The biggest cyber attacks and vulnerabilities from July 2024

Insights and trends from recent cyber threats and vulnerabilities from July.

Arjun Pednekar, Technical Director, Cognisys

31st July 2024

Welcome to our monthly update where we delve into some of the most significant cyber attacks and vulnerabilities that have been reported. In July, we witnessed a critical security regression in OpenSSH, a severe outage in CrowdStrike Falcon, and a sophisticated phishing operation targeting KnowBe4. Read on to find out more about these incidents and other cyber attacks and vulnerabilities that made the headlines in July.

1. New critical SSH vulnerability released

On 1st July, a security regression (CVE-2024-6387) was found in OpenSSH’s server (sshd), reintroducing a vulnerability that had originally been patched in 2006. The high-severity issue, dubbed regreSSHion and carrying a CVSS v3 base score of 8.1, stems from a remote race condition; winning the race is difficult, typically requiring many connection attempts and defeating Address Space Layout Randomisation (ASLR).

OpenSSH is a widely used tool for secure remote login via SSH, providing encryption and various secure tunnelling and authentication features. The vulnerability, which allows unauthenticated remote code execution as root on glibc-based Linux systems, affects OpenSSH versions earlier than 4.4p1 (if not patched for CVE-2006-5051 and CVE-2008-4109) and versions from 8.5p1 to just before 9.8p1. As of now, no active exploitation of this vulnerability has been reported. Exploiting it is complex, requiring knowledge of the Linux target and potentially lengthy brute-force attempts. This incident underscores the critical importance of timely updates to prevent such vulnerabilities from being exploited.
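A practical first step for defenders is to check the advertised OpenSSH version of every host against the affected ranges given above. The script below is an added example, not code from the original post or from the OpenSSH project; the banner strings in it are constructed, and the hostnames are placeholders. It parses the SSH identification line, compares the upstream version against the two ranges stated in the post, and lists hosts whose patch status needs verifying. A missing "pN" suffix is treated as the first portable release of that version so the range comparison is made on the release number.

```python
import re
import socket
from typing import Iterable, List, Optional, Tuple

# Version ranges affected by CVE-2024-6387 (regreSSHion) as given in the post:
# anything before 4.4p1 (unless patched for CVE-2006-5051 / CVE-2008-4109),
# and 8.5p1 up to, but not including, 9.8p1.
AFFECTED_RANGES = [((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 8, 1))]

# Matches the upstream version inside an SSH identification string such as
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"; the portable "pN" suffix is optional.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

Version = Tuple[int, int, int]


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Return (major, minor, portable) from a banner, or None for non-OpenSSH servers.

    A banner without a "pN" suffix is treated as p1 so that, e.g., "OpenSSH_8.5"
    compares equal to the 8.5p1 release boundary used in the affected ranges.
    """
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 1))


def is_affected_version(banner: str) -> Optional[bool]:
    """True if the advertised upstream version falls in an affected range.

    None means the banner is not OpenSSH (nothing to conclude). A True result is a
    prompt to verify, not proof: distributions often backport the fix without
    changing the upstream version string, so confirm against the vendor advisory
    or the package changelog before treating the host as vulnerable.
    """
    v = parse_openssh_version(banner)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification line, which sshd sends before any authentication."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("utf-8", errors="replace").strip()


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (hostname, banner) pairs, list hosts whose version needs verification."""
    return [host for host, banner in inventory if is_affected_version(banner)]


if __name__ == "__main__":
    # Constructed banners standing in for an inventory export; no network needed.
    # Hostnames are placeholders.
    sample = [
        ("build-01", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"),
        ("bastion", "SSH-2.0-OpenSSH_9.8p1"),
        ("legacy-db", "SSH-2.0-OpenSSH_4.3p2"),
        ("appliance", "SSH-2.0-dropbear_2022.83"),
    ]
    for host in triage(sample):
        print("verify patch status:", host)
```

Feed `triage()` the output of `grab_banner()` for each host in your inventory; hosts reported by it should be cross-checked against the distribution's package changelog, since a backported fix leaves the version string unchanged.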

2. Severe outage in CrowdStrike Falcon

Separately, a severe outage in CrowdStrike Falcon, caused by a flaw in Falcon sensor versions 7.11 and above, had a significant impact across many industries. The flaw, introduced in channel file 291, a configuration update for behavioural protections, specifically affected how Falcon evaluates named pipe execution on Microsoft Windows. The flawed update caused the Falcon sensor to crash, taking the Windows system down with it and producing Blue Screens of Death (BSOD).

The problematic channel file 291 had a timestamp of 2024-07-19 0409 UTC. Although CrowdStrike identified the error and released a corrected version with a timestamp of 2024-07-19 0527 UTC, many users had already updated, leading to widespread system issues. This incident underscores the critical integration of CrowdStrike Falcon into mission-critical operations across various industries, amplifying the impact of the outage.

3. KnowBe4 hires fake engineer

KnowBe4 recently hired a software engineer for their internal IT AI team, following a thorough recruitment process, including interviews, background checks, and reference verifications. However, once the new hire received their Mac workstation, they immediately began loading malware. Despite the HR team conducting four video interviews and confirming the individual’s photo matched the application, it was later revealed that the identity was stolen.

The person used a valid US-based identity that was “AI-enhanced.” The EDR software detected the malware and alerted KnowBe4’s Security Operations Center (SOC). Upon contacting the new hire, suspicions quickly arose. KnowBe4 shared their findings with Mandiant and the FBI, uncovering that the new hire was a fake IT worker from North Korea using an AI-generated photo. The case is now part of an active FBI investigation.

4. Phishing campaign exploits Proofpoint vulnerability

A significant phishing campaign exploited a security vulnerability in Proofpoint’s email filtering systems, sending an average of three million spoofed emails daily from January to June. These emails appeared to be from well-known companies like Disney, IBM, Nike, Best Buy, and Coca-Cola, all of which are Proofpoint customers. The fake messages were convincingly authenticated with legitimate Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures, making them appear trustworthy to recipients.

The phishing emails aimed to lure victims into visiting malicious sites that would phish for their credit card details by offering fake subscription renewals at seemingly low prices. Victims who entered their card information were charged over 100 times the advertised amount with no actual service provided. At its peak, the campaign sent 14 million malicious emails daily. Guardio Security discovered the flaw and alerted Proofpoint in May, aiding in mitigating the issue.

5. Ransomware groups exploit VMware ESXi Flaw

In another alarming development, multiple ransomware groups have exploited a recently patched security flaw (CVE-2024-37085) in VMware ESXi hypervisors. The vulnerability has a CVSS score of 6.8 and allows an authentication bypass via Active Directory integration. Threat actors can gain full administrative access to an ESXi host by re-creating or renaming the configured AD group “ESXi Admins.”

VMware released an advisory about the flaw in late June 2024, highlighting the ease of escalating privileges. Microsoft reported on 29th July that ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have used this technique to deploy Akira and Black Basta ransomware. The attacks underscore the critical need for timely patching and vigilant security practices in enterprise environments, as proactive measures are crucial in preventing such incidents.
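Because the bypass hinges on a domain group with a particular name being created, renamed or populated, the Active Directory audit log is a natural place to detect it. The following detection logic is an added example, not code from the original post, from VMware or from Microsoft. It runs over constructed Windows Security event records (represented as dictionaries with the field names those events carry) and flags any event that creates a group with the watched name, renames an existing group to it, or adds a member to it. The event IDs are standard Windows audit log values; the usernames and distinguished names in the sample are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# The group name the post says attackers re-create or rename to gain ESXi admin rights.
WATCHED_GROUP = "ESXi Admins"

# Windows Security audit event IDs (standard values, not taken from the post).
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to such a group
ACCOUNT_RENAMED = 4781               # "The name of an account was changed"


def _norm(name: str) -> str:
    # An attacker may vary case or spacing in the group name; collapse both before comparing.
    return re.sub(r"\s+", " ", name).strip().casefold()


def classify_event(ev: Dict[str, object]) -> Optional[str]:
    """Return an alert string if the event touches the watched group, else None."""
    eid = ev.get("EventID")
    actor = ev.get("SubjectUserName", "?")
    target = _norm(str(ev.get("TargetUserName", "")))
    watched = _norm(WATCHED_GROUP)
    if eid in GROUP_CREATED and target == watched:
        return f"group '{ev['TargetUserName']}' created by {actor}"
    if eid in MEMBER_ADDED and target == watched:
        return f"'{ev.get('MemberName')}' added to '{ev['TargetUserName']}' by {actor}"
    if eid == ACCOUNT_RENAMED and _norm(str(ev.get("NewTargetUserName", ""))) == watched:
        return f"'{ev.get('OldTargetUserName')}' renamed to '{ev['NewTargetUserName']}' by {actor}"
    return None


def scan(events: Iterable[Dict[str, object]]) -> List[str]:
    """Run classify_event over a stream of parsed events and collect the alerts."""
    alerts = []
    for ev in events:
        alert = classify_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events in the shape of parsed Security log records.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "ESXi Admins", "TargetDomainName": "CORP",
     "SubjectUserName": "jdoe"},
    {"EventID": 4727, "TargetUserName": "Finance-Users", "TargetDomainName": "CORP",
     "SubjectUserName": "hr-admin"},
    {"EventID": 4781, "OldTargetUserName": "Marketing", "NewTargetUserName": "esxi  admins",
     "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "ESXi Admins", "TargetDomainName": "CORP",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "SubjectUserName": "jdoe"},
    {"EventID": 4624, "TargetUserName": "jdoe", "SubjectUserName": "-"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In production the same logic sits behind a SIEM rule keyed on these event IDs; the normalisation step matters because a group called "esxi  admins" with doubled spaces or different casing still satisfies the bypass described in the advisory.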

6. ServiceNow vulnerabilities exploited: Data of 105 databases for sale

A threat actor on BreachForums claims to have harvested email addresses and associated hashes from over 105 ServiceNow databases by exploiting two recently disclosed critical vulnerabilities. These vulnerabilities, CVE-2024-4879 and CVE-2024-5217, have CVSS scores of 9.3 and 9.2, respectively. Researchers from Resecurity’s HUNTER team warned last week that these flaws were being actively exploited.

The threat actor is selling the stolen data for $5,000. CVE-2024-4879 is an input validation vulnerability in ServiceNow’s “Vancouver” and “Washington DC” versions, allowing unauthenticated remote code execution. CVE-2024-5217 is a similar flaw affecting these and earlier editions. Both vulnerabilities are easy to exploit and require no user interaction. This incident highlights significant security risks and the urgency for organisations to patch these critical flaws.

7. Stargazer Goblin’s GitHub malware network uncovered

A threat actor, dubbed Stargazer Goblin, has created a network of over 3,000 GitHub accounts to distribute malware and malicious links, reports Check Point. This network, known as the Stargazers Ghost Network, has been operational since August 2022 and functions as a distribution-as-a-service (DaaS) operation. Victims are lured to phishing repositories, where information-stealing malware such as Atlantida Stealer, Lumma Stealer, Rhadamanthys, RisePro, and RedLine is distributed.

Stargazer Goblin began advertising this service on underground forums in July 2023 and has earned over $100,000, including $8,000 from mid-May to mid-June 2024 alone. The network uses multiple GitHub accounts to star and verify malicious links to appear legitimate. Automation aids in creating phishing templates targeting various social platforms. Many repositories contain download links to external sites, with some hosting password-protected archives to evade GitHub’s scanners.

8. RockYou2024 leak: 10 billion passwords exposed

Finally, a popular hacking forum has seen the leak of a massive file named RockYou2024 (rockyou.txt), containing nearly 10 billion unique plaintext passwords. This compilation includes passwords from both old and recent data breaches. The list is valuable for cyber criminals because it features real-world passwords, making it useful for brute-force attacks against accounts. However, given the list’s size, direct online attacks are impractical; it is better suited to offline password cracking by those who have already stolen password databases.

The leaked passwords could be combined with other breach data, such as username-password pairs, to exploit reused passwords. If threat actors also have hashed password lists, they might try to match these hashes. Although plaintext passwords simplify attacks compared to pass-the-hash methods, the latter approach is still relevant for vulnerable services. At Cognisys, we have a password cracking service that uses a state-of-the-art machine we call “Kraken” to review password hashes.
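The defensive counterpart to a leak like this is to screen passwords against the compilation at the moment they are set, so that a reused or previously breached password is rejected before it can be exploited. The script below is an added example, not code from the original post or from Cognisys; the breach list in it is a tiny constructed stand-in for a file like rockyou.txt, and the usernames are constructed. It indexes breached passwords by SHA-1 hash, bucketed on a five-character prefix in the k-anonymity style used by public breached-password APIs, so a client can check a password by sending only the prefix and matching the returned suffixes locally.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed stand-in for a breach compilation; a real list has billions of entries.
CONSTRUCTED_LEAK = ["123456", "password", "qwerty", "letmein", "Summer2024!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the convention used by breached-password APIs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Index breached passwords by SHA-1, bucketed by the first five hex characters.

    Bucketing mirrors the k-anonymity scheme: a client sends only the prefix and
    receives every suffix in that bucket, so the server never learns which
    password was checked and cannot tell a hit from a miss.
    """

    def __init__(self, passwords: Iterable[str]) -> None:
        self._buckets: Dict[str, Set[str]] = defaultdict(set)
        for pw in passwords:
            h = sha1_hex(pw)
            self._buckets[h[:5]].add(h[5:])

    def range_query(self, prefix: str) -> Set[str]:
        """What a server would return for a 5-character prefix: all suffixes in the bucket."""
        return set(self._buckets.get(prefix.upper(), ()))


def is_breached(index: BreachIndex, candidate: str) -> bool:
    """Client side of the check: query by prefix, match the suffix locally."""
    h = sha1_hex(candidate)
    return h[5:] in index.range_query(h[:5])


def screen_credentials(index: BreachIndex, records: Iterable[Tuple[str, str]]) -> List[str]:
    """At password set/reset time, return the usernames whose chosen password is breached."""
    return [user for user, pw in records if is_breached(index, pw)]


if __name__ == "__main__":
    idx = BreachIndex(CONSTRUCTED_LEAK)
    # Constructed password-change requests; usernames are placeholders.
    requests = [("alice", "qwerty"), ("bob", "Tr0ub4dor&3-x9"), ("carol", "Summer2024!")]
    for user in screen_credentials(idx, requests):
        print(f"reject password change for {user}: appears in breach data")
```

Hooking `screen_credentials()` into the password-change path turns a breach list from an attacker's asset into a policy control, and because the client only ever transmits a hash prefix, the check can be delegated to an external service without disclosing the password being tested.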

Did you know that human error is a major contributor to cyber security incidents?

In busy workplaces, employees sometimes take shortcuts that can pose serious risks. For example, letting a family member use a work laptop might unintentionally spread malware throughout the company’s network, causing major damage. Such seemingly harmless actions can lead to costly disasters. The World Economic Forum reports that 95% of cyber security incidents stem from human error, making it crucial for us to be cautious and attentive in our actions.

Stay secure, stay informed, and most importantly, stay engaged. Your active participation in the cyber security community is crucial for our collective safety. Why not talk to us about your cyber security requirements?