A 6 years long campaign compromising Sophos Firewalls...
The cybersecurity company Sophos detailed a years-long operation during which it installed custom implants in its own devices to capture a Chinese threat actor targeting multiple zero-days in Internet-facing firewalls, including a 2020 SQLi flaw (CVE-2020-12271). Since 2018, the threat group, which Sophos tags Tstark, has installed custom malware on compromised firewalls and taken full control of devices in both public and private organizations worldwide. In one case, it successfully infiltrated the Indian office of a Sophos subsidiary, possibly to collect intelligence about Sophos systems. The FBI is asking the public to contribute relevant information about the identity of the threat actors.
Mitigate it
Detect with Tenable Plugin ID 136175
... and installing the Pygmy Goat malware
The British government revealed a backdoor named Pygmy Goat, which it detected on compromised Sophos XG firewall devices used in government networks. The threat actor behind Pygmy Goat has apparently been targeting FortiGate devices prior its Sophos ones. While the advisory did not describe Pygmy Goat as part of the long-term Chinese campaign against Sophos firewalls, it is plausible that the two cases are connected.
Vulnerabilities for hijacking SOHO devices into a botnet
Microsoft revealed a botnet composed of 8,000 SOHO devices from multiple brands (TP-Link, Zyxel, Asus, Axentra, D-Link, NETGEAR) and which allowed diverse Chinese threat actors to perform password spray attacks. The devices were hijacked into the botnet through the exploitation of both zero-day and one-day RCE vulnerabilities in the different routers. Among other groups, the Chinese Storm-0940 utilized the botnet for cyberespionage operations against government, defense or academic organizations in North America and Europe.
Mitigate it
Monitor alert “Storm-0940 actor activity detected” in Microsoft Defender for Endpoint
IntelBroker against Cisco...
Cisco claimed that the data IntelBroker exfiltrated from a misconfigured public-facing DevHub portal last October does not contain any information enabling future breaches of Cisco Systems. In the meantime, IntelBroker said that its access has been reached through an exposed API token used in a Cisco's JFrog environment. He also stated that Cisco offered him 200K USD to delete the information.
...and against Nokia
The same IntelBroker also broke into a SonarQube server of a software company, through which it exfiltrated source code, encryption keys, hardcoded credentials and SMTP accounts from Nokia. The Finnish company is investigating the allegations. Possibly through the same third party, were also leaked the personal information of 290K people connected to the MIT Technology Review and the IOS source code of the luxury brand Cartier.
One of the largest ransomware operations against the public sector
In one of the largest recent data breaches against the public sector, the city of Columbus, Ohio admitted that it suffered last July from a ransomware attack. The incident resulted in the outage of multiple municipal services and in the leakage of the personal information of 500K citizens – more than half of Columbus residents. Rhysida, an infamous Russian cybercrime known for exploiting VPN vulnerabilities and the ZeroLogon flaw, took credit for the attack.
A compromised Jira and the Schneider Electric's data breach
An unknown threat actor calling itself Hellcat broke into the Jira environment of Schneider Electric, resulting in the exfiltration of sensitive data including bugs, projects and plugins. The hackers required a 125K USD ransom but promised to cut it by half if Schneider publicly admits the breach. Schneider Electric is a French large corporate specialized in energy management and automation. In early 2024, its sustainability business division has already been compromised by the Cactus ransomware.
An AI-based honeypot succeeded to catch an exploit in the wild
Through an AI-powered tool operating within its honeypot system, Greynoise has discovered an automated exploit trying to use a zero-day in live streaming cameras (CVE-2024-8956/7) used by industrial, healthcare, and government organizations. The flaw allows attackers to take full control of cameras and consequently manipulate video feeds or even enlist the camera device into a botnet.
The first LLM-discovered zero-day
Google announced its LLM framework Big Sleep (formerly Naptime) has discovered a zero-day in SQLite. The flaw is a buffer overflow resulting in system crash or arbitrary command execution. According to Google, this is the first time “an AI agent finds a previously unknown exploitable memory-safety issue in widely used real-world software". Disclosed last June, Project Big Sleep aims at utilizing AI models to mimic human behavior when detecting vulnerabilities.
Most organizations have unpatched flaws for more than a year
A new report shows that 71% of organizations (and 42% of applications) have non-remediated vulnerabilities for periods of time longer than a year. In general, flaws were detected in 73% of active applications, a decrease from 80% in 2016. The proportion of critical vulnerabilities among unpatched flaws also decreased.
Mitigate it
Mitigate it
Mitigate it
Mitigate it
Mitigate it
Sources
