Critical vulnerabilities have been discovered across multiple systems, including Microsoft Exchange Servers, the Bricks Builder Theme for WordPress, VMware, ScreenConnect, Joomla, and Apple Shortcuts. Urgent patching and prompt updates can protect systems from unauthorized access, data breaches, and potential exploitation by threat actors.
Organizations must prioritize implementing effective security measures and conducting frequent audits. To secure sensitive data, cybersecurity specialists, software vendors, and end users should encourage collaborative efforts against malicious activities. Recurring exploits have targeted similar companies, so monitor the recent vulnerability news to remain up to date on the latest threats.
February 19, 2024
Microsoft Exchange Servers Vulnerable to Privilege Escalation Attacks
Type of vulnerability: Critical severity privilege escalation vulnerability.
The problem: CVE-2024-21410 allows remote attackers to carry out NTLM relay attacks on Microsoft Exchange Servers, providing them with privileged access. Exploitation provides illegal access to sensitive material, such as email communications, which may jeopardize company confidentiality. Up to 97,000 servers are exposed, potentially allowing unwanted access to sensitive data and exploitation for subsequent network intrusions.
The fix: System administrators are encouraged to install the Exchange Server 2019 Cumulative Update 14 (CU14), which was issued in February 2024 and enabled NTLM credentials Relay Protection. The Cybersecurity and Infrastructure Security Agency (CISA) identified CVE-2024-21410 as a “Known Exploited Vulnerability” and set a March 7, 2024 deadline for implementing patches or mitigations.
Read our guide on privilege escalation attacks next to learn about the detection and prevention strategies for your privileged accounts and data.
Bricks WordPress RCE Flaw Exploited by Hackers
Type of vulnerability: Critical remote code execution (RCE) flaw.
The problem: CVE-2024-25600 lets hackers execute malicious PHP code on affected websites running the Bricks Builder Theme. Attackers were seen attempting to disable security plug-ins. With over 25,000 active installations, the issue poses a significant threat to website integrity and user data. Exploitation could result in illegal access or data theft, and potentially jeopardize the entire website’s security.
The fix: On February 13, the Bricks team released version 1.9.6.1, which addresses the issue. Users are strongly recommended to quickly upgrade their Bricks Builder Theme installations to this current version to reduce the risk of exploitation. Furthermore, to improve website security and resilience against future vulnerabilities, implement security plug-ins and keep the themes and plug-ins updated on a regular basis.
February 20, 2024
VMware Plug-in Vulnerable to Session Hijacking
Type of vulnerability: Security vulnerabilities affecting the deprecated VMware EAP.
The problem: CVE-2024-22245 and CVE-2024-22250 put Windows domains vulnerable to authentication relay and session hijack attacks. Attackers can use these issues to transmit Kerberos service tickets and obtain control of privileged enhanced authentication plug-in (EAP) connections, possibly granting unauthorized access to sensitive systems and data. Despite VMware’s three-year-old deprecation statement, unprotected systems remain at risk.
The fix: System administrators must remove both the in-browser plug-in/client (VMware Enhanced Authentication Plug-in 6.7.0) and the Windows service (VMware Plug-in Service). They can do so by using the provided PowerShell commands to uninstall or disable the service.
Administrators may also want to employ alternative authentication methods recommended by VMware. This includes using Active Directory over LDAPS, Microsoft Active Directory Federation Services (ADFS), Okta, or Microsoft Entra ID (formerly Azure AD) to reduce the risk posed by the deprecated EAP.
February 21, 2024
5 Vulnerabilities Impact Joomla CMS
Type of vulnerability: Mail address escaping, XSS, and remote code execution.
The problem: Joomla vulnerabilities include inadequate session termination (CVE-2024-21722), open redirect (CVE-2024-21723), XSS in media selection (CVE-2024-21724), mail address escaping (CVE-2024-21725), and remote code execution via XSS (CVE-2024-21726). Attackers use these issues to execute arbitrary code, modify sessions, and launch XSS attacks. These pose serious threats to site integrity and user data.
CVE-2024-21725 is most likely to be exploited. CVE-2024-21726, while moderate, allows remote code execution via XSS, which requires user input and may lead to broader attacks if administrators open fraudulent links.
The fix: Joomla has provided updates for versions 5.0.3 and 4.4.3, which address the highlighted vulnerabilities. Users need to promptly upgrade their Joomla installations to reduce the risk of exploitation. While precise technical information has not been revealed to prevent broad attacks, immediate action is required to protect websites from prospective threats.
ScreenConnect Servers Compromised, Urgent Patch Needed
Type of vulnerability: Authentication bypass and path traversal flaws.
The problem: ConnectWise ScreenConnect’s authentication bypass (CVE-2024-1709) and path traversal (CVE-2024-1708) issues pose severe security risks, allowing a full system compromise. Attackers use these flaws to circumvent login procedures, obtaining unauthorized access and potentially compromising sensitive data. The path traversal bug allows attackers to travel outside directory boundaries and gain access to key system files.
Exploitation causes data breaches, system instability, and service disruptions, affecting organizational security and continuity. Furthermore, threat actors use the authentication bypass issue to spread LockBit ransomware on infiltrated networks, specifically targeting vulnerable ScreenConnect servers. Despite law enforcement efforts, LockBit attacks continue to target important infrastructure such as municipal governments and healthcare providers.
The fix: To prevent risks, urgently update on-premise servers to version 23.9.8. ConnectWise ensures that cloud instances are secure. Implement detection guidelines to monitor for unauthorized access. Federal authorities recommend safeguarding computers by February 29.
Looking for a guide on patching vulnerabilities? Check out patch management best practices and steps.
February 22, 2024
Vulnerability in Apple Shortcuts Raises Security Concerns
Type of vulnerability: Security vulnerability in Apple’s Shortcuts.
The problem: CVE-2024-23204 enables attackers to create malicious Shortcuts files that can evade Apple’s Transparency, Consent, and Control (TCC) security system. It allows illegal access to sensitive data on macOS and iOS devices without user approval.
Attackers can covertly extract personal information and system data, jeopardizing user privacy and perhaps leading to identity theft or other criminal activity. Bitdefender’s investigation shows that data can be exfiltrated using encrypted image files, highlighting the severity of potential misuse and the need for mitigation.
The fix: Apple has rolled out security updates for macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3. Users should upgrade the Shortcuts software as soon as possible. The increasing incidence of Apple security vulnerabilities emphasizes the importance of frequent upgrades and exercising vigilance when using shortcuts from untrustworthy sources.
February 23, 2024
Lockbit Ransomware Relaunches Operations After Takedown
Type of vulnerability: System vulnerabilities in initial access, privilege escalation, and credential access.
The problem: LockBit ransomware, formerly known as “ABCD” ransomware, has gained traction in recent months as a separate threat in the extortion tool market. LockBit is a malicious application that encrypts computers and demands a ransom payment for access.
Authorities shut down LockBit’s infrastructure on February 20, but the gang restarted operations within days, citing failure to update PHP servers as the entrance point for law enforcement. The hack revealed vital data, including decryption keys and affiliate information, jeopardizing victims’ security and potentially revealing sensitive data.
The fix: Organizations may take a variety of preventive measures to reduce cybersecurity risks, such as increasing password complexity, segmenting networks, frequently updating software, enabling multifactor authentication, and raising awareness about phishing threats. CISA released a list of mitigations against LockBit’s activity. Enhanced law enforcement efforts continue against LockBit ransomware operators, including offering incentives for any lead information.
Read next:
- VulnRecap 2/19/24 – News from Microsoft, Zoom, & SolarWinds
- 6 Best Vulnerability Management Software & Systems in 2024
- What Is Patch Management? Vulnerability Protection Done Right
