Why Do These Flaws Matter?
Let’s start with CVE-2024-38018. This vulnerability allows attackers with basic Site Member permissions to execute arbitrary code on the SharePoint server. Even basic privileges are enough to open the door to exploitation. Worse still, no user interaction is needed, meaning the attack can occur without anyone clicking on anything. It’s a network-vector exploit, so all it takes is for the attacker to upload a malicious file or exploit the API, and they can run code on your system.
This is especially alarming for enterprises where SharePoint is central to document management and collaboration. The low attack complexity makes it a prime target for cyber criminals looking to compromise sensitive information across entire organisations.
Then there’s CVE-2024-43464, which is equally dangerous but requires Site Owner or higher permissions. This vulnerability involves the deserialisation of untrusted data, allowing attackers to upload a crafted malicious file and trigger remote code execution through SharePoint’s API. Once again, no user interaction is required.
How Easy Is It to Exploit These?
Both vulnerabilities are of low complexity but have high impact. For CVE-2024-38018, all an attacker needs is Site Member permissions, which are common in many organisations, making exploitation highly likely. CVE-2024-43464 is slightly more restrictive as it requires Site Owner permissions, but the risk remains significant, especially in environments with multiple administrators or loosely controlled permissions.
Even worse, these vulnerabilities can be exploited remotely. Attackers don’t need to be inside your network—they could be miles away, running code on your SharePoint server, potentially stealing data, installing backdoors, or launching further attacks on your infrastructure.
Why These Vulnerabilities Are Dangerous
Neither of these exploits requires user interaction. Just having SharePoint exposed to the internet or connected via vulnerable configurations could put your system at risk. Attackers could remotely execute malicious code, and you may not realise it until it’s too late. These types of vulnerabilities can easily go unnoticed, making them ideal for stealthy, widespread attacks.
What Should You Do Next?
First and foremost, patch your SharePoint servers immediately. Microsoft has released fixes as part of the September 2024 Patch Tuesday, and failing to apply these updates leaves your systems exposed. Additionally, review permissions across your SharePoint sites; ensure that only essential users have Site Member or Site Owner permissions. Finally, monitor your SharePoint server logs for any suspicious activity, especially unusual file uploads or API access attempts.
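The log monitoring step above can be partly automated. The following is an added example, not code from the original bulletin or from Microsoft: it reads an IIS log excerpt in the standard W3C extended format (the SharePoint front end writes these) and flags two of the things the bulletin says to watch for, file uploads through the REST API whose extension an ordinary site member rarely needs, and a burst of API write calls from one account. The log lines are constructed for the example, and the extension watchlist and burst threshold are assumptions to tune for your environment.

```python
"""Triage helper for SharePoint Server IIS logs (W3C extended format).

Added example, not code from the original bulletin or from Microsoft. It
flags REST file uploads with unexpected extensions and bursts of API write
calls from a single account. The log excerpt is constructed; the field
names follow the standard IIS W3C format.
"""
import os
import re
from collections import Counter
from urllib.parse import unquote

# SharePoint's programmatic entry points (REST, and the client.svc CSOM endpoint).
API_PREFIXES = ("/_api/", "/_vti_bin/")

# Extensions an ordinary site member rarely needs to upload.
# Assumed watchlist for this example; tune it for your environment.
WATCH_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".dll", ".exe", ".ps1"}

# API write calls from one account within the excerpt that count as a burst (assumed).
BURST_THRESHOLD = 3

# Constructed sample log excerpt; not real traffic.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2024-09-12 08:01:10 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - CONTOSO\\alice 10.1.2.3 200
2024-09-12 08:02:44 POST /_api/web/GetFolderByServerRelativeUrl('/sites/finance/Shared%20Documents')/Files/add url='Q3-report.xlsx'&overwrite=true CONTOSO\\alice 10.1.2.3 200
2024-09-12 08:03:01 POST /_api/web/GetFolderByServerRelativeUrl('/sites/finance/Shared%20Documents')/Files/add url='notes.aspx'&overwrite=true CONTOSO\\bob 203.0.113.7 200
2024-09-12 08:03:02 POST /_api/web/lists - CONTOSO\\bob 203.0.113.7 200
2024-09-12 08:03:02 POST /_api/web/lists - CONTOSO\\bob 203.0.113.7 200
2024-09-12 08:03:03 POST /_vti_bin/client.svc/ProcessQuery - CONTOSO\\bob 203.0.113.7 200
"""

# The REST Files/add call names the uploaded file in its query string as url='...'.
UPLOAD_NAME_RE = re.compile(r"url='([^']*)'")


def parse_w3c(text):
    """Turn a W3C log excerpt into a list of dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_api_write(row):
    """True for POST/PUT requests to one of the programmatic endpoints."""
    return row["cs-method"] in ("POST", "PUT") and row["cs-uri-stem"].startswith(API_PREFIXES)


def suspicious_uploads(rows):
    """(user, filename) for Files/add calls whose extension is on the watchlist."""
    hits = []
    for row in rows:
        if not is_api_write(row) or "/files/add" not in row["cs-uri-stem"].lower():
            continue
        match = UPLOAD_NAME_RE.search(unquote(row["cs-uri-query"]))
        if match and os.path.splitext(match.group(1))[1].lower() in WATCH_EXTENSIONS:
            hits.append((row["cs-username"], match.group(1)))
    return hits


def bursty_users(rows, threshold=BURST_THRESHOLD):
    """Accounts that issued at least `threshold` API write calls in the excerpt."""
    counts = Counter(row["cs-username"] for row in rows if is_api_write(row))
    return sorted(user for user, n in counts.items() if n >= threshold)


def triage(text):
    rows = parse_w3c(text)
    return {"suspicious_uploads": suspicious_uploads(rows), "bursty_users": bursty_users(rows)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against a real log, the burst threshold should be applied per time window rather than per file, and the account names flagged should be cross-checked against the permission review: an API upload from an account that only needs read access is the combination worth escalating.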
Using Norm’s Vulnerability Patch Management service can automate patch management and protect your systems against vulnerabilities like these, keeping you safe from potential exploits.
References:
NVD – CVE-2024-38018 (nist.gov)
NVD – CVE-2024-43464 (nist.gov)
CVE-2024-38018 – Security Update Guide (msrc.microsoft.com)
CVE-2024-43464 – Security Update Guide (msrc.microsoft.com)
Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws (bleepingcomputer.com)
Patch Tuesday – September 2024 (rapid7.com)
New Vo1d Malware Infects 1.3 million Android Streaming Boxes
Introduction
This month a backdoor that can install software on Android TV boxes has been discovered. The malware, named Vo1d, has infected approximately 1.3 million Android TV boxes running outdated operating system versions globally. It has predominantly affected countries in South America, Africa and Asia, including Morocco, Russia, Saudi Arabia, Tunisia, Pakistan and Brazil. The boxes affected are mostly running outdated versions of Android, such as Android 7.1.2, Android 10.1 and Android 12.13. Notable models include the R4 TV box, the KJ-SMART4KVIP TV box and other similar devices. Many of the boxes are targeted because of their outdated firmware, which often contains unpatched vulnerabilities that the attacker can subsequently exploit.
Malware Overview
Vo1d is a sophisticated backdoor malware that targets Android TV boxes. It operates by exploiting vulnerabilities in older versions of the Android operating system, allowing attackers to gain root access and take full control of the infected devices. The malware can download and install additional malicious software without the user’s knowledge, thereby expanding its reach and impact. Devices with poor network security are also likely targets, because many streaming devices are not configured securely, often featuring weak firewalls and open services. Open services on devices that are exposed to the internet can be exploited.
The Vo1d malware primarily infects devices by replacing critical system files with malicious versions. Specifically, it targets the “/system/bin/debuggerd” file, renaming the original as “debuggerd_real” for backup purposes. Additionally, it introduces two new files, “/system/xbin/vo1d” and “/system/xbin/wd”, which contain the core malicious code. Once installed, Vo1d establishes a persistent connection to a command-and-control (C2) server, enabling remote attackers to issue commands and further compromise the device.
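The file paths named above are concrete enough to check for. The following is an added example, not code from the original bulletin or from any vendor: it walks a directory that mirrors an Android system partition (an extracted firmware image, or files copied off a box with `adb pull`) and reports the presence of /system/xbin/vo1d, /system/xbin/wd and the debuggerd_real backup, plus a /system/bin/debuggerd whose SHA-256 differs from a reference hash you supply from clean vendor firmware. The demo tree built in `demo()` is constructed, and the "binaries" in it are placeholder bytes, not malware.

```python
"""Offline check for the file-level indicators the bulletin attributes to Vo1d.

Added example; not code from the original bulletin or from any vendor.
The demo tree is constructed and contains only placeholder bytes.
"""
import hashlib
import tempfile
from pathlib import Path

# Paths named in the bulletin, relative to the partition root.
INDICATOR_FILES = (
    "system/xbin/vo1d",
    "system/xbin/wd",
    "system/bin/debuggerd_real",
)
DEBUGGERD = "system/bin/debuggerd"


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_system_tree(root, reference_debuggerd_sha256=None):
    """Return human-readable findings; an empty list means no indicator was seen.

    reference_debuggerd_sha256 is the hash of debuggerd from clean vendor
    firmware (an input you supply; no value is shipped with this example).
    """
    root = Path(root)
    findings = []
    for rel in INDICATOR_FILES:
        if (root / rel).exists():
            findings.append(f"indicator file present: /{rel}")
    debuggerd = root / DEBUGGERD
    if reference_debuggerd_sha256 and debuggerd.is_file():
        actual = sha256_of(debuggerd)
        if actual != reference_debuggerd_sha256.lower():
            findings.append(
                f"/{DEBUGGERD} hash mismatch: got {actual[:16]}..., "
                f"expected {reference_debuggerd_sha256[:16]}..."
            )
    return findings


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Build a clean placeholder tree, record its debuggerd hash, then apply
    the file changes the bulletin describes and scan again.
    Returns (findings_on_clean_tree, findings_after_replacement)."""
    root = tempfile.mkdtemp(prefix="vo1d-demo-")
    _write(root, DEBUGGERD, b"placeholder bytes standing in for the vendor debuggerd")
    reference = sha256_of(Path(root) / DEBUGGERD)
    clean = scan_system_tree(root, reference)

    # Reproduce the file layout described in the bulletin with placeholder content.
    (Path(root) / DEBUGGERD).rename(Path(root) / "system/bin/debuggerd_real")
    _write(root, DEBUGGERD, b"placeholder bytes standing in for a replaced debuggerd")
    _write(root, "system/xbin/vo1d", b"placeholder")
    _write(root, "system/xbin/wd", b"placeholder")
    infected = scan_system_tree(root, reference)
    return clean, infected


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before or "no indicators")
    for finding in after:
        print("after replacement:", finding)
```

The hash comparison only means something against a reference taken from the vendor's own firmware image for that exact model and build; a missing reference leaves the three path checks, which are still useful on their own because a stock system has no reason to carry a debuggerd_real file.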
Potential Risks
The Vo1d malware poses several risks to infected devices and their users, listed below:
- Data Theft – Attackers can access sensitive information stored on the device.
- Device Control – Full control over the device allows attackers to manipulate its functions and install additional malware.
- Network Security Compromise – Compromised devices can be used as entry points for further attacks on the user’s network.
Mitigation Strategies
To mitigate the risks associated with the Vo1d malware, users and manufacturers should consider the following strategies:
- Firmware Updates – Regularly update the device firmware to patch known vulnerabilities.
- Antivirus Software – Install reputable antivirus software to detect and remove malware.
- Secure Configurations – Avoid using unofficial firmware and ensure devices are configured securely.
- Network Monitoring – Implement network monitoring tools to detect unusual activity originating from connected devices.
Conclusion
The Vo1d malware represents a significant threat to Android TV box users worldwide. By understanding its infection mechanisms and implementing robust security measures, users can protect their devices and personal data from this and similar threats. Continuous vigilance and adherence to cyber security best practices are essential in mitigating the impact of such malware.
References:
Vo1d malware: New trojan infected 1.3 million Android TV boxes (bgr.com)
Over 1.3 Million Android Devices Infected: Vo1d Malware Campaign Exposed | Black Hat Ethical Hacking
New Vo1d malware infects 1.3 million Android streaming boxes (bleepingcomputer.com)
‘Vo1d’ Trojan Malware Infects 1.3 Million Android-Based TV Boxes Globally (pcmag.com)
Over 1 Million Android TV Boxes Infected By Vo1D Malware (troypoint.com)
Millions of Android streaming boxes hit by damaging malware (msn.com)
How Cyber Criminals are Exploiting HTTP Headers in Phishing Attacks
Cyber security researchers have warned of upcoming and ongoing phishing campaigns that have begun abusing refresh entries within HTTP headers in order to deliver spoofed login pages that are built to harvest credentials.
Palo Alto Networks researchers have stated that these attacks differ from the usual distribution of phishing pages through HTML content, because they use the response header sent by the server, which the browser acts on before it begins processing the HTML content. Palo Alto Networks’ Unit 42 researchers described how the technique is used:
“Malicious links direct the browser to automatically refresh or reload a web page immediately, without requiring user interaction.”
Attacks leveraging this exploit were observed between May & July 2024, targeting large corporations located in South Korea, alongside government agencies in the United States. According to investigations into these attacks, it is estimated that around 2,000 malicious URLs were seen in the attacks. Over 36% of the attacks targeted the business sector, followed by the financial sector at 12.9%.
These attacks are but one of many tactics used by threat actors to obfuscate attempts at stealing sensitive information from unsuspecting users. The infection chains are characterised by the delivery of malicious links through header refresh URLs which contain the target’s email address.
The starting point of the chain is an email which contains a link masquerading as a legitimate domain that, when clicked, redirects the user to a threat actor-controlled page which has been set up for credential harvesting. An extra step taken by threat actors is to have the target’s email address pre-filled by the time they are redirected to the threat actor page.
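The traits described above (an immediate refresh, a hop to a different host, and the target's email address carried in the destination URL) can be checked from a response's headers alone. The following is an added example, not code from the original bulletin or from Palo Alto Networks: it parses a `Refresh` header using the `<seconds>; url=<URL>` syntax documented on MDN and returns the reasons a response looks like one of these phishing hops. The sample responses are constructed.

```python
"""Flag HTTP responses whose Refresh header matches the phishing pattern
described by Unit 42: an immediate refresh to another host, with an email
address embedded in the destination URL.

Added example; not code from the original bulletin or from Palo Alto
Networks. Header syntax follows the MDN description. Samples are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "<seconds>" optionally followed by "; url=<URL>" (URL may be quoted).
REFRESH_RE = re.compile(r"""\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['"]?([^'"]+?)['"]?)?\s*$""", re.I)


def parse_refresh(value):
    """Return (delay_seconds, url_or_None) for a Refresh header value, or None if malformed."""
    match = REFRESH_RE.match(value)
    if not match:
        return None
    url = match.group(2).strip() if match.group(2) else None
    return int(match.group(1)), url


def assess_refresh(response_url, headers):
    """Reasons the Refresh header on `response_url` looks like a phishing hop; [] if none."""
    value = next((v for k, v in headers.items() if k.lower() == "refresh"), None)
    if value is None:
        return []
    parsed = parse_refresh(value)
    if parsed is None or parsed[1] is None:
        return []
    delay, target = parsed
    reasons = []
    if delay == 0:
        reasons.append("immediate refresh (no user interaction)")
    src_host = urlsplit(response_url).hostname
    dst_host = urlsplit(target).hostname
    if dst_host and dst_host != src_host:
        reasons.append(f"redirects to a different host: {dst_host}")
    # The email may be percent-encoded in the URL, so decode before matching.
    if EMAIL_RE.search(unquote(target)):
        reasons.append("email address embedded in destination URL")
    return reasons


# Constructed samples: (URL the browser requested, response headers).
SAMPLE_RESPONSES = [
    ("https://lookalike-domain.example/track/abc",
     {"Content-Type": "text/html",
      "Refresh": "0; url=https://portal-login.example.net/?user=jane.doe%40example.com"}),
    ("https://docs.example/old-page",
     {"Refresh": "5; url=https://docs.example/new-page"}),
    ("https://docs.example/plain", {"Content-Type": "text/html"}),
]


def triage(samples):
    return {url: assess_refresh(url, headers) for url, headers in samples}


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_RESPONSES).items():
        print(url, "->", reasons or "ok")
```

A same-host refresh with a delay, as in the second sample, is the ordinary legitimate use of the header and produces no finding; it is the combination of all three traits on one response that should be routed to the security team, and the same logic applies to a `<meta http-equiv="refresh">` tag once the HTML has been fetched.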
Phishing continues to be an effective method of accessing & harvesting sensitive information for threat actors, leading to Business Email Compromises (BECs) and large costs, with research published by the Federal Bureau of Investigation (FBI) stating that BECs have cost international organisations roughly $55 Billion between 2013 & 2023.
The Cyber Safety and Phishing module from Norm can educate users on how to spot a likely malicious email. With this education, not only would users be more aware of the tactics used by attackers but also the content will enable them to exercise caution when clicking on suspicious emails and links. It is also recommended to take a minute to assess an email or message before responding and never give any remote access to your device.
References:
Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks (thehackernews.com)
Phishing Pages Delivered Through Refresh HTTP Response Header (paloaltonetworks.com)
Finding and Stopping Malicious HTTP Redirection (quttera.com)
Refresh – HTTP | MDN (mozilla.org)
Business Email Compromise: The $55 Billion Scam (ic3.gov)
norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.