Cyber Threats Barometer
Highlight of the month
For once, the summer period doesn’t really seem to have marked a break for threat actors. Data leaks and the emergence of new malware continue apace. In terms of detection, probably the most significant event of August 2024 was the publication by Xiao Wei, a Chinese researcher from the Cyber KunLun Institute, of a “remote code execution” (RCE) vulnerability in Windows operating systems, rated critical (CVSSv3.1: 9.8) and identified as CVE-2024-38063. What sets this vulnerability apart is that it is “wormable”: it could let malware self-replicate with no user interaction. It brings back the spectre of WannaCry.
The vulnerability, an integer underflow (CWE-191), lies in the TCP/IP stack of Windows systems, and more specifically in its IPv6 handling. Among the workarounds Microsoft proposes is disabling IPv6. However, as BleepingComputer notes, the vendor also states in its own documentation that IPv6 is required for Vista, Windows Server 2008 and later systems to function properly.
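To make the bug class named above concrete, here is an added illustration, written for this page and not taken from Microsoft, the researcher or any of the analyses cited: it shows how an integer underflow of the CWE-191 kind arises when a length-driven parser computes "bytes remaining" by unsigned subtraction after trusting a declared length, and how a bounds check rejects the malformed record before the subtraction is ever performed. The record layout, the function names and the sample inputs are hypothetical and constructed for the example; nothing here reflects the actual Windows IPv6 code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout used only for this illustration (NOT the
 * Windows IPv6 code): a payload is a sequence of [type:1][len:1][data:len]. */

/* The CWE-191 pattern: "bytes remaining" derived by unsigned subtraction.
 * Once `consumed` exceeds `total` (because a record's declared length was
 * trusted), the result wraps to a huge value instead of going negative, so
 * any later "remaining >= needed" check passes and reads run off the buffer. */
size_t remaining_unchecked(size_t total, size_t consumed)
{
    return total - consumed;           /* wraps when consumed > total */
}

/* Hardened form: refuse to compute a remaining length that would underflow.
 * Returns 0 and stores the remaining byte count, or -1 on underflow. */
int remaining_checked(size_t total, size_t consumed, size_t *out)
{
    if (consumed > total)
        return -1;                     /* would underflow: reject the input */
    *out = total - consumed;
    return 0;
}

/* Count the records in `buf`. Returns the record count, or -1 if a record
 * claims more bytes than are actually left (malformed input). Every step of
 * arithmetic goes through remaining_checked(), so the cursor never passes
 * the end of the buffer. */
int count_records(const uint8_t *buf, size_t total)
{
    size_t pos = 0, left;
    int n = 0;
    for (;;) {
        if (remaining_checked(total, pos, &left) != 0)
            return -1;
        if (left == 0)
            return n;                  /* clean end of payload */
        if (left < 2)
            return -1;                 /* truncated record header */
        size_t len = buf[pos + 1];
        if (len > left - 2)
            return -1;                 /* declared length overruns the buffer */
        pos += 2 + len;
        n++;
    }
}

/* Constructed sample inputs. */
static const uint8_t good[] = { 0x01, 0x02, 0xAA, 0xBB,   /* type 1, len 2 */
                                0x05, 0x00 };             /* type 5, len 0 */
static const uint8_t bad[]  = { 0x01, 0x02, 0xAA, 0xBB,
                                0x05, 0xF0 };             /* claims 240 bytes */

int main(void)
{
    printf("good: %d records\n", count_records(good, sizeof good));
    printf("bad:  %d (rejected)\n", count_records(bad, sizeof bad));
    /* What the unchecked arithmetic would believe is left to read once the
     * cursor has been advanced past the end of `bad` by the bogus length: */
    printf("unchecked remaining after overrun: %zu\n",
           remaining_unchecked(sizeof bad, 2 + 2 + 2 + 0xF0));
    return 0;
}
```

The point for defenders is the shape of the check, not the particular layout: every subtraction that produces a length must be guarded by the comparison that would make it negative, and a record whose declared size exceeds what is physically present is dropped rather than parsed.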
Shortly after the vulnerability was published, proofs of concept (such as this one) proliferated, as did the countermeasures cybercriminals now deploy around high-profile vulnerabilities, along with detailed analyses of the flaw, such as the one published by Marcus Hutchins (@malwaretechguy).
It is worth noting that both the proofs of concept and the analyses demonstrate the use of this vulnerability for denial of service, while treating actual code execution only as a possibility.
The absence of mass exploitation since the vulnerability was disclosed on August 15 suggests that reproducing it at scale is more complex than first thought. Nevertheless, if exploitation of this vulnerability could be stabilized, or the range of achievable actions extended, the consequences could be significant. In this context, we strongly recommend applying the patches already released by Redmond as soon as possible.
[Chart: Top common vulnerabilities & exposures (%)]
[Chart: Top targeted business sectors (%)]
Definition of the month
A worm is a type of virus distinguished by its ability to reproduce and spread autonomously across computer systems. Worms usually exploit network or system vulnerabilities to propagate.
The first known case of infection by a computer worm dates back to 1988, when Robert Tappan Morris, then a computer science student at Cornell University, set out to count the computers connected to the Internet. To propagate, the “Morris Worm” exploited several vulnerabilities in Unix systems, notably a flaw in the “sendmail” mail service and another in the “finger” protocol. It also used brute-force attacks to guess user account passwords. Once installed on a system, the worm attempted to replicate itself to other machines by scanning the networks it was connected to.
Although it was in principle designed to check whether a copy of itself was already present on the target machine, an error in its source code led the worm to reinfect the same machines repeatedly, progressively exhausting their resources: many affected systems slowed down or were paralysed outright. The incident, which affected more than 10% of the 60,000 machines connected to the Internet in 1988, raised awareness of the need to protect against cyber threats and led to the creation of some of the first computer incident response teams, such as CERT.
[Chart: Top malware families (%)]
[Chart: Top threat categories (%)]
About the Cyber Threat Barometer
Malware, critical vulnerabilities, advanced persistent threats, industries particularly targeted, weak signals of emerging attacks… It’s no secret that knowing one’s adversary is a key factor in the security of an enterprise. The Cyber Threat Barometer gives you a monthly overview of the cyber threats detected by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than 4,000 data sources across multiple channels: social networks, specialised sites, and the deep and dark web. They make threat information available on average 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident handling times.