
Backdoored pirated applications target Apple macOS users

22 January 2024 at 06:31

Researchers warned that pirated applications have been employed to deliver a backdoor to Apple macOS users.

Jamf Threat Labs researchers warned that pirated applications have been utilized to distribute a backdoor to Apple macOS users.

The researchers noticed that the apps appear similar to the ZuRu malware: they allow operators to download and execute multiple payloads in the background to compromise the machines.

The pirated applications discovered by Jamf Threat Labs are being hosted on Chinese pirating websites.

During their investigation, the researchers detected an executable named .fseventsd. The executable attempts to avoid detection by starting with a period and using the name of a process built into the operating system. It is not signed by Apple; however, at the time of the research it was not detected by any anti-virus engine on VirusTotal.

Using VirusTotal, Jamf Threat Labs researchers discovered that the .fseventsd binary was initially uploaded as part of a larger DMG file. Further investigation on VirusTotal revealed three pirated applications that contained the same malware. The experts also discovered many pirated applications hosted on the Chinese website macyy[.]cn. The experts also identified two more trojanized DMGs following a similar pattern that had not been reported on VirusTotal.

The malware-laced DMG files include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.


Each pirated application included the following components:

  • Malicious dylib: a library loaded by the application that acts as a dropper.
  • Backdoor: a binary downloaded by the dylib that uses the Khepri open-source C2 and post-exploitation tool.
  • Persistent downloader: a binary downloaded by the dylib that is used to maintain persistence and download additional payloads.

“Each application bundle has had its Mach-O executable modified with an additional load command.” reads the analysis published by Jamf. “This technique of hooking malware in via malicious dylib is considered fairly advanced as far as macOS malware goes. However, it does result in breaking the application signature. As a result, the apps are being distributed online as unsigned applications — a detail that many users who are downloading pirated applications likely don’t care about.”
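As an added illustration of the load-command modification Jamf describes (this is not Jamf’s tooling or code from the report), the following Python script walks the load commands of a thin 64-bit Mach-O image and lists every dylib it loads, which is where an extra LC_LOAD_DYLIB would show up. The sample image is built inside the script, and the system-path allow-list and the `libinjected.dylib` name are assumptions made for the example.

```python
"""List the dylibs a 64-bit Mach-O image loads (added example, not Jamf's code).
Handles thin 64-bit images only; fat (universal) and 32-bit images are rejected."""
import struct
from typing import List

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB = 0x0C, 0x80000018, 0x8000001F
DYLIB_COMMANDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
HEADER_SIZE = 32  # sizeof(struct mach_header_64)

# Assumption for triage: anything outside these prefixes deserves a closer look.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def list_dylibs(image: bytes) -> List[str]:
    """Return the dylib paths named by LC_LOAD_DYLIB-style load commands, in order."""
    (magic,) = struct.unpack_from("<I", image, 0)
    if magic == MH_MAGIC_64:
        end = "<"            # little-endian image (x86_64, arm64)
    elif magic == MH_CIGAM_64:
        end = ">"            # big-endian image
    else:
        raise ValueError("not a thin 64-bit Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from(end + "II", image, 16)
    names, off, stop = [], HEADER_SIZE, HEADER_SIZE + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > stop:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from(end + "II", image, off)
        if cmdsize < 8 or off + cmdsize > stop:
            raise ValueError("malformed load command size")
        if cmd in DYLIB_COMMANDS:
            # struct dylib: name offset (relative to the command), timestamp, versions
            (name_off,) = struct.unpack_from(end + "I", image, off + 8)
            raw = image[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def non_system_dylibs(names: List[str]) -> List[str]:
    """Dylibs not under a system prefix: a pointer for review, not proof of tampering."""
    return [n for n in names if not n.startswith(SYSTEM_PREFIXES)]


# --- constructed sample image ------------------------------------------------
def _dylib_command(name: str, cmd: int = LC_LOAD_DYLIB) -> bytes:
    raw = name.encode() + b"\0"
    cmdsize = (24 + len(raw) + 7) // 8 * 8          # header + string, 8-byte aligned
    return struct.pack("<IIIIII", cmd, cmdsize, 24, 0, 0x10000, 0x10000) + raw.ljust(cmdsize - 24, b"\0")


def build_sample_image(dylibs: List[str]) -> bytes:
    """Minimal little-endian arm64 MH_EXECUTE header followed only by dylib load commands."""
    cmds = b"".join(_dylib_command(n) for n in dylibs)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return header + cmds


# The third entry is a hypothetical injected library name used only for this demo.
SAMPLE_DYLIBS = [
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation",
    "@executable_path/../Frameworks/libinjected.dylib",
]

if __name__ == "__main__":
    loaded = list_dylibs(build_sample_image(SAMPLE_DYLIBS))
    for name in loaded:
        flag = "REVIEW" if name in non_system_dylibs(loaded) else "system"
        print(f"[{flag}] {name}")
```

Legitimate apps also load their own bundled frameworks through @executable_path or @rpath, so a non-system entry is only a reason to compare the binary against a clean copy of the same version. Because Jamf notes that the modification breaks the application signature, `codesign --verify --deep --strict` on the bundle is the quicker first check; the load-command listing explains what changed once a signature failure has been seen.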

Upon executing the FinalShell.dmg application, the dylib library loads the backdoor “bd.log” and the downloader “fl01.log” from a remote server.

The bd.log backdoor is written to the path “/tmp/.test”. The executable remains hidden in the temporary directory; storing the malware in this folder also means the backdoor is deleted when the system shuts down.

The backdoor is written in this path every time the pirated application is loaded and the dropper is executed.

“The executable found at the directory /Users/Shared/.fseventsd acts as a persistent downloader, enabling the execution of arbitrary payloads retrieved from the attacker’s server.” continues the analysis.

The malware creates a LaunchAgent to maintain persistence and sends an HTTP GET request to the attacker’s server.

The researchers discovered many similarities between this malware and the ZuRu malware that has been active since at least 2021 [1], [2].

Both malware families primarily target victims in China.

“The ZuRu malware was originally found in pirated applications iTerm, SecureCRT, Navicat Premium and Microsoft Remote Desktop Client. Upon opening the infected application, the user was presented with an operational app, but logic held within an added dylib would execute a Python script in the background to grab sensitive files and upload them to an attacker server.” concludes the report. “It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, pirated applications)

Cybercriminals leaked massive volumes of stolen PII data from Thailand on the Dark Web

22 January 2024 at 09:27

Resecurity researchers warn of massive leak of stolen Thai personally identifiable information (PII) on the dark web by cybercriminals.

Resecurity has detected a noticeable increase in data leaks from consumer-focused platforms in Thailand, confirming that threat actors are actively targeting the personal data of its citizens at the beginning of 2024. Thailand is swiftly becoming a key player in the digital arena, particularly in the field of Information and Communication Technology (ICT), within the Asia-Pacific region. Notably, from the latter part of 2022 to the early months of 2023, there was a significant drop in incidents of data breaches in the country.

But as we step into 2024, this trend might see a change. There are reports of cybercriminals, one known in the shadowy corners of the Dark Web as Naraka, circulating large amounts of stolen personal identifiable information (PII) of Thai citizens. It’s believed that these sensitive details were sourced from various breached platforms.


Threat actors target Thai-based e-commerce, fintech and government resources due to a large presence of personal documents both in text and graphical form used for KYC (“Know Your Customer”). Compared to 2023, there has been an increase in the frequency of attacks, as evidenced by the rising number of leaked data incidents involving consumers and businesses from Thailand on the Dark Web. In the early part of January 2024 alone, at least 14 significant data breaches exposing citizens’ information were posted on cybercriminal forums, nearly surpassing the annual volume of compromised records identified last year.

Threat actors use stolen PII data to defraud Thai citizens and attack financial organizations, which are actively developing and cultivating digitization in the region to serve a population of 71.6 million people.

More details are available in the report published by Resecurity:

https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web


Pierluigi Paganini

(SecurityAffairs – dark web, Thailand)

Threat actors exploit Apache ActiveMQ flaw to deliver the Godzilla Web Shell

22 January 2024 at 11:19

Researchers warn of a spike in attacks exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell.

Trustwave researchers observed a surge in attacks exploiting a now-patched flaw in Apache ActiveMQ, in many cases aimed at delivering malicious code that borrows from the open-source web shell Godzilla.

Threat actors conceal the web shell within an unknown binary format, evading security and signature-based scanners. Once deployed, ActiveMQ’s JSP engine compiles and executes the web shell.

In November 2023, researchers at Rapid7 reported the suspected exploitation of the recently disclosed critical vulnerability CVE-2023-46604 in Apache ActiveMQ.

Apache ActiveMQ is an open-source message broker software that serves as a message-oriented middleware (MOM) platform. It is developed by the Apache Software Foundation and written in Java. ActiveMQ provides messaging and communication capabilities to various applications, making it easier for them to exchange data and communicate asynchronously.

Rapid7 identified exploitation attempts of the CVE-2023-46604 flaw to deploy HelloKitty ransomware in two different customer environments.

CVE-2023-46604 (CVSS score: 10.0) is a remote code execution vulnerability that impacts Apache ActiveMQ. A remote attacker with network access to a broker can exploit this flaw to run “arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.”

Apache addressed the flaw with the release of new versions of ActiveMQ on October 25, 2023. The researchers pointed out that the proof-of-concept exploit code and vulnerability details are both publicly available.

The vulnerability affects the following versions:

  • ActiveMQ 5.18.0 before 5.18.3
  • ActiveMQ 5.17.0 before 5.17.6
  • ActiveMQ 5.16.0 before 5.16.7
  • ActiveMQ before 5.15.16
  • ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
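For inventory triage, the affected ranges above translate directly into a version check. The Python below is an added example (not Apache’s or Trustwave’s code) that encodes exactly those ranges and applies them to a constructed list of brokers; it reports versions outside the listed branches as not affected only because that is what the advisory list says, so it is no substitute for reading the advisory for newer releases.

```python
"""Check Apache ActiveMQ version strings against the CVE-2023-46604 affected
ranges listed in the article (added example; the sample inventory is constructed)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per branch, straight from the advisory list above.
# The Legacy OpenWire Module shares the same fixed versions (its lower bound is 5.8.0).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (5, 15, 16)),   # ActiveMQ before 5.15.16
    ((5, 16, 0), (5, 16, 7)),   # 5.16.0 before 5.16.7
    ((5, 17, 0), (5, 17, 6)),   # 5.17.0 before 5.17.6
    ((5, 18, 0), (5, 18, 3)),   # 5.18.0 before 5.18.3
]


def parse_version(text: str) -> Version:
    """Accept 'major.minor.patch' with an optional qualifier such as '-SNAPSHOT'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.][0-9A-Za-z.-]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the listed affected ranges.
    Numeric tuple comparison avoids the string trap where '5.18.10' < '5.18.3'."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def hosts_to_patch(inventory: Dict[str, str]) -> List[str]:
    """Hosts (sorted) whose broker version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed inventory, e.g. the version shown in each broker's admin console.
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy": "5.15.9",
    "mq-dev": "5.17.6",
    "mq-snapshot": "5.16.6-SNAPSHOT",
}

if __name__ == "__main__":
    for host in hosts_to_patch(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2023-46604")
```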

In the attacks observed by Trustwave SpiderLabs, the malicious file was planted in the “admin” folder within the ActiveMQ installation directory. The folder contains the server scripts for the ActiveMQ administrative and web management console.

“Interestingly, the Jetty JSP engine which is the integrated web server in ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated in the unknown binary.” reads the analysis published by Trustwave. “Further examination of the Java code generated by Jetty showed that the web shell code was converted into Java code and therefore was executed.”


Once the web shell has been deployed, the threat actor can connect to it through the Godzilla management user interface and achieve complete control over the target system.

The Godzilla Web Shell supports multiple functionalities including:

  • Viewing network details
  • Conducting port scans
  • Executing Mimikatz commands
  • Running Meterpreter commands
  • Executing shell commands
  • Remotely managing SQL databases
  • Injecting shellcode into processes
  • Handling file management tasks

The report includes Indicators of Compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, ActiveMQ) 

“My Slice”, an Italian adaptive phishing campaign

22 January 2024 at 13:38

Adaptive phishing campaigns are emerging as an increasingly sophisticated threat in the cybersecurity landscape.

The phenomenon

This phenomenon represents an evolution of traditional phishing tactics, as attackers seek to overcome defenses using more personalized and targeted approaches. In an adaptive phishing campaign, attackers gather specific information about victims through various sources, such as social media, public websites, and previous data breaches. This data is then used to tailor attacks, making them more convincing and harder to detect.

One of the key elements of these campaigns is social engineering, which aims to psychologically manipulate victims. Attackers may use personal information, such as names, job roles, or company details, to create fake messages that appear to come from trusted sources.

This significantly increases the likelihood that victims will fall into phishing traps. Adaptive phishing campaigns can be delivered through e-mail, text messages, social media, or even phone calls. Attackers often exploit current events or emergency situations to elicit emotional responses and induce victims to act hastily without carefully evaluating the legitimacy of the communications.

As Cert-AgiD (https://t.me/certagid/599) has also recently put the spotlight on this issue, I take this opportunity to describe the “My Slice” campaign, which I have personally handled.

“My slice”, the details of the Italian campaign

Last year, a highly targeted phishing campaign that I renamed “My slice” (derived from the name of a variable in the JavaScript code of the landing page) targeted e-mail account holders of Italian organisations.


The e-mail message attempts to pass itself off as support from the recipient’s own company and warns that the memory limit of his e-mail account has been exceeded, which would prevent e-mails from being sent and received. To remedy the problem, the message invites the recipient to check the status of the e-mail account via the proposed support page, otherwise the mailbox will be deleted from the management servers.

The proposed web page is highly customized (https://elinajaguar[.]com/wp-admin/index.html) and looks like a form with the logos and names of the targeted organization, a preset e-mail address and a password field to be typed.


Complying with the request, you end up handing over your login information to the scammers while being redirected to your organization’s home page. In fact, the information entered in the form is sent via a “POST” method to an attacker-operated server listening on the same domain.

To set up the highly targeted phishing campaign, the attackers:

  • first, pass the target’s e-mail address as a parameter to the phishing page. The “Clicca qui” link (https://elinajaguar[.]com/wp-admin/index.html#[[email protected]]) passes the targeted e-mail address by appending it after the “#” character;
  • with a JS function, extract the e-mail domain name and invoke the http://logo.clearbit[.]com/[domain name] service to retrieve the company logo. The organisation’s domain name is extracted from the victim’s e-mail address as the string following the @ symbol (in this case, from “[email protected]” the domain name obtained is example.com);
  • finally, with another JS function, redirect the user after form submission to the home page of the target organization. The home page address is built by putting the string “http://www.” before the domain name obtained in the previous step (in this case, from “example.com” the home page address is www.example.com).
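The same three steps can be turned around for triage: given a reported link, an analyst wants to know which address and organisation it was aimed at and what the page will do next. The Python below is an added example (not part of this article and not the campaign’s code) that recognises the “victim address carried in the URL fragment” pattern, derives the organisation domain the way the article describes, and groups a batch of reports by targeted organisation. The sample links are constructed and the defanging conventions (“[.]”, “hxxp”) are assumptions about how the URLs arrive in reports.

```python
"""Triage helpers for reported adaptive-phishing links of the kind described above.
Added example; sample URLs are constructed, not taken from the campaign."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Simple address syntax check; group 1 captures the domain after the '@'.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$")


def refang(url: str) -> str:
    """Undo the defanging used in threat reports so the URL can be parsed."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def triage_link(reported_url: str) -> Optional[Dict[str, str]]:
    """Detect a victim e-mail address in the URL fragment and derive what the
    landing page will do with it (logo lookup, post-submit redirect).
    Returns None when the link does not carry an address in its fragment."""
    parts = urlsplit(refang(reported_url))
    candidate = parts.fragment.strip("[]")          # the article shows the address in [ ]
    m = EMAIL_RE.match(candidate)
    if not m:
        return None
    domain = m.group(1).lower()
    return {
        # the fragment is never sent to the server, so the phishing host's own web
        # logs do not record who was targeted: the link itself is the evidence
        "landing_page": urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, "")),
        "targeted_address": candidate,
        "targeted_org_domain": domain,
        "expected_logo_fetch": f"http://logo.clearbit.com/{domain}",
        "expected_redirect": f"http://www.{domain}",
    }


def summarize_reports(reported_urls: List[str]) -> Dict[str, List[str]]:
    """Group the targeted addresses by organisation domain across many reports."""
    by_domain: Dict[str, List[str]] = {}
    for url in reported_urls:
        result = triage_link(url)
        if result:
            by_domain.setdefault(result["targeted_org_domain"], []).append(result["targeted_address"])
    return by_domain


# Constructed reports: one defanged, two plain, one unrelated link without an address.
SAMPLE_REPORTS = [
    "https://phish-landing.example[.]net/wp-admin/index.html#[user@example.com]",
    "https://phish-landing.example.net/wp-admin/index.html#admin@example.com",
    "hxxps://phish-landing.example[.]net/wp-admin/index.html#[it@example.org]",
    "https://phish-landing.example.net/index.html#section-2",
]

if __name__ == "__main__":
    for domain, addresses in summarize_reports(SAMPLE_REPORTS).items():
        print(f"{domain}: {len(addresses)} targeted address(es) -> {', '.join(addresses)}")
```

Because the address travels in the fragment, blocking at the proxy or mail gateway has to key on the landing-page URL without its fragment (the `landing_page` value), while the `targeted_org_domain` tells the responder which organisation’s users to warn.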

How to Protect Yourself

To protect against these evolving threats, it is crucial to adopt good cybersecurity practices. Organizations and individuals should be aware of adaptive phishing techniques and implement cybersecurity training to educate users on how to recognize and avoid online scams.

In addition, the use of advanced security solutions, such as anti-phishing filters and AI-based threat detection systems, can help mitigate the risk of falling victim to these sophisticated campaigns.

In conclusion, the phenomenon of adaptive phishing campaigns underscores the need for a proactive approach to cybersecurity. Only through awareness, training and the adoption of advanced defense measures can we effectively protect our personal and business information from this growing digital threat.

Below are the IoCs of the campaign:

https://urlscan.io/result/08e72fcf-0f89-46c2-864c-f4d404764358/

https://urlscan.io/result/232d8b5f-aead-4064-8451-2b4d37d5c2a3/

About the author: Salvatore Lombardo (Twitter @Slvlombardo)

Electronics engineer and Clusit member, he has for some time been writing for several online magazines on information security, espousing the principle of conscious education. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.


Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

Apple fixed actively exploited zero-day CVE-2024-23222

22 January 2024 at 20:48

Apple addressed the first zero-day vulnerability that impacts iPhones, Macs, and Apple TVs. The issue is actively exploited in the wild.

Apple released security updates to address a zero-day vulnerability, tracked as CVE-2024-23222, that impacts iPhones, Macs, and Apple TVs. This is the first actively exploited zero-day vulnerability fixed by the company this year.

The vulnerability is a type confusion issue that resides in WebKit. An attacker can exploit it by tricking victims into visiting maliciously crafted web content, achieving arbitrary code execution.

“Processing maliciously crafted web content may lead to arbitrary code execution.” reads the advisory published by the company. “Apple is aware of a report that this issue may have been exploited.”

The IT giant addressed the vulnerability with improved checks. The issue has been fixed in iOS 16.7.5 and later, iPadOS 16.7.5 and later, macOS Monterey 12.7.3 and later, and tvOS 17.3 and later.


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2024-23222)

Mother of all breaches – a historic data leak reveals 26 billion records: check what’s exposed

22 January 2024 at 22:05

Cybersecurity researcher Bob Dyachenko and CyberNews researchers have uncovered the largest data leak ever discovered.

The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak is almost certainly the largest ever discovered.

There are data leaks, and then there’s this. A supermassive Mother of all Breaches (MOAB for short) includes records from thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews team, has discovered billions upon billions of exposed records on an open instance whose owner is unlikely ever to be identified.

  • You can check if your data was exposed in historic data breaches using the Cybernews data leak checker. Our team is working hard to update the tool and provide you with means to check if your data was exposed in the MOAB.

However, the researchers believe that the owner has a vested interest in storing large amounts of data and, therefore, could be a malicious actor, data broker, or some service that works with large amounts of data.

“The dataset is extremely dangerous as threat actors could leverage the aggregated data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts,” the researchers said.

The supermassive MOAB does not appear to be made up of newly stolen data only and is most likely the largest compilation of multiple breaches (COMB).

While the team identified over 26 billion records, duplicates are also highly likely. However, the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors.


A quick run through the data tree reveals an astoundingly large number of records compiled from previous breaches. The largest number of records, 1.4 billion, comes from Tencent QQ, a Chinese instant messaging app.

However, there are supposedly hundreds of millions of records from Weibo (504M), MySpace (360M), Twitter (281M), Deezer (258M), Linkedin (251M), AdultFriendFinder (220M), Adobe (153M), Canva (143M), VK (101M), Daily Motion (86M), Dropbox (69M), Telegram (41M), and many other companies and organizations.

The leak also includes records of various government organizations in the US, Brazil, Germany, Philippines, Turkey, and other countries.

According to the team, the consumer impact of the supermassive MOAB could be unprecedented. Since many people reuse usernames and passwords, malicious actors could embark on a tsunami of credential-stuffing attacks.

“If users use the same passwords for their Netflix account as they do for their Gmail account, attackers can use this to pivot towards other, more sensitive accounts. Apart from that, users whose data has been included in supermassive MOAB may become victims of spear-phishing attacks or receive high levels of spam emails,” the researchers said.

The leak’s scale is of as yet unseen proportions. For example, in 2021, Cybernews reported a COMB that contained 3.2 billion records – only 12% of the supermassive MOAB of 2024.

The full and searchable list of the leaks composing the MOAB is available in the original post published by CyberNews:

https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

About the author: Vilius Petkauskas, Deputy Editor at CyberNews


Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

CISA adds VMware vCenter Server bug to its Known Exploited Vulnerabilities catalog

23 January 2024 at 08:00

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a VMware vCenter Server Out-of-Bounds Write bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a VMware vCenter Server Out-of-Bounds Write bug, tracked as CVE-2023-34048, to its Known Exploited Vulnerabilities (KEV) catalog.

vCenter Server is a critical component of the VMware virtualization and cloud computing software suite. It serves as a centralized and comprehensive management platform for VMware’s virtualized data centers.

In October, VMware addressed the flaw CVE-2023-34048 (CVSS score 9.8). Recently, the virtualization giant updated its advisory on January 18, 2023, revealing that it is aware of exploitation “in the wild.”

“As of January 18, 2024 VMware is aware of exploitation “in the wild.”” reads the advisory.

This week, Mandiant researchers reported that the China-linked APT group UNC3886 has been exploiting the vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021.

In June 2023, Mandiant researchers observed the cyberespionage group UNC3886 exploiting a VMware ESXi zero-day vulnerability tracked as CVE-2023-20867.

Researchers from Mandiant first detailed the activity of the group in September 2022 when they discovered a novel malware persistence technique within VMware ESXi Hypervisors.

The technique was used by malware authors to achieve administrative access within VMware ESXi Hypervisors and take over vCenter servers and virtual machines for Windows and Linux.

The highly targeted and evasive nature of this attack leads the experts to believe that the attack was carried out for cyberespionage purposes by a China-linked actor tracked as UNC3886.

In the attack investigated by Mandiant in September 2022, threat actors relied on malicious vSphere Installation Bundles (“VIBs”) to install two backdoors on the ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files designed to manage virtual systems; they can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.

Further investigation conducted by Mandiant revealed additional techniques that UNC3886 used to target multiple organizations while evading EDR solutions.

In late 2023, Mandiant noticed that the VMware vmdird service had crashed minutes prior to the deployment of the backdoors.

“Analysis of the core dump of “vmdird” by both Mandiant and VMware Product Security showed that the process crashing is closely aligned with the exploitation of CVE-2023-34048, the out-of-bounds write vCenter vulnerability in the implementation of the DCE/RPC protocol patched in October 2023, which enables unauthenticated remote command execution on vulnerable systems.” reads the report published by Mandiant.

Mandiant observed crashes across multiple UNC3886 cases between late 2021 and early 2022.

The researchers also noticed that most environments where these crashes were observed had log entries preserved; however, the ‘vmdird’ core dumps had been removed.

“VMware’s default configurations keep core dumps for an indefinite amount of time on the system, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks.” concludes the report. “As mentioned in the VMware advisory, this vulnerability has since been patched in vCenter 8.0U2 and Mandiant recommends VMware users updating to the latest version of vCenter to account for this vulnerability seeing exploitation in the wild.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 12, 2024.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Black Basta gang claims the hack of the UK water utility Southern Water

23 January 2024 at 08:51

The Black Basta ransomware gang claimed to have hacked the UK water utility Southern Water, a major player in the UK water industry.

Southern Water is a private utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex and Kent, and for providing public water supply to approximately half of this area.

The company is a major player in the UK water industry: it employs over 6,000 people and has an annual turnover of over £1 billion. It is committed to providing its customers with high-quality water and wastewater services.

The Black Basta ransomware group added Southern Water to the list of victims on its Tor data leak site and threatened to leak the stolen data on February 29, 2024.

Black Basta posts UK water utility Southern Water.

/southernwater.co[.]uk @GossiTheDog @UK_Daniel_Card @SOSIntel @joetidy pic.twitter.com/erEvd0DtBT

— Dominic Alvieri (@AlvieriD) January 22, 2024

The group claims to have stolen 750 gigabytes of sensitive data, including users’ personal documents and corporate documents.

The gang published some screenshots as proof of the attack, including passports, ID cards, and personal information of some employees.

At this time, it is unknown what ransom the group has demanded from the victim.

The Black Basta ransomware group has been active since April 2022; like other ransomware operations, it implements a double-extortion attack model.

In early January, independent security research and consulting team SRLabs discovered a vulnerability in Black Basta ransomware’s encryption algorithm and exploited it to create a free decryptor.

Joint research by Elliptic and Corvus Insurance revealed that the group has accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall.

The researchers analyzed blockchain transactions and discovered a clear link between Black Basta and the Conti Group.

In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.

The group mainly laundered the illicit funds through the Russian crypto exchange Garantex.

SRLabs analyzed the encryption algorithm used by the ransomware and discovered a specific weakness in the variant used by the gang around April 2023. The ransomware employs encryption based on a ChaCha keystream, which is utilized to perform XOR operations on 64-byte-long chunks of the file.

The researchers determined that the position of the encrypted blocks depends on the file size, as laid out in the ranges.py script referenced by SRLabs. Depending on the file size, the ransomware encrypts the first 5000 bytes.

“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file. Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.” reads the post published by the researchers. “The recovery hinges on knowing the plaintext of 64 encrypted bytes of the file. In other words, knowing 64 bytes is not sufficient in itself since the known plaintext bytes need to be in a location of the file that is subject to encryption based on the malware’s logic of determining which parts of the file to encrypt. For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images.”

The experts pointed out that the weakness doesn’t affect the encryption of the first 5,000 bytes of a file; for this reason, these bytes cannot be recovered, which means that files smaller than 5000 bytes cannot be recovered at all.

SRLabs developed tools that enable users to analyze encrypted files and determine if decryption is possible.

The decryptauto tool may allow recovery of files containing encrypted zero bytes.

“Depending on how many times and to what extent the malware encrypted the file, manual review is required to fully recover a file.” continue the researchers.
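The two recovery routes SRLabs describes, a known 64-byte plaintext and the encrypted zero bytes that decryptauto relies on, both follow from one property: the quoted claim that 64 known bytes suffice for a whole file only holds if the same 64-byte keystream block is XORed into every encrypted chunk. The Python below is an added example, not the SRLabs decryptor, that models exactly that reuse and shows both recovery routes. The chunk-selection rule of the real ransomware is not reproduced (the caller passes the offsets), the SHA-512 digest stands in for a ChaCha keystream block, and the “most frequent ciphertext chunk is the encrypted zero chunk” heuristic is an assumption made here, not necessarily the method SRLabs uses.

```python
"""Toy model of the keystream-reuse weakness described above (added example, not
SRLabs' tool). One 64-byte keystream block is reused for every encrypted chunk."""
import hashlib
from collections import Counter
from typing import Iterable, Optional

BLOCK = 64  # the 64-byte chunk size described in the article


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def apply_keystream(data: bytes, keystream: bytes, offsets: Iterable[int]) -> bytes:
    """XOR each selected 64-byte chunk with the SAME keystream block.
    XOR is its own inverse, so the function both encrypts and decrypts."""
    if len(keystream) != BLOCK:
        raise ValueError("keystream block must be 64 bytes")
    out = bytearray(data)
    for off in offsets:
        out[off:off + BLOCK] = xor_bytes(out[off:off + BLOCK], keystream)
    return bytes(out)


def keystream_from_known_plaintext(ciphertext: bytes, offset: int, known: bytes) -> bytes:
    """C xor P = K: 64 known plaintext bytes at an encrypted offset reveal the keystream,
    which is why the known bytes must sit in a chunk the malware actually encrypted."""
    if len(known) != BLOCK:
        raise ValueError("need exactly 64 bytes of known plaintext")
    return xor_bytes(ciphertext[offset:offset + BLOCK], known)


def keystream_from_zero_chunks(ciphertext: bytes, offsets: Iterable[int], min_repeats: int = 2) -> Optional[bytes]:
    """Heuristic (an assumption here): all-zero plaintext chunks, common in VM disk
    images, encrypt to the keystream itself, so the most frequent encrypted chunk is
    taken as the keystream. A chunk seen only once is no evidence of zero plaintext."""
    counts = Counter(ciphertext[off:off + BLOCK] for off in offsets)
    if not counts:
        return None
    chunk, n = counts.most_common(1)[0]
    return chunk if n >= min_repeats else None


def recover(ciphertext: bytes, offsets: Iterable[int],
            known_offset: Optional[int] = None, known: Optional[bytes] = None) -> Optional[bytes]:
    """Recover the file with known plaintext when given, else with the zero-chunk heuristic."""
    if known is not None and known_offset is not None:
        ks: Optional[bytes] = keystream_from_known_plaintext(ciphertext, known_offset, known)
    else:
        ks = keystream_from_zero_chunks(ciphertext, offsets)
    return None if ks is None else apply_keystream(ciphertext, ks, offsets)


# --- constructed sample data -------------------------------------------------
def sample_keystream() -> bytes:
    # Stand-in for a ChaCha keystream block: 64 deterministic bytes for the demo.
    return hashlib.sha512(b"constructed keystream seed").digest()


def sample_plaintext() -> bytes:
    header = b"CONSTRUCTED-DISK-IMAGE-HEADER".ljust(BLOCK, b"\x00")
    zero_region = bytes(BLOCK * 30)            # unused sectors, as in a sparse VM image
    text = b"some file content the victim wants back".ljust(BLOCK, b" ")
    return header + zero_region + text


if __name__ == "__main__":
    pt, ks = sample_plaintext(), sample_keystream()
    offsets = range(0, len(pt), BLOCK)         # every chunk is encrypted in this demo
    ct = apply_keystream(pt, ks, offsets)
    print("keystream recovered from zero chunks:", keystream_from_zero_chunks(ct, offsets) == ks)
    print("file recovered without any known plaintext:", recover(ct, offsets) == pt)
```

The model also shows why the first 5000 bytes stay lost when the malware treats them differently and why a small file with no repeated or known chunk gives the recovery routine nothing to work with; a correct stream-cipher construction would derive a fresh keystream block for every position, and the known-plaintext step would then reveal only the chunk that was already known.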

The bad news is that Black Basta has fixed the issue. The decryptor only allows recovery of files encrypted before December 2023.

“The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for free. However, BleepingComputer has learned that the Black Basta developers fixed the bug in their encryption routine about a week ago, preventing this decryption technique from being used in newer attacks.” reported Bleeping Computer.


Pierluigi Paganini

(SecurityAffairs – hacking, Black Basta)

LoanDepot data breach impacted roughly 16.6 million individuals

23 January 2024 at 11:22

Financial services company LoanDepot disclosed a data breach that impacted roughly 16.6 million individuals.

LoanDepot is a financial services company that primarily operates as a mortgage lender. It is one of the largest nonbank lenders in the United States. The company provides a range of mortgage and non-mortgage loan products and services.

LoanDepot disclosed this week a data breach that impacted roughly 16.6 million individuals. The data breach is the result of a ransomware attack that was detected earlier this month. The Company shut down certain systems to prevent the threat from spreading.

“The Company has been working diligently with outside forensics and security experts to investigate the incident and restore normal operations as quickly as possible. The Company has made significant progress in restoring our loan origination and loan servicing systems, including our MyloanDepot and Servicing customer portals.” reads an update on cyber incident provided by the company. “Although its investigation is ongoing, the Company has determined that an unauthorized third party gained access to sensitive personal information of approximately 16.6 million individuals in its systems.”

The company immediately launched an investigation into the incident with the help of cybersecurity experts. LoanDepot also notified law enforcement and regulators.

“loanDepot, Inc. (the “Company”) recently identified a cybersecurity incident affecting certain of the Company’s systems. Upon detecting unauthorized activity, the Company promptly took steps to contain and respond to the incident, including launching an investigation with assistance from leading cybersecurity experts, and began the process of notifying applicable regulators and law enforcement.” reads the Form 8-K filing with the Securities and Exchange Commission (SEC) on January 4, 2024.

“Though our investigation is ongoing, at this time, the Company has determined that the unauthorized third party activity included access to certain Company systems and the encryption of data. In response, the Company shut down certain systems and continues to implement measures to secure its business operations, bring systems back online and respond to the incident.”

The company is offering credit monitoring and identity protection services for free to the impacted individuals.

“Unfortunately, we live in a world where these types of attacks are increasingly frequent and sophisticated, and our industry has not been spared. We sincerely regret any impact to our customers,” said loanDepot CEO Frank Martell. “The entire loanDepot team has worked tirelessly throughout this incident to support our customers, our partners and each other. I am pleased by our progress in quickly bringing our systems back online and restoring normal business operations.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Australian government announced sanctions for Medibank hacker

23 January 2024 at 14:48

The Australian government announced sanctions for a member of the REvil ransomware group for the Medibank hack that occurred in 2022.

The Australian government announced sanctions for Aleksandr Gennadievich Ermakov (aka GustaveDore, aiiis_ermak, blade_runner, JimJones), a Russian national who is a member of the REvil ransomware group. The man is responsible for the cyber attacks that in 2022 hit the Australian insurance provider Medibank.

“This morning I can announce that Australia has used cyber sanctions powers for the very first time on a Russian individual for his role in the breach of the Medibank Private network. As you might recall, more than 9 million records of Australians, including names, dates of birth, Medicare numbers and sensitive information were stolen in the 2022 attack, and the majority published on the dark web. It was an egregious violation, it impacted some of the most vulnerable members of the Australian community. I can confirm that thanks to the hard work of the Australian Signals Directorate and the AFP we have linked Russian citizen and cyber criminal Aleksandr Ermakov to the attack.” said Penny Wong, Foreign Minister. “The sanctions imposed are targeted financial sanctions and a travel ban. This will mean it is a criminal offence punishable with up to 10 years’ imprisonment to provide assets to Ermakov, or to use or deal with his assets including through cryptocurrency wallets or ransomware payments. This is the first time Australia’s autonomous cyber sanctions have been used. It sends a clear message that there are costs and consequences for targeting Australia and for targeting Australians.”

In November 2022, Medibank announced that personal data belonging to around 9.7M current and former customers was exposed as a result of a ransomware attack.

Medibank is one of the largest Australian private health insurance providers with approximately 3.9 million customers.

The company discovered the ransomware attack on October 12; the attackers had access to data belonging to around 5.1 million Medibank customers, around 2.8 million ahm customers, and around 1.8 million international customers.

In early November 2022, the threat actors leaked stolen data associated with roughly 10 million individuals.

Australian police investigated the case and discovered that Ermakov had a crucial role in the hack of the company. The Home Affairs and Cyber Security Minister of Australia has affirmed that Ermakov was not apprehended by Russian authorities in connection with the police operation targeting the REvil group.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Watch out, a new critical flaw affects Fortra GoAnywhere MFT

23 January 2024 at 22:09

Fortra addressed a new authentication bypass vulnerability impacting its GoAnywhere MFT (Managed File Transfer) product.

Fortra warns customers of a new authentication bypass vulnerability tracked as CVE-2024-0204 (CVSS score 9.8), impacting the GoAnywhere MFT (Managed File Transfer) product.

Fortra GoAnywhere Managed File Transfer is a comprehensive solution for secure file transfer, data encryption, and compliance management. It provides a centralized platform for managing and automating file transfers between disparate systems and applications, enabling secure and controlled data movement across an organization’s network.

An unauthorized user can exploit the flaw CVE-2024-0204 to create admin users using the administration portal of the appliance. The flaw was reported by Mohammed Eldeeb & Islam Elrfai from Spark Engineering Consultants on December 1, 2023.

The vulnerability impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier. Fortra addressed the issue with the release of GoAnywhere MFT 7.4.1.

“Upgrade to version 7.4.1 or higher.” reads the advisory published by the vendor. “The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart.”

Fortra is not aware of attacks in the wild exploiting this vulnerability.

In February 2023, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting another zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere Managed File Transfer secure file transfer tool.

Pierluigi Paganini

(SecurityAffairs – hacking, Fortra)

Splunk fixed high-severity flaw impacting Windows versions

24 January 2024 at 08:35

Splunk addressed multiple vulnerabilities in Splunk Enterprise, including a high-severity flaw impacting Windows installs.

Splunk addressed multiple vulnerabilities in Splunk Enterprise, including a high-severity flaw, tracked as CVE-2024-23678 (CVSS score 7.5), impacting the Windows version.

According to the advisory, Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3 does not correctly sanitize path input data. This results in the unsafe deserialization of untrusted data from a separate disk partition on the machine.

Deserialization of untrusted data can allow malicious code to be executed on the system. This is because the serialized data can contain instructions that the application will execute when it deserializes the data. For example, if an application deserializes a malicious JSON object, the object could contain JavaScript code that would be executed when the application parses the JSON object.

This vulnerability only affects Splunk Enterprise for Windows.

Customers are recommended to upgrade versions 9.0.8, 9.1.3, or higher. The vendor pointed out that the vulnerability does not affect the Cloud Platform.

The issue was discovered by Danylo Dmytriiev (DDV_UA).

The company did not reveal if it is aware of attacks in the wild exploiting this vulnerability.

Below are other vulnerabilities addressed by the company:

SVD-2024-01072024-01-22Server Response Disclosure in RapidDiag Salesforce.com Log FileMediumCVE-2024-23677
SVD-2024-01062024-01-22Sensitive Information Disclosure of Index Metrics through “mrollup” SPL CommandMediumCVE-2024-23676
SVD-2024-01052024-01-22Splunk App Key Value Store (KV Store) Improper Handling of Permissions Leads to KV Store Collection DeletionMediumCVE-2024-23675

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2024-23678)

Akira ransomware attack on Tietoevry disrupted the services of many Swedish organizations

24 January 2024 at 11:09

A ransomware attack against the Finnish IT services provider Tietoevry disrupted the services of some Swedish government agencies and shops.

The online services of multiple Swedish government agencies, universities, and businesses were disrupted by an Akira ransomware attack that hit the Finnish IT services and enterprise cloud hosting provider Tietoevry.

Tietoevry is a Finnish multinational information technology (IT) and consulting company that provides managed services and cloud hosting for the enterprise.

The company said that the ransomware attack took place on Friday night and impacted only one data center in Sweden. The company immediately launched an investigation into the incident and is working to restore its services. Tietoevry notified law enforcement and impacted customers. Impacted customers include Sweden’s largest cinema chain Filmstaden (the attack disrupted its online ticket system) and the discount retail chain Rusta.

“The attack was limited to one part of one of our Swedish datacenters, impacting Tietoevry’s services to some of our customers in Sweden. Tietoevry immediately isolated the affected platform, and the ransomware attack has not affected other parts of the company’s infrastructure. Tietoevry has taken highest level of action to investigate, mitigate and resolve the situation.” reads a press release published by the company. “A large team of experts are working on several tracks in parallel around the clock on this. We have notified the directly affected customers and are in dialogue with them for updates on the situation.”

BleepingComputer first reported that the security breach was the result of an Akira ransomware attack.

The company later confirmed the news of an Akira ransomware attack.

“The malicious attack based on Akira ransomware on one of our datacenters in Sweden took place during the night of January 19-20. Tietoevry takes the situation very seriously and has an extensive team of experts and technicians working around the clock to minimize the impact and restore services.” reads an update published by the services provider.

The attack impacted the company’s managed Payroll and HR system named Primula, which is used by Sweden government agencies, including the centralized human resources system used by Sweden’s national government service center (Statens Servicecenter).

At present, Tietoevry cannot provide a definite timeframe for the complete restoration process due to the complexity of the security breach. The overall duration may span several days, possibly weeks.

“Currently, Tietoevry cannot say how long the restoration process as a whole will take – considering the nature of the incident and the number of customer-specific systems to be restored, the total timespan may extend over several days, even weeks. We are focused on resolving this as soon as technically possible, in close collaboration with the customers in question.” concludes the update.

The company did not disclose details about the attack; it is unclear whether the threat actors also stole data from its systems.

In January 2024, the Finnish National Cybersecurity Center (NCSC-FI) reported an increase in Akira ransomware attacks targeting organizations in the country. The threat actors are wiping NAS and backup devices.

Akira ransomware infections were first reported in Finland in June 2023, however, in December the number of attacks increased. According to the NCSC-FI, six out of seven infections were caused by Akira family malware.

The ransomware attacks reported in late 2023 targeted organizations’ networks through poorly secured VPN gateways on Cisco ASA or FTD devices. The attackers exploited the vulnerability CVE-2023-20269 in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). An unauthenticated, remote attacker can exploit the vulnerability to conduct a brute force attack in an attempt to identify valid username and password combinations, and an authenticated, remote attacker can exploit it to establish a clientless SSL VPN session with an unauthorized user.

The Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple organizations across multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.

Pierluigi Paganini

(SecurityAffairs – hacking, Akira ransomware attack)

Experts released PoC exploit for Fortra GoAnywhere MFT flaw CVE-2024-0204

24 January 2024 at 14:37

Researchers released PoC exploit code for a recently disclosed critical authentication bypass flaw in Fortra’s GoAnywhere MFT (Managed File Transfer).

Researchers with cybersecurity firm Horizon3’s Attack Team published technical details of the recently disclosed vulnerability CVE-2024-0204 impacting Fortra GoAnywhere MFT.

The security experts also published a proof-of-concept (PoC) exploit that allows the creation of new admin users on vulnerable instances exposed online.

“The advisory mentions that the endpoint /InitialAccountSetup.xhtml can be deleted and the service restarted to mitigate the issue. Looking through the application directories, we find that this endpoint is mapped to the com.linoma.ga.ui.admin.users.InitialAccountSetupForm class by inspecting the file GoAnywhere/adminroot/WEB-INF/forms-faces.xml.” reads the analysis published by Horizon3.

Yesterday, Fortra warned customers of a new authentication bypass vulnerability tracked as CVE-2024-0204 (CVSS score 9.8), impacting the GoAnywhere MFT (Managed File Transfer) product.

Fortra GoAnywhere Managed File Transfer is a comprehensive solution for secure file transfer, data encryption, and compliance management. It provides a centralized platform for managing and automating file transfers between disparate systems and applications, enabling secure and controlled data movement across an organization’s network.

An unauthorized user can exploit the flaw CVE-2024-0204 to create admin users using the administration portal of the appliance. The flaw was reported by Mohammed Eldeeb & Islam Elrfai from Spark Engineering Consultants on December 1, 2023.

Fortra initially issued private advisories to customers on December 4, recommending that they apply mitigations immediately.

we @IslamRalsaid1 got some zero-days vulnerabilities in "goanywhere" product , patch your instance ASAP#0day #bugbounty pic.twitter.com/pazqDpYKmZ

— mohammed eldeeb (@malcolmx0x) December 5, 2023

The vulnerability impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier. Fortra addressed the issue with the release of GoAnywhere MFT 7.4.1.

“Upgrade to version 7.4.1 or higher.” reads the advisory published by the vendor. “The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart.”

Fortra is not aware of attacks in the wild exploiting this vulnerability.

Horizon3 researchers created an exploit that uses a path traversal issue to reach the vulnerable endpoint (/InitialAccountSetup.xhtml). Once they reached the endpoint, they were able to start the account creation procedure.

“We considered the patches we observed and this logic, and without a way to pass the isAdminUserCreated check we were unsure exactly how this bypass could occur. Instead of using logic, and instead using our spidey senses, we considered if possibly there was a path normalization issue.” continues the analysis. “Classically for Tomcat based applications, there exist path traversal issues when the request contains /..;/. Trying to request the supposed vulnerable endpoint now with a request that looks like https://192.168.1.1:8001/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml leads to the application now routing us to the setup page again!”

[Image: Bypassing doFilter() with /..;/]

Organizations should check for any new additions to the ‘Admin users’ group in the GoAnywhere administrator portal as an indicator of compromise. Once a suspicious Admin user has been found, it is essential to analyze the log to determine its activity.

The availability of Horizon3’s PoC exploit code can trigger hacking campaigns targeting unpatched GoAnywhere MFT instances.

In February 2023, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting another zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere Managed File Transfer secure file transfer tool.

Pierluigi Paganini

(SecurityAffairs – hacking, Fortra)

5379 GitLab servers vulnerable to zero-click account takeover attacks

24 January 2024 at 19:05

Thousands of GitLab servers are vulnerable to zero-click account takeover attacks exploiting the flaw CVE-2023-7028.

GitLab has recently released security updates to address two critical vulnerabilities impacting both the Community and Enterprise Edition.

The most critical vulnerability, tracked as CVE-2023-7028 (CVSS score 10), is an account takeover via Password Reset. The flaw can be exploited to hijack an account without any interaction.

“An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.” reads the advisory published by GitLab.

The flaws impact the following versions:

  • 16.1 prior to 16.1.5
  • 16.2 prior to 16.2.8
  • 16.3 prior to 16.3.6
  • 16.4 prior to 16.4.4
  • 16.5 prior to 16.5.6
  • 16.6 prior to 16.6.4
  • 16.7 prior to 16.7.2

GitLab addressed the flaw with the releases 16.7.2, 16.5.6, and 16.6.4. The company backported security patches to 16.1.6, 16.2.9, and 16.3.7.

The company is not aware of attacks in the wild exploiting the vulnerability CVE-2023-7028. Self-managed customers are recommended to review their logs to check for possible attempts to exploit this vulnerability:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
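The two log checks above, implemented as an added example (not GitLab’s own tooling): it reads JSON-lines records and flags password-reset requests, or PasswordsController#create audit events, whose email field is an array holding more than one address. The sample records are constructed and trimmed to the fields the checks need; the assumed layout of params as a list of key/value objects follows the advisory’s params.value.email path, and target_details is handled both as a real array and as a string holding one.

```python
"""Hunt for CVE-2023-7028 exploitation attempts in GitLab logs (added example).

Checks applied, following the GitLab advisory:
  * production_json.log: requests to /users/password whose params.value.email
    is a JSON array with more than one address;
  * audit_json.log: meta.caller.id == PasswordsController#create whose
    target_details is a JSON array with more than one address.
The sample log lines at the bottom are constructed; real records carry more fields.
"""
import json
from typing import Any, Dict, Iterable, Iterator, List, Tuple

PASSWORD_RESET_PATH = "/users/password"
PASSWORD_RESET_CALLER = "PasswordsController#create"


def _email_list(field: Any) -> List[str]:
    """Normalise an email field into a list of addresses.

    The field may be a real JSON array, a string holding a JSON array (assumed
    form for audit records), or a plain string with a single address.
    """
    if field is None:
        return []
    if isinstance(field, str):
        stripped = field.strip()
        if stripped.startswith("["):
            try:
                field = json.loads(stripped)
            except ValueError:
                return [stripped]
        else:
            return [stripped]
    if isinstance(field, list):
        return [str(e).strip() for e in field if str(e).strip()]
    return [str(field)]


def _parse(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, Any]]]:
    """Yield (line_number, record) for each well-formed JSON object line."""
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON line: skip it, do not abort the hunt
        if isinstance(record, dict):
            yield number, record


def scan_production_log(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Flag /users/password requests carrying several email addresses."""
    hits = []
    for number, rec in _parse(lines):
        if rec.get("path") != PASSWORD_RESET_PATH:
            continue
        emails: List[str] = []
        # params is assumed to be a list of {"key": ..., "value": ...}; the reset
        # form posts user[email], so the addresses sit under params[].value.email
        for param in rec.get("params") or []:
            value = param.get("value") if isinstance(param, dict) else None
            if isinstance(value, dict) and "email" in value:
                emails.extend(_email_list(value["email"]))
        if len(set(emails)) > 1:
            hits.append({"line": number, "remote_ip": rec.get("remote_ip"),
                         "emails": emails})
    return hits


def scan_audit_log(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Flag PasswordsController#create audit events targeting several addresses."""
    hits = []
    for number, rec in _parse(lines):
        if rec.get("meta.caller.id") != PASSWORD_RESET_CALLER:
            continue
        emails = _email_list(rec.get("target_details"))
        if len(set(emails)) > 1:
            hits.append({"line": number, "ip_address": rec.get("ip_address"),
                         "emails": emails})
    return hits


# Constructed sample records: one benign reset, one reset with two addresses,
# one unrelated request and one truncated line.
SAMPLE_PRODUCTION_LOG = [
    json.dumps({"method": "POST", "path": "/users/password", "remote_ip": "198.51.100.7",
                "params": [{"key": "user", "value": {"email": "alice@example.com"}}]}),
    json.dumps({"method": "POST", "path": "/users/password", "remote_ip": "203.0.113.9",
                "params": [{"key": "user", "value": {"email": [
                    "victim@example.com", "second@example.net"]}}]}),
    json.dumps({"method": "GET", "path": "/users/sign_in", "remote_ip": "198.51.100.7",
                "params": []}),
    '{"method": "POST", "path": "/users/password", "params": [  <-- truncated line',
]

SAMPLE_AUDIT_LOG = [
    json.dumps({"meta.caller.id": "PasswordsController#create", "ip_address": "198.51.100.7",
                "target_details": "alice@example.com"}),
    json.dumps({"meta.caller.id": "PasswordsController#create", "ip_address": "203.0.113.9",
                "target_details": '["victim@example.com", "second@example.net"]'}),
    json.dumps({"meta.caller.id": "SessionsController#create", "ip_address": "203.0.113.9",
                "target_details": "victim@example.com"}),
]

if __name__ == "__main__":
    for hit in scan_production_log(SAMPLE_PRODUCTION_LOG):
        print("production_json.log line %d from %s: %s" % (hit["line"], hit["remote_ip"], hit["emails"]))
    for hit in scan_audit_log(SAMPLE_AUDIT_LOG):
        print("audit_json.log line %d from %s: %s" % (hit["line"], hit["ip_address"], hit["emails"]))
```

Point the two functions at the real files (one record per line) to run the same hunt on a self-managed instance.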

Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month.

Researchers from ShadowServer reported that 5,379 instances exposed online are vulnerable to this flaw.

Running GitLab? We are sharing instances vulnerable to CVE-2023-7028 (Account Takeover via Password Reset without user interactions) – 5379 instances found worldwide (on 2024-01-23). Top: US (964) & Germany (730)

Check for signs of compromise and patch: https://t.co/XqIbXO5GBp pic.twitter.com/6f3v9oHaOG

— Shadowserver (@Shadowserver) January 24, 2024

Most of the vulnerable servers are in the United States (964), Germany (730), and Russia (721).

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2023-7028)

CISA adds Atlassian Confluence Data Center bug to its Known Exploited Vulnerabilities catalog

25 January 2024 at 00:28

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Atlassian Confluence Data Center and Server Template Injection bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Atlassian Confluence Data Center and Server Template Injection bug, tracked as CVE-2023-22527, to its Known Exploited Vulnerabilities (KEV) catalog.

Atlassian recently warned of a critical remote code execution vulnerability, tracked as CVE-2023-22527 (CVSS score 10.0), in Confluence Data Center and Confluence Server that impacts older versions.

The vulnerability is a template injection vulnerability that can allow remote attackers to execute arbitrary code on vulnerable Confluence installs.

The flaw affects Confluence Data Center and Server versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3. Most recent supported versions of Confluence Data Center and Server are not affected by this issue.

“A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version. Customers using an affected version must take immediate action.” reads the advisory published by the vendor. “This RCE (Remote Code Execution) vulnerability affects out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, 2023 as well as 8.4.5 which no longer receives backported fixes in accordance with our Security Bug Fix Policy. Atlassian recommends patching to the latest version.”

The company addressed the vulnerability with the release of versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only).

Atlassian recommends that customers install the latest version.

The security bulletin states that there are no known workarounds or mitigations to remediate this vulnerability.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 14, 2024.

Pierluigi Paganini

(SecurityAffairs – Known Exploited Vulnerabilities catalog, Confluence Data Center)

Russia-linked APT group Midnight Blizzard hacked Hewlett Packard Enterprise (HPE)

25 January 2024 at 08:20

Hewlett Packard Enterprise (HPE) revealed that Russia-linked APT group Midnight Blizzard gained access to its Microsoft Office 365 email system.

Hewlett Packard Enterprise (HPE) revealed that alleged Russia-linked cyberespionage group Midnight Blizzard gained access to its Microsoft Office 365 cloud-based email environment.

The attackers were collecting information on the cybersecurity division of the company and other functions.

The Midnight Blizzard group (aka APT29, SVR group, Cozy Bear, Nobelium, BlueBravo, and The Dukes), along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is known for the SolarWinds supply chain attack that in 2020 hit more than 18,000 customer organizations, including Microsoft.

HPE became aware of the intrusion in December 2023 and immediately launched an investigation into the security breach with the help of external cybersecurity experts.

The investigation revealed that the attackers had gained access to the company environment and had been exfiltrating data since May 2023. The cyberspies compromised a small percentage of HPE mailboxes belonging to individuals in the company’s cybersecurity, go-to-market, business segments, and other functions.

“On December 12, 2023, Hewlett Packard Enterprise Company (the “Company,” “HPE,” or “we”) was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE’s cloud-based email environment. The Company, with assistance from external cybersecurity experts, immediately activated our response process to investigate, contain, and remediate the incident, eradicating the activity.” reads the Form 8-K filing with the U.S. Securities and Exchange Commission (SEC). “Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

The investigation is still ongoing, however, the IT giant determined that the intrusion is likely linked to another attack conducted by the same APT group, of which they were notified in June 2023.

As early as May 2023, the company discovered unauthorized access to and exfiltration of a limited number of SharePoint files.

“Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity.” continues the company. “Upon undertaking such actions, we determined that such activity did not materially impact the Company.”

The company notified law enforcement and regulatory authorities. HPE emphasized that, as of the filing date, the incident has not significantly affected its operations.

Recently Microsoft warned that some of its corporate email accounts were compromised by the same Russia-linked group Midnight Blizzard. Microsoft notified law enforcement and relevant regulatory authorities.

Microsoft discovered the intrusion on January 12, 2024, and immediately launched an investigation into the security breach. The IT giant confirmed to have locked out the threat actors and mitigated the attack.

“On January 12, 2024, Microsoft (the “Company” or “we”) detected that beginning in late November 2023, a nation-state associated threat actor had gained access to and exfiltrated information from a very small percentage of employee email accounts including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, on the basis of preliminary analysis.” reads a Form 8-K filing with the SEC. “We are examining the information accessed to determine the impact of the incident. We also continue to investigate the extent of the incident.”

The state-sponsored hackers first compromised the company systems in late November 2023 with a password spray attack. Password spraying is a type of brute force attack in which the attackers attempt logins against a list of usernames using a small set of common or default passwords. In this attack scenario, threat actors use one password against many different accounts on the application to avoid the account lockouts that would normally trigger when brute forcing a single account with many passwords.

Microsoft revealed that the threat actors gained access to a legacy non-production test tenant account and used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. The attackers gained access to the accounts of members of the company’s senior leadership team and employees in cybersecurity, legal, and other functions. The company also confirmed that attackers have exfiltrated some emails and attached documents. The APT group initially targeted email accounts to gather intelligence on investigations conducted by Microsoft on Midnight Blizzard’s activities. Microsoft is notifying impacted employees.  

The company pointed out that the attackers did not exploit any vulnerability in Microsoft products or services. Microsoft also added that there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.” wrote Microsoft. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

According to the Form 8-K, the incident has not had a material impact on the Company’s operations.

“The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” reads the document.

Unlike Microsoft, HPE has yet to disclose technical details of the security breach.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

Cisco warns of a critical bug in Unified Communications products, patch it now!

25 January 2024 at 19:10

Cisco addressed a critical flaw in its Unified Communications and Contact Center Solutions products that could lead to remote code execution.

Cisco released security patches to address a critical vulnerability, tracked as CVE-2024-20253 (CVSS score of 9.9), impacting multiple Unified Communications and Contact Center Solutions products.

An unauthenticated, remote attacker can exploit the flaw to execute arbitrary code on an affected device.

The root cause of the issue is the improper processing of user-provided data that is being read into memory. An attacker can exploit the flaw by sending a crafted message to a listening port of an unpatched device. 

“This vulnerability is due to the improper processing of user-provided data that is being read into memory. An attacker could exploit this vulnerability by sending a crafted message to a listening port of an affected device.” reads the advisory published by the IT giant. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user. With access to the underlying operating system, the attacker could also establish root access on the affected device.”

The vulnerability impacts the following products in the default configuration:

  • Unified Communications Manager (Unified CM) (CSCwd64245)
  • Unified Communications Manager IM & Presence Service (Unified CM IM&P) (CSCwd64276)
  • Unified Communications Manager Session Management Edition (Unified CM SME) (CSCwd64245)
  • Unified Contact Center Express (UCCX) (CSCwe18773)
  • Unity Connection (CSCwd64292)
  • Virtualized Voice Browser (VVB) (CSCwe18840)

There are no workarounds that address the issue; however, the company reported that it is possible to mitigate the vulnerability by establishing access control lists (ACLs) on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network, allowing access only to the ports of deployed services.

The Cisco PSIRT is not aware of attacks in the wild exploiting this flaw.

The vulnerability was reported by Julien Egloff from Synacktiv.

Pierluigi Paganini

(SecurityAffairs – hacking, Unified Communications)

Yearly Intel Trend Review: The 2023 RedSense report

25 January 2024 at 21:24

The 2023 RedSense report covers long-term observations we have made regarding intel trends and interconnectivity.

These observations were made by analyzing numerous 2023 threat findings and discoveries, and include references to case studies that were reported on by RedSense throughout the year.

Trend Analysis

Ghost Group Operations:

A notable increase in covert ‘ghost groups’ like Zeon/Ryuk/Conti1, providing backend support to groups such as BlackCat, Akira, and LockBit 3.0. These groups, while maintaining anonymity, offer capabilities like negotiation support, phishing campaigns, and initial access brokerage.

Double Jeopardy in Post-breach Exploitation:

Cybercriminals are leveraging ‘Double Jeopardy’ tactics, weaponizing a single attack multiple times. This is achieved through the reuse of publicly available data and the sharing of stolen data across various threat groups, complicating attribution and response efforts.

Future Victimology Techniques:

Utilization of data from previous breaches to streamline future target identification, as seen with BlackBasta and BlackSuit groups. This approach not only increases efficiency but also compounds the long-term impacts of data breaches.

Diversification of Ransomware Actors:

The emergence of non-Eastern European ransomware methodologies, marked by groups like Scattered Spider. New malware types such as DarkGate and BlackNET demonstrate a broadening of the ransomware actor profile.

AI Exploitation in Cyberattacks:

Increased attempts to exploit AI technologies for malicious purposes. Development of AI-powered tools like WormGPT and FraudGPT, and AI-driven vishing attacks indicate a significant shift in attack methodologies.

Black SEO Malware Distribution Techniques:

Rise in black hat SEO tactics, including malvertising and SEO poisoning. These methods, used to disseminate malware like AuroraStealer, IcedID, and RedLine Stealer, highlight the exploitation of online platforms for malware distribution.

Intensification of Public Shaming in Ransomware:

Escalation in public shaming tactics by ransomware groups to pressure victims into paying. Tactics include explicit data publication and aggressive online shaming campaigns, adding a psychological dimension to the extortion process.

Increased Law Enforcement Actions and Takedowns:

The year witnessed a rise in law enforcement activities targeting ransomware groups, reflecting improved digital forensic techniques and international cooperation in cybercrime response.

Conti’s Persistent Influence:

Despite its dismantlement, Conti’s operational methodologies continue to influence current ransomware activities. The adaptation and use of Conti’s source code by groups like BlackSuit and BlackBasta demonstrate the enduring impact of this group.

Experimentations in Malware Locker/Loader Technology:

Ransomware groups are experimenting with various malware lockers and loaders to enhance operational efficacy and evade detection. The transition of the Royal group to BlackSuit and BlackBasta’s use of Pikabot and DarkGate exemplify this trend.

Exploitation of the Citrix Bleed Vulnerability (CVE-2023-4966):

The widespread exploitation of the Citrix Bleed vulnerability by groups like BlackSuit, BlackBasta, ALPHV, and LockBit 3.0, particularly targeting government and defense sectors, underscores the trend of exploiting critical software vulnerabilities.

Conclusion

The 2023 trends noted by RedSense indicate a complex, chaotic and highly entangled year for ransomware. What we have found indicates that the threat ecosystem is experiencing massive internal shifts, which may be a sign that it will be unrecognizable by year’s end.

Author Bio: Marley Smith currently works on the Intelligence Team of the cybersecurity and threat prevention firm RedSense. As Principal Threat Researcher, Smith conducts in-depth investigations of ransomware syndicates, novel malware, state-affiliated threat groups, as well as the dynamics with which today’s cybercrime ecosystem evolves. Research Review: Yelisey Bohuslavskiy, partner & Chief Research Officer at RedSense; co-founder of Advanced Intelligence, LLC.

More details are included in the original report available at:

https://redsense.com/publications/yearly-intel-trend-review-2023/


Pierluigi Paganini

(SecurityAffairs – hacking, 2023 RedSense report)

Pwn2Own Automotive 2024 Day 2 – Tesla hacked again

26 January 2024 at 08:32

Researchers hacked the Tesla infotainment system and found 24 zero-days on day 2 of the Pwn2Own Automotive 2024 hacking competition.

White hat hackers from the Synacktiv Team (@Synacktiv) compromised the Tesla infotainment system on the second day of the Pwn2Own Automotive 2024 hacking competition. The bug hunters chained two vulnerabilities to hack the Tesla infotainment system; they earned $100,000 and 10 Master of Pwn Points.

Success! The @synacktiv team’s big win is confirmed: a 2-bug chain used to exploit the Tesla Infotainment earns them $100,000 and 10 Master of Pwn Points. #Pwn2Own pic.twitter.com/TWv5MXw9XR

— Zero Day Initiative (@thezdi) January 25, 2024

The Synacktiv Team also hacked the Automotive Grade Linux operating system by chaining three vulnerabilities. The team earned $35,000 for this hack.

Confirmed! The @synacktiv team’s 3-bug chain against Automotive Grade Linux is a success. They increase their lead in the competition. #Pwn2Own pic.twitter.com/1iwf94gEGD

— Zero Day Initiative (@thezdi) January 25, 2024

The NCC Group EDG team successfully hacked Alpine Halo9 iLX-F509 by chaining two vulnerabilities. The team played the popular video game DOOM on the device.

Confirmed! NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) successfully used a 2-bug chain against the Alpine Halo9 iLX-F509. Style points for playing DOOM on the device! #Pwn2Own pic.twitter.com/WIVnJ4EVl5

— Zero Day Initiative (@thezdi) January 25, 2024

During the second day, participants earned a total of $382,500 for demonstrating 24 zero-days.

That’s a wrap for Day 2 of #Pwn2Own Automotive. We’ve already awarded over $1,000,000 in prizes this week (¥150 million!) Tune back in tomorrow here or at the ZDI blog for the final day of the contest! Here are the current standings leading into the final day: pic.twitter.com/BZ5jopem9X

— Zero Day Initiative (@thezdi) January 25, 2024

The bug hunters earned $1,101,500 since the start of the competition, demonstrating a total of 48 zero-days.

Additional details about the hacking attempts and their results for the Pwn2Own Day Two are available here:

https://www.zerodayinitiative.com/blog/2024/1/24/pwn2own-automotive-2024-day-two-results


Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own)

Watch out, experts warn of a critical flaw in Jenkins

26 January 2024 at 10:53

Jenkins maintainers addressed several security vulnerabilities, including a critical remote code execution (RCE) flaw.

Jenkins is the most popular open source automation server; it is maintained by CloudBees and the Jenkins community. The automation server helps developers build, test, and deploy their applications; it has hundreds of thousands of active installations worldwide with more than 1 million users.

The maintainers of the open-source platform have addressed nine security vulnerabilities, including a critical flaw, tracked as CVE-2024-23897, that could lead to remote code execution (RCE). The vulnerability was reported by the researcher Yaniv Nizry from Sonar who wrote a detailed analysis of the issue.

Jenkins has a built-in command line interface (CLI) to access the platform from a script or shell environment. The open-source software uses the args4j library to parse CLI command arguments and options on the Jenkins controller. The parser has a feature (‘expandAtFiles’) that replaces the ‘@’ character followed by a file path in an argument with the content of that file. The feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.

Because the expanded file content is then parsed as arguments and reflected back by the CLI, an attacker can use this to read arbitrary files on the Jenkins controller file system, decoded with the default character encoding of the Jenkins controller process.

An attacker with “Overall/Read” permission can read entire files, while an attacker without it can read only the first few lines of a file (three in recent releases), depending on the available CLI commands.

Below are some notes from the advisory:

  • Attackers with Overall/Read permission can read entire files.
  • Attackers without Overall/Read permission can read the first few lines of files. The number of lines that can be read depends on available CLI commands. As of publication of this advisory, the Jenkins security team has found ways to read the first three lines of files in recent releases of Jenkins without having any plugins installed, and has not identified any plugins that would increase this line count.

The maintainers pointed out that exploiting this flaw makes it possible to read binary files containing cryptographic keys used for various Jenkins features, albeit with some limitations.

Once the attacker has obtained these binary secrets, they can conduct multiple attacks, including:

  • Remote code execution via Resource Root URLs
  • Remote code execution via a “Remember me” cookie
  • Remote code execution via stored cross-site scripting (XSS) through build logs
  • Remote code execution via CSRF protection bypass
  • Decrypting secrets stored in Jenkins
  • Deleting any item in Jenkins
  • Downloading a Java heap dump

The issue has been addressed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser’s file-expansion feature.

The advisory also recommends disabling access to the CLI as a workaround.


Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

Russian Midnight Blizzard APT is targeting orgs worldwide, Microsoft warns

26 January 2024 at 13:59

Microsoft revealed that Russia-linked APT Midnight Blizzard has been targeting organizations worldwide in a cyberespionage campaign.

Microsoft announced that the Russia-linked APT Midnight Blizzard that hit the company in late November 2023 has been targeting organizations worldwide as part of a large-scale cyberespionage campaign.

The IT giant also confirmed that it is currently notifying impacted organizations.

Recently, Hewlett Packard Enterprise (HPE) revealed that alleged Russia-linked cyberespionage group Midnight Blizzard also gained access to its Microsoft Office 365 cloud-based email environment.

The attackers were collecting information on the cybersecurity division of the company and other functions.

The Midnight Blizzard group (aka APT29, SVR group, Cozy Bear, Nobelium, BlueBravo, and The Dukes), along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is known for the SolarWinds supply chain attack that in 2020 hit more than 18,000 customer organizations, including Microsoft. Microsoft states that this APT is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the US and Europe.

HPE became aware of the intrusion in December 2023 and immediately launched an investigation into the security breach with the help of external cybersecurity experts.

The investigation revealed that the attackers had gained access to the company environment and had been exfiltrating data since May 2023. The cyberspies compromised a small percentage of HPE mailboxes belonging to individuals in HPE’s cybersecurity, go-to-market, business segments, and other functions.

“Microsoft was able to identify these attacks in log data by reviewing Exchange Web Services (EWS) activity and using our audit logging features, combined with our extensive knowledge of Midnight Blizzard.” said the Microsoft Threat Intelligence team. “Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”

The Midnight Blizzard group uses a variety of TTPs to gain initial access, perform lateral movement, and maintain persistence. It focuses on gathering intelligence in support of Russian foreign policy interests.

The group has been observed using multiple initial access methods, including stolen credentials and supply chain attacks. It has been spotted pivoting from compromised on-premises environments into the cloud, and abusing service providers’ trust chains to gain access to downstream customers.

“Midnight Blizzard is also adept at identifying and abusing OAuth applications to move laterally across cloud environments and for post-compromise activity, such as email collection.” continues the report. “OAuth is an open standard for token-based authentication and authorization that enables applications to get access to data and resources based on permissions set by a user.”

Midnight Blizzard employed residential proxies to obfuscate its connections and evade detection. Microsoft urges organizations to implement measures to safeguard against rogue OAuth applications and password spraying.

Microsoft did not name other organizations hit by Midnight Blizzard. The IT giant states that the investigation is still ongoing, and it plans to provide additional details in the future as appropriate.


Pierluigi Paganini

(SecurityAffairs – hacking, cyberespionage)

A TrickBot malware developer sentenced to 64 months in prison

26 January 2024 at 23:09

The Russian national malware developer Vladimir Dunaev was sentenced to more than 5 years in prison for his role in the TrickBot operation.

The Russian national Vladimir Dunaev (40) has been sentenced in the US to 64 months in prison for his role in the development and distribution of the TrickBot malware.

Vladimir Dunaev was extradited to the U.S. in October 2021.

Dunaev, also known as FFX, was involved in the development of a browser injection module for the Trickbot malware.

The man was arrested at the end of August 2021 at Seoul’s international airport; he had been stuck in South Korea since February 2020 because of the COVID-19 lockdown imposed by the local government and the cancellation of international travel.

According to The Record, which first reported the news, after the travel restrictions were lifted the suspect had an ugly surprise: his passport had expired. Mr. A, the pseudonym used to identify the individual, was forced to stay in Seoul waiting for the local Russian embassy to replace his passport.

The Seoul High Court Criminal Division 20 (Chief Judge Jeong Seon-jae, Baek Suk-jong, Lee Jun-hyun) charged Mr. A with having been a developer for the TrickBot gang since 2016.

Dunaev pleaded guilty on November 30, 2023; he admitted to conspiring to engage in computer fraud and identity theft, as well as conspiring to commit wire fraud and bank fraud.

“Dunaev developed browser modifications and malicious tools that aided in credential harvesting and datamining from infected computers, facilitated and enhanced the remote access used by Trickbot actors, and created a program code to prevent the Trickbot malware from being detected by legitimate security software.” reads the press release published by DoJ. “During Dunaev’s participation in the scheme, 10 victims in the Northern District of Ohio, including Avon schools and a North Canton real-estate company, were defrauded of more than $3.4 million via ransomware deployed by Trickbot.”

TrickBot is a popular Windows banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features, including powerful password-stealing capabilities. The malicious code had infected millions of computers worldwide.

TrickBot initially partnered with the Ryuk ransomware operators, who used it for initial access to the networks compromised by the botnet. Ryuk was later replaced by the Conti ransomware gang, which used TrickBot for the same purpose.

In 2021, the Conti gang had exclusive use of TrickBot to gain initial access to the networks of organizations worldwide.

Financial sanctions were imposed on numerous suspected Trickbot members by the Treasury Department’s Office of Foreign Assets Control (OFAC) in both February and September 2023.

“This case and subsequent sentencing sends a strong message to cybercriminals and other bad actors who target individuals and businesses with malicious intent,” said Special Agent in Charge Greg Nelsen of the FBI Cleveland Field Office. “The complexities of this case required careful coordination among our domestic and international partners and their commitment to meticulous investigative work. I am proud of the synchronized effort to see that justice was served.” 


Pierluigi Paganini

(SecurityAffairs – hacking, Trickbot)

Participants earned more than $1.3M at the Pwn2Own Automotive competition

27 January 2024 at 10:40

Bug bounty hunters earned more than $1.3 million for hacking Teslas, infotainment systems, and electric vehicle chargers at the Pwn2Own Automotive competition.

The Zero Day Initiative’s Pwn2Own Automotive competition has ended; participants demonstrated 49 zero-day vulnerabilities affecting automotive products, earning a total of $1,323,750.

The amazing Synacktiv team won the competition and earned a total of $450,000. The team demonstrated successful attacks against Tesla’s modem and the infotainment system.

The first ever #Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to @synacktiv, the Masters of Pwn! Stay with us here and at the ZDI blog as we prepare for Pwn2Own Vancouver in March. pic.twitter.com/ov2B1rtA8c

— Zero Day Initiative (@thezdi) January 26, 2024

In second place is the team fuzzware.io with $177,500, followed by the team Midnight Blue/PHP Hooligans with $80,000.

The biggest payout of the final day was awarded to the team fuzzware.io, which exploited a buffer overflow to hack the EMPORIA EV Charger Level 2. They earned $60,000 and 6 Master of Pwn Points.

Success! Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of https://t.co/ELqV0E3vQ5 used a buffer overflow to exploit the EMPORIA EV Charger Level 2. They earn $60,000 and 6 Master of Pwn Points. #Pwn2Own pic.twitter.com/H3BphVAlfy

— Zero Day Initiative (@thezdi) January 26, 2024

The team fuzzware.io also chained two flaws to hack the Phoenix Contact CHARX SEC-3100. However, one of the bugs was previously known, so the attempt was classified as a bug collision. They earned $22,500 and 4.5 Master of Pwn Points.

The researcher Connor Ford of Nettitude demonstrated a stack-based buffer overflow to hack the JuiceBox 40 Smart EV Charging Station. He earned $30,000 and 6 Master of Pwn Points.

The full list of the exploits demonstrated on day three of PWN2OWN AUTOMOTIVE 2024 is available here.

https://www.zerodayinitiative.com/blog/2024/1/25/pwn2own-automotive-2024-day-three-results


Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own)

Pro-Ukraine hackers wiped 2 petabytes of data from Russian research center

27 January 2024 at 15:44

The Main Intelligence Directorate of Ukraine’s Ministry of Defense states that pro-Ukraine hackers wiped 2 petabytes of data from a Russian research center.

The Main Directorate of Intelligence of the Ministry of Defense of Ukraine revealed that pro-Ukraine hackers group “BO Team” wiped the database of the Far Eastern Scientific Research Center of Space Hydrometeorology “Planet.”

The Russian center processes data received from satellites and also provides relevant products to more than 50 state entities, including the Ministry of War, the General Staff and the services of the Ministry of Defense of the Russian Federation.

“Cyber volunteers-patriots from the group “BO Team” carried out the attack against the Far Eastern (the largest of the three) branch of NDC space hydrometeorology “planet”.” reads the press release published by the Main Directorate of Intelligence of the Ministry of Defense of Ukraine. “The consequences are devastating.”

The hackers wiped 2 petabytes of data from 280 servers with serious consequences for the operations of the center.


The press release estimates the financial losses for the Russian agency at no less than $10 million.

The impact of the incident is exacerbated by the sanctions against Russia, which complicate the procurement of replacement hardware and software.

The cyberattack also impacted the air conditioning and humidification systems, and the emergency power supply of the center building.

“In general, dozens of strategic companies of the Russian Federation, which work for “defense” and play a key role in supporting the Russian occupation forces, will remain without critically important information and services for a long time.” concludes the press release.

The press release doesn’t include technical details about the attack. It is unclear how the BO Team breached the Russian Agency and if it used malware to wipe the data.

It is unclear whether the cyber operation was supported by Ukrainian intelligence.


Pierluigi Paganini

(SecurityAffairs – Russian research center, Ukraine)

Security Affairs newsletter Round 456 by Pierluigi Paganini – INTERNATIONAL EDITION

28 January 2024 at 08:10

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Pro-Ukraine hackers wiped 2 petabytes of data from Russian research center
Participants earned more than $1.3M at the Pwn2Own Automotive competition
A TrickBot malware developer sentenced to 64 months in prison
Russian Midnight Blizzard APT is targeting orgs worldwide, Microsoft warns
Watch out, experts warn of a critical flaw in Jenkins
Pwn2Own Automotive 2024 Day 2 – Tesla hacked again
Yearly Intel Trend Review: The 2023 RedSense report
Cisco warns of a critical bug in Unified Communications products, patch it now!
Russia-linked APT group Midnight Blizzard hacked Hewlett Packard Enterprise (HPE)
CISA adds Atlassian Confluence Data Center bug to its Known Exploited Vulnerabilities catalog
5379 GitLab servers vulnerable to zero-click account takeover attacks
Experts released PoC exploit for Fortra GoAnywhere MFT flaw CVE-2024-0204
Akira ransomware attack on Tietoevry disrupted the services of many Swedish organizations
Splunk fixed high-severity flaw impacting Windows versions
Watch out, a new critical flaw affects Fortra GoAnywhere MFT
Australian government announced sanctions for Medibank hacker
LoanDepot data breach impacted roughly 16.6 million individuals
Black Basta gang claims the hack of the UK water utility Southern Water
CISA adds VMware vCenter Server bug to its Known Exploited Vulnerabilities catalog
Mother of all breaches – a historic data leak reveals 26 billion records: check what’s exposed
Apple fixed actively exploited zero-day CVE-2024-23222
“My Slice”, an Italian adaptive phishing campaign
Threat actors exploit Apache ActiveMQ flaw to deliver the Godzilla Web Shell
Cybercriminals leaked massive volumes of stolen PII data from Thailand in Dark Web
Backdoored pirated applications targets Apple macOS users
LockBit ransomware gang claims the attack on the sandwich chain Subway

Cybercrime

Dark web threats and dark market predictions for 2024  

Cybercriminals Leaked Massive Volumes Of Stolen PII Data From Thailand In Dark Web  

Update on ransomware attack in Sweden: Restoration work progressing at Tietoevry 

Russian National Sentenced for Involvement in Development and Deployment of Trickbot Malware  

Using Google Search to Find Software Can Be Risky  

Malware

Jamf Threat Labs discovers new malware embedded in pirated applications  

Apache ActiveMQ Vulnerability Leads to Stealthy Godzilla Webshell  

Outsmarting Ransomware’s New Playbook

Global ransomware threat expected to rise with AI, NCSC warns  

Hacking

Hacking Neural Networks  

Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing  

CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive

Over 5,300 GitLab servers exposed to zero-click account takeover attacks  

Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins  

In major gaffe, hacked Microsoft test account was assigned admin privileges  

PWN2OWN AUTOMOTIVE 2024 – DAY THREE RESULTS  

Intelligence and Information Warfare 

Tech Giant HP Enterprise Hacked by Russian Hackers Linked to DNC Breach

Midnight Blizzard: Guidance for responders on nation-state attack

They destroyed the enemy “planet” – details of the cyber attack against the center of space hydrometeorology of the Russian Federation  

Russian War against Ukraine Lessons Learned Curriculum Guide  

N. Korea attempts to use generative AI for hacking attacks: spy agency

Cybersecurity

Is artificial intelligence the solution to cyber security threats?  

Apple fixes first zero-day bug exploited in attacks this year

Mother of all breaches – a historic data leak reveals 26 billion records: check what’s exposed

Cyber sanctions in response to Medibank Private cyber attack     

Fortra warns of new critical GoAnywhere MFT auth bypass, patch now

CrowdStrike CEO: Microsoft Explanation For Russia Hack Doesn’t Add Up  

Yearly Intel Trend Review: 2023  


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Medusa ransomware attack hit Kansas City Area Transportation Authority

28 January 2024 at 14:19

Medusa ransomware gang claimed responsibility for the attack against the Kansas City Area Transportation Authority (KCATA).

On January 23, 2024, the Kansas City Area Transportation Authority (KCATA) suffered a ransomware attack.

The Kansas City Area Transportation Authority (KCATA) is a public transit agency in metropolitan Kansas City. It operates the Metro Area Express (MAX) bus rapid transit service in Kansas City, Missouri, and 78 local bus routes in seven counties of Missouri and Kansas.

As of 2022, the company reported an annual ridership of 10,572,100.

The company disclosed the attack on January 24; it immediately launched an investigation into the incident and notified the appropriate authorities. The company hired external experts to restore the impacted systems.

“A ransom cyber-attack hit the KCATA early Tuesday, January 23. We have contacted all appropriate authorities including the FBI.” reads the notice published by the company.

The KCATA states that the incident is not affecting its services, including fixed-route buses, as well as the Freedom and Freedom-On-Demand paratransit services.

“The main customer impact is the inability to make calls to regional RideKC call centers, including any KCATA landline.” continues the notice. “KCATA is working around the clock with our outside cyber professionals and will have systems back up and running as soon as possible”

KCATA did not disclose specific information about the attack, including details about the ransomware family that compromised its systems or whether a data breach occurred.

Meanwhile, the Medusa ransomware gang claimed responsibility for the attack against KCATA.

The ransomware gang added the company to its Tor leak site and published samples of the alleged stolen data as proof of the data breach.

The ransomware gang threatens to release all the stolen data unless the company pays a $2 million ransom. The Medusa group also offers the victims the option to extend the deadline by paying $100,000/day.


Pierluigi Paganini

(SecurityAffairs – Kansas City Area Transportation Authority, ransomware)

Multiple PoC exploits released for Jenkins flaw CVE-2024-23897

28 January 2024 at 18:25

Multiple proof-of-concept (PoC) exploits for recently disclosed critical Jenkins vulnerability CVE-2024-23897 have been released.

Researchers warn that several proof-of-concept (PoC) exploits targeting the recently disclosed critical Jenkins vulnerability, CVE-2024-23897, have been made public.

Jenkins is the most popular open source automation server; it is maintained by CloudBees and the Jenkins community. The automation server helps developers build, test, and deploy their applications; it has hundreds of thousands of active installations worldwide with more than 1 million users.

The maintainers of the open-source platform have addressed nine security vulnerabilities, including a critical flaw, tracked as CVE-2024-23897, that could lead to remote code execution (RCE). The vulnerability was reported by the researcher Yaniv Nizry from Sonar who wrote a detailed analysis of the issue.

Jenkins has a built-in command line interface (CLI) to access the platform from a script or shell environment. The open-source software uses the args4j library to parse CLI command arguments and options on the Jenkins controller. The parser has a feature (‘expandAtFiles’) that replaces the ‘@’ character followed by a file path in an argument with the content of that file. The feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.

Because the expanded file content is then parsed as arguments and reflected back by the CLI, an attacker can use this to read arbitrary files on the Jenkins controller file system, decoded with the default character encoding of the Jenkins controller process.

An attacker with “Overall/Read” permission can read entire files, while an attacker without it can read only the first few lines of a file (three in recent releases), depending on the available CLI commands.

The maintainers pointed out that exploiting this flaw makes it possible to read binary files containing cryptographic keys used for various Jenkins features, albeit with some limitations.

The popular cybersecurity researcher Florian Roth warned that a couple of weaponized PoC exploits have been released.
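To make the mechanism concrete, here is an added example for this page, written for both this article and the earlier “Watch out, experts warn of a critical flaw in Jenkins” piece. It is not Jenkins or args4j code: it is a small model of an args4j-style parser that expands ‘@<path>’ arguments before parsing and reflects an unexpected token in its error message, which is the channel through which a file's content reaches a caller who cannot read the file directly. The same parser is run with expansion disabled, which is what the 2.442 / LTS 2.426.3 fix does, and a helper classifies a Jenkins version string as affected or fixed using only the versions named in the advisory. The command (`run_noarg_command`), its error format and the secret file are all constructed for the example.

```python
"""Model of args4j-style '@file' expansion and the resulting file-read leak.

Added example for this page: a toy parser, NOT Jenkins or args4j code.
The command name, error format and the secret file are all constructed here.
"""
import os
import tempfile


class CliError(Exception):
    """Raised when the toy CLI rejects its arguments. The message echoes the
    offending token, which is the channel that turns expansion into a leak."""


def expand_at_files(args, enabled=True):
    """Replace every '@<path>' token with the non-empty lines of that file.

    Models the behaviour the advisory describes for args4j's expandAtFiles:
    the file is read as text (errors="replace" stands in for decoding with
    the controller's default charset, which is why binary key files are only
    partially readable). With enabled=False the token is left untouched,
    which is what the fixed Jenkins releases do.
    """
    out = []
    for arg in args:
        if enabled and arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                out.extend(line.rstrip("\n") for line in fh if line.strip())
        else:
            out.append(arg)
    return out


def run_noarg_command(args, expand=True):
    """A hypothetical command that accepts no positional arguments."""
    tokens = expand_at_files(args, enabled=expand)
    if tokens:
        # A caller without read permission never sees the file itself, only
        # whatever the parser reflects back: here, the first expanded token.
        raise CliError(f"No such argument: {tokens[0]!r}")
    return "ok"


def error_text(args, expand=True):
    """Return the error message an unprivileged caller would see, or ''."""
    try:
        run_noarg_command(args, expand=expand)
    except CliError as exc:
        return str(exc)
    return ""


def is_vulnerable(version):
    """Classify a Jenkins version string using the advisory's fixed versions:
    weekly 2.441 and earlier and LTS 2.426.2 and earlier are affected;
    2.442 and LTS 2.426.3 disable the expansion."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) == 3:            # LTS line, e.g. "2.426.2"
        return parts < (2, 426, 3)
    if len(parts) == 2:            # weekly line, e.g. "2.441"
        return parts < (2, 442)
    raise ValueError(f"unrecognised Jenkins version: {version}")


def demo():
    """Write a constructed secret file; return (leaky, hardened) messages."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("secret-line-1\nsecret-line-2\n")   # constructed sample
    try:
        leaked = error_text(["@" + path], expand=True)
        hardened = error_text(["@" + path], expand=False)
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("expansion on :", leaked)    # reflects the file's first line
    print("expansion off:", hardened)  # reflects only the literal '@<path>'
    for v in ("2.441", "2.442", "2.426.2", "2.426.3"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

The toy reflects a single token, so only the file's first line comes back; in the real CLI the number of lines depends on how many tokens a given command reflects, which is why the advisory counts lines rather than files. The hardened run shows the point of the fix: with expansion off, the literal ‘@<path>’ is all the caller ever gets back, and the file is never opened.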

This vulnerability in #Jenkins is serious CVE-2024-23897

POCs have been published https://t.co/nGtbf8fehd https://t.co/pzY0NSL5bA

report by @SonarSource https://t.co/VNAUg2PDN8 pic.twitter.com/vbiWGmj47M

— Florian Roth (@cyb3rops) January 26, 2024

Critical CVE-2024-23897 in Jenkins allows unauthenticated attackers to partially leak files and authenticated attackers to leak entire files – which can lead to RCE in many cases!

Weaponized exploits are already published – https://t.co/j0Ko58YcI4

For remediation – https://t.co/8hCma88vGf

— JFrog Security (@JFrogSecurity) January 28, 2024

The researcher Germán Fernández warned of potential mass exploitation of the vulnerability: querying Shodan, he found more than 75,000 internet-facing Jenkins instances.

🚨 CVE-2024-23897: Unauthenticated Arbitrary File Read vulnerability could lead to RCE on Jenkins servers.

▪ Exploits are already available. https://t.co/xreXZ88kIZ

— Germán Fernández (@1ZRR4H) January 26, 2024

The public availability of PoC exploits will likely lead multiple threat actors to start exploiting the vulnerability in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, Jenkins)

Ukraine’s SBU arrested a member of Pro-Russia hackers group ‘Cyber Army of Russia’

29 January 2024 at 08:04

Ukraine’s security service (SBU) detained an alleged member of the pro-Russia hacker group “the Cyber Army of Russia.”

Ukraine’s security service, the SBU, announced that it has identified and detained an alleged member of the pro-Russia hacker group known as the Cyber Army of Russia. The news was first reported by The Record Media. The hacktivist group is known for having launched DDoS attacks against Western organizations and Ukrainian government agencies; Ukrainian intelligence believes, however, that the group’s operations are directly controlled by the Kremlin.

The SBU revealed that the man was living in the city of Kharkiv (Ukraine) and was recruited by Russian intelligence via Telegram.

Police searched the man’s apartment and seized three mobile phones, a laptop, and a flash drive containing information that would substantiate the allegations.

Apart from conducting DDoS attacks, the man is suspected of disclosing strategic information to Russian intelligence. The information secretly provided to Moscow includes military secrets such as the locations of Ukrainian troops and military weaponry in the country.

The Russian military used this information to coordinate recent missile strikes. If found guilty, the man could face up to 12 years in prison.

In early December, Ukraine’s SBU announced it had shut down two surveillance cameras that were allegedly hacked by the Russian intelligence services to spy on air defense forces and critical infrastructure in Kyiv.

The surveillance cameras were located in residential buildings and were used to monitor the surrounding area and a parking lot. Once the state-sponsored hackers had compromised them, they used the cameras to spy on the air defense and critical infrastructure in the same area; the camera that monitored the parking lot was repurposed to watch the surrounding territory, including critical infrastructure facilities.

The hackers changed the viewing angle and connected the cameras to the YouTube streaming platform.

The footage was used by the Russian army to support the missile strike on Kyiv on January 2.

Since the beginning of the Russian invasion of Ukraine, the SBU has disabled about 10,000 IR cameras, which the Russian army could use to adjust missile attacks on Ukraine.

The SBU calls on owners of surveillance cameras to stop online broadcasts from their devices; the agency also urges citizens to report any footage from such cameras they come across.

In October 2023, the SBU detained a Ukrainian man who had installed cameras on the streets of his city and passed information on Ukrainian military movements to Russian intelligence.

In March 2022, the SBU arrested a hacker who provided technical support to Russian troops during the invasion, the man provided mobile communication services inside the Ukrainian territory.


Pierluigi Paganini

(SecurityAffairs – hacking, SBU)
