19 January 2024

Cyber Security Week in Review: January 19, 2024


Citrix, Google, VMware, Atlassian address zero-days, high-risk bugs

Citrix rolled out security updates to fix two zero-day vulnerabilities in the NetScaler ADC and NetScaler Gateway appliances. The first flaw (CVE-2023-6548) is a code injection issue in the management interface that a remote, authenticated attacker with access to that interface can exploit for remote code execution via a specially crafted request. The second zero-day, tracked as CVE-2023-6549, is a buffer overflow that can be used to trigger a denial of service (DoS): a remote attacker sends specially crafted packets to the appliance, corrupts memory and crashes the service. Successful exploitation of CVE-2023-6549 requires that the device be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Separately, Google released security updates for its Chrome browser to patch several high-risk vulnerabilities, including a zero-day bug actively exploited in the wild. Tracked as CVE-2024-0519, the zero-day flaw is an out-of-bounds memory access issue in the V8 JavaScript and WebAssembly engine, which can be exploited for remote code execution. Google withheld additional information on the nature of the attacks in which the vulnerability was exploited to prevent further abuse.

VMware and Atlassian warned customers of dangerous vulnerabilities in Aria Automation and Confluence Data Center and Server, respectively.

The Confluence bug (CVE-2023-22527), which is rated critical, is a template injection issue that permits remote code execution. The flaw impacts out-of-date versions of Confluence Data Center and Server (8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3). It was fixed in versions 8.5.4, 8.5.5 (Confluence Data Center and Server), 8.6.0, 8.7.1, and 8.7.2 (Data Center only).

The VMware Aria Automation vulnerability (CVE-2023-34063) is an improper access control issue which, if exploited, could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows. The impacted products include VMware Aria Automation (8.11.x, 8.12.x, 8.13.x, and 8.14.x) and VMware Cloud Foundation (4.x and 5.x).

CISA adds Ivanti EPMM flaw to the list of actively exploited vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) added a now-patched authentication bypass vulnerability (CVE-2023-35082) impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the bug is being exploited in the wild. By exploiting this flaw, attackers could access personally identifiable information (PII) of mobile device users and backdoor compromised servers when chaining the bug with other flaws.

Ivanti zero-day flaws abused by Chinese hackers come under mass exploitation

Multiple threat actors have been exploiting two zero-day flaws (CVE-2023-46805, CVE-2024-21887) impacting Ivanti's Connect Secure VPN and Policy Secure network access control (NAC) devices since January 11, 2024. Volexity said some 1,700 devices were compromised.

The list of victims includes global government and military departments, national telecommunications companies, defense contractors, technology firms, banking, finance, and accounting organizations, worldwide consulting entities, and aerospace, aviation, and engineering firms.

Over 11K Juniper Networks devices are vulnerable to takeover

New data from Censys shows that more than 11,000 Juniper Networks devices are exposed to a new remote code execution (RCE) vulnerability. Tracked as CVE-2024-21591, the issue is an out-of-bounds write error in the J-Web configuration interface of affected Junos OS versions on SRX firewalls and EX switches. A remote, unauthenticated attacker can cause a denial of service (DoS) or achieve remote code execution and obtain root privileges on the device.

PixieFail flaws expose millions of systems to various cyber threats

Security researchers discovered multiple vulnerabilities in the IPv6 network protocol stack of the open-source reference implementation of the Unified Extensible Firmware Interface (UEFI). The flaws, collectively named ‘PixieFail,’ affect the TianoCore EFI Development Kit II (EDK II), the reference implementation of the UEFI specification that is widely used in modern computers, and are reachable during PXE network boot.

If exploited, they can lead to remote code execution, denial-of-service (DoS) attacks, DNS cache poisoning, and the unauthorized leakage of sensitive information.

The CERT Coordination Center published an advisory containing a list of impacted and potentially impacted vendors, along with steps to deploy fixes and mitigations.

Drupal warns of a denial of service vulnerability affecting Drupal Core

The team behind the Drupal content management platform released a security advisory warning of a denial of service vulnerability in the Drupal Comment module. The flaw affects Drupal 10.1 and 10.2. Users are advised to update to the latest versions, Drupal 10.2.2 and Drupal 10.1.8. All Drupal versions prior to 10.1, including Drupal 8 and 9, are end-of-life and do not receive security updates. Drupal 7 is not impacted.

Russian Coldriver APT expands tactics to deliver SPICA backdoor in targeted campaigns

A Russian state-backed hacker group known as Coldriver has expanded its operations to include the use of a custom backdoor called ‘SPICA’ in targeted campaigns against Western officials. SPICA, the first custom malware attributed to Coldriver, is written in the Rust programming language and uses JSON over WebSockets for command and control (C2). Its capabilities include executing arbitrary shell commands, stealing cookies from various browsers, uploading and downloading files, browsing the filesystem, and enumerating and exfiltrating documents.

Cyberattack on Ukraine's Kyivstar will cost parent Veon almost $100M

Global digital operator Veon has revealed that the December 2023 cyberattack on its Ukrainian subsidiary, Kyivstar, is expected to cost the company nearly $100 million in sales. The cyberattack, attributed to the Russian military hacker group Sandworm, led to a temporary disruption of Kyivstar's network and services, affecting voice and data connectivity, international roaming, SMS services, and more. Veon said it does not anticipate a significant financial impact on its 2023 consolidated results. However, the company does project a revenue impact of approximately 3.6 billion UAH (~$95 million) for the year ending December 2024, attributed to the customer loyalty measures implemented to compensate for the disruptions.

TA866 returns with a large-scale malicious email campaign

A threat actor known as TA866 has launched a new email campaign after nine months of inactivity. The campaign, spotted on January 11, targeted North America with malicious emails disguised as invoices. The emails contained PDF attachments, which, when opened, triggered a multi-step infection chain through OneDrive URLs, involving JavaScript files, MSI files, and custom tool sets like WasabiSeed and Screenshotter. The attack culminated in the deployment of a malware payload, according to Proofpoint.

Iranian hackers Mint Sandstorm pose as journalists to spy on Israel-Hamas war experts

Microsoft said it detected a new cyberespionage campaign by the Iran-linked Mint Sandstorm (Phosphorus) hacker group targeting high-profile individuals involved in Middle Eastern affairs at educational and research institutions across Belgium, France, Gaza, Israel, the United Kingdom, and the United States.

The campaign, which has been ongoing since November 2023, employed personalized phishing tactics to manipulate targets into downloading malicious files. Noteworthy developments in Mint Sandstorm's tactics include the use of compromised but legitimate email accounts for sending phishing lures, the adoption of the Client for URL (curl) command to connect to their command-and-control server, and the deployment of a novel custom backdoor known as MediaPl.

Threat actors abuse TeamViewer to deploy ransomware

Cybersecurity firm Huntress shared technical details of two incidents where threat actors attempted to deploy the LockBit ransomware on the corporate systems accessed via the TeamViewer remote access and support software.

Novel campaign exploits vulnerable Docker services, deploys XMRig miner and 9Hits viewer

Cado Security Labs researchers uncovered a malicious campaign targeting vulnerable Docker services. In this novel attack, two containers are deployed onto the compromised instance: the XMRig cryptocurrency miner and the 9Hits Web Viewer application. This marks the first documented case of malware utilizing the 9Hits application as a payload. In this case, 9Hits is used for credit generation for the attacker on the 9Hits platform.

Bigpanzi cybercriminal syndicate infected at least 170,000 Android TVs with malware

A large-scale cybercrime operation has been discovered that is targeting Android TVs, eCos devices, and set-top boxes in order to ensnare the compromised devices in a DDoS botnet. Named ‘Bigpanzi’ by experts with Chinese cybersecurity firm Qianxin X Laboratory, the cybercriminal gang has been active since 2015. Unlike other botnets spreading via zero-day or N-day vulnerabilities, Bigpanzi delivers malware through pirated movie and TV apps or firmware updates containing a backdoor.

Androxgh0st malware hunts for AWS, Azure and Office 365 credentials

CISA and the FBI shared tactics, techniques, and procedures (TTPs) along with Indicators of Compromise associated with threat actors behind the Androxgh0st malware. Androxgh0st targets servers and websites vulnerable to a number of security vulnerabilities that could lead to remote code execution, including CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework).
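Because the advisory lists the vulnerabilities Androxgh0st probes for, a defender can look for those probes in ordinary web-server access logs. The scanner below is an added example, not code from the advisory or from the article; the request-path indicators (the PHPUnit eval-stdin.php endpoint for CVE-2017-9841, encoded-dot path traversal under /cgi-bin/ for CVE-2021-41773, and requests for exposed .env files) are assumptions taken from public exploit descriptions, and the sample log lines are constructed. CVE-2018-15133 (Laravel) is exploited through request headers that access logs do not record, so it is not matched here.

```python
"""Scan combined-format web access logs for Androxgh0st-style exploitation probes."""
import re
from dataclasses import dataclass

# Apache/Nginx "combined" log line:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Request-path indicators. ASSUMPTION: these paths come from public exploit
# write-ups for the CVEs the advisory names, not from the article itself.
INDICATORS = [
    ("CVE-2017-9841 (PHPUnit eval-stdin.php)",
     re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)),
    ("CVE-2021-41773 (Apache path traversal)",
     re.compile(r"/cgi-bin/(?:\.%2e|%2e%2e|%2e\.|\.\.)/", re.I)),
    (".env exposure probe",
     re.compile(r"(?:^|/)\.env(?:$|[?/])", re.I)),
]


@dataclass(frozen=True)
class Finding:
    ip: str
    indicator: str
    path: str
    status: int

    @property
    def succeeded(self) -> bool:
        """A 2xx/3xx on an exploit path means the target answered, not just that it was probed."""
        return self.status < 400


def scan_log(lines):
    """Return one Finding per log line whose request path matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"]
        for name, pattern in INDICATORS:
            if pattern.search(path):
                findings.append(Finding(m["ip"], name, path, int(m["status"])))
                break  # one indicator per line is enough
    return findings


def hits_per_source(findings):
    """Count matches per source IP; a single scanner usually stands out."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Jan/2024:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Jan/2024:10:01:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2024:10:02:11 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 400 226 "-" "curl/7.88"',
    '192.0.2.44 - - [16/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "RESPONDED" if f.succeeded else "blocked/404"
        print(f"{f.ip:15} {f.indicator:40} {f.status} {flag}  {f.path}")
    print(hits_per_source(scan_log(SAMPLE_LOG)))
```

A 200 on the eval-stdin.php path is the line to escalate: it means the PHPUnit test endpoint was reachable on a production host, which is the condition CVE-2017-9841 needs. The 404 on /.env and the 400 on the traversal attempt show a probe that was refused, which is still worth blocking at the source IP.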

North Korean hackers work with organized crime in Southeast Asia's money-laundering networks

A recent report from the United Nations Office of Drugs and Crime (UNODC) has revealed that North Korean hackers are actively collaborating with fraudsters, drug traffickers, and organized crime networks in Southeast Asia, particularly in the Mekong region, which includes Myanmar, Thailand, Laos, and Cambodia.

According to the UNODC report, Southeast Asia's casinos and junkets, catering to high-wealth players, along with unregulated cryptocurrency exchanges, have become integral components of the region's organized crime banking architecture. The report states that casinos have demonstrated efficiency in moving and laundering significant volumes of both cryptocurrency and traditional cash without detection, establishing channels for seamlessly integrating billions in criminal proceeds into the formal financial system.

Cybercriminal behind multi-million-dollar cryptojacking operation arrested in Ukraine

Ukraine’s police apprehended a 29-year-old individual allegedly responsible for a sophisticated cryptojacking operation that saw nearly $2 million stolen from one of the world’s largest e-commerce entities. The suspected hacker has been infecting the target’s servers since 2021. Initially, he infiltrated 1500 accounts of a subsidiary company using a custom password-cracking tool. He then used the compromised accounts to gain access to the service and install cryptomining malware onto the company’s servers. To sustain the malicious software's operation, the hacker created over a million virtual computers.

Two Russian cybercriminals charged in the US with hacking and data theft

The US authorities charged two Russian nationals, Aleksey Stroganov and Tim Stigal, with a series of fraud and related offenses. The charges are in connection with a sophisticated scheme involving extensive computer intrusions targeting individuals and companies.

Aleksey Stroganov, also known as “Aleksei Stroganov,” “flint,” “flint24,” “Gursky Oleg,” “Oleg Gurskiy,” and “Строганов Алексей Тимофеевич,” was allegedly part of a criminal conspiracy spanning from May 2007 to July 2017. The conspiracy involved hacking into computer networks to steal debit and credit card numbers, as well as personal identifying information associated with the cardholders.

Tim Stigal, also known as “Key” and “Тим Стигал,” is implicated in four separate conspiracies from April 2014 to March 2016. His involvement revolved around the sale of stolen payment card information. Stigal also allegedly attempted to extort one of the corporate victims by threatening to disclose confidential customer data unless a ransom was paid.

Both men could face lengthy prison terms if convicted.

The UK and Ukraine sign a security cooperation agreement

The UK and Ukraine’s authorities signed a bilateral “Agreement on Security Cooperation,” which primarily concentrates on defense and security cooperation, emphasizing intelligence and security collaboration.

Both nations commit to working together to detect, deter, and disrupt Russian conventional aggression, espionage, and hybrid warfare. The focus extends to enhancing cyber resilience, securing IT infrastructure, and supporting the modernization and reform of Ukraine's security and intelligence architecture.

