A threat actor is targeting hybrid environments

Storm-0501 (aka UNC2190), a possibly Latvian ransomware group that emerged in 2021, has been observed targeting hybrid networks. The group moves laterally from on-prem to cloud environments by abusing weak credentials in highly privileged on-prem accounts. Previously known for its operations against American schools, it is now focusing on sectors such as government, manufacturing and transportation. To gain initial access, the group exploits known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion (CVE-2023-29300, CVE-2023-38203).

Mitigate it

Block malicious IPs scanning for the related CVEs; enable Conditional Access policies; enable protection against bypassing of cloud Microsoft Entra MFA; monitor the alert “Ransomware-linked Storm-0501 threat actor detected” in Microsoft Defender for Endpoint; monitor the alerts “Data exfiltration over SMB” and “Suspected DCSync attack” in Microsoft Defender for Identity.

Salt Typhoon targets ISPs

The Chinese group Salt Typhoon has recently breached several broadband networks operated by Internet Service Providers in the US. Cisco and Microsoft have said they are currently investigating the matter. The group, previously unknown, is possibly related to UNC2286 – a Chinese espionage group targeting the health, hospitality, and telecommunications sectors and exploiting Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2020-0688).

Mitigate it

Implement an IIS Re-Write Rule to filter malicious HTTPS requests, disable Unified Messaging (UM), disable the Exchange Control Panel (ECP) virtual directory, or disable the Offline Address Book (OAB) virtual directory.

The CUPS panic

Concerns were raised ahead of the disclosure of vulnerabilities potentially impacting all GNU/Linux systems. The four flaws (CVE-2024-47076, CVE-2024-47175/6/7) are in OpenPrinting Common UNIX Printing System (CUPS), a popular open-source printing system for Linux that implements the Internet Printing Protocol (IPP). Chained together, the four might allow an attacker to replace IPP URL links with malicious ones, achieving arbitrary code execution. However, it now seems that the risk of wide-scale exploitation remains relatively low: default configurations do not appear to be vulnerable, exploitation requires manually enabled CUPS services, the attacker must have prior access to a vulnerable server, and the exploitation must take place while the victim is printing a job.

Mitigate it

Run a command to stop the running cups-browsed service ($ sudo systemctl stop cups-browsed) and another one to prevent it from starting again on reboot ($ sudo systemctl disable cups-browsed).
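As an added example (not part of the original advisory), the following POSIX shell script audits whether cups-browsed is still running or set to start on boot, and applies the two commands above when invoked with --apply. The classification function is kept separate from the systemctl calls so it can be checked without systemd; the states it accepts are the usual is-active/is-enabled answers.

```shell
#!/bin/sh
# audit_cups_browsed.sh (constructed example): report and optionally remediate
# cups-browsed exposure. Run as ./audit_cups_browsed.sh [--apply].

# Pure function: map systemctl's is-active / is-enabled answers to a verdict.
# Arguments: ACTIVE (active|activating|inactive|failed|...) ENABLED (enabled|disabled|masked|...)
classify_cups_browsed() {
  case "$1:$2" in
    active:*|activating:*) echo "exposed" ;;           # running now, whatever the boot setting
    *:enabled)             echo "returns-on-reboot" ;; # stopped, but systemd will start it again
    *:disabled|*:masked)   echo "mitigated" ;;         # both advisory steps are in effect
    *)                     echo "unknown" ;;           # unit absent or unexpected output
  esac
}

# Query systemd for the live state; print the verdict and succeed only when mitigated.
audit_cups_browsed() {
  active=$(systemctl is-active cups-browsed 2>/dev/null || true)
  enabled=$(systemctl is-enabled cups-browsed 2>/dev/null || true)
  verdict=$(classify_cups_browsed "${active:-unknown}" "${enabled:-unknown}")
  echo "cups-browsed: active=${active:-?} enabled=${enabled:-?} => $verdict"
  [ "$verdict" = "mitigated" ]
}

# Apply the two commands from the advisory (needs root), then re-audit.
remediate_cups_browsed() {
  sudo systemctl stop cups-browsed
  sudo systemctl disable cups-browsed
  audit_cups_browsed
}

# Dispatch only when executed directly under this file name, so the functions
# can also be sourced into another script without side effects.
if [ "${0##*/}" = "audit_cups_browsed.sh" ]; then
  if [ "${1:-}" = "--apply" ]; then remediate_cups_browsed; else audit_cups_browsed; fi
fi
```

The exit status of the audit can be used directly in a fleet check: a non-zero result means the host still needs the mitigation.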

A new flaw impacts 35% of cloud environments using NVIDIA

A newly discovered critical vulnerability in Nvidia’s Container Toolkit (CVE-2024-0132) might impact 35% of cloud environments using Nvidia GPUs. The flaw, which affects Container Toolkit installations in their default configuration, could allow a malicious container image to access the host file system, leading to eventual “code execution, denial of service, escalation of privileges, information disclosure, and data tampering”. The risk is particularly acute for environments running third-party container images or allowing external users to deploy AI models.

Rackspace breached

Threat actors have exploited a zero-day RCE in a third-party component used by the ScienceLogic SL1 platform, resulting in a limited data breach at Rackspace, a cloud hosting provider. In response, the company quickly developed a patch.

Old SAP flaw is now exploited

A five-year-old flaw in SAP Commerce (CVE-2019-0344) is now being exploited in the wild. The vulnerability allows an attacker to run arbitrary commands on an SAP Commerce system with the privileges of the Hybris user. Hybris is a CRM tool for customer service integrated into the SAP cloud ecosystem.

Zimbra mail servers targeted again

A new vulnerability in Zimbra SMTP servers (CVE-2024-45519) has been actively exploited since September 28. Threat actors are sending emails impersonating Gmail to vulnerable Zimbra servers, with malicious code placed in the CC field; Zimbra then executes that code as shell commands. In 2023, four different Chinese actors were observed exploiting another Zimbra flaw (CVE-2023-37580) for cyberespionage purposes.

LockBit targeted again by law enforcement

Following last May's law enforcement operation against LockBit, Europol, the US and the UK announced that they had sanctioned 16 members of Evil Corp, a Russian cybercrime group associated with LockBit, and arrested one of its executives. Infrastructure serving the gang has also been dismantled.

Sanctions against APT42

The US charged three APT42 executives for leading cyberattacks aimed at interfering in the upcoming elections. APT42 is a well-known Iranian state actor, accused last August of launching a credential-harvesting phishing operation against a dozen American individuals affiliated with the campaigns of both Harris and Trump.

Govtech vulnerabilities

No fewer than 19 vulnerabilities have been found in Govtech platforms serving the administration and judicial system in the US. For example, one vulnerability allows voter registrations in Georgia to be cancelled, another exposed court documents in Florida, and a flaw in a platform used by one third of the largest US cities enabled leakage of citizens’ sensitive information.