Check Point Security Gateway Information Disclosure Vulnerability (CVE-2024-24919)

From blog.qualys.com

Check Point Security Gateway is a secure web gateway that is an on-premises or cloud-delivered network security service. Check Point enforces network security policies, including firewall, VPN, and intrusion prevention capabilities.

Check Point published a zero-day advisory on May 28, 2024, regarding CVE-2024-24919, which carries a CVSS score of 8.6. According to the advisory, the vulnerability lets attackers access sensitive information and gain domain privileges.

The vulnerability affects several Check Point products, including CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. It has been added to CISA’s Known Exploited Vulnerabilities catalog.

Check Point said, “The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled…” 

Read more…

TotalCloud Insights: Uncovering the Hidden Dangers in Google Cloud Dataproc

From blog.qualys.com

Summary

  • The Apache Hadoop Distributed File System (HDFS) can be vulnerable to data compromise when a Compute Engine cluster is in a public-facing virtual private cloud (VPC) or shares the VPC with other Compute Engine instances.
  • Google Cloud Platform (GCP) provides a default VPC called ‘default.’ This VPC allows inbound connections from the Internet only on ports 22 and 3389, while permitting all inbound connections from within the internal subnet. This configuration poses a significant security risk when Dataproc clusters and Compute Engine instances share the default VPC subnet, since it can lead to data corruption or theft.
  • The Google Security Team labeled the attack flow as an ‘Abuse Risk.’
  • Qualys TotalCloud now notifies customers of misconfigured Dataproc clusters that are vulnerable to exploitation, offering remediation steps and code for prompt resolution.

Read more…

Sticky Werewolf Expands Cyber Attack Targets in Russia and Belarus

From thehackernews.com

Cybersecurity researchers have disclosed details of a threat actor known as Sticky Werewolf that has been linked to cyber attacks targeting entities in Russia and Belarus.

The phishing attacks were aimed at a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and the aviation sector, expanding beyond their initial focus of government organizations, Morphisec said in a report last week.

“In previous campaigns, the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io,” security researcher Arnold Osipov said. “This latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers.”

Read more…

LogSnare – Mastering IDOR And Access Control Vulnerabilities Through Hands-On Learning

From kalilinuxtutorials.com

LogSnare is an intentionally vulnerable web application in which your goal is to escalate from a basic gopher user of the LogSnare company to the prestigious acme-admin of Acme Corporation.

The application, while hosting multiple vulnerabilities, serves as a valuable educational tool.

However, the real lesson here is how to prevent and detect these attacks by applying proper validation and logging.

After logging in to the demo application, you’ll see a validation toggle in the top navbar that lets you switch security controls on and off in real time.

Read more…

Microsoft Details On Using KQL To Hunt For MFA Manipulations

From gbhackers.com

It is difficult to secure cloud accounts against threat actors who manipulate multi-factor authentication (MFA) settings.

Threat actors typically alter compromised users’ MFA attributes: bypassing the requirements, disabling MFA for other users, or enrolling rogue devices.

They do so stealthily, mirroring routine helpdesk operations, which makes the changes hard to notice amid the noise of directory audit logs.

To protect themselves against this insidious cloud attack vector, organizations need to strengthen monitoring and controls around MFA configuration changes.

Cybersecurity researchers at Microsoft recently detailed how to use KQL (Kusto Query Language) to hunt for MFA manipulation.

Read more…

Ukraine says hackers abuse SyncThing tool to steal data

From bleepingcomputer.com

The Computer Emergency Response Team of Ukraine (CERT-UA) reports on a new campaign dubbed “SickSync,” launched by the UAC-0020 (Vermin) hacking group in attacks on the Ukrainian defense forces.

The threat group is linked to the Luhansk People’s Republic (LPR) region, which Russia has occupied almost in its entirety since October 2022. The group’s activities commonly align with Russia’s interests.

The attack uses the legitimate file-syncing software SyncThing in combination with malware called SPECTR.

Vermin’s apparent motive is to steal sensitive information from military organizations.

Read more…

SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign

From thehackernews.com

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting defense forces in the country with a malware called SPECTR as part of an espionage campaign dubbed SickSync.

The agency attributed the attacks to a threat actor it tracks under the moniker UAC-0020, which is also called Vermin and is assessed to be associated with security agencies of the Luhansk People’s Republic (LPR). LPR was declared a sovereign state by Russia days prior to its military invasion of Ukraine in February 2022.

Attack chains begin with spear-phishing emails carrying a self-extracting RAR archive that bundles a decoy PDF file, a trojanized version of the SyncThing application that incorporates the SPECTR payload, and a batch script that triggers the infection by launching the executable.

Read more…