Featured Story
Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities
Google-owned Mandiant identified new malware used by China-nexus espionage actor UNC5221 and others during post-exploitation targeting Ivanti Connect Secure VPN and Policy Secure devices. These attacks exploit CVE-2023-46805 and CVE-2024-21887 to execute arbitrary commands with elevated privileges.
The vulnerabilities have been exploited since December 2023. Germany’s BSI has confirmed multiple compromised systems. Open-source tools such as Impacket, CrackMapExec, iodine, and Enum4linux are used in the post-exploitation stage.
Ivanti has also disclosed CVE-2024-21888 and CVE-2024-21893, with the latter under active exploitation. CISA urged agencies to disconnect affected systems and investigate before reconnecting.
Ivanti continues to be a high-value target due to repeated zero-day exploits. We recommend isolating unpatched systems and applying updates immediately. See Ivanti’s official blog for patch information.
Other Highlights
Root Access Vulnerability in GNU C Library (glibc) Impacts Many Linux Distros
Qualys discovered multiple glibc vulnerabilities, including CVE-2023-6246, a heap-based buffer overflow allowing privilege escalation via syslog. It affects glibc versions since 2.37 (August 2022) and major Linux distros like Debian, Ubuntu, and Fedora.
Even though this is not remotely exploitable, it impacts a wide range of internal systems. Patch management is essential. We can assist in prioritizing and remediating affected hosts.
Telegram Marketplaces Fuel Phishing Attacks with Easy-to-Use Kits and Malware
Telegram has become a key platform for distributing phishing kits, malware, and even hacker services, with ready-to-use kits selling for as little as $230. This accessibility is driving a surge in phishing campaigns globally.
Phishing remains a top entry point for attackers. Combine technical defenses with training, awareness campaigns, and clear reporting mechanisms to reduce risk.
HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining
HeadCrab malware has evolved into a fileless variant infecting Redis servers. Aqua Security reports over 2,300 infected servers running cryptocurrency mining operations while evading detection through stealthy techniques and kernel-level control.
Redis servers exposed to the internet are prime targets. Prioritize patching, implement access restrictions, and ensure logging and monitoring are enabled.
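The access-restriction and logging points above can be checked mechanically against a redis.conf before an instance is exposed. The script below is an added example written for this digest, not code from Aqua Security or the Redis project. It parses a configuration file using the real redis.conf directive names (bind, protected-mode, requirepass, user, aclfile, rename-command, logfile) and reports settings that leave an instance reachable without authentication or without a log trail. The two sample configurations and the DANGEROUS_COMMANDS policy list are constructed for illustration.

```python
"""Audit a redis.conf for settings that leave a server exposed.

Added example for this digest; not code from Aqua Security or the Redis project.
Directive names are the real redis.conf keys; the sample configs are constructed.
"""
from __future__ import annotations

import shlex

# Commands worth disabling or renaming on a reachable instance.
# Hypothetical policy list for this example; adjust to your environment.
DANGEROUS_COMMANDS = {"CONFIG", "DEBUG", "MODULE", "SLAVEOF", "REPLICAOF"}


def parse_redis_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to a list of argument lists (directives such as
    rename-command may repeat, so every occurrence is kept)."""
    directives: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values like logfile ""
        key, args = parts[0].lower(), parts[1:]
        directives.setdefault(key, []).append(args)
    return directives


def audit_redis_conf(text: str) -> list[str]:
    """Return a list of human-readable findings; empty means no issue found."""
    conf = parse_redis_conf(text)
    findings: list[str] = []

    # 1. Network exposure: no bind directive, or bound to every interface.
    bind = conf.get("bind", [[]])[-1]
    if not bind or any(addr in ("0.0.0.0", "::", "*") for addr in bind):
        findings.append("bind: instance listens on all interfaces")

    # 2. protected-mode off admits unauthenticated remote clients when no
    #    password is set (the default is yes).
    if conf.get("protected-mode", [["yes"]])[-1][:1] == ["no"]:
        findings.append("protected-mode: disabled")

    # 3. No authentication configured at all (legacy password or ACLs).
    if not any(k in conf for k in ("requirepass", "user", "aclfile")):
        findings.append("requirepass: no password and no ACL users configured")

    # 4. Dangerous commands still reachable under their normal names.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in sorted(DANGEROUS_COMMANDS - renamed):
        findings.append(f"rename-command: {cmd} not renamed or disabled")

    # 5. logfile "" (the default) logs only to stdout, which is usually lost
    #    when daemonized and leaves nothing for incident investigation.
    logfile = conf.get("logfile", [[""]])[-1]
    if not logfile or logfile[0] == "":
        findings.append("logfile: empty (logs only to stdout)")

    return findings


# Constructed sample: a typical internet-exposed misconfiguration.
WEAK_CONF = """
port 6379
protected-mode no
daemonize yes
logfile ""
"""

# Constructed sample: the same instance hardened (password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE_ME_placeholder
rename-command CONFIG ""
rename-command DEBUG ""
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
logfile /var/log/redis/redis-server.log
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] {len(audit_redis_conf(conf))} finding(s)")
        for finding in audit_redis_conf(conf):
            print("  -", finding)
```

Run it against a real configuration with `audit_redis_conf(open("/etc/redis/redis.conf").read())`; the weak sample yields nine findings and the hardened sample none. The checks cover configuration only: a server patched against the exploited flaw but still reachable on every interface without a password remains a target, so treat a clean audit as a starting point, not proof of safety.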
Beware of Investment Fraud Exploiting Deepfakes
Safeonweb has issued a warning about deepfake-driven investment scams. Fraudsters are using AI-manipulated videos of Belgian public figures to promote fake investment opportunities, luring victims into financial traps.
Verify all financial advice through trusted channels. Be skeptical of unsolicited opportunities, especially those using public figure endorsements. Report suspicious activity to authorities immediately.