Veeam Backup Vulnerability, GitHub Patches Flaw, FBI Fakes Cryptocurrency – Cybersecurity News [October 14, 2024]

by DuoCircle

 

We’re back to provide you with the latest cybersecurity news of the week to keep you informed and help secure against evolving threats. This week, we dive into the critical Veeam vulnerability being exploited to spread ransomware, GitHub patching critical flaws in its enterprise servers, the FBI’s use of a fake cryptocurrency to expose manipulation in the crypto market, CISA’s warning on unencrypted cookies in F5 BIG-IP systems, and the alarming number of unpatched Fortinet instances vulnerable to a known flaw. Let’s read the authentic details stated in the news pieces discussed below.

 

Critical Vulnerability with a CVSS Score of 9.8 Identified in Veeam Backup and Replication Software

Veeam Backup & Replication software has been detected for the presence of a critical vulnerability or bug, labeled with a CVE number of CVE-2024-40711. Assignment of CVSS score of 9.8 clearly suggests the severity of risk if, in case, it materializes. This vulnerability, if not patched or mitigated early, can even lead to successful and influential ransomware attack and some have rather materialized in 3D reality.

According to the findings of Sophos’ investigation, they identified that the attackers used compromised VPN credentials (a result of the early data breach) to gain unauthorized access to sensitive networks. After gaining fraudulent authenticated access to the system, the attackers proceeded with remote code execution, closely adhering to the cyber kill chain mechanism.

 

ransomware attack

 

With this, attackers were able to control and execute critical commands on target systems freely and remotely. They exploited Veeam through a specific URI (Uniform Resource Identifier), creating local accounts. They horizontally moved (systems on the same level of hierarchy) within the systems sequentially, injecting them with malware. Though some ransomware attacks were unsuccessful, one led to the deployment of Fog ransomware, targeting Hyper-V servers with data exfiltrated using the Rclone utility.

 

GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access

GitHub has recently addressed several critical security vulnerabilities present in its Enterprise Server (GHES). Some identified flaws can even lead to unauthorized access to an instance. The most severe issue tracked as CVE-2024-9487 has been given a CVSS score of 9.5, highlighting its potential risk of severe nature. This exposed vulnerability allows attackers to bypass SAML single sign-on (SSO) authentication through improper cryptographic signature verification.

If not properly mitigated or patched, it could enable unauthorized user provisioning and provide undesirable access to GitHub resources. GitHub, during a thorough security investigation, realized that this vulnerability was introduced as a regression during the remediation of CVE-2024-4985 (a previous critical vulnerability patched in May 2024, which had a maximum CVSS score of 10.0.)

 

 single sign-on (SSO) authentication

 

In addition to CVE-2024-9487, GitHub also patched two other vulnerabilities recognized under CVE-2024-9539, and the other one didn’t formally receive a CVE designation as of now. The CVE-2024-9539 is an information disclosure flaw with a CVSS score of 5.7. This information disclosure allows attackers to retrieve metadata from victim users via malicious URLs targeting SVG assets.

The second is a sensitive data exposure issue in HTML forms within the management console. GitHub patched its existing critical vulnerabilities in GHES (GitHub Enterprise Server) versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16. Organizations using older versions of the self-hosted GHES are strongly advised to update immediately to mitigate potential security risks beforehand.

 

FBI Creates Fake Cryptocurrency, namely NexFundAI, to Expose Market Manipulators

The FBI created a fake cryptocurrency token and company named NexFundAI. This project was part of Operation Token Mirrors, basically establishing a honeypot with proper configurations and settings to expose malicious manipulation in the cryptocurrency markets via enticing ill-intent market personalities. This operation was successfully executed as planned, and several individuals and entities were arrested on account of serious charges. The arrest included influential market personalities who were possibly engaged in wash trading services and secretly tried to inflate the value of cryptocurrency tokens, resulting in significant financial gains for the perpetrators.

 

 

malicious

 

The DoJ (Department of Justice) has charged 18 individuals and entities, including ZM Quant, CLS Global, and Gotbit, on account of conducting illegal market manipulation and other relevant fraudulent activities. A total amount of $25 million (in cryptocurrency) has been confiscated till now, accumulated during the investigation phases. With this highly confidential project, the authorities were able to successfully identify, examine and eradicate the extent of exploitation in the cryptocurrency business market.

 

CISA Warns F5 BIG-IP Users About Abuse of Unencrypted Confidential Cookies

CISA, a U.S. federal agency responsible for protecting the nation’s critical information security infrastructure, has warned users of F5 BIG-IP systems, making them aware of the existential frauds being conducted behind the lawful curtains. It includes the abuse of unencrypted persistence cookies to map internal servers and identify vulnerable devices within networks. Identification of vulnerable devices on the network during the reconnaissance phase enormously eases the process for threat actors to proceed further with sequential phases of the cyber kill chain.

 

threat actor

 

F5 BIG-IP is a top-rated traffic management solution that consists of modules with their individual distinct operations, with one being the Local Traffic Manager (LTM) module. The LTM module uses a cookie mechanism to ensure consistency and proper management in the session layer of the OSI Network Model. These cookies are specifically designed to contain the private information of the target victims to offer personalized services, often around 1kb in size. With access to this cookie, attackers can extract valuable personal and network information, such as critical IP addresses.

Administrators are urged to configure cookie encryption through the BIG-IP LTM cookie persistence profile and implement strong encryption credentials. BIG-IP recommended security strategies to its clients and customers, suggesting how to encrypt cookies and mitigate potential risks. However, with the present solutions, there is one significant challenge in transitioning to encrypted cookies, which makes the previously issued cookies unusable, leading to a waste of resources and increasing overhead. However, this issue can be positively resolved by administrators manually updating “preferred” settings in the present software environment.

 

More than 86K Fortinet Products and Services Still Vulnerable to Format String FlawMedia

Fortinet products and services remain vulnerable and exposed to a vast cyber security threat landscape even after the early identification and recognition of vulnerabilities. These attacks come under the category of CVE-2024-23113, which is a format string vulnerability allowing remote attackers to execute critical system commands on target systems. This critical flaw was disclosed early on in February 2024, but still, many systems remain unpatched to date, with Asia, North America, and Europe being the most affected regions.

 

cyber security

 

A report suggested by Shadowserver documents statistics identifying over 38,000 instances in Asia as vulnerable, followed by more than 21,000 in North America alone. The exposed vulnerability clearly affects Fortinet products such as FortiOS and FortiProxy, which are critically used and deployed to manage network security in potential organizations.

The flaw, which has been actively exploited in recent attacks, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. The federal agencies have been directed by the legal authorities to patch their systems by 30 October 2024 (deadline). The CISA also confirmed the same after Fortinet shared an advisory.

Pin It on Pinterest

Share This