Laszar

24 Apr, 2024

Nation & State

MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days

MITRE revealed on Friday that one of its R&D networks was hacked a few months ago by a foreign state-sponsored threat actor leveraging zero-day vulnerabilities in an Ivanti product.

The attack occurred in early January, but it was only discovered this month. It targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network that is used for research, development, and prototyping.

Following the discovery of the breach, MITRE took the NERVE environment offline and launched an investigation. The organization determined that the attack involved exploitation of two Ivanti Connect Secure VPN device vulnerabilities for initial access.

The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, were zero-days at the time of the attack. They came to light on January 10, when cybersecurity firm Volexity warned that they had been exploited by hackers backed by the Chinese government to compromise Ivanti VPN devices.

Ivanti immediately provided mitigations, but it took the company nearly three weeks to start releasing proper patches.

Widespread exploitation of the Ivanti flaws started roughly a week after they came to light. Considering that MITRE was targeted before the zero-days were disclosed, the organization may have been targeted by the Chinese threat actors, but it has not shared any attribution details beyond saying that it was a foreign nation-state threat actor.

Google Cloud’s Mandiant is aware of several China-linked threat actors that have exploited the Ivanti VPN vulnerabilities in their attacks.

MITRE said the attackers performed reconnaissance, exploited the Ivanti zero-days, and bypassed its multi-factor authentication system using session hijacking.

“From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account,” MITRE explained. “They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”

MITRE’s investigation is ongoing, but at this point there is no evidence that its core enterprise network or partners’ systems are impacted by the incident.

MITRE is a not-for-profit company operating federally funded R&D centers on behalf of U.S. government sponsors. The company is widely known in the cybersecurity for its ATT&CK knowledge base of adversary tactics and techniques based on real-world cyberattack observations.

MITRE has shared information on the observed ATT&CK techniques, as well as best practice tips for detecting such attacks, and recommendations for hardening networks.

CVE-2023-46805 and CVE-2024-21887 have also been used to hack into systems belonging to the cybersecurity agency CISA, which revealed earlier this month that the incident could affect 100,000 individuals.

Late last month MITRE opened a new AI Assurance and Discovery Lab for discovering and managing risks in AI-enabled systems.

21 Feb, 2024

Swiss Cyber Security Days 2024

Shaping Cyber Resilience

Secure your place for a secure future and discover the top-class programme with representatives from NATO, the Swiss Armed Forces and ETH Zurich Space, among others, on the BERNEXPO site!

Information :

Swiss Cyber Security Days

15 Feb, 2024

Security Summit

SecurityWeek’s Security Summit events are a series of topic-specific virtual conferences that allow attendees from around the world to immerse in a virtual world to discuss the latest cybersecurity trends and gain insights into security strategies and emerging cyber threats faced by businesses.

2024 Virtual Events Schedule

1. Attack Surface Management Summit | February 15, 2024
2. Supply Chain Security and Third-Party Risk Summit | March 20, 2024
3. Ransomware Resilience & Recovery Summit | April 17, 2024
4. Threat Detection and Incident Response Summit | May 22, 2024
5. CISO Forum Virtual Summit – June 18-19, 2024
6. Cloud Security Summit | July 17, 2024
7. Identity & Zero Trust Strategies Summit | August 7, 2024
8. ICS Cybersecurity Conference – October 21-24, 2024 | Atlanta + Hybrid
9. Cyber AI & Automation Summit |- December 4, 2024

Information : Security Summits

12 Feb, 2024

Vulnerabilities : Exploitation of Another Ivanti VPN Vulnerability Observed

Organizations urged to hunt for potential compromise as exploitation of a recent Ivanti enterprise VPN vulnerability begins. by Ionut Arghire

Exploitation of a recently disclosed XML external entity (XXE) vulnerability impacting Ivanti enterprise VPN and network access products has commenced, multiple security researchers warned over the weekend.

Affecting the SAML component of Ivanti Connect Secure, Policy Secure, and ZTA gateway appliances and tracked as CVE-2024-22024 (CVSS score of 8.3), the issue can be exploited to access certain restricted resources without authentication.

Last week, Ivanti announced that patches for the bug were released for Connect Secure versions 9.x and 22.x, Policy Secure versions 9.x and 22.x, and ZTA gateways versions 22.x.

Attack surface management firm WatchTowr, which Ivanti eventually credited for finding the bug, says that exploitation of CVE-2024-22024 is possible with a basic, publicly available payload for out-of-bounds XXE.

WatchTowr also notes that Ivanti introduced the vulnerability in the latest versions of the affected products, when attempting to address a different vulnerability in the SAML component.

Given the increased attention Ivanti’s VPN products have been receiving lately due to the exploitation of zero-day vulnerabilities, the cybersecurity firm did not release proof-of-concept (PoC) code targeting CVE-2024-22024, but shared information on how organizations can detect the bug in their environments.

Over the weekend, however, PoC exploits for the bug were made public, and security researchers started warning organizations that they should check their logs to identify potential exploitation attempts.

Responding to Kevin Beaumont on X, security researcher David Vorel said he observed devices being compromised shortly after the latest patches were installed on them and a factory reset was performed, suggesting that the bug had been under active exploitation already.

Ivanti says that customers should apply the patches for CVE-2024-22024 regardless of whether they installed the patches released on January 31 or February 1, which address several other flaws, including two zero-days.

If those patches have been installed and a factory reset was performed, however, customers do not need to factory reset their appliances once again.

Ivanti has yet to confirm that CVE-2024-22024 is being exploited in malicious attacks.

“We have no evidence of this vulnerability being exploited in the wild as it was found during our internal review and testing of our code, and responsibly disclosed by watchTowr,” Ivanti notes, urging customers to update their appliances as soon as possible.

Information : Exploitation of Another Ivanti VPN Vulnerability Observed

12 Feb, 2024

Vulnerabilities

ExpressVPN User Data Exposed Due to Bug

ExpressVPN disables split tunneling on Windows after learning that DNS requests were not properly directed. by Ionut Arghire

ExpressVPN last week disabled split tunneling on its Windows clients to prevent an issue where DNS requests were not properly directed to its servers.

The issue, introduced in May 2022 in version 12.23.1 of ExpressVPN, resulted in DNS requests remaining unprotected in certain conditions, the VPN solutions provider announced.

Normally, when a user is connected to ExpressVPN, their DNS requests are sent to the company’s servers.

Due to the bug, the requests were sent to a third party, typically the internet services provider (ISP), unless otherwise configured, which could determine the domain visited by the user, but not individual pages and other behavior.

“All contents of the user’s traffic remain encrypted by the VPN and unviewable by the ISP or any other third party,” ExpressVPN explains.

The bug impacted versions 12.23.1 through 12.72.0 of ExpressVPN for Windows, if the split-tunneling feature was used and the ‘Only allow selected apps to use the VPN’ mode was enabled.

The split tunneling feature is meant to allow users to limit the applications that can send their traffic through the VPN solution.

According to ExpressVPN, the bug impacted less than 1% of its Windows users, given that the issue could not be reproduced without split tunneling activated or with split tunneling used in ‘Do not allow selected apps to use the VPN’ mode.

“No other VPN protections, such as encryption, were affected,” ExpressVPN explains.

Version 12.73.0 of ExpressVPN for Windows was rolled out last week to disable split tunneling entirely, and users are advised to upgrade their installations as soon as possible. The feature will remain disabled until the underlying issue is identified and addressed.

Users in urgent need of split tunneling may downgrade to version 10 of ExpressVPN for Windows, in which the feature functions as intended.

Information : ExpressVPN User Data Exposed Due to Bug

10 Feb, 2024

State

UN Experts Investigating 58 Suspected North Korean Cyberattacks Valued at About $3 Billion

U.N. experts are investigating 58 suspected North Korean cyberattacks valued at approximately $3 billion, with the money reportedly being used fund development of weapons of mass destruction. by Associated Press

U.N. experts say they are investigating 58 suspected North Korean cyberattacks between 2017 and 2023 valued at approximately $3 billion, with the money reportedly being used to help fund its development of weapons of mass destruction.

And the high volume of cyberattacks by North Korean hacking groups who report to the Reconnaissance General Bureau, North Korea’s primary foreign intelligence organization, is reportedly continuing, the panel of experts said in the executive summary of a new report to the U.N. Security Council obtained Friday by The Associated Press.

The report covering the period from July 2023 to January 2024 and reflecting contributions from unidentified U.N. member nations and other sources, was sent to the 15-member council as North Korean leader Kim Jong Un has raised tensions in the region. He is threatening to annihilate South Korea if provoked and escalating weapons demonstrations. In response, the United States, South Korea and Japan have strengthened their combined military exercises.

Amid the increased military and political tensions on the Korean Peninsula, the experts said North Korea “continued to flout (U.N.) sanctions,” further developed its nuclear weapons, and produced nuclear fissile materials – the weapons’ key ingredients.

The experts said a light-water reactor at North Korea’s main nuclear complex at Yongbyon “appeared to be operational.” South Korea’s defense minister said in late December that the reactor would likely be formally operational by the summer, amid suspicions the North may use it as a new source of fissile materials for nuclear weapons.

North Korea has long produced weapons-grade plutonium from its widely known 5-megawatt reactor at Yongbyon. The light-water reactor would be an additional source of bomb fuels, and observers say its bigger capacity could allow it to produce more plutonium. Yongbyon has a uranium enrichment facility as well.

The panel said activities at North Korea’s Punggye-ri nuclear test site “continued.” U.S. and South Korean officials have said North Korea is likely preparing to conduct its seventh nuclear test from the site, which would be the first since 2017.

Outside estimates on the size of North Korea’s nuclear arsenal vary, ranging from 20-60 to more than 100. Experts say North Korea can add six to 18 bombs each year. Since his diplomacy with the U.S. collapsed in 2019, Kim Jong Un has repeatedly vowed to build more nuclear weapons and introduce high-tech weapons to cope with what he calls intensifying U.S. hostility.

The panel said that during the six-month period ending in January, the Democratic People’s Republic of Korea or DPRK — the North’s official name — launched at least seven ballistic missiles — one a three-stage intercontinental ballistic missile, one possibly an intermediate-range missile and five short-range ballistic missiles.

After two failed attempts, the DPRK successfully placed a military observation satellite in orbit, the experts said. And a diesel submarine was retrofitted as a “tactical nuclear attack submarine” and added to the North’s military arsenal.

The panel, which monitors U.N. sanctions against North Korea, said the DPRK continues importing refined petroleum products in violation of Security Council resolutions, using “combinations of obfuscation methods” to evade maritime sanctions.

The DPRK’s recorded trade volume in 2023 surpassed the total for 2022, the experts said, including a large variety of consumer goods, “some of which could be classified as luxury items” that are banned by U.N. sanctions.

The panel said it is also investigating reports from member states about the DPRK supplying arms and ammunition in violation of U.N. sanctions.

The United States, Ukraine and six allies accused Russia last month of using North Korean ballistic missiles and launchers in a series of devastating aerial attacks against Ukraine, in violation of U.N. sanctions.

South Korea’s military said in November that it suspected North Korea had sent an unspecified number of short-range ballistic missiles, anti-tank missiles and portable anti-air missiles to Russia, in addition to rifles, rocket launchers, mortars and shells in violation of U.N. sanctions.

During the six-month period, the experts said, “trends include DPRK targeting of defense companies and supply chains, and increasingly sharing infrastructure and tools.”

The panel said it also investigated reports of numerous DPRK nationals working overseas, including in information technology, restaurants and construction, and earning income in violation of U.N. sanctions.

And in another sanctions violation, they said, “The DPRK continues to access the international financial system and engage in illicit financial operations.”

U.N. sanctions are not supposed to hurt ordinary North Koreans, but the panel said “there can be little doubt that U.N. sanctions and their implementation have unintentionally affected the humanitarian situation and some aspects of aid operations.” But it said “their relative role remains impossible to disaggregate from many other factors.”

Information : UN Experts Investigating 58 Suspected North Korean Cyberattacks Valued at About $3 Billion

09 Feb, 2024

Malware & Threats : New macOS Backdoor Linked to Prominent Ransomware Groups

Written in Rust, the new RustDoor macOS backdoor appears linked to Black Basta and Alphv/BlackCat ransomware. By Ionut Arghire

A newly identified macOS backdoor written in Rust appears linked to the prominent ransomware families Black Basta and Alphv/BlackCat, cybersecurity firm Bitdefender reports.

The malware, dubbed RustDoor, impersonates Visual Studio, supports both Intel and Arm architectures, and appears to have been circulating since November 2023, remaining undetected for roughly three months.

Bitdefender has identified several variants of the malware, all sharing the same backdoor functionality, albeit with minor variations.

All analyzed samples support multiple commands to harvest and exfiltrate files and to gather details about the infected machine. The information is sent to a command-and-control (C&C) server to generate a victim ID that is used in subsequent communication.

The first variant of the backdoor, which appeared in November 2023, was likely a test version that lacked a complete persistence mechanism and also contained a plist file named ‘test’.

First seen at the end of November, the second variant had larger files and contained a complex JSON configuration and an Apple script for the exfiltration of specific documents from the Documents and Desktop folders, along with the user’s notes.

The malware copies the documents to a hidden folder and compresses them to a ZIP archive before sending them to the C&C server.

Bitdefender discovered that RustDoor’s configuration file contains options to impersonate different applications, with options to customize a spoofed administrator password dialog.

ADVERTISEMENT. SCROLL TO CONTINUE READING.

Learn about Process Mining

“Some configurations also include specific instructions about what data to collect, such as the maximum size and maximum number of files, as well as lists of targeted extensions and directories, or directories to exclude,” Bitdefender explains.

The JSON configuration also references four persistence mechanisms, using cronjobs, using the LaunchAgents (resulting in execution at login), by modifying a file to ensure execution when a new ZSH session is opened, and by adding the binary to the dock.

Bitdefender also identified a third variant of the backdoor, which appears to be the original one. First seen on November 2, it lacks complexity, the Apple script, and the embedded configuration.

RustDoor, Bitdefender says, uses three C&C servers previously associated with Black Basta and Alphv/BlackCat ransomware campaigns. First seen in November 2021, BlackCat is the first file-encrypting ransomware written in the Rust programming language. It was taken down in December 2023.

09 Feb, 2024

Malware & Threats : New macOS Backdoor Linked to Prominent Ransomware Groups

Written in Rust, the new RustDoor macOS backdoor appears linked to Black Basta and Alphv/BlackCat ransomware. by Ionut Arghire