The Good | Modern Cyber Operations Disrupt Sophisticated Malware and Counter Insider Threats
This week, law enforcement agencies from around the world took significant action against cyber threats through a series of arrests and disruption operations.
In the United States, three former Department of Homeland Security employees, including a former Acting Inspector General, were sentenced for stealing the personal data of 200,000 federal employees along with proprietary government software. The trio admitted to conspiring to share the stolen assets with software developers in India in order to build a comparable commercial product and market it to other government agencies.
In Brazil, federal law enforcement detained several developers of Grandoreiro, a banking trojan that frequently targets Latin American countries. Cybersecurity researchers had discovered a design flaw in Grandoreiro's network protocol that allowed them to map the malware's victimology patterns. Active since 2017, Grandoreiro harvests banking information through keyloggers, and its operators use phishing lures and a domain generation algorithm (DGA) to evade detection. As of this writing, the malware operation has come to a complete halt following the arrests.
The FBI has successfully disrupted the KV Botnet, a component of Volt Typhoon's arsenal, after hacking its command and control (C2) server. The PRC-based state hackers were known to use the botnet to evade detection during their attacks on U.S. critical infrastructure in the communications, energy, transportation, and water sectors. The botnet was built from compromised devices such as cameras and vulnerable routers nearing the end of their service life. CISA and the FBI have issued guidance to small office/home office (SOHO) router manufacturers on protecting against the ongoing attacks, emphasizing automated security updates and secure web management interfaces.
The Bad | Continued String of New Ivanti Vulnerabilities Triggers First CISA Emergency Directive of 2024
In early January, we covered the ongoing exploitation of two zero-day vulnerabilities in Ivanti's Connect Secure and Policy Secure gateway products. Together, CVE-2023-46805 and CVE-2024-21887 allow unauthenticated command injection that exposes targeted systems and restricted resources to an attacker. According to reports, the attacks were carried out by UNC5221, a threat group observed using a variety of post-exploitation tools, credential harvesters, backdoors, and webshells.
This week's update adds two more high-severity flaws in the same Ivanti products. Tracked as CVE-2024-21888 and CVE-2024-21893, both are reported to be under limited, targeted exploitation in the wild. CVE-2024-21888 allows attackers to gain admin-level privileges, while CVE-2024-21893 is a server-side request forgery that lets attackers bypass authentication and access restricted resources.
Ivanti says CVE-2024-21888 has not affected any customers so far, but the Utah-based company has confirmed that the other flaw has been exploited in the wild in what appears to be a targeted fashion against a small number of customers. To stop attackers from establishing persistence in affected environments, Ivanti advises customers to perform a factory reset of their appliance before applying the patches.
To safeguard U.S. federal agencies, CISA has mandated that Ivanti Connect Secure and Policy Secure users disable any affected VPN appliances by Saturday, February 3, 2024. This is a required action under the first emergency directive of 2024 (ED-24-01), which directs all Federal Civilian Executive Branch (FCEB) agencies to protect their Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) devices from the Ivanti flaws.
The emergency directive underscores the ongoing danger posed by a number of vulnerable Ivanti products that have been the target of active attacks, including those reported in July and August 2023.
The Ugly | Two In-the-Wild Jenkins CI/CD Vulnerabilities Could Put Over 45K Servers at Risk
Jenkins, widely used in software development for Continuous Integration (CI) and Continuous Deployment (CD), has become the target of numerous proof-of-concept (PoC) exploits.
Security researchers identified the first flaw, CVE-2024-23897, which allows unauthenticated attackers with Overall/Read permission to read data from arbitrary files on the Jenkins server. If certain conditions are met, this can lead to privilege escalation and arbitrary remote code execution (RCE). Depending on the CLI commands available, even attackers without this permission can read the first few lines of files.
This vulnerability stems from a default feature of the Jenkins CLI's command parser that automatically replaces an @ character followed by a file path with that file's contents. Attackers exploiting CVE-2024-23897 can read arbitrary files on the Jenkins controller's file system, potentially compromising sensitive information depending on their permissions. Based on recent scans, approximately 45,000 publicly exposed Jenkins instances remain vulnerable to CVE-2024-23897.
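To make the mechanism concrete, the following is an added illustration written for this summary, not Jenkins or args4j code: a minimal argument parser whose default mode expands an "@<path>" token into that file's lines (the behaviour described above), beside a hardened mode that treats the token literally, plus a simple audit check a defender can run over logged CLI arguments. The file it reads is a constructed temporary file, and the function names are the example's own.

```python
"""Simulation of the '@file' argument-expansion behaviour behind CVE-2024-23897.

Constructed example, not Jenkins or args4j code: the parser shown here
mimics a CLI that replaces '@<path>' with the lines of that file by
default, and shows the hardened alternative of treating '@' literally.
"""
import os
import tempfile


def expand_args(args, at_file_expansion=True):
    """Return the effective argument list after optional '@<path>' expansion.

    With at_file_expansion=True (the risky default), an argument such as
    '@/some/path' is replaced by that file's lines, so whoever supplies the
    arguments chooses which file on the controller is read. With False the
    token is passed through unchanged, which is the hardened behaviour.
    """
    effective = []
    for arg in args:
        if at_file_expansion and arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                effective.extend(line.rstrip("\n") for line in fh)
        else:
            effective.append(arg)
    return effective


def suspicious_at_args(args):
    """Defender's audit: which arguments would trigger file expansion at all?

    Legitimate CI workflows rarely send '@' tokens to the CLI, so their
    presence in request logs is a cheap signal worth alerting on.
    """
    return [a for a in args if a.startswith("@") and len(a) > 1]


def demo():
    """Run both parser modes against a constructed stand-in for a sensitive file."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("constructed-secret-line-1\nconstructed-secret-line-2\n")
        path = tmp.name
    try:
        request = ["help", "@" + path]  # constructed CLI request
        leaked = expand_args(request)  # default mode: file lines replace the token
        hardened = expand_args(request, at_file_expansion=False)  # token kept as-is
        return leaked, hardened, suspicious_at_args(request)
    finally:
        os.unlink(path)
```

In the default mode the two constructed "secret" lines appear in the parsed argument list, while the hardened mode leaves the "@" token untouched, which is why disabling the expansion (or the CLI itself) closes the file-read path.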
Jenkins File Leak/RCE (CVE-2024-23897) has been used in the wild and successfully reproduced.
It is advised that administrators using Jenkins servers that permit anonymous users or user registration update to the most recent version right away.
— cshou (@shoucccc), January 25, 2024
The second flaw, CVE-2024-23898, is a cross-site WebSocket hijacking vulnerability that allows attackers to execute arbitrary CLI commands by tricking users into clicking malicious links. Jenkins fixed both flaws in late January, but validated PoCs are now available on GitHub, making it easy for attackers to scan for exposed servers and exploit them.
For administrators who can't patch immediately, Jenkins' security bulletin advises blocking access to the CLI entirely, which is expected to prevent exploitation completely. Applying this workaround does not require a Jenkins restart, and the Jenkins knowledge base article contains further instructions.