Solar Winds Hotfix for Hardcoded Credentials Issue; New Log4Shell Campaign; Chrome Fixes Ninth Zero-Day of 2024

Should be obvious that this must be patched quickly. Hardcoded credentials tend to leak shortly after the patch is released (if not before).

It's 2024, hardcoded credentials need to be ancient history. Make sure your SQA processes screen for them. The update, WHD 12.8.3 HF2, addresses two issues CVE-2024-28987, WHD hard coded credential vulnerability, CVSS score 9.1 and CVE-2024-28986, WHD Java deserialization RCE vulnerability, CVSS score 9.8, previously fixed in WHD 12.8.3 HF1. The hard coded credential flaw can be exploited by unauthenticated users, the Java deserialization flaw requires an authenticated user. Some good news: HF2 includes the fixes from HF1. The hotfix requires installation of three jar files and manually editing the tomcat_server_template.xml file.

Hardcoded credentials are like catnip to cybercriminals; they are on the prowl and looking to exploit. Given the recent uptick in examples of this sort of exploit and its own recent software security issues, it's a bit surprising that the company didn't fix this before it became a problem. Bottom line: apply the hotfix now.

One more example, as if any were needed, of why a safety first culture, secure by design, is so important to the modern enterprise.

We are observing very consistent scans for Log4j/Log4Shell issues in our honeypots.

We all acknowledged that it would take a long time to patch Log4J/Log4Shell, but were we thinking it'd still be in play almost three years later? There is a cliche about the old tricks still working. Anyway, beyond passing the IOCs from Security Labs to your team, make sure that you're still scanning for vulnerable Log4J, and applying updates when they are released. Make sure mitigations are still in place for those high-impact systems and applications which are difficult to get updated as well as having conversations about both fixed versions and deployment schedules.

The lesson here is that, not only is patching an inefficient way to achieve quality, for some widely used software, it is futile.

Since Microsoft has committed again to 'Security is Job 1,' it is time for Windows patching to happen as frequently and as transparently as browser and mobile OS patching. I think what is needed to make that happen largely overlaps with OS restrictions that are needed to force app developers to 'Secure By Design' anyway.

With this vulnerability Google exceeds its 2023 total of eight zero-days. The update is easy: quit your browser and restart. As a reminder, as a good security practice, reboot your system on a weekly basis.

Seems like we just updated Chrome yesterday. The what's-new page for Chrome 128 highlights Google Lens and Gemini chat. Google Lens was introduced in 2017 but has been enhanced to search videos, livestreams, or images youÕre watching. Gemini, also available at gemini.google.com, should fall under your current GenAI usage. Consider the activity setting under Gemini Apps (myactivity.google.com) which governs the use or review of your data by Google.

The size of the fine is pretty low compared to what this incident has already cost the company - changing their name probably cost more! But, the settlement should drive them to change the lax processes that lead to both incidents - stronger authentication to prevent email chain hijacking and better app/penetration testing to discover pre-production that any legitimate SSN can be used to create fraudulent accounts.

Of the two attacks, the first (BEC) is relatable; the second is more concerning as they automatically linked accounts based on stolen SSN's to legitimate ones. FI's often link your accounts based on your SSN, which provides a single access point to all your accounts, but also includes some of the same risk. Ask your FI what controls are in place when linking account, determine if the linking uses an implied or direct permission, and if more than just the SSN is used to associate the accounts.

These rules are about the operations of the aircraft, not the security of passenger facing systems. With increased connectivity, and an increase in the number of reported cyber-attacks in the airline industry, the FAA is proposing changes to manufacture of aircraft, engines and propeller systems to mitigate these threats which include field loadable software, maintenance laptops, airport/airline/public networks, wireless and cellular communication, USB, Satellite and GPS navigation systems. Proposed designs would need to provide isolation or protection from unauthorized access, prevent unauthorized changes, and mechanisms/processes to ensure cyber protections are maintained.

The FAA has been very successful in its safety mission. After elevators, it has made aviation the second safest form of transportation. These rules simply extend to software the procedures that have been so successful for hardware.

Some excellent research by Quarkslab. What's strange is that the same hardware backdoor key exists in other vendor products. It feels a bit like a well-placed supply chain attack.

Many MIFARE Classic cards are FM11RF08S or FM11RF08 cards which have this backdoor, which dates back to 2007, as do the FM11FR32 and FM1208-10 cards available from the same manufacturer. Double check the version of MIFARE Classic cards you're using, they may be the affected product. If you're using these cards, they are prevalent in hotels in the US, Europe and India, you're going to want to assess your risks.

Whether or not RFID applications are secure by design, cloning is harder than it looks. Attacks are extremely local and do not scale. This is one of those issues where intuition does not serve us well.

CVE-2024-28000, CVSS score of 9.8, allows an unauthenticated user to spoof the username and get admin access. This is due to a user simulation module which had easily guessable non-salted hash. This doesn't impact Windows based WordPress installations as the function relied on a PHP method not implemented in Windows. Make sure you're on LiteSpeed 6.4 or higher. Also make sure that you don't already have a cache service from your provider which could negate the need for this plugin. Wordfence has rules to block this attack and reports blocking nearly 59,000 attacks in the last 24 hours.

Yep, another WordPress plug-in vulnerability. For once, windows-based WordPress installations are not at risk to this vulnerability. For everyone else that uses this plug-in, prioritize this download and install the patch.