
FBI Issues Alert on Russian Threats Targeting Ubiquiti Routers
A joint Cybersecurity Advisory (CSA) issued by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command and international partners has raised alarms regarding Russian state-sponsored cyber actors’ exploitation of compromised Ubiquiti EdgeRouters.
Identified as the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), these actors, also known as APT28, Fancy Bear and Forest Blizzard (Strontium), have utilized compromised EdgeRouters to harvest credentials, proxy network traffic and host spear-phishing landing pages and custom tools.
Despite recent disruption of a GRU botnet by the US Department of Justice and its international partners (including Belgium), the CSA stressed the necessity of implementing recommended mitigations to safeguard against future compromises and identify existing ones.
Analysis from our SOC team
The techniques observed in use by these Russian state-sponsored cyber actors consist of harvesting credentials, proxying network traffic, and hosting spear-phishing landing pages.
To protect against these threats, it is important to:
– Update firmware: regularly patch routers to address vulnerabilities.
– Use strong passwords: enforce robust password policies and avoid using default passwords.
– Segment your network: isolate critical systems from less critical ones.
If you want more details about the mitigation strategies recommended by the CSA, you can have a look at the advisory here.
Our SOC is also available to assist in case there are any doubts or suspicions about potential compromise.
Multiple threat actors have started exploiting the recently disclosed vulnerabilities, tracked as CVE-2024-1709 (CVSS score of 10) and CVE-2024-1708 (CVSS score of 8.4), in the ConnectWise ScreenConnect software.
Trend Micro researchers observed multiple threat actor groups that are exploiting vulnerabilities in ConnectWise ScreenConnect for different purposes, including ransomware deployment, and data exfiltration attacks. They also confirmed that Black Basta and Bl00dy ransomware groups are actively exploiting both flaws and shared details about their attack chains.
“Following our detailed examination of various threat actors exploiting vulnerabilities in ConnectWise ScreenConnect, we emphasize the urgency of updating to the latest version of the software,” Trend Micro concludes. “Immediate patching is not just advisable; it is a critical security requirement to protect your systems from these identified threats.”
Analysis from our SOC team
These events follow on from last week’s vulnerabilities disclosure and our first newsletter article on the subject.
Multiple threat actor groups have now seized the opportunity to exploit the vulnerabilities and perform malicious actions like ransomware deployment and data exfiltration.
If you are using a self-hosted server, we, like Trend Micro, emphasize the urgency of addressing these vulnerabilities by immediately updating to the latest version of ConnectWise ScreenConnect (23.9.8 or later).
A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1.
“This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request,” Patchstack researcher Rafie Muhammad said.
LiteSpeed Cache, which is used to improve site performance, has more than five million installations. The latest version of the plugin is 6.1, which was released on February 5, 2024.
Analysis from our SOC team
This flaw allows unauthenticated users to exploit a site-wide stored cross-site scripting (XSS) vulnerability to then perform privilege escalation and sensitive information theft.
It’s recommended that WordPress users make sure their LiteSpeed Cache plugin is up to date (latest one is version 6.1).
Developers of WordPress plugins must also apply thorough input filtering and output handling in their code. Once again, this incident underscores the importance of proactive security measures in code development and maintenance, since a flaw in a widely installed plugin can have far-reaching consequences for website owners and users.
Attackers have compromised more than 8,000 subdomains from well-known brands and institutions to mount a sprawling phishing campaign that sends malicious emails numbering in the millions each day.
MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay are among the entities caught up in “SubdoMailing” — named by researchers from Guardio Labs who discovered the campaign, which is at the heart of a larger cybercriminal undertaking and undermines the trust and credibility of the compromised organizations, they said.
The campaign is crafted in such a way that emails appear to come from trusted domains and bypass all the industry-standard email-security measures typically in place to block suspicious messages, including Sender Policy Framework (SPF), DKIM, SMTP Server, and DMARC, the researchers said.
Analysis from our SOC team
The nature of the campaign allows malicious emails to evade traditional email security measures, including SPF, DKIM, and DMARC. This not only undermines the trust and credibility of the compromised organizations but also poses serious risks to recipients who may fall victim to phishing attempts.
As email authentication checks cannot be relied upon, it is vital to educate users about the need to be vigilant against phishing attacks.
It is also a good idea to regularly review and secure subdomains associated with your brand (and review those of others). For this purpose, Guardio created a special website for checking whether a site’s abandoned domain is being used in this phishing operation.
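As an added defender-side illustration of the subdomain review recommended above (this is not code from the article or from Guardio), the following Python audit flags two dangling-DNS conditions, assuming the abandoned subdomain takes the form of a CNAME whose target domain no longer exists or an SPF record whose include:/redirect= target no longer exists. All zone data and domain names below are constructed for the demonstration, and the resolver is injected so the check runs offline.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Resolver contract (assumed for this example): (name, rrtype) -> list of
# record strings; [] if the name exists but has no such records; None if the
# name does not exist at all (NXDOMAIN).
Resolver = Callable[[str, str], Optional[List[str]]]

# SPF terms that hand authority to another domain: include:dom / redirect=dom
_SPF_REF = re.compile(r"^[+\-~?]?(include|redirect)[:=]([^\s/]+)$", re.I)


def spf_referenced_domains(spf_txt: str) -> List[str]:
    """Return the domains named by include:/redirect= terms of an SPF record."""
    refs = []
    for term in spf_txt.split():
        m = _SPF_REF.match(term)
        if m:
            refs.append(m.group(2).lower().rstrip("."))
    return refs


def audit_subdomain(resolver: Resolver, name: str) -> List[str]:
    """Flag a dangling CNAME target and dangling SPF references for one name."""
    findings = []
    cname = resolver(name, "CNAME")
    if cname:
        target = cname[0].lower().rstrip(".")
        if resolver(target, "A") is None:  # NXDOMAIN: target domain is gone
            findings.append(f"{name}: CNAME -> {target} does not resolve (takeover risk)")
    for txt in resolver(name, "TXT") or []:
        if txt.lower().startswith("v=spf1"):
            for dom in spf_referenced_domains(txt):
                if resolver(dom, "A") is None:
                    findings.append(f"{name}: SPF references {dom}, which does not resolve")
    return findings


# Constructed sample zone (not real records) used by the offline resolver.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("promo.example.com", "CNAME"): ["old-campaign.example-saas.net."],
    ("news.example.com", "A"): ["192.0.2.10"],
    ("news.example.com", "TXT"): ["v=spf1 include:_spf.mailvendor.example include:expired-esp.example -all"],
    ("_spf.mailvendor.example", "A"): ["198.51.100.5"],
    ("www.example.com", "A"): ["192.0.2.1"],
}


def sample_resolver(name: str, rrtype: str) -> Optional[List[str]]:
    key = (name.lower().rstrip("."), rrtype)
    if not any(k[0] == key[0] for k in SAMPLE_ZONE):
        return None  # name has no records of any type: NXDOMAIN
    return SAMPLE_ZONE.get(key, [])
```

For a live audit, a resolver built on dnspython's dns.resolver.resolve (catching NXDOMAIN and returning None) can be passed in place of sample_resolver; note that a real TXT lookup on a CNAME'd name follows the CNAME, which is exactly why the dangling target matters.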