Beyond Information Security

Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security.

“Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” the agencies said.

To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware –

  • CVE-2023-46805 (CVSS score: 8.2) – Authentication bypass vulnerability in web component
  • CVE-2024-21887 (CVSS score: 9.1) – Command injection vulnerability in web component
  • CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component
  • CVE-2024-21893 (CVSS score: 8.2) – SSRF vulnerability in the SAML component
  • CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component

Mandiant, in an analysis published this week, described how an encrypted version of a malware known as BUSHWALK is placed in a directory excluded by ICT in /data/runtime/cockpit/diskAnalysis.

Source: The Hacker News / BleepingComputer / Infosecurity Magazine / CISA cybersecurity advisory

Link: https://thehackernews.com/2024/03/five-eyes-agencies-warn-of-active.html

Link: https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-hacked-ivanti-vpn-gateways-even-after-factory-resets/

Link: https://www.infosecurity-magazine.com/news/five-eyes-warn-ivanti/

Link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b


Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks

The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.

The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part of Patch Tuesday updates.

“To exploit this vulnerability, an attacker would first have to log on to the system,” Microsoft said. “An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

Source: The Hacker News / Dark Reading / SecurityWeek

Link: https://thehackernews.com/2024/02/lazarus-hackers-exploited-windows.html

Link: https://www.darkreading.com/vulnerabilities-threats/microsoft-zero-day-used-by-lazarus-in-rootkit-attack

Link: https://www.securityweek.com/windows-zero-day-exploited-by-north-korean-hackers-in-rootkit-attack/


NIST Cybersecurity Framework 2.0: 4 Steps to Get Started

The US National Institute of Standards and Technology (NIST) has released the latest draft of its well-regarded Cybersecurity Framework (CSF) this week, leaving companies to mull how a few significant changes to the document affect their cybersecurity programs.

Between the new “Govern” function, which incorporates greater executive and board oversight of cybersecurity, and the expansion of the best practices beyond just those for critical industries, cybersecurity teams will have their work cut out for them, says Richard Caralli, senior cybersecurity adviser at Axio, an IT and operational technology (OT) threat management firm.

“In many cases, this will mean that organizations have to take a hard look at existing assessments, identified gaps, and remediation activities to determine the impact of the framework changes,” he says, adding that “new program gaps will emerge that previously may not have been present, especially with respect to cybersecurity governance and supply chain risk management.”

Source: Dark Reading / NIST news / Bruce Schneier on Security / SecurityWeek

Link: https://www.darkreading.com/ics-ot-security/nist-cybersecurity-framework-2-0-4-steps-get-started

Link: https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework

Link: https://www.schneier.com/blog/archives/2024/03/nist-cybersecurity-framework-2-0.html

Link: https://www.securityweek.com/industry-reactions-to-nist-cybersecurity-framework-2-0-feedback-friday/

Link: https://www.securityweek.com/nist-cybersecurity-framework-2-0-officially-released/


Germany takes down cybercrime market with over 180,000 users

The Düsseldorf Police in Germany have seized Crimemarket, a massive German-speaking illicit trading platform with over 180,000 users, arresting six people, including one of its operators.

Known as Crimemarket, it was the largest cybercrime market in the country and a hub for trading illegal drugs, narcotics, and cybercrime services, while it also hosted tutorials/guides for conducting various crimes.

This law enforcement action resulted from years of investigations and numerous searches that produced evidence leading to the identification of the platform’s operators and many users. “In a concerted campaign, investigators across Germany and abroad took action against the largest German-speaking criminal trading platform on the Internet on Thursday evening,” reads a machine-translated announcement.

As part of the operation, 102 search warrants were executed throughout the country simultaneously during the evening of February 29th, 2024.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/legal/germany-takes-down-cybercrime-market-with-over-180-000-users/


Kali Linux 2024.1 released with 4 new tools, UI refresh

Kali Linux has released version 2024.1, the first version of 2024, with four new tools, a theme refresh, and desktop changes.

Kali Linux is a distribution created for cybersecurity professionals and ethical hackers to perform penetration testing, security audits, and research against networks.

As is typical for the year’s first version, the Kali Team has released new visual elements, including wallpapers and updates to the boot menu and login display.

As with every release, it wouldn’t be fun without some new toys to play with.

Below are the four new tools added in Kali 2024.1:

  • blue-hydra – Bluetooth device discovery service
  • opentaxii – TAXII server implementation from EclecticIQ
  • readpe – Command-line tools to manipulate Windows PE files
  • snort – Flexible Network Intrusion Detection System

In addition to the new tools, Kali says it has upgraded the kernel to version 6.6.

Source: BleepingComputer / Help Net Security

Link: https://www.bleepingcomputer.com/news/security/kali-linux-20241-released-with-4-new-tools-ui-refresh/

Link: https://www.helpnetsecurity.com/2024/02/29/kali-linux-2024-1-released-new-tools-new-look-kali-nethunter-kernels/


The Week in Ransomware – March 1st 2024 – Healthcare under siege

Ransomware attacks on healthcare over the last few months have been relentless, with numerous ransomware operations targeting hospitals and medical services, causing disruption to patient care and access to prescription drugs in the USA.

The most impactful attack of 2024 so far is the attack on UnitedHealth Group’s subsidiary Change Healthcare, which has had significant consequences for the US healthcare system. This attack was later linked to the BlackCat ransomware operation, with UnitedHealth also confirming the group was behind the attack. Change Healthcare is an electronic payment exchange service used by doctors, pharmacists, and hospitals to submit billing claims in the US healthcare system. The attack has caused significant disruptions in Change Healthcare’s services, significantly impacting pharmacies that cannot bill customers picking up prescription medicines.

This disruption has trickled down to patients, who, in some cases, are forced to pay full price for their medications until the issue is resolved. However, some medicines can cost thousands of dollars, making it difficult for many to afford the payments.

To make matters worse, the BlackCat ransomware operation, aka ALPHV, claims to have stolen 6 TB of data from Change Healthcare during the attack, containing the personal information of millions of people.

The attack has led the FBI, CISA, and the HHS to issue a joint advisory warning of BlackCat attacks on hospitals.

“The cyberattack against Change Healthcare that began on Feb. 21 is the most serious incident of its kind leveled against a U.S. health care organization,” warned Rick Pollack, President and CEO, American Hospital Association (AHA).

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-1st-2024-healthcare-under-siege/


Download Websites to Find OSINT

Websites are full of useful information that is hidden in source code or in small print on obscure subdomains.

This is the first of two articles explaining how to scan websites for useful information.

Here we will walk through how to discover Open Source Intelligence (OSINT) by downloading a website and searching it for email addresses, links, crypto addresses, etc.

To clarify: this method does not search for a specific email address; instead, it searches for any email addresses that appear in the content or source code of the website. This can save the trouble of manually searching a company’s entire website for employees and their contact info. Alternatively, you could download a web forum where you want to find all of the crypto addresses mentioned. Further, websites often carry this kind of data in the source code but not in the visible page content.
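As an added example (not code from the Secjuice article or from this newsletter), the following Python script runs the kind of sweep the article describes over a saved copy of a page: it extracts email addresses, URLs and Bitcoin/Ethereum-style addresses from the raw HTML, then separates the items that appear only in source (comments, attributes, script bodies) from those a visitor would actually see. Run against your own site, that split shows what is exposed without being on any visible page. The sample HTML, the example.com hosts and both wallet addresses are constructed for the demo, not real; the address patterns are syntactic only and do no checksum validation.

```python
import re
from html.parser import HTMLParser

# Indicator patterns for the categories the article names. Address patterns
# are syntactic only: no checksum validation is performed.
PATTERNS = {
    "emails": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "urls": re.compile(r"https?://[^\s\"'<>)]+"),
    # Bitcoin: bech32 (bc1...) or legacy base58 (1.../3...) forms
    "btc": re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    # Ethereum: 0x followed by 20 hex bytes
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


class VisibleText(HTMLParser):
    """Collects only text a visitor would see: no comments, no attribute
    values, no <script> or <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0  # nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    """Return the rendered text of an HTML document as one string."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join(parser.parts)


def extract_indicators(html):
    """Per indicator kind, return everything found in the raw source and the
    subset that is present only in source, i.e. not in the rendered text."""
    shown = visible_text(html)
    report = {}
    for kind, rx in PATTERNS.items():
        in_source = set(rx.findall(html))
        in_visible = set(rx.findall(shown))
        report[kind] = {
            "all": sorted(in_source),
            "source_only": sorted(in_source - in_visible),
        }
    return report


def scan_file(path, encoding="utf-8", errors="replace"):
    """Scan one page saved to disk (e.g. from a mirrored copy of a site)."""
    with open(path, encoding=encoding, errors=errors) as fh:
        return extract_indicators(fh.read())


# Constructed sample page: hosts, names and both wallet addresses are made up.
FAKE_BTC = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"
FAKE_ETH = "0x" + "ab" * 20
SAMPLE_HTML = f"""<html><head>
<!-- TODO: remove before launch, contact dev-ops@example.com -->
<script>
  var api = "https://api.example.com/v1/users";
  var wallet = "{FAKE_ETH}";
</script>
</head><body>
<p>Reach sales at <a href="mailto:sales@example.com">sales@example.com</a>.</p>
<p>See https://www.example.com/careers for openings.</p>
<p>Donate: {FAKE_BTC}</p>
<a href="https://intranet.example.com/staff">Staff</a>
<div data-owner="cto@example.com">About</div>
</body></html>"""

if __name__ == "__main__":
    for kind, found in extract_indicators(SAMPLE_HTML).items():
        print(f"{kind}: {len(found['all'])} found, "
              f"{len(found['source_only'])} only in source")
        for item in found["source_only"]:
            print(f"  source-only: {item}")
```

On the sample page the sweep reports three email addresses, of which two (the one in the HTML comment and the one in a `data-` attribute) never appear in rendered text, plus an internal API endpoint, an intranet link and a wallet address that live only in script or attributes. That "source only" column is the practical output of an exposure check: each entry is something published by the site that nobody reviewing the pages in a browser would have noticed.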

Source: Secjuice

Link: https://www.secjuice.com/download-a-website-to-search-for-emails-urls-crypto-addressed/