Beyond Information Security

Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services

Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.

„These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies,“ Cisco Talos said.

Successful attacks could pave the way for unauthorized network access, account lockouts, or denial-of-service conditions, the cybersecurity company added.

The attacks, said to be broad and opportunistic, have been observed targeting the following devices –

  • Cisco Secure Firewall VPN
  • Checkpoint VPN
  • Fortinet VPN
  • SonicWall VPN
  • RD Web Services
  • Mikrotik
  • Draytek
  • Ubiquiti

Cisco Talos described the brute-forcing attempts as using both generic and valid usernames for specific organizations, with the attacks indiscriminately targeting a wide range of sectors across geographies. The source IP addresses for the traffic are commonly associated with proxy services. This includes TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack, among others.
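An added detection example, not code from Cisco Talos or the original article: it parses failed sshd logins from a constructed log excerpt, groups them per source address inside a trailing window, and separates password spraying (many usernames from one source) from classic brute force (many failures against few accounts), then marks sources that appear in a proxy or Tor-exit feed. The feed, the thresholds and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# Constructed stand-in for a Tor-exit / anonymizing-proxy feed; not a real list.
ANONYMIZER_SOURCES = {"203.0.113.5", "198.51.100.77"}
WINDOW_SECONDS = 300   # trailing window, ending at each source's newest failure
SPRAY_MIN_USERS = 5    # many distinct usernames from one source: password spraying
BRUTE_MIN_FAILS = 8    # many failures from one source: brute force

def parse_failures(log_text, year=2024):
    """Return (timestamp, user, ip) for every failed sshd login in the text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            events.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                           m["user"], m["ip"]))
    return events

def detect(log_text):
    """Classify each source IP's failures inside the window and flag proxy sources."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, events in by_ip.items():
        newest = max(t for t, _ in events)
        users = [u for t, u in events if (newest - t).total_seconds() <= WINDOW_SECONDS]
        distinct = set(users)
        verdict = ("password-spraying" if len(distinct) >= SPRAY_MIN_USERS
                   else "brute-force" if len(users) >= BRUTE_MIN_FAILS else None)
        if verdict:
            findings[ip] = {"verdict": verdict, "failures": len(users), "distinct_users": len(distinct),
                            "anonymizer": ip in ANONYMIZER_SOURCES}
    return findings

def _line(sec, user, ip):
    return (f"Apr 18 10:00:{sec:02d} vpn1 sshd[1{sec:02d}]: Failed password for "
            f"{'' if user == 'root' else 'invalid user '}{user} from {ip} port 5{sec:04d} ssh2")

# Constructed sshd log excerpt: one spraying source, one brute-forcing source, one benign user.
SAMPLE_LOG = "\n".join(
    [_line(i, u, "203.0.113.5") for i, u in enumerate(["admin", "test", "vpn", "guest", "oracle", "backup"])]
    + [_line(10 + i, "root", "198.51.100.77") for i in range(8)]
    + [_line(30, "alice", "192.0.2.10"), _line(31, "alice", "192.0.2.10")]
)
```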

Source: The Hacker News / BleepingComputer / Dark Reading / SecurityWeek / Cisco Talos Intelligence Group

Link: https://thehackernews.com/2024/04/cisco-warns-of-global-surge-in-brute.html

Link: https://www.bleepingcomputer.com/news/security/cisco-warns-of-large-scale-brute-force-attacks-against-vpn-services/

Link: https://www.darkreading.com/remote-workforce/cisco-warns-of-massive-surge-in-password-spraying-attacks-on-vpns

Link: https://www.securityweek.com/cisco-multiple-vpn-ssh-services-targeted-in-mass-brute-force-attacks/

Link: https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/


Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild.

Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.

Fixes for the shortcoming are available in the following versions –

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1, and
  • PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days.

„This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,“ the company clarified in its updated advisory.

Source: The Hacker News / BleepingComputer / Dark Reading / SecurityWeek / Help Net Security / Palo Alto Networks security advisory / SANS Internet Storm Center

Link: https://thehackernews.com/2024/04/palo-alto-networks-releases-urgent.html

Link: https://www.bleepingcomputer.com/news/security/exploit-released-for-palo-alto-pan-os-bug-used-in-attacks-patch-now/

Link: https://www.darkreading.com/cyberattacks-data-breaches/palo-alto-network-issues-hot-fixes-for-zero-day-bug-in-its-firewall-os

Link: https://www.securityweek.com/palo-alto-networks-releases-fixes-for-firewall-zero-day-as-first-attribution-attempts-emerge/

Link: https://www.helpnetsecurity.com/2024/04/17/cve-2024-3400-attacks/

Link: https://security.paloaltonetworks.com/CVE-2024-3400

Link: https://isc.sans.edu/diary/Palo%20Alto%20Networks%20GlobalProtect%20exploit%20public%20and%20widely%20exploited%20CVE-2024-3400/30844


Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys.

The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery credited to researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum.

„The effect of the vulnerability is to compromise the private key,“ the PuTTY project said in an advisory.

„An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for.“
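An added inventory check, not code from the PuTTY project or the original article: it walks an authorized_keys file and lists the ecdsa-sha2-nistp521 keys that need rotating, decoding the SSH wire-format blob so that the embedded key type and curve are checked rather than trusting the text prefix, and reporting the OpenSSH-style SHA256 fingerprint for cross-referencing. The sample file and its key blobs are constructed with dummy points and are not real keys.

```python
import base64
import hashlib
import struct
AFFECTED_TYPE = "ecdsa-sha2-nistp521"  # key type affected by CVE-2024-31497

def ssh_string(b):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b

def ssh_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def parse_key_line(line):
    """Return (type, curve, fingerprint, comment) for an authorized_keys line, else None."""
    parts = line.split()
    if parts and not parts[0].startswith(("ssh-", "ecdsa-", "sk-", "#")):
        parts = parts[1:]  # drop a leading options field such as no-pty,from="..."
    if len(parts) < 2 or parts[0].startswith("#"):
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    fields = ssh_strings(blob)
    if not fields or fields[0] != parts[0].encode():
        return None  # embedded type must match the prefix, otherwise the line is malformed
    curve = fields[1].decode() if parts[0].startswith("ecdsa-sha2-") and len(fields) > 1 else ""
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return parts[0], curve, fp, " ".join(parts[2:])

def keys_to_rotate(text):
    """List the P-521 ECDSA keys in an authorized_keys file that should be rotated."""
    return [k for k in map(parse_key_line, text.splitlines()) if k and k[0] == AFFECTED_TYPE]

def _fake_key(key_type, curve=None):
    """Constructed sample key line with a dummy point; not a real key pair."""
    body = ssh_string(key_type.encode())
    body += (ssh_string(curve.encode()) + ssh_string(b"\x04" + b"\x11" * 132)) if curve else ssh_string(b"\x22" * 32)
    return key_type + " " + base64.b64encode(body).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    _fake_key("ssh-ed25519") + " alice@laptop",
    "no-pty " + _fake_key(AFFECTED_TYPE, "nistp521") + " bob@putty-win",
    _fake_key("ecdsa-sha2-nistp256", "nistp256") + " carol@ci",
])
```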

Source: The Hacker News / BleepingComputer / SecurityWeek / Help Net Security / PuTTY bug record

Link: https://thehackernews.com/2024/04/widely-used-putty-ssh-client-found.html

Link: https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/

Link: https://www.securityweek.com/critical-putty-vulnerability-allows-secret-key-recovery/

Link: https://www.helpnetsecurity.com/2024/04/16/cve-2024-31497/

Link: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html


CrushFTP warns users to patch exploited zero-day “immediately”

CrushFTP warned customers today in a private memo of an actively exploited zero-day vulnerability fixed in new versions released today, urging them to patch their servers immediately.

As the company also explains in a public security advisory published on Friday, this zero-day bug enables unauthenticated attackers to escape the user’s virtual file system (VFS) and download system files.

However, those using a DMZ (demilitarized zone) perimeter network in front of their main CrushFTP instance are protected against attacks.

„Please take immediate action to patch ASAP. A vulnerability was reported today (April 19th, 2024), and we patched it immediately. [..] This vulnerability exists in the wild,“ the company warned customers via email. „The bottom line of this vulnerability is that any unauthenticated or authenticated user via the WebInterface could retrieve system files that are not part of their VFS. This could lead to escalation as they learn more, etc.“

The company also warned customers with servers still running CrushFTP v9 to immediately upgrade to v11 or update their instance via the dashboard.

„There is a simple rollback in case you have an issue or regression with some functionality. Update immediately,“ CrushFTP warned.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/


Cisco discloses root escalation flaw with public exploit code

Cisco has released patches for a high-severity Integrated Management Controller (IMC) vulnerability with public exploit code that can let local attackers escalate privileges to root.

Cisco IMC is a baseboard management controller for managing UCS C-Series Rack and UCS S-Series Storage servers via multiple interfaces, including XML API, web (WebUI), and command-line (CLI) interfaces.

„A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root,“ the company explains.

„To exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device.“

Tracked as CVE-2024-20295, this security flaw is caused by insufficient validation of user-supplied input, a weakness that can be exploited using crafted CLI commands as part of low-complexity attacks.

Source: BleepingComputer / SecurityWeek

Link: https://www.bleepingcomputer.com/news/security/cisco-discloses-root-escalation-flaw-with-public-exploit-code/

Link: https://www.securityweek.com/cisco-says-poc-exploit-available-for-newly-patched-imc-vulnerability/


The Week in Ransomware – April 19th 2024 – Attacks Ramp Up

While ransomware attacks decreased after the LockBit and BlackCat disruptions, they have once again started to ramp up with other operations filling the void.

A relatively new operation called RansomHub gained media attention this week after a BlackCat affiliate used the newer operation’s data leak site to extort Change Healthcare once again. Change Healthcare allegedly already paid a ransom, which was stolen from an affiliate in an exit scam by the BlackCat/ALPHV ransomware operation. However, the affiliate behind the attack claims to have kept the stolen data and is now extorting the company again through RansomHub.

So far, the Change Healthcare attack has cost UnitedHealth Group $872 million, with losses expected to continue.

Another disruptive attack we learned more about this week is the Daixin operation claiming the cyberattack on Omni Hotels. This attack caused the hotel chain to shut down its IT systems, impacting reservations and requiring hotel staff to let guests into their rooms.

Other attacks targeted chipmaker Nexperia, the United Nations Development Programme (UNDP), Octapharma Plasma, and the Atlantic States Marine Fisheries Commission (ASMFC).

There were other cyberattacks this week, such as the one on Frontier Communications, but they have not been confirmed to be ransomware.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-19th-2024-attacks-ramp-up/


Unpacking the NIST cybersecurity framework 2.0

The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.

NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards and create a new model that reflects evolving security challenges.

While the core of the CSF remains the same, there are several notable additions to the new version. Here’s what enterprises need to know about the new framework, how it impacts operations and how IT teams can effectively apply CSF version 2.0 to daily operations.

Source: IBM Security Intelligence

Link: https://securityintelligence.com/articles/nist-cybersecurity-framework-2/