
NormCyber Threat Bulletin: 27th November 2024

CISA Adds Multiple Vulnerabilities to Its Known Exploited Vulnerabilities Catalogue

The United States Cybersecurity & Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalogue, including two zero-day vulnerabilities affecting Apple products.

  • CVE-2024-44308:
    • Apple Multiple Products Code Execution Vulnerability
  • CVE-2024-44309:
    • Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability
  • CVE-2024-21287:
    • Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability

The first vulnerability, tracked as CVE-2024-44308, affects the JavaScriptCore engine and can lead to arbitrary code execution when maliciously crafted web content is processed. It affects multiple Apple platforms, including iPhone, iPad, Mac and Safari. The vulnerability has been assigned a CVSS score of 8.8, marking it as high severity.

The second vulnerability, tracked as CVE-2024-44309, is a cookie management issue in WebKit that can lead to a cross-site scripting (XSS) attack when maliciously crafted web content is processed, again across iPhone, iPad, Mac and Safari. It has been assigned a CVSS score of 6.1, marking it as medium severity.

The third vulnerability, tracked as CVE-2024-21287, is an incorrect authorisation issue in the Oracle Agile PLM Framework (Software Development Kit and Process Extension component) that allows an unauthenticated attacker with network access via HTTP to read sensitive data from the application. The affected supported version is 9.3.6. It has been assigned a CVSS score of 7.5, marking it as high severity.

All three vulnerabilities have been confirmed as actively exploited, and fixes are available for each. Apple addressed the two WebKit issues in iOS 18.1.1, iPadOS 18.1.1, macOS Sequoia 15.1.1, Safari 18.1.1 and visionOS 2.1.1, noting that they may have been actively exploited on Intel-based Mac systems, and Oracle has published an out-of-cycle Security Alert with a patch for CVE-2024-21287. These updates should be applied now; once a CVE appears in the KEV catalogue it should be treated as a priority regardless of its CVSS score.

References:
U.S. CISA adds Apple, Oracle Agile PLM bugs to its Known Exploited Vulnerabilities catalogue (securityaffairs.com)
Known Exploited Vulnerabilities Catalogue (cisa.gov)
About the security content of iOS 18.1.1 and iPadOS 18.1.1 (support.apple.com)
Oracle Security Alerts CVE-2024-21287 (oracle.com)

WinZip Vulnerability (CVE-2024-8811): A Threat to Your System

Understanding the Threat
A high-severity vulnerability (CVSS 7.8), identified as CVE-2024-8811, has been disclosed in WinZip, a popular file compression and archiving tool for Windows. It allows an attacker who can persuade a user to open a crafted archive to bypass the Mark-of-the-Web protection and execute code in the context of that user.

How Does It Work?
The Mark-of-the-Web (MoTW) is a Windows mechanism for identifying files that came from the internet. When a browser or mail client saves a download, it attaches a Zone.Identifier alternate data stream to the file recording the URL security zone it came from (ZoneId=3 for the Internet zone). Windows SmartScreen, the "unblock" prompt and Office Protected View all key off this stream. CVE-2024-8811 is a flaw in how WinZip handles archives: it can strip this mark from a downloaded archive, so files extracted from it are treated as if they had been created locally and open without any of those warnings.
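The following is an added example, not code from the original bulletin or from WinZip: a small Python audit that reads the Zone.Identifier stream from a downloaded archive and from each file extracted from it, and reports files that lost the mark. The parsing and comparison logic is platform-independent; the stream read itself only works on NTFS under Windows (on other systems every file simply reads as unmarked). The sample stream contents and file names are constructed for illustration.

```python
"""Audit whether files extracted from a downloaded archive kept the Mark-of-the-Web.

Added example: not part of the bulletin or of WinZip. Sample data below is constructed.
"""
import os
from typing import Dict, List, Optional

# URLMON zone ids as written in Zone.Identifier: 0 local machine, 1 intranet,
# 2 trusted sites, 3 internet, 4 restricted sites.
ZONE_INTERNET = 3


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Parse the INI-style Zone.Identifier stream; returns keys from [ZoneTransfer]."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_id(stream_text: Optional[str]) -> Optional[int]:
    """ZoneId carried by a stream, or None when the file has no (parseable) mark."""
    if stream_text is None:
        return None
    try:
        return int(parse_zone_identifier(stream_text).get("ZoneId", ""))
    except ValueError:
        return None


def propagation_gaps(archive_stream: Optional[str],
                     extracted: Dict[str, Optional[str]]) -> List[str]:
    """Names of extracted files whose zone is less restrictive than the archive's.

    A missing stream on an extracted file means Windows treats it as local: no
    SmartScreen check, no unblock prompt, no Protected View. That is exactly the
    state a MoTW bypass leaves behind.
    """
    archive_zone = zone_id(archive_stream)
    if archive_zone is None or archive_zone < ZONE_INTERNET:
        return []  # archive was never marked as an internet download; nothing to propagate
    gaps = []
    for name, stream in extracted.items():
        z = zone_id(stream)
        if z is None or z < archive_zone:
            gaps.append(name)
    return gaps


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the NTFS alternate data stream (Windows only); None if absent."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit_extraction(archive_path: str, extract_dir: str) -> List[str]:
    """Walk an extraction directory and report files that lost the archive's mark."""
    extracted: Dict[str, Optional[str]] = {}
    for root, _dirs, files in os.walk(extract_dir):
        for fname in files:
            full = os.path.join(root, fname)
            extracted[os.path.relpath(full, extract_dir)] = read_zone_identifier(full)
    return propagation_gaps(read_zone_identifier(archive_path), extracted)


# Constructed sample: the stream a browser writes for a download, and an extraction
# where the archiver kept the mark on one file but dropped it on the executable.
SAMPLE_ARCHIVE_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/invoice.zip\r\n"
)
SAMPLE_EXTRACTED: Dict[str, Optional[str]] = {
    "invoice.pdf": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "setup.exe": None,  # no stream: would run with no SmartScreen or unblock prompt
}

if __name__ == "__main__":
    print("files that lost the Mark-of-the-Web:",
          propagation_gaps(SAMPLE_ARCHIVE_STREAM, SAMPLE_EXTRACTED))
```

To test an archiver on a Windows host, download (or tag with `Set-Content -Stream Zone.Identifier`) a test archive, extract it with the tool under test, then call `audit_extraction(archive, extract_dir)`; any file listed would open without a download warning.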

What are the Risks?

  • Malicious Code Execution: an attacker could craft an archive whose contents, once extracted and opened by the user, run code under that user's account with no download warning.
  • Data Theft: that code could steal sensitive information stored on the device.
  • System Compromise: in severe cases, attackers could gain full control over the system.

Protecting Yourself

  1. Update WinZip: install the latest version of WinZip, which includes the fix for CVE-2024-8811.
  2. Exercise Caution with Downloaded Files: Be wary of ZIP files from untrusted sources. Scan them with reputable antivirus software before opening them.
  3. Enable Strong Security Practices: Keep your operating system and other software up-to-date with the latest security patches.
  4. Use a Robust Antivirus Solution: A reliable antivirus program can help detect and block malicious files.
  5. Be Mindful of Phishing Attacks: Avoid clicking on suspicious links or downloading attachments from unknown senders.

Conclusion
By utilising NormCyber's Vulnerability Management service, customers can ensure they are alerted to and protected against vulnerabilities such as this one, including those disclosed through vendor and third-party bug bounty programmes.

References:
NVD – CVE-2024-8811 (nvd.nist.gov)
CVE-2024-8811 (tenable.com)

Newly Identified Phishing Campaign Weaponises Google Docs & Weebly

Recent research by EclecticIQ has identified a new phishing campaign that abuses trusted platforms and infrastructure. Financially motivated threat actors have been targeting the financial and telecommunications sectors using Google Docs to deliver phishing links and Weebly to host fake login pages. Because both are legitimate, widely used services, the combination lets the attackers slip past email filters and other defences, making detection harder.

The attack chain works by embedding malicious links in a Google Docs document, which redirects the target to a phishing page hosted on Weebly. Because docs.google.com is a trusted domain, the initial email carries no suspicious link for email security tools to flag, and the familiar Google branding lends the lure credibility, increasing the likelihood of success.

In the campaign, the threat actors used Weebly to imitate the login pages of high-profile brands, including AT&T, along with financial institutions in the US and Canada. The pages are crafted to trick users into entering their usernames, passwords, multi-factor authentication (MFA) codes and other sensitive information.

Using Google Docs and Weebly lets the attackers mask their intent: Google Docs hosted files are far less likely to be flagged by email security tools than traditional attachments or links, and Weebly hosted sites look legitimate. The attackers were also observed embedding legitimate tracking tools such as Sentry.io and Datadog in the phishing pages to monitor user interactions and collect metrics including IP addresses, geolocation and timestamps, which can be used to refine later phishing attempts. In some cases the attackers went beyond phishing and carried out SIM swapping to intercept SMS-based MFA codes, allowing them to bypass a victim's MFA protections entirely.
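As an added example (not from the original bulletin or the EclecticIQ research), the following Python detection logic hunts for the chain described above in web proxy logs: a request to a Weebly-hosted page whose Referer is docs.google.com, escalated when the same user POSTs to that host shortly afterwards, which is what a credential submission looks like. The log format, user names and hostnames are constructed for the example; adjust the parser to your proxy's format.

```python
"""Hunt web proxy logs for Google Docs -> site-builder phishing chains.

Added example: not from the bulletin or EclecticIQ. Log lines and hostnames are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Sequence
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <user> <method> <url> <referer or -> <status>".
SAMPLE_LOG = """\
2024-11-20T09:14:02Z alice GET https://docs.google.com/document/d/1abc/edit - 200
2024-11-20T09:14:31Z alice GET https://att-secure-login.weebly.com/ https://docs.google.com/document/d/1abc/edit 200
2024-11-20T09:15:10Z alice POST https://att-secure-login.weebly.com/submit https://att-secure-login.weebly.com/ 302
2024-11-20T09:20:00Z bob GET https://docs.google.com/document/d/2xyz/edit - 200
2024-11-20T09:20:40Z bob GET https://www.example.com/report.pdf https://docs.google.com/document/d/2xyz/edit 200
2024-11-20T10:00:00Z carol GET https://news.weebly.com/ https://www.bing.com/ 200
"""

DOC_HOSTS = ("docs.google.com",)  # where the lure document lives
HUNT_HOSTS = ("weebly.com",)      # site builders seen hosting the fake login pages


@dataclass
class Request:
    ts: datetime
    user: str
    method: str
    url: str
    referer: Optional[str]
    status: int


@dataclass
class Alert:
    user: str
    doc_url: str
    landing_url: str
    credentials_posted: bool = False  # a POST to the landing host followed within the window


def parse_proxy_line(line: str) -> Request:
    ts, user, method, url, referer, status = line.split()
    return Request(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, url,
                   None if referer == "-" else referer, int(status))


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def host_matches(host: str, suffixes: Sequence[str]) -> bool:
    """True when host is one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_doc_to_site_builder_chains(lines: Iterable[str],
                                    doc_hosts: Sequence[str] = DOC_HOSTS,
                                    hunt_hosts: Sequence[str] = HUNT_HOSTS,
                                    window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Flag requests to a hunted host that were referred from a Google Docs page."""
    requests = sorted((parse_proxy_line(l) for l in lines if l.strip()), key=lambda r: r.ts)
    alerts: List[Alert] = []
    for i, req in enumerate(requests):
        if not (req.referer and host_matches(host_of(req.referer), doc_hosts)):
            continue
        if not host_matches(host_of(req.url), hunt_hosts):
            continue
        alert = Alert(req.user, req.referer, req.url)
        landing_host = host_of(req.url)
        # Escalate if the same user submits a form to the landing host soon after.
        for later in requests[i + 1:]:
            if later.ts - req.ts > window:
                break
            if (later.user == req.user and later.method == "POST"
                    and host_of(later.url) == landing_host):
                alert.credentials_posted = True
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_doc_to_site_builder_chains(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, only alice trips the rule: bob followed a Google Docs link to a host that is not on the hunt list, and carol reached Weebly from a search engine. An alert with `credentials_posted` set is the one to treat as a likely credential compromise and to act on (password reset, MFA review) rather than just a click.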

The Human Risk Management service from Norm can educate users on how to spot a likely malicious email. With this training, users are more aware of the tactics attackers use and better able to exercise caution before clicking links in suspicious emails. It is also recommended to take a minute to assess any email or message before responding, and never to grant remote access to your device.

References:
Google Docs and Weebly Weaponized in New Phishing Scheme (securityonline.info)
Financially Motivated Threat Actor Leveraged Google Docs and Weebly Services to Target Telecom and Financial Sectors (blog.eclecticiq.com)

Get Norm’s threat bulletin direct to your inbox

Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: