Weekly IT Vulnerability Report for September 11 – September 17, 2024

Key Takeaways


This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

The team at Cyble Research and Intelligence Labs analyzed multiple high- and critical-severity CVEs impacting products and software used worldwide. One such vulnerability is CVE-2024-38812, which impacts the VMware vCenter Server and can be remotely exploited without any user interaction. 

CRIL also assessed a high probability that certain vulnerabilities will be used in malicious campaigns, including data breaches and supply chain attacks: CVE-2024-29847, which impacts Ivanti Endpoint Manager; CVE-2024-45694, an arbitrary code execution vulnerability impacting D-Link wireless routers; and CVE-2024-45409, which impacts GitLab CE/EE instances.

CRIL’s dark web monitoring sensors observed 15 instances on underground forums and Telegram channels where vulnerabilities and proof-of-concept (POC) exploits were being discussed. Notable ones include CVE-2024-8504, CVE-2024-8503, CVE-2024-29847 and CVE-2024-38014, as well as claimed zero-days in the VMware Workstation client, TOTOLINK routers and TP-Link Archer C6U/C6 routers.

Overview

This Weekly Vulnerability Intelligence Report explores vulnerability updates between September 11 and September 17. The Cyble Research and Intelligence Labs team investigated 24 vulnerabilities this week, among other disclosed vulnerabilities, to present critical, high, and medium degree insights.

The Week’s Top Vulnerabilities

CVE-2024-45409: Improper Verification of Cryptographic Signature in GitLab Community Edition (CE) and Enterprise Edition (EE)

This critical SAML authentication bypass vulnerability impacts self-managed installations of GitLab Community Edition (CE) and Enterprise Edition (EE). Security Assertion Markup Language (SAML) is a single sign-on (SSO) authentication protocol that allows users to log in across different services using the same credentials. The flaw lies in the signature verification of the ruby-saml library that GitLab (via omniauth-saml) uses to process SAML responses: an unauthenticated attacker who holds any SAML document signed by the IdP can forge a SAML Response/Assertion with arbitrary contents that still passes verification. This allows the attacker to log in as an arbitrary user on the vulnerable instance. Only instances with SAML authentication enabled are exposed.

CVSS Score: 10.0

Internet Exposure: No 

Patch Available: Yes 
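As an added illustration (not code from the original report, from GitLab or from ruby-saml), the following Python model shows the signature-wrapping class of bug described above: a consumer that checks "is there a valid signature over some element in this document?" and then trusts the first Assertion it finds will accept an attacker-inserted Assertion, while a consumer that only uses the exact element the signature covers rejects it. Real XML-DSig (canonicalization, RSA/ECDSA, DigestValue) is replaced by an HMAC over the serialized element so the example runs offline; the key, the assertion IDs and the user names are constructed for the example, and the code does not reproduce ruby-saml's actual code path.

```python
"""Simplified model of a SAML signature-wrapping bypass (constructed example, stdlib only).

Real XML-DSig (canonicalization, RSA/ECDSA, DigestValue) is replaced by an HMAC over
the serialized Assertion so the example runs offline; the bug class is the same:
a verifier that does not tie "the element that was signed" to "the element it consumes".
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

IDP_KEY = b"constructed-idp-signing-key"   # stands in for the IdP's private signing key


def _q(prefix, local):
    """Clark-notation tag for ElementTree, e.g. {urn:...:assertion}Assertion."""
    return f"{{{NS[prefix]}}}{local}"


def _canon(elem):
    """Stand-in for XML canonicalization: deterministic serialization of one element."""
    return ET.tostring(elem)


def _new_assertion(assertion_id, name_id):
    assertion = ET.Element(_q("saml", "Assertion"), ID=assertion_id)
    subject = ET.SubElement(assertion, _q("saml", "Subject"))
    ET.SubElement(subject, _q("saml", "NameID")).text = name_id
    return assertion


def build_signed_response(name_id, key=IDP_KEY):
    """IdP side: issue a Response whose single Assertion is covered by the signature."""
    response = ET.Element(_q("samlp", "Response"))
    assertion = _new_assertion("_a1", name_id)
    response.append(assertion)
    signature = ET.SubElement(response, _q("ds", "Signature"))
    ET.SubElement(signature, _q("ds", "Reference"), URI="#_a1")   # what the signature covers
    mac = hmac.new(key, _canon(assertion), hashlib.sha256).hexdigest()
    ET.SubElement(signature, _q("ds", "SignatureValue")).text = mac
    return ET.tostring(response)


def wrap_forged_assertion(signed_response, forged_name_id):
    """Attacker side: leave the signed Assertion untouched, prepend an unsigned one."""
    response = ET.fromstring(signed_response)
    response.insert(0, _new_assertion("_evil", forged_name_id))
    return ET.tostring(response)


def _verify_signature(root, signature, key):
    """Return the element the signature validly covers, or None."""
    wanted = signature.find("ds:Reference", NS).get("URI").lstrip("#")
    signed = next((el for el in root.iter() if el.get("ID") == wanted), None)
    if signed is None:
        return None
    expected = hmac.new(key, _canon(signed), hashlib.sha256).hexdigest()
    given = signature.find("ds:SignatureValue", NS).text or ""
    return signed if hmac.compare_digest(expected, given) else None


def consume_weak(response_bytes, key=IDP_KEY):
    """Vulnerable pattern: 'some signature in the document is valid' -> trust the first Assertion."""
    root = ET.fromstring(response_bytes)
    signature = root.find(".//ds:Signature", NS)
    if signature is None or _verify_signature(root, signature, key) is None:
        return None
    first = root.find("saml:Assertion", NS)          # not necessarily the signed element
    return first.find("saml:Subject/saml:NameID", NS).text


def consume_strict(response_bytes, key=IDP_KEY):
    """Hardened pattern: exactly one Assertion, exactly one Signature, and the signed
    element must be the very object that is consumed."""
    root = ET.fromstring(response_bytes)
    assertions = root.findall("saml:Assertion", NS)
    signatures = root.findall(".//ds:Signature", NS)
    if len(assertions) != 1 or len(signatures) != 1:
        return None                                    # wrapping shows up as extra elements
    signed = _verify_signature(root, signatures[0], key)
    if signed is None or signed is not assertions[0]:
        return None
    return signed.find("saml:Subject/saml:NameID", NS).text


if __name__ == "__main__":
    legit = build_signed_response("alice")
    wrapped = wrap_forged_assertion(legit, "admin")
    print("weak verifier, wrapped response   ->", consume_weak(wrapped))    # admin
    print("strict verifier, wrapped response ->", consume_strict(wrapped))  # None
```

The strict consumer's two checks are the ones that matter when reviewing any SAML or XML-signature integration: count the security-relevant elements (more than one Assertion or Signature is a rejection, not a "pick the first"), and compare the signed element and the consumed element by identity rather than by looking each up separately.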

CVE-2024-38812: Heap-based Buffer Overflow in VMware vCenter Server

This critical heap-overflow vulnerability in the DCERPC protocol implementation of VMware vCenter Server impacts the centralized management platform for VMware vSphere environments, which provides a single interface to manage and monitor multiple ESXi hosts and the virtual machines running on them. A malicious actor with network access to the vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.

CVSS Score: 9.8

Internet Exposure: Yes

Patch Available: Yes 

CVE-2024-29847: Deserialization of Untrusted Data in Ivanti Endpoint Manager

This critical vulnerability impacts Ivanti Endpoint Manager, a solution for managing and securing endpoints across various operating systems and devices. It integrates Unified Endpoint Management (UEM) capabilities, allowing IT teams to oversee a diverse range of devices from a single platform. Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6 or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

CVSS Score: 9.8

Internet Exposure: Yes 

Patch Available: Yes 

CVE-2024-6671, CVE-2024-6670: SQL Injection in Progress WhatsUp Gold

These critical SQL injection vulnerabilities impact Progress WhatsUp Gold, a network monitoring software designed to provide visibility and control over network devices, servers, applications, and virtual environments. It allows IT teams to monitor performance metrics and ensure the health of their infrastructure, whether deployed on-premises or in the cloud. Exploitation of the vulnerabilities allows an unauthenticated attacker to retrieve a user’s encrypted password.

Researchers recently reported that attackers are leveraging publicly available exploit code for these vulnerabilities.

CVSS Score: 9.8 (each)

Internet Exposure: Yes 

Patch Available: Yes 

CVE-2024-45694: Stack-based Buffer Overflow in D-Link Routers

This critical stack-based buffer overflow vulnerability impacts the web service of certain models of D-Link wireless routers. Unauthenticated, remote attackers can exploit this vulnerability to execute arbitrary code on the device.

CVSS Score: 9.8

Internet Exposure: No

Patch Available: Yes

CVE-2024-6678: Authentication Bypass by Spoofing in GitLab Community Edition (CE) and Enterprise Edition (EE)

This high-severity vulnerability impacts GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2. Exploitation of the vulnerability allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances, leading to the disruption of automated workflows in targeted organizations.

CVSS Score: 8.8

Internet Exposure: No 

Patch Available: Yes 

Vulnerabilities and Exploits Discussed in the Underground

CRIL observed multiple instances of vulnerability discussions and the sharing of proof-of-concept (POC) exploits in underground forums and channels.


On a Telegram channel named ‘Proxy Bar,’ the administrator shared POCs for several critical and high-severity vulnerabilities, including CVE-2024-8504 (OS command injection in VICIdial), CVE-2024-8503 (SQL injection in VICIdial), CVE-2024-40711 (RCE in Veeam Backup & Replication) and CVE-2024-38080 (privilege escalation in Windows Hyper-V).

On the Telegram channel CyberDilara, the administrator shared a POC for CVE-2024-38014, a high-severity vulnerability in the Windows Installer that allows elevation of privileges.

Hackers Factory also shared a POC for CVE-2024-28000, a critical privilege escalation vulnerability affecting the LiteSpeed Cache plugin for WordPress, which allows unauthorized users to gain Administrator-level access to a WordPress site.

The threat actor ‘tikila’ claimed to have three 0-day vulnerabilities affecting VMware Workstation, TOTOLINK routers, and TP-Link Archer C6U/C6 routers.

Cyble’s Recommendations


Stay Up-to-Date with Patches

Make it a priority to update all your systems with the latest vendor patches. Vulnerabilities get exploited quickly, and having a schedule for regular updates ensures you’re not left exposed. Apply critical patches as soon as they’re released—don’t delay.


Streamline Your Patch Management

Building a solid patch management process is key. It starts with knowing what’s in your system, followed by assessing, testing, and deploying patches in an orderly fashion. Automating this process can save time and prevent human error.


Segment Networks for Better Protection

Don’t put all your eggs in one basket. Segregating your network can safeguard your most critical assets by limiting their exposure. Use firewalls, VLANs, and tight access controls to ensure only authorized users have access.


Have a Response Plan Ready

When incidents happen—and they will—having a well-rehearsed incident response plan is a lifesaver. It should clearly define how you’ll detect, react to, and recover from threats. Regularly test and update this plan to ensure it’s aligned with the latest risks.


Monitor and Log Activities 

You can’t fix what you can’t see. Monitoring and logging malicious activity is crucial. Use SIEM solutions to collect and analyze logs in real-time, helping you catch threats before they escalate.


Stay Informed on Security Alerts

Stay ahead of threats by subscribing to security alerts from vendors and authorities. Make sure to evaluate the impact of these alerts on your organization and act swiftly.


Test for Vulnerabilities

Conduct regular Vulnerability Assessments and Penetration Testing (VAPT) to expose weak points in your defenses. Pair these exercises with audits to confirm you’re following security protocols.


Know Your Assets

Keeping a current inventory of internal and external assets, like hardware and software, is essential. Asset management tools can help maintain visibility, so you stay on top of everything in your network.


Strengthen Password Security

Weak passwords are an open door for hackers. Start by changing default passwords immediately and enforcing a strong password policy across your organization. Coupling that with multi-factor authentication (MFA) adds an extra layer of protection, making it harder for unauthorized users to gain access.

The post Weekly IT Vulnerability Report for September 11 – September 17, 2024 appeared first on Cyble.

Blog – Cyble

Where’s your BitLocker recovery key? How and why to save a copy before the next Windows meltdown

BitLocker encryption is a tremendous way to stop a thief from accessing your business and personal secrets. But don’t let the tool lock you out of your PC. Here’s how to save a secure backup copy of your encryption key for panic-free recovery.

Latest stories for ZDNET in Security

Solar Monitoring Solutions in Hacktivists’ Crosshairs

Executive Summary

In September 2024, the pro-Russian hacktivist group Just Evil and possibly the state-backed Beregini group led a coordinated cyberattack on Lithuanian energy infrastructure. The attackers claimed to target the PV monitoring solution used by the state-owned energy holding company Ignitis Group.

Just Evil is a faction that emerged from the split of the Killnet group, while Beregini exemplifies the complex interplay of hacktivism and state-sponsored cyber operations within the context of the Russia-Ukraine conflict. It operates under the guise of a Ukrainian group while aligning closely with pro-Russian interests.

Just Evil allegedly accessed the power monitoring dashboards of 22 Ignitis clients, including hospitals and military academies, via a compromised PV monitoring platform in the city of Kaunas. This is the latest in a series of cyberattacks on Ignitis, following earlier DDoS incidents in 2022 and further attacks in 2024 that impacted the company’s energy distribution services.

Previous Attacks on Lithuanian Energy Infrastructure

The first significant attack against Ignitis was orchestrated by Killnet in 2022 in retaliation for Lithuania’s ban on the transit of goods to Russia’s Kaliningrad region. The severity of the attack can be judged from the fact that the Lithuanian National Cyber Security Centre had to intervene to contain it, which was widely reported in the media.

In early February 2024, the pro-Russian group Just Evil allegedly gained unauthorized access to the control panel of Ignitis ON, a service that helps electric vehicle owners charge their cars.

The group provided video evidence of shutting down user access to charging stations and deleting users from the control panel. They also demanded a ransom to cease the attacks and to refrain from leaking user data. According to local media, Ignitis acknowledged the breach and did not pay the ransom. As a result, Just Evil leaked user data containing details of over 20,000 EV owners, employee data, access keys, and firmware for car charging stations.

Just Evil later also advertised admin access to the Ignitis ON platform for sale at EUR 50,000.

A few days later, the group claimed that they were able to gain access to the Ignitis On app via a vulnerability called ‘Human Factor’, possibly indicating social engineering and the use of valid credentials to gain access. The group also mentioned defacing the panel after gaining illicit access.

Analysis of the Incident Targeting PV Solar Monitoring Solution

Upon closer investigation of the screenshots shared by Just Evil on their Telegram channel, Cyble Research & Intelligence Labs (CRIL) identified the PV monitoring solution plausibly impacted at Ignitis as Sungrow’s iSolarCloud. An open-source search also confirmed that Ignitis uses iSolarCloud to manage solar-generated electricity. Hence, considering the compromised panel screenshots, Just Evil’s claims seem credible.

iSolarCloud by Sungrow offers several features for centralized management, monitoring, and optimization of solar energy systems. The platform offers real-time monitoring of solar systems, tracking energy production, consumption, and inverter performance. It provides data analytics for performance trends, efficiency tracking, and fault alerts, allowing remote diagnostics and predictive maintenance.  

While the TA claimed to target multiple Lithuanian entities such as hospitals, gymnasiums, and educational facilities, CRIL assessed that the TA reached the solar power plants of those institutions through the centralized iSolarCloud platform that manages them, rather than by compromising each one individually. Given the names of the Lithuanian entities visible in the screenshot below, we assess that this iSolarCloud platform may be in use by Ignitis.

Given the group’s history of attacks, CRIL assesses that the use of valid credentials is the likely initial access vector in this incident. Consistent with this hypothesis, Cyble Vision also identified recently compromised credentials for iSolarCloud instances in Europe.

Using Cyble’s ODIN scanner, CRIL investigated other PV monitoring solutions from Lithuania and found that they were exposed on the Internet and could be targeted in the near future.

Conclusion

Solar energy generation and distribution are critical to a nation’s essential services. The recent attack on a centralized PV monitoring platform, which targeted multiple locations simultaneously, represents a significant threat to Lithuania’s energy sector. As observed by Cyble Vision, numerous compromised credentials exist for iSolarCloud platform users from various regions, including Europe and China. CRIL suggests that such compromised credentials could pose a serious risk, potentially being used to target critical infrastructure systems.

Globally, the solar energy sector has increasingly become a target for cybercriminals, with incidents such as ransomware attacks, data breaches, and remote access exploitation growing in frequency.

The impact of such attacks extends beyond immediate operational disruptions, potentially undermining national energy security, causing financial damage, and affecting public trust in renewable energy technologies.

Recommendations

Enhance Network Segmentation: Use firewalls and virtual LANs (VLANs) to separate critical control systems from non-essential networks. Isolate monitoring platforms from other network segments to limit the lateral movement of threats.

Implement Strong Authentication Measures: A key method of preventing unauthenticated access due to compromised credentials is implementing mandatory multi-factor authentication (MFA) for accessing solar monitoring and control systems. Employ strong, unique passwords and regularly update them.

Regular Security Audits and Penetration Testing: Foster a cyber-aware culture with routine security assessments and penetration tests on solar energy systems, including inverters, monitoring platforms, and network devices, to help detect and address vulnerabilities before they can be exploited.

Patch Management and Firmware Updates: Establish a robust patch management policy to ensure all systems, including inverters and monitoring platforms, are up-to-date with the latest security patches and firmware updates. Regularly check for updates from equipment manufacturers.

Implement Advanced Threat Detection and Response: Deploy intrusion detection systems (IDS) alongside intrusion prevention systems (IPS) and Security Information and Event Management (SIEM) tools to monitor, identify, and respond to potentially malicious activity throughout the network.

Secure Remote Access: Restrict remote access to critical systems through VPNs, limit access to authorized personnel only, and monitor remote sessions for any unusual activity. Disable unused ports and services to reduce attack surfaces.

Employee Training and Awareness Programs: Train employees and operators on cybersecurity best practices, including recognizing phishing attempts and proper handling of sensitive information. Regularly update staff on emerging threats and attack vectors specific to the solar sector.

Incident Response Planning and Disaster Recovery: Create detailed incident response and disaster recovery plans tailored to the solar sector. Ensure that response procedures are in place to quickly isolate and mitigate attacks, minimize downtime, and restore normal operations.

Implement Dark Web Monitoring: Regularly monitor dark web forums, marketplaces, and other underground channels for stolen credentials, sensitive data, or discussions related to your solar infrastructure. Utilize threat intelligence platforms to detect compromised information early, allowing for proactive measures such as credential resets, system audits, and enhanced security protocols to prevent further exploitation.

Minimize Internet Exposure of Critical Systems: Restrict Internet exposure of critical solar monitoring and control systems by ensuring they are not directly accessible from the public internet. Use secure gateways, VPNs, and access controls to shield critical assets. Implement strict firewall rules and regularly scan your network for exposed services to reduce the risk of unauthorized access.

References:

https://faq.isolarcloud.com/web_faq/manage/#/_en_US/a2

https://web3.isolarcloud.com.hk/#/login

https://en.sungrowpower.com/productDetail/987/cloud-platform-isolarcloud

https://ignitis.lt/sites/default/files/inline-files/saules-elektrines-su-sungrow-keitikliu-naudojimosi-ir-eksploatavimo-instrukcija.pdf

The post Solar Monitoring Solutions in Hacktivists’ Crosshairs appeared first on Cyble.

Blog – Cyble

Chrome Users Can Now Sync Passkeys Across Devices with New Google PIN Feature

Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices.
“This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can’t be accessed by anyone, not even Google,” Chrome product manager Chirag Desai said.
The PIN is a six-digit code by default, although it’s

The Hacker News

Ivanti Warns of Second CSA Vulnerability Exploited in Attacks

In addition to the Ivanti CSA flaw CVE-2024-8190, another vulnerability affecting the same product, tracked as CVE-2024-8963, has been exploited.

The post Ivanti Warns of Second CSA Vulnerability Exploited in Attacks appeared first on SecurityWeek.

SecurityWeek

Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks

Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was “incidentally addressed” by the company as part of CSA 4.6 Patch 519 and CSA 5.0.
“Path Traversal in the Ivanti CSA before 4.6 Patch

The Hacker News

DOJ charges hackers for stealing $230 million in crypto from individual

The Justice Department arrested two people on Wednesday and unsealed an indictment accusing the pair of stealing more than $230 million worth of cryptocurrency from a victim in Washington, D.C.

The Record from Recorded Future News

North Korean APT Bypasses DMARC Email Policies in Cyber-Espionage Attacks

How the Kimsuky nation-state group and other threat actors are exploiting poor email security — and what organizations can do to defend themselves.

darkreading

Chipmaker Qualcomm lays off hundreds of workers in San Diego

This is the chipmaker’s second round of layoffs over the past year, while the company recorded billions in revenue.


Security News | TechCrunch

GitLab Warns of Max Severity Authentication Bypass Bug

Company urges organizations using self-hosting GitLab instances to apply updates for CVE-2024-45409 as soon as possible.

darkreading