A threat group is exploiting a vulnerability in Mirth Connect (CVE-2023-43208), disclosed in October 2023. Mirth Connect is a popular cross-platform interface engine for hospitals and clinics. Around 440 internet-exposed vulnerable servers have been located worldwide. The threat group has eventually been identified as Storm-1175, a Chinese group deploying the Medusa ransomware, although others point to UNC5437. It is also possible that the first exploitations took place as early as January 2024. In the meantime, the US government announced a new $50M-funded program to help hospitals automate vulnerability mitigation across all systems and devices used in their environments.

Mitigate it

Apply FortiGuard signature “NextGen.Healthcare.Mirth.Connect.Command.Injection”; activate Tenable Plugin 183969; in Check Point IPS, activate the “NextGen Mirth Connect Command Injection” protection.

In a new BYOVD campaign, a cryptojacking malware is utilizing vulnerable kernel drivers to disable EDRs, among them Microsoft Defender. The threat actor also exploits Defender vulnerabilities (CVE-2023-24860, CVE-2023-36010) to delete access logs, event logs and databases. In parallel, it has been revealed that another campaign has recently been deploying the same cryptominer (XMRig) by exploiting the Log4j flaw (CVE-2021-44228).

Mitigate it

Activate Tenable Plugin 174162 and Qualys IDs (110453-4, 92084-5, 92087, 92089-90).

The Russian Linux-based Ebury botnet, first discovered 15 years ago, has resurfaced and has already compromised 400,000 Linux servers worldwide for cryptocurrency theft and financial fraud. Together with the use of stolen credentials, the botnet gains access to its victims through zero-days in Linux servers’ administration software.

A new report shows that Void Manticore (aka Storm-842), a group affiliated with the Iranian Ministry of Intelligence, is behind the high-profile attacks on various Israeli and Albanian entities. Void Manticore mostly gets initial access by exploiting an old Microsoft SharePoint vulnerability (CVE-2019-0604).

Mitigate it

Activate Tenable plugins (122155, 122859, 1112365-8).

Omnivision, the semiconductor manufacturing giant, has reported a ransomware attack which occurred in September 2023 and led to the leak of confidential documents, non-disclosure agreements and passport scans. The Cactus ransomware, a group known for encrypting its own malware and exploiting flaws in enterprise software (such as in Qlik Sense), took credit for the attack.

Multiple threat actors, including the Indian state actor DoNot Team, are exploiting a “flawed design” vulnerability in Foxit PDF Reader. The exploitations serve various purposes, such as phishing or espionage activities. Foxit is a competitor of Adobe Acrobat with more than 700 million customers worldwide, especially in the government and tech sectors.

Two old vulnerabilities in end-of-life D-Link routers are now exploited in the wild and have been inserted into the KEV list (CVE-2014-100005, CVE-2021-40655). The first, which allows attackers to make configuration changes in D-Link devices, is a decade-old vulnerability patched in 2014.

A new critical memory corruption vulnerability (CVE-2024-4323) in Fluent Bit, an open-source log data collector and processor with billions of downloads, is raising concerns. The flaw, nicknamed “Linguistic Lumberjack”, enables DoS attacks (for which a PoC has already been published). It might also allow information disclosure and RCE, although exploitation for these purposes is considered more complex and time-consuming. Fluent Bit is used by the major cloud providers (Azure, AWS, GCP) and large tech companies such as Cisco, Adobe, Intel, Splunk and others.

GitHub has patched a critical RCE vulnerability (CVE-2024-4985) which affects Enterprise Server instances relying on SSO authentication. By exploiting the flaw, attackers can forge a SAML response to gain access to an admin account. Although no traces of active exploitation have been found, in recent months a few threat actors have leveraged GitHub flaws for initial access, among them IntelBroker and ShinyHunters.

Mitigate it

Search for Qualys QID 379849.

Intercontinental Exchange (ICE), a multinational company operating financial exchanges worldwide, will pay a $10M penalty to the SEC for not having reported in time a breach which occurred in 2021 and involved the exploitation of a VPN vulnerability by a state actor. It took ICE 4 days to evaluate the impact of the exploitation after a third party reported that ICE had been compromised.

A new report shows that in 2023, 53% of widely exploited vulnerabilities were weaponized before their patch release. The report also finds that the “Time to Known Exploitation”, i.e. the time between a vulnerability’s disclosure and its first exploitation event, is shortening: 44% of mass exploitations took place less than a day after disclosure, while the average time to exploitation was 22 days. Moreover, the report claims that in 30% of the attacks, initial access was gained through vulnerability exploitation, and that 36% of mass exploitations used vulnerabilities in network edge devices, a proportion that has doubled since 2022.


A new report, based on telemetry from 10 million sensors, shows that in the second half of 2023, exploitations occurred on average 4.7 days after the vulnerability disclosure, 43% faster than in the first half of the year. Moreover, in 86% of the cases in which a vulnerability was exploited to gain initial access, the flaw was already known at the time of exploitation and a patch for it was readily available.
