Thousands of Linux servers compromised
Over the past few years, a fileless malware named perfctl has scanned for more than 20,000 Linux misconfigurations and vulnerabilities and has successfully compromised thousands of Linux servers, onto which it downloaded cryptomining and proxyjacking malware. Besides misconfigurations, it gains initial access by exploiting various vulnerabilities, including a well-known Apache RocketMQ flaw (CVE-2023-33246). It also leverages a Polkit vulnerability (CVE-2021-4043) to gain root privileges on the server. The malware uses rootkits for defense evasion and ceases “noisy” activities when a user logs on to the compromised server.
Mitigate it
For the RocketMQ vulnerability, detect with Qualys QID 730868. For Polkit, remove the setuid permission from pkexec: chmod 0755 $(which pkexec).
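An added example, not part of the original digest: a POSIX shell helper that checks whether pkexec still carries the setuid bit and, in apply mode, performs the chmod 0755 given above and verifies the result. The function name harden_pkexec and its audit/apply modes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit pkexec for the setuid bit
# and, on request, apply the page's mitigation "chmod 0755 $(which pkexec)".
# The function name and the audit/apply modes are assumptions of this sketch.

# harden_pkexec FILE [audit|apply]
#   Prints one status line. Returns 0 when FILE has no setuid bit afterwards
#   (or does not exist), 1 when the setuid bit is still set.
harden_pkexec() {
    target=$1
    mode=${2:-audit}

    # pkexec is not installed (or the path is wrong): nothing to mitigate.
    if [ -z "$target" ] || [ ! -f "$target" ]; then
        echo "absent: ${target:-pkexec}"
        return 0
    fi
    # -u is true only when the setuid bit is set.
    if [ ! -u "$target" ]; then
        echo "clean: $target"
        return 0
    fi
    if [ "$mode" != "apply" ]; then
        echo "setuid: $target"
        return 1
    fi
    # Same mode the page recommends: rwxr-xr-x, no setuid/setgid/sticky bits.
    # Re-test afterwards so a silently ignored chmod is reported as a failure.
    if chmod 0755 "$target" && [ ! -u "$target" ]; then
        echo "fixed: $target"
        return 0
    fi
    echo "failed: $target"
    return 1
}

# Stand-alone use: does nothing without a flag; --apply needs root.
case "${1:-}" in
    --audit) harden_pkexec "$(command -v pkexec)" audit ;;
    --apply) harden_pkexec "$(command -v pkexec)" apply ;;
esac
```

Without the setuid bit, pkexec can no longer elevate for unprivileged users, so tools that depend on it stop working until a patched polkit is installed and the bit is restored.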
A North Korean group turning against American companies
The infamous North Korean group APT45 (aka Andariel) is currently shifting from cyberespionage to targeting American private companies for financial gain. The threat actor, which has recently been observed exploiting RDP vulnerabilities against South Korean victims, is known for leveraging diverse vulnerabilities such as Log4j (CVE-2021-44228), an Apache MQ flaw (CVE-2023-46604) and one in TeamCity (CVE-2023-42793). Although it attacks multiple industries, the group apparently has a preference for manufacturing organizations.
Attacks against water facilities
American Water, the largest public water and wastewater utility company in the US, had to shut down some of its systems and web services following a cyberattack that has yet to be contained. In parallel, threat actors used vulnerabilities in Internet-exposed Unitronics programmable logic controllers (PLCs) to infiltrate a municipal water facility in the US, in a way reminiscent of the method used by the Iranian group CyberAv3ngers, which broke into different water plants in November 2023.
Fortinet products impacted by an exploited vulnerability
A Fortinet vulnerability (CVE-2024-23113), discovered last February, is now exploited in the wild. The flaw is a format string vulnerability that might allow arbitrary code execution through specially crafted requests. It impacts FortiOS, FortiPAM, FortiProxy, and FortiWeb. Around 8% of cloud environments have workloads vulnerable to this flaw.
Mitigate it
Remove FGFM access for each interface
A Qualcomm vulnerability
Qualcomm has patched a use-after-free vulnerability (CVE-2024-43047) in the Digital Signal Processor (DSP) service, exploited in the wild as a zero-day, possibly by commercial mobile spyware vendors. The flaw requires low privileges and no user interaction.
Ivanti compromised... again
A critical SQL injection vulnerability in Ivanti’s Endpoint Manager (CVE-2024-29824), disclosed last May, is now exploited in the wild. Recently, vulnerabilities in Ivanti Cloud Services Appliance (CVE-2024-8963) and in Ivanti Virtual Traffic Manager (CVE-2024-7593) have also been observed being exploited in the wild.
Mitigate it
Import the “mitigation.release.20240126.5” XML file from Ivanti’s management platform.
38% of organizations with "toxic triad" cloud workloads
A new cloud security report shows that 38% of organizations have workloads with a “toxic triad”: they are publicly exposed, highly privileged and include at least one critical vulnerability. In addition, unpatched critical vulnerabilities have been detected in 80% of workloads, especially a container escape flaw (CVE-2024-21626), a widely exploited SmartScreen vulnerability (CVE-2024-21412) and two Windows Kernel privilege escalation flaws (CVE-2024-21338/9).
Manufacturing: the most ransomware-targeted sector
A new report, compiling data about ransomware incidents in the past year for 5,000 investigated organizations, shows that the manufacturing sector represents 21% of the attacks - making it three times more vulnerable than other industries. Moreover, 80% of manufacturing companies have unpatched critical vulnerabilities and 67% have KEV-listed flaws. The report emphasizes issues with outdated patch management methods within many manufacturing companies.
Vulnerability exploitation is the top Initial Access Vector
Research reveals that vulnerability exploitation remains the top initial access vector for both cybercrime and state actors. Vulnerabilities in edge devices, such as those from Cisco, Palo Alto, Fortinet, Ivanti, Citrix, and F5, have been particularly targeted. The report also claims that, in many cases, as soon as a new vulnerability is disclosed, active scanning by multiple threat actors is initiated.
NVD backlog issues
Last May, CISA decided to outsource the NVD’s vulnerability enrichment effort. However, as of September 30th, 72% of the reported CVEs (and 47% of the known exploited CVEs) have yet to be analyzed. In 2024, a total of 19,383 vulnerabilities have so far been assigned a CVE ID.
Sources
- https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion
- https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems, https://www.bleepingcomputer.com/news/security/american-water-shuts-down-online-services-after-cyberattack/
- https://www.wiz.io/blog/critical-rce-vulnerabilities-in-fortios-cve-2024-21762-cve-2024-23113, https://thehackernews.com/2024/10/cisa-warns-of-critical-fortinet-flaw-as.html
- https://www.helpnetsecurity.com/2024/10/08/cve-2024-43047/
- https://www.securityweek.com/ivanti-epm-vulnerability-exploited-in-the-wild/
- https://blackkite.com/wp-content/uploads/2024/09/BlackKite_TPRM-Manufacturing-Report-2024.pdf
- https://dam.tenable.com/23e27766-3065-4904-95d7-b1fe015e7d59/tenable-cloud-risk-report-2024.pdf
- https://www.secureworks.com/-/media/Files/US/Reports/state%20of%20the%20threat/secureworks-state-of-the-threat-report-2024.ashx
- https://vulncheck.com/blog/nvd-backlog-exploitation-lurking