Posts

News Security Advisory

Re-release of November 2024 Exchange Server Security Updates

Microsoft users had a tough time to send or load attachments to emails when using Outlook, were unable to connect to the server, and in some cases could not log into their accounts.

Microsoft Exchange Online is a platform for business communication that has a mail server and cloud apps for email, contacts, and calendars.

Microsoft mitigated the issue after identification were able to determine the cause of the outages and is rolling out a fix for the issue. That rollout is gradual, however, as outage reports continue to come in at DownDetector.

Impact

The outage left many users unable to communicate with colleagues, particularly as it coincided with the start of the workday in Europe. Frustration quickly spread across social media, with users reporting issues accessing emails and participating in Teams calls

Re-release of November 2024 Exchange Server Security Updates 

Summary 

OEM Microsoft 
Severity High 
Date of Announcement 27/11/2024 
Product Microsoft Exchange Server 
CVE ID CVE-2024-49040 
CVSS Score 7.5 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

On November 27, 2024, Microsoft re-released the November 2024 Security Updates (SUs) for Exchange Server to resolve an issue introduced in the initial release on November 12, 2024. The original update (SUv1) caused Exchange Server transport rules to intermittently stop functioning, particularly in environments using transport or Data Loss Protection (DLP) rules. The updated version (SUv2) addresses this issue. 

Table of Actions for Admins: 

Scenario Action Required 
SUv1 installed manually, and transport/DLP rules are not used Install SUv2 to regain control over the X-MS-Exchange-P2FromRegexMatch header. 
SUv1 installed via Windows/Microsoft Update, no transport/DLP rules used No immediate action needed; SUv2 will be installed automatically in December 2024. 
SUv1 installed and then uninstalled due to transport rule issues Install SUv2 immediately. 
SUv1 never installed Install SUv2 immediately. 

Remediation Steps 

1. Immediate Actions 

  • Use the Health Checker script to inventory your Exchange Servers and assess update needs. 
  • Install the latest Cumulative Update (CU) followed by the November 2024 SUv2. 

2. Monitor System Performance 

  • After enabling AMSI integration for message bodies, monitor for any performance issues such as delays in mail flow or server responsiveness. 

3. Run SetupAssist Script for Issues 

  • Use the SetupAssist script to troubleshoot issues with failed installations or update issues, and check logs for specific error details. 

References

News Security Advisory

Analysis of WezRat Malware; Check point Findings

New CheckPoint research discovered a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.

Continue Reading
Events

Future of Maritime Innovation at
METS Trade 2024; Intrucept

Maritime industry worldwide is witnessing massive changes in terms of continuous innovation and managing cyber risk on top priority list. In doing so enabling innovation becomes easier along with exploring various options that approaches and addresses cyber security in the maritime sector.

Now maritime professionals are ready to explore the latest industry trends and adopt solutions that dig deeper into maritime organizations’ challenges and priorities related to cyber security.

Intrucept Participates at the METS Trade 2024

Intrucept, a leader in cybersecurity solutions is excited to announce participation at the prestigious METS Trade 2024 in Amsterdam, Date Nov 19-21(2024).

This marks a significant step forward in transforming the maritime industry by combining the power of cutting-edge cybersecurity solutions.

About Intrucept: Ensuring Maritime Security in a Digital Age

As digital threats evolve, Intrucept is at the forefront of cyber security, providing comprehensive protection for maritime operations. From vessel systems to operational networks, we ensure that your fleet stays secure, resilient, and ready for the challenges of tomorrow.

Our solutions are designed to protect against cyberattacks, safeguard sensitive data, and maintain the integrity of vessel operations, all while enhancing overall business efficiency.

Why We’re Joining Forces at METS Trade 2024

At METS Trade 2024, we’ll be showcasing our unique partnership and how combining advanced cybersecurity with innovative engineering can provide unparalleled protection and efficiency for the maritime industry. Together, we are shaping the future of shipping — where digital security and operational excellence go hand in hand.

What You Can Expect from Our Joint Presence at METS 2024

Innovative cybersecurity solutions for shipping operations: Protect your vessels, data, and systems from the growing cyber threat landscape.

State-of-the-art shipping engineering technologies: Learn how we can optimize vessel performance, enhance fuel efficiency, and ensure compliance with global maritime standards.

Collaborative insights: Our team will be on hand to discuss how we can work together to make your operations safer, smarter, and more sustainable.

We invite you to visit our booth at METS Trade 2024 to explore how our solutions can help future-proof your business, improve operational resilience, and safeguard your digital infrastructure.

Details:

Event: METS Trade 2024

Dates: November 19-21, 2024

Location: Amsterdam RAI, Amsterdam, Netherlands

We look forward to meeting you and discussing how we can drive innovation, security, and efficiency in your maritime operations.

Cybersecurity News

Cybersecurity for Maritime Operations

Security Advisory

November 2024 Microsoft Patches: Addressing Zero-Day Exploits and High-Priority Vulnerabilities

Summary

OEM

Microsoft

Severity

High

Date of Announcement

2024-11-13

NO. of Vulnerabilities Patched

89

Actively Exploited

02

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft’s November 2024 Patch Tuesday release addresses 89 security vulnerabilities across various products, including critical updates for Windows, Microsoft Edge, SQL Server, and more. Four zero-day vulnerabilities are part of this release, with two actively exploited in the wild. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 51 Remote Code Execution (RCE) Vulnerabilities
  • 28 Elevation of Privilege (EoP) Vulnerabilities
  • 4 Denial of Service (DoS) Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 3 Spoofing Vulnerabilities
  • 1 Information Disclosure Vulnerabilities
The highlighted vulnerabilities include four zero-day flaws, two of which are currently being actively exploited.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)

CVE-2024-43572

Windows Servers and Windows 10&11

High

7.8

Winlogon Elevation of Privilege Vulnerability

CVE-2024-43583

Windows systems using Winlogon

High

7.8

Windows Hyper-V Security Feature Bypass Vulnerability

CVE-2024-20659

Windows Hyper-V

High

7.1

Windows MSHTML Platform Spoofing Vulnerability
(Exploitation Detected)

CVE-2024-43573

Windows Servers and Windows 10&11

Medium

6.5

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49039

Windows Servers and Windows 10&11

This zero-day allows attackers to escalate privileges within Windows environments. Exploited actively, it is particularly concerning for its ability to grant attackers elevated access.

Elevation of privilege potentially leading to full system control.

CVE-2024-49019

Windows Servers

A flaw in Active Directory Certificate Services allows attackers to gain domain administrator privileges by exploiting misconfigured version 1 certificate templates with overly broad enrollment permissions. This can be triggered by an attacker crafting a certificate request that bypasses security controls.

Elevate privileges to domain administrator, compromising the entire Active Directory environment and enabling full network control.

CVE-2024-49040

Microsoft Exchange Server 2016 and 2019

A vulnerability in Microsoft Exchange Server allows attackers to spoof the sender’s email address in emails to local recipients by exploiting improper verification of the P2 FROM header. This flaw can be used to launch email-based phishing and social engineering attacks.

Attackers can impersonate trusted senders, deceiving recipients into trusting malicious emails, potentially leading to data compromise or malware infections.

CVE-2024-43451

Windows Servers and Windows 10&11

A zero-day that exposes NTLMv2 hashes, enabling “pass-the-hash” attacks for unauthorized network access. This is the third NTLM-related zero-day discovered in 2024.

High risk in network environments; attackers may impersonate users and compromise critical systems.

Additional Critical Patches Address High-Severity Vulnerabilities

  • Azure CycleCloud: Remote Code Execution Vulnerability (CVE-2024-43602).
  • .NET and Visual Studio: Remote Code Execution vulnerability (CVE-2024-43498).
  • Microsoft Windows VMSwitch: Elevation of Privilege vulnerability (CVE-2024-43625).
  • Windows Kerberos: Remote Code Execution vulnerability (CVE-2024-43639).
  • SQL Server: Multiple updates targeting memory vulnerabilities, each with a CVSS score of 8.8, affecting database security.

Remediation

  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
  • Regularly audit Active Directory and Exchange Server configurations to close potential security gaps.
  • Awareness of download files from the internet & regularly review and monitor your security setup, staying updated on new advisories to secure against emerging threats and vulnerabilities.
  • Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.

References

https://msrc.microsoft.com/update-guide/releaseNote/2024-Nov

Security Advisory

Palo Alto Account Takeover Vulnerability Actively Exploited

Summary

OEM

Palo Alto

Severity

Critical

Date of Announcement

2024-07-10

CVSS Score

9.3

CVE

CVE-2024-5910

CWE

CWE-306

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

CISA has included the Palo Alto Networks Expedition tool Missing Authentication Vulnerability in its catalog of actively exploited vulnerabilities. Palo Alto’s Expedition is a migration tool designed to simplify the process of transferring configurations from other vendors to Palo Alto Networks. The issue is tracked under CVE-2024-5910. The vulnerability, which involves missing authentication for a critical function in Expedition, could allow attackers with network access to take over an admin account. This poses a risk to imported configuration secrets, credentials, and other sensitive data within Expedition.

Vulnerability Name

CVE ID

Product Affected

Severity

Fixed Version

Palo Alto Networks Expedition Missing Authentication Vulnerability

CVE-2024-5910

Expedition

Critical

Expedition 1.2.92 and all later versions

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-5910

Expedition from 1.2 before 1.2.92

The vulnerability, caused by missing authentication for an important function in Expedition, could allow attackers with network access to take over an admin account.

Account Takeover

Recommendations

  • Update Expedition to 1.2.92 and the latest versions to mitigate the issue.

General Recommendations

  • Restrict Network Access: Limit network access to Expedition to only trusted and authorized users, hosts, and networks.
  • Enable Strong Authentication: Implement strong authentication for all critical functions in Expedition, including multi-factor authentication (MFA) where possible.
  • Monitor Access Logs: Regularly monitor and review access logs to detect any unusual or unauthorized access attempts.
  • Stay Updated: Stay informed about the latest cybersecurity news and updates to keep track of emerging threats and vulnerabilities.

References

Security Advisory

Critical Remote Code Execution Vulnerability in VMware vCenter Server (CVE-2024-38812)

Summary

OEM

VMware

Severity

Critical

Date of Announcement

2024-10-23

CVSS Score

9.8

CVE

CVE-2024-38812, CVE-2024-38813

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

Critical vulnerabilities have been identified in the vCenter Server that require immediate action. A heap overflow vulnerability in the DCE/RPC protocol could allow a malicious actor with network access to execute remote code by sending specially crafted packets. Additionally, there is a privilege escalation vulnerability that enables an attacker to escalate privileges to root using a similar method. Both vulnerabilities pose significant risks, and it is essential to implement remediation measures promptly to protect your vCenter Server and associated assets.

Vulnerability Name

CVE ID

Product Affected

Severity

Fixed Version

VMware vCenter Server heap-overflow vulnerability

CVE-2024-38812

VMware vCenter Servers and VMware Cloud Foundation

Critical

7.0 U3t, 8.0 U3d and U2e (vCenter Server)

Async Patch for VMware Cloud Foundation

VMware vCenter privilege escalation vulnerability

CVE-2024-38813

VMware vCenter Servers and VMware Cloud Foundation

Critical

7.0 U3t, 8.0 U3d and U2e (vCenter Server)
Async Patch for VMware Cloud Foundation

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-38812

VMware vCenter Server 7.0 and 8.0, VMware Cloud Foundation 4.x and 5.x

The critical vulnerability is caused by a heap overflow in vCenter Server's DCE/RPC protocol implementation. This allows an unauthenticated attacker to remotely execute arbitrary code without user interaction.

Remote code execution.

CVE-2024-38813

VMware vCenter Server 7.0 and 8.0, VMware Cloud Foundation 4.x and 5.x

This is a privilege escalation vulnerability in VMware vCenter Server that allows attackers with network access to escalate their privileges to root by exploiting an improper permission management flaw. By sending specially crafted network packets, a malicious actor can completely takeover the target.

Full administrative control.

Recommendations

Patch Immediately:

Administrators are strongly advised to update their VMware vCenter Server to the latest available versions:

  • vCenter Server 7.0 U3t
  • vCenter Server 8.0 U3d and U2e
  • VMware Cloud Foundation (Async Patching available).
Limit Network Access:

Restrict network access to vCenter Server by configuring firewalls to allow access only from trusted IP addresses.

Monitor for Indicators of Compromise (IoCs):

Security teams should monitor logs and network traffic for unusual activity, including unexpected traffic to or from the vCenter Server.

References

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968 

Security Advisory

Threat Campaign Targeting WordPress Sites with Malicious Plugins

A rapidly escalating cyber threat targeting WordPress sites with malicious plugins. Malicious actors are breaching WordPress websites to install rogue plugins, which display fake software updates and error messages. These are being used to distribute information-stealing malware.

Threat Overview

Since 2023, a malicious campaign known as ClearFake has been exploiting compromised websites to display fake browser update banners that trick users into downloading malware. This campaign evolved in 2024 with the introduction of ClickFix, a more advanced variant. ClickFix campaigns are more sophisticated and use fake error messages for browsers, web conferences, social media platforms, and even captcha pages to mislead users. The supposed “fixes” are actually PowerShell scripts designed to install malware capable of stealing sensitive information, such as login credentials.

                                   

An example ClickFix overlay pretending to be a Chrome error                        Fake Google update banner
Source: BleepingComputer                                                                                        Source: Randy McEoin

Recent Findings

Bleepingcomputer reported that over 6,000 WordPress sites have been compromised as part of this campaign. The attackers are installing malicious plugins that closely resemble legitimate ones, such as “Wordfence Security” or “LiteSpeed Cache,” to evade detection. These plugins secretly inject malicious JavaScript into the HTML of affected websites, leading to the display of fraudulent updates or error messages.

Here is the list of malicious plugins identified from June to September 2024:

LiteSpeed Cache Classic

Custom CSS Injector

MonsterInsights Classic

Custom Footer Generator

Wordfence Security Classic

Custom Login Styler

Search Rank Enhancer

Dynamic Sidebar Manager

SEO Booster Pro

Easy Themes Manager

Google SEO Enhancer

Form Builder Pro

Rank Booster Pro

Quick Cache Cleaner

Admin Bar Customizer

Responsive Menu Builder

Advanced User Manager

SEO Optimizer Pro

Advanced Widget Manage

Simple Post Enhancer

Content Blocker

Social Media Integrator

The threat actors appear to be utilizing stolen admin credentials to directly log into WordPress sites. These credentials are likely obtained through a combination of brute force attacks, phishing, or pre-existing malware infections. Once they gain access, the attackers are able to install these plugins without the need to visit the login page, streamlining the attack process.

Recommendations

If you are using a WordPress site, we recommend the following immediate actions:

  1. Ensure all the plugins installed are trusted, if anything suspicious remove them immediately.
  2. Keep your passwords to strong, unique ones that are not used anywhere else.
  3. Enable 2FA for all administrative users to protect against unauthorized access.
  4. Regularly review your access logs for any unusual login attempts or plugin installations etc.

Always stay vigilant and take proactive measures to protect your digital assets.

References

Security Advisory

Veeam Vulnerability (CVE-2024-40711) Exploited by Ransomware

Summary

OEM

Veeam

Severity

Critical

Date of Announcement

2024-10-17

CVSS Score

9.8

CVE

CVE-2024-40711

CWE

CWE-502

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

Veeam Backup & Replication software has been found to contain a critical vulnerability (CVE-2024-40711) that is actively being exploited by ransomware actors to distribute Akira and Fog ransomware. This vulnerability allows remote code execution without authentication, which can result in complete system compromise. Attackers are using this security gap to establish unauthorized accounts with administrative rights and spread ransomware on systems that lack protection.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Veeam Backup & Replication Critical Code Execution Vulnerability

CVE-2024-40711

Veeam Backup & Replication

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-40711

Veeam Backup & Replication versions prior to 12.2.0.334

CVE-2024-40711 is a deserialization of untrusted data flaw that can be exploited via a URI /trigger on port 8000. Once exploited, the vulnerability triggers Veeam.Backup.MountService.exe to create a local account named "point" with administrative and Remote Desktop User privileges. Attackers then use this access to deploy ransomware such as Akira and Fog, and in some cases, exfiltrate data using tools like Rclone.

Remote code execution, creation of unauthorized admin accounts, ransomware deployment (Akira and Fog), data exfiltration.

Recommendations

  • Update Veeam Backup & Replication to version 12.2.0.334 or later, which addresses this vulnerability.
  • Ensure VPN gateways are running supported software versions and have MFA enabled.

Threat Indicators and Monitoring

  • Look for the account “point” or similar with elevated privileges.
  • Monitor for unexpected instances of Veeam.Backup.MountService.exe creating or executing net.exe.

References

Security Advisory

Critical Fortinet Vulnerability Exploiting in Wild

Summary

OEM

Fortinet

Severity

Critical

Date of Announcement

2024-10-16

CVSS Score

9.8

CVE

CVE-2024-23113

CWE

CWE-134

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

A Critical vulnerability (CVE-2024-23113) has been identified in the FortiOS fgfmd daemon, which enables unauthenticated attackers to remotely execute arbitrary code or commands. This flaw arises from a format string vulnerability (CWE-134) within the fgfmd daemon, where specially crafted requests can initiate arbitrary code execution, potentially resulting in full system compromise. Affected versions include multiple releases of FortiOS, FortiPAM, FortiProxy, and FortiWeb.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Fortinet Products Format Sting Vulnerability

CVE-2024-23113

FortiOS, FortiProxy, FortiPAM, FortiWeb

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-23113

FortiOS (7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13), FortiProxy (7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.15), FortiPAM (1.2 and lower), FortiWeb (7.4.0-7.4.2)

The vulnerability lies in the fgfmd daemon’s handling of format strings in incoming requests, which can be exploited by remote attackers via crafted inputs. Exploitation of this flaw allows attackers to execute unauthorized code or commands on the affected systems.

Remote Code Execution (RCE)

Remediation

Fortinet has released security patches addressing this vulnerability. Here is the below patched versions for the Fortinet products.

  • FortiOS: Upgrade to version 7.4.3, 7.2.7, or 7.0.14 and above.
  • FortiProxy: Upgrade to version 7.4.3, 7.2.9, or 7.0.16 and above.
  • FortiPAM: Migrate to the latest supported version.
  • FortiWeb: Upgrade to version 7.4.3 and above.

Workarounds

It is strongly advised to upgrade to the latest secure versions of the affected products. As there are workarounds suggested by Fortinet team, here is the below.
  • Disable the fgfm access on affected interfaces using the following command:
      config system interface
      edit “portX”
      set allow access ping https ssh
      next
      end
  • Limit FGFM connections to trusted IPs using a local-in policy, which reduces the attack surface but does not fully eliminate the risk.

General Recommendations

  • Conduct regular vulnerability scans and ensure timely security updates of the applications.
  • Segment your network to reduce the potential impact of a compromise.

References

Scroll to top