra Collaboration CVE-2024-45519 Vulnerability

Cybersecurity researchers have identified active exploitation attempts targeting a critical flaw (CVE-2024-45519) in Synacor’s Zimbra Collaboration software.

The vulnerability, located in the postjournal service, allows unauthenticated attackers to execute arbitrary commands on affected installations.

Proofpoint observed attacks starting on September 28, 2024, involving spoofed Gmail emails that exploit the flaw using Base64-encoded commands.

Zimbra has addressed this issue in patches released on September 4, 2024, for versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1.

Users are strongly advised to apply the patch or temporarily disable the postjournal binary to mitigate risks.

Critical Ivanti Endpoint Manager Flaw Added to CISA’s Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Ivanti’s Endpoint Manager (EPM), tracked as CVE-2024-29824, to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation.

The flaw, with a CVSS score of 9.6, is an SQL injection vulnerability in EPM 2022 SU5 and prior versions, enabling attackers on the same network to execute arbitrary code. A proof-of-concept was released by Horizon3.ai in June 2024, highlighting the flaw’s potential for remote code execution via xp_cmdshell.

Ivanti confirmed that a limited number of customers have been targeted, and federal agencies are required to update their systems by October 23, 2024, to mitigate the risk.

If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch.
