The United States Cybersecurity and Infrastructure Security Agency (CISA) has officially added two critical vulnerabilities to its Known Exploited Vulnerabilities catalogue. These vulnerabilities have been actively exploited, and their impact is significant:
CVE-2012-4792: A decade-old use-after-free vulnerability in Microsoft Internet Explorer. Exploitation of this flaw allows threat actors to execute arbitrary code via malicious websites. CVE-2012-4792 has a CVSS score of 9.3.
CVE-2024-39891: An exploitable information disclosure bug affecting Twilio Authy. In an unauthenticated context, attackers can submit requests containing a phone number and receive information about phone number registration with Authy. CVE-2024-39891 has a CVSS score of 5.3.
CISA emphasizes that these vulnerabilities remain attractive attack vectors for malicious threat actors, posing a severe risk to federal enterprises.
Bhutan Targeted by Patchwork Hackers
The threat actor known as Patchwork (also tracked as APT-C-09, Dropping Elephant, Viceroy Tiger, Zinc Emerson, and Operation Hangover) has intensified its cyber attacks against entities associated with Bhutan. Notably, this state-sponsored Indian group, previously inactive since 2009, has now adopted red teaming software for its operations.
Flaws in Microsoft Defender Enable ACR, Lumma, and Meduza Stealers
Fortinet FortiGuard Labs has detected an ongoing information stealer campaign affecting Spain, Thailand, and the United States. The campaign leverages booby-trapped files to exploit a now-patched vulnerability (CVE-2024-21412) in Microsoft Defender SmartScreen. This high-severity vulnerability allows attackers to sidestep SmartScreen protection and drop malicious payloads.
The attack chain, according to Cara Lin, a cybersecurity researcher, involves the following steps:
- Attackers lure victims into clicking a crafted link to a URL file, which downloads an LNK file.
- The LNK file then downloads an executable file containing an HTML Application (HTA) script.
- The HTA file decodes and decrypts PowerShell code, retrieving decoy PDF files.
- A shellcode injector deploys either the Meduza Stealer or the Hijack Loader, which launches the ACR Stealer or Lumma.
Notably, ACR Stealer conceals its command-and-control communication using a dead drop resolver (DDR) technique on the Steam community website.
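A defender-side way to hunt for this chain in process-creation telemetry, as an added example that is not from the FortiGuard report: it walks each PowerShell process's parent chain and flags it only when a shortcut (.url/.lnk) launch and an mshta.exe stage appear in that order before it. The event records, process names and paths below are constructed.

```python
"""Ancestry check for the chain in the report: shortcut (.url/.lnk) -> dropped
executable -> HTA run by mshta.exe -> PowerShell. Records below are constructed."""
import re
from typing import Callable, List, Tuple

Event = Tuple[int, int, str, str]  # (pid, ppid, image, command_line)

# Constructed sample telemetry: pid 150 is a benign admin script; 201..205 mirror
# the chain's shape. Ancestry of 205: 100 -> 201 -> 202 -> 203 -> 204 -> 205.
EVENTS: List[Event] = [
    (100, 1,   "explorer.exe",   "explorer.exe"),
    (150, 100, "powershell.exe", r"powershell.exe -File C:\ops\patch.ps1"),
    (201, 100, "explorer.exe",   r"explorer.exe C:\Users\a\Downloads\Invoice.url"),
    (202, 201, "cmd.exe",        r"cmd.exe /c C:\Users\a\Downloads\Invoice.lnk"),
    (203, 202, "update.exe",     r"C:\Users\a\AppData\Local\Temp\update.exe"),
    (204, 203, "mshta.exe",      r"mshta.exe C:\Users\a\AppData\Local\Temp\d.hta"),
    (205, 204, "powershell.exe", "powershell.exe -w hidden -enc Q09OU1RSVUNURUQ="),
]

def _has_ext(cmd: str, *exts: str) -> bool:
    return any(re.search(rf"\.{e}\b", cmd, re.I) for e in exts)

# Stages in chain order; each predicate takes (image, command_line).
STAGES: List[Tuple[str, Callable[[str, str], bool]]] = [
    ("shortcut",   lambda img, cmd: _has_ext(cmd, "url", "lnk")),
    ("hta",        lambda img, cmd: img.lower() == "mshta.exe"),
    ("powershell", lambda img, cmd: img.lower() in ("powershell.exe", "pwsh.exe")),
]

def lineage(events: List[Event], pid: int, max_depth: int = 10) -> List[Event]:
    """Ancestry of pid, root first; stops at unknown parents, cycles or max_depth."""
    by_pid = {e[0]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid][1]
    return chain[::-1]

def matches_chain(chain: List[Event]) -> bool:
    """True when the stages appear, in order, as a subsequence of the lineage."""
    i = 0
    for _, _, img, cmd in chain:
        if i < len(STAGES) and STAGES[i][1](img, cmd):
            i += 1
    return i == len(STAGES)

def detect(events: List[Event]) -> List[int]:
    """PIDs of PowerShell processes whose ancestry shows the whole chain."""
    return [e[0] for e in events
            if STAGES[-1][1](e[2], e[3]) and matches_chain(lineage(events, e[0]))]
```

Running `detect(EVENTS)` flags only pid 205; the benign admin script (pid 150) shares the same explorer.exe root but has no shortcut or mshta.exe stage in its ancestry.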
CrowdStrike Incident: Windows Outage Explained
CrowdStrike, a prominent cybersecurity firm, has explained the cause of last Friday's widespread outage. The incident, which affected millions of Windows devices, was attributed to an issue with CrowdStrike's validation system. According to the company's Preliminary Post Incident Review:
“On Friday, July 19, 2024, at 04:09 UTC, as part of regular operations, CrowdStrike released a content configuration update for the Windows sensor. This update aimed to gather telemetry on possible novel threat techniques—a routine aspect of the dynamic protection mechanisms within the Falcon platform. Unfortunately, the Rapid Response Content configuration update led to a system crash on Windows hosts running sensor version 7.11 and above.”
Notably, Apple macOS and Linux systems remained unaffected during this incident.