
Microsoft Exchange flaw CVE-2024-21410 could impact up to 97,000 servers
Researchers from the Shadowserver Foundation have identified approximately 28,500 internet-facing Microsoft Exchange servers vulnerable to CVE-2024-21410, a critical elevation-of-privilege vulnerability. Despite some early reporting that tied it to SmartScreen and code injection, the flaw is an NTLM credential-relay issue: an attacker who can relay a user's NTLM authentication to the Exchange server obtains that user's privileges on it, which can expose mailbox data.
Exploitation involves targeting an NTLM client such as Outlook with a credential-leaking flaw; the leaked NTLM credentials are then relayed to the Exchange server to gain the victim's privileges and perform operations on the victim's behalf.
Shadowserver's scans flagged around 97,000 potentially vulnerable servers, of which 28,500 were confirmed vulnerable to CVE-2024-21410. Most are located in Germany, followed by the United States.
Analysis from our SOC team
Microsoft addressed this issue in the February 2024 Patch Tuesday release. The fix is Extended Protection for Authentication (EPA), which Exchange Server 2019 CU14 enables by default; on servers still running earlier cumulative updates, Extended Protection has to be switched on explicitly (Microsoft's ExchangeExtendedProtectionManagement.ps1 script does this) once the supported CU is installed.
Affected Exchange servers must be updated, and Extended Protection confirmed enabled, to avoid exposure of mailbox data.
Servers that cannot be patched must be isolated from internet access.
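Why the fix for this flaw is Extended Protection rather than a code patch: the added Python illustration below (not Microsoft's code) builds an NTLMv2 response that carries the TLS channel binding EPA checks, then runs it through a direct login, a relayed login with EPA off (the situation CVE-2024-21410 abuses), a relayed login with EPA on, and a relay that tries to patch the binding. The MD4, NTLMv2 and AV_PAIR layouts follow RFC 1320, MS-NLMP and RFC 5929; the certificates, challenges, timestamp and password are constructed sample values, and the NTProofStr check that Exchange really delegates to a domain controller is folded into one server-side function.

```python
"""NTLM relay vs. Extended Protection (EPA): why the TLS channel binding stops a relay.
Added illustration, not Microsoft code; certificates, challenges and password are constructed."""
import hashlib
import hmac
import struct

MSV_AV_EOL, MSV_AV_NB_DOMAIN, MSV_AV_CHANNEL_BINDINGS = 0x0000, 0x0002, 0x000A


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inlined because OpenSSL 3 builds often drop it from hashlib."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rotl((a + f(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)


def av_pairs(pairs):
    """Serialise (AvId, Value) pairs as AV_PAIR records, terminated by MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob):
    pairs, pos = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len


def channel_binding_hash(cert_der):
    """MD5 over gss_channel_bindings_struct; application_data = 'tls-server-end-point:' + cert hash."""
    app_data = b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()
    return hashlib.md5(struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data).digest()


def ntowf_v2(password, user, domain):
    nt_hash = md4(password.encode("utf-16-le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(key, server_challenge, server_target_info, seen_cert_der, client_challenge, timestamp):
    """NTLMv2 response = NTProofStr || temp. The client appends MsvAvChannelBindings for the TLS
    certificate it actually connected to; the binding sits inside temp, so the HMAC covers it."""
    target_info = server_target_info[:-4] + av_pairs([(MSV_AV_CHANNEL_BINDINGS, channel_binding_hash(seen_cert_der))])
    temp = b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4
    return hmac.new(key, server_challenge + temp, hashlib.md5).digest() + temp


def server_verify(response, key, server_challenge, own_cert_der, extended_protection=True):
    nt_proof, temp = response[:16], response[16:]
    if not hmac.compare_digest(nt_proof, hmac.new(key, server_challenge + temp, hashlib.md5).digest()):
        return "rejected: NTProofStr mismatch"
    if extended_protection:  # 28 fixed bytes precede the AV pairs, 4 zero bytes follow them
        binding = parse_av_pairs(temp[28:-4]).get(MSV_AV_CHANNEL_BINDINGS)
        if binding != channel_binding_hash(own_cert_der):
            return "rejected: channel binding mismatch"
    return "accepted"


def demo():
    exchange_cert = b"constructed stand-in for the Exchange TLS certificate (DER)"
    relay_cert = b"constructed stand-in for the attacker's relay certificate (DER)"
    key = ntowf_v2("password", "alice", "CORP")
    server_challenge, client_challenge = bytes(range(8)), bytes(range(8, 16))
    timestamp = struct.pack("<Q", 133_520_000_000_000_000)  # FILETIME, constructed
    target_info = av_pairs([(MSV_AV_NB_DOMAIN, "CORP".encode("utf-16-le"))])
    direct = client_response(key, server_challenge, target_info, exchange_cert, client_challenge, timestamp)
    # Relay: Outlook is coaxed into authenticating to the attacker's host, which forwards Exchange's
    # challenge to the client and the client's response back to Exchange unchanged.
    relayed = client_response(key, server_challenge, target_info, relay_cert, client_challenge, timestamp)
    # The relay swaps in Exchange's own binding: the HMAC over temp no longer verifies.
    tampered = relayed.replace(channel_binding_hash(relay_cert), channel_binding_hash(exchange_cert))
    verify = lambda r, epa: server_verify(r, key, server_challenge, exchange_cert, epa)
    return {"direct, EPA on": verify(direct, True), "relayed, EPA off": verify(relayed, False),
            "relayed, EPA on": verify(relayed, True), "tampered, EPA on": verify(tampered, True)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

The "relayed, EPA off" case is accepted, which is the whole attack: nothing in an unbound NTLM exchange ties the response to the TLS endpoint the client believed it was talking to. With EPA on, the relayed response is rejected because the client hashed the relay's certificate, and the relay cannot fix that up because the binding is under the NTProofStr HMAC.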
ConnectWise disclosed two critical vulnerabilities in its ScreenConnect remote desktop software on Feb. 19, 2024. CVE-2024-1708 and CVE-2024-1709 affect versions 23.9.7 and earlier: the first is a path traversal that can be chained into remote code execution, the second an authentication bypass.
The authentication bypass is considered trivially exploitable, and proof-of-concept exploits are already public.
Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally, primarily in the United States and Europe. ConnectWise confirmed that accounts have been compromised and advised immediate patching of self-hosted or on-premise deployments; cloud-hosted servers have been updated automatically.
Analysis from our SOC team
As the article notes, cloud-hosted servers have been updated automatically by ConnectWise.
Self-hosted servers must be updated to version 23.9.8 or later to address both vulnerabilities. Servers that cannot be patched should be isolated from the internet until they are.
Given the severity of the authentication bypass and the number of exposed servers, active exploitation by a range of threat actors is to be expected.
A high-severity vulnerability has been discovered in Apple Shortcuts, posing a significant security risk to macOS and iOS devices. Tracked as CVE-2024-23204, the vulnerability allows attackers to bypass Apple's Transparency, Consent, and Control (TCC) framework, giving a malicious shortcut access to sensitive data and system information without asking the user for permission.
Shortcuts, a feature designed for task automation on Apple devices, allows users to create and share macros for various functions. However, this vulnerability opens the door for malicious shortcuts to silently collect data without user consent. Bitdefender researchers demonstrated this by creating a proof-of-concept exploit that could exfiltrate data in an encrypted image file.
Analysis from our SOC team
The vulnerability affects devices running versions before macOS Sonoma 14.3, iOS 17.3, iPadOS 17.3 and watchOS 10.3, and is rated 7.5 out of 10 (high). Shortcuts ships with the operating system, so the fix is the OS update itself; Apple urges users to install those releases promptly.
To mitigate the risk, update macOS, iOS, iPadOS and watchOS devices, treat shortcuts from untrusted sources with caution, and check regularly for Apple security updates.
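Both the ScreenConnect and the Apple Shortcuts items above reduce to the same triage question: which assets report a version older than the first fixed release? The added Python example below (not vendor code) answers it over a constructed inventory, flagging ScreenConnect below 23.9.8 and macOS/iOS/iPadOS below 14.3/17.3/17.3 as the advisories state. The one thing it guards against that a quick spreadsheet filter gets wrong is version ordering: compared as text, "23.9.10" sorts before "23.9.8" and would be reported as vulnerable. The asset names and versions are constructed sample data.

```python
"""Patch-state triage for the ScreenConnect and Apple Shortcuts advisories above.
Added example, not vendor code; fixed versions come from the advisories, the inventory is constructed."""
from dataclasses import dataclass


def version_key(version: str) -> tuple:
    """Dotted version -> tuple of ints. Plain string comparison puts 23.9.10 before 23.9.8."""
    return tuple(int("".join(ch for ch in part if ch.isdigit()) or 0) for part in version.split("."))


def version_lt(a: str, b: str) -> bool:
    """a < b, with missing trailing components treated as 0 (23.9.8 equals 23.9.8.0)."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


# product -> (first fixed version, CVE ids); anything older is affected.
FIXED_IN = {
    "ScreenConnect": ("23.9.8", "CVE-2024-1708, CVE-2024-1709"),
    "macOS": ("14.3", "CVE-2024-23204"),
    "iOS": ("17.3", "CVE-2024-23204"),
    "iPadOS": ("17.3", "CVE-2024-23204"),
}


@dataclass
class Asset:
    name: str
    product: str
    version: str
    cloud_hosted: bool = False  # ConnectWise patched its cloud-hosted ScreenConnect instances itself


def triage(assets):
    """(asset, CVEs, action) for every asset whose version is older than the fixed one."""
    findings = []
    for asset in assets:
        if asset.product not in FIXED_IN:
            continue
        fixed, cves = FIXED_IN[asset.product]
        if not version_lt(asset.version, fixed):
            continue
        if asset.cloud_hosted:
            action = "confirm the vendor-applied update, then recheck the reported version"
        else:
            action = f"update to {fixed} or later; isolate from the internet until patched"
        findings.append((asset.name, cves, action))
    return findings


INVENTORY = [  # constructed sample data
    Asset("rmm-01", "ScreenConnect", "23.9.7.8627"),
    Asset("rmm-02", "ScreenConnect", "23.9.10.8817"),  # newer than 23.9.8 despite sorting first as text
    Asset("rmm-03", "ScreenConnect", "23.9.7", cloud_hosted=True),
    Asset("mac-ceo", "macOS", "14.2.1"),
    Asset("mac-dev", "macOS", "14.3"),
    Asset("ipad-lobby", "iPadOS", "17.2"),
    Asset("phone-cfo", "iOS", "17.3.1"),
]

if __name__ == "__main__":
    for name, cves, action in triage(INVENTORY):
        print(f"{name:11} {cves:28} {action}")
```

Feed it the version column from your RMM or MDM export; the action column is the one the SOC analyses above prescribe (patch, or isolate until patched), with cloud-hosted ScreenConnect instances routed to a verification step instead of a patch request.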
In recent days, there has been a surge in vishing alerts, targeting individuals through telephone scams aimed at extracting personal and banking details. Victims typically receive automated calls from a system claiming to be “Card Stop,” informing them of a supposed payment of €2,600 and prompting them to press 1 to prevent it. Upon pressing 1, victims are connected to a fraudulent “Card Stop” employee who requests personal information to allegedly block suspicious transactions.
These calls often originate from unknown or mobile numbers, and the scammers are skilled at sounding convincing. To avoid falling victim to such scams:
- Never disclose personal or financial information over the phone, including passwords, bank card codes, or response codes.
- Avoid returning calls to unknown numbers, especially those from foreign origins.
- Be cautious of unsolicited calls and don’t trust claims made over the phone, as legitimate entities like technology companies, banks, or government agencies won’t request sensitive information over the phone.
- Refrain from granting access to your device by downloading unfamiliar programs.
Analysis from our SOC team
The advice in the article is what we would emphasize as well: never share personal or financial information over the phone, because legitimate organizations never ask for it this way.
Suspicious messages can be forwarded to any of the three Safeonweb email addresses:
– verdacht@safeonweb.be
– suspect@safeonweb.be
– suspicious@safeonweb.be
If you suspect you’ve been scammed:
– Report the incident to the police, especially if you’ve lost money or been coerced into giving personal information.
– Notify your bank and/or Card Stop immediately if you’ve shared banking details or experienced unauthorized transactions, enabling them to block any fraudulent activity. You can also call their hotline: 078 170 170
Our SOC is also available to assist if there is any doubt or suspicion about a text or email message.