Casio Hacked

The Japanese technology company Casio has been compromised by the Underground ransomware group, resulting in service outages and the theft of sensitive information. Underground is a small group that has been targeting Windows systems since mid-2023 and is apparently related to the notorious Russian cybercrime group RomCom. It has recently been observed exploiting a Microsoft Office RCE flaw (CVE-2023-36884) for initial access.

Mitigate it

In Microsoft Defender for Endpoint’s Attack Surface Reduction module, enable the rule “Block all Office applications from creating child processes”; in addition, add the Office application names as values under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION.
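The following script is an added example (not part of this newsletter) that applies both workarounds above on a single Windows host and then verifies them. The ASR rule GUID and the list of Office executables are taken from Microsoft’s published guidance for CVE-2023-36884 and do not appear on this page; the function names are ours.

```powershell
# Added example: apply and verify the two CVE-2023-36884 workarounds.
# Run from an elevated PowerShell session on the host being hardened.

# Assumed: GUID of the ASR rule "Block all Office applications from creating child processes".
$asrRuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$featureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
# Assumed: executables named in Microsoft's workaround for this CVE.
$officeApps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
              'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'

function Enable-OfficeChildProcessBlock {
    # 'Enabled' blocks; use 'AuditMode' first if you need to measure the impact on line-of-business macros.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId -AttackSurfaceReductionRules_Actions Enabled
}

function Set-CrossProtocolFileNavigationBlock {
    if (-not (Test-Path $featureKey)) { New-Item -Path $featureKey -Force | Out-Null }
    foreach ($app in $officeApps) {
        # REG_DWORD value 1 turns the feature on for that process, i.e. blocks cross-protocol file navigation.
        New-ItemProperty -Path $featureKey -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-Cve202336884Mitigation {
    # Reports whether the ASR rule is in Block mode (action value 1) and every app has its DWORD set.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $asrOk = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $asrRuleId -and $pref.AttackSurfaceReductionRules_Actions[$i] -eq 1) { $asrOk = $true }
    }
    $regOk = $true
    foreach ($app in $officeApps) {
        $v = Get-ItemProperty -Path $featureKey -Name $app -ErrorAction SilentlyContinue
        if (-not $v -or $v.$app -ne 1) { $regOk = $false }
    }
    [pscustomobject]@{ AsrRuleBlocking = $asrOk; RegistryComplete = $regOk }
}

Enable-OfficeChildProcessBlock
Set-CrossProtocolFileNavigationBlock
Test-Cve202336884Mitigation
```

The same two settings are normally pushed fleet-wide through Intune or Group Policy; this script is the per-host equivalent and a quick compliance check.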

APT29 vulnerabilities revealed

In a special advisory, the US and the UK listed 24 vulnerabilities used by APT29 (aka Midnight Blizzard), the Russian state actor behind the 2020 SolarWinds campaign and the 2024 attacks on the cloud environments of HPE and Microsoft. The advisory asserts that, besides its targeted campaigns, APT29 is actively and opportunistically attempting to exploit known vulnerabilities in Internet-facing infrastructure. Among the flaws are vulnerabilities in Ivanti Endpoint Manager (CVE-2023-35078), TeamCity (CVE-2023-42793), Microsoft Exchange (CVE-2023-36745), Citrix NetScaler (CVE-2023-4966), SharePoint servers (CVE-2023-29355/57) and Android (CVE-2023-40076/77/88).

Iranian state actors are leveraging a Windows Kernel flaw...

In its recent cyberespionage campaign against the Gulf countries, the Iranian state actor APT34 (aka OilRig) showed a growing level of sophistication. The group exploited vulnerabilities for privilege escalation, including a Windows kernel flaw (CVE-2024-30088), for which it used an exploit binary from an open-source tool. It has also been observed deploying a backdoor on Microsoft Exchange servers for credential theft.

... and using ChatGPT for vulnerability exploitation

OpenAI reported that in its recent attacks against water facilities, the Iranian group CyberAv3ngers made use of ChatGPT for “vulnerability exploitation, detection evasion, and post-compromise activity”. Concretely, the attackers asked ChatGPT about Internet-exposed industrial ports, about PLCs used in Jordan and about default passwords for various devices. They also unsuccessfully tried to use the LLM for vulnerability scanning and for stealing users’ macOS passwords. Another Iranian group, nicknamed Storm-0817, has used ChatGPT for “vulnerability research, malware development, and social engineering”.

Chinese state actors behind the Ivanti campaigns

An investigation of the campaign exploiting the Ivanti CSA zero-day (CVE-2024-8190), chained with four other Ivanti flaws (CVE-2024-8963, CVE-2024-9379/80/81), has raised a possible attribution to UNC4841 – a Chinese state actor known for its 2023 cyberespionage operations exploiting several vulnerabilities in Barracuda WAF (CVE-2023-2868, CVE-2023-7101/2). After exploiting the Ivanti CSA flaws to gain initial access, the attackers moved laterally, deployed web shells, exfiltrated data, accessed assets through brute-force attacks, and proxied traffic through the compromised Ivanti appliance.

Mitigate it

In Ivanti CSA, ensure a dual-homed configuration with eth0 on the internal network.

IntelBroker hacks Cisco

The infamous threat actor IntelBroker claims to have recently hacked Cisco and stolen GitHub and GitLab projects, source code, hardcoded credentials, API tokens, Jira tickets, AWS private buckets, Azure storage buckets and more. Through the Cisco breach, it allegedly stole production source code from many leading corporations, including Microsoft, Chevron, Bank of America, Barclays, T-Mobile and Verizon. In response, Cisco announced it is investigating the claims.

Is Flax Typhoon after a new vulnerability? 

An unpatched vulnerability (CVE-2024-9441) in Linear Emerge E3, for which exploits have been published, is raising concerns. The command injection flaw allows unauthenticated attackers to invoke the “forgot password” function. Flax Typhoon (aka UNC5007), a Chinese actor that recently built a 260K-device botnet and has been observed exploiting no fewer than 66 vulnerabilities, has in the past used a very similar flaw (CVE-2019-7256).

Veeam exploited again

A new Veeam Backup vulnerability (CVE-2024-40711) is being used by ransomware actors to create malicious accounts and deploy malware, among it the Fog and Akira ransomware. In these attacks, initial access was gained by forcing VPN gateways lacking MFA protection. In the past, Veeam vulnerabilities have been associated with various ransomware groups, such as Cuba and Qilin.

Mitigate it

Apply the SonicWall IPS rules “SoapFormatter Malformed Response 1” and “SoapFormatter Malformed Response 2” (IDs 4511 and 4512).

BlackBasta is looking for Windows zero-days

BlackBasta, the well-known Russian ransomware group, advertised its intention to acquire Windows zero-days. The group is interested in RCE vulnerabilities, including ones reachable over the local network, that require no user interaction. A few months ago, BlackBasta was observed targeting Linux flaws in ESXi hypervisors.

Attacks continue on the healthcare sector

Major ransomware groups are continuing their operations against the health sector. Recently, RansomHub, one of the most prolific groups worldwide, broke into PracticeSuite, a medical practice management software vendor with 45K customers; Rhysida attacked Axis Health System, a Colorado-based healthcare company; INC Ransom targeted Doctors Regional Cancer Center, a cancer-focused clinic in Maryland; and BianLian compromised Boston’s Children Health Physicians. All four groups are highly skilled in vulnerability exploitation. In parallel, a new Microsoft report claims to have identified 389 ransomware attacks against healthcare companies in the US from June 2023 to July 2024. Microsoft also reports a 2.75x increase in targeted ransomware attacks.

CISA warns against abuse of F5 BIG-IP cookies

CISA reports that threat actors are abusing unencrypted persistent cookies in F5 BIG-IP Local Traffic Manager (LTM). The cookies are used for network reconnaissance and, specifically, to identify and exploit vulnerabilities in other devices on the network.

Mitigate it

Configure BIG-IP LTM to encrypt HTTP cookies following F5’s instructions.

Vulnerabilities in traffic lights? 

A vulnerability affecting tens of thousands of traffic lights in the Netherlands can be exploited to remotely switch them to green or red. In response, the Dutch road authority stated that patching the flaw requires replacing each affected traffic light individually – a process not expected to finish before 2030.

A new security feature in Windows

Microsoft keeps upgrading its security measures following the CrowdStrike outage incident. The company has introduced a new Windows feature that changes the way administrator permissions are granted. To reduce the risk of privilege escalation, the system will now create a temporary shadow admin account that is removed as soon as the elevated task is completed.
