HTG Threat Report

Threat Report 3/8/24

Written by Evan Kennedy | Mar 25, 2024 6:57:16 PM
A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Affected Systems:

  • Chrome prior to 122.0.6261.94/.95 for Windows
  • Chrome prior to 122.0.6261.94 for Mac and Linux

Risk

  • Large and medium business entities: High
  • Small business entities: High

Remediation Recommendations

  • Ensure all devices with Google Chrome have the latest version installed
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)

References

  • https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_27.html


Multiple Vulnerabilities in Apple Products Could Allow for Privilege Escalation

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for privilege escalation. Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Affected Systems:

  • Versions prior to iOS 17.4 and iPadOS 17.4
    iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
  • Versions prior to iOS 16.7.6 and iPadOS 16.7.6
    iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation


Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all Apple products have the latest version(s) installed
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)


References

 
Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution


Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.


Affected Systems:

  • Android OS patch levels prior to 2024-03-05

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all devices running Android OS have the latest version(s) installed
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)

References

  • https://source.android.com/docs/security/bulletin/2024-03-01
 
Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

  • Mozilla Firefox is a web browser used to access the internet.
  • Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
  • Mozilla Thunderbird is an email client.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Affected Systems:

  • Firefox ESR versions prior to 115.9
  • Thunderbird versions prior to 115.9
  • Firefox versions prior to 124

Risk

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all devices running Mozilla products have the latest version(s) installed
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)
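Every advisory above ends with "ensure the latest version is installed", which is only useful if it can be verified. The check below is an added example, not part of the HTG report: it compares a constructed device inventory against the fixed versions listed in the Chrome, Apple, Android and Mozilla sections, handling the two supported iOS branches and the Android patch-level date. The product keys, host names and inventory layout are assumptions.

```python
# Added example, not part of the HTG report: check an inventory against the
# patched versions the report lists. Product keys and hosts are assumptions.
from datetime import date

# Fixed versions from the report's "Affected Systems" sections; anything older
# is unpatched. Chrome on Windows ships .94/.95, so .94 is the floor, and
# iOS/iPadOS have two supported branches (16.7.6 and 17.4).
FIXED_VERSIONS = {
    "chrome": ["122.0.6261.94"],
    "firefox": ["124"],
    "firefox-esr": ["115.9"],
    "thunderbird": ["115.9"],
    "ios": ["16.7.6", "17.4"],
    "ipados": ["16.7.6", "17.4"],
}
ANDROID_FIXED_PATCH_LEVEL = date(2024, 3, 5)  # Android uses patch-level dates

def parse_version(v):
    """'122.0.6261.94' -> (122, 0, 6261, 94). Tuples compare lexicographically,
    so the shorter prefix (124,) sorts below (124, 0, 1) but equals (124,)."""
    return tuple(int(part) for part in v.strip().split("."))

def fixed_for(product, version):
    """Fixed version on the installed major branch; if that branch is not
    supported at all, the newest fix is the bar (e.g. iOS 15.x vs 17.4)."""
    installed = parse_version(version)
    candidates = [parse_version(f) for f in FIXED_VERSIONS[product]]
    same_branch = [c for c in candidates if c[0] == installed[0]]
    return min(same_branch) if same_branch else max(candidates)

def is_unpatched(product, version):
    """True when the installed version is below the report's fix."""
    if product == "android":
        return date.fromisoformat(version) < ANDROID_FIXED_PATCH_LEVEL
    return parse_version(version) < fixed_for(product, version)

def triage(inventory):
    """Hosts that still need the update, in inventory order."""
    return [d["host"] for d in inventory if is_unpatched(d["product"], d["version"])]

# Constructed sample inventory (not real hosts) to exercise the check.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "chrome", "version": "122.0.6261.57"},
    {"host": "ws-02", "product": "chrome", "version": "122.0.6261.95"},
    {"host": "lt-07", "product": "firefox-esr", "version": "115.8.0"},
    {"host": "lt-08", "product": "firefox", "version": "124.0.1"},
    {"host": "ip-03", "product": "ios", "version": "16.7.5"},
    {"host": "ip-05", "product": "ios", "version": "15.8"},
    {"host": "an-02", "product": "android", "version": "2024-02-05"},
]
```

Running `triage(SAMPLE_INVENTORY)` returns the hosts still below the report's thresholds; feed it real inventory export rows with the same keys to get a remediation list.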

References


 
Change Healthcare Confirms BlackCat/ALPHV Ransomware Attack, Payment Worth $22 Million Made

United Health Group confirmed on February 29th that the cyberattack sustained by Change Healthcare two weeks ago was a ransomware attack by the BlackCat/ALPHV gang. BleepingComputer reports that BlackCat on February 27th claimed to have stolen six terabytes of data from Change Healthcare and its partners, including medical and dental records, insurance records, payment data, claims information, patients' PII, and active U.S. military/navy personnel PII data. The Record notes that the gang has since removed the post.

Then, on March 1st, BlackCat/ALPHV received a payment of 350 Bitcoin (approximately $22 million), as reported by WIRED. The Register says UnitedHealth Group declined to say whether it paid the ransom.

The Register also notes that ALPHV may be pulling an exit scam with the $22 million. Recorded Future researcher Dmitry Smilyanets says someone claiming to be the affiliate behind the Change Healthcare attack posted on an underground forum saying that ALPHV suspended their account and then "emptied the wallet and took all the money."

The Washington Post has published a summary of the impacts of the Change Healthcare attack. Molly Smith, group vice president for public policy at the American Hospital Association, stated, "Our assessment is that this is the most significant attack on the health-care system in U.S. history."