24.11.24 Threat Report

Apple Issues Emergency Security Updates to Address Critical Vulnerabilities

Apple has released urgent software updates to fix two critical security flaws that are currently being exploited by attackers. These vulnerabilities could allow malicious web content to execute harmful code or perform cross-site scripting (XSS) attacks. Users are urged to update their devices immediately to reduce the risk of exploitation.

‍

The updates address security weaknesses in multiple Apple platforms, including iOS, iPadOS, macOS, visionOS, and the Safari web browser.

‍

Details of the Vulnerabilities

‍

CVE-2024-44308 (CVSS Score: 8.8)

1. Description: A flaw in JavaScriptCore that could enable attackers to execute arbitrary code through malicious web content.
2. Impact: High, as this allows full code execution.

CVE-2024-44309 (CVSS Score: 6.1)

1. Description: A vulnerability in WebKit's cookie management system that could be used for cross-site scripting (XSS) attacks via harmful web content.
2. Impact: Medium, with potential data exposure.

‍

Security Enhancements

Apple has addressed these vulnerabilities with:

• Enhanced input validation for CVE-2024-44308.
• Improved state management for CVE-2024-44309.

‍

Affected Devices and Updates

• iOS 18.1.1 / iPadOS 18.1.1: For iPhone XS and later, newer iPad Pro models, iPad Air (3rd gen+), iPad (7th gen+), and iPad mini (5th gen+).
• iOS 17.7.2 / iPadOS 17.7.2: For older iPhone XS and later, iPad Pro (13-inch, 2nd gen+), and other compatible devices.
• macOS Sequoia 15.1.1: For devices running macOS Sequoia.
• visionOS 2.1.1: For Apple Vision Pro.
• Safari 18.1.1: For Macs running macOS Ventura and macOS Sonoma.

‍

Recommendations

All users should update their devices as soon as possible to safeguard against these actively exploited vulnerabilities. To install the updates, navigate to your device’s Settings > General > Software Update section and follow the on-screen instructions.

‍

Palo Alto Network Firewalls Compromised via Critical Vulnerabilities

Attackers have exploited two critical vulnerabilities in Palo Alto Networks firewalls, compromising thousands of devices and deploying malicious software. The breaches have allowed attackers to install web-accessible backdoors, cryptocurrency miners, and other malware, effectively taking control of the affected firewalls.

‍

Approximately 2,000 firewalls were compromised, according to reports from Shadowserver and Onyphe. This number has reduced to around 800, likely due to remediation efforts following the release of patches. Despite these reports, Palo Alto Networks maintains that the exploitation is limited to "a small number" of installations.

‍

The exploited devices were exposed via their PAN-OS management interfaces, which are accessible either from the internet or through internal networks.

‍

Vulnerabilities and Exploits

CVE-2024-0012 (Critical, CVSS Score: 9.3)

1. Description: An authentication bypass vulnerability.
2. Impact: Allows attackers to gain unauthorised access.

‍

CVE-2024-9474 (Medium, CVSS Score: 6.9)

1. Description: A privilege escalation flaw.
2. Impact: Enables attackers to elevate privileges for arbitrary administrative actions.

‍

Exploitation Timeline

• Exploited as zero-day vulnerabilities prior to the patch release.
• Attack intensity increased following the public disclosure of a proof-of-concept exploit.
• Deployed malware includes web shells, Sliver implants, and cryptocurrency miners.

‍

Recommendations

1. Apply the latest patches immediately.
2. Restrict PAN-OS management interface access to trusted networks.
3. Monitor for Indicators of Compromise (IoCs), including known Sliver implants.
4. Conduct thorough firewall log reviews for signs of unauthorised access.

‍

While Palo Alto Networks has acknowledged the vulnerabilities and exploitation, it has refrained from providing precise numbers regarding compromised devices. The company continues to stress the importance of securing management interfaces to prevent further exploitation.

‍

Russian Cyber Campaign Targets Europe and Asia with HATVIBE and CHERRYSPY Malware

A Russian-linked cyber espionage campaign targeting organisations in Europe and Asia has been identified. The campaign, attributed to the TAG-110 threat actor group, employs HATVIBE and CHERRYSPY malware for intelligence gathering.

‍

Attribution and Threat Actor Details

The activity, attributed to TAG-110 by Recorded Future’s Insikt Group, overlaps with:

• UAC-0063: Tracked by CERT-UA (Computer Emergency Response Team of Ukraine).
• APT28: A well-known Russian cyber espionage group active since at least 2021.

‍

The campaign appears to align with Russian geopolitical objectives, particularly in post-Soviet states and NATO-aligned countries.

‍

Malware Overview

1. HATVIBE
   • Function: A custom HTML application loader used to deploy additional malware.
   • Role: Serves as the initial stage of the attack, delivering the secondary payload, CHERRYSPY.
2. CHERRYSPY
   • Function: A Python-based backdoor designed for espionage and data exfiltration.
   • Role: Facilitates long-term access to compromised systems for data gathering.

‍

Attack Methodology

• Initial Access Vectors:
  • Exploitation of vulnerabilities in public-facing web applications, such as Rejetto HTTP File Server.
  • Phishing emails tailored to lure victims into downloading malicious payloads.
• Targets:
  • Government entities.
  • Scientific research institutions.
  • Human rights groups.

‍

Strategic Objectives

According to Recorded Future, this campaign is part of a broader Russian strategy to:

• Monitor Geopolitical Developments: Particularly in regions of strategic interest such as post-Soviet states.
• Maintain Regional Influence: Central Asia remains a priority due to Russia’s waning control and influence in the area.
• Destabilise NATO Countries: Cyber operations have targeted critical infrastructure in European nations including Estonia, Finland, Latvia, Lithuania, Norway, and Poland.

‍

These activities are consistent with Russia’s hybrid warfare doctrine, blending cyber espionage, sabotage, and influence operations to weaken adversaries without triggering direct conflict.

‍

Broader Implications

Russia’s cyber operations have intensified following its invasion of Ukraine in February 2022. Observers warn of:

• Increased Sabotage: Likely focused on disrupting NATO allies' critical infrastructure and undermining their support for Ukraine.
• Hybrid Warfare Escalation: Persistent cyber and physical attacks designed to destabilise political and military alliances in Europe.

‍

The Gerasimov Doctrine, which outlines Russia’s hybrid war strategy, suggests that these activities will escalate in destructiveness while staying below the threshold of outright war with NATO.

‍

Recommendations

1. Patch Known Vulnerabilities: Secure public-facing applications, particularly legacy systems like Rejetto HTTP File Server.
2. Enhance Email Security: Implement advanced phishing defences and conduct regular training for employees.
3. Monitor Network Activity: Look for indicators of compromise (IoCs) associated with HATVIBE and CHERRYSPY.
4. Strengthen Incident Response: Ensure robust response plans are in place for rapid containment of threats.
5. Collaborate with Authorities: Share threat intelligence with national CERTs and cybersecurity agencies.

‍

This campaign highlights Russia’s continued use of cyber operations as a tool of geopolitical influence and destabilisation. Organisations in targeted regions should remain vigilant, adopting comprehensive cybersecurity measures to mitigate the risk of compromise.