
Ransomware Distributed Through Mass Exploitation of ConnectWise ScreenConnect


Shortly after reports emerged regarding a significant security flaw in the ConnectWise ScreenConnect remote desktop management service, researchers are sounding the alarm about a potential large-scale supply chain attack.

Kyle Hanslovan, CEO of Huntress, expressed concerns about the exploitation of these vulnerabilities, warning that hackers could potentially infiltrate thousands of servers controlling numerous endpoints. He cautioned that this could lead to what might become the most significant cybersecurity incident of 2024. ScreenConnect's functionality, often used by tech support and others for remote authentication, poses a risk of unauthorized access to critical endpoints.

Compounding the issue is the widespread adoption of ScreenConnect by managed service providers (MSPs) to connect with customer environments. This mirrors previous incidents like the Kaseya attacks in 2021, where MSPs were exploited for broader access to downstream systems.

ConnectWise addressed the vulnerabilities without assigning CVEs initially, but subsequent proof-of-concept exploits emerged swiftly. By Tuesday, ConnectWise acknowledged active cyberattacks exploiting these bugs, and by Wednesday, multiple researchers reported increasing cyber activity.

The vulnerabilities now have designated CVEs, including a severe authentication bypass flaw (CVE-2024-1709) and a path traversal issue (CVE-2024-1708) enabling unauthorized file access.

The Shadowserver Foundation reported thousands of vulnerable instances exposed online, primarily in the US, with significant exploitation observed in the wild.

According to Huntress researchers, initial access brokers (IABs) are leveraging these bugs to gain access to various endpoints, intending to sell this access to ransomware groups. There have been instances of ransomware attacks targeting local governments, including endpoints potentially linked to critical systems like 911 services.

Bitdefender researchers corroborated these findings, noting the use of malicious extensions to deploy downloaders capable of installing additional malware.

The US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities catalog.

Mitigation measures include applying patches released with ScreenConnect version 23.9.8 and monitoring for indicators of compromise (IoCs) as advised by ConnectWise. Additionally, organizations should vigilantly observe their systems for suspicious files and activities.
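Acting on the patch guidance above starts with knowing which servers are still below the fixed release, and that requires comparing version strings numerically rather than lexically (a plain string comparison ranks "23.9.10" below "23.9.8"). The script below is an added example, not ConnectWise tooling; the fixed version 23.9.8 is the one named in this post, while the hostnames and reported versions in the inventory are constructed.

```python
"""Flag ScreenConnect servers that report a version below the patched release.

Added example. PATCHED_VERSION is the fixed release named in the post;
the inventory is constructed sample data, not a real environment.
"""
from typing import Iterable, List, Tuple

PATCHED_VERSION = "23.9.8"

# Constructed inventory: (hostname, version string reported by the server)
INVENTORY = [
    ("sc-msp-01.example.internal", "23.9.8"),
    ("sc-msp-02.example.internal", "23.9.10"),      # newer than the fix
    ("sc-branch-a.example.internal", "23.8.4"),
    ("sc-branch-b.example.internal", "22.6.7"),
    ("sc-lab.example.internal", "23.9.7.8811"),     # four-part build number
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "23.9.7.8811" into (23, 9, 7, 8811) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str, fixed: str = PATCHED_VERSION) -> bool:
    """True when version >= fixed, component by component.

    Missing trailing components count as zero, so "23.9.8" and "23.9.8.0"
    compare equal instead of one being treated as shorter and thus lower.
    """
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def unpatched_hosts(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported version is below the fix."""
    return [host for host, ver in inventory if not is_patched(ver)]


if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"UNPATCHED: {host}")
```

The version list a real check consumes would come from the servers themselves or an asset inventory; the comparison logic is the part that is easy to get wrong, and it is the part this example exercises.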

ConnectWise's actions to revoke licenses for unpatched servers offer some hope, although the severity of the situation remains a concern for anyone running vulnerable versions or failing to patch promptly.

Citrix Bleed Bug Delivers Sharp Blow: Vulnerability is Now Under "Mass Exploitation"


Citrix Bleed Bug: A Critical Vulnerability in Widespread Use

Despite a patch having been available for three weeks, ransomware hackers are exploiting a vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks through Citrix hardware.

What exactly is Citrix Bleed?

CVE-2023-4966, which exists in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, has been actively exploited since August. The vulnerability has a severity rating of 9.4 out of a possible 10, which is quite high for a simple information-disclosure fault.

According to some estimates, 20,000 devices have already been compromised. The reason is that the leaked information may contain session tokens, which the hardware assigns to devices that have previously authenticated successfully, including those that passed MFA.

Attacks on the rise

Attacks have only recently surged, prompting security researcher Kevin Beaumont to write on Saturday, "This vulnerability is now under mass exploitation." He went on to describe the situation as follows: "From talking to multiple organizations, they are seeing widespread exploitation."

He stated that as of Saturday, he had discovered an estimated 20,000 instances of compromised Citrix machines with stolen session tokens. He stated that his estimate was based on establishing a honeypot of servers disguised as vulnerable NetScaler devices to track opportunistic Internet attacks. Beaumont then compared the results to other data sources, such as NetFlow and the Shodan search engine.

Meanwhile, GreyNoise, a security firm that also uses honeypots, was reporting CVE-2023-4966 attacks coming from 135 IP addresses. This is a 27-fold rise from the five IPs discovered by GreyNoise five days earlier.

Easy-to-exploit vulnerability

According to the most recent data from security firm Shadowserver, there were approximately 5,500 unpatched machines. Beaumont has admitted that this figure contradicts his previous estimate of 20,000 affected devices. It's unclear what was causing the disparity.

The vulnerability is reasonably simple for experienced attackers to exploit. A simple reverse-engineering of the Citrix patch reveals the vulnerable methods, and it's not difficult to develop code that exploits them from there. A number of proof-of-concept exploits are available online, making attacks considerably easier.

What next? What should companies do to be safe?

Citrix Bleed is similar to Heartbleed, another major information leak vulnerability that rocked the Internet in 2014. This weakness, which was found in the OpenSSL code library, was widely exploited, allowing the theft of passwords, encryption keys, banking credentials, and other sensitive information. Citrix Bleed is less severe because fewer vulnerable devices are in operation.

Citrix Bleed, on the other hand, is still quite awful. Organizations should treat all NetScaler devices as compromised. That means patching any devices that remain unpatched, then rotating all credentials to guarantee that any potentially leaked session tokens are expired. Mandiant, a security firm, provides comprehensive security advice here.
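The token-expiry step above is worth seeing as a server-side mechanism, because a leaked session token is a post-authentication artifact: whoever holds it is not asked for a password or an MFA code again, so changing passwords alone does not kill it. The following Python is an added example of a minimal session store with an issued-before cut-off, not code from Citrix or Mandiant; the store, the clock values and the user name are hypothetical.

```python
"""Expire every session token issued before a cut-off time.

Added example: a hypothetical in-memory session store, not Citrix or
Mandiant code. After patching, every token issued before the patch is
treated as potentially leaked and refused, so holders must log in again
(and pass MFA again) to obtain a token the server will honour.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    issued_at: int  # seconds since epoch; passed in explicitly so the demo is deterministic


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    not_before: int = 0  # tokens issued earlier than this are dead even if still stored

    def issue(self, user: str, now: int) -> str:
        """Create a fresh 256-bit random token after a successful login."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now)
        return token

    def revoke_issued_before(self, cutoff: int) -> int:
        """Remove all sessions issued before `cutoff` (e.g. the patch time).

        The cut-off is also recorded so that a token replayed from a stale
        cache or replica is still rejected by validate() if the deletion has
        not reached every node yet. Returns the number of sessions removed.
        """
        self.not_before = max(self.not_before, cutoff)
        dead = [t for t, s in self.sessions.items() if s.issued_at < cutoff]
        for t in dead:
            del self.sessions[t]
        return len(dead)

    def validate(self, token: str) -> Optional[str]:
        """Return the user bound to a live token, or None for a dead/unknown one."""
        sess = self.sessions.get(token)
        if sess is None or sess.issued_at < self.not_before:
            return None
        return sess.user


def post_patch_rotation() -> Dict[str, object]:
    """Walk through the recommended sequence with constructed timestamps."""
    store = SessionStore()
    stolen = store.issue("alice", now=1_000)   # token that leaked before the patch
    removed = store.revoke_issued_before(1_500)  # patch applied; rotate everything
    fresh = store.issue("alice", now=2_000)    # alice logs in again, MFA re-run
    return {
        "removed": removed,                          # 1
        "stolen_token_user": store.validate(stolen),  # None: leaked token is dead
        "fresh_token_user": store.validate(fresh),    # "alice"
        "live_sessions": len(store.sessions),         # 1
    }


if __name__ == "__main__":
    print(post_patch_rotation())
```

The same cut-off idea applies to any bearer credential a device hands out (cookies, API keys, refresh tokens): the rotation is only complete once the server refuses everything minted before the fix, not once users have new passwords.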

Mass Exploits 2022: A Report Covering Most Dangerous Threats


What is the "Year of Mass Exploits"?

Experts at GreyNoise Intelligence have added more than 230 tags since January 1, 2022. It includes detections for more than 160 CVEs. In its annual report titled GreyNoise Intelligence 2022 "Year of Mass Exploits," the experts have identified 2022's most "pernicious and pwnable" vulnerabilities, in other words, the most significant threats. 

Bob Rudis, VP of Research & Data Science at GreyNoise Intelligence, said, “When it comes to cybersecurity, not all vulnerabilities are created equal, and many of the ones that garner media attention actually turn out to be insignificant.”

Log4j remote code execution

Activity around the Log4j remote code execution flaw surfaced at the end of 2021 and has continued since, appearing in routine web-based malicious traffic alongside a group of other "celebrity vulnerabilities."

In the early phase of exploitation, every single GreyNoise sensor (more than six hundred sensors across more than 5,000 IP addresses) fielded Log4j exploit traffic, logging around one million attempts in just the first week. Threat actors keep looking for newly exposed, vulnerable nodes, and also for nodes whose fixes or patches may have been removed by mistake.

OGNL injection weakness

The Atlassian Confluence Object Graph Notation Library (OGNL) injection vulnerability was unique in that it gave anyone unauthorized access to any query. Confluence is the knowledge repository of countless organizations. Because of the way the API endpoint handles input, cunning threat actors used several techniques to obscure their exploit payloads.

At the peak of exploitation attempts, the GreyNoise sensor network saw around 1,000 unique IPs scanning for exposed vulnerable instances. GreyNoise continues to see an average of almost 20 unique addresses hunting for unpatched Confluence instances.
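The sensor figures quoted in these posts (the rise from 5 to 135 source IPs for CVE-2023-4966 in the Citrix Bleed article, and the roughly 1,000 unique IPs scanning for Confluence here) come from deduplicating source addresses per vulnerability tag and per observation window. The Python below is an added example of that aggregation, not GreyNoise's code; its log format is hypothetical, the log lines are constructed, and the addresses are taken from documentation ranges.

```python
"""Count distinct source IPs per vulnerability tag in honeypot logs and
report how much a tag's source count grew between two observation dates.

Added example. The "<date> <source_ip> <tag>" format and the log lines
are constructed; they are not GreyNoise data or GreyNoise's export format.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed sensor log. Duplicate lines from the same source on the same
# day are deliberate: they must count once, not twice.
LOG = """\
2023-10-25 198.51.100.7 CVE-2023-4966
2023-10-25 198.51.100.7 CVE-2023-4966
2023-10-25 203.0.113.4 CVE-2023-4966
2023-10-25 203.0.113.9 LOG4J-RCE
2023-10-30 198.51.100.7 CVE-2023-4966
2023-10-30 203.0.113.4 CVE-2023-4966
2023-10-30 203.0.113.11 CVE-2023-4966
2023-10-30 203.0.113.12 CVE-2023-4966
2023-10-30 192.0.2.33 CVE-2023-4966
2023-10-30 192.0.2.34 CVE-2023-4966
2023-10-30 203.0.113.9 LOG4J-RCE
"""


def unique_sources(log: str) -> Dict[Tuple[str, str], Set[str]]:
    """Map (date, tag) -> set of distinct source IPs seen for that tag that day."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        date, ip, tag = line.split()
        seen[(date, tag)].add(ip)
    return seen


def fold_increase(log: str, tag: str, earlier: str, later: str) -> float:
    """Ratio of distinct sources on `later` to those on `earlier` for `tag`.

    A tag with no earlier sources but some later ones is reported as inf,
    which is the "brand new activity" case rather than a growth rate.
    """
    counts = unique_sources(log)
    before = len(counts.get((earlier, tag), set()))
    after = len(counts.get((later, tag), set()))
    if before == 0:
        return float("inf") if after else 0.0
    return after / before


def new_sources(log: str, tag: str, earlier: str, later: str) -> Set[str]:
    """Sources hitting `tag` on `later` that were not seen on `earlier`.

    This is the set a defender would want to feed into blocklists or
    correlate against their own perimeter logs.
    """
    counts = unique_sources(log)
    return counts.get((later, tag), set()) - counts.get((earlier, tag), set())


if __name__ == "__main__":
    tag = "CVE-2023-4966"
    print(f"{tag}: {fold_increase(LOG, tag, '2023-10-25', '2023-10-30'):.1f}x")
    print(sorted(new_sources(LOG, tag, "2023-10-25", "2023-10-30")))
```

With the constructed log the CVE-2023-4966 tag goes from 2 to 6 distinct sources, a 3.0x rise, while the Log4j tag stays flat at one source; the 27x figure in the Citrix Bleed post is the same computation over GreyNoise's much larger sensor fleet.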

For the Year of Mass Exploits 2022, experts have provided insights into the following areas:

  1. The impact of CISA's Known Exploited Vulnerabilities catalog releases on security firms
  2. The celebrity vulnerability hype cycle, with a breakdown of CVE-2022-1388, an F5 BIG-IP iControl REST authentication bypass
  3. The amount of effort threat actors will put in to never let a critical flaw go to waste, illustrated by the depth and breadth of activity around CVE-2022-26134, a significant flaw in Atlassian Confluence.

Besides the in-depth information about the most dangerous threat detection events of 2022, the report gives predictions for 2023 from Bob Rudis, GreyNoise VP of Data Science.

Organizations can expect regular web-based hacking attempts

Bob Rudis says, “We see Log4j attack payloads every day. It’s part of the new ‘background noise’ of the internet, and the exploit code has been baked into numerous kits used by adversaries of every level. It’s very low risk for attackers to look for newly-exposed or re-exposed hosts, with the weakness unpatched or unmitigated. This means organizations must continue to be deliberate and diligent when placing services on the internet.”

The rise in post-initial access internal threats

Rudis adds, “CISA’s database of software affected by the Log4j weakness stopped receiving regular updates earlier this year. The last update showed either ‘Unknown’ or ‘Affected’ status for ~35% (~1,550) of products cataloged. Attackers know that existing products have embedded Log4j weaknesses, and have already used the exploit in ransomware campaigns. If you have not yet dealt with your internal Log4j patching, early 2023 would be a good time to do so.”

Log4J-centric attacks may target organizations

Rudis concludes, “Organizations have to strive for perfection, while attackers need only persistence and luck to find that one device or service that is still exposing a weakness. We will see more organizations impacted by this, and it is vital you do what you can to ensure yours isn’t one of them.”