Today’s Cybersecurity Threats and Trends - 09/18/2024

iOS Zero-Click and VMware's vital vulnerability update.

Before we dive in, I would like to thank all of you for supporting us with your subscription! My goal is to bring both actionable insights and information regarding cybersecurity threats to the non-tech and technical professional alike. If this sounds like something that would help someone you know, please share the newsletter!

1. Temp.Hermit Trojanized Trickery

Primary Threat: North Korean threat group UNC2970, also known as Temp.Hermit, is back with a sophisticated campaign targeting employees in the energy, aerospace, and government sectors using a trojanized PDF reader. According to Mandiant's report, the attack vector involves deploying backdoors through seemingly legitimate PDF files and readers, allowing the threat actors to gain initial access and maintain persistence within the targeted networks. These attacks are part of an ongoing cyber-espionage campaign aimed at stealing sensitive information from key sectors.

  • MITRE Tactics: Initial Access, Persistence

  • Risk: High – The use of trojanized software for targeted attacks poses a significant risk to critical infrastructure and government entities.

2. VMware Vuln Voided With Vital Update

Primary Threat: VMware has released patches for several critical vulnerabilities, the most severe of which could allow remote code execution on vulnerable systems through a heap-overflow vulnerability in the DCE/RPC protocol implementation. The vulnerability affects multiple VMware products, including some versions of vCenter Server and ESXi. The VMware security advisory details the affected products and the steps to mitigate the issue. Administrators are urged to apply the patch immediately to prevent exploitation.

  • MITRE Tactics: Execution, Privilege Escalation

  • Risk: Critical – Unpatched VMware systems could be remotely compromised, leading to full system control and data breaches.

Unlock your potential with our partner…

Whether you're a beginner or an expert, Hack The Box provides a dynamic and engaging environment to test your hacking mettle. Join me and thousands of other professionals in this thriving community and take your cybersecurity expertise to the next level.

Start your journey today!

3. Foundations Found Crumbling

Primary Threat: Multiple construction firms have been breached through brute-force attacks on the Foundation accounting software. Attackers exploited weak and unchanged default account passwords to gain access to the software, leading to data theft and potential financial losses. Huntress’s research details how the attackers used these breaches to compromise sensitive financial and project data. Companies using Foundation are advised to review their security practices, including enforcing strong passwords, changing default passwords, and enabling multi-factor authentication (MFA).

  • MITRE Tactics: Initial Access, Credential Access

  • Risk: High – Compromised accounting software can lead to severe financial and reputational damage for the affected firms.
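The pattern described above (a burst of failed logins on a default account followed by a success) is something defenders can watch for in authentication logs. The following is an added example, not code from the newsletter or from Huntress; the log format, the account name `admin` as a "default account", and the threshold and window values are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format, not real Foundation logs).
SAMPLE_LOG = """\
2024-09-17T02:10:01 LOGIN_FAILED user=admin src=203.0.113.5
2024-09-17T02:10:02 LOGIN_FAILED user=admin src=203.0.113.5
2024-09-17T02:10:03 LOGIN_FAILED user=admin src=203.0.113.5
2024-09-17T02:10:04 LOGIN_FAILED user=admin src=203.0.113.5
2024-09-17T02:10:05 LOGIN_FAILED user=admin src=203.0.113.5
2024-09-17T02:10:06 LOGIN_OK user=admin src=203.0.113.5
2024-09-17T09:00:00 LOGIN_FAILED user=jsmith src=192.0.2.10
2024-09-17T09:00:30 LOGIN_OK user=jsmith src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")
# Placeholder list of accounts that ship enabled by default (assumption for the example).
DEFAULT_ACCOUNTS = {"admin"}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per successful login that was preceded, from the same
    source and for the same user, by at least `threshold` failures inside `window`."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.fromisoformat(m.group(1))
        event, user, src = m.group(2), m.group(3), m.group(4)
        key = (src, user)
        # Drop failures that fell out of the sliding window.
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if event == "LOGIN_FAILED":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            alerts.append({
                "src": src,
                "user": user,
                "failures": len(failures[key]),
                "default_account": user in DEFAULT_ACCOUNTS,
                "at": ts.isoformat(),
            })
    return alerts
```

Running `detect_bruteforce(SAMPLE_LOG)` flags only the `admin` login from 203.0.113.5; the single failure before `jsmith`'s success stays below the threshold.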

4. Apple Calendar Invite Zero-Click

Primary Threat: A critical zero-click remote code execution (RCE) vulnerability in macOS Calendar has been discovered, which could allow attackers to gain unauthorized access to iCloud data. The bug stems from how calendar invites are handled and requires no user interaction to execute. Researcher Mikko Kenttälä outlined the vulnerability chain that could lead to full device compromise. Apple users are advised to stay vigilant and update their systems regularly.

  • MITRE Tactics: Initial Access, Execution

  • Risk: Critical – Zero-click vulnerabilities pose a severe threat due to their ability to compromise devices without user interaction.

5. Dr. Web Discloses Direct Attack

Primary Threat: Russian cybersecurity firm Doctor Web has disclosed that it was the target of a sophisticated hacking attack. A news bulletin on the company's website explains that it had to take its servers offline in order to investigate the breach. Doctor Web's official statement details the nature of the attack and the company's subsequent response, emphasizing the importance of internal security even within cybersecurity companies.

  • MITRE Tactics: Initial Access, Exfiltration

  • Risk: High – This incident highlights that even cybersecurity firms are targets, underscoring the need for robust internal defenses.

IN SUMMARY:

Today's threats highlight the relentless efforts of state-sponsored hackers, critical software vulnerabilities, and targeted attacks on specific industries.

North Korean hackers are setting their sights on the energy and aerospace sectors using trojanized PDF readers, while VMware grapples with a critical flaw in its ESXi hypervisor.

Construction firms are under siege through brute-force attacks on Foundation accounting software, and a zero-click RCE bug in macOS Calendar exposes iCloud data to potential exploitation.

Even cybersecurity firms like Doctor Web aren't immune, facing targeted attacks that show no one is beyond reach.

Stay vigilant, patch regularly, and never underestimate the evolving tactics of cyber adversaries… And as always, ‘it's better to be paranoid than to be pwnd!’

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)