Programmer’s Digest #92

07/17/2024-07/24/2024 CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities, SocGholish Malware Exploits BOINC Project And More.

1. CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence:

  • CVE-2012-4792 (CVSS score: 9.3) – A use-after-free vulnerability in Microsoft Internet Explorer allowing remote code execution via a crafted site.
  • CVE-2024-39891 (CVSS score: 5.3) – An information disclosure bug in Twilio Authy that reveals if a phone number is registered with Authy.

Twilio resolved CVE-2024-39891 in recent Android and iOS versions after threat actors exploited it to access Authy account data. CISA warns that such vulnerabilities pose significant risks and mandates Federal Civilian Executive Branch (FCEB) agencies to remediate these by August 13, 2024.

2. SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

The SocGholish malware (FakeUpdates) is now being used to deliver both AsyncRAT and the legitimate BOINC client. BOINC, managed by the University of California, uses volunteer computing for distributed tasks and rewards users with Gridcoin cryptocurrency. Researchers noted that these installations connect to malicious domains (“rosettahome[.]cn” or “rosettahome[.]top”), which act as command-and-control servers to collect data and transmit payloads.

As of July 15, over 10,000 clients are connected to these domains. Although no additional activities have been observed, infected hosts might be sold as access vectors for further attacks, including ransomware. SocGholish attacks begin with fake browser updates that lead to AsyncRAT or BOINC installations. BOINC is disguised as “SecurityHealthService.exe” to evade detection. The misuse of BOINC has been tracked since June 26, 2024.
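The indicators in this entry (the two rosettahome domains and the BOINC binary masquerading as SecurityHealthService.exe) are enough to build a simple hunt. The script below is an added example, not part of the digest or any vendor tooling: it scans constructed DNS and process-creation log lines, flags queries for the C2 domains or their subdomains, and flags SecurityHealthService.exe running from anywhere other than the assumed legitimate location of the Windows binary, C:\Windows\System32.

```python
# Indicators taken from the digest entry above (written defanged there).
C2_DOMAINS = {"rosettahome.cn", "rosettahome.top"}
MASQUERADED_NAME = "securityhealthservice.exe"
# Assumed location of the genuine Windows Security Health Service binary.
LEGIT_DIR = r"c:\windows\system32"

# Constructed sample log: "<timestamp> DNS <host> <query>" or
# "<timestamp> PROC <host> <image path>". Not real telemetry.
CONSTRUCTED_LOG = """\
2024-07-18T10:01:02Z DNS host-a rosettahome.cn
2024-07-18T10:01:05Z DNS host-a updates.microsoft.com
2024-07-18T10:02:00Z PROC host-a C:\\Users\\alice\\AppData\\Roaming\\SecurityHealthService.exe
2024-07-18T10:02:30Z PROC host-b C:\\Windows\\System32\\SecurityHealthService.exe
2024-07-18T10:03:00Z DNS host-b cdn.rosettahome.top
"""


def refang(indicator: str) -> str:
    """Turn a defanged 'rosettahome[.]cn' back into 'rosettahome.cn'."""
    return indicator.replace("[.]", ".")


def suspicious_dns(query: str) -> bool:
    """True if the query is a C2 domain or one of its subdomains."""
    q = refang(query).lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def suspicious_process(image_path: str) -> bool:
    """True if SecurityHealthService.exe runs outside the expected directory."""
    path = image_path.lower().replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    return name == MASQUERADED_NAME and directory != LEGIT_DIR


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (host, reason, value) for every line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # malformed line; a production scanner would count these
        _ts, kind, host, value = fields
        if kind == "DNS" and suspicious_dns(value):
            hits.append((host, "c2-domain", value))
        elif kind == "PROC" and suspicious_process(value):
            hits.append((host, "masqueraded-boinc", value))
    return hits


if __name__ == "__main__":
    for host, reason, value in scan_log(CONSTRUCTED_LOG):
        print(f"{host}: {reason}: {value}")
```

Only the two C2 domains and the out-of-place binary are flagged; the legitimate System32 copy and ordinary DNS traffic pass.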

3. SolarWinds Patches 8 Critical Flaws in Access Rights Manager Software

SolarWinds has fixed critical security flaws in its Access Rights Manager (ARM) software that could lead to sensitive data access or arbitrary code execution. Of the 13 vulnerabilities, eight are rated Critical (CVSS score 9.6), and five are rated High (CVSS scores 7.6 and 8.3).
The most severe flaws include:

  • CVE-2024-23472: Directory Traversal and Information Disclosure
  • CVE-2024-28074: Deserialization Remote Code Execution
  • CVE-2024-23469: Dangerous Method Remote Code Execution

Exploitation could allow attackers to read and delete files, and to execute code with elevated privileges. These issues were resolved in version 2024.3, released on July 17, 2024, after disclosure through Trend Micro’s Zero Day Initiative.

This follows CISA’s inclusion of a high-severity path traversal flaw in SolarWinds Serv-U (CVE-2024-28995) in its Known Exploited Vulnerabilities catalog due to active exploitation reports.

4. TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks

Threat actors, tracked as TAG-100 by Recorded Future’s Insikt Group, are using open-source tools for cyber espionage against global government and private sector entities. Since February 2024, they have targeted organizations across ten countries. The group uses open-source Go backdoors like Pantegana and Spark RAT, exploiting security flaws in products such as Citrix NetScaler, Microsoft Exchange, and Palo Alto Networks GlobalProtect. Starting April 16, 2024, TAG-100 targeted Palo Alto Networks GlobalProtect appliances, exploiting CVE-2024-3400 (CVSS score: 10.0).

This campaign also involved reconnaissance of internet-facing appliances in fifteen countries, including Cuba, France, and Japan. The use of PoC exploits with open-source tools lowers entry barriers for attackers, complicating detection and attribution. Recorded Future highlights the appeal of targeting internet-facing appliances for their limited security defenses.
