CyberSecurity Newsletter February 19th 2024
In this week’s news: The Great Fortinet Toothbrush Debacle and some CVEs, ANY.RUN introduces a Threat Intelligence Lookup, Microsoft Exchange Server vulns, Cisco and MS Defender exploited in the wild, Cloudflare has more information on the Thanksgiving Day event, and Bank of America and Robert Half suffer data breaches.
The Fortinet Toothbrush Debacle, which would be a great album name for a punk band: https://www.itpro.com/security/fortinet-will-want-to-forget-last-week-after-botched-vulnerability-disclosures-and-a-war-of-words-over-an-electric-toothbrush-caused-chaos
Fortinet’s FortiGuard disclosed two critical vulnerabilities affecting FortiOS: CVE-2024-23113, a format string vulnerability, and CVE-2024-21762, an out-of-bounds write vulnerability. Either could allow unauthenticated threat actors to execute arbitrary code or commands: https://arcticwolf.com/resources/blog-uk/cve-2024-21762-and-cve-2024-23113-multiple-critical-vulnerabilities-in-fortinet-one-likely-under-active-exploitation/
Malware sandbox leader ANY.RUN introduced the Threat Intelligence Lookup platform, which helps security researchers find relevant threat data drawn from ANY.RUN sandbox tasks: https://cybersecuritynews.com/any-run-threat-intelligence-lookup/
Microsoft acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild: https://thehackernews.com/2024/02/critical-exchange-server-flaw-cve-2024.html
IntelBroker and Sanggiero claim to possess a trove of data from Robert Half, which is being sold for $20,000 in Monero (XMR) cryptocurrency: https://www.hackread.com/hackers-claim-robert-half-data-breach/
CISA warns that the Akira Ransomware gang is exploiting the Cisco ASA/FTD vulnerability CVE-2020-3259 (CVSS score: 7.5) in attacks in the wild: https://securityaffairs.com/159244/cyber-crime/cisa-cisco-cve-2020-3259-akira-ransomware.html
Bank of America is warning customers of a data breach exposing their personal information after Infosys McCamish Systems (IMS), one of its service providers, was hacked last year: https://www.bleepingcomputer.com/news/security/bank-of-america-warns-customers-of-data-breach-after-vendor-hack/
A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders: https://thehackernews.com/2024/02/darkme-malware-targets-traders-using.html https://malware.news/t/apt-exploits-microsoft-zero-day-in-malware-attacks/78751
Security researchers Mathy Vanhoef and Héloïse Gollier have recently uncovered several critical vulnerabilities in the Wi-Fi authentication protocols used in modern WPA2/3 networks: https://cybersecuritynews.com/new-wi-fi-authentication-bypass-flaw/
Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices: https://thehackernews.com/2024/02/ivanti-vulnerability-exploited-to.html
Rapid7 has identified an unauthenticated command injection vulnerability in the QNAP operating systems QTS and QuTS hero: https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/
Prudential Financial has disclosed that its network was breached last week, with the attackers stealing employee and contractor data before being blocked from the compromised systems one day later: https://www.bleepingcomputer.com/news/security/prudential-financial-breached-in-data-theft-cyberattack/
EU Court of Human Rights Rejects Encryption Backdoors: https://www.schneier.com/blog/archives/2024/02/eu-court-of-human-rights-rejects-encryption-backdoors.html
Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign: https://malware.news/t/russia-aligned-tag-70-targets-european-government-and-military-mail-servers-in-new-espionage-campaign/78871
Wyze says camera breach let 13,000 customers briefly see into other people’s homes: https://www.theverge.com/2024/2/19/24077233/wyze-security-camera-breach-13000-customers-events
A Russia-linked hacking group is exploiting a known bug in a popular webmail server to spy on government and military agencies in Europe, as well as Iranian embassies in Russia: https://therecord.media/russia-aligned-hackers-target-european-and-iranian-embassies-cyber-espionage
Cloudflare has just detailed how suspected government spies gained access to its internal Atlassian installation using credentials stolen via a security breach at Okta in October: https://www.theregister.com/2024/02/02/cloudflare_okta_atlassian
New research from Palo Alto Networks’ Unit 42 team has revealed that Insidious Taurus (also known as Volt Typhoon) is recognised by U.S. government agencies and their international counterparts as a cyber actor sponsored by the People’s Republic of China (PRC). The group is primarily engaged in infiltrating U.S. critical infrastructure IT networks, presumably to lay the groundwork for potential disruptive or destructive cyberattacks should a significant crisis or conflict arise with the U.S.: https://industrialcyber.co/threat-landscape/unit-42-details-insidious-taurus-prc-sponsored-cyber-group-targeting-us-critical-infrastructure/
A Ukrainian national charged with operating the Raccoon Infostealer malware-as-a-service (MaaS) has made an appearance in a US court after being extradited from the Netherlands: https://www.securityweek.com/ukrainian-raccoon-infostealer-operator-extradited-to-us/
SolarWinds has released Access Rights Manager version 2023.2.3, which fixes several deserialization and directory traversal vulnerabilities leading to remote code execution: https://gbhackers.com/solarwinds-arm-flaw/
Recently, five CVEs have been discovered in Ivanti Connect Secure, a software product designed to offer secure remote access to corporate resources and applications. This product is currently trusted by numerous service providers and government entities. The vulnerabilities cover authentication bypass, command injection, privilege escalation, server-side request forgery, and XML external entity issues, potentially resulting in remote code execution on affected systems. The presence of public exploits in the wild raises significant security concerns for users of this product: https://blog.securelayer7.net/ivanti-connect-secure-5-cve-vulnerability/