Cyber999 Advisories

27 February 2025     Report

SR-029.022025: MyCERT Report - Cyber Incident Quarterly Summary Report - Q4 2024


TLP WHITE

1.0 Introduction
The Cyber Incident Quarterly Summary Report Q4 2024 provides an overview of computer security incidents handled by the Cyber999 Incident Response Centre of CyberSecurity Malaysia in Q4 2024.

This quarterly Cyber Incident Report also highlights statistics of incidents dealt with by Cyber999 Incident Response Centre in Q4 2024 according to their categories and security alerts and advisories released in this quarter. It should be noted that the statistics provided in this report reflect only the total number of incidents reported and handled by the Cyber999 Incident Response Centre, excluding elements such as monetary value or aftermaths of the incidents. Computer security incidents dealt with by the Cyber999 Incident Response Centre involved IP addresses and domains from Malaysia.

CyberSecurity Malaysia works closely with ISPs, CERTs, Special Interest Groups (SIGs) and Law Enforcement Agencies (LEAs), both local and international, to remediate and mitigate computer security incidents affecting Malaysia's organisations and the public.

2.0 Trends in Q4 2024
Malaysia's internet users were forecast to increase continuously between 2024 and 2029 by two million users (+5.74 percent) [1]. In general, the Cyber999 Incident Response Centre receives incident reports from Internet users, members of the public, home users, small and medium enterprises (SMEs), industries, academia, and non-profit organisations (NGOs). We proactively seek and gather insights on cyber threats through partnerships and collaborations worldwide that could impact Internet users and organisations in Malaysia, and use them to aid in mitigating these threats. The Cyber999 Incident Response Centre received 1,550 incidents in Q4 2024, compared to 1,623 incidents in Q3 2024, a 4 percent decrease.

Tables 1 to 3 below provide details of the incidents and their figures reported in Q3 2024 and Q4 2024.

Categories of Incidents    Q3 2024    Q4 2024    Change (%)
Denial of Service          8          3          -62.5
Intrusion                  71         75         6
Data Breach                168        151        -10
Intrusion Attempt          140        97         -31
Vulnerabilities Report     21         34         62
Malicious Codes            57         42         -26
Fraud                      1139       1108       -3
Spam                       57         40         -30
TOTAL                      1623       1550       -4

Table 1: Comparison of Incidents Reported in Q3 2024 and Q4 2024

Categories of Incidents    Oct    Nov    Dec
Denial of Service          0      1      2
Intrusion                  26     33     16
Data Breach                53     53     45
Intrusion Attempt          30     34     33
Vulnerabilities Report     11     12     11
Malicious Codes            18     9      15
Fraud                      372    334    402
Spam                       12     7      21
TOTAL                      522    483    545

Table 2: Breakdown of Incidents Based on Months in Q4 2024

Categories and Sub-categories of Incidents    Oct    Nov    Dec
Denial of Service
  Denial of Service - DoS                     0      1      2
Fraud
  Fraud - Bogus Email                         0      7      12
  Fraud - Business Email Compromise           3      1      0
  Fraud - Fraud Site                          6      4      3
  Fraud - Impersonation & Spoofing            29     85     138
  Fraud - Job Scam                            2      1      4
  Fraud - Love/Parcel Scam                    2      1      0
  Fraud - Phishing                            330    235    245
Vulnerabilities Report
  Misconfiguration Information Disclosure     7      7      7
  System Vulnerabilities                      3      2      1
  Web Vulnerabilities                         1      3      3
Intrusion
  Intrusion - Account Compromise              25     14     11
  Intrusion - Defacement                      1      19     5
Intrusion Attempt
  Login Brute Force                           9      17     16
  Port Scanning                               0      0      0
  Vulnerability Probes                        21     17     17
Malicious Codes
  Botnet C&C                                  1      1      2
  Malware                                     10     7      11
  Malware Hosting                             7      1      2
Content Related
  Data Breach                                 53     53     45
Spam
  Spam                                        12     7      21
TOTAL                                         522    483    545

Table 3: Breakdown of categories and sub-categories of incidents in Q4 2024

Figure 1 illustrates and provides an overview of the incidents reported in Q4 2024 in a chart. Figure 2 illustrates the percentage of incidents based on their classification.

Figure 1: Breakdown of incidents based on categories in Q4 2024


Figure 2: Percentage of incidents reported by categories in Q4 2024


In summary, based on the above statistics, two categories of incidents reported to us (Vulnerabilities Report and Intrusion) increased in Q4 2024 compared to Q3 2024, while all other categories decreased. Intrusion incidents increased by 6 percent from Q3 2024 and Vulnerabilities Reports increased by 62 percent. In Q4 2024, the most reported incidents were Fraud, Data Breach and Intrusion Attempts. Fraud represents 71 percent of the total incidents reported to us, followed by Data Breaches (10 percent) and Intrusion Attempts (6 percent).

Based on current trends, fraud incidents will most likely continue to grow in Malaysia in 2025. New tactics and techniques in online scams and fraud that combine social engineering with malicious code could also expand in Malaysian cyberspace.

Data breach incidents decreased slightly, by 10 percent, this quarter. Nevertheless, they remain a threat to Malaysia and could increase in the future if proper measures are not in place to deter them. Hence, organisations and Internet users are urged to take proper security measures to prevent data breaches.

Meanwhile, for fraud incidents other than phishing URLs, new tactics and techniques in online scams that combine social engineering with malicious code could grow in Malaysian cyberspace.

2.1 Top Fraud Incidents Reported in Q4 2024
Fraud continues to prevail within the constituency, targeting citizens from students to professionals. It has become a preferred method of criminals because awareness is still lacking among the public, which makes them easier targets. 1,108 fraud incidents were handled this quarter, representing a 3 percent decrease compared to Q3 2024. All the fraud incidents were received from organisations and public users.

The top fraud incidents reported to the Cyber999 Incident Response Centre are as follows:

Table 4: Top Fraud Incidents Reported in Q4 2024

Types of Fraud Number of Incidents
Phishing 810
Impersonation and Spoofing 252
Bogus Email 19
Fraudulent Website 13
Job Scam 7
Business Email Compromised – BEC Scam 4
Love and Parcel Scam 3

Our statistics show that nearly three-quarters of the fraud incidents reported are phishing, representing 73 percent of the total fraud incidents reported in Q4 2024. We observed the following phishing trends in Malaysia based on the incidents reported to us:

A. Contextualised and Localised Phishing Themes
Government Aid Scams: Phishing emails or SMS impersonate legitimate government programmes (e.g., bantuan/sumbangan kerajaan, i.e. government aid/contributions), offering financial aid but requiring victims to provide personal details or click malicious links.

Fake Promotions and Discounts: Popular brands like Lazada, Shopee, or local retailers are spoofed, luring victims with fraudulent discounts or free vouchers.

Traffic Summons Scams: Messages claim unpaid police summonses and provide fake payment links to steal financial credentials.

Subscription Services: Services like Netflix or Spotify are impersonated, tricking victims into renewing subscriptions or fixing payment issues on fake websites.

B. Mobile-Focused Phishing (Smishing and App-Based)
Smishing (SMS Phishing): Attackers send fraudulent SMS messages mimicking banks, e-wallets, or delivery services (e.g., J&T Express, Pos Malaysia) with malicious links.

C. Phishing Calls (Vishing)
Phone Scams: Attackers impersonate government agencies (e.g., the police, LHDN or MCMC), banks, companies, or even CyberSecurity Malaysia, pressuring victims to disclose sensitive information. Common tactics include threats of legal action, account suspension, or overdue payments.

Therefore, Internet users and organisations must be vigilant when conducting online transactions or performing e-commerce transactions to avoid becoming victims of online fraud.

2.1.1 Scam Calls Continue Impersonating CyberSecurity Malaysia and Several Malaysian Law Enforcement Agencies
This quarter, we observed scam calls continuing to impersonate CyberSecurity Malaysia and several local law enforcement agencies (LEAs). The scam calls were made to users' mobile numbers, purportedly from CyberSecurity Malaysia and other agencies such as the Ministry of Communications and Multimedia, the Malaysian Communications and Multimedia Commission (MCMC), the National Scam Response Centre (NSRC) and several LEAs. The scammer's modus operandi is to call potential victims and claim that the LEAs will terminate the user's phone number because several cases from different states involving illegal activities have been linked to it. The primary objective of the scam call is to create panic among potential victims and pressure them into following the scammer's instructions so that their personal details can be harvested.

We have released an Alert on this scam as a precaution to the general public, as below:
https://www.mycert.org.my/portal/advisory?id=MA-1212.122024

2.2 Top Malware Incidents Reported in Q4 2024
The top malware incidents reported to us include malware hosting, ransomware, malicious APKs, backdoors, and trojans. The most reported malware incidents are related to malicious APKs. This type of incident is typically received from Internet banking users and sometimes from local financial institutions.

A malicious APK is an Android Package (APK) file containing malware designed to harm devices, steal data, or perform unauthorised actions. APK files are used to distribute and install applications on Android devices, and malicious versions exploit this format to spread malware. They often mimic popular apps (e.g., social media, games, or utilities) to trick users into downloading them. Attackers may distribute these files through phishing emails, social media, fake websites, or third-party app stores.

Table 5: Types of Malicious APKs Reported in Q4 2024

Types of Malicious APK Number of Incidents
mykakaks cleaning service apk 2
MR ENERGY apk 1
live stream app 1
cleaning service apk 2
cypd apk 1
fuming trading apk 1
cod apk 1
statement pdf apk 1

The second top-reported incident within the malware category is malware hosting. Malware hosting primarily targeted vulnerable servers with outdated security patches and updates. These incidents are usually received from foreign entities, such as anti-virus vendors and special interest groups, regarding servers in Malaysia that are hosting malware. System Administrators must be vigilant and keep systems up to date with the latest patches and security updates to prevent servers from being compromised and hosting malware.

Ransomware incidents increased in Q4 2024 compared to the previous quarter. For Q3 2024, we received 9 incidents, while for Q4 2024, we received 16 incidents, an increase of 78 percent compared to Q3 2024. Ransomware is malicious software (malware) that infects a computer and restricts access until the requested ransom is paid. It is also considered one of the costliest attacks, because the effort required to recover all the data and rectify infected machines is enormous.

Our findings identified that businesses are the most impacted by ransomware incidents in Malaysia, consistent with the rest of the globe. Active Directory (AD) servers have become primary targets in Malaysia. Compromising AD servers can significantly amplify the impact of a ransomware attack: attackers use tools like PsExec, Group Policy Objects (GPOs), or Windows Management Instrumentation (WMI) to execute ransomware on all connected systems. Ryuk and Conti have been observed targeting AD servers for mass deployment and faster network-wide encryption. We also observed attackers exploiting vulnerabilities in virtualisation platforms like VMware; ESXi servers can be targeted directly, allowing attackers to gain control over multiple VMs simultaneously. Ransomware operators use phishing attacks, brute force, or stolen credentials to access VM management consoles or servers. LockBit has been observed deploying scripts to attack VMware environments, including deleting backups and snapshots.
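The mass-deployment techniques named above leave characteristic traces: a PsExec service install (System event 7045), a payload launched by the WMI provider host (Security event 4688), a GPO object change on a domain controller (Security event 5136), and snapshot deletion commands in an ESXi host's shell log. The detector below is an added example, not MyCERT's code; the Windows event records and the ESXi shell.log excerpt are constructed and carry only a subset of the real event fields.

```python
"""Detection rules for ransomware mass-deployment via AD (PsExec, WMI, GPO)
and snapshot deletion on ESXi.  Added example; all log records are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


# Constructed Windows event records (subset of the real event fields).
WINDOWS_EVENTS = [
    # System 7045: new service installed -> PsExec drops PSEXESVC on the target
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # Security 4688: process spawned by the WMI provider host from a temp dir
    {"EventID": 4688, "Computer": "WS12",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\Temp\locker.exe"},
    # Security 5136: a GPO's machine-side extensions were modified on the DC
    {"EventID": 5136, "Computer": "DC01", "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "SubjectUserName": "svc_backup"},
    # Benign records the rules must not flag
    {"EventID": 4688, "Computer": "WS03",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

# Constructed ESXi shell.log excerpt (timestamp, shell pid, user, command).
ESXI_SHELL_LOG = """\
2024-11-03T02:14:07Z shell[2151]: [root]: vim-cmd vmsvc/getallvms
2024-11-03T02:14:21Z shell[2151]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-11-03T02:14:25Z shell[2151]: [root]: vim-cmd vmsvc/snapshot.removeall 15
2024-11-03T09:00:00Z shell[2410]: [root]: esxcli system version get
"""

# Locations a service binary or WMI-spawned child should not be running from.
USER_WRITABLE = re.compile(r"\\(Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
SNAPSHOT_DELETE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: "
    r"(?P<cmd>vim-cmd vmsvc/snapshot\.remove(all)?\b.*)$")


def detect_windows(events):
    """Return one Alert per event that matches a mass-deployment rule."""
    alerts = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev["EventID"] == 7045:
            name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            if name.upper() == "PSEXESVC" or "psexesvc" in path.lower():
                alerts.append(Alert("psexec_service_install", host, f"{name} -> {path}"))
            elif USER_WRITABLE.search(path):
                alerts.append(Alert("service_from_user_writable_path", host, path))
        elif ev["EventID"] == 4688:
            parent = ev.get("ParentProcessName", "").lower()
            child = ev.get("NewProcessName", "")
            # WmiPrvSE launching a binary from a writable directory is the
            # fleet-wide push pattern; explorer launching a browser is normal.
            if parent.endswith("wmiprvse.exe") and USER_WRITABLE.search(child):
                alerts.append(Alert("wmi_remote_process_launch", host, child))
        elif ev["EventID"] == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
            who = ev.get("SubjectUserName", "?")
            attr = ev.get("AttributeLDAPDisplayName", "?")
            alerts.append(Alert("gpo_modified", host, f"{who} changed {attr}"))
    return alerts


def detect_esxi(log_text):
    """Flag snapshot deletion commands; return (alerts, VM ids touched)."""
    alerts, vm_ids = [], []
    for line in log_text.splitlines():
        m = SNAPSHOT_DELETE.match(line)
        if m:
            cmd = m.group("cmd")
            vm_ids.append(cmd.split()[-1])
            alerts.append(Alert("esxi_snapshot_delete", "esxi-host",
                                f"{m.group('user')}: {cmd}"))
    return alerts, vm_ids


if __name__ == "__main__":
    for a in detect_windows(WINDOWS_EVENTS) + detect_esxi(ESXI_SHELL_LOG)[0]:
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Each of the three Windows rules fires on its constructed record and stays silent on the benign ones; on a real estate the 4688 rule needs command-line auditing enabled and the 5136 rule needs a SACL on the Group Policy container.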

Looking at the current trends, ransomware incidents will continue to grow in Malaysia in 2025. Although reported ransomware incidents have slightly increased in this quarter, organisations and Internet users must always take proper security measures against ransomware incidents. Good backup management, password security, and cyber security awareness are essential in combating ransomware and other types of malware. Implementing the backup procedure, policy, and best practices among organisations and public users is also essential.

Table 6: Ransomware Variants Reported in Q4 2024

Types of Ransomware Variant Number of Incidents
Hunters international 1
Lockbit 3
NETCrypton variant 1
Faust Ransomware 1
MedusaLocker 2
Akira 1
Endpoint ransomware 1
Bixi Ransomware 1
Crypto24 1
Ransomhub 1
Valencia 2
Arcus media 1

Apart from ransomware, we also handled incidents involving botnets that infected computers in Malaysia. A botnet (short for robot network) is a network of computers or devices infected by malicious programs and controlled by a single attacker called a botmaster or bot herder. These infected devices, called bots or zombies, can be controlled remotely by the attacker. Botnets are commonly used in:

  1. Distributed Denial-of-Service (DDoS) Attacks: overwhelming a target system, server, or network, making it unavailable to legitimate users.
  2. Massive Spam Campaigns: sending large amounts of phishing or spam emails.
  3. Credential Theft: logging keystrokes to steal passwords or sensitive information.
  4. Cryptojacking: using infected devices to mine cryptocurrency without consent.

Below is the list of top botnets that infected computers, primarily belonging to individuals and organisations in Malaysia, as reported to the Cyber999 Incident Response Centre in Q4 2024:

Table 7: Types of Botnet and Infected IPs in Malaysia in Q4 2024

Types of Botnets Total Infected IPs
avalanche-andromeda 5,262,332
ngioweb 3,572,998
android.vo1d 3,508,305
socks5systemz 1,218,466
adload 509,895
vipersoftx 333,608
downadup 224,192
android.triada 218,425
avalanche 187,297
pseudomanuscrypt 151,174

Apart from ransomware, botnets and malware hosting, we also handled incidents related to infostealers in Q4 2024. An infostealer is malicious software created to breach computer systems and steal sensitive information, including login details. Generally, data from the infostealers contained login credentials from various sources, including information saved in web browsers (such as passwords and credit logins), auto-filled logins, FTP clients, email apps, instant messaging clients, and VPNs.

Below is a list of infostealers associated with data breaches reported to us in Q4 2024:

Table 8: Info stealers reported in Q4 2024

Types of Info Stealers Number of Incidents
Joker stealer 2
Anubis stealer 14
Redline stealer 10
Starlink stealer 1


2.3 Data Breach Incidents are Continuous in Malaysia
We continue to receive data breach incidents in Malaysia daily, even though there is a 10 percent decrease this quarter. This highlights the need for better security measures to ensure data security and public trust in the constituency. High-profile data breaches often involve massive datasets, including personally identifiable information (PII) such as full names, identification numbers, home addresses, telephone numbers and financial details, and commonly PII from national databases. Serious security measures must consistently be implemented to prevent and mitigate data breaches, especially of PII.

We are also observing a trend where perpetrators exfiltrate sensitive data from organisations and hold it hostage. Perpetrators then threaten to release or sell the data on the dark web unless the organisation pays a ransom within a timeframe set by the perpetrators. In cases of extortion, we always advise organisations to refer the matter to the LEAs, such as the police, for assistance. Another trend we observed this quarter is the resurfacing of previous data breaches: perpetrators claimed on the dark web that they had breached data belonging to specific organisations, but our analysis confirmed that these were re-postings of data breaches that happened a few years ago, not new breaches.

Table 9: Data Breaches Reported in Q4 2024

Types of Data Breach                         Description
Personally Identifiable Information (PII)    Full name, identity card number, home address, age, handphone number, date of birth, and salary.
Account Credentials                          Username and password of email accounts; username and password of Internet banking accounts.
Appliance Credentials                        Admin panel access, Joomla, WordPress, FTP access, wp-admin access, etc.


3.0 Security Advisories and Alerts Released in Q4 2024
In Q4 2024, the Cyber999 Incident Response Centre issued 73 Security Advisories and one Alert, each with descriptions, mitigation steps, and recommendations for organisations and Internet users to follow. The security advisories involved Mozilla, Microsoft, Apple, VMware, and several other vendors, with the CVEs listed in Table 10. The security alert concerns growing online fraud and malware threats that we identified as potentially serious to citizens and organisations in Malaysia. If not correctly identified and mitigated, such threats could have serious consequences for citizens and organisations.

Table 10: List of Significant CVEs in Q4 2024 

CVE ID Description

CVE-2024-9120

Use after free in Dawn

Google Chrome on Windows prior to 129.0.6668.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 

CVE-2024-9121

Inappropriate implementation in V8

Google Chrome prior to 129.0.6668.70 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

CVE-2024-9122

Type Confusion in V8

Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. 

CVE-2024-9123

Integer overflow in Skia

Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

CVE-2024-43489

Remote Code Execution Vulnerability

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2024-43496

Remote Code Execution

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2024-38221

Spoofing

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2024-6989

Use-after-free vulnerability in Loader

Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-8362

Use-after-free vulnerability in WebAudio

Google Chrome prior to 128.0.6613.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-7967

Heap buffer overflow found in Fonts

Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-8193

Heap buffer overflow in Skia

Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-8198

Heap buffer overflow in Skia

Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. 

CVE-2024-7976

Inappropriate implementation in FedCM

Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page.

CVE-2024-45694

D-Link WiFi router - Stack-based Buffer Overflow

Stack-based Buffer Overflow in D-Link wireless routers allowing unauthenticated remote code execution

CVE-2024-45695

D-Link WiFi router - Stack-based Buffer Overflow

Stack-based Buffer Overflow in D-Link wireless routers allowing unauthenticated remote code execution

CVE-2024-45696

D-Link WiFi router - Hidden Functionality

Hidden functionality in D-Link wireless routers allowing attackers to enable telnet service using specific packets

CVE-2024-45697

D-Link WiFi router - Hidden Functionality

Hidden functionality in D-Link wireless routers where telnet service is enabled when WAN port is plugged in

CVE-2024-45698

D-Link WiFi router - OS Command Injection

D-Link wireless routers do not properly validate user input in telnet, allowing remote OS command injection

CVE-2024-45424

Zoom Workplace Apps - Business Logic Error

CVE-2024-28990

SolarWinds Access Rights Manager (ARM) Hardcoded Credentials Authentication Bypass Vulnerability

SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

CVE-2024-28991

SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.

CVE-2024-47330

Broken Access Control vulnerability on multiple WordPress plugins by Supsystic

Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic. This issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9.

CVE-2024-43237

WordPress Tag Groups plugin <= 2.0.3 - Sensitive Data Exposure vulnerability

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in TaxoPress WordPress Tag Cloud Plugin – Tag Groups. This issue affects WordPress Tag Cloud Plugin – Tag Groups: from n/a through 2.0.3.

CVE-2024-9073

GutenGeek Free Gutenberg Blocks for WordPress <= 1.1.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The GutenGeek Free Gutenberg Blocks for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVE-2024-47305

WordPress Use Any Font plugin <= 6.3.08 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Dnesscarkey Use Any Font allows Cross Site Request Forgery. This issue affects Use Any Font: from n/a through 6.3.08.

CVE-2024-47303

WordPress Elementor Addons by Livemesh plugin <= 8.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Elementor allows Stored XSS. This issue affects Livemesh Addons for Elementor: from n/a through 8.5.

CVE-2024-38259

Microsoft Mgmt Console

Microsoft Management Console Remote Code Execution Vulnerability

CVE-2024-38014

Windows Installer

Windows Installer Elevation of Privilege Vulnerability

CVE-2024-38260

RD Licensing Service

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

CVE-2024-38119

Network Address Translation

Windows Network Address Translation (NAT) Remote Code Execution Vulnerability

CVE-2024-38217

MOTW, TCP/IP

Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2024-21416

TCP/IP

Windows TCP/IP Remote Code Execution Vulnerability

CVE-2024-38240

Remote Access Connection Manager

Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

CVE-2024-43491

Windows Update 

An attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability. This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order.

CVE-2024-38226

Publisher

Microsoft Publisher Security Feature Bypass Vulnerability

CVE-2024-43465

Excel

Microsoft Excel Elevation of Privilege Vulnerability

CVE-2024-38018

SharePoint

Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2024-9680

Use-after-free in Animation Timelines

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

CVE-2024-9602

Type Confusion in V8

Google Chrome prior to 129.0.6668.100 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

CVE-2024-9603

Type Confusion in V8

Google Chrome prior to 129.0.6668.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-9391

Prevent users from exiting full-screen mode in Firefox Focus for Android

A user who enables full-screen mode on a specially crafted web page could potentially be prevented from exiting full screen mode. This may allow spoofing of other sites as the address bar is no longer visible. 

CVE-2024-9392

Compromised content process can bypass site isolation

A compromised content process could have allowed for the arbitrary loading of cross-origin pages.

CVE-2024-9393

Cross-origin access to PDF contents through multipart responses

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. 

CVE-2024-9394

Cross-origin access to JSON contents through multipart responses

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions.

CVE-2024-9395

Specially crafted filename could be used to obscure download type

A specially crafted filename containing a large number of spaces could obscure the file's extension when displayed in the download dialog.

CVE-2024-9396

Potential memory corruption may occur when cloning certain objects

It is currently unknown if this issue is exploitable but a condition may arise where the structured clone of certain objects could lead to memory corruption.

CVE-2024-9397

Potential directory upload bypass via clickjacking

A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. 

CVE-2024-9398

External protocol handlers could be enumerated via popups

By checking the result of calls to `window.open` with specifically set protocol handlers, an attacker could determine if the application which implements that protocol handler is installed. 

CVE-2024-9399

Specially crafted WebTransport requests could lead to denial of service

A website configured to initiate a specially crafted WebTransport session could crash the Firefox process leading to a denial of service condition.

CVE-2024-9400

Potential memory corruption during JIT compilation

A potential memory corruption vulnerability could be triggered if an attacker had the ability to trigger an OOM at a specific moment during JIT compilation.

CVE-2024-9401

Memory safety bugs 

Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 

CVE-2024-9402

Memory safety bugs 

Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2024-9403

Memory safety bugs 

Memory safety bugs present in Firefox 130. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. 

CVE-2024-9936

Undefined behaviour in selection node cache

When manipulating the selection node cache, an attacker may have been able to cause unexpected behavior, potentially leading to an exploitable crash.

CVE-2024-9954

Use after free in AI

Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-9955

Use after free in Web Authentication

Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-9957

Use after free in UI

Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-9958

Inappropriate implementation in PictureInPicture

Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page.

CVE-2024-9959

Use after free in DevTools

Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension.

CVE-2024-9960

Use after free in Dawn

Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-9961

Use after free in Parcel Tracking

Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-9962

Inappropriate implementation in Permissions

Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.

CVE-2024-9963

Insufficient data validation in Downloads

Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.

CVE-2024-9964

Inappropriate implementation in Payments

Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension.

CVE-2024-9965

Insufficient data validation in DevTools

Google Chrome on Windows prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page.

CVE-2024-9966

Inappropriate implementation in Navigations

Google Chrome prior to 130.0.6723.58 allowed a remote attacker to bypass content security policy via a crafted HTML page. 

CVE-2024-38814

Authenticated SQL injection in VMware HCX

An authenticated SQL injection vulnerability in VMware HCX was privately reported to VMware. A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager.

CVE-2024-20412

Cisco Firepower Threat Defense Software Static Credential Vulnerability

A vulnerability in Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series could allow an unauthenticated, local attacker to access an affected system using static credentials. This vulnerability is due to the presence of static accounts with hard-coded passwords on an affected system. An attacker could exploit this vulnerability by logging in to the CLI of an affected device with these credentials. A successful exploit could allow the attacker to access the affected system and retrieve sensitive information, perform limited troubleshooting actions, modify some configuration options, or render the device unable to boot to the operating system, requiring a reimage of the device.

CVE-2024-20424

Cisco Secure Firewall Management Center Software Command Injection Vulnerability

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system as root. This vulnerability is due to insufficient input validation of certain HTTP requests. An attacker could exploit this vulnerability by authenticating to the web-based management interface of an affected device and then sending a crafted HTTP request to the device. A successful exploit could allow the attacker to execute arbitrary commands with root permissions on the underlying operating system of the Cisco FMC device or to execute commands on managed Cisco Firepower Threat Defense (FTD) devices. To exploit this vulnerability, the attacker would need valid credentials for a user account with at least the role of Security Analyst (Read Only).

CVE-2024-20329

Cisco Adaptive Security Appliance Software SSH Remote Command Injection Vulnerability

A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute operating system commands as root. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by submitting crafted input when executing remote CLI commands over SSH. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. An attacker with limited user privileges could use this vulnerability to gain complete control over the system.

CVE-2024-20351

Cisco Firepower Threat Defense Software Denial of Service Vulnerability

A vulnerability in the TCP/IP traffic handling function of the Snort Detection Engine of Cisco Firepower Threat Defense (FTD) Software and Cisco FirePOWER Services could allow an unauthenticated, remote attacker to cause legitimate network traffic to be dropped, resulting in a denial of service (DoS) condition. This vulnerability is due to the improper handling of TCP/IP network traffic. An attacker could exploit this vulnerability by sending a large amount of TCP/IP network traffic through the affected device. A successful exploit could allow the attacker to cause the Cisco FTD device to drop network traffic, resulting in a DoS condition. The affected device must be rebooted to resolve the DoS condition.

CVE-2024-20330

Cisco Firepower Threat Defense Software Denial of Service Vulnerability

A vulnerability in the Snort 2 and Snort 3 TCP and UDP detection engine of Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series Appliances could allow an unauthenticated, remote attacker to cause memory corruption, which could cause the Snort detection engine to restart unexpectedly. This vulnerability is due to improper memory management when the Snort detection engine processes specific TCP or UDP packets. An attacker could exploit this vulnerability by sending crafted TCP or UDP packets through a device that is inspecting traffic using the Snort detection engine. A successful exploit could allow the attacker to restart the Snort detection engine repeatedly, which could cause a denial of service (DoS) condition. The DoS condition impacts only the traffic through the device that is examined by the Snort detection engine. The device can still be managed over the network.

CVE-2024-20339

Cisco Firepower Threat Defense Software TLS Denial of Service Vulnerability

A vulnerability in the TLS processing feature of Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an issue that occurs when TLS traffic is processed. An attacker could exploit this vulnerability by sending certain TLS traffic over IPv4 through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition and impacting traffic to and through the affected device.

CVE-2024-20260

Cisco Adaptive Security Virtual Appliance SSL VPN Denial of Service Vulnerability

A vulnerability in the VPN and management web servers of the Cisco Adaptive Security Virtual Appliance (ASAv) and Cisco Secure Firewall Threat Defense Virtual (FTDv), formerly Cisco Firepower Threat Defense Virtual, platforms could allow an unauthenticated, remote attacker to cause the virtual devices to run out of system memory, which could cause SSL VPN connection processing to slow down and eventually cease altogether. This vulnerability is due to a lack of proper memory management for new incoming SSL/TLS connections on the virtual platforms. An attacker could exploit this vulnerability by sending a large number of new incoming SSL/TLS connections to the targeted virtual platform. A successful exploit could allow the attacker to deplete system memory, resulting in a denial of service (DoS) condition. The memory could be reclaimed slowly if the attack traffic is stopped, but a manual reload may be required to restore operations quickly.

CVE-2024-20402

Cisco Adaptive Security Appliance SSL VPN Memory Management Denial of Service

A vulnerability in the SSL VPN feature for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a logic error in memory management when the device is handling SSL VPN connections. An attacker could exploit this vulnerability by sending crafted SSL/TLS packets to the SSL VPN server of the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CVE-2024-20268

Cisco Adaptive Security Appliance SNMP Denial of Service

A vulnerability in the Simple Network Management Protocol (SNMP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause an unexpected reload of the device. This vulnerability is due to insufficient input validation of SNMP packets. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device using IPv4 or IPv6. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition.

CVE-2024-20485

Cisco Adaptive Security Appliance Persistent Local Code Execution Vulnerability

A vulnerability in the VPN web server of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a specific file when it is read from system flash memory. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.

CVE-2024-20426

Cisco Adaptive Security Appliance IKEv2 VPN Denial of Service

A vulnerability in the Internet Key Exchange version 2 (IKEv2) protocol for VPN termination of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted IKEv2 traffic to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CVE-2024-20408

Cisco Adaptive Security Appliance Dynamic Access Policies Denial of Service

A vulnerability in the Dynamic Access Policies (DAP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly. To exploit this vulnerability, an attacker would need valid remote access VPN user credentials on the affected device. This vulnerability is due to improper validation of data in HTTPS POST requests. An attacker could exploit this vulnerability by sending a crafted HTTPS POST request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition.

CVE-2024-20495

Cisco Adaptive Security Appliance Remote Access VPN Denial of Service

A vulnerability in the Remote Access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of client key data after the TLS session is established. An attacker could exploit this vulnerability by sending a crafted key value to an affected system over the secure TLS session. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CVE-2024-20494

Cisco Adaptive Security Appliance TLS Denial of Service

A vulnerability in the TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper data validation during the TLS 1.3 handshake. An attacker could exploit this vulnerability by sending a crafted TLS 1.3 packet to an affected system through a TLS 1.3-enabled listening socket. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CVE-2023-20063

Cisco Firepower Threat Defense Software and Firepower Management Center Code Injection

A vulnerability in the inter-device communication mechanisms between devices that are running Cisco Firepower Threat Defense (FTD) Software and devices that are running Cisco Firepower Management Center (FMC) Software could allow an authenticated, local attacker to execute arbitrary commands with root permissions on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by accessing the expert mode of an affected device and submitting specific commands to a connected system. A successful exploit could allow the attacker to execute arbitrary code in the context of an FMC device if the attacker has administrative privileges on an associated FTD device. Alternatively, a successful exploit could allow the attacker to execute arbitrary code in the context of an FTD device if the attacker has administrative privileges on an associated FMC device.

CVE-2024-37383

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

CVE-2024-51378

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

CVE-2024-10826

Use after free in Family Experiences

Google Chrome on Android prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-10827

Use after free in Serial

Google Chrome prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-10487

Out of bounds write in Dawn

Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.

CVE-2024-10231

Type confusion in V8

Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-10229

Inappropriate implementation in Extensions

Google Chrome prior to 130.0.6723.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension.

CVE-2024-5921

GlobalProtect App: Insufficient Certificate Validation Leads to Privilege Escalation

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by those malicious root certificates on that endpoint. GlobalProtect App for Android is under evaluation.

CVE-2024-10979

PostgreSQL PL/Perl environment variable changes execute arbitrary code

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.

CVE-2024-49138

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2024-49112

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution

CVE-2024-12381

Type Confusion in V8

Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2024-12382

Use after free in Translate

Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

4.0 Conclusion
Overall, the number of computer security incidents reported to the Cyber999 Incident Response Centre in Q4 2024 was 1,550. The reported incidents decreased slightly, by 4 percent, compared to Q3 2024, and no significant or severe incidents were observed this quarter. Nevertheless, organisations and individuals must remain vigilant and maintain their readiness, preventive measures and mitigation steps against potential threats. Perpetrators are highly motivated, eager and determined to use new and sophisticated tactics and techniques to execute cyber-attacks.

Hence, we strongly recommend that all internet users stay constantly aware of current cybercrime trends and adhere to best cyber hygiene practices. This includes secure handling of emails from unknown sources, safe web browsing, care when purchasing goods online, and caution when using social media applications. Users must keep systems up to date with the latest security patches and updates to prevent their computers from being compromised or infected with malware. Always check the legitimacy of applications, portals, merchants, services and products before conducting any online transaction.

As the complexity of cyber threats continues to increase, organisations and individuals that are not equipped with security awareness could become targets. Providing security awareness campaigns to citizens and organisations is among the best efforts to improve national cyber security and public trust.

Malaysian Internet users and organisations may report cyber security incidents to us using the contact details below:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.mycert.org.my


References:

[1]  https://www.statista.com/statistics/553752/number-of-internet-users-in-malaysia/

[2]  https://www.malaymail.com/news/malaysia/2024/03/18/total-of-34497-online-scam-cases-reported-losses-estimated-at-rm12b-last-year-dewan-negara-told/124108

CyberSecurity Malaysia is the national cyber security specialist agency under the purview of the Ministry of Digital (KD)