The breach of the US Treasury Department was carried out by exploiting the recently reported BeyondTrust vulnerability (CVE-2024-12356). CISA stated that no other federal agency has been impacted. As of January 2, more than 8K vulnerable Internet-facing instances remained exposed, 72% of them in the US. The relatively long patching window is apparently due to the large number of self-hosted BeyondTrust deployments, which do not receive the vendor's automatic patches.
[mitigate]Block access from 24.144.114.85, 142.93.119.175, 157.230.183.1 and 192.81.209.168[/mitigate]
The Chinese state actor Salt Typhoon (aka UNC2286) continues its campaign against telecommunication companies, having recently broken into Charter, Consolidated Communications and Windstream. In December, the White House announced that the group had compromised and exfiltrated sensitive information from nine American telecoms, including giants such as Lumen, T-Mobile, AT&T and Verizon; the last two now claim to have finally evicted the attacker from their networks. Salt Typhoon has recently been observed targeting various one-day vulnerabilities in third-party products, including flaws in Outlook, Fortinet EMS, Sophos firewalls and Ivanti Connect Secure VPN.
A campaign attributed to APT27, possibly in collaboration with other Chinese state actors, is targeting ISPs and government organizations in Middle Eastern countries. The campaign spreads the EagerBee backdoor, a sophisticated implant designed to evade EDR detection. In a previous campaign that used the same malware against high-profile entities in Southeast Asia, initial access was gained by exploiting the ProxyLogon vulnerability in Exchange servers (CVE-2021-26855).
A newly released PoC for the recent LDAP vulnerability (CVE-2024-49113), nicknamed LDAPNightmare, has demonstrated the ability to crash any unpatched Windows server. Concretely, a DCE/RPC request (DsrGetDcNameEx2) sent to the victim makes it look up an attacker-controlled domain via a DNS SRV query and then connect to the attacker's host as a CLDAP client; a malformed CLDAP referral response then crashes the Local Security Authority Subsystem Service (LSASS) and forces the operating system to reboot. The flaw is related to a critical RCE vulnerability in the same component (CVE-2024-49112).
[mitigate]Ensure Domain Controllers cannot reach the internet and deny inbound RPC traffic from untrusted networks; monitor for suspicious CLDAP referral responses, suspicious DsrGetDcNameEx2 calls and suspicious DNS SRV queries[/mitigate]
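The two network-visible signals of the LDAPNightmare chain, a Domain Controller resolving an SRV record for a domain outside the forest and the same DC then acting as an LDAP/CLDAP client towards an external host, can be hunted in DNS and connection logs. The following is an added example written for this digest, not code from the original page or from the PoC authors; the DC inventory, trusted domains, internal ranges, log formats and log lines are all constructed for illustration.

```python
"""
Detection sketch for the LDAPNightmare (CVE-2024-49113) chain: an inbound
DsrGetDcNameEx2 RPC call coaxes a DC into a DNS SRV lookup for an
attacker-controlled domain, after which the DC talks CLDAP/LDAP to the
attacker's host and receives the malformed referral that crashes LSASS.
All addresses, domain names and log lines are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical environment inventory (assumption, not taken from the original text).
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
TRUSTED_DOMAINS = ("corp.example", "partner.example")   # own forest plus trusted forests
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LDAP_PORTS = {389, 3268}                                # LDAP/CLDAP and Global Catalog


@dataclass
class Alert:
    rule: str
    src: str
    detail: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_trusted_domain(name: str) -> bool:
    """True if name is a trusted domain or a subdomain of one. The check is
    dot-boundary safe, so 'evilcorp.example' does not match 'corp.example'."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_srv_queries(dns_log: str) -> list:
    """Flag a DC issuing an _ldap._tcp SRV lookup for a domain outside the forest.
    Assumed log format: '<timestamp> <source_ip> <qtype> <qname>'."""
    alerts = []
    for line in dns_log.strip().splitlines():
        ts, src, qtype, qname = line.split()
        if src not in DOMAIN_CONTROLLERS or qtype != "SRV":
            continue
        if not qname.lower().startswith("_ldap._tcp."):
            continue
        target = qname[len("_ldap._tcp."):]
        if target.lower().startswith("dc._msdcs."):      # DC locator prefix
            target = target[len("dc._msdcs."):]
        if not is_trusted_domain(target):
            alerts.append(Alert("dc_srv_lookup_untrusted_domain", src,
                                f"{ts} SRV lookup for {target.rstrip('.')}"))
    return alerts


def suspicious_ldap_egress(conn_log: str) -> list:
    """Flag a DC opening an LDAP/CLDAP client connection to a non-internal host.
    Assumed log format: '<timestamp> <src_ip> <dst_ip> <proto> <dst_port>'."""
    alerts = []
    for line in conn_log.strip().splitlines():
        ts, src, dst, proto, port = line.split()
        if src not in DOMAIN_CONTROLLERS or int(port) not in LDAP_PORTS:
            continue
        if is_internal(dst):
            continue
        alerts.append(Alert("dc_ldap_client_to_external_host", src,
                            f"{ts} {proto}/{port} to {dst}"))
    return alerts


def analyze(dns_log: str, conn_log: str) -> list:
    """Run both rules; either alone is worth a look, both together on one DC is urgent."""
    return suspicious_srv_queries(dns_log) + suspicious_ldap_egress(conn_log)


# Constructed sample logs: one benign SRV lookup inside the forest, one lookup for an
# attacker domain, one non-DC client, and one DC lookup that is not _ldap._tcp.
SAMPLE_DNS_LOG = """
2025-01-06T10:01:02Z 10.0.0.10 SRV _ldap._tcp.dc._msdcs.corp.example.
2025-01-06T10:01:05Z 10.0.0.10 SRV _ldap._tcp.dc._msdcs.attacker.example.
2025-01-06T10:01:07Z 10.0.5.23 A www.example.net.
2025-01-06T10:01:09Z 10.0.0.11 SRV _kerberos._tcp.corp.example.
"""

# Constructed connection log: DC-to-DC CLDAP is normal, DC-to-external LDAP is not.
SAMPLE_CONN_LOG = """
2025-01-06T10:01:06Z 10.0.0.10 10.0.0.11 udp 389
2025-01-06T10:01:06Z 10.0.0.10 203.0.113.7 udp 389
2025-01-06T10:01:08Z 10.0.5.23 203.0.113.7 tcp 443
2025-01-06T10:01:10Z 10.0.0.11 198.51.100.9 tcp 389
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG):
        print(f"[{alert.rule}] {alert.src}: {alert.detail}")
```

On the sample data the first rule fires once (the `attacker.example` lookup) and the second twice (the two DC connections to external hosts on port 389). In production the trusted-domain list must include every forest the DCs legitimately locate, otherwise trust-related SRV lookups will produce noise.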
Casio's investigation of last October's ransomware attack concluded that initial access was gained by exploiting vulnerabilities at overseas offices, apparently combined with phishing emails. The attack, which caused significant service disruptions, affected 6.5K employees and 1.9K business partners. It is attributed to Underground, a small Russian group targeting Windows systems that has recently been observed exploiting a Microsoft Office RCE flaw (CVE-2023-36884).
Critical vulnerabilities in Mitel MiCollab (CVE-2024-41713, CVE-2024-55550) are currently being exploited in the wild. Chained together, the two allow an attacker to gain admin privileges and then read local files on the system. MiCollab is a platform offering voice, video and chat messaging, web conferencing and team collaboration.
Tenable paused its plugin updates because of a bug that caused some Nessus agents to go offline after downloading updates. To restore the agents, users will have to upgrade their Nessus version and bring back the "lost" plugins by manually resetting them.
An RCE flaw has been found in the Nuclei vulnerability scanner (CVE-2024-43405). The issue allows attackers to bypass Nuclei's template signature verification and inject malicious content into code templates. Nuclei is a popular open-source vulnerability scanner driven by simple YAML-based templates.
A new report shows that in 2024, 250 CVEs were linked to ransomware operations and 75 to state-sponsored threat actors. 2024 also saw a decrease in the proportion of zero-days among exploited vulnerabilities. Moreover, against expectations, serious new flaws in file-sharing software (such as MOVEit and GoAnywhere) were not widely exploited. The list of the most exploited vulnerabilities of 2024 includes infamous flaws in PAN-OS (CVE-2024-3400) and ConnectWise ScreenConnect (CVE-2024-1709), as well as in Fortinet EMS (CVE-2023-48788) and Windows SmartScreen (CVE-2023-36025). Older vulnerabilities in Oracle WebLogic Server (CVE-2020-14882) and Adobe ColdFusion (CVE-2018-15961) were also exploited.