Many remain vulnerable to BeyondTrust flaw

The breach into the US Treasury Department was due to the exploitation of the recently reported BeyondTrust vulnerability (CVE-2024-12356). Furthermore, CISA assured that no other federal agency has been impacted. As of January 2, more than 8K vulnerable Internet-facing instances remained, 72% of them in the US. The relatively long patching window is apparently due to a large number of BeyondTrust’s self-hosted deployments.

‍

‍

[mitigate]Block access from 24.144.114.85, 142.93.119.175, 157.230.183.1 and 192.81.209.168[/mitigate]

Cyber war with China is escalating

The Chinese state actor Salt Typhoon (aka UNC2286) continues its campaign against telecommunication companies, and recently broke into Charter, Consolidated Communications and Windstream. In December, the White House announced that the threat group succeeded to compromise and exfiltrate sensitive information from nine American telecoms, including giants such as Lumen, T-Mobile, AT&T, Verizon – the last two now claiming that they finally succeeded to evict the attacker from their networks. Salt Typhoon has recently been spotted targeting various one-day vulnerabilities in third parties, including flaws in Outlook, Fortinet EMS SophosFirewalls and Ivanti Connect Secure VPN.

‍

Chinese actors targeting Middle Eastern ISPs

A campaign attributed to APT27, possibly collaborating with other Chinese state actors, is targeting ISPs and government organizations in Middle Eastern countries. The campaign is spreading the EagerBee backdoor, a sophisticated backdoor designed to evade EDR detections. In a previous campaign using the same malware against high-profile entities in Southeast Asia, initial access was gained through the exploitation of the ProxyLogon vulnerability in Exchange servers (CVE-2021-26855).

‍

LDAPNightmare POC is out

A newly released POC for the recent LDAP vulnerability (CVE-2024-49113), nicknamed LDAPNightmare, has proven ability to crash any unpatched Windows server. Concretely, RPC requests sent to the server cause the Local Security Authority Subsystem Service (LSASS) to crash and force the operating system to reboot. The flaw is related to another one in the same component (CVE-2024-49112).

‍

[mitigate]Ensure Domain Controllers are not configured to access the internet and deny RPC inbound traffic from untrusted networks; monitor suspicious CLDAP referral responses, suspicious DsrGetDcNameEx2 calls, and suspicious DNS SRV queries[/mitigate]

Attackers gained access to Casio through vulns

Casio’s investigation of last October’s ransomware operation concluded that initial access was gained through the exploitation of vulnerabilities in overseas offices, apparently together with phishing emails. The attack, which led to important service disruptions, impacted 6.5K employees and 1.9K business partners. It is attributed to Underground, is a small Russian group targeting Windows systems which has been recently observed exploiting a Microsoft Office RCE flaw (CVE-2023-36884).  

‍

‍

New vulnerabilities exploited in video conferencing platform

Critical Vulnerabilities in Mitel MiCollab (CVE-2024-41713, CVE-2024-55550) are currently exploited in the wild. The two allows to reach admin privileges, then to read local files within the system. MiColab is a platform offering voice and video chat messaging, web conferencing and team collaboration.

‍

Tenable outages

Tenable paused its plugin updates because of a bug causing some of the Nessus agents to go offline after downloading updates. In order to restore the agents, users will have to upgrade their Nessus version and to bring back "lost" plugins by manually resetting them.  

‍

‍

Another vulnerability scanner with issues

A RCE flaw has been found in the Nuclei vulnerability scanner (CVE-2024-43405). The issue might allow attackers to bypass Nuclei’s template signature verification system and inject malicious content into code templates.  Nuclei is a popular open-source vulnerability scanner that leverages simple YAML-based templates.

‍

250 ransomware affiliated CVEs in 2024

A new report shows that in 2024, 250 CVEs have been affiliated to ransomware operations and 75 to state-sponsored threats. 2024 also reflected a decrease in the proportion of zero-days among exploited vulnerabilities. Moreover, against all expectations, serious new flaws in file-sharing software (such as MOVEit and GoAnywhere) were not widely used. The list of 2024 most exploited vulnerabilities includes infamous flaws in PAN-OS (CVE-2024-3400) and ConnectWise (CVE-2024-1709) as in Fortinet EMS (CVE-2023-48788) and in Windows SmartScreen (CVE-2023-36025). Old vulnerabilities in Oracle WebLogic Server (CVE-2020-14882) and Adobe ColdFusion (CVE-2018-15961) were also exploited.

‍