The HighPoint Security Hub – Jan 16, 2024

Navigating the ever-evolving landscape of cyber threats is a constant challenge. “The Security Hub” is here to make it easier, offering a succinct overview of the most pressing developments from the past two weeks.

This week, Apple hardware was used to target senior Kaspersky employees, CISA flagged critical vulnerabilities in Sharepoint and the number of malware loader attacks spiked.


Global Developments

  1. An Apple hardware feature has been abused to take over devices in an attack targeting dozens of senior Kaspersky employees. Operation Triangulation was described by Kaspersky as ‘the most sophisticated attack chain’ it has ever observed to date. The spyware is believed to have been active since at least 2019. Read more.
  2. A newly discovered SLAM attack poses a risk to both AMD and future Intel CPUs, allowing attackers to steal sensitive data from affected processors. SLAM takes advantage of a memory feature that allows software to use untranslated address bits in 64-bit linear addresses for storing metadata. Read more.
  3. Ivanti has released a patch to address a critical flaw impacting its Endpoint Manager solution. The flaw, if exploited, could lead to remote code execution on vulnerable servers. Read more.


Commonly Used Tools and Gadgets

  1. Cisco has patched a Unity Connection security vulnerability that allows unauthenticated attackers to gain root privileges remotely. Unpatched devices running the virtual messaging and voicemail solution are exposed to attacks that allow an attacker to execute commands on the underlying operating system. Read more.
  2. The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical vulnerability in Microsoft Sharepoint that could allow attackers to gain administrator privileges. Microsoft released initial patches in June 2023, and federal agencies are urged to apply the new patches by January 31, 2024 to secure against active threats. Read more.
  3. Microsoft released its first update of the year with patches for 48 vulnerabilities. The January 2024 update shows no evidence of active exploitation, making it the second consecutive update with no zero-days. Read more.
  4. Hackers are using a new exploitation technique that abuses the Simple Mail Transfer Protocol (SMTP). It enables threat actors to send spoofed emails with fake sender addresses that bypass security measures, allowing for targeted phishing attacks. Read more.
  5. Juniper released an advisory in response to vulnerabilities that could allow attackers to exploit affected systems. Read more.


Malware and Ransomware

  1. A new malware loader is being utilised by threat actors to deliver widespread information stealers. Daily detections have spiked from single digits to hundreds per day. Experts attribute its popularity to ready-made malware solutions being usable by even the least technically skilled threat actors. Read more.
  2. A new variant of the Bandook remote access trojan has recently been used in phishing attacks aimed at Windows machines. The malware is distributed via PDF files and can be used to gain control of infected systems. Read more.
  3. Researchers have created a decryptor that exploits a vulnerability in the Black Basta ransomware. This decryptor allows victims of an attack to recover their files for free. However, Black Basta developers have acted quickly to patch this vulnerability, preventing the decryptor from being used in newer attacks. Read more.

Wrapping It Up

The cybersecurity landscape is ever-changing and staying informed is paramount to staying protected. Keep an eye on these developments and ensure your security measures are up to the task.

Do our bi-weekly insights prove valuable to you? Have you noticed trends or threads that you think our community should know about? Connect and share your insights with us on LinkedIn.

Get in touch to learn more