
SnapAttack

Creating Actionable Threat Intelligence for Threat Hunters

Ask any security leader and they’ll tell you actionable threat intelligence is the cornerstone of a successful, threat-informed security operations center (SOC). However, to be of any real value to the team, threat intelligence needs to be relevant, timely, and supportive of next steps for the teams that utilize it.

Hunting Exploitation of SmartScreen and Streaming Service CVEs | Threat SnapShot

Let's face it - if patch management were a silver bullet, we wouldn't need vulnerability management, and threat actors know this. Vulnerabilities get picked up by threat actors and exploited as 1-days. In this week's Threat SnapShot, we'll look at a few recent Windows vulnerabilities that have been added to the CISA Known Exploited Vulnerabilities catalog and are actively used by threat actors like Water Hydra and Raspberry Robin. The first, a SmartScreen bypass (CVE-2023-36025 and CVE-2024-21412), allows code execution through crafted shortcut links.

ScreenConnect Compromise: Hackers Are Watching, Are You Ready? | Threat SnapShot

We know threat actors use RMM tools for command and control and to blend in with other legitimate activity in networks. But how about exploiting RMM tools for fun, profit, and remote code execution? In this week's Threat SnapShot, we'll look at two recent vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1708 and CVE-2024-1709), an authentication bypass and a directory traversal, that can be chained to achieve remote code execution.

SnapAttack ThreatLabs: How to Detect CVE-2023-46214

CVE-2023-46214 is identified as a Remote Code Execution (RCE) vulnerability within Splunk Enterprise, as reported in the Splunk security advisory SVD-2023-1104 on November 16, 2023. Successful exploitation of this vulnerability would give an attacker code execution on the target server. This can lead to exfiltration of sensitive information, persistence, lateral movement, destruction or impairment of the server, or many other malicious activities.

Click with Caution: The Moniker Link Vulnerability (CVE-2024-21413) Exposed | Threat Snapshot

Did you catch the Moniker Link vulnerability from Microsoft's recent "Patch Tuesday"? It's not often that a 9.8 CVSS remote code execution flaw is identified in one of Microsoft's products. But does it live up to the hype? Tracked as CVE-2024-21413, this security flaw could lead to NTLM credential theft and potentially allow remote code execution through manipulated hyperlinks in Microsoft Outlook.

Accelerate SOC Maturity with Threat Hunting

SOC leaders who got their start in security 10 or 20 years ago have witnessed an incredible evolution of cyber attacks. Those who have failed to keep up find themselves operating in an unrecognizable sea of advanced adversaries. All kinds of organizations across every industry are struggling to maintain their pace on the rapid timeline that threat actors have set for them.

Untangling Scattered Spider's Web: Hunting for RMM Tools | Threat SnapShot

Remote Monitoring and Management (RMM) tools, traditionally utilized by IT departments to oversee and manage network infrastructure, software, and systems remotely, have increasingly become a double-edged sword in cybersecurity. The recent breach of AnyDesk, a popular RMM software, underscores the criticality of securing these tools against exploitation. Adversaries like Scattered Spider exploit these legitimate tools for malicious purposes, leveraging them to gain unauthorized access, maintain persistence, and conduct lateral movement within targeted networks.

Unzipped! The Hidden Dangers Behind .Zip Domains | Threat SnapShot

Phishing attacks got a little more interesting last year with the addition of .zip as a domain name. Attackers started using it in phishing campaigns, playing on a user's assumption that they were downloading the popular archive file. In this week's Threat SnapShot, we'll take a closer look at how attackers have used the .zip domain for phishing, as well as detection and hunting strategies you can use to keep your organization safe.