WEEKLY TOP TEN: April 22, 2024, 16:30 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original items we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available:
- MITRE breached by Ivanti zero-day exploit
MITRE has announced that it has experienced a breach, showing that even the most prepared organizations remain vulnerable to cyberattacks and zero-days. The threat actor used two Ivanti Connect Secure zero-day vulnerabilities to compromise a VPN, then moved laterally into MITRE’s VMware infrastructure. The lateral movement went undetected, which allowed the threat actor to remain persistent. An incident response has been launched and is still ongoing.
- Frontier Communications shuts down systems after cyberattack
Frontier Communications has also been breached and is working on restoring systems after shutting them down to prevent lateral movement. Frontier has reported that the miscreants gained access to personally identifiable information. Some customers have reported that service has been down for over 24 hours due to the attack. In addition to internet services, Frontier’s wholesale site and mobile app have also been affected.
- Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign
A new cyberattack campaign has been observed exploiting CVE-2023-48788, which allows SQL injection in Fortinet clients. The attackers’ initial attempt to download and execute ScreenConnect failed, but after a proof of concept was released on March 21st, they were able to launch PowerShell and download Metasploit’s Powerfun. Afterward, the attackers downloaded ScreenConnect using Certutil. Because of the use of ScreenConnect and Powerfun, the campaign is currently dubbed Connect:fun.
- Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread
Fortinet researchers have observed attackers exploiting a year-old vulnerability (CVE-2023-1389) that allows command injection in the TP-Link Archer AX21. Fortinet has observed multiple botnets using this vulnerability, including Moobot, Miori, AGoent, Gafgyt, and Condi. The article explains the attack chain and subsequent capabilities of each botnet. Although this vulnerability has been patched for over a year, Fortinet’s IPS signatures still show spikes of 40,000 injection attempts a day.
- Cybercriminals pose as LastPass staff to hack password vaults
LastPass is warning of an ongoing campaign targeting its users. The campaign uses CryptoChameleon, a phishing kit that uses crafted single-sign-on pages to trick users into entering their password information. Attackers employ a series of social engineering techniques, such as calling users while pretending to be LastPass employees and directing them to the CryptoChameleon domain. Once there, users are prompted to enter their master password. While LastPass is being targeted specifically in this instance, any cloud password manager can be compromised if the user falls for the phish.
- Critical PuTTY Vulnerability Exposes Private Keys
PuTTY versions 0.68 through 0.80 contain a critical vulnerability (CVE-2024-31497) that can compromise the private key, allowing attackers to log into any server the key is used for. The attacker only needs access to signed messages and the public key to recover the private key; roughly 60 signed messages are required. PuTTY has remediated this vulnerability by switching to a new technique for generating keys. Any existing SSH keys should be revoked and regenerated in PuTTY 0.81.
- Large-scale brute-force activity targeting VPNs and SSH services with commonly used login credentials
Cisco Talos has reported a global increase in brute-force attacks targeting VPNs, web apps, and SSH services. While brute-force attacks happen daily, Cisco notes a large increase in attacks originating from Tor exit nodes starting on March 18, 2024. These attacks use generic usernames and passwords and do not appear to target any specific organizations. To help defenders, Cisco has provided the IoCs and wordlists used in these attacks.
- SAP Applications Increasingly in Attacker Crosshairs, Report Shows
According to a report from Onapsis and Flashpoint, attackers’ interest in SAP has increased dramatically over the past three years. This is in part due to cloud migration and SAP misconfigurations in on-premises deployments. Ransomware attacks on SAP systems have also increased. Many high-profile threat actors, along with APTs, have been observed exploiting SAP vulnerabilities. Alongside this growing attacker interest, Crowdfense has announced large bounties for full-chain exploits in SAP products in an effort to get ahead of attackers.
- United Nations agency investigates ransomware attack and data theft
The United Nations Development Programme is investigating a data breach in which attackers stole human resources and procurement information. The UN released a statement on Tuesday, April 16th, but did not link the attack to a specific group. On March 27th, the ransomware group 8Base added the UNDP as an entry on its leak website.
- Telegram Patches Zero-Day Python Script Vulnerability in Windows Client
A vulnerability in Telegram allowed attackers to bypass security warnings and launch Python scripts automatically on victims’ Windows machines. At first, Telegram dismissed the claim as a hoax and rumor, but a PoC was released shortly after. The vulnerability stems from a typo in Telegram’s security features. Telegram blocks malicious scripts and executables, such as files with the extension [.]pyzw; however, due to the typo, Telegram blocked files with the extension [.]pywz instead. This allowed Python files to bypass Telegram’s security features and be executed with no warning or checks. The typo was patched in the latest update.
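The Telegram item above comes down to a single misspelled entry in an extension blocklist. The following is an added illustration, not Telegram’s code: a constructed model of such a blocklist with the flawed and corrected entries side by side, plus a helper that shows which received files each version would let through unchecked. The blocklist contents other than the two Python entries are assumed for illustration, and the check is made case-insensitive because Windows treats extensions that way.

```python
"""Model of the extension-blocklist bug described in the Telegram item.

Constructed example, not Telegram's code. A client keeps a set of
"dangerous" Windows extensions and warns before opening a file whose
extension is in the set. The flawed set contains 'pywz' where 'pyzw'
(a Python zipapp, run by pythonw.exe) was intended, so .pyzw files
sail through; the fixed set spells the entry correctly.
"""
from __future__ import annotations

import os

# Constructed blocklists: only the Python entries are taken from the
# article; the other extensions are assumed filler for illustration.
FLAWED_BLOCKLIST = frozenset({"exe", "bat", "cmd", "py", "pyw", "pywz"})
FIXED_BLOCKLIST = frozenset({"exe", "bat", "cmd", "py", "pyw", "pyzw"})


def extension_of(filename: str) -> str:
    """Return the final extension, lower-cased and without the dot.

    Windows matches extensions case-insensitively, so the check must too;
    otherwise 'Tool.PYZW' would slip past a lower-case blocklist.
    """
    _, ext = os.path.splitext(filename)
    return ext[1:].lower()


def is_blocked(filename: str, blocklist: frozenset[str] = FIXED_BLOCKLIST) -> bool:
    """True when the file should trigger a warning instead of auto-opening."""
    return extension_of(filename) in blocklist


def bypassing_files(filenames: list[str], blocklist: frozenset[str]) -> list[str]:
    """Return the received files that the given blocklist would open unchecked."""
    return [name for name in filenames if not is_blocked(name, blocklist)]


if __name__ == "__main__":
    # Constructed sample of received attachments.
    received = ["report.pdf", "tool.pyzw", "Tool.PYZW", "run.pyw", "notes.pywz"]
    print("opened unchecked by flawed list:", bypassing_files(received, FLAWED_BLOCKLIST))
    print("opened unchecked by fixed list: ", bypassing_files(received, FIXED_BLOCKLIST))
```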