Beyond Information Security

Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk

A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.

The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.

“A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process,” Red Hat’s Joel Smith said in an alert.

“Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.”
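A node-side check for the condition described above, added here as an example (it is not code from the Kubernetes Image Builder project or the advisory): parse the node's /etc/shadow, report every account that can still authenticate with a password, and lock any build-time leftover the way `usermod -L` does. The shadow records below are constructed, and the `builder` account name in them is a placeholder for whatever build account the image actually carries; confirm the real account name and the fixed release (0.1.38) against the advisory before acting on a fleet.

```python
"""Find accounts on a node image that still have a usable password hash.

Added example (not from the Kubernetes Image Builder project). It parses
/etc/shadow-style records and reports every account that can still log in
with a password. A leftover build-time account with a live password is the
condition CVE-2024-9486 describes; locking it is the stop-gap, rebuilding
from a fixed Image Builder release is the fix.
"""
from dataclasses import dataclass

# Hash-field prefixes that mean "no password login possible".
LOCKED_MARKERS = ("!", "*")


@dataclass(frozen=True)
class ShadowEntry:
    user: str
    hash_field: str

    @property
    def password_login_possible(self) -> bool:
        # An empty field is passwordless login, which is worse than a default.
        if self.hash_field == "":
            return True
        # "!" or "*" => locked / no password. `usermod -L` prepends "!".
        return not self.hash_field.startswith(LOCKED_MARKERS)


def parse_shadow(text: str) -> list[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed record, skip rather than guess
        entries.append(ShadowEntry(user=fields[0], hash_field=fields[1]))
    return entries


def password_capable_accounts(text: str, allowed: frozenset[str] = frozenset()) -> list[str]:
    """Accounts with a live password hash that are not on the allow list."""
    return sorted(
        e.user for e in parse_shadow(text)
        if e.password_login_possible and e.user not in allowed
    )


def lock_account(text: str, user: str) -> str:
    """Return the shadow text with `user` locked as `usermod -L` would:
    a "!" is prepended to the hash field so no password can match it."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user and not fields[1].startswith("!"):
            fields[1] = "!" + fields[1]
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


# Constructed sample: a node where a build-time account ("builder" is a
# placeholder name here) kept its password, while the others are locked.
SAMPLE_SHADOW = """\
root:*:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
builder:$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19700:0:99999:7:::
capi:!:19700:0:99999:7:::
"""

if __name__ == "__main__":
    print("password-capable:", password_capable_accounts(SAMPLE_SHADOW))
    fixed = lock_account(SAMPLE_SHADOW, "builder")
    print("after lock:      ", password_capable_accounts(fixed))
```

Run it against a real node with `sudo cat /etc/shadow` piped in; anything it reports that is not on your allow list needs `usermod -L` now and a rebuilt image later. Locking the account only closes password login; also confirm sshd has `PasswordAuthentication no`, since a default credential is only reachable if some service still accepts passwords.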

Source: The hacker news / Bleeping computer / Kubernetes security advisory

Link: https://thehackernews.com/2024/10/critical-kubernetes-image-builder.html

Link: https://www.bleepingcomputer.com/news/security/critical-kubernetes-image-builder-flaw-gives-ssh-root-access-to-vms/

Link: https://discuss.kubernetes.io/t/security-advisory-cve-2024-9486-and-cve-2024-9594-vm-images-built-with-kubernetes-image-builder-use-default-credentials/30119


Hackers Abuse EDRSilencer Tool to Bypass Security and Hide Malicious Activity

Threat actors are attempting to abuse the open-source EDRSilencer tool to tamper with endpoint detection and response (EDR) solutions and hide malicious activity. Trend Micro said it detected “threat actors attempting to integrate EDRSilencer in their attacks, repurposing it as a means of evading detection.”

EDRSilencer, inspired by the NightHawk FireBlock tool from MDSec, is designed to block outbound traffic of running EDR processes using the Windows Filtering Platform (WFP).

It ships with a built-in list of processes belonging to EDR products from Microsoft, Elastic, Trellix, Qualys, SentinelOne, Cybereason, Broadcom Carbon Black, Tanium, Palo Alto Networks, Fortinet, Cisco, ESET, HarfangLab, and Trend Micro. For each one it finds running, it adds WFP filters that block the process's outbound connections, so the agent keeps running but its telemetry and alerts never reach the vendor's backend.

By incorporating such legitimate red-teaming tools into their arsenal, attackers aim to render EDR software ineffective and make it far harder to identify and remove malware.

“The WFP is a powerful framework built into Windows for creating network filtering and security applications,” Trend Micro researchers said. “It provides APIs for developers to define custom rules to monitor, block, or modify network traffic based on various criteria, such as IP addresses, ports, protocols, and applications.”

“WFP is used in firewalls, antivirus software, and other security solutions to protect systems and networks.”
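Because the filters EDRSilencer adds live in WFP rather than in the agent, the place to look for them is the WFP filter set itself. The following is an added example, not code from EDRSilencer or Trend Micro: it parses an XML export in the shape that `netsh wfp show filters` writes and flags outbound BLOCK filters whose condition is the executable path (FWPM_CONDITION_ALE_APP_ID) of a security product. The element names follow that export as I know it and should be checked against a real dump; the sample XML, the list of EDR executables and the "Custom Outbound Filter" display name are constructed or assumed indicators, not an authoritative signature.

```python
"""Flag WFP filters that silence EDR telemetry, EDRSilencer-style.

Added example, not code from EDRSilencer or Trend Micro. Parses an XML dump
in the shape `netsh wfp show filters` writes and reports outbound BLOCK
filters keyed on a security product's executable path. Element names follow
that export as I know it (verify against a real dump); the EDR executable
list is illustrative only.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Illustrative sensor executables (lower-case basenames), not exhaustive.
EDR_BINARIES = frozenset({
    "mssense.exe", "senseir.exe",   # Microsoft Defender for Endpoint
    "elastic-endpoint.exe",         # Elastic
    "sentinelagent.exe",            # SentinelOne
    "cyserver.exe",                 # Palo Alto Cortex XDR
})
# Display name EDRSilencer is believed to give its filters (assumption).
SUSPICIOUS_FILTER_NAMES = frozenset({"custom outbound filter"})
OUTBOUND_LAYERS = frozenset({
    "FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
})


@dataclass(frozen=True)
class Finding:
    filter_key: str
    name: str
    app_path: str
    reasons: tuple[str, ...]


def _text(elem, path, default=""):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def app_id_paths(filter_elem) -> list[str]:
    """Executable paths named by FWPM_CONDITION_ALE_APP_ID conditions."""
    cond = filter_elem.find("filterCondition")
    if cond is None:
        return []
    return [
        p for item in cond.findall("item")
        if _text(item, "fieldKey") == "FWPM_CONDITION_ALE_APP_ID"
        and (p := _text(item, "conditionValue/byteBlob/asString"))
    ]


def find_edr_silencing_filters(xml_text: str) -> list[Finding]:
    root = ET.fromstring(xml_text)
    filters = root.find("filters")
    findings = []
    for f in ([] if filters is None else filters.findall("item")):
        # Only outbound block filters can cut an agent off from its backend.
        if _text(f, "action/type") != "FWP_ACTION_BLOCK":
            continue
        if _text(f, "layerKey") not in OUTBOUND_LAYERS:
            continue
        name = _text(f, "displayData/name")
        for path in app_id_paths(f):
            reasons = []
            basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if basename in EDR_BINARIES:
                reasons.append(f"blocks known EDR binary {basename}")
            if name.lower() in SUSPICIOUS_FILTER_NAMES:
                reasons.append(f"filter name {name!r} matches EDRSilencer default")
            if reasons:
                findings.append(Finding(_text(f, "filterKey"), name, path, tuple(reasons)))
    return findings


# Constructed sample: one EDRSilencer-style filter, one unrelated block filter.
SAMPLE_WFP_XML = r"""<wfpdiag><filters>
<item><filterKey>{0a1b2c3d-0000-4000-8000-000000000001}</filterKey>
<displayData><name>Custom Outbound Filter</name><description></description></displayData>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey><action><type>FWP_ACTION_BLOCK</type></action>
<filterCondition><numItems>1</numItems><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
<byteBlob><asString>\device\harddiskvolume3\program files\windows defender advanced threat protection\mssense.exe</asString></byteBlob>
</conditionValue></item></filterCondition></item>
<item><filterKey>{0a1b2c3d-0000-4000-8000-000000000002}</filterKey>
<displayData><name>Block legacy updater</name><description></description></displayData>
<layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey><action><type>FWP_ACTION_BLOCK</type></action>
<filterCondition><numItems>1</numItems><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
<matchType>FWP_MATCH_EQUAL</matchType><conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
<byteBlob><asString>\device\harddiskvolume3\program files\contoso\updater.exe</asString></byteBlob>
</conditionValue></item></filterCondition></item>
</filters></wfpdiag>"""

if __name__ == "__main__":
    for hit in find_edr_silencing_filters(SAMPLE_WFP_XML):
        print(hit)
```

Export the live filter set with `netsh wfp show filters` on the host and feed the resulting XML to `find_edr_silencing_filters`. As a complementary signal, Security event 5447 ("A Windows Filtering Platform filter has been changed") records filter additions once the "Filtering Platform Policy Change" audit subcategory is enabled, which catches the moment EDRSilencer runs rather than its residue.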

Source: The hacker news / Bleeping computer / Dark reading

Link: https://thehackernews.com/2024/10/hackers-abuse-edrsilencer-tool-to.html

Link: https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-used-in-attacks-to-bypass-security/

Link: https://www.darkreading.com/endpoint-security/bad-actors-manipulate-red-team-tools-evade-detection


GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access

GitHub has released security updates for Enterprise Server (GHES) to address multiple issues, including a critical bug that could allow unauthorized access to an instance.

The vulnerability, tracked as CVE-2024-9487, carries a CVSS score of 9.5 out of a maximum of 10.0.

“An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server,” GitHub said in an alert.

The Microsoft-owned company characterized the flaw as a regression that was introduced as part of follow-up remediation from CVE-2024-4985 (CVSS score: 10.0), a maximum severity vulnerability that was patched back in May 2024.
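The advisory names the bug class (improper verification of cryptographic signatures on the encrypted-assertion path) without publishing the code path, so the following added example models the class rather than GitHub's implementation. It is not GHES code: HMAC-SHA256 stands in for the IdP's XML-DSig signature, an HMAC-counter stream cipher stands in for XML-Enc, and the keys and assertions are constructed. The point it makes is that decrypting an assertion proves nothing about who produced it, because in real SAML the service provider's encryption certificate is public, so an SP that treats "it decrypted" as "it is authentic" will provision whatever an attacker encrypts.

```python
"""Signature-before-trust for an encrypted SAML assertion.

Added example, not GitHub's code. Models the bug class in the CVE-2024-9487
advisory with deliberately simplified stand-ins: HMAC-SHA256 over the
assertion plays the role of XML-DSig, and HMAC in counter mode plays the
role of XML-Enc. Keys and assertion contents are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed keys. Real SAML encryption is asymmetric and the SP's public
# half is in its metadata, so anyone can produce a valid ciphertext; a
# shared key stands in for that here. The IdP signing key stays with the IdP.
SP_ENCRYPTION_KEY = b"sp-encryption-key-constructed-32b"
IDP_SIGNING_KEY = b"idp-signing-key-constructed-32by"


class SamlError(Exception):
    pass


@dataclass(frozen=True)
class SamlResponse:
    nonce: bytes
    encrypted_assertion: bytes
    signature: Optional[bytes]  # signature over the plaintext assertion, or absent


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher (stand-in for XML-Enc)."""
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def sign_assertion(assertion: bytes) -> bytes:
    """Stand-in for the IdP's XML-DSig signature over the assertion."""
    return hmac.new(IDP_SIGNING_KEY, assertion, hashlib.sha256).digest()


def idp_issue(assertion: bytes) -> SamlResponse:
    """What the legitimate IdP sends: encrypted and signed."""
    nonce = os.urandom(12)
    return SamlResponse(nonce, toy_xor(SP_ENCRYPTION_KEY, nonce, assertion), sign_assertion(assertion))


def attacker_forge(assertion: bytes) -> SamlResponse:
    """An attacker can encrypt (public key) but cannot sign (no IdP key)."""
    nonce = os.urandom(12)
    return SamlResponse(nonce, toy_xor(SP_ENCRYPTION_KEY, nonce, assertion), None)


def tamper_signature(resp: SamlResponse) -> SamlResponse:
    return SamlResponse(resp.nonce, resp.encrypted_assertion, b"\x00" * 32)


def _subject(assertion: bytes) -> str:
    for field in assertion.decode().split(";"):
        key, _, value = field.partition("=")
        if key == "subject":
            return value
    raise SamlError("assertion carries no subject")


def process_vulnerable(resp: SamlResponse) -> str:
    assertion = toy_xor(SP_ENCRYPTION_KEY, resp.nonce, resp.encrypted_assertion)
    # BUG (the class named in the advisory): successful decryption is taken
    # as authentication and the signature is never checked on this path.
    return _subject(assertion)


def process_hardened(resp: SamlResponse) -> str:
    assertion = toy_xor(SP_ENCRYPTION_KEY, resp.nonce, resp.encrypted_assertion)
    # A missing signature is a rejection, not a skipped check, and the
    # signature is verified over the exact bytes that will be trusted.
    if resp.signature is None:
        raise SamlError("assertion is not signed")
    if not hmac.compare_digest(sign_assertion(assertion), resp.signature):
        raise SamlError("assertion signature does not verify")
    return _subject(assertion)


def hardened_rejects(resp: SamlResponse) -> bool:
    try:
        process_hardened(resp)
    except SamlError:
        return True
    return False
```

Running `process_vulnerable(attacker_forge(b"subject=attacker@example.com"))` provisions the attacker's subject; `process_hardened` raises on the same input and on a legitimate response whose signature has been tampered with, while accepting what `idp_issue` produced. The same ordering applies to a real SAML library: decrypt, verify the signature against the IdP key over the decrypted assertion, and only then read the subject.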

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2024/10/github-patches-critical-flaw-in.html

Link: https://www.securityweek.com/github-patches-critical-vulnerability-in-enterprise-server/


CISA Warns of Active Exploitation in SolarWinds Help Desk Software Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain unauthorized access and make modifications.

“SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data,” CISA said in an advisory.

Details of the flaw were first disclosed by SolarWinds in late August 2024, with cybersecurity firm Horizon3.ai releasing additional technical specifics a month later.

The vulnerability “allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset requests and shared service account credentials,” security researcher Zach Hanley said.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-in.html

Link: https://www.bleepingcomputer.com/news/security/solarwinds-web-help-desk-flaw-is-now-exploited-in-attacks/

Link: https://www.securityweek.com/organizations-warned-of-exploited-solarwinds-web-help-desk-vulnerability/


Oracle Patches Over 200 Vulnerabilities With October 2024 CPU

Oracle on Tuesday announced 334 new security patches as part of its October 2024 Critical Patch Update (CPU), including 186 fixes for vulnerabilities that can be exploited remotely without authentication.

SecurityWeek has identified roughly 220 unique CVEs in Oracle’s October 2024 CPU. Approximately three dozen security patches resolve critical-severity flaws. As in April and July 2024, Oracle Communications received the largest number of security patches: out of 100 fixes, 81 address unauthenticated, remotely exploitable bugs.

On Tuesday, Oracle also announced large numbers of patches for MySQL (45 fixes – 12 for issues that can be exploited remotely without authentication), Fusion Middleware (32 – 25), Financial Services Applications (20 – 15), and E-Business Suite (18 – 1).

Several other products received roughly a dozen new security patches each, including Communications Applications (13 fixes – 10 for unauthenticated, remotely exploitable flaws), Analytics (12 – 7), and PeopleSoft (12 – 2).

At least half a dozen fixes were announced for Oracle Commerce, Java SE, Blockchain Platform, Enterprise Manager, Systems, and Database Server.

Source: Securityweek / Oracle Critical Patch Update Advisory

Link: https://www.securityweek.com/oracle-patches-over-200-vulnerabilities-with-october-2024-cpu/

Link: https://www.oracle.com/security-alerts/cpuoct2024.html


VMware Patches High-Severity SQL Injection Flaw in HCX Platform

VMware on Wednesday called attention to a high-severity flaw affecting its enterprise-facing HCX application mobility platform: a SQL injection that an authenticated user can turn into remote code execution on the HCX manager.

The vulnerability, tracked as CVE-2024-38814, carries a CVSS score of 8.8 out of 10 and is reachable by authenticated attackers with non-administrator privileges.

“A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager,” according to an advisory from the virtualization technology vendor.
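The advisory describes the sink only as “specially crafted SQL queries”, so the example below is an added illustration of the bug class and not VMware code or the actual HCX query. It shows the concatenated query beside its parameterized replacement on a constructed SQLite table of migration records: a low-privilege user who controls the search term reads every tenant's rows from the vulnerable function and only their own from the hardened one. How an injection becomes code execution depends on the database's features (stacked statements, file or procedure access) and is not modeled here.

```python
"""SQL injection sink beside its parameterized fix.

Added example, not VMware code. The HCX root cause is not public beyond
"specially crafted SQL queries", so this models the bug class on a
constructed SQLite table: a low-privilege caller who controls `vm_filter`
reads every tenant's secrets from the vulnerable function and nothing
unexpected from the hardened one.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants, one secret per record."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE migrations(id INTEGER PRIMARY KEY, tenant TEXT, vm_name TEXT, secret TEXT);
        INSERT INTO migrations(tenant, vm_name, secret) VALUES
          ('tenant-a', 'web-01', 'a-token-1'),
          ('tenant-a', 'db-01',  'a-token-2'),
          ('tenant-b', 'erp-01', 'b-token-1');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, tenant: str, vm_filter: str) -> list:
    # Sink: user input is spliced into the statement text. A value such as
    # "' OR 1=1 --" rewrites the WHERE clause and comments out the rest, so
    # the tenant scoping is lost and every row comes back.
    sql = (f"SELECT vm_name, secret FROM migrations "
           f"WHERE tenant = '{tenant}' AND vm_name LIKE '%{vm_filter}%'")
    return conn.execute(sql).fetchall()


def _escape_like(s: str) -> str:
    """Neutralise LIKE metacharacters; bound parameters alone do not do this."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(conn: sqlite3.Connection, tenant: str, vm_filter: str) -> list:
    # Fix: the statement text is constant, values travel as bound parameters,
    # and the caller's own tenant scopes the query server-side.
    sql = ("SELECT vm_name, secret FROM migrations "
           "WHERE tenant = ? AND vm_name LIKE ? ESCAPE '\\'")
    return conn.execute(sql, (tenant, f"%{_escape_like(vm_filter)}%")).fetchall()


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", search_vulnerable(db, "tenant-a", payload))
    print("hardened:  ", search_hardened(db, "tenant-a", payload))
    print("legit:     ", search_hardened(db, "tenant-a", "web"))
```

Parameterization closes the injection; the `ESCAPE` clause is the extra step for LIKE, because a bound `%` is still a wildcard and would otherwise let a user enumerate every record they are allowed to see with an empty filter and every record they should not see if the tenant scope is ever dropped.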

Source: Securityweek

Link: https://www.securityweek.com/vmware-patches-high-severity-sql-injection-flaw-in-hcx-platform/


From Defense to Offense: The Misuse of Red Teaming Tools by Cybercriminals

Red teaming tools, which are essential for security testing, can also be repurposed by malicious actors for cybercriminal activities. Although red team tools offer many benefits, their dual-use nature also poses substantial risks, underscoring the need for strong ethical guidelines and effective detection capabilities.

Cybercriminals can misuse open-source software for malicious purposes, underscoring the importance of stringent security measures and continuous monitoring of supply chains. AI can identify and triage potential threats from open-source repositories, drastically reducing analysis time and prioritizing critical projects.

Evolving red teaming methodologies with proactive detection and constant monitoring of emerging tools will enhance organizational defenses against cyber threats.

Source: Trendmicro Research paper

Link: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/from-defense-to-offense-the-misuse-of-red-teaming-tools-by-cybercriminals


The cybersecurity skills gap contributed to a $1.76 million increase in average breach costs

Understaffing in cybersecurity — the “skills gap” — is driving up the cost of data breaches in recent years, according to a decade of reports by IBM.

The 2024 IBM Data Breach Report found that more than half of breached organizations experienced severe security staffing shortages, a 26.2% increase from the previous year. The finding comes from a statistical analysis of data gathered in in-depth interviews with more than 600 organizations that suffered data breaches in the prior year.

The 2024 report makes the link between staffing shortages and breach cost clear:

“As we’ve seen across the industry, cybersecurity teams are consistently understaffed. This year’s study found more than half of breached organizations faced severe security staffing shortages, a skills gap that increased by double digits from the previous year. This need for trained security staff is growing as the threat landscape widens. The continuing race to adopt gen AI across nearly every function in the organization is expected to bring with it unprecedented risks and put even more pressure on these cybersecurity teams.”

Source: IBM Security intelligence

Link: https://securityintelligence.com/articles/cybersecurity-skills-gap-contributed-increase-average-breach-costs/


Product Security Bad Practices

As outlined in CISA’s Secure by Design initiative, software manufacturers should ensure that security is a core consideration from the onset of software development. This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs) and provides recommendations for software manufacturers to mitigate these risks.

Source: CISA guide

Link: https://www.cisa.gov/resources-tools/resources/product-security-bad-practices