
Cyber Threat Weekly – #32

Derek Krein
4 min read

The week of June 24th through June 30th picked up, with 439 cyber news articles reviewed.  Only a light amount of cyber threat trend and adversarial behavior news to share.  Let’s start with Juniper releasing a fix for a critical authentication bypass bug.

Run pipelines as any user in GitLab, critical flaw.  Russian state actors target TeamViewer corporate IT systems.  The Polyfill CDN supply chain mess.  Social engineers are going after healthcare IT workers.  CISA issues guidance on modern network access.

Identity has been the new perimeter, and infostealers are killing us.  Fortra FileCatalyst Workflow critical bug, exploit released.  MOVEit Transfer flaw, exploit attempts observed.  Researchers dive into Cobalt Strike samples and infrastructure.


Broken Record Alert:  Please patch N-day bugs!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.

A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available.  The chance of exploitation is higher once weaponized PoC code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.

We should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
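As an added illustration of the prioritization above (not code from the newsletter), the script below merges scanner findings with a KEV-style catalog excerpt and assigns each finding a tier and deadline: KEV entries first (24 hours), weaponized-PoC flaws second (48 hours), everything else on the normal cycle, with Internet-exposed assets sorted to the top of each tier. The catalog excerpt reuses the KEV JSON field names but its dates are sample values, and the findings list, asset names and PoC flags are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed KEV-style excerpt using the CISA feed's field names (cveID, product,
# dateAdded). CVE ids are from this week's KEV additions; dateAdded is sample data.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2020-13965", "product": "Roundcube Webmail", "dateAdded": "2024-06-26"},
 {"cveID": "CVE-2022-2586", "product": "Linux Kernel", "dateAdded": "2024-06-26"},
 {"cveID": "CVE-2022-24816", "product": "JAI-EXT", "dateAdded": "2024-06-26"}
]}"""

# Constructed scanner findings: asset names, exposure and PoC flags are sample data
# (CVE-2023-0000 is a placeholder id, not a real finding).
FINDINGS = [
    {"asset": "mail-01", "cve": "CVE-2020-13965", "poc_public": True, "internet_exposed": True},
    {"asset": "build-07", "cve": "CVE-2024-5655", "poc_public": False, "internet_exposed": False},
    {"asset": "ftp-02", "cve": "CVE-2024-5276", "poc_public": True, "internet_exposed": True},
    {"asset": "lab-03", "cve": "CVE-2023-0000", "poc_public": False, "internet_exposed": False},
]

# Tier -> patch deadline relative to the triage date.
DEADLINES = {1: timedelta(hours=24), 2: timedelta(hours=48), 3: timedelta(days=30)}


def load_kev(kev_json):
    """Return the set of CVE ids listed in a KEV catalog document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def triage(findings, kev_ids, today):
    """Tier 1: in KEV. Tier 2: weaponized PoC public. Tier 3: normal cycle.
    Within a tier, Internet-exposed assets come first, then by asset name."""
    rows = []
    for f in findings:
        tier = 1 if f["cve"] in kev_ids else 2 if f["poc_public"] else 3
        rows.append({**f, "tier": tier, "due": today + DEADLINES[tier]})
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["asset"]))
    return rows


def weekly_report(today=datetime(2024, 7, 1)):
    """Run the triage over the embedded sample data for a fixed date."""
    return triage(FINDINGS, load_kev(KEV_JSON), today)


if __name__ == "__main__":
    for row in weekly_report():
        print(row["tier"], row["due"].date(), row["asset"], row["cve"])
```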


CISA Known Exploited Vulnerabilities for June 24th to June 30th:

CVE-2020-13965 – Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability:
Allows a remote attacker to manipulate data via a malicious XML attachment.

CVE-2022-2586 – Linux Kernel Use-After-Free Vulnerability:
Allows local attackers to escalate privileges.

CVE-2022-24816 – GeoSolutionsGroup JAI-EXT Code Injection Vulnerability:
When programs use jt-jiffle and allow a Jiffle script to be supplied via a network request, remote code execution is possible.


Juniper Authentication Bypass Bug Fix Available

Tracked as CVE-2024-2973, the flaw lets threat actors bypass authentication and achieve full control of the device.  It affects the Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router product lines.  The silver lining: this flaw only affects systems running in high-availability (redundant) modes.

https://www.bleepingcomputer.com/news/security/juniper-releases-out-of-cycle-fix-for-max-severity-auth-bypass-flaw/

https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-Bulletin-Session-Smart-Router-SSR-On-redundant-router-deployments-API-authentication-can-be-bypassed-CVE-2024-2973?language=en_US


Critical GitLab Flaw Fixed

CVE-2024-5655, scoring a 9.6 out of 10, allows threat actors to run pipelines as any user.  Fixes for 13 other issues are included in the same release.

https://www.bleepingcomputer.com/news/security/critical-gitlab-bug-lets-attackers-run-pipelines-as-any-user/

https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/#run-pipelines-as-any-user


APT29 Targets Corporate IT Systems, Says TeamViewer

Russian state actors (APT29) gained access using an employee’s credentials, which were likely stolen.  TeamViewer maintains the attack was contained to its corporate IT environment, with no evidence of access to client data, product environments, or the connectivity platform.

https://therecord.media/teamviewer-cozy-bear-hack-confirmed

https://www.teamviewer.com/en-us/resources/trust-center/statement/


Multiple CDNs (Polyfill.io), Massive Supply Chain Attack Campaign

Researchers traced four different CDNs to a single operator.  The full scope of the campaign is not yet known.  Polyfill code gives older browsers modern functionality they lack natively.  The original developer of the Polyfill service says no website requires any polyfills today.

https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/

https://www.bleepingcomputer.com/news/security/polyfill-claims-it-has-been-defamed-returns-after-domain-shut-down/

https://sansec.io/research/polyfill-supply-chain-attack

https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/
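As an added example (not from the newsletter or the cited researchers), the audit below walks a page’s `<script src>` tags and flags two things: scripts served from hosts named in this week’s reporting (polyfill.io, bootcdn, bootcss, staticfile) and third-party scripts with no Subresource Integrity (SRI) hash. Since a service that assembles a different bundle per client cannot be pinned with SRI, the watched-CDN finding calls for removing the tag, in line with the developer’s advice that no site needs polyfills today. The sample HTML, the first-party host name and the `cdn.example.net` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host-name fragments from this week's reporting; a watch list to extend, not a
# complete indicator set.
WATCHED_HOSTS = ("polyfill.io", "bootcdn", "bootcss", "staticfile")

# Constructed sample page: one watched CDN script, one pinned third-party script,
# one unpinned third-party script and one first-party script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/other.js"></script>
<script src="/js/app.js"></script>
</head></html>"""


class ScriptAudit(HTMLParser):
    """Collect external script tags and record why each one is risky."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script, out of scope here
        # Protocol-relative URLs ("//host/x.js") need a scheme for urlparse.
        host = urlparse(src if "://" in src else "https:" + src).hostname or ""
        if not host or host == self.page_host:
            return  # first-party script, not a CDN dependency
        reasons = []
        if any(w in host for w in WATCHED_HOSTS):
            reasons.append("watched-cdn")  # remove the tag; SRI cannot pin dynamic bundles
        if not a.get("integrity"):
            reasons.append("no-sri")  # pin with an integrity hash or self-host
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, page_host):
    """Return [(src, reasons)] for every risky external script in the page."""
    parser = ScriptAudit(page_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_HTML, "www.example.com"):
        print(",".join(reasons), src)
```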


Healthcare IT Workers Targeted by Social Engineering Attacks

Threat actors are socially engineering IT help desk workers to gain initial access.  Once inside, they shift to living-off-the-land behavior that eventually leads to diverted ACH transactions.  Look for this in other verticals too.

https://www.bankinfosecurity.com/fbi-hhs-warn-health-sector-payment-diversion-schemes-a-25638

https://www.ic3.gov/Media/News/2024/240624.pdf


Modern Network Access Guidance Released by CISA

We need to step it up.  Let’s face it, with the rash of VPN vulnerabilities this year leading to breaches, it’s time to rethink network access.  Single-factor RDP web portals are no longer cutting it.  CISA and partners are offering guidance on modern solutions such as zero trust, security service edge (SSE), and secure access service edge (SASE).  With better architecture and updated security technologies, we can step up our game against an aggressive adversary.

https://www.darkreading.com/cyber-risk/cisa-releases-guidance-on-network-access-vpns

https://www.cisa.gov/sites/default/files/2024-06/joint-guide-modern-approaches-to-secure-network-access-security-508c.pdf


Infostealers and Legit Credentials are a Boon for Threat Actors

Legit credentials from infostealers, missing or improperly configured MFA, and MFA bypass are a recipe for threat actors to continue to thrive.  We need to focus on hygiene, early detection, and our attack surface.

https://blog.talosintelligence.com/infostealer-landscape-facilitates-breaches/


Critical SQL Injection Flaw, Exploit Available, Fortra FileCatalyst Workflow

A fix is available for CVE-2024-5276, which allows creation of an administrative user and some data manipulation.

https://www.bleepingcomputer.com/news/security/exploit-for-critical-fortra-filecatalyst-workflow-sqli-flaw-released/

https://www.fortra.com/security/advisory/fi-2024-008

https://www.tenable.com/security/research/tra-2024-25


MOVEit Transfer Bug Publicly Disclosed, Exploit Attempts Observed

Two critical flaws with a CVSS score of 9.1, one in MOVEit Transfer and one in MOVEit Gateway, have been addressed.  So far, there are no reports of operational impact to customers.

https://thehackernews.com/2024/06/new-moveit-transfer-vulnerability-under.html

https://community.progress.com/s/article/MOVEit-Gateway-Critical-Security-Alert-Bulletin-June-2024-CVE-2024-5805

https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806

https://www.rapid7.com/blog/post/2024/06/25/etr-authentication-bypasses-in-moveit-transfer-and-moveit-gateway/


Cobalt Strike Profiles Explored

Researchers share attacker infrastructure and beacon profiles, based on a profile hosted on a public code repository.

https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/

