Warns – INDIA NEWS (http://www.indiavpn.org), feed generated Thu, 14 Mar 2024 06:49:32 +0000

Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software
Published Thu, 14 Mar 2024 06:49:32 +0000
http://www.indiavpn.org/2024/03/14/fortinet-warns-of-severe-sqli-vulnerability-in-forticlientems-software/

Mar 14, 2024 | The Hacker News | Vulnerability / Network Security

Fortinet has warned of a critical security flaw impacting its FortiClientEMS software that could allow attackers to achieve code execution on affected systems.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests,” the company said in an advisory.

The vulnerability, tracked as CVE-2023-48788, carries a CVSS rating of 9.3 out of a maximum of 10. It impacts the following versions –

  • FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above)
  • FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above)

Horizon3.ai, which plans to release additional technical details and a proof-of-concept (PoC) exploit next week, said the shortcoming could be exploited to obtain remote code execution as SYSTEM on the server.

Fortinet has credited Thiago Santana from the FortiClientEMS development team and the U.K. National Cyber Security Centre (NCSC) with discovering and reporting the flaw.

The company also fixed two other critical bugs in FortiOS and FortiProxy (CVE-2023-42789 and CVE-2023-42790, CVSS scores: 9.3) that could permit an attacker with access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests.

The following product versions are impacted by the flaws –

  • FortiOS version 7.4.0 through 7.4.1 (Upgrade to FortiOS version 7.4.2 or above)
  • FortiOS version 7.2.0 through 7.2.5 (Upgrade to FortiOS version 7.2.6 or above)
  • FortiOS version 7.0.0 through 7.0.12 (Upgrade to FortiOS version 7.0.13 or above)
  • FortiOS version 6.4.0 through 6.4.14 (Upgrade to FortiOS version 6.4.15 or above)
  • FortiOS version 6.2.0 through 6.2.15 (Upgrade to FortiOS version 6.2.16 or above)
  • FortiProxy version 7.4.0 (Upgrade to FortiProxy version 7.4.1 or above)
  • FortiProxy version 7.2.0 through 7.2.6 (Upgrade to FortiProxy version 7.2.7 or above)
  • FortiProxy version 7.0.0 through 7.0.12 (Upgrade to FortiProxy version 7.0.13 or above)
  • FortiProxy version 2.0.0 through 2.0.13 (Upgrade to FortiProxy version 2.0.14 or above)

While there is no evidence that the aforementioned flaws have come under active exploitation, unpatched Fortinet appliances have been repeatedly abused by threat actors, making it imperative that users move quickly to apply the updates.

This article is a contributed piece from one of our valued partners.
CISA Warns of Actively Exploited JetBrains TeamCity Vulnerability
Published Fri, 08 Mar 2024 07:56:15 +0000
http://www.indiavpn.org/2024/03/08/cisa-warns-of-actively-exploited-jetbrains-teamcity-vulnerability/

Mar 08, 2024 | Newsroom | Vulnerability / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting JetBrains TeamCity On-Premises software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2024-27198 (CVSS score: 9.8), refers to an authentication bypass bug that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker.

It was addressed by JetBrains earlier this week alongside CVE-2024-27199 (CVSS score: 7.3), another moderate-severity authentication bypass flaw that allows for a “limited amount” of information disclosure and system modification.

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company noted at the time.

Threat actors have been observed weaponizing the twin flaws to deliver Jasmin ransomware as well as create hundreds of rogue user accounts, according to CrowdStrike and LeakIX. The Shadowserver Foundation said it detected exploitation attempts starting from March 4, 2024.

Statistics shared by GreyNoise show that CVE-2024-27198 has come under broad exploitation from over a dozen unique IP addresses shortly after public disclosure of the flaw.

In light of active exploitation, users running on-premises versions of the software are advised to apply the updates as soon as possible to mitigate potential threats. Federal agencies are required to patch their instances by March 28, 2024.

FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks
Published Wed, 28 Feb 2024 13:53:31 +0000
http://www.indiavpn.org/2024/02/28/fbi-warns-u-s-healthcare-sector-of-targeted-blackcat-ransomware-attacks/

Feb 28, 2024 | Newsroom | Ransomware / Healthcare

The U.S. government is warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the government said in an updated advisory.

“This is likely in response to the ALPHV/BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The advisory comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).

The BlackCat ransomware operation suffered a major blow late last year after a coordinated law enforcement operation led to the seizure of its dark web leak sites. But the takedown turned out to be a failure after the group managed to regain control of the sites and switched to a new Tor data leak portal that continues to remain active to date.

It has also ramped up attacks against critical infrastructure organizations in recent weeks, having claimed responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines, and UnitedHealth Group subsidiary Optum.

The development has prompted the U.S. government to announce financial rewards of up to $15 million for information leading to the identification of key members as well as affiliates of the e-crime group.

BlackCat’s ransomware spree coincides with the return of LockBit after similar disruption efforts led by the U.K. National Crime Agency (NCA) last week.

According to a report from SC Magazine, threat actors breached Optum’s network by leveraging the recently disclosed critical security flaws in ConnectWise’s ScreenConnect remote desktop and access software.

The flaws, which allow for remote code execution on susceptible systems, have also been weaponized by the Black Basta and Bl00dy ransomware gangs as well as by other threat actors to deliver Cobalt Strike Beacons, XWorm, and even other remote management tools like Atera, Syncro, and another ScreenConnect client.

Attack surface management firm Censys said it observed more than 3,400 exposed potentially vulnerable ScreenConnect hosts online, with most of them located in the U.S., Canada, the U.K., Australia, Germany, France, India, the Netherlands, Turkey, and Ireland.

“It’s clear that remote access software like ScreenConnect continues to be a prime target for threat actors,” Censys security researcher Himaja Motheram said.

The findings come as ransomware groups like RansomHouse, Rhysida, and a Phobos variant called Backmydata have continued to compromise various organizations in the U.S., U.K., Europe, and the Middle East.

In a sign that these cybercrime groups are shifting to more nuanced and sophisticated tactics, RansomHouse has developed a custom tool dubbed MrAgent to deploy the file-encrypting malware at scale.

“MrAgent is a binary designed to run on [VMware ESXi] hypervisors, with the sole purpose of automating and tracking the deployment of ransomware across large environments with a high number of hypervisor systems,” Trellix said. Details of MrAgent first came to light in September 2023.

Another significant tactic adopted by some ransomware groups is the sale of direct network access as a new monetization method via their own blogs, on Telegram channels, or data leak websites, KELA said.

It also follows the public release of a Linux-specific, C-based ransomware threat known as Kryptina, which surfaced in December 2023 on underground forums and has since been made available for free on BreachForums by its creator.

“The release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems,” SentinelOne researcher Jim Walter said.

“It is likely to increase the ransomware builder’s attractiveness and usability, drawing in yet more low-skilled participants to the cybercrime ecosystem. There is also significant risk that it will lead to the development of multiple spin-offs and an increase in attacks.”

Meta Warns of 8 Spyware Firms Targeting iOS, Android, and Windows Devices
Published Mon, 19 Feb 2024 14:11:17 +0000
http://www.indiavpn.org/2024/02/19/meta-warns-of-8-spyware-firms-targeting-ios-android-and-windows-devices/

Meta Platforms said it took a series of steps to curtail malicious activity from eight different firms based in Italy, Spain, and the United Arab Emirates (U.A.E.) operating in the surveillance-for-hire industry.

The findings are part of its Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android, and Windows devices.

“Their various malware included capabilities to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media, and messaging apps, and enable microphone, camera, and screenshot functionality,” the company said.

The eight companies are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries.

These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch and Telegram.

Specifically, a network of fictitious personas linked to RCS Labs, which is owned by Cy4Gate, is said to have tricked users into providing their phone numbers and email addresses, in addition to clicking on bogus links for conducting reconnaissance.

Another set of now-removed Facebook and Instagram accounts associated with Spanish spyware vendor Variston IT was employed for exploit development and testing, including sharing of malicious links. Last week, reports emerged that the company is shutting down its operations.

Meta also said it identified accounts used by Negg Group to test the delivery of its spyware, as well as by Mollitiam Industries, a Spanish firm that advertises a data collection service and spyware targeting Windows, macOS, and Android, to scrape public information.

Elsewhere, the social media giant took action against networks from China, Myanmar, and Ukraine exhibiting coordinated inauthentic behavior (CIB), removing over 2,000 accounts, Pages, and Groups from Facebook and Instagram.

While the Chinese cluster targeted U.S. audiences with content related to criticism of U.S. foreign policy towards Taiwan and Israel and its support of Ukraine, the network originating from Myanmar targeted its own residents with original articles that praised the Burmese army and disparaged the ethnic armed organizations and minority groups.

The third cluster is notable for its use of fake Pages and Groups to post content that supported Ukrainian politician Viktor Razvadovskyi, while also sharing “supportive commentary about the current government and critical commentary about the opposition” in Kazakhstan.

The development comes as a coalition of government and tech companies, counting Meta, have signed an agreement to curb the abuse of commercial spyware to commit human rights abuses.

As countermeasures, the company has introduced new features like enabled Control Flow Integrity (CFI) on Messenger for Android and VoIP memory isolation for WhatsApp in an effort to make exploitation harder and reduce the overall attack surface.

That said, the surveillance industry continues to thrive in myriad, unexpected forms. Last month, 404 Media — building off prior research from the Irish Council for Civil Liberties (ICCL) in November 2023 — unmasked a surveillance tool called Patternz that leverages real-time bidding (RTB) advertising data gathered from popular apps like 9gag, Truecaller, and Kik to track mobile devices.

“Patternz allows national security agencies to utilize real-time and historical user advertising generated data to detect, monitor and predict users actions, security threats and anomalies based on users’ behavior, location patterns and mobile usage characteristics,” ISA, the Israeli company behind the product, claimed on its website.

Then last week, Enea took the wraps off a previously unknown mobile network attack known as MMS Fingerprint that’s alleged to have been utilized by Pegasus-maker NSO Group. This information was included in a 2015 contract between the company and the telecom regulator of Ghana.

While the exact method used remains something of a mystery, the Swedish telecom security firm suspects it likely involves the use of MM1_notification.REQ, a special type of SMS message called a binary SMS that notifies the recipient device of an MMS that’s waiting for retrieval from the Multimedia Messaging Service Center (MMSC).

The MMS is then fetched by means of MM1_retrieve.REQ and MM1_retrieve.RES, with the former being an HTTP GET request to the URL address contained in the MM1_notification.REQ message.

What’s notable about this approach is that user device information such as User-Agent (different from a web browser User-Agent string) and x-wap-profile is embedded in the GET request, thereby acting as a fingerprint of sorts.

“The (MMS) User-Agent is a string that typically identifies the OS and device,” Enea said. “x-wap-profile points to a UAProf (User Agent Profile) file that describes the capabilities of a mobile handset.”

A threat actor looking to deploy spyware could use this information to exploit specific vulnerabilities, tailor their malicious payloads to the target device, or even craft more effective phishing campaigns. That said, there is no evidence that this security hole has been exploited in the wild in recent months.

Alert: CISA Warns of Active ‘Roundcube’ Email Attacks
Published Tue, 13 Feb 2024 05:25:33 +0000
http://www.indiavpn.org/2024/02/13/alert-cisa-warns-of-active-roundcube-email-attacks/

Feb 13, 2024 | Newsroom | Vulnerability / Email Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages.

“Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages,” CISA said.

According to a description of the bug on NIST’s National Vulnerability Database (NVD), the vulnerability impacts Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.

The flaw was addressed by Roundcube maintainers with version 1.6.3, which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with discovering and reporting the vulnerability.

It’s currently not known how the vulnerability is being exploited in the wild, but flaws in the web-based email client have been weaponized by Russia-linked threat actors like APT28 and Winter Vivern last year.

U.S. Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply vendor-provided fixes by March 4, 2024, to secure their networks against potential threats.

Fortinet Warns of Critical FortiOS SSL VPN Vulnerability Under Active Exploitation
Published Fri, 09 Feb 2024 05:53:36 +0000
http://www.indiavpn.org/2024/02/09/fortinet-warns-of-critical-fortios-ssl-vpn-vulnerability-under-active-exploitation/

Feb 09, 2024 | Newsroom | Zero Day Vulnerability / Network Security

Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it said is likely being exploited in the wild.

The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands.

“An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests,” the company said in a bulletin released Thursday.

It further acknowledged that the issue is “potentially being exploited in the wild,” without giving additional specifics about how it’s being weaponized and by whom.

The following versions are impacted by the vulnerability. It’s worth noting that FortiOS 7.6 is not affected.

  • FortiOS 7.4 (versions 7.4.0 through 7.4.2) – Upgrade to 7.4.3 or above
  • FortiOS 7.2 (versions 7.2.0 through 7.2.6) – Upgrade to 7.2.7 or above
  • FortiOS 7.0 (versions 7.0.0 through 7.0.13) – Upgrade to 7.0.14 or above
  • FortiOS 6.4 (versions 6.4.0 through 6.4.14) – Upgrade to 6.4.15 or above
  • FortiOS 6.2 (versions 6.2.0 through 6.2.15) – Upgrade to 6.2.16 or above
  • FortiOS 6.0 (all versions) – Migrate to a fixed release
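
As an added example (not code from the article or from Fortinet), the following Python encodes the affected ranges from the FortiOS SSL VPN list above and from the FortiClientEMS, FortiOS and FortiProxy lists in the earlier FortiClientEMS SQLi article, and checks an installed version against all of them at once. Only the ranges and the remediation wording come from the advisories; the function names, the data layout, the whole-branch handling used for the FortiOS 6.0 entry and the sample inputs are this example's own. It compares versions as numeric tuples so that a release such as 7.4.10 is not mistaken for one below 7.4.2.

```python
"""Check a Fortinet product version against advisory-listed affected ranges.

The ranges are transcribed from the advisories quoted in the articles above;
the function names, data layout and sample inputs are this example's own.
"""
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class AffectedRange(NamedTuple):
    product: str
    low: Version              # inclusive lower bound
    high: Optional[Version]   # inclusive upper bound; None means every release in the branch
    fix: str                  # remediation wording from the advisory


def parse_version(text: str) -> Version:
    """Turn '7.4.10' into (7, 4, 10). Numeric tuples compare correctly;
    plain string comparison would rank '7.4.10' below '7.4.2'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# CVE-2024-21762 (FortiOS SSL VPN out-of-bounds write), list in this article
CVE_2024_21762 = [
    AffectedRange("FortiOS", (7, 4, 0), (7, 4, 2), "Upgrade to 7.4.3 or above"),
    AffectedRange("FortiOS", (7, 2, 0), (7, 2, 6), "Upgrade to 7.2.7 or above"),
    AffectedRange("FortiOS", (7, 0, 0), (7, 0, 13), "Upgrade to 7.0.14 or above"),
    AffectedRange("FortiOS", (6, 4, 0), (6, 4, 14), "Upgrade to 6.4.15 or above"),
    AffectedRange("FortiOS", (6, 2, 0), (6, 2, 15), "Upgrade to 6.2.16 or above"),
    AffectedRange("FortiOS", (6, 0), None, "Migrate to a fixed release"),
]

# CVE-2023-48788 (FortiClientEMS SQL injection), earlier article
CVE_2023_48788 = [
    AffectedRange("FortiClientEMS", (7, 2, 0), (7, 2, 2), "Upgrade to 7.2.3 or above"),
    AffectedRange("FortiClientEMS", (7, 0, 1), (7, 0, 10), "Upgrade to 7.0.11 or above"),
]

# CVE-2023-42789 and CVE-2023-42790 (FortiOS / FortiProxy captive portal), earlier article
CVE_2023_42789_42790 = [
    AffectedRange("FortiOS", (7, 4, 0), (7, 4, 1), "Upgrade to FortiOS version 7.4.2 or above"),
    AffectedRange("FortiOS", (7, 2, 0), (7, 2, 5), "Upgrade to FortiOS version 7.2.6 or above"),
    AffectedRange("FortiOS", (7, 0, 0), (7, 0, 12), "Upgrade to FortiOS version 7.0.13 or above"),
    AffectedRange("FortiOS", (6, 4, 0), (6, 4, 14), "Upgrade to FortiOS version 6.4.15 or above"),
    AffectedRange("FortiOS", (6, 2, 0), (6, 2, 15), "Upgrade to FortiOS version 6.2.16 or above"),
    AffectedRange("FortiProxy", (7, 4, 0), (7, 4, 0), "Upgrade to FortiProxy version 7.4.1 or above"),
    AffectedRange("FortiProxy", (7, 2, 0), (7, 2, 6), "Upgrade to FortiProxy version 7.2.7 or above"),
    AffectedRange("FortiProxy", (7, 0, 0), (7, 0, 12), "Upgrade to FortiProxy version 7.0.13 or above"),
    AffectedRange("FortiProxy", (2, 0, 0), (2, 0, 13), "Upgrade to FortiProxy version 2.0.14 or above"),
]

ADVISORIES = {
    "CVE-2024-21762": CVE_2024_21762,
    "CVE-2023-48788": CVE_2023_48788,
    "CVE-2023-42789/CVE-2023-42790": CVE_2023_42789_42790,
}


def is_in_range(version: Version, r: AffectedRange) -> bool:
    if r.high is None:                      # whole branch, e.g. every FortiOS 6.0.x
        return version[: len(r.low)] == r.low
    return r.low <= version <= r.high


def check(product: str, version_text: str) -> dict:
    """Return {advisory: remediation} for every advisory covering this version."""
    version = parse_version(version_text)
    hits = {}
    for cve, ranges in ADVISORIES.items():
        for r in ranges:
            if r.product == product and is_in_range(version, r):
                hits[cve] = r.fix
                break
    return hits


if __name__ == "__main__":
    for product, ver in [("FortiOS", "7.4.1"), ("FortiOS", "7.4.10"),
                         ("FortiOS", "6.0.15"), ("FortiClientEMS", "7.0.0")]:
        print(product, ver, check(product, ver) or "not in any listed range")
```

A version that sits in two advisories' ranges, such as FortiOS 7.4.1, reports both remediations, and the higher fix version is the one to install; 7.4.10 is correctly reported as outside every listed range.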

The development comes as Fortinet issued patches for CVE-2024-23108 and CVE-2024-23109, which impact the FortiSIEM supervisor and allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.

Earlier this week, the Netherlands government revealed a computer network used by the armed forces was infiltrated by Chinese state-sponsored actors by exploiting known flaws in Fortinet FortiGate devices to deliver a backdoor called COATHANGER.

The company, in a report published this week, divulged that N-day security vulnerabilities in its software, such as CVE-2022-42475 and CVE-2023-27997, are being exploited by multiple activity clusters to target governments, service providers, consultancies, manufacturing, and large critical infrastructure organizations.

Previously, Chinese threat actors have been linked to the zero-day exploitation of security flaws in Fortinet appliances to deliver a wide range of implants, such as BOLDMOVE, THINCRUST, and CASTLETAP.

It also follows an advisory from the U.S. government about a Chinese nation-state group dubbed Volt Typhoon, which has targeted critical infrastructure in the country for long-term undiscovered persistence by taking advantage of known and zero-day flaws in networking appliances such as those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco for initial access.

China, which has denied the allegations, accused the U.S. of conducting its own cyber-attacks.

If anything, the campaigns waged by China and Russia underscore the growing threat faced by internet-facing edge devices in recent years owing to the fact that such technologies lack endpoint detection and response (EDR) support, making them ripe for abuse.

“These attacks demonstrate the use of already resolved N-day vulnerabilities and subsequent [living-off-the-land] techniques, which are highly indicative of the behavior employed by the cyber actor or group of actors known as Volt Typhoon, which has been using these methods to target critical infrastructure and potentially other adjacent actors,” Fortinet said.

CISA Warns of Active Exploitation of Critical Vulnerability in iOS, iPadOS, and macOS
Published Thu, 01 Feb 2024 05:31:20 +0000
http://www.indiavpn.org/2024/02/01/cisa-warns-of-active-exploitation-of-critical-vulnerability-in-ios-ipados-and-macos/

Feb 01, 2024 | Newsroom | Vulnerability / Software Update

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component.

“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” Apple said in an advisory, adding the issue “may have been exploited against versions of iOS released before iOS 15.7.1.”

The iPhone maker said the problem was addressed with improved checks. It’s currently not known how the vulnerability is being weaponized in real-world attacks.

Interestingly, patches for the flaw were released on December 13, 2022, with the release of iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2, although it was only publicly disclosed more than a year later, on January 9, 2024.

It’s worth noting that Apple did resolve a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, which was shipped on July 20, 2022.

“An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication,” the company said at the time. “A logic issue was addressed with improved state management.”

In light of the active exploitation of CVE-2022-48618, CISA is recommending that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by February 21, 2024.

The development also comes as Apple expanded patches for an actively exploited security flaw in the WebKit browser engine (CVE-2024-23222, CVSS score: 8.8) to include its Apple Vision Pro headset. The fix is available in visionOS 1.0.2.

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs
Published Fri, 26 Jan 2024 07:01:12 +0000
http://www.indiavpn.org/2024/01/26/microsoft-warns-of-widening-apt29-espionage-attacks-targeting-global-orgs/

Jan 26, 2024 | Newsroom | Threat Intelligence / Cyber Attack

Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it’s currently beginning to notify them.

The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

“This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe,” the Microsoft Threat Intelligence team said in a new advisory.

The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attention.

The latest disclosure indicates that the scale of the campaign may have been bigger than previously thought. The tech giant, however, did not reveal which other entities were singled out.

APT29’s operations involve the use of legitimate but compromised accounts to gain and expand access within a target environment and fly under the radar. It’s also known to identify and abuse OAuth applications to move laterally across cloud infrastructures and for post-compromise activity, such as email collection.

“They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, and exploitation of service providers’ trust chain to gain access to downstream customers,” Microsoft noted.

Another notable tactic entails the use of breached user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. This enables threat actors to maintain access to applications, even if they lose access to the initially compromised account, the company pointed out.

These malicious OAuth applications are ultimately used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to exfiltrate data of interest.

In the incident targeting Microsoft in November 2023, the threat actor used a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.

Such attacks are launched from a distributed residential proxy infrastructure to conceal their origins, allowing the threat actor to interact with the compromised tenant and with Exchange Online via a vast network of IP addresses that are also used by legitimate users.

“Midnight Blizzard’s use of residential proxies to obfuscate connections makes traditional indicators of compromise (IoC)-based detection infeasible due to the high changeover rate of IP addresses,” Redmond said, necessitating that organizations take steps to defend against rogue OAuth applications and password spraying.
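
The article's point that residential proxies defeat IP-based indicators is easiest to see in detection logic, so the following is an added example (not Microsoft's code, not Microsoft's sign-in log schema): two password-spray rules run over constructed sign-in records. The first is the classic per-source rule, which needs one address to stand out; the second is a tenant-wide rule that looks for the shape the article describes, many accounts each failing only once or twice, from about as many addresses as accounts. The log format, account names, addresses (documentation ranges) and thresholds are all constructed for the example.

```python
"""Password-spray detection over constructed sign-in records.

The log format, account names, addresses and thresholds below are this
example's own constructions, not Microsoft's sign-in log schema. The point
is the second rule: a spray routed through residential proxies leaves no
single source address that stands out, so the tenant-wide pattern (many
accounts, each failing only once or twice, from about as many addresses)
has to be the trigger.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: twelve accounts, one failure each, every attempt from a different
# address, inside a few minutes; plus a legitimate user mistyping a password.
SAMPLE_LOGS = "\n".join(
    f"2023-11-20T03:{i:02d}:17Z user=user{i:02d} ip=198.51.100.{i} result=FAIL"
    for i in range(1, 13)
) + """
2023-11-20T03:05:01Z user=alice ip=192.0.2.7 result=FAIL
2023-11-20T03:05:20Z user=alice ip=192.0.2.7 result=FAIL
2023-11-20T03:05:44Z user=alice ip=192.0.2.7 result=FAIL
2023-11-20T03:06:02Z user=alice ip=192.0.2.7 result=SUCCESS
"""

# Constructed: the textbook shape, one address trying six accounts in a row.
NAIVE_SPRAY_LOGS = "\n".join(
    f"2023-11-20T04:00:{i:02d}Z user=user{i:02d} ip=203.0.113.9 result=FAIL"
    for i in range(1, 7)
)


def parse_line(line: str) -> dict:
    """'<iso-ts> key=value ...' -> dict with a timezone-aware 'ts'."""
    ts_text, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def parse_logs(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def window_start(ts: datetime, minutes: int) -> datetime:
    """Floor a timestamp to a fixed window so events can be grouped."""
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)


def per_source_spray(events, window_min=15, min_accounts=5):
    """Classic rule: one source address failing against many distinct accounts."""
    accounts = defaultdict(set)  # (window, ip) -> accounts that failed from that ip
    for ev in events:
        if ev["result"] == "FAIL":
            accounts[(window_start(ev["ts"], window_min), ev["ip"])].add(ev["user"])
    return sorted((ip, len(users)) for (_, ip), users in accounts.items()
                  if len(users) >= min_accounts)


def distributed_spray(events, window_min=15, min_accounts=10,
                      max_fails_per_account=2, min_source_ratio=0.8):
    """Tenant-wide rule for proxy-distributed sprays: many accounts with only a
    failure or two each, and nearly as many source addresses as accounts."""
    windows = defaultdict(lambda: {"fails": defaultdict(int), "ips": set()})
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        w = windows[window_start(ev["ts"], window_min)]
        w["fails"][ev["user"]] += 1
        w["ips"].add(ev["ip"])
    alerts = []
    for start, w in sorted(windows.items()):
        low_and_wide = [u for u, n in w["fails"].items() if n <= max_fails_per_account]
        if (len(low_and_wide) >= min_accounts
                and len(w["ips"]) >= min_source_ratio * len(low_and_wide)):
            alerts.append({"window_start": start.isoformat(),
                           "accounts": len(low_and_wide), "sources": len(w["ips"])})
    return alerts


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("per-source rule:", per_source_spray(events))       # nothing stands out
    print("distributed rule:", distributed_spray(events))     # one alert
    print("per-source rule on naive spray:", per_source_spray(parse_logs(NAIVE_SPRAY_LOGS)))
```

On the distributed sample the per-source rule returns nothing, because every address touched a single account, while the tenant-wide rule raises one alert for the 03:00 window; on the naive sample the roles reverse. The account and ratio thresholds have to be tuned to tenant size, and the alert is a trigger for investigation rather than proof; the control that removes the exposure the article describes is enforcing MFA on every account, including legacy and test tenants.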

Gcore Radar Warns of a New Era of DDoS Attacks
Published Tue, 23 Jan 2024 12:44:58 +0000
http://www.indiavpn.org/2024/01/23/gcore-radar-warns-of-a-new-era-of-ddos-attacks/

Jan 23, 2024 | The Hacker News | Cybersecurity / Server Security

As we enter 2024, Gcore has released its latest Gcore Radar report, a twice-annual publication in which the company releases internal analytics to track DDoS attacks. Gcore’s broad, internationally distributed network of scrubbing centers allows them to follow attack trends over time. Read on to learn about DDoS attack trends for Q3–Q4 of 2023, and what they mean for developing a robust protection strategy in 2024.

Gcore’s Key Findings

DDoS attack trends for the second half of 2023 reveal alarming developments in the scale and sophistication of cyberthreats.

Unprecedented Attack Power

The past three years have brought about a >100% annual increase in DDoS peak (registered maximum) attack volume:

  • In 2021, the peak capacity of DDoS attacks was 300 Gbps
  • In 2022, it increased to 650 Gbps
  • In Q1–Q2 of 2023, it increased again to 800 Gbps
  • In Q3–Q4 of 2023, it surged to 1600 Gbps (1.6 Tbps)

Notably, the jump in H2 of 2023 means the cybersecurity industry is now measuring DDoS attacks in a new unit, terabits.

Figure: Maximum attack power in 2021–2023 in Gbps (300, 650, and 1600 Gbps respectively)

This illustrates a significant and ongoing escalation in the potential damage of DDoS attacks, a trend Gcore expects to see continue in 2024.

Attack Duration

Gcore saw attack lengths varying from three minutes to nine hours, with an average of about an hour. Usually, short attacks are harder to detect because they don't leave enough data for proper traffic analysis, and since they're harder to recognize, they're also harder to mitigate. Longer attacks require more resources to fight and demand a powerful mitigation response; otherwise, the risk is prolonged server unavailability.

[Figure: Gcore's longest registered attack lasted nine hours. Graph of the longest attack seen in H2 of 2023, shown in bits and packets.]

Predominant Attack Types

UDP floods continue to dominate, constituting 62% of DDoS attacks. TCP floods and ICMP attacks also remain popular at 16% and 12% of the total, respectively.

All other DDoS attack types, including SYN flood, SYN+ACK flood, and RST flood, accounted for a mere 10% combined. While some attackers may use these more sophisticated approaches, the majority are still focused on delivering sheer packet volume to take down servers.

[Figure: Dominant attack types in H2 of 2023. Pie chart of DDoS attack types: UDP flood 62%, TCP 16%, ICMP 12%, other 10%.]

The variation in attack methods necessitates a multifaceted defense strategy that can protect against a range of DDoS techniques.

Global Attack Sources

Gcore identified diverse attack origins in the latter half of 2023, with the US leading at 24%. Indonesia (17%), the Netherlands (12%), Thailand (10%), Colombia (8%), Russia (8%), Ukraine (5%), Mexico (3%), Germany (2%), and Brazil (2%) make up the rest of the top ten, illustrating a widespread global threat. This global spread of attack sources demonstrates the borderless nature of cyber threats, where attackers operate across national boundaries.

[Figure: Geographical attack source spread. Top attack sources by country, with the US in first place at 24%.]

The geographic distribution of DDoS attack sources provides important information for creating targeted defense strategies and for shaping international policy-making aimed at combating cybercrime. However, determining the location of the attacker is challenging due to the use of techniques like IP spoofing and the involvement of distributed botnets. This makes it difficult to assess motivations and capabilities, which can vary from state-sponsored actions to individual hackers.

Targeted Industries

The most-targeted industries in H2 of 2023 highlight the impact of DDoS attacks across diverse sectors:

  • The gaming industry remains the most affected, enduring 46% of the attacks.
  • The financial sector, including banks and gambling services, came in second at 22%.
  • Telecommunications (18%), infrastructure-as-a-service (IaaS) providers (7%), and computer software companies (3%) were also significantly targeted.

[Figure: DDoS attacks by affected industry. Pie chart of industries targeted by DDoS in 2023 Q3–Q4, with gaming most-hit at 46%.]

Since the previous Gcore Radar report, attackers haven't changed their focus: the gaming and financial sectors remain particularly attractive to attackers, likely because of the financial gains and user impact involved. This underscores a need for targeted cybersecurity strategies in the most-hit industries, such as countermeasures for specific gaming servers.

Analysis

The data from the latter half of 2023 highlights a worrying trend in the DDoS attack landscape. The increase in attack power to 1.6 Tbps is particularly alarming, signaling a new level of threat for which organizations must prepare. For comparison, even a “humble” 300 Gbps attack is capable of disabling an unprotected server. Paired with the geographical distribution of attack sources, it’s clear that DDoS threats are a serious and global issue, necessitating international cooperation and intelligence sharing to mitigate potentially devastating attacks effectively.

The range in attack durations suggests that attackers are becoming more strategic, tailoring their approaches to specific targets and objectives:

  • In the gaming sector, for example, assaults are relatively low in power and duration but more frequent, causing repeated disruption to a specific server with the goal of degrading the player experience so that players switch to a competitor's server.
  • For the financial and telecom sectors, where the economic impact is more immediate, attacks are often higher in volume with length highly variable.

The ongoing targeting of the gaming, financial, telecommunications, and IaaS sectors reflects the strategic choice of attackers to pick services whose disruption has a significant economic and operational impact.

Conclusion

The Gcore Radar report for Q3–Q4 of 2023 serves as a timely reminder of the ever-evolving nature of cyberthreats. Organizations across sectors must invest in comprehensive and adaptive cybersecurity measures. Staying ahead of DDoS threats requires a keen understanding of the changing patterns and strategies of cyber attackers.

Gcore DDoS Protection has a proven record of repelling even the most powerful and sustained attacks. Connect Gcore DDoS Protection to protect your business from whatever the 2024 DDoS landscape brings.

U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability
http://www.indiavpn.org/2024/01/19/u-s-cybersecurity-agency-warns-of-actively-exploited-ivanti-epmm-vulnerability/
Fri, 19 Jan 2024 08:08:06 +0000

Jan 19, 2024 | Newsroom | Cyber Threat / Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it’s being actively exploited in the wild.

The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass that’s a patch bypass for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0).

“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server,” Ivanti noted in August 2023.

All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below are impacted by the vulnerability.

Cybersecurity firm Rapid7, which discovered and reported the flaw, said it can be chained with CVE-2023-35081 to permit an attacker to write malicious web shell files to the appliance.

There are currently no details on how the vulnerability is being weaponized in real-world attacks. Federal agencies are recommended to apply vendor-provided fixes by February 8, 2024.

The disclosure comes as two other zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices (CVE-2023-46805 and CVE-2024-21887) have also come under mass exploitation to drop web shells and passive backdoors, with the company expected to release updates next week.

“We have observed the threat actor target the configuration and running cache of the system, which contains secrets important to the operation of the VPN,” Ivanti said in an advisory.

“While we haven’t observed this in every instance, out of an abundance of caution, Ivanti is recommending you rotate these secrets after rebuild.”

Volexity, earlier this week, revealed that it has been able to find evidence of compromise of over 1,700 devices worldwide. While initial exploitation was linked to a suspected Chinese threat actor named UTA0178, additional threat actors have since joined the exploitation bandwagon.

Further reverse engineering of the twin flaws by Assetnote has uncovered an additional endpoint (“/api/v1/totp/user-backup-code”) through which the authentication bypass flaw (CVE-2023-46805) could be abused on older versions of ICS to obtain a reverse shell.

Security researchers Shubham Shah and Dylan Pindur described it as “another example of a secure VPN device exposing itself to wide scale exploitation as the result of relatively simple security mistakes.”
