Following a large law enforcement operation, the US and its allies revealed the identity of LockBitSupp, the infamous (and until now anonymous) LockBit administrator: a Russian national named Dmitry Khoroshev. In parallel, however, LockBit claimed responsibility for two recent devastating attacks: one on a hospital in Cannes, France, which refused to pay the ransom and had to take most of its systems offline; and one on the city of Wichita, Kansas, which had to shut down its online payment systems. It is unclear how LockBit gained access to these victims, although the group was observed widely exploiting the CitrixBleed vulnerability in early 2024.

The GRU-affiliated APT28 continued operating its botnet of Ubiquiti SOHO routers, even after the FBI allegedly dismantled it last January. The botnet, established in 2016 (and not in 2022, as previously published), has been weaponized for diverse purposes, including SSH brute forcing, pharmaceutical spam, proxying stolen credentials on phishing sites, cryptomining, and spear phishing. Germany and the Czech Republic also stated that it served a long-term espionage campaign against their political parties, from which APT28 exfiltrated Net-NTLMv2 hashes by exploiting an Outlook vulnerability (CVE-2023-23397).

Mitigate it

For the Outlook flaw, add users to the Protected Users security group and block outbound TCP 445 (SMB) with a firewall or a VPN
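The mitigation above blocks the outbound SMB connection through which CVE-2023-23397 coerces a client into sending its Net-NTLMv2 hash. The check a defender wants alongside the block rule is whether any internal host already reached an external SMB service. The following Python script is an added example, not part of the original newsletter: it runs over a few constructed firewall log lines (the line format, the RFC 1918 internal ranges and the host addresses are all assumptions) and reports internal hosts whose outbound TCP/445 connections to non-internal addresses were allowed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (not from the page). Assumed line format:
#   <timestamp> action=<allow|block> proto=<tcp|udp> src=<ip> dst=<ip> dport=<port>
SAMPLE_LOG = """\
2024-05-06T09:12:01Z action=allow proto=tcp src=10.0.5.23 dst=10.0.1.7 dport=445
2024-05-06T09:12:44Z action=allow proto=tcp src=10.0.5.23 dst=203.0.113.45 dport=445
2024-05-06T09:13:02Z action=allow proto=tcp src=10.0.5.40 dst=198.51.100.9 dport=443
2024-05-06T09:13:30Z action=block proto=tcp src=10.0.5.41 dst=203.0.113.45 dport=445
2024-05-06T09:14:10Z action=allow proto=udp src=10.0.5.23 dst=10.0.1.1 dport=53
2024-05-06T09:15:12Z action=allow proto=tcp src=10.0.5.23 dst=203.0.113.45 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Port on which the leaked NTLM authentication travels: SMB on TCP 445.
SMB_PORTS = {445}

# Address space treated as internal. RFC 1918 is an assumption here;
# replace it with the organisation's own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_smb(log_text):
    """Return (allowed, blocked): TCP/445 connections from internal hosts to
    addresses outside INTERNAL_NETS, split by the firewall's verdict."""
    allowed, blocked = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] not in SMB_PORTS:
            continue
        if not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue
        (allowed if ev["action"] == "allow" else blocked).append(ev)
    return allowed, blocked


def sources_to_investigate(log_text):
    """Count allowed external SMB connections per internal source host.
    With outbound 445 blocked this should be empty; any entry is a host whose
    NTLM credentials may already have left the network."""
    allowed, _ = find_external_smb(log_text)
    return Counter(ev["src"] for ev in allowed)


if __name__ == "__main__":
    for src, n in sources_to_investigate(SAMPLE_LOG).items():
        print(f"{src}: {n} allowed outbound SMB connection(s) to external hosts")
```

Blocked events are kept separately because they still tell you which hosts attempted the connection, which is the trigger for checking whether those users received a malicious calendar item.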

IntelBroker has offered access to a large cybersecurity firm with 1.8 billion dollars in revenue, hinting at Zscaler. In response, Zscaler denied any incident in its customer and production environments, although it took an isolated test server offline for forensic investigation. Besides Zscaler, IntelBroker also published information stolen from Vietnam Post Corporation and started to leak data from Barclays and HSBC obtained through the compromise of a third party. The threat actor, possibly Serbian and known for gaining initial access by exploiting vulnerabilities, recently gained notoriety after attacking high-profile organizations such as the NSA, HPE, Home Depot, Accor and others.

CISA and the FBI urge software manufacturers to eliminate path traversal vulnerabilities, which have recently been used against critical infrastructure and the health sector. The advisory was issued in response to the disclosure of a flaw in Cisco AppDynamics Controller (CVE-2024-20345) and to the wide exploitation of the ConnectWise ScreenConnect vulnerability (CVE-2024-1708).

A path traversal vulnerability pattern in several popular Android applications, dubbed “Dirty Stream”, exposes over one billion mobile phones to arbitrary code execution and token theft. Among the affected apps are Xiaomi’s file manager (with over 1 billion installs) and WPS Office (with 500 million installs).
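Both items above come down to the same defect: a file name chosen by another party is joined onto a base directory without checking that the result stays inside it. The Python below is an added example, not code from the CISA advisory or from any of the affected applications; the base directory and the sample names are constructed. It shows the vulnerable join next to a hardened version that accepts only a single plain file-name component and then verifies the resolved path, and a `classify` helper that runs the hardened check over the sample names.

```python
import os
from pathlib import Path

# Constructed inputs (not from the page). BASE_DIR is where the app stores files
# it receives; the file name is chosen by the other party, as in the items above.
BASE_DIR = "/srv/app/received"
SAMPLE_NAMES = [
    "report.pdf",
    "../shared_prefs/app.xml",
    "..",
    "/etc/hosts",
    "sub/file.txt",
    "..\\x",
    "",
]


def unsafe_target_path(base_dir, supplied_name):
    """Vulnerable pattern: the supplied name is joined without validation,
    so '..' segments or an absolute path leave base_dir."""
    return os.path.join(base_dir, supplied_name)


def escapes_base(base_dir, supplied_name):
    """True if the unsafe join ends up outside base_dir (demonstrates the defect)."""
    base = os.path.normpath(base_dir)
    target = os.path.normpath(unsafe_target_path(base_dir, supplied_name))
    return target != base and not target.startswith(base + os.sep)


def safe_target_path(base_dir, supplied_name):
    """Hardened version: accept only one plain file-name component and verify
    that the resolved path is still inside base_dir."""
    if not supplied_name or supplied_name in (".", ".."):
        raise ValueError("empty or special name")
    if "/" in supplied_name or "\\" in supplied_name or "\x00" in supplied_name:
        raise ValueError("separators and NUL are not allowed in a file name")
    base = Path(base_dir).resolve()
    # resolve() follows symlinks, so a planted link inside base_dir that points
    # outside it is caught by the containment check as well.
    candidate = (base / supplied_name).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError("resolved path escapes base directory")
    return str(candidate)


def classify(base_dir, names):
    """Map each supplied name to 'ok' or 'rejected' under the hardened check."""
    out = {}
    for name in names:
        try:
            safe_target_path(base_dir, name)
            out[name] = "ok"
        except ValueError:
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    for name, verdict in classify(BASE_DIR, SAMPLE_NAMES).items():
        print(f"{name!r:28} unsafe-join escapes: {escapes_base(BASE_DIR, name)!s:5} hardened: {verdict}")
```

The two checks are deliberately layered: rejecting separators up front keeps the name from ever being interpreted as a path, and the post-resolution containment check covers anything the first rule did not anticipate, such as a symlink already present under the base directory.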

Two injection vulnerabilities, one OData and one SQL (CVE-2024-21793 and CVE-2024-26026), have been found in the F5 BIG-IP Next Central Manager API. The flaws let attackers take full control of the manager, allowing them to create accounts on F5 devices. Moreover, such accounts may not be visible in Next Central Manager itself, helping attackers maintain persistence.

Mitigate it

Restrict management access to F5 products to only trusted users and devices over a secure network

More than 50% of the 90,000 internet-exposed Tinyproxy hosts are vulnerable to a new flaw (CVE-2023-49606). To exploit it, an attacker sends a crafted HTTP Connection header that can cause freed memory to be reused, resulting in remote code execution. Tinyproxy maintainers openly criticized Cisco Talos for disclosing a PoC without properly alerting them about the flaw.

After being harshly criticized by the Cyber Safety Review Board, Microsoft announced an overhaul of its cybersecurity strategy, with the aim of making security the company’s top priority. Microsoft will accelerate its response to new vulnerabilities by increasing transparency and reducing the Time-to-Mitigate for high-severity cloud security vulnerabilities. It will also remove all entity lateral movement pivots between tenants, environments, and clouds.

CISA launched the “Vulnrichment” program, aimed at enriching CVEs with metadata such as CPE, CWE, CVSS score and KEV listing. It will also release the data as JSON files for swifter sharing and integration of vulnerability information. The initiative aims to fill the gap left by NIST after it significantly slowed its enrichment of the National Vulnerability Database (NVD).

A new report shows that among 1 million reviewed organizations, 35% had at least one vulnerability included in CISA’s Known Exploited Vulnerabilities (KEV) list. Moreover, the research reveals that while organizations remain slow at remediating KEV-listed vulnerabilities (only 40% of KEVs are remediated before the deadline set by CISA), the remediation pace for non-KEVs is even worse: on average, it takes six months to remediate half of all detected KEV flaws versus two years for non-KEVs. KEV vulnerabilities were found particularly frequently in large organizations, especially in sectors such as education, government and technology.
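The KEV listing that Vulnrichment adds to CVE records and the remediation metrics in the report above both rest on one operational step: joining scanner findings against the KEV catalog and its due dates. The Python below is an added example, not from the report, CISA or the newsletter. The field names (`cveID`, `dateAdded`, `dueDate`) follow the public KEV catalog JSON feed, but the catalog excerpt, its dates and the scanner findings are constructed for the example; the CVE identifiers are taken from items on this page only as labels. It triages open findings (overdue KEVs first), computes the median time to remediate for KEV versus non-KEV findings, and measures the share of KEV findings fixed by their due date, which are the figures the report compares.

```python
import json
from datetime import date
from statistics import median

# Constructed excerpt shaped like CISA's KEV catalog JSON feed. Field names
# follow the public feed; the dates below are made up for this example, not
# the catalog's real values.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-1708", "dateAdded": "2024-02-22", "dueDate": "2024-02-29"},
        {"cveID": "CVE-2023-23397", "dateAdded": "2023-03-14", "dueDate": "2023-04-04"},
    ]
})

# Constructed scanner findings: asset, CVE, first sighting, remediation date or None.
FINDINGS = [
    {"asset": "web-01",   "cve": "CVE-2024-1708",  "first_seen": "2024-02-20", "remediated": "2024-02-27"},
    {"asset": "mail-01",  "cve": "CVE-2023-23397", "first_seen": "2024-01-10", "remediated": "2024-03-10"},
    {"asset": "mail-02",  "cve": "CVE-2023-23397", "first_seen": "2024-04-01", "remediated": None},
    {"asset": "app-01",   "cve": "CVE-2024-20345", "first_seen": "2024-01-01", "remediated": "2024-05-01"},
    {"asset": "db-01",    "cve": "CVE-2024-26026", "first_seen": "2024-05-09", "remediated": None},
    {"asset": "proxy-01", "cve": "CVE-2023-49606", "first_seen": "2024-05-07", "remediated": None},
]


def load_kev(text):
    """Parse the KEV feed into {cveID: dueDate}."""
    data = json.loads(text)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in data["vulnerabilities"]}


def triage(findings, kev, today_iso):
    """Order open findings: overdue KEVs first (most overdue on top), then KEVs
    not yet due, then everything else. Returns (asset, cve, tier, days_overdue)."""
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        if f["remediated"] is not None:
            continue
        due = kev.get(f["cve"])
        if due is None:
            tier, overdue = 2, 0
        else:
            overdue = (today - due).days
            tier = 0 if overdue > 0 else 1
        rows.append((f["asset"], f["cve"], tier, max(overdue, 0)))
    rows.sort(key=lambda r: (r[2], -r[3]))
    return rows


def remediation_medians(findings, kev):
    """Median days from first sighting to remediation, KEV vs non-KEV, over
    closed findings only (the comparison the report draws)."""
    kev_days, other_days = [], []
    for f in findings:
        if f["remediated"] is None:
            continue
        days = (date.fromisoformat(f["remediated"]) - date.fromisoformat(f["first_seen"])).days
        (kev_days if f["cve"] in kev else other_days).append(days)
    return (median(kev_days) if kev_days else None,
            median(other_days) if other_days else None)


def kev_on_time_fraction(findings, kev):
    """Share of closed KEV findings remediated on or before the CISA due date."""
    closed = [f for f in findings if f["cve"] in kev and f["remediated"] is not None]
    if not closed:
        return None
    on_time = sum(1 for f in closed if date.fromisoformat(f["remediated"]) <= kev[f["cve"]])
    return on_time / len(closed)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for asset, cve, tier, overdue in triage(FINDINGS, kev, "2024-05-10"):
        print(f"tier {tier}  {asset:9} {cve:15} overdue {overdue} day(s)")
    print("median days to remediate (KEV, non-KEV):", remediation_medians(FINDINGS, kev))
    print("KEV findings fixed by due date:", kev_on_time_fraction(FINDINGS, kev))
```

Tier 0 is the list to act on first: those are the findings that are both known-exploited and already past CISA's deadline, which is exactly the 60% the report says most organizations miss.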
