In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.
We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.
In this edition:
Gitlab releases fix for critical SAML authentication bypass flaw
Realistically Assessing the Threat of Clickjacking Today
Construction Companies Potentially Vulnerable Through Accounting Software
CISA Warns of Windows Flaw Used in Infostealer Malware Attacks
CISA KEV Updates
GitLab Releases Fix for Critical SAML Authentication Bypass Flaw
GitLab has released a critical security update to address a SAML authentication bypass vulnerability affecting both the Community Edition (CE) and Enterprise Edition (EE) of GitLab. This flaw, identified as CVE-2024-45409, has a CVSS score of 10, indicating its high severity. The vulnerability stems from improper signature verification in the Ruby-SAML library, which could allow an unauthenticated attacker to forge a SAML response and gain access to GitLab as any user.
To mitigate this issue, GitLab has updated the omniauth-saml dependency to version 2.2.1 and the ruby-saml library to version 1.17.0. Users are advised to enable two-factor authentication (2FA) for all accounts and disable the SAML two-factor bypass option.
Source: Bleeping Computer
Realistically Assessing the Threat of Clickjacking Today
An article from Raxis explains that clickjacking is a type of attack where an attacker tricks a user into clicking on something different from what the user perceives, often by embedding a malicious page within an iframe on a legitimate-looking site. This can lead to unintended actions such as unauthorized purchases or revealing sensitive information.
An iframe, short for inline frame, is an HTML element that allows you to embed another HTML document within the current web page.
The article highlights the following key points:
- Mechanism: Clickjacking exploits the lack of proper protections against embedding web pages in iframes.
- Targets: Vulnerable pages typically allow actions that can be executed with a single click, affect logged-in users, and have undesirable effects.
- Defense: Implementing proper security measures, such as the X-Frame-Options header, can prevent clickjacking attacks.
The X-Frame-Options HTTP response header is used to control whether a browser should be allowed to render a page in a frame, iframe, embed, or object. This header helps protect against clickjacking attacks by ensuring that your content is not embedded into other sites without your permission.
Source: Raxis: ClickJacking
Construction Companies Potentially Vulnerable Through Accounting Software
The article discusses a significant cybersecurity issue affecting the construction industry, specifically targeting users of Foundation Software, a widely used accounting software. Here are the key points:
- Vulnerability: Hackers are exploiting default usernames and passwords in older versions of Foundation Software, allowing them to gain unauthorized access through brute force attacks.
- Impact: The attacks have affected various subcontractors, including those in plumbing, HVAC, and concrete sectors.
- Discovery: The cybersecurity firm Huntress identified this emerging threat and reported that many companies had not changed the default credentials that come with the software.
- Mitigation: Foundation Software is urging affected users to switch to their hosted environment and change their credentials to prevent further intrusions.
Source: Recorded Future
CISA Warns of Windows Flaw Used in Infostealer Malware Attacks
CISA Warning: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a recently patched Windows MSHTML spoofing zero-day vulnerability.
The vulnerability in question, identified as CVE-2024-43461, has significant implications:
- Exploitation: It has been actively exploited by the Void Banshee APT hacking group to deploy infostealer malware, which can steal sensitive information from infected systems.
- Target: The primary targets are Windows systems, and the exploitation involves spoofing the MSHTML component, which is used by Internet Explorer and other applications.
- Impact on Federal Agencies: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal agencies secure their systems against this vulnerability, highlighting its severity.
- Broader Risk: Beyond federal agencies, any organization using vulnerable Windows systems is at risk, potentially leading to data breaches and other security incidents.
- Patch Release: The vulnerability was disclosed during this month's Patch Tuesday, and Microsoft initially classified it as not exploited in attacks.
Source: Bleeping Computer
CISA KEV Updates
CISA has added 11 CVE's to their Known Exploited Vulnerability (KEV) catalog this week:
CVE-2024-8963 - Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
CVE-2024-8963 - Apache HugeGraph-Server Improper Access Control Vulnerability
CVE-2020-0618 - Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
CVE-2022-21445 - Oracle ADF Faces Deserialization of Untrusted Data Vulnerability
CVE-2020-14644 - Oracle WebLogic Server Remote Code Execution Vulnerability
CVE-2014-0497 - Adobe Flash Player Integer Underflow Vulnerability
CVE-2013-0643 - Adobe Flash Player Incorrect Default Permissions Vulnerability
CVE-2013-0648 - Adobe Flash Player Code Execution Vulnerability
CVE-2014-0502 - Adobe Flash Player Double Free Vulnerability
CVE-2024-43461 - Microsoft Windows MSHTML Platform Spoofing Vulnerability
CVE-2024-6670 - Progress WhatsUp Gold SQL Injection Vulnerability
Source: Known Exploited Vulnerabilities Catalog | CISA