IntelBroker sells a Jira zero-day...
The infamous threat actor IntelBroker is selling online a zero-day in Atlassian’s Jira. The vulnerability is supposedly allowing to run arbitrary commands in Jira without requiring any login and it works for the latest desktop version as for Jira with Confluence. IntelBroker claimed it recently exploited the flaw against CBRE, a large real estate company with 32 billion USD revenue, as it apparently accessed the firm’s AWS configuration settings that were written in a Jira ticket.
... and attacks various organizations
In possibly connected additional hacks, IntelBroker has published the source code of three internal tools used by Apple; put on sale customers and products databases of the semiconductor giant AMD, stolen through a third party; and leaked multi-point accesses to a Middle Eastern embassy and to an unidentified European large insurance company. IntelBroker also said it reached an admin access to a Confluence server and to Slack channels used by T-Mobile, from which it exfiltrated source code in June. In response, T-Mobile claimed that the published data comes from an older breach of a third-party. It seems possible that the initial access to the third-party was gained through the exploitation of a vulnerability in Confluence data centers (CVE-2024-1597).
Velvet Ant and outdated F5 devices
A Chinese threat actor, dubbed Velvet Ant, has compromised a large organization and exfiltrated sensitive customer and financial information for at least two and a half years. The group mostly targeted legacy systems, primarily Windows 2003 servers which were lacking any EDR protection. Moreover, among others, the group reached persistence by exploiting vulnerabilities on two outdated F5 Big-IP devices, which were used to establish a SSH tunnel with an external C2server. The two were internet-exposed and not located behind a firewall.
Telerik's wide exploitation
The recently disclosed vulnerability in Telerik (CVE-2024-4358), Progress Software’s report server, is now under wide exploitation. The vulnerability, which is considered easy to exploit, lets attackers to manipulate authentication tokens to create an admin account, followingly used to login to the server. Chained with another Telerik flaw (CVE-2024-1800), it could lead to full RCE.
Mitigate it
In Telerik’s portal, download the URL Rewrite IIS module and add a blocking rule with the pattern “startup/register”
Ivanti again
Concerns are raised following the publication of a PoC for a critical SQL injection vulnerability in Ivanti’s Endpoint Manager (CVE-2024-29824), disclosed in early May. The flaw might allow unauthenticated threat actors to execute arbitrary code. A few months ago, a sequence of Ivanti zero-days has been at the center of massive exploitations by multiple campaigns.
Mitigate it
Import “mitigation.release.20240126.5” XML file from Ivanti’s management platform
911 Firewall issues
Massachusetts’s 911 system suffered from a two-hours outage, apparently following a firewall misconfiguration. For an unclear reason, Comtech’s firewall blocked calls trying to reach the 911 dispatch centers.
3 million stolen from Kraken
A security research company stole 3 million USD from the crypto exchange Kraken, through the exploitation of a critical zero day in its platform. Now fixed, the flaw allowed to initiate a deposit and receive funds without fully completing the deposit.
New VMware vulnerabilities
Broadcom urges to immediately patch three critical vulnerabilities in VMware vCenter (CVE-2024-37079-81), the management platform for virtual machines and ESXi hosts. No active exploitations have been observed until now.
The US warns against VPN vulnerabilities
Government agencies in the US, New Zealand, and Canada advised for modern approaches to network access security, through the adoption of Zero Trust, SSE and SASE solutions. The advisory warns that by exploiting vulnerabilities in VPNs, threat actors might gain access to large enterprise networks. 22 VPN exploited vulnerabilities have been recently inserted in the KEV list.
Vulnerability exploitation is surging
A new report reveals a surge in vulnerability exploitation, as the exploitation rate rose by 17% in 2021-23. More specifically, the report shows that load balancers, Apple operating systems and Microsoft MSSQL are increasingly becoming attractive targets for threat actors.
Mitigate it
Mitigate it
Mitigate it
Mitigate it
Mitigate it
Sources
- https://x.com/DarkWebInformer/status/1802331875861520786, https://x.com/DarkWebInformer/status/1801794483031351427
- https://twitter.com/DarkWebInformer/status/1802826266355040588, https://twitter.com/DarkWebInformer/status/1803100955946185148, https://twitter.com/DarkWebInformer/status/1803196314441920767, https://www.securityweek.com/amd-investigating-breach-claims-after-hacker-offers-to-sell-data/, https://www.bleepingcomputer.com/news/security/t-mobile-denies-it-was-hacked-links-leaked-data-to-vendor-breach/, https://twitter.com/DarkWebInformer/status/1803500906719367507, https://twitter.com/DarkWebInformer/status/1803403419111080168
- https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/
- https://vulcan.io/blog/fix-cve-2024-4358-cve-2024-1800/
- https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/
- https://www.securityweek.com/massachusetts-911-outage-caused-by-errant-firewall/
- https://thehackernews.com/2024/06/kraken-crypto-exchange-hit-by-3-million.html
- https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vcenter-rce-vulnerability-patch-now/
- https://www.cisa.gov/sites/default/files/2024-06/Modern%20Approaches%20to%20Network%20Access%20Security-508c.pdf
- https://www.action1.com/wp-content/uploads/2024/06/Software_Vulnerability_Ratings_Report_2024.pdf