The electronics manufacturing company Keytronics announced that last May it fell victim to a ransomware attack led by the infamous BlackBasta group. As a result, activity at Keytronics' American and Mexican sites was suspended for two weeks. BlackBasta has recently launched wide vulnerability exploitation campaigns, using flaws in ScreenConnect (CVE-2024-1708/9), in the Windows Error Reporting service (CVE-2024-26169) and in ESXi hypervisors (CVE-2024-37085).
A new vulnerability in Progress WhatsUp Gold (CVE-2024-4885), a popular network monitoring tool, is under active exploitation. Exploitation allows threat actors to run arbitrary commands with elevated privileges, although not as an admin.
[mitigate]Monitor exploitation attempts at the '/NmAPI/RecurringReport' endpoint and restrict access to trusted IP addresses on ports 9642 and 9643.[/mitigate]
The operations of McLaren Healthcare hospitals, a not-for-profit company running 13 hospitals across Michigan, have been disrupted following a ransomware attack conducted by INC Ransom. INC Ransom is an opportunistic data extortion group known for having hacked Xerox and Yamaha Motors through the exploitation of a Citrix Netscaler vulnerability (CVE-2023-3519).
OneBlood, a large not-for-profit blood center serving more than 250 hospitals in the US, has been attacked by a ransomware operation apparently exploiting the new vulnerability in ESXi hypervisors (CVE-2024-37085). The flaw is currently at the center of several campaigns led by various known threat actors.
[mitigate]Manually deny access of the “ESX Admins” group by changing settings in the ESXi hypervisor; track the Defender for Endpoint alert “Suspicious modifications to ESX Admins group”.[/mitigate]
RansomEXX has compromised Brontoo, a fintech company providing secure payment solutions to various Indian banks including the central bank of India. The initial access, possibly gained by the infamous IntelBroker, was achieved through the exploitation of a vulnerability in Jenkins (CVE-2024-23897), a Java-based open-source automation platform with a 44% share of the CI/CD market. The RCE flaw allows attackers to read arbitrary files on the controller file system and subsequently provides access to cryptographic keys. RansomEXX is a ransomware group usually targeting large organizations, especially in the government and healthcare sectors.
[mitigate]Disable Jenkins’ CLI endpoint and create a post-initialization script so that the endpoint remains disabled after restart; disable the SSH server plugin that provides access to the Jenkins CLI through SSH.[/mitigate]
New varieties of Mirai-based botnets are exploiting a directory traversal vulnerability in Apache OFBiz (CVE-2024-32113), a widely used Java-based framework for creating ERP applications. The exploitation is easily executed by inserting a semicolon in a URL request. The flaw, which was patched last May, is apparently related to another Apache OFBiz vulnerability (CVE-2024-38856).
[mitigate]Apply the Check Point IPS rule “Apache OFBiz Path Traversal”.[/mitigate]
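The two mitigations above both come down to watching web-server access logs for a specific request shape: hits on the WhatsUp Gold '/NmAPI/RecurringReport' endpoint from hosts outside a trusted set, and Apache OFBiz requests whose URL path carries a semicolon. The following script, added here as an illustration and not code from the bulletin or from either vendor, runs both checks over a few constructed log lines in common log format. The trusted network range, the log lines and the OFBiz-style path are all assumptions made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (common log format) for the demo; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2024:10:01:02 +0000] "POST /NmAPI/RecurringReport HTTP/1.1" 200 512
203.0.113.77 - - [08/Aug/2024:10:01:09 +0000] "POST /NmAPI/RecurringReport HTTP/1.1" 200 4096
198.51.100.9 - - [08/Aug/2024:10:02:11 +0000] "GET /erp/control/main;/other HTTP/1.1" 200 1200
10.0.0.5 - - [08/Aug/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 88
"""

# Hypothetical allowlist of networks permitted to reach the WhatsUp Gold API (assumption).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Minimal common-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def check_whatsup(rec):
    """CVE-2024-4885 watch: RecurringReport endpoint reached from an untrusted host."""
    path = urlsplit(rec["target"]).path
    if path.lower().startswith("/nmapi/recurringreport") and not is_trusted(rec["ip"]):
        return "CVE-2024-4885: /NmAPI/RecurringReport hit from untrusted host"
    return None


def check_ofbiz(rec):
    """CVE-2024-32113 watch: semicolon inside the URL path component."""
    # urlsplit keeps path parameters (the ';...' part) inside .path, so a plain
    # substring test on the path is enough here.
    path = urlsplit(rec["target"]).path
    if ";" in path:
        return "CVE-2024-32113: semicolon in request path"
    return None


def scan(log_text):
    """Run every check over every parseable line; return (client_ip, message) alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for check in (check_whatsup, check_ofbiz):
            msg = check(rec)
            if msg:
                alerts.append((rec["ip"], msg))
    return alerts


if __name__ == "__main__":
    for ip, msg in scan(SAMPLE_LOG):
        print(ip, msg)
```

The first RecurringReport request comes from the allowlisted 10.0.0.0/8 range and is ignored; the second, from 203.0.113.77, is flagged, as is the OFBiz-style path with the embedded semicolon. In production the allowlist and the path prefixes would be read from configuration, and the same rules can be expressed directly in a SIEM query instead of a script.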
There seems to be a surge in attacks conducted by Magniber, a ransomware targeting mostly individuals and SMBs worldwide. Among other methods, Magniber is skilled in weaponizing Windows zero-days, such as a 2023 Windows SmartScreen bypass flaw (CVE-2023-24880).
Since 2023, the Chinese state actor APT41 has infiltrated a Taiwanese governmental institute conducting research on advanced computing. While the initial access remains unclear, a loader exploiting a 2018 Windows RCE vulnerability (CVE-2018-0824) was utilized to inject malware. APT41, a group operating for both espionage and financial gain, is known for leveraging old pre-2019 vulnerabilities.
Last April, the North Korean APT45 (aka Andariel) exploited vulnerabilities in a VPN communication protocol to replace update files with remote access malware, with the aim of spying on South Korean construction and machinery companies. In parallel, in January APT43 (aka Kimsuky), another North Korean group, exploited a vulnerability in the file upload mechanism of a South Korean construction company’s website to modify the login process with malicious code. It is unclear if the two are connected.
A design vulnerability in Defender SmartScreen and Windows Smart App Control (SAC) has possibly been used by threat actors, as it has been exhibited in viruses dating back to 2018. SmartScreen is a security feature that detects malicious links when they are clicked and is aimed at protecting users from online threats. SAC, launched with Windows 11, adds further protection by blocking malicious or untrusted apps. The vulnerability lies in the handling of LNK files, and its exploitation allows attackers to bypass the security controls by using different techniques, such as LNK stomping, signing malware, or reputation hijacking, seeding and tampering.
CrowdStrike published a root cause analysis of the large incident that resulted in worldwide outages on July 19 and announced several changes to avoid such events occurring in the future. Concretely, CrowdStrike will soon provide customers with more control over update installations. It will also implement stricter testing and validation procedures for Falcon’s configuration system and updates. The company is currently handling several lawsuits from its shareholders and customers, including a widely publicized dispute with Delta Air Lines.