OpenSSH vulnerability ‘regreSSHion’ sparks urgent patching

In the past week, a series of significant cybersecurity threats have emerged globally, ranging from targeted espionage campaigns by North Korean hackers using malicious browser extensions to critical vulnerabilities affecting widely used technologies like OpenSSH and Cisco NX-OS. Hacktivist groups continue to pose risks to financial institutions in India through DDoS attacks and social engineering tactics, while unknown actors exploit Microsoft MSHTML flaws to distribute surveillance malware. These incidents underscore the ongoing need for vigilance and proactive security measures across all sectors to mitigate the evolving cyber threat landscape effectively.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. North Korean hackers use TRANSLATEXT to steal sensitive information

North Korean threat actor Kimsuky has been linked to a malicious Google Chrome extension called TRANSLATEXT, designed to steal sensitive information for intelligence gathering. Identified in early March 2024, this campaign targets South Korean academia, particularly those studying North Korean political affairs. Kimsuky, active since 2012 and affiliated with the Lazarus cluster, has previously used a known Microsoft Office flaw (CVE-2017-11882) to distribute malware.

The TRANSLATEXT extension, disguised as Google Translate, collects email addresses, credentials, cookies, and browser screenshots, and communicates with an attacker-controlled Blogger Blogspot URL to execute commands. Security recommendations include updating systems, enhancing email security, using strong authentication, and monitoring browser extensions.

2. Novel OpenSSH flaw could allow root-level RCE on Linux systems

The security community is on high alert due to CVE-2024-6387, a critical vulnerability in OpenSSH known as “regreSSHion,” which exposes Linux environments to remote unauthenticated code execution, potentially leading to root-level access. This flaw, affecting OpenSSH versions 8.5p1 to 9.8p1 on glibc-based Linux systems, stems from a signal handler race condition in sshd, allowing attackers to manipulate system memory through precise timing.

The complexity of the exploit requires multiple attempts and significant skill, but the potential impact is severe. The net effect of exploiting CVE-2024-6387 is a full system compromise, allowing threat actors to execute arbitrary code with the highest privileges, bypass security mechanisms, steal data, and maintain persistent access. Users are urged to update to OpenSSH version 9.8p1 or later, set login timeout to zero as a temporary mitigation, limit SSH access using firewall rules, use jump hosts or bastion servers, and deploy host-based intrusion prevention tools.

3. Cisco NX-OS zero-day exploited to spread custom malware

Cisco has addressed a zero-day vulnerability in NX-OS exploited by threat actors in April to deploy custom malware on susceptible switches. Tracked as CVE-2024-20399, the flaw allows local attackers with Administrator privileges to execute arbitrary commands with root permissions due to insufficient validation of CLI command arguments.

Affected devices include Cisco Nexus switches like the MDS 9000 Series and Nexus 3000 to 9000 Series in standalone NX-OS mode. Cisco advises immediate patching of all vulnerable devices, regular credential rotation for administrative users, and enhanced monitoring of system logs to detect any malicious activity, despite the vulnerability’s ability to bypass syslog messages.

4. Regional governing body alerts Indian BFSI sector to heightened cyberattack risks

Indian banks are facing heightened cyber threats following warnings from a regional governing body about potential attacks, primarily orchestrated by hacktivist groups such as Lulzsec. These attacks, motivated by geopolitical tensions and leveraging freely available tools, aim to exploit vulnerabilities in modern online banking services, posing significant risks to Indian digital wallets and banking applications.

Hacktivist activities include DDoS assaults, data breaches, and social media account hijackings, impacting not only banks in India but also those in the UK, Europe, the U.S., and Israel. Recommendations include investing in DDoS protection services, implementing traffic filtering, optimizing network infrastructure, and maintaining vigilant monitoring of network activities and server logs to swiftly detect and mitigate threats.

5. Threat actors exploit Microsoft MSHTML vulnerability to spread MerkSpy malware

Unknown threat actors are exploiting the recently patched CVE-2021-40444 vulnerability in Microsoft MSHTML to distribute MerkSpy, a surveillance tool targeting users in Canada, India, Poland, and the U.S. This campaign begins with a malicious Word document triggering remote code execution via MSHTML, allowing the download of “olerender.html” to execute shellcode and install further payloads.

MerkSpy establishes persistence by modifying the Windows Registry and captures sensitive data such as screenshots and login credentials, transmitting them to attacker-controlled servers. Simultaneously, a smishing campaign impersonating Apple targets U.S. users with fake SMS messages leading to credential harvesting websites. Recommendations include utilizing advanced threat protection, enhancing email security, conducting cybersecurity training, and deploying Endpoint Detection and Response (EDR) solutions to mitigate these threats effectively.