CyberSecurity updates
Updated: 2024-11-10 12:31:02 Pacific


cyble.com
Cisco Unified Industrial Wireless Backhaul (URWB) Access Points Vulnerable to Critical Command Injection - 2d

Cisco’s Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) Access Points has been found to contain a critical command injection vulnerability. This vulnerability, tracked as CVE-2024-39123, allows unauthenticated attackers to execute commands with root privileges on affected systems. The flaw stems from insufficient validation within the web-based management interface, making it susceptible to malicious HTTP requests. Successful exploitation of this vulnerability could grant attackers complete control over the targeted device, posing significant risks to networked devices and potentially disrupting critical operations. Cisco has released a software update to address the issue, and users are urged to upgrade immediately to mitigate potential impacts.

CISA @ Alerts
CISA Issues Urgent Advisories for Cisco ASA/FTD and RoundCube Webmail Vulnerabilities - 14d

The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent advisories about two critical vulnerabilities: CVE-2024-20481, a denial-of-service (DoS) vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), and CVE-2024-37383, a cross-site scripting (XSS) vulnerability in RoundCube Webmail. CVE-2024-20481 allows unauthenticated attackers to crash Cisco ASA/FTD devices with a crafted HTTP request, impacting network availability and security posture. CVE-2024-37383 allows attackers to inject malicious scripts into web pages viewed by RoundCube users, leading to potential data theft or other malicious activities. CISA urges organizations to promptly apply patches for both vulnerabilities and implement mitigation strategies such as input validation, user education, and WAFs to reduce the risk of exploitation.

theregister.com
Unsecured APIs Continue to Pose Significant Cybersecurity Risks: Lessons from the Cisco Data Breach - 11d

The recent Cisco data breach, which involved the exposure of API tokens and other sensitive information, highlights the ongoing danger of unsecured APIs. Even breaches in seemingly low-risk, public-facing environments can be exploited by attackers to gain access to sensitive data and launch more sophisticated attacks. Attackers can use exposed source code, hardcoded credentials, and even seemingly harmless data to compromise an organization’s security posture. This underscores the importance of comprehensive API security measures, including strict access controls, robust authentication mechanisms, and thorough security testing, to protect against these threats.

sec.cloudapps.cisco.com
Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication - 16d

Cisco has released its October 2024 Semiannual Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication. This publication addresses multiple vulnerabilities within Cisco’s ASA, FMC, and FTD products, some of which are actively being exploited by attackers. These vulnerabilities, if left unpatched, could allow attackers to gain control of affected systems. CISA strongly encourages users and administrators to review the provided advisory and apply the necessary updates promptly to mitigate the risk of compromise.

do son @ Cybersecurity News
Akira Ransomware Continuously Evolving and Targeting Vulnerable Systems - 19d

Akira ransomware, a prominent threat actor, is continuously evolving its tactics and targeting vulnerable systems, particularly network appliances. Their latest ransomware encryptor targets both Windows and Linux hosts. Akira affiliates have been exploiting vulnerabilities in SonicWall SonicOS, Cisco ASA/FTD, and FortiClientEMS for initial access, followed by credential harvesting, privilege escalation, and lateral movement. The group’s recent shift back to encryption methods, coupled with data theft extortion, emphasizes their focus on stability and efficiency in affiliate operations.

bleepingcomputer.com
Chinese APT Campaigns Targeting Critical Infrastructure and ISPs - 16d

Multiple Chinese Advanced Persistent Threat (APT) groups, including Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant, are engaging in sophisticated cyber espionage and disruptive campaigns. These groups employ various techniques, including “living off the land” (LOTL) methods, to compromise critical infrastructure, ISPs, and IoT devices. Volt Typhoon’s focus is on U.S. communication infrastructure, often leveraging compromised Fortinet devices for data exfiltration. Salt Typhoon targets U.S. Internet Service Providers (ISPs), seeking to compromise routers and network devices for data collection. Flax Typhoon utilizes compromised IoT devices to build botnets for command and control purposes, aiming at entities in Taiwan and expanding globally. Velvet Ant, a lesser-known group, targets software supply chains, aiming to indirectly infiltrate larger networks. These groups pose a serious threat to critical infrastructure and national security, requiring vigilant defense strategies to combat their stealthy operations.

cisco.com
New PowerRAT and DCRAT Delivered by Gophish Toolkit - 19d

A new phishing campaign discovered by Cisco Talos utilizes the open-source Gophish toolkit to distribute malware. This campaign leverages modular infection chains, either Maldoc or HTML-based, that require user interaction to activate. This attack delivers a previously undocumented PowerShell RAT, dubbed PowerRAT, along with the infamous Remote Access Tool (RAT) DCRAT. This indicates the threat actors are actively developing their tools and targeting Russian-speaking users. The attack uses malicious Microsoft Word documents and HTML files containing malicious JavaScript as initial infection vectors. These vectors lead to the download and activation of either PowerRAT or DCRAT based on the initial vector, with the attacker-controlled hosting domains disk-yanbex[.]ru and e-connection[.]ru delivering the payloads. The campaign is highly concerning due to its use of a readily available toolkit and the potential for further development and refinement of the PowerRAT malware. It highlights the importance of maintaining strong cybersecurity practices to protect against phishing attacks and the need for vigilance against emerging threats.

MalBot @ Malware Analysis, News and Indicators
APT41 Targets Gambling Industry with Custom Tools and Long-Term Persistence - 17d

APT41, a sophisticated threat actor, has been observed targeting the gambling industry with custom tools and achieving prolonged persistence, spanning nine months. Their tactics involve phantom DLL hijacking and WMIC JavaScript loading, allowing for stealthy operations and extended presence within victim networks. This activity highlights the growing interest of advanced threat actors in the gambling sector, demanding enhanced security measures to counter such persistent threats.

MalBot @ Malware Analysis, News and Indicators
Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant - 23d

The Russian-speaking threat actor group known as UAT-5647, also known as RomCom, has been observed targeting Ukrainian government entities and unknown Polish entities since late 2023. The group has expanded its arsenal to include four distinct malware families: RustClaw and MeltingClaw (downloaders), DustyHammock (Rust-based backdoor), and ShadyHammock (C++-based backdoor). UAT-5647’s attacks are likely a two-pronged strategy of establishing long-term access for espionage and potentially pivoting to ransomware deployment to disrupt and gain financially from the compromise.

ciso2ciso.com
Cisco Data Breach: IntelBroker Compromises Systems, Potentially Affecting Microsoft, Barclays, and SAP Developer Data - 25d

Cisco experienced a significant data breach, allegedly perpetrated by the IntelBroker hacking group. The breach, which occurred on Thursday, exposed sensitive information of Cisco’s customers, including Microsoft, Barclays, and SAP developer data. The stolen data, which is being sold on the dark web, includes confidential information that could potentially be used to compromise systems and accounts. This incident highlights the growing threat of data breaches and the importance of robust security measures for organizations, especially those handling sensitive information.

arcticwolf.com
Vulnerabilities in DrayTek Routers (DRAY:BREAK) Affect Over 700,000 Devices Worldwide - 4d

Forescout Technologies has identified 14 vulnerabilities, including two critical flaws, in DrayTek routers used by businesses and residential users. The vulnerabilities could allow attackers to compromise the devices and gain complete control, potentially affecting over 700,000 devices in 168 countries. Two of the vulnerabilities have been rated as critical, while nine are rated as high severity and three as medium severity. DrayTek has released patches for the vulnerabilities, and security teams are urged to update their routers as soon as possible to mitigate the risks. This incident highlights the importance of keeping network equipment up to date and patching vulnerabilities promptly. Exploitation of these vulnerabilities could lead to data breaches, denial-of-service attacks, and disruption of network operations.

cisco.com
Hardware Supply Chain Attacks: A Multifaceted Threat - 13d

The increasing prevalence of hardware supply chain attacks, where adversaries physically infiltrate or tamper with the manufacturing process, has raised concerns about the security of physical devices. These attacks differ from traditional software supply chain attacks, requiring a combination of physical and network-level manipulation. While the cybersecurity industry has a role in mitigating these threats, the challenge is multifaceted, requiring collaboration across logistics, cybersecurity, and manufacturing sectors. Organizations need to implement strong physical security measures, leverage technologies like smart containers and real-time monitoring, and invest in training to prevent hardware supply chain attacks.

eclypsium.com
Chinese Threat Actors Exploiting Cisco NX-OS and F5 Load Balancers - 6d

A Chinese threat group dubbed “Velvet Ant” has been exploiting vulnerabilities in Cisco NX-OS and F5 load balancers. This group has used a custom malware toolkit called “VelvetShell” to gain administrator-level access to devices and establish command-and-control (C2) channels. The group has been exploiting vulnerabilities in the wild, including CVE-2024-20399, a privilege escalation vulnerability in NX-OS. This incident underscores the importance of applying patches promptly to critical network devices and monitoring for signs of malicious activity. Organizations should also invest in robust security solutions that can detect and mitigate threats from sophisticated threat actors.

gbhackers.com
Cisco Smart Licensing Utility Vulnerability: Critical Flaw Allows Remote Attackers to Gain Admin Control - 4d

A critical vulnerability (CVSS score of 9.8) has been discovered in the Cisco Smart Licensing Utility, a software tool used to manage Cisco product licenses. This vulnerability allows unauthenticated remote attackers to potentially gain administrative control over affected systems. Organizations using the Cisco Smart Licensing Utility are advised to review the Cisco security advisory and install the necessary patches to address the vulnerability. The severity of this flaw is extremely high, as an unauthenticated attacker could gain complete control over a device or system, leading to data theft, data manipulation, denial of service, or other harmful actions.


This site is an experimental news aggregator using feeds I personally follow. You can reach me at Bluesky if you have feedback or comments.