Zero-Day Exploits and Critical Patches Dominate as Black Basta, VMware, and Zscaler Face Scrutiny

Zscaler Patches Critical Privilege Escalation Vulnerability (CVE-2024-5407) in Client Connector for Windows

Zscaler has released a security update for a high-severity privilege escalation vulnerability, CVE-2024-5407, in its Client Connector for Windows. The flaw, with a CVSS score of 7.8, could allow a local attacker with standard user privileges to gain SYSTEM-level access by exploiting the application's repair functionality. This could enable full system compromise, data theft, or the deployment of malware like ransomware. Zscaler strongly urges all customers to update to the patched version 4.4.0.280 immediately to mitigate the risk. While not yet exploited in the wild, its public disclosure increases the likelihood of future attacks.

ZscalerCVE-2024-5407Privilege EscalationWindows SecurityPatch Management +1 more

Zscaler Rushes Patch for Critical Privilege Escalation Flaw in Windows Client Connector

Patch Management

Security Operations

Black Basta Ransomware Gang Caught Exploiting Windows Zero-Day for SYSTEM-Level Access

CRITICAL

Black Basta Ransomware Linked to Active Exploitation of Windows Zero-Day (CVE-2024-26169)

The notorious Black Basta ransomware gang has been observed exploiting a now-patched zero-day vulnerability in the Microsoft Windows Error Reporting Service, tracked as CVE-2024-26169. This critical privilege escalation flaw allowed attackers to gain SYSTEM privileges, bypassing security measures to deploy their ransomware. The threat group Cardinal (Storm-1811), an initial access broker for Black Basta, was also linked to the attacks. Microsoft addressed the vulnerability in its March 2024 Patch Tuesday updates, highlighting the urgent need for organizations to apply security patches to defend against sophisticated ransomware operations.

Black BastaRansomwareCVE-2024-26169Zero-DayWindows +2 more

Ransomware

Threat Actor

VMware Patches Critical RCE Flaws in vCenter and ESXi; Admins Urged to Update Immediately

CRITICAL

VMware Patches Critical Remote Code Execution Vulnerabilities in vCenter Server and ESXi

VMware has released urgent security updates to address three critical vulnerabilities in its vCenter Server and ESXi products. The flaws include two heap-overflow vulnerabilities (CVE-2024-22252, CVE-2024-22253) with CVSS scores of 9.3, and a privilege escalation vulnerability (CVE-2024-22255). The heap-overflow flaws could allow an attacker with access to a virtual machine to escape to the hypervisor and achieve remote code execution, leading to a complete compromise of the host. VMware states there are no workarounds and immediate patching is the only mitigation.

VMwareESXivCenterCVE-2024-22252CVE-2024-22253 +3 more

VMware Patches Critical RCE Flaws in vCenter and ESXi; Admins Urged to Update Immediately

Patch Management

Cloud Security

CISA Adds Actively Exploited SharePoint RCE Chain to KEV Catalog, Mandates Federal Patching

CRITICAL

CISA Warns of Actively Exploited Microsoft SharePoint Vulnerabilities, Adds Two to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two Microsoft SharePoint vulnerabilities, CVE-2023-29357 and CVE-2023-24955, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms the flaws are being actively used in attacks. When chained together, these vulnerabilities allow an unauthenticated attacker to achieve remote code execution (RCE) on affected SharePoint servers. CISA has mandated that all Federal Civilian Executive Branch agencies apply the necessary patches by a specified deadline, and all organizations are strongly urged to patch immediately.

CISAKEVSharePointCVE-2023-29357CVE-2023-24955 +2 more

CISA Adds Actively Exploited SharePoint RCE Chain to KEV Catalog, Mandates Federal Patching

Cyberattack

Regulatory

New 'Migo' Golang Malware Blinds Linux Security Tools on Redis Servers

'Migo' Malware Discovered Targeting Linux Systems to Disable Endpoint Security

A new Golang-based malware named 'Migo' is targeting exposed Redis servers on Linux systems. The malware's primary objective is to disable endpoint security solutions, cloud agents, and other monitoring tools, effectively blinding security teams. After neutralizing defenses, Migo deploys a cryptocurrency miner to hijack the compromised system's resources. The use of Golang makes the malware highly portable and harder to detect. Security researchers note that Migo is under active development, indicating a persistent and evolving threat. Securing Redis instances is a critical mitigation.

MigoMalwareLinuxRedisGolang +2 more

5 min read

Cloud Security

Threat Intelligence

Leaked LockBit 3.0 Builder Continues to Fuel Ransomware Ecosystem, Complicating Attribution

Leaked LockBit Ransomware Builder Empowers New Wave of Cyberattacks

The LockBit 3.0 ransomware builder, which was leaked in September 2022, is still being widely used by a multitude of threat actors to launch their own custom ransomware attacks. This has led to a significant proliferation of smaller, disparate ransomware operations, making attack attribution and defense more challenging for organizations. The leak has effectively 'democratized' a sophisticated ransomware tool, lowering the barrier to entry for less-skilled cybercriminals and creating a long-lasting problem for the cybersecurity community. The attacks have impacted a wide range of industries globally.

LockBitRansomwareCybercrimeMalware BuilderThreat Intelligence

Ransomware

Threat Actor

Microsoft Unleashes Massive April 2024 Patch Tuesday, Fixing 149 Flaws Including Critical RCEs

Microsoft's April 2024 Patch Tuesday Addresses 149 Vulnerabilities, Including Three Critical

Microsoft has released its April 2024 Patch Tuesday update, a substantial release addressing 149 vulnerabilities across its product portfolio. Of these, three are rated as critical: a remote code execution (RCE) flaw in Microsoft SQL Server (CVE-2024-21422), a Windows Secure Boot bypass (CVE-2024-29053), and an RCE in the Microsoft RPC runtime (CVE-2024-21323). The update also covers numerous important-rated flaws in Windows, Office, Azure, and Dynamics 365. Given the volume and criticality of the fixes, organizations are urged to prioritize deployment of these updates to protect against potential exploitation.

Patch TuesdayMicrosoftVulnerabilityRCESQL Server +2 more

Microsoft Unleashes Massive April 2024 Patch Tuesday, Fixing 149 Flaws Including Critical RCEs

Patch Management

Stealthy 'Cuttlefish' Malware Hides on Routers to Steal Credentials from Network Traffic

'Cuttlefish' Malware Infects Routers to Spy on Network Traffic and Steal Data

A sophisticated and stealthy malware named 'Cuttlefish' has been found infecting enterprise-grade routers. The malware is designed to remain hidden while it actively monitors network traffic passing through the device. Its primary goal is to exfiltrate sensitive information, such as usernames, passwords, and other credentials, by intercepting traffic from various protocols. The infection vector is believed to be the exploitation of known vulnerabilities or weak credentials. The malware's persistence and data-stealing capabilities make it a significant threat to corporate security and privacy.

CuttlefishMalwareRouterIoT SecurityNetwork Sniffing +1 more

5 min read

IoT Security

Threat Intelligence

Panda Restaurant Group Discloses Data Breach Impacting Corporate Employee Information

MEDIUM

Panda Restaurant Group Announces Data Breach Affecting Corporate Staff

Panda Restaurant Group, the parent company of the Panda Express fast-food chain, has disclosed a data breach that exposed the personal information of some of its current and former corporate employees. The breach occurred in March 2024 when unauthorized actors gained access to corporate systems and exfiltrated files. The compromised data includes names, Social Security numbers, and driver's license numbers. The company has stated that customer data was not affected and is offering credit monitoring services to the impacted individuals.

Data BreachPanda ExpressPanda Restaurant GroupPIIEmployee Data +1 more

Data Breach

Incident Response

'FakeBat' Malware Loader Uses Malvertising to Distribute RedLine Stealer and Other Payloads

'FakeBat' Malware Loader Spreads Through Malicious Ads Impersonating Popular Software

A new and evolving malware loader, dubbed 'FakeBat', is being distributed through widespread malvertising campaigns. These campaigns use malicious ads that impersonate legitimate download pages for popular business software like Slack, Zoom, and Notion. When a user clicks an ad, they are redirected to a site that downloads the FakeBat loader. FakeBat is then used to deliver a variety of secondary payloads, most notably information stealers like RedLine Stealer and remote access trojans (RATs). The campaign highlights the ongoing threat of malvertising as a primary infection vector.

FakeBatMalvertisingRedLine StealerMalwareInfo-stealer +2 more

Phishing

US Offers $10 Million Bounty for Information on BlackCat (ALPHV) Ransomware Gang Leaders

INFORMATIONAL

US Government Offers $10 Million Reward for Information on BlackCat Ransomware Leaders

The U.S. Department of State's Rewards for Justice program is offering a reward of up to $10 million for information that leads to the identification or location of key leaders of the BlackCat (also known as ALPHV) ransomware gang. This significant bounty is part of a broader U.S. government effort to disrupt the operations of this prolific and destructive cybercrime group, which is known for targeting critical infrastructure and healthcare organizations worldwide using a 'triple extortion' model.