Okta, a prominent identity and access management provider, has been found to be vulnerable to an authorization bypass flaw. This vulnerability, which has been patched, allows attackers to gain unauthorized access to restricted resources, potentially compromising sensitive user data. The vulnerability stems from Okta’s AD/LDAP delegated authentication mechanism, which allows users to authenticate with a username longer than 52 characters. Attackers could exploit this by crafting specially designed usernames, effectively bypassing authentication checks and gaining access to resources without proper authorization. This incident highlights the importance of robust security practices, including thorough vulnerability assessments and timely patching of identified flaws.
A critical vulnerability in Ivanti’s Cloud Service Appliance (CSA) has been actively exploited by attackers. The flaw, tracked as CVE-2024-8190, allows attackers to gain unauthorized access to sensitive data and execute arbitrary commands on vulnerable systems. The vulnerability exists in the CSA’s authentication mechanism and can be exploited by attackers who can send specially crafted requests to the CSA. This attack vector allows attackers to bypass the CSA’s security measures and gain access to the underlying operating system. The vulnerability has been exploited in the wild by a suspected nation-state adversary. There are strong indications that China is behind the attacks. Organizations using Ivanti CSA should prioritize patching the vulnerability immediately to reduce their risk of being compromised.
The use of Artificial Intelligence (AI) to automatically discover vulnerabilities in code is becoming increasingly prevalent, with researchers developing new methods to effectively scan source code and find zero-days in the wild. Companies like ZeroPath are combining deep program analysis with adversarial AI agents to uncover critical vulnerabilities, often in production systems, that traditional security tools struggle to detect. While AI-based vulnerability discovery is still in its early stages, its potential to enhance security measures is undeniable. This development could significantly improve the effectiveness of security testing and lead to the identification of vulnerabilities earlier in the development cycle, reducing the risk of exploitation.
A vulnerability, CVE-2024-9264, has been discovered in Grafana Labs’ open-source analytics and monitoring platform, Grafana. This vulnerability affects the SQL Expressions feature, allowing attackers to exploit insufficient sanitization of user input in ‘duckdb’ queries to execute command injection and local file inclusion attacks. Organizations using Grafana should prioritize the installation of security patches released by the vendor to address this vulnerability. Failure to do so could result in unauthorized access to sensitive data, system compromise, and potential data breaches. It is crucial for organizations to implement robust security measures, including strong password policies, multi-factor authentication, and regular security assessments, to protect their systems from these threats. Additionally, organizations should be vigilant and proactive in their cybersecurity efforts, staying informed about vulnerabilities and promptly implementing necessary updates.
A high-severity vulnerability, CVE-2024-40766, has been identified in SonicWall’s SonicOS, affecting the administrative interface of the SonicOS system. This vulnerability allows attackers to exploit improper access controls, gaining unauthorized access to sensitive data and potentially compromising the entire system. This vulnerability has been actively exploited by ransomware groups, including Fog and Akira, who are targeting SSL VPN environments to infiltrate networks and deploy ransomware. Organizations using SonicWall products must prioritize the installation of security patches released by the vendor to address this critical vulnerability. Failure to do so could result in significant security breaches, data loss, and financial losses due to ransomware attacks. It is crucial for organizations to implement robust security measures, including strong password policies, multi-factor authentication, and regular security audits, to protect their systems from these threats. Additionally, organizations should be vigilant and proactive in their cybersecurity efforts, staying informed about vulnerabilities and promptly implementing necessary updates.
Mindgard security researchers have found two vulnerabilities in Microsoft Azure’s content safety filters for AI, namely AI Text Moderation and Prompt Shield. These vulnerabilities allow attackers to bypass these safeguards and inject malicious content into protected large language models (LLMs). Mindgard’s testing involved exposing ChatGPT 3.5 Turbo with Azure OpenAI to these filters and then using character injection and adversarial ML evasion techniques to circumvent them. The first method, character injection, involved adding specific characters and text patterns to prompts, leading to a significant drop in jailbreak detection effectiveness. The second, adversarial ML evasion, further reduced the effectiveness of both filters by finding blind spots in their ML classification systems. Microsoft acknowledged the issue and has been working on fixes for upcoming model updates. However, Mindgard emphasizes the seriousness of these vulnerabilities, as attackers could exploit them to compromise sensitive information, gain unauthorized access, manipulate outputs, and spread misinformation.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent advisories about two critical vulnerabilities: CVE-2024-20481, a denial-of-service (DoS) vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), and CVE-2024-37383, a cross-site scripting (XSS) vulnerability in Roundcube Webmail. CVE-2024-20481 allows unauthenticated attackers to crash Cisco ASA/FTD devices with a crafted HTTP request, impacting network availability and security posture. CVE-2024-37383 allows attackers to inject malicious scripts into web pages viewed by Roundcube users, leading to potential data theft or other malicious activities. CISA urges organizations to promptly apply patches for both vulnerabilities and implement mitigation strategies such as input validation, user education, and WAFs to reduce the risk of exploitation.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three new security vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, due to confirmed reports of active exploitation in the wild. These vulnerabilities pose significant risks to organizations and require immediate attention. The three vulnerabilities added to the KEV Catalog include a format string vulnerability in multiple Fortinet products, a SQL injection vulnerability in Ivanti Cloud Services Appliance (CSA), and an OS command injection vulnerability in Ivanti CSA. The addition of these vulnerabilities to the KEV Catalog highlights the ongoing threat posed by malicious cyber actors who actively exploit known vulnerabilities. CISA urges all organizations to prioritize timely remediation of vulnerabilities listed in the KEV Catalog as part of their vulnerability management practices to reduce their exposure to cyberattacks.
Multiple critical vulnerabilities have been identified in Ivanti Cloud Services Appliance (CSA), a key component for secure device management and communication. These vulnerabilities, CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, are actively exploited by threat actors. CVE-2024-9379 allows remote, authenticated attackers with administrator privileges to execute SQL injection attacks. CVE-2024-9380 enables attackers to achieve remote code execution through OS command injection. CVE-2024-9381 is a path traversal vulnerability that lets attackers bypass restrictions. The vulnerabilities are chained with CVE-2024-8963, highlighting the severity of the situation. CISA has issued an urgent advisory, urging security teams to patch the flaws immediately.
Cyble sensors detected attacks targeting a command injection vulnerability in SPIP, an open-source content management system (CMS) and publishing platform. The vulnerability, CVE-2024-38816, allows remote, unauthenticated attackers to execute arbitrary operating system commands via crafted HTTP requests. Multiple Proof of Concept (PoC) exploits have emerged, increasing the risk of attacks. SPIP administrators should update their systems to the latest versions to mitigate this vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a series of critical vulnerabilities affecting multiple major platforms, including Zimbra Collaboration, Ivanti, D-Link, DrayTek, GPAC, and SAP. The vulnerabilities, which range in severity from critical to medium, have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, highlighting their active exploitation by threat actors. The vulnerabilities allow attackers to gain unauthorized access to systems, execute malicious code, and potentially steal sensitive information. Organizations are strongly urged to prioritize the immediate patching of affected systems to mitigate the risk of exploitation. The vulnerabilities and their potential impact are detailed below:
CVE-2024-45519 (Zimbra Collaboration): This critical vulnerability allows unauthenticated users to execute commands. A Proof of Concept (PoC) exploit has been demonstrated by researchers, and mass exploitation of this vulnerability has been reported.
CVE-2024-29824 (Ivanti Endpoint Manager): This high-severity SQL Injection vulnerability allows an unauthenticated attacker within the same network to execute arbitrary code.
CVE-2023-25280 (D-Link devices): This critical OS injection vulnerability allows an attacker to manipulate system commands through insufficient validation of the ping_addr parameter.
CVE-2020-15415 (DrayTek routers): This critical vulnerability allows remote command execution via OS injection.
CVE-2021-4043 (GPAC repository): This medium-severity vulnerability may lead to a denial-of-service (DoS) condition.
CVE-2019-0344 (SAP Commerce Cloud): This critical vulnerability allows arbitrary code execution due to unsafe deserialization.
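Several of the items above (the SPIP and Ivanti CSA OS command injections, and the D-Link ping_addr flaw in particular) come down to the same root cause: a user-supplied value reaches an operating-system command without strict validation. The following is an added example, not vendor code from any of the advisories, of how a diagnostics handler that takes a "ping" target should treat that parameter: it accepts only an IP literal or a well-formed hostname, and then passes the value as a separate argv element rather than interpolating it into a shell string. The handler, the parameter name `ping_addr` being reused as an illustrative input name, and the function names are assumptions of this example.

```python
import ipaddress
import re
import subprocess
from typing import List

# Hypothetical diagnostics handler: "ping_addr" is a user-controlled parameter.
# The weak pattern such flaws share is building a shell string like
# "ping -c 1 " + ping_addr, so that ';', '|', '`', '$(' or a newline in the
# value becomes a second command. The fix has two halves: validate the value
# against an allow-list grammar, and never hand it to a shell at all.

# One RFC 1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, 1-63 characters.
_HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ping_addr(value: str) -> str:
    """Return the canonical target if `value` is an IPv4/IPv6 literal or a
    hostname; raise ValueError for anything else. Because only these two
    shapes are accepted, shell metacharacters can never reach the command."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("ping_addr missing or too long")
    # IP literal: let the standard library parse it (rejects junk and
    # trailing garbage such as "192.0.2.1; id").
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    # Otherwise every dot-separated label must be a valid hostname label.
    stripped = value.rstrip(".")
    labels = stripped.split(".")
    if stripped and all(_HOSTNAME_LABEL.match(label) for label in labels):
        return stripped
    raise ValueError(f"ping_addr is not an IP address or hostname: {value!r}")


def build_ping_argv(ping_addr: str, count: int = 1) -> List[str]:
    """Build the ping command as an argv list. The target is its own
    argument, so no shell parsing happens and no quoting tricks apply.
    Validated values cannot start with '-', so they cannot be read as options."""
    target = validate_ping_addr(ping_addr)
    return ["ping", "-c", str(int(count)), target]


def run_ping(ping_addr: str, timeout: float = 10.0) -> int:
    """Execute ping without a shell and return its exit status.
    Invalid input raises ValueError before anything is executed."""
    argv = build_ping_argv(ping_addr)
    return subprocess.run(argv, check=False, timeout=timeout).returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and two injection attempts.
    for candidate in ("192.0.2.1", "192.0.2.1; id", "$(id)"):
        try:
            print("accepted:", build_ping_argv(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

The allow-list approach is deliberately stricter than escaping: a deny-list of metacharacters has to be complete for every shell and firmware the code may run on, whereas "an IP address or a hostname" is a closed grammar. Passing an argv list to `subprocess.run` (never `shell=True`) removes the shell from the path entirely, so even a validation gap cannot become command execution.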
Akira ransomware, a prominent threat actor, is continuously evolving its tactics and targeting vulnerable systems, particularly network appliances. Their latest ransomware encryptor targets both Windows and Linux hosts. Akira affiliates have been exploiting vulnerabilities in SonicWall SonicOS, Cisco ASA/FTD, and FortiClientEMS for initial access, followed by credential harvesting, privilege escalation, and lateral movement. The group’s recent shift back to encryption methods, coupled with data theft extortion, emphasizes their focus on stability and efficiency in affiliate operations.
Multiple Chinese Advanced Persistent Threat (APT) groups, including Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant, are engaging in sophisticated cyber espionage and disruptive campaigns. These groups employ various techniques, including “living off the land” (LOTL) methods, to compromise critical infrastructure, ISPs, and IoT devices. Volt Typhoon’s focus is on U.S. communication infrastructure, often leveraging compromised Fortinet devices for data exfiltration. Salt Typhoon targets U.S. Internet Service Providers (ISPs), seeking to compromise routers and network devices for data collection. Flax Typhoon utilizes compromised IoT devices to build botnets for command and control purposes, aiming at entities in Taiwan and expanding globally. Velvet Ant, a lesser-known group, targets software supply chains, aiming to indirectly infiltrate larger networks. These groups pose a serious threat to critical infrastructure and national security, requiring vigilant defense strategies to combat their stealthy operations.
Arctic Wolf Labs has observed an increase in Fog and Akira ransomware attacks, with at least 30 intrusions across various industries since early August. These attacks often leverage SonicWall SSL VPN in the early stages of the attack chain, highlighting the importance of securing VPN access points. The malicious VPN logins originate from IP addresses associated with VPS hosting, providing defenders with a viable mechanism for early detection and response.
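The detection opportunity noted above, VPN logins arriving from hosting-provider address space, is simple to operationalize. The following is an added example, not Arctic Wolf's or SonicWall's own code: it parses constructed SSL VPN login lines in a generic key=value syslog style (the field names are assumptions, not a vendor format), checks each successful login's source address against a list of hosting prefixes, and returns the events worth a closer look. The prefixes used here are RFC 5737 / RFC 3849 documentation networks standing in for a real VPS/hosting prefix feed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Placeholder prefixes standing in for a VPS/hosting provider range list
# (in practice, prefixes for the relevant hosting ASNs from a BGP or
# threat-intel feed). These are documentation networks, not real hosting ranges.
VPS_RANGES = [
    ipaddress.ip_network(p)
    for p in ("192.0.2.0/24", "203.0.113.0/24", "2001:db8:ffff::/48")
]

# Constructed sample log lines (assumed generic format, not a vendor's own).
SAMPLE_LOG = """\
2024-08-14T02:58:10Z fw01 sslvpn: login user=jdoe src=198.51.100.23 result=success
2024-08-14T03:12:45Z fw01 sslvpn: login user=jdoe src=192.0.2.45 result=success
2024-08-14T03:13:02Z fw01 sslvpn: login user=svc-backup src=203.0.113.77 result=failure
2024-08-14T03:13:09Z fw01 sslvpn: login user=svc-backup src=203.0.113.77 result=success
2024-08-14T09:41:33Z fw01 sslvpn: login user=asmith src=2001:db8:ffff::10 result=success
not a login line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class LoginEvent:
    ts: str
    user: str
    src: IPAddress
    success: bool


def parse_events(lines: Iterable[str]) -> List[LoginEvent]:
    """Parse login lines; skip lines that do not match or carry a bad address."""
    events: List[LoginEvent] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        events.append(LoginEvent(m["ts"], m["user"], src, m["result"] == "success"))
    return events


def from_hosting_range(addr: IPAddress) -> bool:
    """True if the address falls inside any configured hosting prefix.
    Membership tests across IP versions simply return False."""
    return any(addr in net for net in VPS_RANGES)


def flag_vps_logins(lines: Iterable[str]) -> List[LoginEvent]:
    """Successful VPN logins whose source is in a hosting range.
    Failed attempts are excluded here; they belong in a separate brute-force view."""
    return [e for e in parse_events(lines) if e.success and from_hosting_range(e.src)]


if __name__ == "__main__":
    for event in flag_vps_logins(SAMPLE_LOG.splitlines()):
        print(f"{event.ts} {event.user} logged in from hosting range {event.src}")
```

A hit is a triage signal, not proof of compromise: some users legitimately connect through cloud-hosted jump boxes, so the practical next step is to compare the flagged login against that user's usual source addresses and to treat a first-ever hosting-range login, especially one for a service account, as the alert worth paging on.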
A vulnerability in the open-source Roundcube webmail software has been exploited in phishing attacks. The flaw, tracked as CVE-2024-37383, allows attackers to steal user credentials by sending malicious emails that appear to come from legitimate sources. The vulnerability has been patched, but Roundcube users are advised to update their software immediately. Threat actors targeted Roundcube Webmail users specifically to steal their login credentials: the emails carried malicious links that, when clicked, redirected users to a fake website designed to look like the real Roundcube login page. Users who entered their credentials on the fake site had them stolen by the attackers, compromising their accounts and potentially exposing sensitive data.