
NormCyber Threat Bulletin: 24th July 2024

8 Critical Flaws Patched in SolarWinds Access Rights Manager Software

SolarWinds has recently addressed a set of critical security vulnerabilities in its Access Rights Manager (ARM) software which could be exploited to execute arbitrary code or access highly sensitive information on a system.


The set of 13 vulnerabilities included 8 which were deemed Critical in severity according to the CVSS scores assigned to them, ranging from 9.6 to 10. The remaining vulnerabilities were still of concern, carrying a severity rating of High, with scores ranging from 7.6 to 8.3. The 8 Critical flaws are listed below:

  • CVE-2024-23472 – SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability
  • CVE-2024-28074 – SolarWinds ARM Internal Deserialization Remote Code Execution Vulnerability
  • CVE-2024-23469 – SolarWinds ARM Exposed Dangerous Method Remote Code Execution Vulnerability
  • CVE-2024-23475 – SolarWinds ARM Traversal and Information Disclosure Vulnerability
  • CVE-2024-23467 – SolarWinds ARM Traversal Remote Code Execution Vulnerability
  • CVE-2024-23466 – SolarWinds ARM Directory Traversal Remote Code Execution Vulnerability
  • CVE-2024-23470 – SolarWinds ARM UserScriptHumster Exposed Dangerous Method Remote Command Execution Vulnerability
  • CVE-2024-23471 – SolarWinds ARM CreateFile Directory Traversal Remote Code Execution Vulnerability

If a threat actor successfully exploits these vulnerabilities, they will be able to read and delete files and execute arbitrary code with elevated permissions. The vulnerabilities were addressed in version 2024.3, released on 17th July 2024, following responsible disclosure through the Trend Micro Zero Day Initiative (ZDI).
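Several of the flaws above are directory traversal bugs, where a file name supplied by the caller is joined to a server-side directory and ".." segments walk out of it. The following Python is an added illustration (not code from SolarWinds, ZDI or the advisories) of the vulnerable join pattern beside a hardened resolver that rejects traversal before the file system is touched; the export directory and file names are constructed for the example.

```python
import os
import re
from pathlib import Path

# Constructed root directory for the example; not a real ARM path.
EXPORT_ROOT = "/srv/arm-example/exports"


class TraversalError(ValueError):
    """Raised when a caller-supplied path would escape the permitted root."""


def unsafe_join(root: str, user_supplied: str) -> str:
    # The vulnerable pattern: concatenate and normalise. Each ".." segment
    # walks one level out of root, so the result can point anywhere on disk.
    return os.path.normpath(os.path.join(root, user_supplied))


def safe_resolve(root: str, user_supplied: str) -> Path:
    # Treat both separator styles as separators so "..\\.." is caught on a
    # POSIX host as well as on Windows. Decode any URL encoding before this.
    normalised = user_supplied.replace("\\", "/")
    if "\x00" in normalised:
        raise TraversalError("NUL byte in path")
    # Absolute POSIX paths, UNC paths (//server/share) and drive letters.
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        raise TraversalError("absolute paths are not allowed")
    segments = [s for s in normalised.split("/") if s not in ("", ".")]
    if not segments:
        raise TraversalError("empty path")
    if any(seg == ".." for seg in segments):
        raise TraversalError("parent-directory segment in path")
    root_abs = Path(root).resolve()
    candidate = root_abs.joinpath(*segments).resolve()
    # Second, independent check: after symlink resolution the result must
    # still sit under root, otherwise a planted link could redirect it.
    try:
        candidate.relative_to(root_abs)
    except ValueError:
        raise TraversalError("resolved path escapes root") from None
    return candidate


def is_rejected(root: str, user_supplied: str) -> bool:
    """True if the hardened resolver refuses the supplied path."""
    try:
        safe_resolve(root, user_supplied)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", unsafe_join(EXPORT_ROOT, "../../../etc/passwd"))
    print("safe:  ", safe_resolve(EXPORT_ROOT, "reports/q2.csv"))
    print("rejected:", is_rejected(EXPORT_ROOT, "..\\..\\Windows\\win.ini"))
```

The segment check and the post-resolution check are deliberately separate: the first refuses obviously hostile input cheaply, the second catches anything the first did not anticipate, including symlinks inside the root. A patch that only adds one of the two is a common incomplete fix.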

This development comes shortly after CISA added a high-severity path traversal flaw in SolarWinds Serv-U to its Known Exploited Vulnerabilities (KEV) catalogue. The vulnerability is tracked as CVE-2024-28995 and carries a CVSS score of 8.6; it was added following reports of active exploitation in the wild.

By utilising Norm’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.

References:

SolarWinds Patches 8 Critical Flaws in Access Rights Manager Software (thehackernews.com)
Security Resources | SolarWinds Trust Center Security Advisories (solarwinds.com)
Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager (thehackernews.com)

How CrowdStrike Made Global Industry Freeze

On the 19th of July 2024, a software update was released by CrowdStrike. It subsequently caused global disruption and is now being called the largest IT outage in history.

So what happened?

CrowdStrike is an American cyber security company providing cyber attack response services, threat intelligence and endpoint security. It released a sensor configuration update to Windows systems at 04:09 UTC on the 19th of July. The update triggered a logic error that caused a system crash and the Blue Screen of Death (BSOD) on affected systems.

Configuration files, also known as channel files, are routinely updated in response to new and emerging tactics. On Windows systems they are found in the directory C:\Windows\System32\drivers\CrowdStrike\. On this occasion the relevant file is Channel File 291, which controls how the Falcon sensor evaluates named pipe execution on Windows systems.

A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Named pipes can be used to provide communication between processes on the same computer or between processes on different computers across a network.

It is estimated that this outage affected around 8.5 million Windows devices. The outage severely disrupted airports, rail networks, hospitals and the retail sector, to name a few. However, the damage doesn’t stop there: an increase in phishing attempts has been observed as a result of the outage. The CEO of CrowdStrike, George Kurtz, and government cyber security agencies across the world have warned individuals and businesses of the rise in malicious actors purporting to be CrowdStrike employees and technology specialists, offering services such as recovery assistance.

References:

Helping our customers through the CrowdStrike outage – The Official Microsoft Blog
Technical Details: Falcon Update for Windows Hosts | CrowdStrike
CrowdStrike outage: Phishing jumps as scam artists exploit event | Fortune
From trains to retail, how CrowdStrike outage caused havoc across industries | Microsoft IT outage | The Guardian

New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns

MuddyWater, an Iranian threat group linked to the Ministry of Intelligence and Security (MOIS), has intensified its activities in Israel since the start of the Israel-Hamas war in October 2023. The group also targets organisations in Saudi Arabia, Turkey, Azerbaijan, India, and Portugal.

MuddyWater employs phishing campaigns using compromised email accounts, leading to the deployment of legitimate remote monitoring and management (RMM) tools such as Atera Agent and ScreenConnect.

Recently, they introduced a new, previously undocumented custom backdoor called BugSleep, specifically for targeting Israeli organisations.

BugSleep allows the threat actors to execute commands and transfer files between compromised machines and the command-and-control (C&C) server.

The backdoor is still in development, with continuous improvements and bug fixes by the threat actors.

BugSleep Technical Analysis:

Delivery Mechanism:

  • MuddyWater primarily uses phishing campaigns to deliver BugSleep. They compromise legitimate email accounts and send malicious attachments or links to unsuspecting victims.
  • The malware is often disguised as legitimate files (e.g., PDFs, Word documents) or embedded within malicious URLs.

Infection Process:

  • When a victim opens the malicious attachment or clicks on the link, BugSleep is executed.
  • It establishes persistence by creating registry keys or scheduled tasks.
  • The malware also attempts to evade detection by using anti-analysis techniques (e.g., sandbox detection, anti-debugging).

Command-and-Control (C&C) Communication:

  • BugSleep communicates with its C&C server to receive commands and exfiltrate data.
  • It uses various protocols (HTTP, DNS, or custom protocols) to avoid detection.
  • Encrypted communication ensures stealthiness.

Capabilities:

  • BugSleep allows remote command execution on the compromised system.
  • It can upload/download files, execute shell commands, and manipulate processes.
  • The threat actors adapt its functionality based on their objectives.

Indicators of Compromise (IoCs):

  • Researchers have identified specific domains, IP addresses, and file hashes associated with BugSleep.
  • Organisations can use these IoCs to detect and block the malware.

Attribution:

  • MuddyWater’s motivation remains geopolitical, targeting organisations in Israel and other countries.
  • Attribution is challenging due to the group’s use of obfuscation techniques and infrastructure diversification.

References:

New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns (research.checkpoint.com)
New BugSleep malware implant deployed in MuddyWater attacks (bleepingcomputer.com)
MuddyWater threat group deploys new malware ‘BugSleep’ (izoologic.com)
