Microsoft discloses Office zero-day, still working on a patch

From bleepingcomputer.com

Microsoft has disclosed a high-severity zero-day vulnerability affecting Office 2016 and later, which is still waiting for a patch.

Tracked as CVE-2024-38200, this security flaw is caused by an information disclosure weakness that enables unauthorized actors to access protected information such as system status or configuration data, personal info, or connection metadata.

The zero-day impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

Even though Microsoft’s exploitability assessment says that exploitation of CVE-2024-38200 is less likely, MITRE has tagged the likelihood of exploitation for this type of weakness as highly probable.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft’s advisory explains.

“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”

The company is developing security updates to address this zero-day bug but has yet to announce a release date.

Read more…

Critical 1Password flaws may allow hackers to snatch your passwords (CVE-2024-42219, CVE-2024-42218)

From helpnetsecurity.com

Two vulnerabilities (CVE-2024-42219, CVE-2024-42218) affecting the macOS version of the popular 1Password password manager could allow malware to steal secrets stored in the software’s vaults and obtain the account unlock key, AgileBits has confirmed.

Discovered by the Robinhood Red Team during a security assessment of 1Password for Mac and then privately reported to the software’s makers, the vulnerabilities have been fixed in two consecutive versions of the software: v8.10.36 (released on July 9) and v8.10.38 (released on August 6).

AgileBits says that they have received no reports that these issues were discovered or exploited by anyone else.

Read more…

USPS Text Scammers Duped His Wife, So He Hacked Their Operation

From wired.com

The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered.

Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she’d inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers.

Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people’s cards to be protected from fraudulent activity.

Read more…

0.0.0.0 Zero-Day: An 18-Year-Old Browser Exploit Lets Hackers Attack Mac, Linux Computers

From linkedin.com

Israeli cybersecurity company Oligo has uncovered an 18-year-old vulnerability, dubbed “0.0.0.0 Day,” a critical flaw that allows malicious websites to bypass browser security measures in Google Chrome, Mozilla Firefox, and Apple Safari and interact with services on a local network. The flaw enables unauthorized access to, and remote code execution on, local services by attackers from outside the network.

Notably, this vulnerability only affects Linux and macOS devices, leaving Windows users unaffected.

The root of this issue lies in the inconsistent implementation of security mechanisms across various browsers, compounded by a lack of industry-wide standardization. Consequently, the seemingly innocuous IP address 0.0.0.0 can be exploited by attackers to target local services, which may include those used for development, operating systems, and internal networks.

The impact of the 0.0.0.0 Day vulnerability is widespread, affecting both individuals and organizations. The discovery of active exploitation campaigns, such as ShadowRay, highlights the urgency of addressing this vulnerability.
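Because a browser on Linux or macOS will happily send a request to http://0.0.0.0:PORT, a local service cannot rely on the browser to keep web pages away from it; the request itself has to be checked. The following is an added example, not code from Oligo or the article: a minimal local HTTP service (the handler class, the allowlist and the `is_request_allowed` helper are all assumptions of this example) that rejects requests addressed to 0.0.0.0 or any other unexpected Host and rejects cross-site requests flagged by the browser's own fetch metadata.

```python
"""Host/Origin validation for a service that should only be reached from localhost."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Host names under which the service legitimately expects to be addressed (assumption).
# 0.0.0.0 is deliberately absent: a request carrying it came via the 0.0.0.0 path.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

def host_without_port(host_header: str) -> str:
    """Strip the :port suffix; keep the brackets of IPv6 literals like [::1]:8000."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # IPv6 literal
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host

def is_request_allowed(headers: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one request's headers (keys are case-insensitive).

    Two independent checks, both of which a request from a malicious web page
    to 0.0.0.0 fails: the Host must be one we expect, and the browser-supplied
    Sec-Fetch-Site / Origin must not mark the request as coming from another site.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = host_without_port(h.get("host", ""))
    if host not in ALLOWED_HOSTS:
        return False, f"unexpected Host {host!r}"
    if h.get("sec-fetch-site", "") == "cross-site":
        return False, "cross-site request (Sec-Fetch-Site)"
    origin = h.get("origin")
    if origin:                                    # sent on POST and all cross-origin fetches
        origin_host = host_without_port(origin.split("://", 1)[-1])
        if origin_host not in ALLOWED_HOSTS:
            return False, f"foreign Origin {origin!r}"
    return True, "ok"

class GuardedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        allowed, reason = is_request_allowed(dict(self.headers))
        if not allowed:
            self.send_error(403, reason)           # refuse before touching any state
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"hello from the local service\n")

if __name__ == "__main__":
    # Binding to loopback keeps the port off the LAN, but on Linux/macOS a same-host
    # connection to 0.0.0.0 still reaches it; the Host check above is what blocks the
    # browser path. Never bind a service like this to 0.0.0.0.
    HTTPServer(("127.0.0.1", 8000), GuardedHandler).serve_forever()
```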

Read more…

Sitting Ducks DNS attacks let hackers hijack over 35,000 domains

From bleepingcomputer.com

Threat actors have hijacked more than 35,000 registered domains in so-called Sitting Ducks attacks that allow claiming a domain without having access to the owner’s account at the DNS provider or registrar.

In a Sitting Ducks attack, cybercriminals exploit configuration shortcomings at the registrar level and insufficient ownership verification at DNS providers.

Researchers at DNS-focused security vendor Infoblox and at firmware and hardware protection company Eclypsium discovered that there are more than a million domains that can be hijacked every day via the Sitting Ducks attacks.

Read more…

CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software

From thehackernews.com

The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could be exploited to trigger a denial-of-service (DoS) condition.

“A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.

The four vulnerabilities are listed below:

  • CVE-2024-4076 (CVSS score: 7.5) – Due to a logic error, lookups that triggered serving stale data and required lookups in local authoritative zone data could have resulted in an assertion failure.
  • CVE-2024-1975 (CVSS score: 7.5) – Validating DNS messages signed using the SIG(0) protocol could cause excessive CPU load, leading to a denial-of-service condition.
  • CVE-2024-1737 (CVSS score: 7.5) – It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing.
  • CVE-2024-0760 (CVSS score: 7.5) – A malicious DNS client that sent many queries over TCP but never read the responses could cause a server to respond slowly or not at all for other clients.

Read more…

ServiceNow Exploits Used in Global Reconnaissance Campaign

From securityonline.info

Resecurity has uncovered a widespread campaign exploiting critical vulnerabilities in ServiceNow, a popular platform for digital workflows. The flaws, identified as CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, allowed unauthenticated attackers to execute code remotely and steal sensitive data.

The widespread use of ServiceNow, particularly within major corporations and government entities, has made it a prime target for threat actors. Resecurity’s investigation uncovered a rapid surge in malicious activity immediately following the public release of a proof-of-concept exploit. Attackers, armed with this knowledge, wasted no time in scanning the internet for vulnerable instances, primarily leveraging CVE-2024-4879 to execute code remotely and exfiltrate sensitive data.

Estimating the impact is challenging, but ServiceNow is an extremely popular platform for managing digital workflows in modern IT environments. According to the output of FOFA, a popular network search engine from China, approximately 300,000 ServiceNow instances could potentially be probed remotely. These instances may have different ACLs (access control lists) or other access limitations at both the network and application levels, so this figure is only an approximation.

Read more…