The Snowflake campaigns

Mandiant revealed that UNC5537 is behind a campaign targeting the Snowflake accounts of about 165 organizations. The attackers used stolen credentials for Snowflake instances, most of them harvested by earlier infostealer infections, and went after accounts that had no MFA enabled. According to Mandiant, the campaign is unrelated to the earlier compromise of a former Snowflake employee's account. UNC5537 is a new, financially motivated group, possibly based in North America. It is the fourth group allegedly involved in the recent Snowflake breaches, after ShinyHunters and the less well-known WhiteWarLock and Sp1d3r. Meanwhile, it has emerged that Truist Bank and the insurance information company QuoteWizard have also been compromised.

A new PHP vulnerability

A campaign exploiting a newly disclosed PHP vulnerability (CVE-2024-4577) was observed only two days after the patch and the disclosure were published. The flaw allows command execution on Windows servers running Apache with PHP in CGI mode (php-cgi). The operation is apparently the work of the TellYouThePass ransomware gang, which is known for targeting SMBs and individuals and for exploiting well-known Apache vulnerabilities such as Log4j (CVE-2021-44228) and Apache ActiveMQ (CVE-2023-46604).

Mitigate it

Upgrade PHP to a patched release (8.3.8, 8.2.20 or 8.1.29); disable the CGI features in XAMPP if they are not needed; check Qualys QID 731577.
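
As an added example (not code from the page or from the researchers it cites), the Python scanner below flags CVE-2024-4577 exploitation attempts in Apache access logs. It relies on the publicly documented root cause: on Windows, the C runtime's Best-Fit mapping turns the soft hyphen (0xAD) into '-', so a query string such as `?%ADd+allow_url_include%3D1` reaches php-cgi as the option `-d allow_url_include=1` and bypasses the old check for `?-d` (CVE-2012-1823). The log lines are constructed for the example, and the finding labels and the php-cgi option-letter set are this example's assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-format lines (not real traffic): two CVE-2024-4577 probes,
# one benign request and one classic CVE-2012-1823-style probe.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?%ADs HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.5 - - [10/Jun/2024:12:00:03 +0000] "GET /index.php?page=about&id=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.6 - - [10/Jun/2024:12:00:04 +0000] "GET /test.php?-d+allow_url_include%3d1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Soft hyphen 0xAD is Best-Fit mapped to '-' by the Windows CRT, so "%ADd" reaches php-cgi as "-d".
SOFT_HYPHEN = 0xAD
# Option letters php-cgi accepts on its command line (assumed set for this example).
PHP_CGI_OPTIONS = set(b"dsncfabhilmqrvwzCHTe")

SOFT_HYPHEN_LABEL = "CVE-2024-4577 soft-hyphen argument injection"
LEGACY_LABEL = "CVE-2012-1823-style argument injection"


def query_args(target: str) -> List[bytes]:
    """Split the query string the way the CGI gateway turns it into argv for php-cgi."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    if "=" in query:
        # RFC 3875: the server only passes the query string as argv when it has no raw '='.
        return []
    # Decode each '+'-separated chunk on its own so an encoded '+' is not a separator.
    return [unquote_to_bytes(chunk) for chunk in query.split("+") if chunk]


def classify(target: str) -> Optional[str]:
    """Return a finding label for one request target, or None if it looks benign."""
    for arg in query_args(target):
        if len(arg) >= 2 and arg[0] == SOFT_HYPHEN and arg[1] in PHP_CGI_OPTIONS:
            return SOFT_HYPHEN_LABEL
        if len(arg) >= 2 and arg[0] == ord("-") and arg[1] in PHP_CGI_OPTIONS:
            return LEGACY_LABEL
    return None


def scan(log_text: str) -> List[tuple]:
    """Return (client_ip, request_target, label) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        label = classify(m.group("target"))
        if label:
            hits.append((line.split()[0], m.group("target"), label))
    return hits


if __name__ == "__main__":
    for ip, target, label in scan(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{target}")
```

The scanner only sees the request line, which is enough here because the injected `%ADd` option has to travel in the URL even when the PHP payload itself arrives in a POST body that the access log does not record. A hit on an unpatched host running php-cgi on Windows should be treated as a probable compromise, not just a probe.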

Black Basta's Windows zero-day

Before its dismantlement, Black Basta had been exploiting a vulnerability in the Windows Error Reporting service (CVE-2024-26169). The flaw allows attackers to obtain SYSTEM privileges. Black Basta used it as a zero-day before Microsoft patched it last March.

Mitigate it

Activate Tenable Plugins 191930, 191934, 191936-38, 191941-42, 191944, 191947

Check Point VPN exploitation gets worse

The Check Point VPN vulnerability (CVE-2024-24919) is now being widely exploited: between 600 and 800 unique IP addresses a day have recently been detected attempting to exploit it. Last week it was reported that the flaw had been used by (apparently Russian) threat actors against Germany's largest opposition party.

Mitigate it

Activate Tenable Plugins 114291, 198147

SN BlackMeta against Microsoft and Snapchat

SN BlackMeta claimed to have hacked France-hosted assets of the Microsoft Developer Center, the Microsoft Store and Microsoft Support by compromising an Akamai WAF. The pro-Islamist group (which posts in both Arabic and Russian) also claimed responsibility for a politically motivated attack against Snapchat that disabled logins and disrupted the service. It has recently also been credited with a DDoS operation against the Internet Archive.

Mitigate it

Hacktivists' leak from Israel's

A previously unknown threat actor announced that it had exploited an API vulnerability in Israel's government services and information domain. A database containing the personal information of around 250,000 people has been put up for sale.

A new vuln in Windows MSMQ

Microsoft patched a new flaw in the Windows Message Queuing (MSMQ) service (CVE-2024-30080) that could give an attacker who sends a crafted MSMQ packet full control of the server. It affects servers on which the Message Queuing service is enabled and TCP port 1801 is reachable.

Mitigate it
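
As an added example (not from the page or from Microsoft), the Python snippet below implements the exposure check that follows from the description above: parse the output of `netstat -ano` from a Windows host, pull out every TCP listener and UDP binding on port 1801, and keep only those bound to an address a remote host could reach. The netstat text is constructed for the example; the `Listener` type and the function names are this example's own.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

MSMQ_PORT = 1801
LOOPBACK = {"127.0.0.1", "::1"}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    pid: int


# Constructed 'netstat -ano' output (Windows layout) for a host with MSMQ installed; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       2316
  TCP    [::]:1801              [::]:0                 LISTENING       2316
  TCP    192.0.2.10:1801        198.51.100.7:51044     ESTABLISHED     2316
  UDP    0.0.0.0:1801           *:*                                    2316
  UDP    127.0.0.1:3389         *:*                                    1104
"""

# Matches "1.2.3.4:port" and "[v6addr]:port" as printed by netstat.
ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")


def split_addr(token: str) -> Optional[Tuple[str, int]]:
    """Split a netstat local-address token into (address, port); None for tokens like '*:*'."""
    m = ADDR_RE.match(token)
    if not m:
        return None
    return (m.group("v6") or m.group("v4"), int(m.group("port")))


def parse_netstat(text: str) -> List[Listener]:
    """Return every TCP listener and UDP binding on MSMQ_PORT found in `netstat -ano` output."""
    found: List[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header lines, blank lines, 'Active Connections'
        addr = split_addr(parts[1])
        if addr is None or addr[1] != MSMQ_PORT:
            continue
        if parts[0] == "TCP":
            # TCP rows: Proto, Local, Foreign, State, PID; only listeners matter here.
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            # UDP rows have no State column: Proto, Local, Foreign, PID.
            pid = int(parts[-1])
        found.append(Listener(parts[0], addr[0], addr[1], pid))
    return found


def remotely_reachable(listeners: List[Listener]) -> List[Listener]:
    """Keep only bindings a remote host could reach (wildcard or non-loopback addresses)."""
    return [l for l in listeners if l.address not in LOOPBACK]


if __name__ == "__main__":
    exposed = remotely_reachable(parse_netstat(SAMPLE_NETSTAT))
    for l in exposed:
        print(f"{l.proto} {l.address}:{l.port} pid={l.pid} is reachable from the network")
    if exposed:
        print("MSMQ is exposed: apply the CVE-2024-30080 update or disable the service if unused.")
```

Run `netstat -ano` on the server and feed its output to `parse_netstat`; a live PowerShell equivalent for the TCP side is `Get-NetTCPConnection -LocalPort 1801 -State Listen`. If nothing on the host needs MSMQ, disabling the Message Queuing service removes the attack surface regardless of patch level; otherwise patch and make sure port 1801 is not reachable from untrusted networks.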

Vulnerabilities in edge devices are expanding

A new report confirms that vulnerabilities in edge devices are increasingly exploited in the wild: the number of such flaws added to CISA's KEV catalog is now 23% higher than in 2023. Edge-device vulnerabilities are also more severe than others, with 67% of them scoring above the 97.5th EPSS percentile.

Mitigate it

LLM agents exploiting web zero-days

A team of researchers built GPT-4-based agents to discover and exploit web zero-days, and they succeeded in 8 of 15 cases. For this purpose they used teams of LLM agents organized under a Hierarchical Planning with Task-Specific Agents (HPTSA) method. The same team had previously reported a successful experiment in which GPT-4 was used to weaponize 1-day vulnerabilities.

Mitigate it