
Blog article

Weekly Digest Week 5 – 2024

Publication date

02.02.2024

Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities

Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices.

The infection chains entail a successful exploitation of CVE-2023-46805 and CVE-2024-21887, which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges.

The flaws have been abused as zero-days since early December 2023. Germany’s Federal Office for Information Security (BSI) said it’s aware of « multiple compromised systems » in the country.

Furthermore, the attacks are characterized by the use of open-source utilities such as Impacket, CrackMapExec, iodine, and Enum4linux to support post-exploitation activity on Ivanti CS appliances, including network reconnaissance, lateral movement, and data exfiltration within victim environments.

Ivanti has since disclosed two more security flaws, CVE-2024-21888 and CVE-2024-21893, the latter of which has come under active exploitation targeting a « limited number of customers. » The company has also released the first round of fixes to address the four vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued supplemental guidance urging agencies running affected Ivanti Connect Secure and Policy Secure products to disconnect them from their networks « as soon as possible and no later than 11:59 p.m. on Friday February 2, 2024, » and to look for signs of compromise before bringing them back online after applying the patches.

Analysis from our SOC team
Since last year, Ivanti has been plagued by zero-days discovered and exploited in its devices. Both cyber criminals and state actors are interested in exploiting these edge devices to gain initial access to environments of interest, because a VPN gateway sits on the perimeter and is reachable from the internet by design.

More information about the impacted versions and available patches can be found on Ivanti’s blog: https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways 


The Qualys Threat Research Unit discovered four security vulnerabilities in the GNU C Library (glibc), including a heap-based buffer overflow tracked as CVE-2023-6246.

GNU C Library (glibc) is a free software library that provides essential system services for Linux and other Unix-like operating systems.

The flaw resides in glibc's syslog() and vsyslog() functions (in the internal __vsyslog_internal() routine they share). A local attacker can exploit it to escalate privileges and obtain root.

The vulnerable code was committed in August 2022 and shipped in glibc 2.37; it was also backported to glibc 2.36.

The researchers pointed out that the vulnerability cannot be exploited remotely: an attacker triggers it by providing crafted inputs to an application that calls these logging functions, for example a setuid binary.

The researchers pointed out that glibc is present in the vast majority of Linux operating system distributions. Qualys tested the vulnerability across Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39). Other distributions are probably also impacted.

Analysis from our SOC team
While this vulnerability cannot be exploited remotely, it is present on a very large number of systems. If it is not patched in time, an attacker who already has a foothold can abuse it to escalate their privileges in your environment.

As always, proper patch management is an important factor in keeping your environment cyber secure. Internal servers can have a lower priority but should never be exempt purely because they’re internal.

Contact our SOC if you need assistance in identifying vulnerable servers and to receive guidance in patch prioritization.
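As an added example (not code from the Approach digest or from Qualys), the following POSIX shell helper turns glibc version strings collected from hosts (the last field of `ldd --version` or `getconf GNU_LIBC_VERSION`) into a patch-priority list for CVE-2023-6246. The affected upstream range (2.36 via backport, 2.37, 2.38; fixed in 2.39) is taken from the Qualys advisory; the host inventory and the `internet`/`internal` exposure labels are constructed here for the demonstration. Because distributions backport fixes without changing the version number, a hit means "verify against the distro advisory or package changelog", never "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not from the Approach digest or Qualys: triage helper for
# CVE-2023-6246. Upstream-affected range: 2.36 (backport), 2.37, 2.38;
# fixed in 2.39. Distro backports keep the old version string, so an
# "in-range" verdict only says "check the vendor advisory".

# Extract "major.minor" from a version line. Both `ldd --version` and
# `getconf GNU_LIBC_VERSION` print the version as the last field, e.g.
#   "ldd (Ubuntu GLIBC 2.38-1ubuntu6) 2.38"  -> 2.38
#   "glibc 2.36"                             -> 2.36
glibc_version_from_line() {
    printf '%s\n' "$1" | awk '{ v = $NF; sub(/^[^0-9]*/, "", v); sub(/[^0-9.].*$/, "", v); print v }'
}

# Classify a version line against the upstream-affected range.
cve_2023_6246_upstream_status() {
    v=$(glibc_version_from_line "$1")
    case "$v" in
        2.*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    minor=${v#2.}
    minor=${minor%%.*}
    case "$minor" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    if [ "$minor" -lt 36 ]; then
        echo "not-affected"
    elif [ "$minor" -ge 39 ]; then
        echo "fixed-upstream"
    else
        echo "in-range-verify-distro-patch"
    fi
}

# Inventory lines: "<host> <exposure> <version line>", exposure being
# 'internet' or 'internal'. Hosts that need no work are dropped; the rest
# are ranked: in-range internet-facing first, in-range internal second
# (lower priority, never exempt), unknown last so they get looked at.
prioritize_hosts() {
    while IFS= read -r line; do
        host=${line%% *}; rest=${line#* }
        exposure=${rest%% *}; vline=${rest#* }
        status=$(cve_2023_6246_upstream_status "$vline")
        case "$status" in
            in-range*) rank=$([ "$exposure" = internet ] && echo 1 || echo 2) ;;
            unknown)   rank=3 ;;
            *)         continue ;;
        esac
        printf '%s %s %s %s\n' "$rank" "$host" "$exposure" "$status"
    done | sort -n
}

# Constructed sample inventory (not real hosts).
inventory='web01 internet ldd (Ubuntu GLIBC 2.38-1ubuntu6) 2.38
db01 internal glibc 2.36
bastion internet ldd (GNU libc) 2.35
build01 internal ldd (GNU libc) 2.39
legacy internal not-installed'

printf '%s\n' "$inventory" | prioritize_hosts
```

Feed it the real output of `ldd --version | head -n1` from each host (for example collected over your existing inventory tooling) and confirm every in-range hit against the distribution's advisory before treating it as open.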


Cybersecurity researchers are calling attention to the « democratization » of the phishing ecosystem owing to the emergence of Telegram as an epicenter for cybercrime, enabling threat actors to mount a mass attack for as little as $230.

« This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims’ data, » Guardio Labs researchers Oleg Zaytsev and Nati Tal said in a new report.

« Free samples, tutorials, kits, even hackers-for-hire – everything needed to construct a complete end-to-end malicious campaign. » The company also described Telegram as a « scammers paradise » and a « breeding ground for modern phishing operations. »

As a result, what used to be available only on invite-only forums in the dark web is now readily accessible via public channels and groups, thereby opening the doors of cybercrime to aspiring and inexperienced cyber criminals.

« Unfortunately, with just a small investment, anyone can start a significant phishing operation, regardless of prior knowledge or connections in the criminal underworld. »

Analysis from our SOC team
Phishing remains one of the most common ways to gain access to (corporate) accounts or environments. As the criminal underground matures, the services and software behind it mature as well, becoming more widespread and more easily accessible.

Good, well-configured mail protection, trained employees and a playbook to follow in case of emergency help reduce and contain the threat phishing poses to your organisation's environment.


Cybersecurity researchers have detailed an updated version of the malware HeadCrab that’s known to target Redis database servers across the world since early September 2021.

The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve.

The cloud security firm said that « the campaign has almost doubled the number of infected Redis servers, » with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023.

HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.

Analysis from our SOC team
Patching internet-exposed servers as soon as possible is of the utmost importance if you do not want them used by criminals in various ways. This story shows that not all criminals are interested in spreading ransomware; some prefer a lower-impact approach such as cryptomining. That way of working can give an attacker a longer-term return on their effort, as the money comes in slowly but surely and the victim may not notice for a long time.

Contact our SOC if you need assistance in identifying vulnerable servers and to receive guidance in patch prioritization.
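As an added example (not code from the Approach digest or from Aqua's HeadCrab research), the following POSIX shell script audits and hardens a redis.conf against the precondition the story names: a Redis server reachable from the internet that anyone can talk to. The weak sample configuration is constructed here for the demonstration; the script assumes Redis 6+ directive syntax and that `rename-command` is still honoured (see the note after the block for Redis 7 ACLs).

```shell
#!/bin/sh
# Added example, not from the Approach digest or Aqua: audit and harden a
# redis.conf so the instance is not an open, unauthenticated target.
# Assumptions: Redis 6+ syntax; rename-command still supported.

# Print one line per weak setting found in the given redis.conf.
redis_conf_findings() {
    conf="$1"
    # No bind directive at all means Redis listens on every interface.
    grep -Eq '^[[:space:]]*bind[[:space:]]+[^[:space:]]' "$conf" \
        || echo "no bind directive: listens on all interfaces"
    grep -Eq '^[[:space:]]*bind[[:space:]]+.*(0\.0\.0\.0|[*])' "$conf" \
        && echo "bind includes a wildcard address"
    grep -Eq '^[[:space:]]*protected-mode[[:space:]]+no' "$conf" \
        && echo "protected-mode explicitly disabled"
    grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$conf" \
        || echo "no requirepass: unauthenticated access"
    # MODULE LOAD pulls an arbitrary shared object into the Redis process.
    grep -Eq '^[[:space:]]*rename-command[[:space:]]+MODULE[[:space:]]+""' "$conf" \
        || echo "MODULE command still available: arbitrary .so can be loaded"
    return 0
}

# Number of findings, as a bare integer.
redis_conf_finding_count() {
    redis_conf_findings "$1" | wc -l | tr -d ' '
}

# Rewrite the file in place: drop the directives we manage, append
# hardened values. $2 is the password to require.
harden_redis_conf() {
    conf="$1"
    pass="$2"
    tmp="$conf.hardened.$$"
    sed -e '/^[[:space:]]*bind[[:space:]]/d' \
        -e '/^[[:space:]]*protected-mode[[:space:]]/d' \
        -e '/^[[:space:]]*requirepass[[:space:]]/d' \
        -e '/^[[:space:]]*rename-command[[:space:]]\{1,\}MODULE[[:space:]]/d' \
        -e '/^[[:space:]]*rename-command[[:space:]]\{1,\}DEBUG[[:space:]]/d' \
        "$conf" > "$tmp"
    cat >> "$tmp" <<EOF
# --- added by harden_redis_conf ---
bind 127.0.0.1
protected-mode yes
requirepass $pass
rename-command MODULE ""
rename-command DEBUG ""
EOF
    mv "$tmp" "$conf"
}

# Constructed sample of a typical exposed deployment (not a real capture).
demo_dir=$(mktemp -d)
weak_conf="$demo_dir/redis.conf"
cat > "$weak_conf" <<'EOF'
port 6379
bind 0.0.0.0
protected-mode no
daemonize yes
dir /var/lib/redis
EOF

echo "findings before hardening:"
redis_conf_findings "$weak_conf"
harden_redis_conf "$weak_conf" 'use-a-long-random-secret-here'
echo "findings after hardening: $(redis_conf_finding_count "$weak_conf")"
```

Binding to loopback is the right default for a cache that only local processes use; if other hosts legitimately need access, bind the specific interface and firewall it instead of opening it to the internet. On Redis 7 the preferred way to take dangerous commands away from clients is an ACL rule such as `user default on >password -@dangerous ~*`, which covers MODULE, CONFIG and DEBUG without renaming them. Hardening the configuration complements, and does not replace, patching an exposed server promptly.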


Over the past few days Safeonweb has been informed of an alarming upsurge in investment scams exploiting the image of public figures such as the Prime Minister or the CEO of a Belgian bank. These scams use deepfake technology to give the impression of an endorsement that is in fact entirely fraudulent.

Scammers use deepfake technology to create videos or images in which these public figures appear to be giving a pep talk about an investment opportunity. These fake testimonials or interviews are then used to lend credibility to the scam (and lure victims into the trap).

Analysis from our SOC team
As always, Safeonweb provides excellent tips on how to avoid falling victim to such scams.

1- Check the source: Always check the source of any investment advice. Official statements by public figures or financial institutions are usually published on their official communication channels.

2- Be sceptical: If an investment opportunity seems too good to be true, it probably is. Be wary of any investment that promises high returns with little or no risk.

3- Do your research: Before investing, do your own research. Seek information about the company and the investment opportunity from reliable sources and, above all, get professional advice.

If you have lost money or been the victim of extortion, we advise you to report it to the police. You can report it to the local police where you live. 

Contact your bank and/or Card Stop on 078 170 170 if you have passed on banking information, if money is disappearing from your bank account or if you have transferred money to a fraudster. This way, any fraudulent transactions can be blocked.

Our SOC is also available to assist in case of suspected scamming.

