RansomHub strikes again

RansomHub is leaking 100 GB of data stolen from the Florida Department of Health after the agency refused to pay a ransom. RansomHub is a new Russian-speaking double-extortion operation, linked to the former Knight ransomware, that has quickly become one of the most prolific groups worldwide. Its affiliates have recently been observed exploiting the ZeroLogon vulnerability (CVE-2020-1472) for initial access.

Twilio hacked through unauthenticated endpoint

ShinyHunters published data on 33 million accounts of Twilio's two-factor authentication app Authy (the phone numbers tied to those accounts). According to Twilio, the threat actor pulled the data by querying an unauthenticated endpoint, not by breaching Twilio's internal systems; the endpoint has since been secured. ShinyHunters is a notorious threat group, known for raiding companies' GitHub repositories and recently responsible for the Snowflake campaign that led to a huge breach at Ticketmaster.

The Hyper-V vulnerability

Microsoft patched a Hyper-V vulnerability (CVE-2024-38080) that has been exploited in the wild. Hyper-V is Windows' native hypervisor for running virtual machines on Windows and Windows Server. The integer overflow allows an attacker who already has local, low-privileged access to gain SYSTEM privileges on the host machine.

Using an MSHTML flaw for phishing

An MSHTML vulnerability (CVE-2024-38112) has been exploited by at least two different threat actors for about eighteen months, infecting targets in Vietnam and Turkey with infostealer malware. Attackers send victims an Internet shortcut (.url) file; when clicked, it opens its target in the retired Internet Explorer engine, even when Chrome or Edge is set as the default browser, and from there launches an HTML Application (.hta) file. Reported to Microsoft in May, the flaw was patched only last week.

Mitigate it

Apply the Check Point IPS protection "Internet Shortcut File Remote Code Execution"
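
Beyond the IPS signature, a mail gateway or sandbox can triage .url attachments itself. The script below is an added example, not Check Point's signature or code from the campaign: it parses the INI-formatted Internet shortcut and flags the traits the attack relies on, the mhtml: prefix that hands the link to Internet Explorer, the x-usc: sub-URL, an .hta target and an IconFile borrowing a trusted application's icon. The two sample files are constructed and the domain example.invalid is a placeholder; the heuristics are this editor's assumption about what is worth flagging, not a published rule.

```python
"""Flag Internet shortcut (.url) files that use the mhtml: trick behind the
CVE-2024-38112 phishing campaign. Added example: samples are constructed and
the heuristics are the editor's own, not a vendor signature."""
import configparser
import re

# .hta at the end of the path, or followed by a query/fragment/x-usc separator
HTA_RE = re.compile(r"\.hta(?:$|[?#!])", re.IGNORECASE)

# Constructed sample in the shape of the campaign's lure (placeholder domain)
SUSPICIOUS = """[InternetShortcut]
URL=mhtml:http://example.invalid/lure/test.html!x-usc:http://example.invalid/lure/test.html
ShowCommand=7
IconIndex=13
IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
"""

# Constructed benign shortcut for comparison
BENIGN = """[InternetShortcut]
URL=https://example.invalid/report.pdf
"""


def parse_url_file(text):
    """Return the [InternetShortcut] keys (lower-cased) of a .url file.

    .url files are INI-formatted; keys are case-insensitive and values may
    carry stray whitespace. Anything unparsable is treated as 'no fields'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def assess_url_file(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    fields = parse_url_file(text)
    url = fields.get("url", "")
    lowered = url.lower()
    findings = []
    if lowered.startswith("mhtml:"):
        # The mhtml: scheme is routed to MSHTML/IE regardless of the default browser
        findings.append("URL uses mhtml: prefix (forces Internet Explorer)")
    if "!x-usc:" in lowered:
        # x-usc: names the document IE actually loads (mhtml:<a>!x-usc:<b>)
        findings.append("URL carries an x-usc: sub-URL")
    if HTA_RE.search(url):
        findings.append("target is an HTML Application (.hta)")
    iconfile = fields.get("iconfile", "").lower()
    if findings and iconfile.endswith(("msedge.exe", "chrome.exe", "acrord32.exe")):
        findings.append("IconFile borrows a trusted application's icon")
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, assess_url_file(sample) or "clean")
```

Run it over quarantined .url attachments; any non-empty result is worth a look even on patched hosts, because the same shortcut trick is what the IPS protection above is matching on the wire.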

Ghostscript

A new Ghostscript vulnerability (CVE-2024-29510) is apparently already being exploited in the wild. The flaw, a format string bug in the uniprint output device, lets an attacker bypass the -dSAFER sandbox and execute arbitrary code; it is fixed in Ghostscript 10.03.1. Ghostscript is a widely used PostScript and PDF interpreter that many applications call under the hood to convert or preview documents, so exposure is often indirect.

Veeam vulnerability exploited again

A vulnerability in Veeam Backup & Replication (CVE-2023-27532) is being exploited in the wild again, this time by a new ransomware group named EstateRansomware, targeting organizations in the US, France, the UAE, Hong Kong and Malaysia. The group gained initial access by brute-forcing a dormant account on a FortiGate firewall's SSL VPN, then used the flaw to create a rogue account on the backup server for network reconnaissance and credential harvesting. Last year the same vulnerability was used by the Cuba ransomware against critical infrastructure and by the financially motivated group FIN7.

Mitigate it

Apply Veeam's fix for CVE-2023-27532. On an all-in-one Veeam appliance with no remote backup infrastructure components, additionally block inbound connections to TCP port 9401 on the backup server's firewall; that is the port the vulnerable backup service listens on.

APT40 warning

An Australian-led coalition of eight countries warned about APT40, a well-known Chinese state actor that infiltrates government and private networks worldwide. The joint advisory emphasizes how quickly APT40 weaponizes exploits, sometimes within hours of a PoC being published. The group favours vulnerabilities whose exploitation requires no user interaction; in the past it has widely used flaws in Log4j (CVE-2021-44228), Confluence (CVE-2021-26084) and the Exchange ProxyShell chain (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473).

A new OpenSSH vulnerability

While reviewing the RegreSSHion vulnerability (CVE-2024-6387), researchers found a second flaw in OpenSSH (CVE-2024-6409). Like RegreSSHion it is a race condition in signal handling, but it only affects the 8.7p1 and 8.8p1 builds shipped with Red Hat Enterprise Linux 9 and its derivatives. Since the race is triggered in the privilege-separated child process, which runs with reduced privileges, its impact is considered less serious.
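
Because both bugs are tied to specific upstream versions, the first triage step is usually a banner sweep. The script below is an added example, not code from the OpenSSH project or from the researchers: it parses the SSH identification string and flags the RegreSSHion range (8.5p1 through 9.7p1, plus anything older than 4.4p1, fixed in 9.8p1) and the 8.7/8.8 builds that CVE-2024-6409 concerns. The banners in it are constructed. The caveat it encodes matters more than the ranges: Red Hat and other distributions backport fixes without changing the banner (RHEL 9 advertises plain OpenSSH_8.7 with or without the fix), so a hit means "confirm the package version", never "vulnerable".

```python
"""Triage sshd banners for CVE-2024-6387 (RegreSSHion) and CVE-2024-6409.
Added example; the banners used below are constructed, not collected."""
import re
import socket

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, patch) from an SSH identification string, or None
    for non-OpenSSH servers. RHEL banners omit the 'pN' suffix, so patch is 0."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(banner):
    """Classify by upstream version number only.

    Distributions backport fixes without bumping the banner, so a True here
    means 'check the installed package', not 'exploitable'.
    """
    ver = parse_openssh_version(banner)
    if ver is None:
        return {"openssh": False, "cve_2024_6387": False, "cve_2024_6409": False}
    major_minor = ver[:2]
    # RegreSSHion: 8.5p1 up to and including 9.7p1, fixed in 9.8p1; releases
    # before 4.4p1 are also affected unless patched for CVE-2006-5051.
    regresshion = (8, 5) <= major_minor <= (9, 7) or major_minor < (4, 4)
    # CVE-2024-6409 concerns the 8.7p1/8.8p1 builds shipped with RHEL 9 and
    # derivatives; the banner cannot tell those apart from upstream 8.7/8.8.
    rhel9_race = major_minor in ((8, 7), (8, 8))
    return {"openssh": True, "version": ver,
            "cve_2024_6387": regresshion, "cve_2024_6409": rhel9_race}


def fetch_banner(host, port=22, timeout=3.0):
    """Read the server identification line (RFC 4253, section 4.2) from a live host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(256)
    return data.decode("ascii", errors="replace").strip()


if __name__ == "__main__":
    # Constructed banners covering a RHEL 9 host, an Ubuntu host, a fixed
    # upstream build and a non-OpenSSH server.
    for banner in ("SSH-2.0-OpenSSH_8.7",
                   "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
                   "SSH-2.0-OpenSSH_9.8p1",
                   "SSH-2.0-dropbear_2022.83"):
        print(banner, triage(banner))
```

On hosts the sweep flags, follow up with the package manager (for example `rpm -q openssh-server` on RHEL) and compare against the vendor advisory, since that is the only place the backport shows up.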

Blast-RADIUS

The publication of a PoC exploit for a vulnerability in the RADIUS protocol (CVE-2024-3596, dubbed Blast-RADIUS) is raising concerns. RADIUS is a network access control protocol more than 30 years old that is still widely used by switches, routers, access points and VPN products. The flaw stems from Access-Request packets carrying no integrity protection unless the optional Message-Authenticator attribute is present, while the Response Authenticator a client uses to validate the server's reply is just an MD5 hash over the packet and the shared secret. An on-path (man-in-the-middle) attacker can therefore mount an MD5 chosen-prefix collision attack that turns an Access-Reject into an Access-Accept, and so gain access to network devices and services. Exploitation is not trivial, though: the collision has to be computed within the RADIUS timeout, which the researchers managed only with substantial cloud computing power.
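
The exchange and the two checks involved, as an added example rather than code from the Blast-RADIUS researchers or any RADIUS implementation: it builds an Access-Request and its Access-Reject/Accept reply per RFC 2865 and RFC 2869, computes the MD5 Response Authenticator that the attack forges, and shows the fix both vendors and the researchers recommend, requiring the HMAC-MD5 Message-Authenticator in both directions (FreeRADIUS calls the server-side switch `require_message_authenticator`). The shared secret, the Request Authenticator and the user name are constructed test values; a real client must draw the Request Authenticator from a CSPRNG.

```python
"""RADIUS Access-Request / Access-Accept exchange with the two integrity
checks of RFC 2865 and RFC 2869. Added example; secret and packets below
are constructed test values, not captured traffic."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869: HMAC-MD5 over the whole packet


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _header(code, ident, attrs_len):
    return struct.pack("!BBH", code, ident, 20 + attrs_len)


def _message_authenticator_offset(packet):
    """Byte offset of the Message-Authenticator value, or None if absent."""
    i = 20
    while i + 2 <= len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2:
            return None  # malformed attribute, treat as absent
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            return i + 2
        i += attr_len
    return None


def _hmac_md5(secret, header, authenticator, attrs, ma_offset):
    """RFC 2869 Message-Authenticator: HMAC-MD5 over the packet with the given
    authenticator in bytes 4..20 and the Message-Authenticator value zeroed.
    For replies the authenticator is the *Request* Authenticator."""
    pkt = header + authenticator + attrs
    pkt = pkt[:ma_offset] + b"\x00" * 16 + pkt[ma_offset + 16:]
    return hmac.new(secret, pkt, hashlib.md5).digest()


def build_access_request(secret, ident, request_auth, username, with_ma=True):
    """Client side. request_auth must be 16 random bytes in real use."""
    attrs = _attr(ATTR_USER_NAME, username)
    if with_ma:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = _header(ACCESS_REQUEST, ident, len(attrs))
    pkt = header + request_auth + attrs
    if with_ma:
        off = _message_authenticator_offset(pkt)
        mac = _hmac_md5(secret, header, request_auth, attrs, off)
        pkt = pkt[:off] + mac + pkt[off + 16:]
    return pkt


def build_response(secret, request, code, attrs=b"", with_ma=False):
    """Server side. The Response Authenticator is MD5(header, Request
    Authenticator, attributes, secret): no HMAC, secret merely appended.
    That is the value Blast-RADIUS forges with a chosen-prefix collision."""
    ident, request_auth = request[1], request[4:20]
    if with_ma:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = _header(code, ident, len(attrs))
    if with_ma:
        off = _message_authenticator_offset(header + request_auth + attrs)
        mac = _hmac_md5(secret, header, request_auth, attrs, off)
        attrs = attrs[:off - 20] + mac + attrs[off - 20 + 16:]
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def server_accepts_request(secret, request, require_ma=True):
    """Hardened server check: drop any Access-Request whose
    Message-Authenticator is missing or wrong."""
    header, request_auth, attrs = request[:4], request[4:20], request[20:]
    off = _message_authenticator_offset(request)
    if off is None:
        return not require_ma
    expected = _hmac_md5(secret, header, request_auth, attrs, off)
    return hmac.compare_digest(expected, request[off:off + 16])


def client_accepts_response(secret, request, response, require_ma=True):
    """Hardened client check: Response Authenticator plus a mandatory
    Message-Authenticator keyed over the original Request Authenticator."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    request_auth = request[4:20]
    if header[1] != request[1]:
        return False  # Identifier must match the outstanding request
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False
    off = _message_authenticator_offset(response)
    if off is None:
        return not require_ma
    mac = _hmac_md5(secret, header, request_auth, attrs, off)
    return hmac.compare_digest(mac, response[off:off + 16])


def flip_code(response, new_code):
    """What an on-path attacker can do for free: change the Code byte. Both
    checks then fail; Blast-RADIUS beats only the first, by an MD5 collision,
    which is why the Message-Authenticator check must be mandatory."""
    return bytes([new_code]) + response[1:]
```

The asymmetry is the whole story: the Response Authenticator is a plain MD5 of attacker-influenced data with the secret appended, so a collision on the prefix survives the secret, whereas the Message-Authenticator is an HMAC keyed by the secret and is out of reach without it. Clients that only run the first check accept the forged Access-Accept; clients and servers that insist on the second do not.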

Vulnerabilities are on the rise

A new report shows that in 84% of incidents involving critical infrastructure, the initial access vector could have been mitigated. It also reveals a rise in the exploitation of vulnerabilities in public-facing applications (29% of observed cases) alongside a decline in phishing. According to the report, the number of zero-days fell in 2023 as threat actors increasingly turn to less resource-intensive methods.
