MOVEit is back

Progress disclosed two vulnerabilities in its file sharing software MOVEit: a critical flaw in the SFTP module of MOVEit Gateway (CVE-2024-5805), which serves as a proxy that enables the actual software (MOVEit Transfer) to receive inbound connections; and a serious flaw in the SFTP module of MOVEit Transfer instances (CVE-2024-5806), impacting also MOVEit Cloud. The flaws allow remote threat actors to bypass MOVEit’s authentication mechanism and to freely transfer files or even impersonate an authorized user. Although the second vulnerability (CVE-2024-5806) seems exploitable only in limited scenarios, first exploitation attempts started just a few hours after its disclosure. A vulnerability has also been discovered in the IPWorks SSH library, a third party utilized by MOVEit. Between 1700 and 2700 MOVEit internet-exposed instances have been identified. Another infamous MOVEit vulnerability (CVE-2023-34362) has been at the center of Clop’s massive campaign in mid-2023, affecting dozens of large organizations.

Mitigate it

Block public inbound RDP access to MOVEit Transfer servers and limit outbound access to trusted endpoints; Activate Tenable plugin 201018

Snowflake campaigns continue

At the same that researchers investigating the large breaches in Snowflake accounts receiving death threats, ransom demands ranging from $300,000 to $5 million have been sent to ten large companies. In the meantime, in Snowflake-related hacks, Sp1d3r has exfiltrated a 64Kindividuals’ database from the high-end retailer Neiman Marcus and sold information stolen from L.A. Unified School District; while ShinyHunters put on sale 30 million user records taken from the Australian ticketing company TEG.

A new vulnerability in SolarWinds

A new vulnerability in SolarWinds Serv-U (CVE-2024-28995) is exploited in the wild. The directory transversal flaw, considered trivial to exploit, allows attackers to read files on the host machine. Active exploitations started after Rapid7 publication of a PoC on June13. It also seems that most attacks are trying to access credentials, Serv-U FTP server startup logs, and Windows configuration settings. At least some of the threat actors exploiting the flaw are Chinese speakers.

Mitigate it

Activate Tenable plugin 200179, 114302

The CISA hack and chemical facilities

The attack against two CISA’s systems, which occurred in January and was revealed in April, compromised over 100,000 individuals. It has also been revealed that the threat actors targeted CISA’s Chemical Security Assessment Tool (CSAT) environment. They accessed surveys, vulnerability assessments, site and personnel security documents, names and addresses, and information about cyber and physical security conditions of high-risk chemical facilities. However, they apparently failed to exfiltrate data. The operation was performed through the exploitation of the Ivanti Connect Secure vulnerabilities.

Zyxel patched... again

A newly disclosed vulnerability in end-of-life Zyxel NAS devices (CVE-2024-29973) is exploited in the wild in botnet attacks. Attackers crafting a HTTP POST request can run code on a targeted device. Zyxel patched a similar exploited flaw one year ago (CVE-2023-27992) but in the process added an endpoint with the same mistake.

Chinese espionage campaign on Taiwan

A Chinese state actor named RedJuliett led a large espionage campaign from November 2023 to April 2024, mostly against Taiwanese organizations. For initial access, the group exploited vulnerabilities in edge devices, such as enterprise VPNs, load balancers and firewalls. It also tried to exploit SQLi and directory traversal flaws in Web and SQL applications. In post-compromise, it leveraged Linux privilege elevation vulnerabilities.

Facebook login vulnerability

Hackers are exploiting a SQLi vulnerability in the pkfacebook module for Pretashop (CVE-2024-36680) and stealing credit card information from customers. Pretashop is an open-source ecommerce platform used by 300,000 online stores worldwide. Pkfacebook is a Facebook add-on allowing users to login using their Facebook accounts.

Shoezone hack

A hacker nicknamed netnsher is selling a part of a database exfiltrated from the British shoes retailer Shoezone. The threat actor is also offering the exploit code of the vulnerability it used in the attack, in case it hasn’t been patched yet. Netnsher is a relatively new hacker known for attacks on an Indian billing system and M&T Bank.

China Vs Asian telecoms

A campaign targeting Asian telecom companies has used malwares associated with three different Chinese cyberespionage state actors: APT15 (aka RedFoxTrot, Nomad Panda), UNC251 (aka Mustang Panda) and UNC787 (aka Firefly). The relationship between the three groups is unclear, although it seems possible that tools have been shared between them. APT15 is known for leveraging the ZeroLogon vulnerability (CVE-2020-1472).

Polyfill's wide infections

Last February, a Chinese actor acquired the polyfill.io domain, resulting in an impressive supply-chain attack, as the domain has been weaponized to infect more than 110,000 websites with malware. Polyfill is apopular Jscript library that enables support for modern functionality in web browsers. It is used by the academic database JSTOR, Intuit, the World EconomicForum and others. Google also started to remove ads linking to websites using polyfills.

Fortra FileCatalyst vulnerability

The publication of a PoC for a vulnerability (CVE-2024-5276) in another file sharing software, Fortra FileCatalyst Workflow, is raising concerns. The SQLi vulnerability allows an attacker to create admin users and to manipulate databases, but apparently not to exfiltrate information. FileCatalyst Workflow is a popular browser-based file transfer platform.

Mitigate it

Edit the XMl file at /webapps/workflow/WEB-INF/web.xml following the vendor’s instructions

Attackers are quicker than defenders  

A new report shows that the 2023 mean time to patch a critical vulnerability in web applications has been 35 days. It also makes clear that attackers are quick at exploiting new vulnerabilities, while cybersecurity teams remain relatively slow creating new WAF rules to mitigate them.

Attackers are quicker than defenders (2)

Another report shows that as a new vulnerability is disclosed every 17 minutes, almost 31,000 new CVEs have been registered in 2023, bringing the total number of CVEs to 235,000. It also affirms that 75% of new flaws are exploited within 19 days, and that for 25% of them an exploit was available on the day of their disclosure. Moreover, while it takes an average 19 days for new vulnerabilities to be exploited, the mean remediation time is evaluated at 95-155 days.

Cloud vulnerabilities are on the rise

A survey among cloud security professionals shows that 52% of 2023’s cloud breaches were the result of vulnerability exploitation, whether 1-day (28%) or 0-day (24%).

Project Naptime

Google released Project Naptime, aimed at utilizing LLM models to facilitate vulnerability discovery and research. The project reached medium-to-high results in using diverse LLM models to exploit different kinds of vulnerabilities, such as memory corruption or buffer overflow.

Mitigate it

Mitigate it

Mitigate it

Mitigate it

Sources