TOP-5 IT events of the week according to Jet CSIRT

TOP-5 IT events of the week according to Jet CSIRT

Today in the TOP-5 – fixes for security vulnerabilities from VMware, emergency zero-day patches from Apple, the malicious AI worm Morris II, a fixed version of TeamCity, an overview of attacks by the Shadow group. The news was prepared by Danylo Kiryakov, an analyst of the information security center of Infosystems Jet.

Published security fixes for vulnerabilities in ESXi, Workstation, Fusion

VMware has released patches to address four security vulnerabilities affecting ESXi, Workstation, and Fusion, including two critical vulnerabilities that could lead to RCE. CVE-2024-22252 (CVSS: 9.3) and CVE-2024-22253 (CVSS: 9.3) are related to the use of pointers after freeing memory in the USB XHCI controller. CVE-2024-22254 (CVSS: 7.9) – Out-of-memory buffer write vulnerability in ESXi that an attacker with privileges in a VMX process could use to escape from the sandbox. CVE-2024-22255 (CVSS: 7.1) involves an information disclosure in the USB UHCI controller that an attacker with administrative access to a virtual machine could use to leak memory from VMX.

Organizations are recommended to install the latest patches for the following versions:

ESXi 6.5 – 6.5U3v
ESXi 6.7 – 6.7U3u
ESXi 7.0 – ESXi70U3p-23307199
ESXi 8.0 – ESXi80U2sb-23305545 and ESXi80U1d-23299997
VMware Cloud Foundation (VCF) 3.x – ESXi670-202403001
Workstation 17.x – must upgrade to version 17.5.1
Fusion 13.x (macOS) – must upgrade to version 13.5.1

Emergency Zero-day patches from Apple

Apple has released emergency patches for two zero-day vulnerabilities in iOS that are already being used by attackers in attacks. The first vulnerability, CVE-2024-23225 (CVSS: 7.8), was found in the iOS kernel, the second vulnerability, CVE-2024-23296 (CVSS: 7.8), was found in RTKit. The vulnerabilities involve memory corruption in the kernel and allow an attacker to read and write to the kernel, which can be used to protect kernel memory.

Apple device owners are advised to install security updates as soon as possible.

II worm Morris II as a new type of cyber attacks

A group of scientists from Cornell Tech has introduced a first-of-its-kind malicious AI worm capable of automatically spreading between generative AI agents. This opens up avenues for potential data theft and spamming in connected AI ecosystems. Researchers have developed a worm called Morris II that can attack AI-based mail assistants, breaking the security of ChatGPT and Gemini systems. The focus is on self-replicating hostile queries that resemble traditional SQL Injection and Buffer Overflow attacks. The researchers reported their findings to Google and OpenAI. A representative of the company OpenAI noted the work on strengthening the resistance of its systems to such attacks, while the company Google refused to comment on the research.

A patch for critical JetBrains vulnerabilities has been released

JetBrains has released a patched version of TeamCity. In February 2024, the Rapid7 Vulnerability Research Team discovered two new vulnerabilities, CVE-2024-27198 (CVSS: 9.8) and CVE-2024-27199 (CVSS: 7.3), affecting the JetBrains Team CI/CD server

The most severe vulnerability, CVE-2024-27198 (CVSS: 9.8), allows a remote, unauthenticated attacker to completely compromise a vulnerable TeamCity server. Compromising a TeamCity server allows an attacker to gain complete control over all TeamCity projects, assemblies, agents, and artifacts. The second vulnerability, CVE-2024-27199 (CVSS: 7.3), allows access to a limited amount of information and system modification, including having an unauthenticated attacker replace the HTTPS certificate on the vulnerable TeamCity server with a certificate of the attacker’s choice.

Due to the active exploitation of these vulnerabilities by attackers, users using local versions of the software are advised to upgrade to a new version as soon as possible to eliminate potential threats.

The Shadow group attacked more than 100 Russian companies in a year

FACCT specialists conducted an analysis of the contents of the server observed in the attacks on the territory of Russia and found that the Shadow group began active activities already in September 2022, and not in the spring of 2023, as previously assumed. During this time, Shadow attacked more than 100 Russian companies of various industries, and in 10 cases the attacks were successful. A server with an open directory containing logs and configuration files of a number of pentest tools such as SQLMap, Metasploit, ProxyShell-Scanner, DockerRegistryGrabber, Cobalt Strike, Mythic Athena, Sliver was discovered in early September last year. An SSH public key issued on December 25, 2020 and an OpenVPN SSL certificate dated January 25, 2021 were found on the server. However, attacks using this server began much later. Further investigation revealed the Shadow cyber group’s connection to Comet and DARKSTAR. All victims of the compromise have already been notified of the situation.

Related posts