Cyber Security Week in Review: February 2, 2024

Ivanti warns of yet another zero-day in Connect Secure and Policy Secure products

Ivanti has released a security advisory warning of two new vulnerabilities in its Connect Secure and Policy Secure products, one of which is being exploited in the wild. The zero-day flaw in question (CVE-2024-21893) is a server-side request forgery (SSRF) issue that stems from insufficient validation of user-supplied input within the SAML component. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems. Successful exploitation of this vulnerability could allow a remote attacker to gain access to sensitive data located on the local network, or to send malicious requests to other servers from the vulnerable system.

The vulnerabilities were discovered as part of the ongoing investigation into CVE-2023-46805 and CVE-2024-21887, exploited by the China-linked threat actor tracked as UNC5221/UTA0178.

Security researchers have also spotted a new version of one of the web shells, known as Wirefire (aka Giftedvisitor), leveraged by a Chinese threat actor in attacks targeting the Ivanti Connect Secure zero-days. This version was modified to evade detection mechanisms, including public YARA rules.

In addition, Synacktiv researchers observed threat actors exploiting CVE-2023-46805 and CVE-2024-21887 to deliver a Rust-based loader called “KrustyLoader,” which in turn deploys Sliver, a Golang-based cross-platform post-exploitation framework used by malicious actors as an alternative to Cobalt Strike.

Mandiant released a report detailing new malware used by UNC5221 and other threat actors during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. The observed tools include custom web shells such as Bushwalk, Chainline, Framesting, and a variant of Lightwire.

On January 31 and February 1, Ivanti rolled out patches addressing all known vulnerabilities: on January 31 for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3, and on February 1 for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.

The US Cybersecurity and Infrastructure Security Agency (CISA) ordered US federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances vulnerable to multiple actively exploited bugs “as soon as possible and no later than 11:59PM on Friday February 2, 2024.”

CISA warns of an actively exploited iOS bug

CISA warned that threat actors are exploiting a vulnerability affecting iOS, iPadOS, macOS, tvOS, and watchOS to compromise Apple devices. Tracked as CVE-2022-48618, the flaw is an improper authentication issue in the kernel. A local application or user with arbitrary read and write capability can bypass Pointer Authentication and compromise the affected system. The vulnerability is being actively exploited in the wild against versions of iOS released before iOS 15.7.1.

Zero-days in Hitron DVRs exploited to install Mirai-based malware

A Mirai-based botnet has been observed exploiting previously undisclosed vulnerabilities affecting multiple DVR device models manufactured by South Korean security equipment maker Hitron Systems.

The six exploited zero-day vulnerabilities are CVE-2024-22768, CVE-2024-22769, CVE-2024-22770, CVE-2024-22771, CVE-2024-22772 and CVE-2024-23842. All of them are described as use-of-default-credentials issues that could be exploited by a remote attacker to compromise the affected device.

Akira ransomware is likely exploiting an old Cisco bug for initial access

The Akira ransomware group is likely exploiting an already patched vulnerability in Cisco appliances as an entry point to targeted networks, researchers from TrueSec believe. The theory is based on the observation that, in eight incidents investigated by TrueSec in which Akira ransomware was deployed and a Cisco AnyConnect SSL VPN device served as the entry point, at least six of the devices were running versions vulnerable to CVE-2020-3259, which was patched in May 2020.

The flaw is an information disclosure issue in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that can be used by a remote threat actor to access sensitive information.

US govt confirms the disruption of Volt Typhoon’s botnet targeting critical infrastructure

The US Department of Justice and the FBI have confirmed that a court-authorized operation has disrupted a botnet of small office/home office (SOHO) routers controlled by Chinese state-backed hacker group Volt Typhoon.

The botnet, dubbed “KV Botnet,” comprised hundreds of privately owned SOHO routers, mainly vulnerable EOL (End-of-Life) Cisco and NetGear routers. The law enforcement operation deleted the KV Botnet malware from the routers and severed their connection to the botnet, blocking communications with other devices used to control the botnet.

Russian hackers APT28 target Ukraine’s military with phishing attacks to steal credentials

Russian cyberespionage group APT28, affiliated with the Main Directorate of the General Staff of the Russian Armed Forces (GRU), has been observed conducting phishing attacks aimed at obtaining Ukrainian military personnel's credentials that would give it access to the country’s military situational awareness and command and control systems. The phishing campaign involves several attack vectors and is specifically targeting military personnel and units of the Ukrainian Defense Forces.

In addition, HarfangLab researchers published a report detailing a malicious APT28 campaign involving hacked legitimate Ubiquiti network devices used as infrastructure, which they believe is part of a December 2023 phishing campaign that targeted Ukraine and Poland with the Masepie malware.

A report from cybersecurity firm Trend Micro highlights APT28’s most recent techniques, including the use of Net-NTLMv2 hash relay attacks to brute-force its way into government, defence and military networks worldwide.

Over 2K PCs in Ukraine found to be infected with DirtyMoe malware

Ukraine's Computer Emergency Response Team (CERT-UA) said it detected a widespread cyberattack that infected more than 2,000 computers across the country with the DirtyMoe (PurpleFox) malware. The CERT team said they identified 486 IP addresses of intermediary control servers between January 20 and January 31, 2024, the majority of which were linked to compromised hardware located in China.

Nation-state hackers broke into Cloudflare’s Atlassian server using auth tokens stolen in the Okta hack

Cloudflare published details regarding the security breach it suffered in November 2023. The company said that an attacker gained access to the Confluence wiki, Jira bug database, and Bitbucket source code management system using an access token and three service account credentials obtained during the Okta compromise in October 2023, which were not rotated. Cloudflare believes that the attack was orchestrated by a nation-state threat actor aiming to obtain “persistent and widespread access to Cloudflare’s global network.”

Police dismantle Grandoreiro banking malware op, arrest key figures

The Federal Police of Brazil announced it has disrupted the operation of a cybercriminal gang behind a massive banking fraud scheme that has netted at least €3.6 million ($3.9 million) since 2019. The investigation into the Grandoreiro operation began following a report from Spain-based Caixa Bank, which identified that the programmers and operators of the banking malware were in Brazil. The criminals used cloud servers to host the infrastructure used in the Grandoreiro malware campaigns.

Interpol-led operation takes down server infrastructure linked to phishing, ransomware, and banking malware

Operation Synergia, led by Interpol and spanning from September to November 2023, has identified and targeted 1,300 suspicious IP addresses and URLs associated with phishing, malware, and ransomware attacks. The operation involved 60 law enforcement agencies from over 50 countries.

Authorities have detained 31 individuals and an additional 70 suspects have been identified. To date, 70% of the command-and-control (C2) servers identified have been taken down, with the remainder currently under investigation. The majority of the C2 servers were located in Europe, where 26 suspects were arrested. Another four suspects were apprehended in South Sudan and Zimbabwe.

German authorities seize over €2 billion in Bitcoin linked to movie piracy portal

German authorities seized more than €2 billion worth of Bitcoin from one of the operators of the now-defunct movie piracy portal, movie2k.to. The funds were voluntarily transferred to officials by the site's programmer, who has been in pre-trial detention since 2019.

Canadian hacker sent to jail for ransomware attacks

Matthew Philbert, a 33-year-old Ottawa man, has been sentenced to two years in prison for orchestrating ransomware attacks that affected numerous victims. Philbert was charged with offenses related to cyberfraud, including coordinating ransomware attacks on individuals, businesses, and government agencies in Canada, as well as engaging in cyber-related offenses in the US.

The attacks typically began with a “malspam campaign,” using emails with infected attachments. The attacks allowed perpetrators to compromise web cameras, steal passwords, conduct unauthorized banking transactions, and deploy malware and ransomware.

Hundreds of network operators’ credentials found circulating in dark web

Following a major cybersecurity breach at Orange España last month, security researchers have detected a significant number of network operators' credentials circulating on the dark web. Cybersecurity firm Resecurity said it identified over 1,572 customers of RIPE, APNIC, AFRINIC, and LACNIC, who were compromised due to malware activity involving well-known password stealers like Redline, Vidar, Lumma, Azorult, and Taurus. These compromised accounts were discovered to be up for sale on underground marketplaces.

A DraftKings hacker sentenced to 18 months in prison

A 19-year-old Wisconsin man, Joseph Garrison, has been sentenced to 18 months in jail for his involvement in the 2022 hack of the DraftKings fantasy sports website, in which the attackers used stolen usernames and passwords to pilfer $600,000 from 1,600 accounts. He pleaded guilty to a single count of conspiracy to commit computer intrusions in November 2023.

Two other individuals, Nathan Austad, 19, and Kamerin Stokes, 21, have been recently arrested and charged in connection with the same hack. Prosecutors allege that Austad and Garrison accessed 60,000 customer accounts and sold the access information through illicit online platforms they controlled, with Stokes implicated in buying the stolen data from Garrison and selling it online.

Former CIA coder and WikiLeaks informant Joshua Schulte gets 40 years in prison

Former CIA programmer Joshua Schulte has been sentenced to 40 years in prison for multiple offenses, including leaking classified hacking tools, known as “Vault 7,” to WikiLeaks. The tools, capable of hacking smartphones for surveillance, were shared in 2017, constituting the largest CIA data breach. Schulte was also convicted of possessing child abuse images. Despite denying the charges, he was found guilty in federal trials in 2020, 2022, and 2023, facing charges of espionage, computer hacking, contempt of court, making false statements to the FBI, and child abuse image possession.

Belarusian and Cypriot national linked to BTC-e charged in the US with money laundering

Aliaksandr Klimenka, a Belarusian and Cypriot national, has been charged in the US with money laundering conspiracy and operating an unlicensed money services business. Klimenka, along with Alexander Vinnik and others, is alleged to have controlled BTC-e, a digital currency exchange, as well as Soft-FX, a technology services company, and FX Open, a financial company, between 2011 and July 2017. Klimenka was arrested in Latvia in December 2023 at the request of the United States and made his initial appearance in San Francisco. If convicted, he could face a maximum penalty of 25 years in prison.

Financially motivated hackers target companies in Italy via news and media hosting sites

A recent report from Mandiant sheds light on the activities of UNC4990, a financially motivated threat actor utilizing weaponized USBs to spread cryptojacking malware. Targeting users in Italy since at least 2020, UNC4990 has evolved its tactics by transitioning from encoded text files to hosting payloads on popular websites like Vimeo, Ars Technica and GitHub. The actor employs tools such as Emptyspace, a versatile downloader, and Quietboard, a backdoor delivered through Emptyspace.

Malicious PyPI packages deliver WhiteSnake info-stealer to Windows systems

Fortinet researchers discovered a series of malicious packages on the Python Package Index (PyPI) repository, designed to infect systems with a dangerous information-stealing malware named WhiteSnake Stealer. The malware, designed to target Windows systems, is hidden within seemingly harmless Python packages, posing a significant threat to unsuspecting users.

Jordan critics targeted with Pegasus spyware

An investigation by a consortium of digital rights groups, led by Access Now and Citizen Lab, revealed a hacking campaign targeting influential figures in Jordan between 2019 and 2023. The campaign utilized Pegasus spyware, developed by the Israeli company NSO Group. Those affected by the cyber-espionage included prominent individuals such as human rights advocates, activists, politicians, journalists, and information technologists critical of the Jordanian government. At least 35 people were identified as victims of this targeted surveillance.

Mercedes-Benz exposed sensitive internal data after leaving GitHub access token online

German automotive corporation Mercedes-Benz accidentally exposed its source code after leaving a GitHub access token online. The leak was discovered by researchers from cybersecurity firm RedHunt Labs after they found a Mercedes employee’s authentication token in a public GitHub repository that gave full access to Mercedes’s GitHub Enterprise Server and the company’s private source code repositories.

Schneider Electric reportedly hit with a Cactus ransomware attack

Energy management giant Schneider Electric has reportedly fallen victim to a Cactus ransomware attack, resulting in the theft of corporate data from its Sustainability Business division. The attackers are said to have stolen terabytes of corporate data and are now threatening to leak the information if a ransom is not paid.
