A new exploited in Ivanti CSA
Days after its disclosure, threat actors launched a campaign exploiting a vulnerability in Ivanti Cloud Services Appliance (CVE-2024-8190). The OS command injection flaw, requiring admin privileges, is possibly linked with the exploitation of another vulnerability.
Mitigate it
Configure CSA to be dual-homed with eth0 as an internal network.
Qilin against NHS
The information of more than 900,000 British patients, including ones suffering from cancer and STDs, has been published online by Qilin (aka Agenda). The publication came after NHS, UK’s National Health Services,refused to pay a 50M USD ransom. Last June, Qilin performed a widely impactful ransomware attack against a pathology services provider to NHS, resulting in significant outages within various public hospitals in London as in blood donation centers. Qilin is a prolific Russian Ransomware-as-a-Service actor, attacking various industries but focusing recently on healthcare organizations. In the past, it was accessing victims’ networks through phishing or VPN password brute force, but it now seems to increasingly exploit known vulnerabilities – especially CitrixBleed (CVE-2023-4966), a flaw in Veeam (CVE-2023-27532) and Fortinet vulnerabilities.
A Data Breach in Fortinet
A previously unknown threat actor naming itself “FortiBitch” has infiltrated an Azure Sharepoint instance in Fortinet’s networks and leaked 440G of internal information. Fortinet, which refused to pay the ransom fees, has admitted the breach but claimed that it impacts less than 0.3% of its customers.
WhatsUp Gold is targeted again
Since August 30, threat actors have been exploiting two vulnerabilities in WhatsUp Gold (CVE-2024-6670/1), a popular networking monitoring tool developed by Progress. The flaws, patched in mid-August, allow attackers to retrieve users’ encrypted passwords. They have been utilized to download remote access tools and gain persistence on Windows hosts. In early September, it has been revealed that another WhatsUp Gold vulnerability (CVE-2024-4885) was exploited in thewild.
Mitigate it
Apply Tenable plugin 206233.
A new campaign is targeting Internet exposed Selenium Grid servers for cryptomining activities. To install the cryptominer, the attackers download a binary file, itself trying to exploit the PwnKit vulnerability (CVE-2021-4034)– an old infamous flaw allowing to get root privileges within many popular Linux distributions. Selenium Grid servers usually help to run parallel tests across different browsers.
Mitigate it
Remove the SUID-bit from pkexec (# chmod 0755 /usr/bin/pkexec).
Rhysida attacked Seattle ports
Over the last three weeks, the airport and maritime port of Seattle have fallen victim to a large ransomware operation led by Rhysida. The port authority, which refused to pay the ransom demand, had to isolate some of its critical systems resulting in flights’ delay and outages in online reservation system. Rhysida is a Ransomware-as-a-Service provider known for exploiting VPN vulnerabilities and ZeroLogon (CVE-2020-1472).
Void Banshee exploits a MSHTML vulnerability - again
A new MSHTML vulnerability (CVE-2024-43461) is being exploited in the wild by Void Banshee. The flaw allows attackers to craft the name of a file to be downloaded, with aim of luring the user to accept the operation. Specifically, Void Banshee included 26 braille whitespace characters (%E2%A0%80) to hide a malicious file’s hta extension. The flaw has also been used together with a previous MSHTML flaw (CVE-2024-38112), patched last July, which was exploited by Void Banshee and others to download infostealers.
A new flaw in Acrobat PDF Reader
A recently patched Adobe PDF Reader vulnerability (CVE-2024-41869) has apparently been exploited in the wild as a zero-day. The vulnerability is memory corruption flaw that could be exploited to launch arbitrary code.
Mitigate it
Apply Tenable plugins 207071-74
WhatsUp View Once - or twice
An easily exploitable vulnerability allowing the bypass WhatsApp View Once feature (making content disappear from a chat after being viewed by the recipient) has been exploited in the wild. Meta claimed that it is working on a patch.
Exploitation of Windows Installer
A privilege escalation flaw in Windows Installer (CVE-2024-38014) has been observed in the wild. The exploitation is made possible through an easy user interference while running an installer package to repair already installed code. The flaw has been discovered in January 2024 but patched only recently.
DDoS attacks against financial firms is rising
A new report shows that, amid geo-political in Ukraine and the Middle East, between January 2023 and June 2024 DDoS attacks experienced a surge. More particularly, almost 3,000 at layers 3 and 4 attacks impacted the financial sector. Among others, the March 2023 discovery of an SLP vulnerability (CVE-2023-29552), allowing large-scale DDoS amplification, has fueled layers 3 and 4 attacks. In addition, a growing trend of layer 7 (html) attacks on APIs have also been identified, facilitated by the HTTP/2 Reset vulnerability (CVE-2023-44487).
Mitigate it
For CVE-2023-29552: Configure firewalls to filter traffic on UDP and TCP port 427; Detect with Qualys QIDs 216311/2.
Crowdstrike crisis follow-ups
Following the Crowdstrike’s outage crisis, Microsoft will release new capabilities in Windows 11 to let security vendors operate “outside of kernel mode”. The company also called for EDR vendors to adopt Microsoft’s “Safe Deployment Practices” (SDP), encouraging “the gradual and staged deployment of updates sent to customers”.
UK's data centers are now critical infrastructure
The UK government will classify data centers situated in the country as “critical national infrastructure”. The decision aims at enabling a better coordination between private and national cyber defense organizations, as strengthening the cybersecurity regulations around data centers.
Mitigate it
Mitigate it
Sources
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190?language=en_US
- https://therecord.media/data-on-nearly-1-million-nhs-patients-leaked-hospital-ransomware
- https://www.securityweek.com/fortinet-data-breach-impacts-customer-information/
- https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html
- https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking
- https://www.bleepingcomputer.com/news/security/port-of-seattle-says-rhysida-ransomware-was-behind-august-attack/
- https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-attacks/
- https://www.securityweek.com/adobe-patches-critical-code-execution-flaws-in-multiple-products/
- https://zengo.com/whatsapps-view-once-privacy-issue/
- https://www.theregister.com/2024/09/12/worried_about_that_microsoft_installer/
- https://www.akamai.com/resources/state-of-the-internet/financial-services-trends-2024
- https://blogs.windows.com/windowsexperience/2024/09/12/taking-steps-that-drive-resiliency-and-security-for-windows-customers/
- https://www.securityweek.com/uk-data-centers-gain-critical-infrastructure-status-raising-green-belt-controversy/