Threat Intel Brief for September 9 - September 15, 2024

In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.

In this weekly Threat Intelligence Brief we look back at top stories and security-related callouts to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
Abusing Refresh HTTP Response Header (Phishing)
North Korean threat actors spoofing legitimate orgs to deliver malware
Microsoft September 2024 Patch Tuesday
CISA KEV updates

Abusing Refresh HTTP Response Header (Phishing)

Unit 42 researchers observed large-scale phishing campaigns using refresh entries in HTTP response headers, with around 2,000 malicious URLs detected over a one-month period. These attacks redirect browsers to malicious pages automatically, primarily targeting individuals in the financial sector, internet portals, and government domains through spoofed webmail login pages. The use of legitimate or compromised domains makes it difficult to detect these malicious URLs, increasing the effectiveness of the campaigns.

The technique works by embedding the targeted user's email into the refresh field of the HTTP response header. This will trigger an automatic refresh of the malicious webpage and pre-fill the user's email address into the spoofed login portal.

Source: Unit42

North Korean threat actors spoofing legitimate orgs to deliver malware

Microsoft researchers identified the North Korean threat actor Storm-1877 targeting software developers by pretending to be legitimate companies and delivering malware variants across Windows, Linux, and Mac. Previously, Storm-1877 used fake job offers to deliver malware aimed at stealing cryptocurrency, but the group has now evolved its tactics, enhancing its operational effectiveness.

The new approach from Storm-1877 involves the attempted deployment of malware disguised as video conferencing applications. Several of the domains used were crafted to imitate legitimate subdomains coming from Zoom. Unit 42 also detailed activity from this same threat actor back in November.

Source: Microsoft Threat Intelligence (Defender/XDR) / Unit42

Microsoft September 2024 Patch Tuesday

79 total vulnerabilities fixed, including 7 rated as critical severity. Affected products include Windows, Office, SQL Server, Azure, Dynamics and ESU.

4 actively exploited zero-day vulnerabilities patched, including:

CVE-2024-38014: Windows Installer Elevation of Privilege - CVSS 7.8
CVE-2024-38217: Windows Mark of the Web Security Feature Bypass - CVSS 5.4
CVE-2024-38226: Microsoft Publisher Security Feature Bypass - CVSS 7.3
CVE-2024-43491: Microsoft Windows Update Remote Code Execution - CVSS 9.8

Official Microsoft release notes with links to all the individual CVEs can be found here: https://msrc.microsoft.com/update-guide/releaseNote/2024-Sep

Source: bleepingcomputer

CISA KEV updates

CISA has added 8 CVE's to their Known Exploited Vulnerability (KEV) catalog this week:

CVE-2024-8190 - Ivanti Cloud Services Appliance OS Command Injection Vulnerability - CVSS 7.2
CVE-2024-38226 - Microsoft Publisher Protection Mechanism Failure Vulnerability - CVSS 7.3
CVE-2024-43491 - Microsoft Windows Update Use-After-Free Vulnerability - CVSS 9.8
CVE-2024-38014 - Microsoft Windows Installer Improper Privilege Management Vulnerability - CVSS 7.8 CVE-2024-38217 - Microsoft Windows Mark of the Web (MOTW) Protection Mechanism Failure Vulnerability - CVSS 5.4
CVE-2016-3714 - ImageMagick Improper Input Validation Vulnerability - CVSS NA
CVE-2017-1000253 - Linux Kernel PIE Stack Buffer Corruption Vulnerability - CVSS NA
CVE-2024-40766 - SonicWall SonicOS Improper Access Control Vulnerability - CVSS 9.3

Don't know where to begin with vulnerability management?

Using CISAs KEV catalog as a risk-based approach can be a great way to help prioritize vulnerability remediation in your organization. This link provides guidance on how to implement the KEV CISA .

Source: Known Exploited Vulnerabilities Catalog | CISA