Month: September 2024

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild. 

SYSTEMS AFFECTED:

• PHP 8.1 versions prior to 8.1.30
• PHP 8.2 versions prior to 8.2.24
• PHP 8.3 versions prior to 8.3.12 

RISK:

Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

Tactic: Execution (TA0041):

     Technique: Command and Scripting Interpreter (T1059)

• OS Command Injection: The vulnerability allows a remote attacker to send specially crafted HTTP request to the application and execute arbitrary OS commands on the system due to improper input validation in PHP-CGI implementation. (CVE-2024-8926)
• Security features bypass: The vulnerability allows a remote attacker to  bypass implemented security restriction and gain unauthorized access to the application due to environment variable collision, which can lead to cgi.force_redirect bypass. (CVE-2024-8927)
• Insufficient Logging: The vulnerability allows an attacker to alter logs from child processes due to an unspecified error. (CVE-2024-9026)
• Input validation error: The vulnerability allows a remote attacker to pass specially crafted input to the application and bypass implemented security restrictions due to insufficient validation of user-supplied input when parsing multipart form data. (CVE-2024-8925)

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches provided by PHP to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool. 
     
• Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
  • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassessbi-annually, or more frequently.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. 
•  

• Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
     
• Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
  • Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
  • Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
  • Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
     
• Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. (Mitigation M1042: Disable or Remove Feature or Program)
  • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
  • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassessbi-annually, or more frequently.
  • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassessbi-annually, or more frequently.
  • Safeguard 4.1: Establish and Maintain a Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 4.8: Uninstall or Disable Unnecessary Services on Enterprise Assets and Software: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Safeguard 18.5: Perform Periodic Internal Penetration Tests: Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.
     

REFERENCES:

PHP:
https://www.php.net/ChangeLog-8.php 

CyberSecurity Help:
https://www.cybersecurity-help.cz/vdb/SB2024092724 

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8926
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8927
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8925

OVERVIEW:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Chrome prior to 129.0.6668.70/.71 for Windows and Mac
• Chrome prior to 129.0.6668.70 for Linux 

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows: 

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

• Use after free in Dawn (CVE-2024-9120)
• Inappropriate implementation in V8 (CVE-2024-9121)
• Type Confusion in V8 (CVE-2024-9122)
• Integer overflow in Skia (CVE-2024-9123)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

RECOMMENDATIONS:
We recommend the following actions be taken: 

• Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
     
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
     
• Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
   
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
     
• Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
     
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
     

REFERENCES:

Google:
https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_24.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9123

Featured Developer Toolbox > Explore the latest tools and services to help you build intelligent modern applications. Add AI to your apps, build distributed apps for the cloud, streamline your workflow, bring your data into custom copilots, and more.

What’s New New Hugging Face Models on Azure AI > Check out the most recently added models to the Azure AI model catalog, including the highly-ranked multilingual models, tuned for Asian languages.   Explore the Official OpenAI .NET Library > This library is an essential tool for any .NET developer trying to develop intelligent apps using OpenAI.   Catch up on the Latest DevEx research with Nicole Forsgren > Developer experience (DevEx) aims to empower developers to code efficiently by providing a customized and optimized coding environment.

Events See Local Events > Microsoft Ignite / November 18 -22 / Chicago and online > Registration is now open. Experience keynotes, attend sessions, meet with partners and customers, and more.   The Microsoft AI Tour / Multiple cities and dates > Learn directly from industry leaders, Microsoft, and partner experts who will show you how to develop and use AI responsibly.   GitHub Universe / October 29-30 / San Francisco > Join thousands of developers, cloud architects, cybersecurity professionals, and more to fine tune your skills and learn the latest in AI, DevEx, and security.   Microsoft 365 Developer Podcast: Custom engine copilots > Jeremy Thake and Joey Glocke discuss custom engine copilots in Microsoft 365 and more.   .NET Aspire Day 2024 / On demand > The .NET Aspire and Azure product teams dive deep into essential Azure services to build world-class cloud native applications with .NET. (YouTube)

Learning Doodle to Code is now on GitHub > The Doodle to Code GitHub repository includes doodles, detailed breakdowns of Generative AI concepts, step-by-step technical guidance, and source code for projects.   Announcing 30 Day Plans on Microsoft Learn > Curated content combined with learning milestones, and achievement outcomes help you get project-ready and improve your technical skills in 30 days or less.   Build Apps with Visual Studio in the Cloud with Dev Box > See how to create and run dev boxes, preconfigured, ready-to-code workstations that are optimized for building applications. (YouTube)

NIST Cybersecurity White Paper (CSWP) 31, Proxy Validation and Verification for Critical AI Systems: A Proxy Design Process, is now available. The goal of this work is to increase trust in critical AI systems (CAIS) by developing proxy systems to verify and validate a CAIS.

This document presents a five-phase process for identifying and/or building non-critical proxy systems that have high similarity to critical artificial intelligence (AI) or machine learning (ML) systems. The non-critical proxy system is used to indirectly validate and verify the critical system by enabling the creation of difficult or dangerous test cases in a way that imbues confidence in the scenarios. The results of the test cases presented to the non-critical proxy can then be imputed to the critical system. The process involves a way to demonstrate and measure “similarity” between the two systems.

Read More

The National Cybersecurity Center of Excellence (NCCoE) has released for public comment a draft of the Supply Chain Traceability Manufacturing Meta-Framework. The comment period is open through November 15, 2024. 

Ensuring supply chain traceability is critical for maintaining product authenticity, compliance, and security in today’s complex, globalized manufacturing ecosystems. As products move through their manufacturing process stages—production, assembly, and distribution—stakeholders face increasing challenges in maintaining visibility into the history and provenance of these products. Improving the traceability of goods and materials throughout the supply chain is critical to identifying disruptions and mitigating these risks.

This publication presents a Meta-Framework designed to address these challenges by providing a structured, industry-tailorable approach to capturing, linking, and retrieving traceability data across diverse supply chains. The goal of the framework is to enhance end-to-end traceability, providing stakeholders with the tools needed to trace product provenance, ensure regulatory compliance, and bolster the resilience of the U.S. manufacturing supply chain.

We Want to Hear from You!

Please review the draft and submit comments online by using the link below [1]. We welcome your input and look forward to your comments.  

Join our Community of Interest

By joining the Community of Interest (COI), you will receive project updates and the opportunity to share your expertise to help guide this project. Request to join our NCCoE Manufacturing Supply Chain COI by visiting our project page [2].

URL References:

[1] https://www.nccoe.nist.gov/projects/manufacturing-supply-chain-traceability-using-blockchain-related-technologies#project-promo

[2] https://www.nccoe.nist.gov/projects/manufacturing-supply-chain-traceability-using-blockchain-related-technologies#join-the-coi

OVERVIEW:
Multiple vulnerabilities have been discovered in Foxit PDF Reader and Editor, the most severe of which could result in arbitrary code execution. Foxit PDF Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• 2024.2.3.25184 and earlier versions for Windows.
• 2024.2.3.25184 and all previous 2024.x versions for Windows.
• 2023.3.0.23028 and all previous 2023.x versions for Windows.
• 13.1.3.22478 and all previous 13.x versions for Windows.
• 12.1.7.15526 and all previous 12.x versions for Windows.
• 11.2.10.53951 and earlier versions for Windows.
• 2024.2.3.64402 and all previous 2024.x versions for macOS.
• 2023.3.0.63083 and all previous 2023.x versions for macOS.
• 13.1.2.62201 and all previous 13.x versions for macOS.
• 12.1.5.55449 and all previous 12.x versions for macOS.
• 11.1.9.0524 and earlier versions for macOS.
• 2024.2.2.64388 and earlier versions for macOS.

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Foxit PDF Reader and Editor, the most severe of which could result in arbitrary code execution. Details of these vulnerabilities are as follows:  

Tactic: Execution (TA0002):
Technique: User Execution: Malicious File (T1204.002):

• The application could be exposed to a Use-After-Free vulnerability and crash when handling certain checkbox field objects, Annotation objects, or AcroForms, which attackers could exploit to execute remote code or disclose information. This occurs as the application uses a wild pointer or an object that has been freed without proper validation, fails to properly synchronize the annotation items when handling the Reply Note of an annotation using JavaScript, or fails to correctly update the font cache after deleting a page. (CVE-2024-28888, CVE-2024-7725)
• The application could be exposed to a Privilege Escalation vulnerability when performing an update or installing a plugin, which attackers could exploit to delete arbitrary files or execute arbitrary code so as to carry out privilege escalation attacks. This occurs due to the incorrect permission assignment on the resources used by the update service, improper signature validation and incomplete certificate check for the updater, weak randomness setting for the name of the temporary folder during a plugin installation, or improper DLL loading without using the built-in manifest file. (CVE-2024-38393)
• The application could be exposed to an Out-of-Bounds Read/Write vulnerability and crash when parsing certain PDF files or handling certain Annotation objects, which attackers could exploit to execute remote code. This occurs as the application reads or writes data beyond the boundaries of an allocated object or buffer. (NO CVE ASSIGNED)

Details of lower-severity vulnerabilities are as follows:

• The application could be exposed to a Side-Loading vulnerability when performing an update, which attackers could exploit to run malicious payloads by replacing the update file with a malicious one. This occurs as the application fails to validate the integrity of the updater when running the update service. (CVE-2024-41605)
• The application could be exposed to a Null Pointer Dereference vulnerability and crash when scrolling certain PDF files with an abnormal StructTreeRoot dictionary entry, which attackers could exploit to launch a Denial of Service attack. This occurs due to the use of a null pointer without proper validation. 
• A potential issue where the application could be exposed to a Privilege Escalation vulnerability during the deactivation or uninstallation if the application is reinstalled without prior uninstallation, which attackers could exploit to execute malicious actions. This occurs due to the inadequate permission setting for the /usr/local/share/foxit folder used during the installation so that low-privilege attackers can easily tamper with the script files in the directory. 

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate updates provided by Foxit to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
     
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
     
• Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
   
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
     
• Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
     
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Foxit:
https://www.foxit.com/support/security-bulletins.html?srsltid=AfmBOooLCtdUTMd0tlqH_ZPf9_ye4PeyjiMy5oH9RZjMNWwSkKxnepxc
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41605

Supplemental Spreadsheet: Cybersecurity Framework 1.1 to 2.0 Core Transition Changes Overview

As organizations start to transition from using CSF 1.1 to implementing CSF 2.0, NIST is providing users with a resource to compare and contrast CSF 1.1 and CSF 2.0. This new supplemental document is intended as an aid to anyone who is transitioning a CSF 1.1 Organizational Profile, conducting mapping, or converting other CSF 1.1 Core content to use the CSF 2.0 Core. This document also provides information about how Categories and Subcategories have transitioned from NIST CSF 1.1 to 2.0. This document, along with other CSF 2.0 supplemental materials can be found on our Computer Security Resource Center page under the ‘supplemental material’ section.

Broadcom recently issued important patches for VMware, addressing two critical vulnerabilities in its vCenter Server platform, the more severe of them being CVE-2024-38812. Due to the vulnerability, the company cites risk of potential Remote Code Execution (RCE) attacks.

Go here for details

Summary
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm
since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.

To mitigate this malicious cyber activity, organizations should take the following actions today:
 Prioritize routine system updates and remediate known exploited vulnerabilities.
 Segment networks to prevent the spread of malicious activity.
 Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services,
especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

Read the full article here

Image Source: McAfee

Security researchers recently discovered an Android mobile malware dubbed SpyAgent. Using optical character recognition (OCR), SpyAgent parses through saved screenshots to search for cryptocurrency seed phrases. These phrases are 12-24 words and are provided as a backup key to restore access to cryptocurrency wallets. Threat actors can use these seed phrases to access stolen cryptocurrency wallets.

SpyAgent’s campaign begins with a phishing attack by sending malicious links through text or direct messages on social media platforms. Threat actors pose as a reputable business or a trusted person to trick users into clicking malicious links. Once clicked, these links will direct its target to an imitation website, often created to mimic the appearance of a legitimate website. Users will be prompted to install an app that loads the SpyAgent malware onto the victim’s device. If installed, the malicious app will request permission to access sensitive information and the ability to run in the background, which, if granted, will allow the threat actors to compromise the infected device further.

While the primary goal is to steal cryptocurrency seed phrases, researchers have found that it also targets phone contacts, text messages, photos, and device information. This campaign has mostly been localized to South Korea but has begun a tentative expansion into the United Kingdom. Security researchers have also found signs that an iOS variant is in early development. Cryptocurrency has often been the target of malware campaigns, including one targeting MacOS Bitcoin and Exodus wallet users this past January and an older Android malware campaign utilizing OCR to capture cryptocurrency wallet credentials.

Recommendations

Refrain from clicking links found in text messages and direct messages sent from unverified sources. Type official website URLs into browsers manually. Avoid installing apps outside the Google Play store, and be wary of granting invasive and unnecessary permissions to apps. Obtain software from legitimate developers or companies after analyzing customer reviews. Forward SMiShing messages to 7726 (SPAM) and report the messages to mobile carriers.