Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched. Link:https://twitter.com/msftsecintel/status/1722444141081076219
Cisco Security Advisory: Actively exploited Zero-Day CVE-2023-20198 Cisco IOS XE Software Web UI Privilege Escalation Vulnerability. "Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system."
"Hackers potentially linked to the Russian GRU Main Intelligence Directorate carried out a series of highly coordinated cyberattacks targeting Danish critical infrastructure in the nation's largest cyber incident on record, according to a new report.
SektorCERT, a nonprofit cybersecurity center for critical sectors in Denmark, reported that attackers gained access to the systems of 22 companies overseeing various components of Danish energy infrastructure in May. The report published Sunday says hackers exploited zero-day vulnerabilities in Zyxel firewalls, which many Danish critical infrastructure operators use to protect their networks."
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #24/2023 is out! It includes, but not only:
→ 🇺🇸 🇨🇳 The US Navy, NATO, and #NASA are using a shady Chinese company’s #encryption chips
→ 🦠 🏢 #Ransomware Group Starts Naming Victims of #MOVEit Zero-Day Attacks
→ ☁️ 🪣 New Supply Chain Attack Exploits Abandoned #S3Buckets to Distribute Malicious Binaries
→ ☁️ #XSS Vulnerabilities in #Azure Led to Unauthorized Access to User Sessions
→ 🇨🇳 🦠 #Barracuda ESG zero-day attacks linked to suspected Chinese hackers
→ 🇷🇺 🇺🇸 Russian national arrested in Arizona, charged for alleged role in #LockBit ransomware attacks
→ 🇷🇺 🇺🇦 Russia-backed hackers unleash new USB-based malware on #Ukraine’s military
→ 🇺🇸 💰 LockBit Ransomware Extorts $91 Million from U.S. Companies
→ 🇷🇺 🇺🇦 #Microsoft identifies new hacking unit within Russian military intelligence
→ 🦠 Fake Researcher Profiles Spread #Malware through #GitHub Repositories as PoC Exploits
→ 🎣 👟 Massive #phishing campaign uses 6,000 sites to impersonate 100 brands
→ 🇨🇳 Chinese Cyberspies Caught Exploiting #VMware ESXi #ZeroDay
→ 🩹 Microsoft #PatchTuesday, June 2023 Edition
→ ☁️ Microsoft: Azure Portal #outage was caused by traffic “spike”
→ 🇨🇳 🇺🇸 #China's cyber now aimed at infrastructure, warns CISA boss
→ 🇰🇷 🇨🇳 Ex-Samsung executive alleged to have stolen tech to recreate chip plant in China
→ 🇨🇭 🗄️ Swiss Fear Government Data Stolen in Cyberattack
→ 🩹 🔐 #Fortinet fixes critical RCE flaw in #Fortigate SSL-VPN devices, patch now
📚 This week's recommended reading is: "The Cyber Effect: An Expert in Cyberpsychology Explains How Technology Is Shaping Our Children, Our Behavior, and Our Values — and What We Can Do About It" by Prof Mary Aiken
Subscribe to the #newsletter to have it piping hot in your inbox every Sunday ⬇️
ARM Mali GPU Driver Zero-Day CVE-2023-4211: A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory. There is evidence that this vulnerability may be under limited, targeted exploitation. Reported by Google's Threat Analysis Group and Google Project Zero. Link:https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities
Fox-IT observed that the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding. "This explains the much discussed plummet of identified compromised systems in recent days. Using a different fingerprinting method, Fox-IT identifies 37890 Cisco devices that remain compromised." Link:https://www.linkedin.com/posts/fox-it_2_important-we-have-observed-that-the-implant-activity-7122238350849150976-Qy1-/
Via Rob Hansen on Facebook: "Amanda Spindel was the first to alert me to a new zero-day attack on Chrome that's now being seen in the wild. If you're running Chrome or a Chrome-derived browser like Edge or Opera, please update immediately."
(I use mostly the DuckDuckGo and Mozilla Firefox browsers.)
#ISW, May 8 assessment: "Reports indicate that there is an available open-source tool that allows people to search by specific coordinates for Telegram users who have enabled a certain location-sharing setting."
But of course there is. The russian-engineering, roll-your-own-crypto, cryptocoin-shilling, encrypted-but-not-encrypted messaging app to have a zero-day exploited privacy flaw exposing users' location? I can't imagine where such failures would come from.
Hot off the press: Apple zero day: CVE-2024-23222 affects Webkit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.
A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on supported (and some legacy) versions of Windows could spell trouble for enterprise defenders.
Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit.
In CISA's ICS advisory, they revealed that several Hitron Systems Security Camera DVR denial of service vulnerabilities were being actively exploited. These are Zero days reported by Akamai.
CVE-2024-22768 (7.4 high) improper input validation to Denial of Service
CVE-2024-22769 (7.4 high) improper input validation to Denial of Service
CVE-2024-22770 (7.4 high) improper input validation to Denial of Service
CVE-2024-22771 (7.4 high) improper input validation to Denial of Service
CVE-2024-22772 (7.4 high) improper input validation to Denial of Service
CVE-2024-23842 (7.4 high) improper input validation to Denial of Service
watchTowr reports additional zero-days uncovered on a fully patched Ivanti appliance. No further information due to 90 day vulnerability disclosure policy.
Volexity recently disclosed details related to exploitation of Ivanti Connect Secure VPN, revealing how the attacker chained two zero-day vulnerabilities to achieve remote code execution. When investigating the source of compromise, Volexity employed memory forensics, analyzing a memory sample collected from a suspected compromised VPN device, which allowed Volexity to zero in on the source of the compromise. "The lesson for analysts is to independently verify the integrity and trustworthiness of high-value targets using memory forensics, rather than only relying on tools that run on a potentially compromised device."
🔗 https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-exploitation-of-ivanti-connect-secure-vpn-zero-day-vulnerabilities/
New Fortinet zero-day:
CVE-2024-21762 (9.6 critical) FortiOS - Out-of-bound Write in sslvpnd: A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.
Note: This is potentially being exploited in the wild.
Fortinet vulnerabilities have historically been targeted by People’s Republic of China (PRC) state-sponsored cyber actors. On 19 January 2023, Mandiant reported the exploitation of FortiOS SSL VPN vulnerability CVE-2022-42475 as a zero-day by suspected Chinese threat actors. Mandiant published a subsequent blog post on 16 March 2023 detailing the exploitation of another FortiOS zero-day CVE-2022-41328 by the Chinese threat actor UNC3886. CISA, FBI and NSA assess that PRC state-sponsored cyber actors are seeking to position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. CISA’s joint cybersecurity advisory on 07 February 2024 states that Chinese Advanced Persistent Threat (APT) Volt Typhoon likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched. Fortinet also provided case studies of Volt Typhoon targeting of manufacturing, consulting, local government, and internet service provider sectors, and post-exploitation activity described as Living Off the Land (LotL) techniques.
"Google said it discovered the unknown Variston customer using these zero-days in March 2023 to target iPhones in Indonesia. The hackers delivered an SMS text message containing a malicious link that infected the target’s phone with spyware, and then redirected the victim to a news article by the Indonesian newspaper Pikiran Rakyat."
CISA issues Emergency Directive 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities in response to CVE-2023-46805 (8.2 high, disclosed by Ivanti on 10 January 2024 as exploited zero-days) authentication bypass in Ivanti Connect Secure VPN Version 9.x and 22.x and CVE-2024-21887 (9.1 critical) command injection in Ivanti Connect Secure VPN Version 9.x and 22.x