MOVEit data breaches are back

A threat actor nicknamed Nam3L3ss published 25 datasets from large companies, exfiltrated during the MOVEit Transfer campaign of May 2023. Among the victims, Amazon confirmed that the records of 2.8 million employees have indeed leaked. Other impacted companies include MetLife, Cardinal Health, HSBC, Fidelity, HP, Canada Post, Delta Airlines, Applied Materials, Charles Schwab, 3M, Lenovo, Bristol Myers Squibb, Westinghouse, Urban Outfitters, British Telecom, and McDonald's. Nam3L3ss, a previously unknown actor, stated that the intrusions were carried out by another group and that he is merely publishing datasets he found on dark web forums. He also promised to release 1,000 additional datasets soon. His connection to Cl0p, the Russian-speaking cybercrime group behind the massive 2023 MOVEit campaign, remains unclear.

New flaws in Citrix's session recorder

A few hours after their disclosure, two RCE vulnerabilities in Citrix Virtual Apps and Desktops (CVE-2024-8068 and CVE-2024-8069) were already being scanned for by malicious actors. The flaws affect the Session Recording Manager component, which lets admins capture, store and manage recordings of user sessions. While Citrix stated that attackers need high privileges prior to exploitation, security researchers asserted that the flaw is exploitable by unauthenticated attackers and criticized Citrix for downplaying the severity of the vulnerabilities.

Veeam exploited again

A new ransomware group named Frag has been observed exploiting a Veeam Backup & Replication vulnerability (CVE-2024-40711). The flaw was used to create new admin accounts in the backup and restore system. Frag is the third ransomware group to exploit the vulnerability within a month, after Akira and Fog.

Mitigate it

Apply SonicWall IPS signatures 4511 and 4512 (SoapFormatter Malformed Response 1 and 2). These only cover exploitation attempts crossing the firewall; the vendor fix shipped in Veeam Backup & Replication 12.2, so patching the backup server itself remains the priority.

Volt Typhoon renewed...

Since September, the highly sophisticated Chinese state actor Volt Typhoon has been rebuilding a large-scale botnet, after the FBI dismantled the previous one last January. Volt Typhoon's botnets, built mostly from outdated Cisco and Netgear routers, serve as infrastructure for pre-operational reconnaissance and network exploitation against critical infrastructure. A large number of devices were enrolled in the botnet in only a month of renewed activity.

... and keeps on attacking ISPs

In the meantime, the same Volt Typhoon has infiltrated Singtel, Singapore's leading telecom company. During the attack, discovered last June, Volt Typhoon apparently exploited a Versa Director vulnerability (CVE-2024-39717) to deploy credential-harvesting web shells. In parallel, following the recent breach of Verizon and AT&T by another Chinese group (Salt Typhoon), a federal agency, the Consumer Financial Protection Bureau (CFPB), has instructed its employees to refrain from discussing work matters over their phones.

Mitigate it

Block access to TCP ports 4566 and 4570 except between Versa Director nodes for HA-pairing traffic, and inspect the /var/versa/vnms/web/custom_logo/ folder for suspicious uploaded files. Since that folder is only meant to hold logo images, any file there whose content is not actually an image deserves a close look.
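The folder check described above, as an added example that is not Versa's own tooling: a POSIX shell script that walks the custom_logo directory and flags every file whose leading bytes do not match a PNG, JPEG or GIF signature, which is exactly the mismatch a web shell renamed to look like a logo produces. It assumes the directory path from the advisory and that legitimate uploads are limited to those three image types; any other image format in use would need its signature added to the list.

```shell
#!/bin/sh
# Added example: flag files in a Versa Director custom_logo folder that are
# not real images. Only the first 8 bytes are read, so the check is cheap and
# does not execute or parse anything it finds.

# Hex dump of the first 8 bytes of a file, without spaces or newlines.
magic_hex() {
    od -An -tx1 -N8 "$1" | tr -d ' \n'
}

# Returns 0 when the file starts with a PNG, JPEG or GIF signature, 1 otherwise.
is_image() {
    case "$(magic_hex "$1")" in
        89504e470d0a1a0a*)           return 0 ;;   # PNG: \x89 P N G \r \n \x1a \n
        ffd8ff*)                     return 0 ;;   # JPEG: SOI marker
        474946383961*|474946383761*) return 0 ;;   # GIF89a / GIF87a
        *)                           return 1 ;;
    esac
}

# Prints one line per suspicious file (path plus its leading bytes).
# Dotfiles are included on purpose: a hidden upload is still an upload.
# Exit status is always 0 so the function is safe under 'set -e';
# count the output lines to get a verdict.
scan_custom_logo() {
    dir="${1:-/var/versa/vnms/web/custom_logo}"   # path from the advisory
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        if ! is_image "$f"; then
            printf 'SUSPICIOUS: %s (first bytes: %s)\n' "$f" "$(magic_hex "$f")"
        fi
    done
    return 0
}

# On the Director host, run with no argument to scan the advisory's folder:
#   scan_custom_logo
```

Run it on each Director node, not only the active one, since HA pairing copies files between them; a non-empty result is an indicator to triage, not proof of compromise on its own (a corrupted but legitimate upload also fails the check).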

A new Remcos version uses a 2017 Microsoft Office flaw

A new campaign delivers a new version of the Remcos RAT by exploiting an old RCE vulnerability (CVE-2017-0199) that abuses the way Microsoft Office and WordPad handle specially crafted files. Exploitation is triggered when the victim opens a malicious Excel document disguised as a purchase order and sent through a phishing email, after which the attackers gain full control of the device.

Mitigate it

Apply the April 2017 Microsoft patch for CVE-2017-0199 where it is still missing and disable the Windows HTA handler (mshta.exe) on endpoints that do not need it; in FortiEDR, enable the "Unconfirmed Executable" rule in the Exfiltration Prevention security policy to block the execution of Remcos malware.

A new PAN-OS flaw raises concerns

Palo Alto Networks warned of a potential RCE vulnerability in the PAN-OS management interface and provided its customers with hardening guidance: do not expose the management interface to the Internet, isolate it on a dedicated management VLAN, reach the management IP through a jump server, and restrict inbound connections to the management interface to approved IP addresses. Separately, CVE-2024-5910, a missing-authentication flaw in the Expedition migration tool that can lead to an admin account takeover, has been observed exploited in the wild; Expedition instances should be patched and kept off untrusted networks as well.

Russia exploits a Microsoft NTLM zero-day against Ukraine

Russian threat groups exploited a Windows NTLM vulnerability (CVE-2024-43451) as a zero-day against Ukrainian targets. The flaw is an NTLM hash disclosure spoofing vulnerability that lets attackers obtain a victim's NTLMv2 hash with minimal user interaction. Microsoft patched it last week.

TOP15 exploited flaws of 2023

The US and its allies published a list of the 15 most exploited vulnerabilities of 2023. It includes infamous flaws in Citrix NetScaler (CVE-2023-3519, CVE-2023-4966), in Fortinet (CVE-2023-27997) and in Confluence servers (CVE-2023-22515). The no-less famous PaperCut, ZeroLogon, MOVEit and Log4j vulnerabilities are also on the list. The agencies also warned that zero-day exploitation is increasing and has become "a new normal" for threat actors.

New rules for vulnerabilities in pipelines and railways

The Transportation Security Administration (TSA) drafted new cybersecurity rules that would require around 300 pipeline and rail operators to report annual security evaluations and to conduct ad hoc assessments to identify unaddressed vulnerabilities. TSA also requires these assessments to be performed by independent professionals rather than by people who "have a personal, financial interest in the results of the assessment". The new regulation aims at formalizing the guidelines released by TSA after the notorious May 2021 ransomware attack on Colonial Pipeline.
