22 March 2024

Cyber Security Week in Review: March 22, 2024


Ivanti patches a high-severity flaw in Standalone Sentry product

Ivanti has released security updates to address a high-severity vulnerability in its Standalone Sentry appliances. Tracked as CVE-2023-41724, the flaw is an OS command injection issue: an unauthenticated attacker on the same network as the appliance can execute arbitrary OS commands on it by sending specially crafted data to the application. The vulnerability affects all supported versions (9.17.0, 9.18.0 and 9.19.0) as well as older releases. Ivanti said it was not aware of any exploitation attempts at the time of disclosure.

Separately, Varonis Threat Labs warned that it has observed a surge in threat actor activity targeting the Ivanti Connect Secure vulnerabilities CVE-2023-46805 and CVE-2024-21887.

Atlassian releases fixes for multiple flaws

Software company Atlassian released security patches for a number of flaws in its products, including a high-severity vulnerability (CVE-2024-1597) in Bamboo Data Center and Server that could be exploited to execute arbitrary SQL queries. The flaw affects Bamboo Data Center and Server versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0 and 9.5.0.

Critical TeamCity flaws exploited to drop ransomware, cryptominers and backdoors

Multiple threat actors are exploiting two recently patched vulnerabilities affecting JetBrains’ TeamCity On-Premises continuous integration and continuous delivery (CI/CD) server to deliver ransomware, cryptocurrency miners, and other malware.

Tracked as CVE-2024-27198 and CVE-2024-27199, the flaws are authentication bypass issues that can lead to a complete takeover of the server: an unauthenticated attacker with HTTP(S) access to a TeamCity server can bypass its authentication checks and gain administrative control of it. All TeamCity On-Premises versions through 2023.11.3 are affected; both issues are fixed in version 2023.11.4.

ShadowSyndicate ransomware group is targeting Aiohttp flaw

The ShadowSyndicate ransomware gang appears to be targeting a recently patched vulnerability in aiohttp, the asynchronous HTTP client/server framework for Python. The flaw (CVE-2024-23334) is a path traversal issue caused by missing validation of directory traversal sequences when static files are served with aiohttp.web.static(follow_symlinks=True): a remote attacker can send a specially crafted HTTP request and read arbitrary files on the host. The flaw was patched in January of this year in aiohttp 3.9.2.

According to Cyble researchers, there are over 43,000 Internet-exposed aiohttp instances worldwide, with the majority located in the US, Germany and Spain.
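The following Python example is added here to show the class of bug behind CVE-2024-23334 in a generic static-file resolver; it is not aiohttp's own code and does not require aiohttp to run. `unsafe_resolve` mirrors the vulnerable pattern (join the request path onto the static root and follow symlinks, with no containment check), while `safe_resolve` first normalizes the path lexically and rejects any `..` escape, and only then decides whether to follow symlinks. The directory layout (`static/`, `outside/secret.txt` and the `static/leak` symlink) is constructed in a temporary directory for the demo; the function and file names are the example's own.

```python
"""Path-traversal containment for a static-file handler (added example)."""
import os
import tempfile
from pathlib import Path


def unsafe_resolve(root: str, request_path: str) -> Path:
    """The vulnerable pattern: join the request path onto the static root and
    follow symlinks, with no check that the result still lies under root.
    '..' components (or a symlink) walk straight out of the directory."""
    return (Path(root) / request_path.lstrip("/")).resolve()


def safe_resolve(root: str, request_path: str, follow_symlinks: bool = False) -> Path:
    """Resolve an already URL-decoded request path against a static root.

    1. Normalise the path lexically and reject it if any '..' component
       escapes root, before touching the filesystem. This check has to run
       even when symlinks are deliberately followed.
    2. Unless follow_symlinks is set, also resolve symlinks and confirm the
       real file is still inside root.
    """
    root_real = os.path.realpath(root)
    rel = request_path.lstrip("/")
    if os.path.isabs(rel):  # e.g. a drive-letter path sneaking in on Windows
        raise PermissionError(f"absolute path rejected: {request_path!r}")
    candidate = os.path.normpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"traversal rejected: {request_path!r}")
    if follow_symlinks:
        return Path(candidate)  # caller opted in to symlinks that leave root
    real = os.path.realpath(candidate)
    if os.path.commonpath([root_real, real]) != root_real:
        raise PermissionError(f"symlink leaves static root: {request_path!r}")
    return Path(real)


def is_served(root: str, request_path: str, follow_symlinks: bool = False) -> bool:
    """True if safe_resolve would hand the file to the client."""
    try:
        safe_resolve(root, request_path, follow_symlinks)
        return True
    except PermissionError:
        return False


def build_fixture() -> tuple[str, str]:
    """Constructed sample layout for the demo (not taken from the advisory):
        <tmp>/static/index.html                      legitimate file
        <tmp>/outside/secret.txt                     must never be served
        <tmp>/static/leak -> ../outside/secret.txt   symlink pointing out of root
    Returns (static_root, path_of_secret_file)."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="static-demo-"))
    static, outside = os.path.join(base, "static"), os.path.join(base, "outside")
    os.makedirs(static)
    os.makedirs(outside)
    Path(static, "index.html").write_text("<h1>ok</h1>")
    secret = os.path.join(outside, "secret.txt")
    Path(secret).write_text("SECRET")
    os.symlink(os.path.join("..", "outside", "secret.txt"), os.path.join(static, "leak"))
    return static, secret


if __name__ == "__main__":
    static_root, _ = build_fixture()
    for req in ("index.html", "../outside/secret.txt", "leak"):
        print(f"{req:24} unsafe -> {unsafe_resolve(static_root, req)}")
        print(f"{'':24} safe   -> {'served' if is_served(static_root, req) else 'rejected'}")
```

Run it and the unsafe resolver hands back `outside/secret.txt` for both the `..` request and the symlink, while the hardened one serves only `index.html`. Note that `follow_symlinks=True` still lets the symlink out, by design; the point of the fix is that the lexical `..` check runs regardless of that option.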

An exploit released for high-risk Fortinet FortiClientEMS bug

Security researchers have released proof-of-concept (PoC) exploit code for a high-risk vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS). The flaw, tracked as CVE-2023-48788, is an SQL injection in the DB2 Administration Server (DAS) component. The vulnerability is being exploited in the wild.

New ‘Loop DoS’ attack targets application-layer protocols

Researchers at the CISPA Helmholtz Center for Information Security have devised a new denial-of-service (DoS) attack, dubbed 'Loop DoS', against application-layer protocols. The method pairs two network services so that they generate an unending loop of messages to each other, flooding the involved systems or networks with traffic and denying service.

The attack is tracked as CVE-2024-2169 and stems from implementations of UDP-based application protocols that answer an error message with another error message. Because UDP has no handshake and does not verify the source address of a packet, an attacker can inject a single datagram with a spoofed source so that two such services keep replying to each other indefinitely.
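To make the loop mechanism concrete, here is an added Python simulation (not code from the CISPA researchers): two toy UDP services exchange datagrams through an in-memory queue, the attacker injects one datagram to service A with B's address as the spoofed source, and the simulation counts how many packets fly before someone stays silent. The protocol strings, the `vulnerable_service` / `hardened_service` handlers and the packet cap are constructed for the example.

```python
"""Loop DoS simulation: error-reply-to-error-reply loops between two services."""
from collections import deque
from typing import Callable, Optional

ERROR_REPLY = "ERROR: unrecognised request"
Handler = Callable[[str], Optional[str]]   # datagram in -> reply out (None = silence)


def vulnerable_service(datagram: str) -> Optional[str]:
    """Chargen/QOTD/TFTP-style behaviour: anything it does not understand,
    including another server's error message, gets an error reply."""
    if datagram == "HELLO":
        return "WELCOME"
    return ERROR_REPLY


def hardened_service(datagram: str) -> Optional[str]:
    """Same protocol, but it never answers a datagram that is itself an error
    reply, so one spoofed packet cannot set two servers chatting forever."""
    if datagram == "HELLO":
        return "WELCOME"
    if datagram.startswith("ERROR"):
        return None                 # drop silently instead of replying
    return ERROR_REPLY


def simulate_loop(service_a: Handler, service_b: Handler,
                  spoofed_payload: str, max_packets: int = 1000) -> int:
    """Deliver one attacker datagram to A whose source address is spoofed as B,
    then let A and B answer each other until one of them stays silent or the
    packet cap is reached. Returns the number of datagrams delivered; hitting
    the cap means the pair would loop indefinitely."""
    handlers = {"A": service_a, "B": service_b}
    in_flight = deque([("B", "A", spoofed_payload)])   # (src, dst, payload)
    delivered = 0
    while in_flight and delivered < max_packets:
        src, dst, payload = in_flight.popleft()
        delivered += 1
        reply = handlers[dst](payload)
        if reply is not None:
            in_flight.append((dst, src, reply))   # reply goes back to the (spoofed) source
    return delivered


def loops_forever(service_a: Handler, service_b: Handler,
                  spoofed_payload: str = "?", max_packets: int = 1000) -> bool:
    """True if the pair never falls silent within the cap."""
    return simulate_loop(service_a, service_b, spoofed_payload, max_packets) >= max_packets


if __name__ == "__main__":
    pairs = {
        "vulnerable <-> vulnerable": (vulnerable_service, vulnerable_service),
        "vulnerable <-> hardened":   (vulnerable_service, hardened_service),
        "hardened   <-> hardened":   (hardened_service, hardened_service),
    }
    for name, (a, b) in pairs.items():
        print(f"{name}: {simulate_loop(a, b, '?')} datagrams, loop={loops_forever(a, b)}")
```

The vulnerable pair hits the cap after a single spoofed packet; hardening either side (dropping datagrams that are themselves error replies) ends the exchange after two or three packets, which is also why the researchers' mitigation advice focuses on the implementations rather than on UDP itself.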

In related news, CISA, the FBI and MS-ISAC released a guide that provides technical details and best practices to respond effectively to Distributed Denial of Service (DDoS) attacks.

Chinese hackers exploit ScreenConnect, F5 bugs to attack defense contractors, govt entities

A threat actor tracked as UNC5174 (also known as Uteus), believed to be associated with the Chinese government, has been observed exploiting F5 BIG-IP (CVE-2023-46747) and ConnectWise ScreenConnect (CVE-2024-1709) vulnerabilities in cyberespionage campaigns targeting US defense contractors, UK government institutions and organizations in Asia, among others. The actor used a mix of custom tools and the SUPERSHELL framework in these attacks.

A new variant of the AcidRain modem wiper that hit Viasat spotted in the wild

A new version of the AcidRain data wiping malware, dubbed AcidPour, has been observed in the wild. It is specifically designed to target Linux x86 devices.

AcidRain was previously linked to the massive hack of satellite internet and TV provider Viasat on February 24, 2022, the day Russia invaded Ukraine, which rendered Viasat KA-SAT modems inoperable across Ukraine.

According to SentinelLabs, AcidPour expands AcidRain's capabilities and destructive potential with logic for Linux Unsorted Block Images (UBI) and the Device Mapper (DM), so it can better target RAID arrays and large storage devices.

The precise targets of AcidPour remain unconfirmed, though its emergence aligns with the ongoing disruption in various Ukrainian telecommunication networks, reportedly offline since March 13, 2024. Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) attributes AcidPour to UAC-0165, a subdivision operating within the larger threat actor entity known as 'Sandworm'.

Russian cyberspies infected the network of a European NGO with TinyTurla-NG backdoor

Cisco's Talos threat research team has published new details about an ongoing Russian espionage operation by the Turla threat group. Talos found that Turla's post-compromise activity in this intrusion is not limited to deploying its backdoors: before dropping TinyTurla-NG (TTNG), Turla attempts to configure anti-virus exclusions so the backdoor goes undetected. Once the exclusions are in place, TTNG is written to disk and persistence is established by creating a malicious service.

Ukraine’s cybersecurity authorities warn of a surge in Smoke Loader malware attacks

The State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP), together with Palo Alto Networks' Unit 42, released a report on Smoke Loader malware attacks targeting Ukraine's financial and governmental sectors. The research, covering May to November 2023, sheds light on the tactics and techniques of the threat actor designated UAC-0006 by CERT-UA.

Five Eyes intelligence agencies share guidance on how to defend against Chinese hackers

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners released a security advisory for critical infrastructure organizations highlighting dangers posed by a Chinese state-sponsored threat actor known as ‘Volt Typhoon.’

Russian hackers unleash sophisticated phishing campaigns across the globe

The IBM X-Force threat intelligence team has uncovered a series of highly sophisticated phishing campaigns orchestrated by the Russian state-sponsored group APT28 (aka UAC-0028, Fancy Bear and Forest Blizzard) targeting organizations across Europe, the South Caucasus, Central Asia, and North and South America.

The researchers assess that, in addition to deploying secondary payloads, the group may be using recently disclosed vulnerabilities to leak NTLMv2 hashes, including the Outlook flaws CVE-2023-35636 and CVE-2024-21413 and the recent Microsoft Exchange vulnerability CVE-2024-21410.

Chinese espionage campaign Earth Krahang infiltrates govt entities worldwide

A China-linked cyberespionage campaign has been targeting government entities across Southeast Asia, Europe, America and Africa since at least 2022. The campaign used several infection methods, including exploitation of vulnerabilities in public-facing servers and spear-phishing, to deliver two custom backdoors, Reshell and XDealer, as well as Cobalt Strike.

Fujitsu discloses malware infection, warns of a possible data leak

Japanese technology giant Fujitsu said it found malware on multiple computers in its network and has warned that the intruders may have stolen files containing personal information and customer data. The tech giant did not specify what kind of malware its systems have been infected with, or the nature of the cyberattack. It also did not disclose what kind of personal information may have been pilfered.

Cybercriminals arrested in Ukraine for hijacking over 100M email and Instagram accounts

Ukrainian police have arrested three individuals aged between 20 and 40 who were hijacking email accounts and Instagram profiles. The suspects used brute-force attacks, guessing passwords by trying large numbers of candidate passwords with specialized software. Preliminary investigations indicate that over a year of activity the group amassed databases of stolen credentials belonging to more than 100 million internet users worldwide.

E-Root Marketplace operator sentenced to 3.5 years in prison

Moldovan national Sandu Boris Diaconu has been sentenced by the US authorities to 42 months in prison for operating E-Root Marketplace, a network of websites that facilitated the sale of compromised computer credentials on a global scale. The authorities estimated that over 350,000 compromised credentials were listed for sale on the E-Root Marketplace. Diaconu was arrested in May 2021 when he attempted to flee the United Kingdom, and he was extradited to the US in October 2023. Diaconu's sentencing follows his guilty plea on December 1, 2023.

Tornado Cash developer charged in the Netherlands with laundering $1.2 billion

Dutch prosecutors have accused Alexey Pertsev, the developer behind Tornado Cash, of orchestrating the laundering of more than $1.2 billion in illicit funds, according to local media.

Prosecutors outlined 36 transactions deemed illicit, pointing to Pertsev's role in channeling assets through Tornado Cash. Notably, the indictment highlights a transaction of over 175 ETH originating from Ronin Bridge, a crypto protocol linked to the popular game Axie Infinity and victimized by a $625 million hack in 2022. The hack, attributed to North Korean cyber group Lazarus by the US Treasury Department, drew attention to Tornado Cash's purported involvement in laundering proceeds from notable heists, including those of Harmony and Nomad.

Pertsev was arrested in the Netherlands in August 2022. His fellow developers, Roman Storm and Roman Semenov, were charged in the US in August 2023; Storm was arrested and is awaiting trial in the US, set for September, while Semenov remains at large.

German police shut down the Nemesis darknet marketplace

German police, in cooperation with US and Lithuanian law enforcement authorities, dismantled the server infrastructure of Nemesis Market, a dark web marketplace hosted in Germany and Lithuania. At the same time, cryptocurrency worth around 94,000 euros was seized.

Established in 2021, the Nemesis Market had over 150,000 user accounts and over 1,100 seller accounts registered worldwide, with almost 20 percent of seller accounts from Germany, according to current investigative findings. The marketplace offered various illicit goods, including narcotics, stolen data, as well as cybercrime services such as ransomware, phishing, or DDoS attacks.

The US sanctions Russian individuals and firms for cyber influence operations

The US Treasury Department's Office of Foreign Assets Control (OFAC) has announced sanctions against two Russian nationals and their respective companies for their alleged involvement in cyber influence operations.

The individuals targeted are Ilya Andreevich Gambashidze, founder of Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin, CEO and current owner of Group Structura LLC (Structura), both aged 46.

The sanctions were imposed in connection with their purported role in a disinformation campaign known as Doppelganger, targeting audiences in Europe and the United States through the use of fake news sites and social media accounts.
