The RomCom cyber threat group exploited zero-day vulnerabilities (CVE-2024-9680 and CVE-2024-49039) in Mozilla Firefox and Windows to deploy their backdoor. The vulnerabilities allowed zero-click exploitation, delivering payloads without user interaction. Fake websites were used to target victims worldwide, mainly in Europe and North America. The backdoor provided attackers with complete system control.
Over 2,000 Palo Alto Networks devices were compromised in a large-scale attack exploiting vulnerabilities CVE-2024-0012 and CVE-2024-9474. Attackers bypassed authentication, escalated privileges, and deployed malware. The US and India were particularly impacted.
Two zero-day vulnerabilities were exploited in Palo Alto Networks software, potentially compromising thousands of organizations. This highlights the critical need for vendors to prioritize security and for organizations to maintain up-to-date software and security patching practices. The widespread impact of these vulnerabilities underscores the cascading effect of software flaws, which can allow attackers to penetrate systems and cause significant harm. The incident serves as a reminder to organizations to proactively monitor their security posture, use robust threat intelligence feeds, and employ multi-layered security defenses.
Palo Alto Networks has issued a critical security warning regarding a vulnerability in the management interfaces of its firewall products. This vulnerability, categorized as a remote command execution (RCE) flaw, could allow unauthenticated attackers to remotely execute arbitrary commands on affected systems. While the number of observed exploitations is currently limited, it poses a serious threat to the security of Palo Alto firewalls. This vulnerability highlights the importance of keeping software up to date and implementing robust security measures to mitigate the risk of exploitation. Attackers could potentially leverage this vulnerability to gain unauthorized access to sensitive data, disrupt network operations, or launch further attacks. Organizations using Palo Alto firewalls are strongly advised to apply the necessary patches and security updates to mitigate this vulnerability and protect their systems.
A critical vulnerability, tracked as CVE-2024-8068 and CVE-2024-8069, has been discovered in Citrix StoreFront, also known as Citrix StoreWeb. It could allow attackers to execute remote code if the StoreFront application is directly exposed to the internet and session recording is enabled. The vulnerability has been actively scanned for, but no signs of exploitation have been reported yet. Citrix has released patches to address it. Organizations using Citrix StoreFront should prioritize applying the patches to mitigate the risk. The vulnerability highlights the importance of securing web applications and ensuring that they are properly configured, especially if they are exposed to the public internet.
A critical vulnerability in Ivanti’s Cloud Service Appliance (CSA) has been actively exploited by attackers. The flaw, tracked as CVE-2024-8190, allows attackers to gain unauthorized access to sensitive data and execute arbitrary commands on vulnerable systems. The vulnerability exists in the CSA’s authentication mechanism and can be exploited by attackers who can send specially crafted requests to the CSA. This attack vector allows attackers to bypass the CSA’s security measures and gain access to the underlying operating system. The vulnerability has been exploited in the wild by a suspected nation-state adversary. There are strong indications that China is behind the attacks. Organizations using Ivanti CSA should prioritize patching the vulnerability immediately to reduce their risk of being compromised.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added three new security vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, due to confirmed reports of active exploitation in the wild. These vulnerabilities pose significant risks to organizations and require immediate attention. The three vulnerabilities added to the KEV Catalog include a format string vulnerability in multiple Fortinet products, a SQL injection vulnerability in Ivanti Cloud Services Appliance (CSA), and an OS command injection vulnerability in Ivanti CSA. The addition of these vulnerabilities to the KEV Catalog highlights the ongoing threat posed by malicious cyber actors who actively exploit known vulnerabilities. CISA urges all organizations to prioritize timely remediation of vulnerabilities listed in the KEV Catalog as part of their vulnerability management practices to reduce their exposure to cyberattacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a series of critical vulnerabilities affecting multiple major platforms, including Zimbra Collaboration, Ivanti, D-Link, DrayTek, GPAC, and SAP. The vulnerabilities, which range in severity from critical to medium, have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, highlighting their active exploitation by threat actors. The vulnerabilities allow attackers to gain unauthorized access to systems, execute malicious code, and potentially steal sensitive information. Organizations are strongly urged to prioritize the immediate patching of affected systems to mitigate the risk of exploitation. The vulnerabilities and their potential impact are detailed below:
CVE-2024-45519 (Zimbra Collaboration): This critical vulnerability allows unauthenticated users to execute commands. A Proof of Concept (PoC) exploit has been demonstrated by researchers, and mass exploitation of this vulnerability has been reported.
CVE-2024-29824 (Ivanti Endpoint Manager): This high-severity SQL Injection vulnerability allows an unauthenticated attacker within the same network to execute arbitrary code.
CVE-2023-25280 (D-Link devices): This critical OS command injection vulnerability allows an attacker to manipulate system commands through insufficient validation of the ping_addr parameter.
CVE-2020-15415 (DrayTek routers): This critical vulnerability allows remote command execution via OS command injection.
CVE-2021-4043 (GPAC repository): This medium-severity vulnerability may lead to a denial-of-service (DoS) condition.
CVE-2019-0344 (SAP Commerce Cloud): This critical vulnerability allows arbitrary code execution due to unsafe deserialization.
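The remediation priority CISA asks for can be derived mechanically from the KEV feed. The following is an added example, not code from the original page or from CISA: it parses a constructed sample in the shape of the KEV JSON feed (using the feed's published field names), matches entries against a constructed asset inventory, and ranks the hits by overdue status, ransomware linkage and due date. The CVE IDs are the ones listed above; the dates, hostnames and inventory are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names as published:
# cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse).
# CVE IDs come from the list above; dates and ransomware flags are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-45519", "vendorProject": "Zimbra", "product": "Collaboration",
     "dateAdded": "2024-10-03", "dueDate": "2024-10-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-29824", "vendorProject": "Ivanti", "product": "Endpoint Manager",
     "dateAdded": "2024-10-02", "dueDate": "2024-10-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2019-0344", "vendorProject": "SAP", "product": "Commerce Cloud",
     "dateAdded": "2024-10-03", "dueDate": "2024-10-24", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: which (vendor, product) pairs are deployed, and on which hosts.
INVENTORY = {
    ("ivanti", "endpoint manager"): ["epm-01.corp.example"],
    ("sap", "commerce cloud"): ["shop-eu.example", "shop-us.example"],
}

def load_kev(feed_text):
    """Parse the KEV feed and key its entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}

def prioritize(feed_text, inventory, today_iso):
    """Return KEV entries present in the inventory, most urgent first."""
    today = date.fromisoformat(today_iso)
    hits = []
    for cve, entry in load_kev(feed_text).items():
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        hosts = inventory.get(key)
        if not hosts:
            continue  # KEV entry for a product we do not run
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve,
            "hosts": hosts,
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    # Overdue first, then ransomware-linked, then nearest due date.
    hits.sort(key=lambda h: (h["days_left"] >= 0, not h["ransomware"], h["days_left"]))
    return hits

if __name__ == "__main__":
    for h in prioritize(KEV_SAMPLE, INVENTORY, "2024-10-24"):
        print(h["cve"], "due", h["due"], "days_left", h["days_left"], h["hosts"])
```

Against a real inventory the vendor/product strings need normalization before matching, since the feed's naming does not always match what asset tools report.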
Multiple Chinese Advanced Persistent Threat (APT) groups, including Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant, are engaging in sophisticated cyber espionage and disruptive campaigns. These groups employ various techniques, including “living off the land” (LOTL) methods, to compromise critical infrastructure, ISPs, and IoT devices. Volt Typhoon’s focus is on U.S. communication infrastructure, often leveraging compromised Fortinet devices for data exfiltration. Salt Typhoon targets U.S. Internet Service Providers (ISPs), seeking to compromise routers and network devices for data collection. Flax Typhoon utilizes compromised IoT devices to build botnets for command and control purposes, aiming at entities in Taiwan and expanding globally. Velvet Ant, a lesser-known group, targets software supply chains, aiming to indirectly infiltrate larger networks. These groups pose a serious threat to critical infrastructure and national security, requiring vigilant defense strategies to combat their stealthy operations.
Pwn2Own Ireland 2024, the first Pwn2Own event held in Ireland, has announced a comprehensive schedule for the four-day contest. The event features a diverse range of targets, including smart speakers, printers, network attached storage devices, surveillance cameras, and mobile phones. Researchers and security experts from around the world are competing to identify and exploit vulnerabilities in these devices, showcasing the latest in vulnerability research and hacking techniques. The contest is expected to attract significant attention from the cybersecurity community and provide valuable insights into the evolving threat landscape.