Issue #1: Another Week of Zero Days & Critical Vulnerabilities

The latest high & critical vulnerabilities, exploits, ransomware attacks, data theft & a hefty fine for Uber


Major Vulnerabilities

Jenkins Critical Vulnerability

Last week Jenkins administrators were alerted to a critical vulnerability that exposed around 45,000 servers to the threat of remote code execution.

| CVE | Type | CVSS Score |
|---|---|---|
| CVE-2024-23897 | Arbitrary file read vulnerability | High |

In Jenkins versions 2.441 and below, as well as LTS versions 2.426.2 and below, there is a vulnerability in the CLI command parser where an '@' character followed by a file path within an argument is substituted with the contents of the specified file. This flaw permits attackers without authentication to access and read any file on the Jenkins controller's file system.

Nasty.

Despite the availability of a patch, and the high severity of this vulnerability, many organisations did not apply the patch quickly, or perhaps they were not even aware of this issue. At the time of writing, there were approximately 45,000 unpatched Jenkins instances worldwide, with approximately 12,000 of those in China, 12,000 in the United States and 3,400 in Germany.

This underscores the crucial need for immediate patching to mitigate potential security breaches and protect against the exploitation of this vulnerability.

A proof of concept exploit is published here in 60 lines of Python code.
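The '@' substitution described above is an argument-expansion feature: the parser replaces '@<path>' with the contents of <path> without asking whether the caller is allowed to read it. The following is an added example, not Jenkins' code, modelling that behaviour beside a hardened parser that treats '@' literally; the secret file and command name are constructed.

```python
"""Minimal model of '@file' argument expansion (the bug class of CVE-2024-23897).

Added example, not Jenkins' own code: the vulnerable parser imitates the
behaviour the advisory describes, the hardened one simply has no expansion.
"""
import os
import tempfile
from typing import List, Tuple


def expand_args_vulnerable(args: List[str]) -> List[str]:
    """Replace '@path' arguments with the whitespace-split contents of path.

    Nothing here checks who is asking or which file is named, so any caller
    who can pass arguments can read any file the process can open.
    """
    out: List[str] = []
    for arg in args:
        if arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                out.extend(fh.read().split())
        else:
            out.append(arg)
    return out


def expand_args_hardened(args: List[str]) -> List[str]:
    """Hardened variant: no file expansion at all; '@' is an ordinary character.

    Removing the feature is safer than allow-listing paths, which is easy to
    get wrong (symlinks, relative paths, case-insensitive file systems).
    """
    return list(args)


def demo() -> Tuple[List[str], List[str]]:
    """Create a constructed secret file and feed '@<path>' to both parsers."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed-secret-value\n")
        path = fh.name
    try:
        leaked = expand_args_vulnerable(["some-command", "@" + path])
        safe = expand_args_hardened(["some-command", "@" + path])
    finally:
        os.unlink(path)
    return leaked, safe
```

When auditing your own CLI tooling, look for the same pattern: any parser that turns a user-supplied token into a file read on the server side needs an authorization check or, better, no such feature at all.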

Juniper High Severity Vulnerabilities

Juniper Networks released urgent updates for its Junos OS to fix high-severity flaws in SRX and EX Series devices. The vulnerabilities were discovered by the cyber security company WatchTowr Labs, and they could be exploited by a threat actor to take control of susceptible systems.

Fixes have been released, and Juniper advised disabling J-Web or limiting access as temporary measures to prevent exploitation.

| CVE | Type | CVSS Score |
|---|---|---|
| CVE-2024-21619 | A missing authentication vulnerability | Medium / High |
| CVE-2024-21620 | A cross-site scripting (XSS) vulnerability | Medium / High |

Glibc Buffer Overflow Affects Linux

The GNU C Library (Glibc) is a fundamental component of various Linux distributions. It is crucial for the execution of compiled C programs, ensuring compatibility across different versions of Linux.

Researchers uncovered a significant vulnerability (CVE-2023-6246) in the Glibc library, affecting major Linux distributions. This flaw, which allows privilege escalation to root, was notably present in Debian, Ubuntu, and Fedora versions.

The bug was introduced by a change intended to fix a prior vulnerability and takes the form of a buffer overflow in dynamically allocated memory. Addressing this issue requires updating glibc to version 2.39.

| CVE | Type | CVSS Score |
|---|---|---|
| CVE-2023-6246 | A heap-based buffer overflow | High |

Ivanti Critical and High Severity Vulnerabilities

Last week Ivanti issued an alert concerning zero-day vulnerabilities within its VPN products (CVE-2023-46805 and CVE-2024-21887), which have allegedly been exploited by Chinese hackers since December 2023. These vulnerabilities allowed for authentication bypass and command injection.

Although the vendor has released a patch, further vulnerabilities were identified (CVE-2024-21888 and CVE-2024-21893).

As a result, CISA in the United States mandated federal agencies to disconnect affected Ivanti solutions by February 2, 2024, highlighting the severity of the threat and the steps required for mitigation.

The company said that it has seen targeted exploitation of the server-side bug, and the German Federal Office for Information Security (BSI) said that it knows of multiple compromised systems.

| CVE | Type | CVSS Score |
|---|---|---|
| CVE-2023-46805 | Authentication Bypass Vulnerability | High |
| CVE-2024-21887 | Command Injection Vulnerability | Critical |
| CVE-2024-21888 | Privilege Escalation Vulnerability | High |
| CVE-2024-21893 | Server-Side Request Forgery (SSRF) Vulnerability | High |

GitLab Critical Vulnerability

Last week, GitLab issued an urgent update to patch a critical vulnerability allowing authenticated users to write files anywhere on a GitLab server while creating a workspace.

This ability is due to a path traversal flaw, in which users can manipulate pathnames to access locations outside of a restricted directory.

Identified as CVE-2024-0402 with a 9.9 severity score, this flaw prompted immediate action alongside fixes for four other medium-severity issues, underscoring the vital need for users to upgrade to the latest versions.

| CVE | Type | CVSS Score |
|---|---|---|
| CVE-2024-0402 | Path traversal | Critical |

GitLab is a widely used web-based DevOps platform enabling collaborative software development and CI/CD with source code management.
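The path traversal described above is the case where a user-controlled name such as "../something" is joined onto the workspace directory and lands outside it. The following is an added example, not GitLab's code, showing the naive join beside a containment check that resolves the path before comparing it to the root; the root and file names are constructed.

```python
"""Containment check for user-supplied workspace paths (added example).

Not GitLab's code: a minimal illustration of the bug class behind
CVE-2024-0402, where a user-controlled path escapes the workspace directory.
"""
import os
import tempfile
from pathlib import Path


def workspace_file_path_vulnerable(root: str, name: str) -> str:
    """Naive join: '../' segments (or an absolute name) escape `root`."""
    return os.path.join(root, name)


def workspace_file_path_hardened(root: str, name: str) -> str:
    """Resolve the joined path and refuse anything outside the root.

    Path.resolve() collapses '..' and follows symlinks, so the comparison is
    made on the real location rather than on the text of the path. An
    absolute `name` replaces the root when joined and is rejected the same way.
    """
    base = Path(root).resolve()
    target = (base / name).resolve()
    if base != target and base not in target.parents:
        raise ValueError(f"path escapes workspace root: {name!r}")
    return str(target)


def demo() -> dict:
    """Compare both functions on a benign name and a traversal attempt."""
    root = tempfile.mkdtemp()  # constructed workspace root
    traversal = "../outside.txt"
    naive = os.path.abspath(workspace_file_path_vulnerable(root, traversal))
    results = {
        "naive_escapes": not naive.startswith(root + os.sep),
        "benign_ok": workspace_file_path_hardened(root, "config.yml")
        .endswith("config.yml"),
    }
    try:
        workspace_file_path_hardened(root, traversal)
        results["hardened_blocks"] = False
    except ValueError:
        results["hardened_blocks"] = True
    os.rmdir(root)
    return results
```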

Recent Exploits

OAuth Hack on Microsoft’s Senior Leadership Team

Microsoft recently admitted being the victim of an OAuth attack, the same type it had previously warned its customers about. The attack was executed by a cyberespionage group with alleged ties to Russia.

The attackers exploited OAuth applications to access corporate accounts, showing their ability to manipulate authentication mechanisms.

The attack was made more difficult to detect because the attackers used multiple compromised residential router IP addresses as proxies, rendering traditional address-based indicators of compromise ineffective.

Threat actors were already known to be abusing OAuth applications for financial crime: leveraging compromised user accounts to deploy crypto miners, maintaining persistence after compromise, and subsequently sending spam using victim organisations' resources.

Phishing via Microsoft Teams Group Chats

In January 2024, Microsoft Teams users were targeted by phishing attacks distributing DarkGate malware through group chat invitations. Attackers, masquerading as legitimate users or domains, sent over 1,000 malicious invitations.

Upon accepting, victims were tricked into downloading files containing malware, leading to system compromise.

Mitigations such as disabling external access to Teams, and improving knowledge of phishing through better cyber security awareness training, help prevent such exploits.

USB Attack Targets Italian Businesses with Cryptojacking

In early 2024, Italian organizations were targeted by a cybercriminal group known as UNC4990, who used weaponised USB devices to spread cryptojacking malware.

The attacks, investigated by Mandiant, impacted various sectors including health and logistics. The attackers exploited third-party sites like GitHub and Vimeo for hosting malicious components, although the content hosted on these services posed no risk to the everyday users of these services.

This campaign leveraged the known EMPTYSPACE downloader and QUIETBOARD backdoor. Infections were initiated through malicious .lnk shortcuts on USB flash drives.

This kind of attack can be avoided by training users to treat unidentified USB flash drives as infected by default, or in certain industries, by disabling USB access altogether.

USB access can be controlled using carefully managed group policies, or using specific enterprise software for that purpose.

Ransomware Attacks

Schneider Electric Hit by Ransomware

Schneider Electric was hit by a Cactus ransomware attack on January 17, 2024, affecting its Sustainability Business division.

This cyberattack led to terabytes of corporate data being stolen and ongoing outages on the Resource Advisor cloud platform.

Despite the breach, the company confirmed the attack was confined to one division and is taking steps to restore and secure its systems. It has not disclosed whether a ransom will be paid.

Schneider Electric, based in France, is a multinational specialising in energy management, automation and digital transformation, providing services to datacentres, industry and infrastructure.

US Children's Hospital in Ransomware Attack

The LockBit ransomware gang attacked a Chicago children's hospital in the United States, demanding an $800,000 ransom. This is a departure from their usual policy of not attacking non-profit organisations like hospitals.

The attack compromised files containing patient information, though medical and financial records were reportedly untouched. The hospital has since taken steps to secure its network and is cooperating with the FBI.

A 2023 report from the US Department of Health and Human Services highlighted a significant rise in cyberattacks targeting the healthcare and public health sectors, leading to disruptions and delays in patient care nationwide.

Interestingly, in 2021 the Conti ransomware group, after demanding $20m from Ireland's Health Service Executive, unexpectedly provided a decryption tool for free, aiding recovery without a ransom payment.

Recent Data Leaks

Datasport Mass Personal Data Theft in Switzerland

Datasport, a Swiss IT provider, announced that they experienced a significant data breach resulting in the theft of personal records of nearly 1 million individuals, including 900,000 Swiss citizens.

The breach exposed sensitive data such as names, addresses, and event participation details. The incident occurred during a backup process, leaving data vulnerable.

Datasport's response includes an apology and advice for customers to be vigilant against phishing, without requiring immediate action like password changes, which could raise concerns about their security practices.

More details about the incident are in this article.

Cloudflare Hackers Accessed Source Code & Configurations

Cloudflare provides web security and performance services, including DDoS protection, content delivery, secure DNS, and Zero Trust solutions to enhance the internet experience and protect against cyber threats.

The company said in this blog post last week that it experienced a sophisticated security incident in Q4 2023, orchestrated by a nation-state actor using stolen credentials. The attackers targeted Cloudflare's Atlassian servers, gaining limited access to internal wikis, bug databases, and a small amount of source code.

Despite the breach, the company's Zero Trust architecture prevented widespread network compromise. A remediation program was initiated to harden security, rotate credentials and re-image systems.

A comprehensive analysis by CrowdStrike's forensic team ensured the attackers were purged from systems without impacting customer data or services.

Data Protection

Uber Heavily Fined in the Netherlands

The Dutch Data Protection Authority fined Uber 10 million euros for violating privacy regulations related to its drivers' personal data. The issues included unclear data retention periods, insecure data transfers outside the EEA, and obstructing drivers' access to their data.

This action followed complaints from over 170 French drivers, highlighting the need for clearer data handling practices. Uber, acknowledging the findings, has made improvements.

The General Data Protection Regulation (GDPR) mandates stringent controls for transferring personal data outside the European Union, ensuring data protection.

This framework aims to maintain the privacy and security of EU residents' data, emphasising legal, enforceable protections and rights for data subjects.

The European Commission also adopted the EU-US Data Privacy Framework adequacy decision in July 2023, enabling personal data to flow freely from the EU to participating US companies.

There is an independent redress mechanism for Europeans' complaints about data collection for national security.