simontsui

@simontsui@infosec.exchange

Current open-source cyber threat intelligence, critical vulnerabilities, zero-days, proofs of concept, cybercrime/cyberespionage, threat actors/APTs, IOCs, and other cybersecurity and intelligence news.


BleepingComputer, to random

CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks.

https://www.bleepingcomputer.com/news/security/cisa-roundcube-email-server-bug-now-exploited-in-attacks/

simontsui,

@jerry I broke the KEV Catalog news at 10:09am, I demand headpats and scritches :blobcatadorable: https://infosec.exchange/@simontsui/111919139851462508

simontsui, to random

Hot off the press! CISA adds CVE-2023-43770 (6.1 medium) Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog

#CISA #KEV #KnownExploitedVulnerabilitiesCatalog #vulnerability #eitw #Roundcube #XSS #activeexploitation #CVE_2023_43770

simontsui,

Why you should care about CVE-2023-43770:
ESET Research previously reported on 25 October 2023 that the Winter Vivern APT was exploiting a similar RoundCube cross-site scripting vulnerability CVE-2023-5631 as a zero-day against European governmental entities and a think tank.

#CISA #KEV #KnownExploitedVulnerabilitiesCatalog #vulnerability #eitw #Roundcube #XSS #activeexploitation #CVE_2023_43770 #WinterVivern #APT #cyberespionage

simontsui, to Cybersecurity

CISA, on behalf of the collective group of industry and government partners that comprise the Joint Cyber Defense Collaborative (JCDC), released JCDC’s 2024 Priorities. Similar to the 2023 JCDC Planning Agenda, JCDC’s 2024 Priorities will help focus the collective group on developing high-impact and collaborative solutions to the most pressing cybersecurity challenges.

🔗 https://www.cisa.gov/topics/partnerships-and-collaboration/joint-cyber-defense-collaborative/2024-jcdc-priorities

simontsui,

See related CISA blog: Extending the Breadth and Depth of our Partnerships - JCDC 2024 Priorities

2024 priorities are defined around three focus areas. The first focus area, Defend Against Advanced Persistent Threat (APT) Operations, aligns JCDC strategic and operational efforts to counter known and suspected APT campaigns that target critical infrastructure sectors with the potential to impact National Critical Functions. The second focus area, Raise the Baseline, encompasses JCDC efforts to improve the cybersecurity posture of critical infrastructure entities to reduce the frequency and impact of cyber incidents. The third focus area, Anticipate Emerging Technology and Risks, seeks to decrease the likelihood and impact of AI-related threats and vulnerabilities to critical infrastructure providers.

simontsui, to Software

IEEE Spectrum opinion: Why Bloat Is Still Software’s Biggest Vulnerability: A 2024 plea for lean software

"The world ships too much code, most of it by third parties, sometimes unintended, most of it uninspected. Because of this, there is a huge attack surface full of mediocre code."

🔗 https://spectrum.ieee.org/lean-software-development

simontsui, to macos

BitDefender identified a macOS backdoor written in Rust that has a possible link to the ALPHV/BlackCat ransomware group. "Specifically, three out of the four command and control servers have been previously associated with ransomware campaigns targeting Windows clients. ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model." IOCs provided.
🔗 https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/

simontsui, to random

New Fortinet zero-day:
CVE-2024-21762 (9.6 critical) FortiOS - Out-of-bound Write in sslvpnd: An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.

Note: This is potentially being exploited in the wild.

🔗 https://www.fortiguard.com/psirt/FG-IR-24-015

simontsui,

Other Fortinet security advisories:

  • FG-IR-23-357 FortiClientEMS - Improper privilege management for site super administrator
  • FG-IR-23-268 FortiManager - Informative error messages
  • FG-IR-23-063 FortiNAC - XSS in Show Audit Log
  • FG-IR-24-029 FortiOS - Format String Bug in fgfmd
  • FG-IR-23-301 FortiOS - Fortilink lack of certificate validation
  • FG-IR-23-397 FortiOS & FortiProxy - CVE-2023-44487 - Rapid Reset HTTP/2 vulnerability

Other than CVE-2024-21762 in the original post, the vulnerabilities in these advisories (EDIT: Grammar) were not exploited in the wild.

simontsui,

Why you should care about CVE-2024-21762:

Fortinet vulnerabilities have historically been targeted by People’s Republic of China (PRC) state-sponsored cyber actors. On 19 January 2023, Mandiant reported the exploitation of FortiOS SSL VPN vulnerability CVE-2022-42475 as a zero-day by suspected Chinese threat actors. Mandiant published a subsequent blog post on 16 March 2023 detailing the exploitation of another FortiOS zero-day CVE-2022-41328 by the Chinese threat actor UNC3886. CISA, FBI and NSA assess that PRC state-sponsored cyber actors are seeking to position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. CISA’s joint cybersecurity advisory on 07 February 2024 states that Chinese Advanced Persistent Threat (APT) Volt Typhoon likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched. Fortinet also provided case studies of Volt Typhoon targeting of manufacturing, consulting, local government, and internet service provider sectors, and post-exploitation activity described as Living Off the Land (LotL) techniques.

simontsui, to random

Ivanti has a blog update and security advisory for a newly discovered Ivanti Connect Secure XML external entity (XXE) vulnerability CVE-2024-22024 (8.3 high). "We have no evidence of this vulnerability being exploited in the wild"
🔗 Blog: https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways-282024
Advisory: https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US

simontsui, to random

Check Point highlights the persistent threat of malicious Word/Excel Documents (maldocs):

  • Old Vulnerabilities Still Pose Risks: Despite being several years old, CVEs from 2017 and 2018 in Microsoft Word and Excel remain active threats in the cybersecurity landscape. Examples include CVE-2017-11882, CVE-2017-0199, and CVE-2018-0802.
  • Widespread Use by Cybercriminals: These vulnerabilities are exploited by well-known malware such as GuLoader, Agent Tesla, Formbook, and others. APT groups also got on the list, with Gamaredon APT being a notable example. They target lucrative sectors like finance, government, and healthcare, indicating a strategic approach by attackers.
  • Challenges in Detection: Despite their age, these MalDocs can evade detection due to their sophisticated construction and the use of various tricks to bypass security measures.

🔗 https://blog.checkpoint.com/security/maldocs-in-word-and-excel-a-persistent-cybersecurity-challenge/

simontsui, to random

Recorded Future has an 18 page report on Ransomware Exploitation of vulnerabilities for the past six years (2017). Here are the key findings:

  • Ransomware groups alone in exploiting three or more vulnerabilities exhibit a clear targeting focus, which defenders can use to prioritize security measures. For example, CL0P has uniquely and infamously focused on file transfer software from Accellion, SolarWinds, and MOVEit. Other ransomware groups with high levels of unique exploitation exhibit similar patterns.
  • All of the vulnerabilities ransomware groups have targeted most widely are in software frequently used by major enterprises and can be easily exploited via penetration testing modules or single lines of curl code. These vulnerabilities are ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), ZeroLogon (CVE-2020-1472), Log4Shell (CVE-2021-44228), CVE-2021-34527, and CVE-2019-19781.
  • Vulnerabilities requiring unique or custom vectors to exploit (for example, malicious files using particular forms of compression) are more likely to be exploited by only one or two groups.
  • Ransomware operators and affiliates are highly unlikely to discuss specific vulnerabilities, but the cybercriminal ecosystem that supports them has discussed publicly known vulnerabilities and products as targets of interest for exploitation.

🔗 https://www.recordedfuture.com/patterns-targets-ransomware-exploitation-vulnerabilities-2017-2023

simontsui, to cisco

Cisco security advisories:

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in these advisories.

riskybusiness, to random

This week's feature guest is CISA's assistant director for cybersecurity Eric Goldstein. He'll talk about CISA ordering USG agencies to disconnect their Ivanti equipment, the Volt Typhoon campaign and a Politico report into CISA's Joint Cyber Defense Collaborative. Up later today

simontsui,

HOT OFF THE PRESS: CISA: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
🔗 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

#China #cyberespionage #CISA #PRC #IOC #threatintel

simontsui, to news

Politico: Five external computer security professionals involved in CISA's Joint Cyber Defense Collaborative (JCDC) told POLITICO they and many colleagues have stopped contributing or have significantly pared back their involvement. While many of their complaints stem from how the program is organized, the discontent also represents another indirect impact of Donald Trump’s 2020 election fraud claims, now threatening to hamper largely apolitical cybersecurity work: CISA’s efforts to combat disinformation ahead of the 2020 election have made it a favorite target of conservatives, who accuse it of trying to censor their views online.
🔗 https://www.politico.com/news/2024/02/06/far-right-washington-private-hackers-00139413

simontsui, to random

Wake up sheeple: Fortinet just tried to hide two maximum severity vulnerabilities in an older security advisory:

  • CVE-2024-23108 (10.0 critical)
  • CVE-2024-23109 (10.0 critical)

Both have the same description: "An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via via crafted API requests."
🔗(10 October 2023) https://www.fortiguard.com/psirt/FG-IR-23-130

simontsui,

Fortinet lied after hiding vulnerabilities in an old advisory: @hacks_zach of Horizon3 posted a screenshot of his email with Fortinet PSIRT showing that he submitted CVE-2024-23108 and CVE-2024-23109. These are patch bypass vulnerabilities of CVE-2023-34992, according to a new and updated Bleeping Computer article.
🔗 Zach Hanley tweet: https://twitter.com/hacks_zach/status/1755309941982646695/photo/1
Bleeping Computer article: https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortisiem-rce-bugs-in-confusing-disclosure/

simontsui,

The Register summarizes Fortinet's week of bungled official responses from a publication's perspective, leading up to the disclosure of an exploited zero-day CVE-2024-21762 in FortiOS SSL VPN.
🔗 https://www.theregister.com/2024/02/09/a_look_at_fortinet_week/

evacide, to random
@evacide@hachyderm.io

Google's new report on the commercial surveillance industry calls out some shady companies that usually manage to fly under the radar, such as Negg Group and Variston: https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-

simontsui, to random

Yet another JetBrains TeamCity On-Prem vulnerability: CVE-2024-23917 (9.8 critical)

If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.

🔗 https://blog.jetbrains.com/teamcity/2024/02/critical-security-issue-affecting-teamcity-on-premises-cve-2024-23917/

#JetBrains #TeamCity #vulnerability #CVE_2024_23917 #authenticationbypass

simontsui,

Why you should care about CVE-2024-23917:
Russian Foreign Intelligence Service (SVR) exploited a similar JetBrains TeamCity authentication bypass vulnerability CVE-2023-42793 (9.8 critical) worldwide, as reported in a CISA cybersecurity advisory dated 13 December 2023, less than 2 months ago.

simontsui, to vmware

VMware security advisory for VMware Aria Operations for Networks. No mention of exploitation.

  • Local Privilege Escalation vulnerability CVE-2024-22237 (7.8 high)
  • Cross Site Scripting Vulnerability CVE-2024-22238 (6.4 medium)
  • Local Privilege Escalation vulnerability CVE-2024-22239 (5.3 medium)
  • Local File Read vulnerability CVE-2024-22240 (4.9 medium)
  • Cross Site Scripting vulnerability CVE-2024-22241 (4.3 medium)

🔗 https://www.vmware.com/security/advisories/VMSA-2024-0002.html

simontsui, to chrome

Hot off the press! CISA adds CVE-2023-4762 (8.8 high Google Chrome Type Confusion in V8 JavaScript Engine) to the Known Exploited Vulnerabilities Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog

simontsui,

Note: CVE-2023-4762 was initially disclosed by Google in a security advisory on 05 September 2023 (reported anonymously). In a post from 22 September 2023 (17 days later), Google Threat Analysis Group (TAG) assessed commercial spyware vendor Intellexa exploited CVE-2023-4762 as a zero-day:

The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762.

This bug had already been separately reported to the Chrome Vulnerability Rewards Program by a security researcher and was patched on September 5th. We assess that Intellexa was also previously using this vulnerability as a 0-day.

simontsui, to news

The Record: Chinese state-sponsored hackers broke into an internal computer network used by the Dutch Ministry of Defence last year, according to the Netherlands. Both the country’s military (MIVD) and civilian (AIVD) security services said the ministry had been hacked for espionage purposes after the threat actor exploited a vulnerability in FortiGate devices.
🔗 https://therecord.media/dutch-find-chinese-hackers-networks-fortinet

#news #TheRecord #China #cyberespionage #Fortinet #threatintel #Netherlands #MIVD #AIVD

simontsui,

(TLP:CLEAR) NCSC-NL report:

  • The Ministry of Defence (MOD) of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects were limited because of prior network segmentation.
  • Incident response uncovered previously unpublished malware, a remote access trojan (RAT) designed specifically for Fortigate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code.
  • The COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.
  • MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.
  • MIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
  • Organizations that use FortiGate devices can check if they are affected using the detection methods described in section 4 of this report. Refer to section 5 for advice for incident response.
  • Action that organizations can take to prevent future malicious activity: for all internet-facing (edge) devices, install security patches from the vendor as soon as they become available. More preventive steps are described in section 5 of this report.

🔗 https://www.ncsc.nl/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear

#news #TheRecord #China #cyberespionage #Fortinet #threatintel #Netherlands #MIVD #AIVD
