Cyber Threat Weekly – #32
The week of June 24th through June 30th picked up, with 439 cyber news articles reviewed. Only a light amount of cyber threat trend and adversarial behavior news to share. Let’s start with Juniper releasing a fix for a critical authentication bypass bug.
A critical GitLab flaw lets attackers run pipelines as any user. Russian state actors target TeamViewer’s corporate IT systems. The Polyfill CDN supply chain mess. Social engineers are going after healthcare IT workers. CISA issues guidance on modern network access.
Identity is the new perimeter, and infostealers are killing us. Fortra FileCatalyst Workflow critical bug, exploit released. MOVEit Transfer flaw, exploit attempts observed. Researchers dive into Cobalt Strike samples and infrastructure.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available, since the chance of exploitation rises sharply once working PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited in the wild or have weaponized PoC code available.
We should also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
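To make the prioritization above concrete, here is an added example (not code from the newsletter or from CISA) that turns the two rules into a patch plan: anything in KEV is tier 1, anything with weaponized PoC code is tier 2, and both get the 24-to-48-hour emergency window, with the 24-hour end reserved for Internet-exposed assets. The KEV feed below is a constructed sample in the shape of CISA’s JSON feed (field names follow the real feed; the entries and dates are illustrative), the findings list is a made-up inventory, and the 30-day standard cycle is an assumption.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow
# the real feed; the entries and dates are illustrative, not a copy of the catalog.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2020-13965", "vendorProject": "Roundcube", "product": "Webmail",
     "dateAdded": "2024-06-26", "dueDate": "2024-07-17"},
    {"cveID": "CVE-2022-2586", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2024-06-26", "dueDate": "2024-07-17"},
    {"cveID": "CVE-2022-24816", "vendorProject": "GeoSolutionsGroup", "product": "JAI-EXT",
     "dateAdded": "2024-06-26", "dueDate": "2024-07-17"}
  ]
}
"""

# Constructed scanner findings for a hypothetical environment. The CVE IDs are the
# ones discussed in this issue; hosts, exposure and PoC flags are made up.
FINDINGS = [
    {"cve": "CVE-2022-24816", "asset": "geoserver-edge-01", "internet_exposed": True,  "poc_weaponized": False},
    {"cve": "CVE-2024-5276",  "asset": "filecatalyst-wf-01", "internet_exposed": True,  "poc_weaponized": True},
    {"cve": "CVE-2022-2586",  "asset": "ci-runner-07",       "internet_exposed": False, "poc_weaponized": False},
    {"cve": "CVE-2024-5655",  "asset": "gitlab-internal",    "internet_exposed": False, "poc_weaponized": False},
]

# SLAs: the 24-to-48-hour emergency window for exploited or weaponized-PoC flaws;
# the 30-day standard cycle is an assumption for this example.
EMERGENCY_EXPOSED = timedelta(hours=24)
EMERGENCY_INTERNAL = timedelta(hours=48)
STANDARD_CYCLE = timedelta(days=30)


def load_kev_ids(feed_json):
    """Return the set of CVE IDs present in a KEV-shaped JSON feed."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(findings, kev_ids, now):
    """Assign each finding a tier, a reason and a patch deadline; most urgent first.

    Tier 1: listed in CISA KEV (exploited in the wild).
    Tier 2: weaponized PoC available but not (yet) in KEV.
    Tier 3: everything else, on the standard cycle.
    Internet-exposed emergency items get the 24-hour end of the window.
    """
    plan = []
    for f in findings:
        in_kev = f["cve"] in kev_ids
        if in_kev or f["poc_weaponized"]:
            tier = 1 if in_kev else 2
            reason = "CISA KEV" if in_kev else "weaponized PoC"
            sla = EMERGENCY_EXPOSED if f["internet_exposed"] else EMERGENCY_INTERNAL
        else:
            tier, reason, sla = 3, "standard cycle", STANDARD_CYCLE
        plan.append({"cve": f["cve"], "asset": f["asset"], "tier": tier, "reason": reason,
                     "internet_exposed": f["internet_exposed"], "due": now + sla})
    # Order: tier, then exposed before internal, then earliest deadline.
    plan.sort(key=lambda p: (p["tier"], not p["internet_exposed"], p["due"]))
    return plan


def build_plan(now=datetime(2024, 7, 1, 9, 0)):
    """Run the constructed findings through the prioritizer at a fixed 'now'."""
    return prioritize(FINDINGS, load_kev_ids(KEV_FEED_JSON), now)


if __name__ == "__main__":
    for p in build_plan():
        print(f"T{p['tier']} {p['cve']:<15} {p['asset']:<18} "
              f"{'exposed ' if p['internet_exposed'] else 'internal'} "
              f"due {p['due']:%Y-%m-%d %H:%M}  ({p['reason']})")
```

In practice you would replace KEV_FEED_JSON with the live feed CISA publishes and FINDINGS with your scanner export; the point of the ordering is that an exposed KEV item lands at the top with a 24-hour deadline even when its CVSS score is unremarkable.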
CISA Known Exploited Vulnerabilities for June 24th to June 30th:
CVE-2020-13965 – Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability:
Allows a remote attacker to manipulate data via a malicious XML attachment.
CVE-2022-2586 – Linux Kernel Use-After-Free Vulnerability:
Allows local attackers to escalate privileges.
CVE-2022-24816 – GeoSolutionsGroup JAI-EXT Code Injection Vulnerability:
When a program uses jt-jiffle and allows a Jiffle script to be supplied via a network request, an attacker can achieve remote code execution.
Juniper Authentication Bypass Bug Fix Available
Tracked as CVE-2024-2973, the flaw lets an attacker bypass authentication and take full control of the device. It affects the Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router product lines. The silver lining: only systems running in high-availability mode are affected.
Critical GitLab Flaw Fixed
CVE-2024-5655, scoring 9.6 out of 10, allows threat actors to run pipelines as any user. The same release fixes 13 other issues as well.
APT29 Targets Corporate IT Systems, Says TeamViewer
Russian threat actors gained access using employee credentials, likely stolen. TeamViewer maintains the attack was contained to its corporate IT environment, with no evidence of access to customer data, product environments, or the connectivity platform.
https://therecord.media/teamviewer-cozy-bear-hack-confirmed
https://www.teamviewer.com/en-us/resources/trust-center/statement/
Multiple CDNs (Polyfill.io), Massive Supply Chain Attack Campaign
Researchers found four different CDNs owned by a single operator, so the full scope of the campaign is not yet known. Polyfill code lets older browsers support modern functionality. The original Polyfill service project developer says no website requires any polyfills today.
https://sansec.io/research/polyfill-supply-chain-attack
Healthcare IT Workers Targeted by Social Engineering Attacks
Threat actors are manipulating IT help desk workers to gain initial access. Once inside, they move to living-off-the-land behavior that eventually leads to diverted ACH payments. Look for this in other verticals too.
https://www.bankinfosecurity.com/fbi-hhs-warn-health-sector-payment-diversion-schemes-a-25638
https://www.ic3.gov/Media/News/2024/240624.pdf
Modern Network Access Guidance Released by CISA
We need to step it up. Let’s face it: with the rash of VPN vulnerabilities this year leading to breaches, it’s time to rethink network access. Single-factor RDP web portals are no longer cutting it. CISA and partners are offering guidance on modern solutions such as zero trust, security service edge (SSE), and secure access service edge (SASE). With better architecture and updated security technologies, we can step up our game against an aggressive adversary.
https://www.darkreading.com/cyber-risk/cisa-releases-guidance-on-network-access-vpns
Infostealers and Legit Credentials are a Boon for Threat Actors
Legit credentials harvested by infostealers, missing or misconfigured MFA, and MFA bypass are a recipe for threat actors to keep thriving. We need to focus on hygiene, early detection, and our attack surface.
https://blog.talosintelligence.com/infostealer-landscape-facilitates-breaches/
Critical SQL Injection Flaw, Exploit Available, Fortra FileCatalyst Workflow
A fix is available for CVE-2024-5276, a SQL injection that allows creation of an administrative user and some data manipulation.
https://www.fortra.com/security/advisory/fi-2024-008
https://www.tenable.com/security/research/tra-2024-25
MOVEit Transfer Bug Publicly Disclosed, Exploit Attempts Observed
Two critical flaws, each with a CVSS score of 9.1, have been addressed. So far, there are no reports of operational impact affecting customers.
https://thehackernews.com/2024/06/new-moveit-transfer-vulnerability-under.html
Cobalt Strike Profiles Explored
Researchers analyze Cobalt Strike beacon samples and the infrastructure behind them, pivoting from a malleable C2 profile hosted in a public code repository.
https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/
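Because public malleable C2 profiles are reused, their URIs, User-Agent and client headers double as detection content. The example below is added here and is not code from the newsletter or from Unit 42: it parses a constructed profile written in the real Malleable C2 syntax (the values are illustrative, not copied from any published profile), pulls the http-get and http-post indicators out of it, and runs them over a few constructed JSON proxy log lines, alerting only when the URI matches and either the User-Agent or the full client header set matches too.

```python
import json
import re

# Constructed Malleable C2 profile in the real profile syntax (illustrative
# values, not copied from any published profile).
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
PROFILE = f'set useragent "{UA}";\n' + r'''
set sleeptime "45000";
set jitter "20";

http-get {
    set uri "/api/v2/status /cdn/assets/app.js";
    client {
        header "Accept" "*/*";
        header "Accept-Language" "en-US";
        metadata { base64url; prepend "__cfduid="; header "Cookie"; }
    }
    server {
        header "Server" "nginx";
        output { base64; print; }
    }
}

http-post {
    set uri "/api/v2/submit";
    client {
        header "Content-Type" "application/octet-stream";
        id { parameter "session"; }
        output { base64; print; }
    }
    server { header "Server" "nginx"; output { base64; print; } }
}
'''


def _block(text, name):
    """Return the body of the first `name { ... }` block, honouring nested braces."""
    m = re.search(rf"\b{name}\s*\{{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def _setting(text, key):
    """Value of the first `set key "value";` statement in text, or ''."""
    m = re.search(rf'set\s+{key}\s+"([^"]*)"\s*;', text)
    return m.group(1) if m else ""


def parse_profile(text):
    """Extract the indicators a network sensor can match on."""
    ind = {"useragent": _setting(text, "useragent")}
    for verb in ("http-get", "http-post"):
        body = _block(text, verb)
        client = _block(body, "client")
        ind[verb] = {
            "uris": _setting(body, "uri").split(),          # `set uri` may list several
            "headers": dict(re.findall(r'header\s+"([^"]+)"\s+"([^"]*)"\s*;', client)),
        }
    return ind


# Constructed JSON-lines proxy log: one beaconing host (10.0.4.23), two benign requests.
_REQUESTS = [
    {"src": "10.0.4.23", "method": "GET", "uri": "/api/v2/status", "user_agent": UA,
     "headers": {"Accept": "*/*", "Accept-Language": "en-US", "Cookie": "__cfduid=QUJD"}},
    {"src": "10.0.4.23", "method": "POST", "uri": "/api/v2/submit?session=1042", "user_agent": UA,
     "headers": {"Content-Type": "application/octet-stream"}},
    {"src": "10.0.7.9", "method": "GET", "uri": "/api/v2/status", "user_agent": "curl/8.4.0",
     "headers": {"Accept": "*/*"}},
    {"src": "10.0.7.9", "method": "GET", "uri": "/index.html", "user_agent": UA,
     "headers": {"Accept": "text/html"}},
]
PROXY_LOG = "\n".join(json.dumps(r) for r in _REQUESTS)


def match_request(req, ind):
    """Return the matched indicator names, or None if the request is not suspicious enough."""
    spec = ind["http-get" if req["method"] == "GET" else "http-post"]
    if req["uri"].split("?", 1)[0] not in spec["uris"]:
        return None                                     # URI match is mandatory
    hits = ["uri"]
    if req["user_agent"] == ind["useragent"]:
        hits.append("useragent")
    hdrs = req.get("headers", {})
    if spec["headers"] and all(hdrs.get(k) == v for k, v in spec["headers"].items()):
        hits.append("headers")
    return hits if len(hits) >= 2 else None             # URI alone is too noisy


def scan_log(log_text, ind):
    """Parse JSON-lines proxy records and return alerts for beacon-like requests."""
    alerts = []
    for line in log_text.strip().splitlines():
        req = json.loads(line)
        hits = match_request(req, ind)
        if hits:
            alerts.append({"src": req["src"], "method": req["method"],
                           "uri": req["uri"], "matched": hits})
    return alerts


if __name__ == "__main__":
    for a in scan_log(PROXY_LOG, parse_profile(PROFILE)):
        print(a)
```

The URI-only requirement is deliberately not enough to alert: a profile that borrows a generic path such as /api/v2/status will collide with legitimate traffic, which is why the User-Agent string or the exact client header set has to agree as well.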
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter