Krispy Kreme under attack

Play Ransomware (aka UNC4769) has taken credit for the recent attack on the donut and coffee chain Krispy Kreme. The attack, in which business and financial information was stolen, has resulted in the disruption of online ordering systems. Play, one of the largest ransomware groups, is known for exploiting FortiOS and Microsoft Exchange vulnerabilities.

Legacy systems exposed to a new Apache Struts flaw

The Apache Struts 2 vulnerability reported last week (CVE-2024-5367) is now under active exploitation. Because Struts 2 is widespread in legacy systems that are often barely integrated into modern CI/CD pipelines, patching it requires significant manual work, which raises concerns about wide exploitation windows. Concretely, after upgrading their Apache Struts version, IT admins will have to migrate to the new Action File Upload Interceptor and rewrite their applications' file-upload handling code. Moreover, the flaw shares similarities with a 2023 vulnerability (CVE-2023-50164), leading to speculation that the current vulnerability stems from an inefficient earlier patch. Tens of thousands of vulnerable Apache Struts instances have been detected, mostly in industries such as finance, manufacturing, logistics and government.
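As an added example (not from the newsletter or from the Struts project), this is roughly what the rewrite looks like: an action that receives uploads through the new interceptor's UploadedFilesAware callback instead of the legacy setter-based fields, and that never lets the client-supplied file name decide where the file lands on disk. Class and method names follow the Struts 6.4 API as I know it; the storage directory, the action name and the cast of getContent() to File are assumptions to check against your Struts version.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.util.List;
import java.util.UUID;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

// Assumes the action's interceptor stack uses "actionFileUpload" in place of
// the legacy "fileUpload" interceptor (struts.xml change not shown).
public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {

    // Assumed storage location; adjust for the deployment.
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath();

    private UploadedFile uploadedFile;
    private String originalName;

    // New-style callback: the interceptor hands over the parsed multipart files
    // directly, so there is no request-parameter-shaped setter for the file name.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        if (!uploadedFiles.isEmpty()) {
            uploadedFile = uploadedFiles.get(0);
            originalName = uploadedFile.getOriginalName();
        }
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFile == null) {
            return INPUT;
        }
        // The server chooses the stored name; the client's name contributes only a
        // whitelisted extension, so "../" or absolute paths in it never reach the disk.
        Path target = UPLOAD_DIR.resolve(UUID.randomUUID() + safeExtension(originalName));
        Files.copy(((File) uploadedFile.getContent()).toPath(), target,
                StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }

    // Keeps a short alphanumeric extension such as ".pdf"; anything else is dropped.
    static String safeExtension(String name) {
        int dot = name == null ? -1 : name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1);
        return ext.matches("[A-Za-z0-9]{1,8}") ? "." + ext.toLowerCase() : "";
    }
}
```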

Mitigate it

Block access from 169.150.226[.]162, 20.207.113[.]112 and 45.200.149[.]171

A critical FortiWLM flaw patched a year after discovery

Fortinet has patched a critical vulnerability (CVE-2023-34990) in its Wireless Manager (FortiWLM), described as a relative path traversal flaw. The vulnerability, which allows retrieving log files that contain admin session ID tokens, was reported more than a year ago, and it is unclear why it took so long to fix the flaw and assign a CVE ID to it. Chained with another Fortinet vulnerability, a command injection flaw (CVE-2023-48782), it might enable attackers to take full control of FortiWLM hosts.

Mitigate it

Apply the Signal Sciences "Directory Traversal (Traversal)" feature; enforce Akamai rule IDs 6055741, 6055744, 6055836, 6055855, 6055805

Fortinet EMS flaw remains widely exploited

A new campaign exploiting an SQL injection flaw in Fortinet EMS (CVE-2023-48788) has been observed targeting Internet-facing Windows servers in a wide range of countries. The vulnerability was leveraged to deploy remote desktop software such as AnyDesk and ScreenConnect. In the past, it has been used by various threat actors, including prominent groups such as Ransomhub, Salt Typhoon and Medusa.

Mitigate it

Detect with Tenable Plugin ID 192116

Sophisticated DDoS botnet uses flaws in video recorders

A new Mirai-based botnet is exploiting a vulnerability in DigiEver's Network Video Recorders (NVR) for which a CVE ID has yet to be assigned. The campaign hijacks devices through command injection in order to conduct DDoS operations. The botnet stands out for employing XOR and ChaCha20 encryption while targeting a wide variety of system architectures, such as x86, ARM, and MIPS. It also exploits vulnerabilities in Teltonika routers (CVE-2018-17532) and TP-Link network devices (CVE-2023-1389).

BeyondTrust flaw under active exploitation

A vulnerability (CVE-2024-12356) in BeyondTrust, a remote access solution, has been exploited in the wild. The flaw allows command injection and can be triggered through crafted client requests; no privileges or user interaction are required.

Mitigate it

Block access from 24.144.114.85, 142.93.119.175, 157.230.183.1 and 192.81.209.168

When LLMs are manipulating EPSS

A new report reveals that AI-driven adversarial attacks can manipulate exploitation predictions within the EPSS framework. For example, such attacks might inflate the social media coverage of a particular vulnerability and create multiple GitHub repositories containing empty exploits, thereby skewing the indicators EPSS uses to estimate the probability of exploitation. In parallel, other research showed that, while LLMs have difficulty creating new JavaScript malware from scratch, they can easily generate more than 10K variants of a given malware sample. As a result, 88% of these variants might be tagged as benign and effectively evade detection.

Mitigate it