2025-02-10

Abandoned AWS S3 Buckets Pose Major Cybersecurity Risk

Need some FUD to illustrate the hidden dangers of abandoned cloud resources and the potential for supply chain attacks? This article is for you!

Recent research reveals that abandoned AWS S3 buckets pose a significant cybersecurity risk, as malicious actors can re-register these unused storage resources under their original names to execute attacks, such as delivering malware through software updates. The study identified 150 neglected S3 buckets previously used by major organizations for software deployment and other purposes. When researchers registered these buckets, they received 8 million file requests in two months from various high-profile entities, indicating the potential for malicious exploitation. Although AWS intervened to mitigate the specific risks, the underlying issue persists, emphasizing the need for organizations to manage cloud resources diligently and understand the permanence of references in deployment code.

Risks: Shadow IT/Exposed Assets, Supply Chain, Malware

CVEs: N/A

Keywords: AWS S3, cloud storage, supply chain attack, abandoned buckets, malware delivery

Affected: AWS S3, US government agencies, UK government agencies, Australian government agencies, Fortune 100 companies, a major payment card network, an industrial product company, global banks, regional banks, cybersecurity companies

Read More

2025-02-08

Critical Flaw in Veeam Backup Software Allows Code Execution

Need some ammo against AWS, Google Cloud, or Microsoft Azure? Have a customer or prospect that uses these platforms? This article is for you!

A critical vulnerability in Veeam's Backup software, affecting several cloud platforms including AWS, Google Cloud, and Microsoft Azure, allows for arbitrary code execution via a man-in-the-middle attack. Veeam has released patches to address this issue, noting that deployments that do not involve those cloud environments remain unaffected.

Risks: Patch Management, Cloud Service Provider Flaw

CVEs: CVE-2025-23114

Keywords: Veeam, Backup, Vulnerability, Code Execution, Cloud Platforms, Patches

Affected: Veeam Backup for Salesforce, Veeam Backup for Nutanix AHV, Veeam Backup for AWS, Veeam Backup for Microsoft Azure, Veeam Backup for Google Cloud, Veeam Backup for Oracle Linux Virtualization Manager, Veeam Backup for Red Hat Virtualization

Read More

2025-02-08

Cisco Patches Critical ISE Vulnerabilities Allowing Root Access

Need some ammo against Cisco? This article is for you!

Cisco has released patches for two critical vulnerabilities in its Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and elevate privileges. These flaws include an insecure Java deserialization vulnerability and an authorization bypass, which could be exploited by sending crafted requests to the API. Both vulnerabilities require patching, as there are no other workarounds, and while there is no evidence of exploitation, keeping systems updated is advised.

Risks: Privilege Escalation, API Vulnerability

CVEs: CVE-2025-20124; CVE-2025-20125

Keywords: Cisco, Identity Services Engine, ISE, Vulnerabilities, CVE-2025-20124, CVE-2025-20125, Root Access, Privilege Escalation

Affected: Cisco Identity Services Engine

Read More

2025-02-08

ASP.NET Machine Keys Vulnerability Enables Remote Code Execution

Learn about the risks of using insecure ASP.NET machine keys and how CloudGuard can help secure web server environments against such vulnerabilities.

Microsoft has identified a security risk where developers are using publicly disclosed ASP.NET machine keys, making web servers vulnerable to remote code execution. Threat actors exploit this by crafting malicious ViewState objects using these keys, which are then sent to targeted websites to gain control via code injection. The issue is widespread, with over 3,000 keys publicly accessible, facilitating easier exploitation.

Risks: Web App/Website Vulnerability, Hardcoded Secrets, Shadow IT/Exposed Assets

CVEs: N/A

Keywords: ASP.NET, machine keys, remote code execution, ViewState, web server security, Microsoft warning

Affected: ASP.NET, Web servers

Read More

2025-02-08

Malicious Machine Learning Models on Hugging Face Evade Detection

Got some real good FUD for you: learn about the dangers of supply chain attacks.

Cybersecurity researchers discovered two malicious machine learning models on Hugging Face that use a "broken" pickle format to evade detection by security tools. These models, likely proof-of-concept rather than active threats, contain platform-aware reverse shells that connect to a hard-coded IP address. The malicious content is embedded at the start of the PyTorch archives, which are compressed using the 7z format, allowing them to bypass detection by Picklescan, Hugging Face's security tool. The serialization breaks after the payload is executed, but the models can still execute the malicious code due to discrepancies in how deserialization and scanning are performed. This vulnerability has been addressed by updating the Picklescan utility.

Risks: Supply Chain, Open Source, Malware

CVEs: N/A

Keywords: Hugging Face, machine learning, pickle files, PyTorch, supply chain attack, nullifAI

Affected: Hugging Face, PyTorch, Picklescan

Read More

2025-02-08

CISA Adds Four Actively Exploited Vulnerabilities to Catalog

Learn about the critical importance of timely patch management to protect against vulnerabilities actively exploited in the wild.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities catalog, highlighting their active exploitation. These include a forced browsing flaw in Apache OFBiz, an information disclosure issue in Microsoft .NET Framework, and two vulnerabilities in Paessler PRTG Network Monitor related to command injection and local file inclusion. Patches for these vulnerabilities were released between 2018 and 2024.

Risks: Patch Management, Web App/Website Vulnerability

CVEs: CVE-2024-45195; CVE-2024-29059; CVE-2018-9276; CVE-2018-19410

Keywords: CISA, Known Exploited Vulnerabilities, Apache OFBiz, Microsoft .NET Framework, Paessler PRTG, Patch Management

Affected: Apache OFBiz, Microsoft .NET Framework, Paessler PRTG Network Monitor

Read More

2025-02-07

Microsoft Patches Critical Vulnerabilities in Azure AI Face Service and Microsoft Account

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure AI? This article is for you!

Microsoft has released patches for two critical security vulnerabilities affecting Azure AI Face Service and Microsoft Account, which could allow privilege escalation. The Azure AI Face Service vulnerability, with a CVSS score of 9.9, involves an authentication bypass that could enable privilege elevation, while the Microsoft Account vulnerability involves missing authorization. Both vulnerabilities have been mitigated, and no action is required from customers.

Risks: Privilege Escalation, Cloud Service Provider Flaw

CVEs: CVE-2025-21396; CVE-2025-21415

Keywords: Microsoft Azure, Azure AI Face Service, CVE-2025-21415, CVE-2025-21396, Privilege Escalation, Security Patches

Affected: Azure AI Face Service, Microsoft Account

Read More

2025-02-07

2024 Sees 20% Rise in Exploited Vulnerabilities

Learn about the increasing threat landscape and the importance of proactive vulnerability management to protect against sophisticated exploits.

The VulnCheck report for 2024 highlights a 20% increase in exploited vulnerabilities compared to 2023, with 768 CVEs reported as actively exploited. Notably, 23.6% of these vulnerabilities were weaponized by threat actors on or before their public disclosure. The report also links 15 Chinese hacking groups to the exploitation of frequently targeted vulnerabilities, affecting approximately 400,000 internet-accessible systems across various products from companies like Apache, Atlassian, Cisco, and Microsoft.

Risks: Patch Management, Web App/Website Vulnerability, Other: CVE Exploitation

CVEs: N/A

Keywords: VulnCheck, CVEs 2024, Exploited Vulnerabilities, Threat Actors, Apache, Microsoft, Chinese Hacking Groups

Affected: Apache, Atlassian, Barracuda, Citrix, Cisco, Fortinet, Microsoft, Progress, PaperCut, Zoho

Read More

2025-02-06

IMI Hit by Cyber Attack Affecting Global Systems

Learn about the growing threat landscape affecting engineering firms and other industries—perfect for showcasing the importance of robust cloud security solutions like CloudGuard.

Engineering group IMI has suffered a cyber attack, affecting its systems worldwide and leading to a 3% drop in its share price. The firm, which operates in 50 countries, has isolated impacted systems and is collaborating with external cybersecurity experts to investigate and contain the breach. While the specific data accessed remains undisclosed, the attack does not appear to have targeted employee or customer information. This incident follows a similar attack on Smiths Group, although the two are not believed to be linked. Recent cyber attacks have also affected other UK entities, including Transport for London and Harvey Nichols.

Risks: N/A

CVEs: N/A

Keywords: IMI, Smiths Group, Cyber Attack, UK Engineering, Global Systems, Data Breach, Cloud Security

Affected: IMI, Smiths Group, Transport for London, Harvey Nichols, Portsmouth City Council

Read More

2025-02-02

BeyondTrust Breach Exposes SaaS Customers via Compromised API Key

Learn about the critical need for robust API security and the potential vulnerabilities in Remote Support SaaS solutions.

BeyondTrust experienced a cybersecurity breach affecting 17 Remote Support SaaS customers due to a compromised API key, which was exploited through a zero-day vulnerability in a third-party application. This allowed unauthorized access by resetting local application passwords. The breach was first detected in December 2024. The compromised API key has since been revoked and affected customer instances suspended; the U.S. Treasury Department was among those impacted. The attack has been linked to the China-affiliated hacking group Silk Typhoon. BeyondTrust identified two separate vulnerabilities in its products, which have been added to CISA's Known Exploited Vulnerabilities catalog.

Risks: Zero-Day, API Vulnerability, Third-Party Vendor/SaaS, Weak or Compromised Credentials

CVEs: CVE-2024-12356; CVE-2024-12686

Keywords: BeyondTrust, API Key Breach, Zero-Day Vulnerability, Silk Typhoon, Remote Support SaaS

Affected: BeyondTrust Remote Support SaaS, AWS, U.S. Treasury Department

Read More

2025-01-30

Critical Vulnerability in Cacti Allows Remote Code Execution

Learn about the critical importance of patch management to prevent remote code execution and data compromise in network monitoring tools.

A critical vulnerability in Cacti, an open-source network monitoring tool, allows authenticated users to execute remote code on affected systems by exploiting a flaw in the SNMP result parser. This vulnerability, identified as CVE-2025-22604, has a high severity score and permits attackers with management permissions to manipulate sensitive data. The issue, alongside another vulnerability (CVE-2025-24367), has been fixed in Cacti version 1.2.29. Organizations using Cacti should prioritize patching to prevent potential exploitation.

Risks: Patch Management, Web App/Website Vulnerability, Open Source

CVEs: CVE-2025-22604; CVE-2025-24367

Keywords: Cacti, CVE-2025-22604, Remote Code Execution, Network Monitoring, SNMP Vulnerability

Affected: Cacti

Read More

2025-01-30

Unpatched Vulnerabilities in Voyager Allow Remote Code Execution

Learn about the importance of securing open-source admin tools and the potential risks of unpatched vulnerabilities.

The open-source Laravel admin package Voyager has three unpatched vulnerabilities that could lead to remote code execution attacks when an authenticated user clicks on a malicious link. These vulnerabilities include bypassing MIME-type verification to upload malicious files, improper input sanitization allowing JavaScript injection, and file management flaws enabling unauthorized file manipulation. Despite attempts to notify the maintainers, the issues remain unresolved. Voyager users, primarily Laravel developers and small businesses, are advised to restrict access to trusted users, use role-based access control, and implement server-level security measures to mitigate risk.

Risks: Open Source, Web App/Website Vulnerability, Patch Management, Privilege Escalation

CVEs: CVE-2024-55417; CVE-2024-55416; CVE-2024-55415

Keywords: Voyager, Laravel, Remote Code Execution, CVE-2024-55417, Open Source Vulnerability

Affected: Voyager

Read More

2025-01-29

Critical Vulnerabilities Grant Access to 3,000 Companies

Learn about the critical importance of secure coding practices and how they can prevent massive breaches, providing you with valuable insights to discuss with prospects.

Cybersecurity researchers exploited critical vulnerabilities in a company's infrastructure, gaining control over a super admin panel and access to over 3,000 companies. These vulnerabilities included improper API authentication, inadequate KYC checks, and flawed backend authorization, which were uncovered by manipulating API endpoints and bypassing security measures like a Web Application Firewall. The findings highlight the severe risks associated with weak secure coding practices.

Risks: API Vulnerability, Web App/Website Vulnerability, Privilege Escalation

CVEs: N/A

Keywords: API security, secure coding, vulnerability exploitation, backend authorization, Web Application Firewall bypass

Affected: N/A

Read More

2025-01-29

High-Severity SQL Injection Vulnerability in VMware Avi Load Balancer

Learn about the critical importance of timely patch management to protect against high-severity vulnerabilities in key infrastructure components like VMware Avi Load Balancer.

Broadcom has identified a high-severity SQL injection vulnerability in VMware Avi Load Balancer that allows unauthorized users with network access to execute specially crafted SQL queries to gain database access. Affected versions include 30.1.1, 30.1.2, 30.2.1, and 30.2.2, and users are advised to update to the latest patched versions as there are no workarounds available.

Risks: Patch Management, Web App/Website Vulnerability

CVEs: CVE-2025-22217

Keywords: VMware Avi Load Balancer, SQL Injection, CVE-2025-22217, Patch Management, Broadcom

Affected: VMware Avi Load Balancer

Read More

2025-01-28

IBM Security Directory Integrator Vulnerabilities Expose Sensitive Data

Learn about the crucial importance of secure cookie handling and data protection to emphasize the need for comprehensive security solutions.

IBM has addressed multiple vulnerabilities in its Security Directory Integrator product, which could allow attackers to steal session cookies and access sensitive information. These vulnerabilities involve improper handling of authorization tokens and session cookies, with two having a medium severity and one rated as low severity. The issues primarily affect confidentiality by exposing cookies via unsecured HTTP connections and disclosing sensitive directory information. Although the vulnerabilities are less likely to impact system integrity and availability, they underscore the importance of securing sensitive data against unauthorized access.

Risks: Sensitive Data, Patch Management, Web App/Website Vulnerability

CVEs: CVE-2024-28771; CVE-2024-28770; CVE-2024-28766

Keywords: IBM, Security Directory Integrator, vulnerabilities, session cookies, data exposure, CVE

Affected: IBM Security Directory Integrator

Read More

2025-01-28

Intel TDX Vulnerability Exposes Cloud Environments to Security Risks

Learn how vulnerabilities in Intel's TDX can expose cloud environments to risk and see why robust virtualization security is crucial for protecting sensitive data.

Researchers have identified critical security vulnerabilities in Intel Trust Domain Extensions (TDX), which are designed to provide secure isolation for virtual machines by protecting sensitive data from potentially compromised Virtual Machine Managers (VMMs). Despite TDX's advanced security features, such as Multi-Key Total Memory Encryption (MKTME) and remote attestation, the study highlights weaknesses in its core isolation mechanisms. These vulnerabilities allow side-channel attacks through shared system resources and hardware performance counters, enabling a VMM to observe and exploit performance metrics. This compromises the integrity of TDX, posing significant risks to cloud computing and virtualized environments where TDX is used to secure multi-tenant workloads.

Risks: Sensitive Data, Side-Channel Attacks, Other: Resource Contention

CVEs: N/A

Keywords: Intel TDX, Virtual Machine Security, Cloud Vulnerability, Side-Channel Attacks, Multi-Tenant Security

Affected: Intel Trust Domain Extensions, Virtual Machine Managers, Cloud Computing Environments

Read More

2025-01-27

Meta Llama Framework Vulnerability Allows Remote Code Execution

Learn about the risks of unpatched AI frameworks and how CloudGuard can help protect against remote code execution vulnerabilities.

A vulnerability in Meta's Llama large language model framework could allow attackers to execute arbitrary code on the inference server by exploiting a flaw in the deserialization process. This issue affects the Llama Stack component, specifically the reference Python Inference API implementation, which uses the unsafe pickle library to deserialize data. If the ZeroMQ socket is exposed, attackers could send malicious objects to execute code on the host machine.

Risks: API Vulnerability, Open Source, Other: Remote Code Execution

CVEs: CVE-2024-50050

Keywords: Meta, Llama, Remote Code Execution, Vulnerability, AI Security, CVE-2024-50050

Affected: Meta, Llama, Llama Stack, Python Inference API, ZeroMQ

Read More

2025-01-24

Juniper Routers Exploited by Custom Backdoor in J-magic Campaign

Learn about the risks facing edge infrastructure and the opportunity to offer advanced security solutions for sectors like IT, energy, and manufacturing.

The J-magic campaign involves a custom backdoor exploiting a "magic packet" vulnerability in Juniper Networks routers running Junos OS. The malware, based on an old backdoor called cd00r, targets sectors like semiconductor, energy, manufacturing, and IT across multiple countries. The backdoor waits for specific packets to establish a reverse shell, allowing attackers to control devices, steal data, or deploy further payloads. The campaign highlights vulnerabilities in edge infrastructure, particularly routers lacking endpoint detection and response protections.

Risks: Malware, Shadow IT/Exposed Assets

CVEs: N/A

Keywords: Juniper Networks, magic packet, backdoor, J-magic campaign, Junos OS, cd00r, SEASPY, edge infrastructure

Affected: Juniper Networks routers, Junos OS, semiconductor industry, energy industry, manufacturing industry, information technology sector, Barracuda Email Security Gateway appliances

Read More

2025-01-24

Palo Alto Networks Firewalls Vulnerable to Firmware Exploits

Need some ammo against Palo Alto Networks? This article is for you!

An evaluation of Palo Alto Networks' firewall models revealed multiple known vulnerabilities in the firmware, potentially allowing attackers to bypass Secure Boot and modify device firmware. The vulnerabilities, collectively termed PANdora's Box, include issues like BootHole, LogoFAIL, PixieFail, and others affecting models PA-3260, PA-1410, and PA-415. These findings highlight the necessity for organizations to adopt comprehensive supply chain security measures, including vendor assessments, firmware updates, and device integrity monitoring. Palo Alto Networks asserts that their current PAN-OS software, when configured correctly, mitigates these risks and that they are unaware of any active exploitation of these vulnerabilities.

Risks: Privilege Escalation, Misconfiguration, Supply Chain

CVEs: CVE-2020-10713; CVE-2022-24030; CVE-2021-33627; CVE-2021-42060; CVE-2021-42554; CVE-2021-43323; CVE-2021-45970; CVE-2023-1017

Keywords: Palo Alto Networks, firewall vulnerabilities, Secure Boot bypass, firmware exploits, PANdora's Box

Affected: Palo Alto Networks, PA-3260, PA-1410, PA-415

Read More

2025-01-24

jQuery XSS Vulnerability Actively Exploited Despite Patch

Learn about the importance of patch management and how vulnerabilities in widely used libraries like jQuery can impact security.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability in the jQuery library to its list of known exploited vulnerabilities. Although this medium-severity flaw, which could allow arbitrary code execution, was patched in jQuery version 3.5.0 in April 2020, it continues to be exploited. The flaw can occur when HTML containing

Risks: Patch Management, Web App/Website Vulnerability, Open Source

CVEs: CVE-2020-11023

Keywords: jQuery, XSS vulnerability, CISA, CVE-2020-11023, DOM manipulation, patch management

Affected: jQuery

Read More

2025-01-24

Next.js Vulnerabilities Expose Websites to Cache Poisoning and XSS Attacks

Want to show the importance of securing popular frameworks and the risks of improper caching? This article on Next.js vulnerabilities is a must-read!

Recent research has identified critical vulnerabilities in the Next.js framework, specifically between versions 13.5.1 and 14.2.9, which expose websites to cache poisoning and stored cross-site scripting (XSS) attacks. These vulnerabilities stem from improper caching mechanisms, allowing attackers to manipulate data-fetching routes and request details, resulting in corrupted content delivery and execution of malicious scripts. The issues affect static-route deployments on non-Vercel-hosted sites, necessitating an upgrade to version 14.2.10 or later. Organizations using Next.js must apply patches promptly, modify cache keys, and review their code to safeguard against these threats, given the framework's extensive use and potential impact on user privacy and service availability.

Risks: Misconfiguration, Web App/Website Vulnerability, Open Source

CVEs: CVE-2024-46982

Keywords: Next.js, Cache Poisoning, Stored XSS, CVE-2024-46982, JavaScript Vulnerability, Web Security

Affected: Next.js

Read More

2025-01-23

Unauthorized Encryption Threats Target AWS S3 Buckets

Need some ammo against AWS? Have a customer or prospect that uses AWS? This article is for you!

AWS has detected an increase in unauthorized encryption activities targeting S3 buckets, where threat actors use compromised credentials to exploit server-side encryption with client-provided keys. Although no AWS service vulnerabilities are identified, the misuse of valid credentials poses data protection risks by overwriting and re-encrypting customer data. AWS advises eliminating long-term access credentials, establishing data recovery procedures, monitoring access for anomalies, and blocking unnecessary SSE-C usage as key security practices to mitigate these threats. AWS has also implemented automatic security measures to block many unauthorized activities, highlighting the importance of customer vigilance.

Risks: Weak or Compromised Credentials, Sensitive Data

CVEs: N/A

Keywords: AWS, S3 Buckets, Unauthorized Encryption, Cloud Security, Data Protection

Affected: AWS

Read More

2025-01-23

Critical Vulnerabilities in WordPress RealHome and Easy Real Estate Plugins

Learn about the risks of unpatched vulnerabilities in popular WordPress themes and plugins, and how CloudGuard can help protect against privilege escalation attacks.

Two critical vulnerabilities affecting the RealHome theme and Easy Real Estate plugins for WordPress allow unauthenticated users to gain administrative privileges. Despite being identified in September 2024, these issues remain unpatched by the vendor, InspiryThemes. The RealHome theme's flaw enables attackers to register as administrators through a registration function without proper authorization checks, while the Easy Real Estate plugin allows privilege escalation via its social login feature. Both vulnerabilities pose significant security risks to websites using these popular real estate solutions.

Risks: Zero-Day, Privilege Escalation, Web App/Website Vulnerability

CVEs: CVE-2024-32444; CVE-2024-32555

Keywords: WordPress, RealHome, Easy Real Estate, privilege escalation, CVE-2024-32444, CVE-2024-32555

Affected: RealHome theme, Easy Real Estate plugin, WordPress

Read More

2025-01-23

Ivanti Cloud Services Targeted by Nation-State Exploit Chains

Understand the critical vulnerabilities in cloud service applications and emphasize the importance of proactive security measures to protect against nation-state attacks.

The U.S. government agencies CISA and FBI have provided technical details on two exploit chains used by nation-state hackers to compromise Ivanti's cloud service applications. These exploits, identified in September 2024, involve vulnerabilities that allow administrative bypass, SQL injection, and remote code execution. The exploit chains enable attackers to gain initial access, execute remote code, obtain credentials, and attempt to implant web shells on target networks. The vulnerabilities have been used to conduct lateral movements and compromise sensitive data stored within Ivanti appliances.

Risks: Sensitive Data, Patch Management, Web App/Website Vulnerability, Weak or Compromised Credentials

CVEs: CVE-2024-8963; CVE-2024-9379; CVE-2024-8190; CVE-2024-9380

Keywords: Ivanti, Nation-State Attack, Cloud Vulnerabilities, Remote Code Execution, CISA, FBI

Affected: Ivanti

Read More

2025-01-23

Azure DevOps Vulnerabilities Enable CRLF Injection and DNS Rebinding Attacks

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure DevOps? This article is for you!

The article discusses several vulnerabilities discovered in Azure DevOps, including CRLF injection and DNS rebinding attacks, which present serious security risks. The vulnerabilities allow attackers to conduct Server-Side Request Forgery (SSRF) and manipulate DNS records, potentially exposing sensitive internal services and data. Exploitation of these flaws can lead to unauthorized access, data leakage, and further attacks like cross-site scripting (XSS). To mitigate these risks, Azure DevOps users are advised to apply security patches, strengthen authentication, audit access controls, and monitor network activities.

Risks: API Vulnerability, Cloud Service Provider Flaw

CVEs: N/A

Keywords: Azure DevOps, SSRF, CRLF Injection, DNS Rebinding, Cloud Security, Vulnerability

Affected: Azure DevOps, Azure Active Directory

Read More

2025-01-23

Cisco Patches ClamAV DoS Vulnerability and Other Critical Flaws

Need some ammo against Cisco? This article highlights vulnerabilities in their software, offering an opportunity to showcase CloudGuard's superior security capabilities.

Cisco has issued security updates to address a denial-of-service (DoS) vulnerability in ClamAV, caused by a heap-based buffer overflow in the OLE2 decryption routine. This flaw allows remote attackers to crash the ClamAV antivirus scanning process by submitting a crafted file, affecting Secure Endpoint Connector software across multiple platforms. Although there is no evidence of active exploitation, proof-of-concept exploit code is available. Cisco also patched additional vulnerabilities, including a DoS flaw in Cisco BroadWorks and a critical privilege escalation issue in Cisco Meeting Management REST API.

Risks: Patch Management, Privilege Escalation, Open Source

CVEs: CVE-2025-20128; CVE-2025-20165; CVE-2025-20156

Keywords: Cisco, ClamAV, Denial of Service, CVE-2025-20128, Vulnerability Patch, Secure Endpoint Connector

Affected: ClamAV, Secure Endpoint Connector software, Cisco BroadWorks, Cisco Meeting Management REST API

Read More

2025-01-22

TalkTalk Data Breach Exposes Information of 18 Million Customers

Discover the critical importance of robust cybersecurity measures in the telecommunications industry and how CloudGuard can protect against massive data breaches like TalkTalk's.

A significant data breach at TalkTalk has exposed sensitive information from over 18 million customers, with the data reportedly being sold on a Russian dark web forum. The breach includes personal details such as subscriber characteristics, contact numbers, email addresses, and IP addresses. The incident is one of the largest in recent years and highlights ongoing cybersecurity challenges in the telecommunications industry. TalkTalk is under pressure to address these allegations and implement measures to prevent further harm.

Risks: Sensitive Data

CVEs: N/A

Keywords: TalkTalk, Data Breach, Telecommunications, Customer Data, Dark Web, Personal Information Exposure

Affected: TalkTalk

Read More

2025-01-22

CISA and FBI Update Guidance on Risky Software Security Practices

Learn about the crucial importance of secure software development practices and how addressing risky practices can enhance your pitch for CloudGuard solutions in safeguarding critical infrastructure.

CISA and the FBI have updated their guidance on risky software security practices, emphasizing the need for software manufacturers to prioritize security, especially for critical infrastructure. The guidance highlights practices like using memory-unsafe languages, default passwords, and components with known vulnerabilities, and stresses the importance of multi-factor authentication and timely publication of CVEs. New additions include avoiding hardcoded credentials and outdated cryptographic functions, and improving product support. The updates also provide more examples for preventing SQL and command injection vulnerabilities, with specific recommendations for operational technology products to support phishing-resistant MFA. This guidance aims to help software manufacturers, including those developing on-premises, cloud, and SaaS products, improve security and signal commitment to customer security outcomes.

Risks: Patch Management, Hardcoded Secrets, Weak or Compromised Credentials, Web App/Website Vulnerability

CVEs: N/A

Keywords: Software Security, CISA, FBI, Risky Practices, Multi-Factor Authentication, Cryptographic Functions, Critical Infrastructure

Affected: N/A

Read More

2025-01-22

PowerSchool Data Breach Exposes Student and Educator Information

Learn about the consequences of data breaches in the education sector and the critical importance of securing customer support portals to protect sensitive information.

In December 2024, PowerSchool, a major provider of education technology solutions, experienced a data breach affecting its Student Information System (SIS) environments. Compromised credentials were used to access the PowerSource customer support portal, leading to the export of sensitive data including personal information of students and educators. PowerSchool has indicated that the data has been deleted and will not be disseminated, hinting at a possible ransomware attack. The breach impacted numerous schools and districts globally, with significant effects in Virginia and California, among other regions. The company is offering two years of free identity theft and credit monitoring services to those affected.

Risks: Sensitive Data, Weak or Compromised Credentials, Third-Party Vendor/SaaS

CVEs: N/A

Keywords: PowerSchool, Data Breach, Student Information System, Ransomware, Education Technology, Identity Theft

Affected: PowerSchool, Student Information System (SIS), PowerSource, K-12 education, Menlo Park City School District, Rancho Santa Fe School District, Toronto District School Board

Read More

2025-01-22

Oracle Releases January 2025 Patch Fixing 318 Vulnerabilities

Learn about the crucial importance of patch management and how staying updated can prevent severe security risks in enterprise environments.

Oracle has issued its January 2025 Critical Patch Update addressing 318 security vulnerabilities across its product suite, including Oracle Agile Product Lifecycle Management (PLM) Framework, Oracle WebLogic Server, and JD Edwards EnterpriseOne Tools. The most critical flaw, with a CVSS score of 9.9, affects the Oracle Agile PLM Framework and could allow attackers to gain control via HTTP. Other significant vulnerabilities include those in JD Edwards EnterpriseOne Tools, Apache Xerces C++ XML parser, Apache ActiveMQ, and Oracle WebLogic Server. Oracle has also released 285 security patches for Oracle Linux. Users are encouraged to apply these updates promptly to mitigate security risks.

Risks: Patch Management, Privilege Escalation, Web App/Website Vulnerability

CVEs: CVE-2025-21556; CVE-2024-21287; CVE-2025-21524; CVE-2023-3961; CVE-2024-23807; CVE-2023-46604; CVE-2024-45492; CVE-2024-56337; CVE-2025-21535; CVE-2016-1000027; CVE-2023-29824; CVE-2020-2883; CVE-2024-37371

Keywords: Oracle, Critical Patch Update, Vulnerabilities, Oracle Agile PLM, JD Edwards, WebLogic Server, Cyber Risk, Security Patches

Affected: Oracle Agile Product Lifecycle Management Framework, JD Edwards EnterpriseOne Tools, Apache Xerces C++ XML parser, Apache ActiveMQ, Oracle Communications Diameter Signaling Router, Oracle Communications Network Analytics Data Director, Financial Services Behavior Detection Platform, Financial Services Trade-Based Anti Money Laundering Enterprise Edition, HTTP Server, Apache Tomcat server, Oracle Communications Policy Management, Oracle WebLogic Server, Oracle BI Publisher, Oracle Business Intelligence Enterprise Edition, Oracle Linux

Read More

2025-01-21

Vulnerabilities in Tunneling Protocols Expose Millions of Internet Hosts

Learn how to secure cloud environments and network infrastructure from tunneling protocol vulnerabilities to protect against anonymous attacks and unauthorized network access.

Recent research has identified security vulnerabilities in several tunneling protocols that affect approximately 4.2 million internet hosts, including VPN servers and routers. These vulnerabilities arise from the lack of sender verification, allowing attackers to perform anonymous attacks and access networks by exploiting protocols such as IP6IP6, GRE6, 4in6, and 6in4 without proper authentication and encryption. The affected hosts, particularly in countries like China, France, Japan, the U.S., and Brazil, could be misused for creating one-way proxies and conducting denial-of-service attacks. Mitigation strategies include using IPSec or WireGuard for security, accepting packets only from trusted sources, implementing traffic filtering, deep packet inspection, and blocking unencrypted tunneling packets.

Risks: Misconfiguration, Shadow IT/Exposed Assets, Other: Inadequate Authentication

CVEs: CVE-2020-10136; CVE-2024-7595; CVE-2024-7596; CVE-2025-23018; CVE-2025-23019

Keywords: Tunneling Protocols, VPN Vulnerabilities, GRE, IP6IP6, DDoS Attacks, Network Security

Affected: VPN servers, ISP home routers, core internet routers, mobile network gateways, content delivery network (CDN) nodes

Read More

2025-01-21

Malindo Air Targeted by BASHE Ransomware Group

New opportunity - airlines and the aviation industry are under threat from ransomware attacks. Time to get out your rolodex.

Malindo Air, a Malaysian airline, has been targeted by the BASHE Ransomware group, raising concerns over the security of its systems and customer data. The attackers claim to have accessed sensitive organizational information, although specific details remain undisclosed. This attack highlights the ongoing vulnerability of airlines to cyber threats, as Malindo Air had previously experienced a major data breach in 2019. The incident emphasizes the importance for companies, particularly in the aviation sector, to implement robust cybersecurity measures, conduct regular vulnerability assessments, and provide employee training to protect against such threats.

Risks: Sensitive Data, Insider Threats

CVEs: N/A

Keywords: Malindo Air, BASHE Ransomware, Airline Cybersecurity, Data Breach, Aviation Industry

Affected: Malindo Air, aviation industry

Read More

2025-01-21

Critical Vulnerability Found in Mongoose Library for MongoDB

Learn about the critical risks in widely used open-source components and how CloudGuard can help secure application vulnerabilities.

A critical vulnerability has been discovered in the Mongoose library, which is widely used for MongoDB database modeling in Node.js environments. The flaw involves improper handling of nested $where filters with the populate() method, allowing attackers to inject malicious queries, manipulate search results, and access sensitive data. With a CVSS score of 9.0, this vulnerability affects millions of applications across various industries. Organizations are advised to assess their applications and apply mitigations such as strict query validation, limiting database access, deploying web application firewalls, and auditing for vulnerabilities while awaiting a patch from the developers.

Risks: Sensitive Data, Web App/Website Vulnerability, Open Source, Injection

CVEs: CVE-2025-2306

Keywords: Mongoose, MongoDB, CVE-2025-2306, Node.js, Vulnerability, Data Breach, Database Security

Affected: Mongoose, MongoDB, Node.js

Read More

2025-01-20

FCC Enforces Network Security for US Telecoms Amid Espionage Concerns

Want to highlight the critical need for robust network security and compliance? Learn how recent espionage incidents underscore the importance of securing telecommunications against foreign threats.

The FCC has reinforced that US telecommunications carriers are legally required to secure their networks against unauthorized access, as mandated by the Communications Assistance for Law Enforcement Act (CALEA). This comes in response to Chinese espionage activities, notably the Salt Typhoon group, which compromised major telcos and accessed sensitive data. The FCC's recent ruling emphasizes the need for carriers to implement robust cybersecurity measures, including comprehensive risk management plans to identify and mitigate cyber threats. These measures aim to protect against foreign intelligence activities and ensure compliance with CALEA's security requirements.

Risks: Sensitive Data, Third-Party Vendor/SaaS, Other: Surveillance System Exploitation

CVEs: N/A

Keywords: FCC, CALEA, Network Security, Telecommunications, Espionage, Salt Typhoon, Chinese Spies

Affected: AT&T, Verizon, Federal networks

Read More

2025-01-20

Otelier Data Breach Exposes Hotel Guest Information via Amazon S3

Learn about the critical role of credential security and cloud storage protection in preventing data breaches, and leverage this insight to highlight the importance of comprehensive cloud security solutions.

Otelier, a hotel management platform, experienced a data breach when attackers accessed its Amazon S3 storage, stealing nearly eight terabytes of data, including personal and reservation details of hotel guests from brands like Marriott, Hilton, and Hyatt. The breach, which occurred from July to October 2024, was facilitated by stolen credentials obtained through malware, allowing attackers to access Atlassian servers and subsequently Otelier's S3 buckets. While passwords and billing information remained secure, the exposed data included guests' names, addresses, phone numbers, and email addresses. Otelier has since terminated unauthorized access, disabled affected accounts, and is enhancing its cybersecurity measures to prevent future incidents.

Risks: Sensitive Data, Malware, Weak or Compromised Credentials, Third-Party Vendor/SaaS

CVEs: N/A

Keywords: Otelier, Data Breach, Amazon S3, Credential Theft, Hotel Industry

Affected: Amazon S3, Atlassian, Marriott, Hilton, Hyatt

Read More

2025-01-17

HPE Faces Potential Data Breach Exposing Sensitive Information

Learn about the potential security risks for enterprises using HPE products and the importance of safeguarding source code and certificate keys.

A potential data breach at Hewlett Packard Enterprise (HPE) has been reported, with a threat actor claiming to have accessed sensitive company data, including private GitHub repositories, Docker builds, source code for products, and certificate keys. The exposure could compromise product integrity and present security risks to enterprises using HPE technology. Concerns about financial fraud also arose due to HPE's rumored use of WePay. The company has not yet confirmed the breach or its scope, and investigations are presumably ongoing.

Risks: Sensitive Data, Git/Repo Breach, Shadow IT/Exposed Assets, Hardcoded Secrets

CVEs: N/A

Keywords: HPE, Data Breach, Source Code, Certificate Keys, IntelBroker, Dark Web

Affected: Hewlett Packard Enterprise, Zerto, Integrated Lights-Out, SAP Hybris, WePay

Read More

2025-01-17

Wolf Haldenstein Data Breach Exposes 3.5 Million Individuals

Learn about the significant impact of data breaches on law firms and how CloudGuard can offer comprehensive protection to safeguard sensitive information and prevent similar incidents.

Wolf Haldenstein Adler Freeman & Herz LLP experienced a data breach on December 13, 2023, affecting nearly 3.5 million individuals. The breach involved unauthorized access to confidential data on the firm's servers. Although the firm detected the breach in December 2023, they have not yet contacted all affected individuals due to incomplete contact information. They are offering credit monitoring services to those potentially impacted and advise vigilance against suspicious activities. The firm has not clarified whether the exposed data includes client or employee information.

Risks: Sensitive Data, Weak or Compromised Credentials

CVEs: N/A

Keywords: Wolf Haldenstein, Data Breach, Law Firm, Personal Information, Network Security

Affected: Wolf Haldenstein Adler Freeman & Herz LLP

Read More

2025-01-17

Ivanti Updates Fix Critical Vulnerabilities in Endpoint Manager and Other Products

Learn about the critical importance of proactive vulnerability management and how to articulate the value of robust security solutions to clients.

Ivanti has released security updates to fix critical vulnerabilities in multiple products, including Endpoint Manager (EPM), Avalanche, and Application Control Engine. The critical flaws, primarily affecting EPM, involve absolute path traversal that could allow unauthorized access to sensitive information. Ivanti also addressed high-severity vulnerabilities in Avalanche and Application Control Engine that could enable authentication bypass and information leaks. There is currently no evidence of these vulnerabilities being exploited in the wild, and Ivanti has enhanced its internal security measures to improve flaw detection and remediation.

Risks: Patch Management, Sensitive Data, Web App/Website Vulnerability

CVEs: CVE-2024-10811; CVE-2024-13161; CVE-2024-13160; CVE-2024-13159

Keywords: Ivanti, Endpoint Manager, Vulnerabilities, Security Updates, Path Traversal, Avalanche, Application Control Engine

Affected: Ivanti Endpoint Manager, Avalanche, Application Control Engine

Read More

2025-01-16

FortiGate Devices Compromised by Belsen Group Data Leak

Need some ammo against Fortinet? Learn how a breach exposed critical vulnerabilities in FortiGate devices and understand the importance of robust security measures.

A new hacking group, the Belsen Group, has leaked configuration files, IP addresses, and VPN credentials for over 15,000 FortiGate devices on the dark web, exposing sensitive information to cybercriminals. The leaked data includes private keys and firewall rules and is organized by country and IP address. This breach is believed to be linked to the exploitation of a zero-day vulnerability, CVE-2022-40684, in FortiOS before it was patched in version 7.2.2. Despite the data being collected in 2022, it still poses significant security risks to affected networks.

Risks: Zero-Day, Sensitive Data, Weak or Compromised Credentials, Patch Management

CVEs: CVE-2022-40684; CVE-2018-13379

Keywords: FortiGate, Belsen Group, Data Leak, VPN Credentials, Zero-Day Vulnerability, CVE-2022-40684

Affected: FortiGate, FortiOS

Read More

2025-01-15

Microsoft Patches 161 Vulnerabilities Including Three Actively Exploited Zero-Days

Learn about the critical importance of timely patch management to protect against actively exploited vulnerabilities and how Check Point solutions can help safeguard Microsoft environments.

Microsoft's January 2025 security update addresses 161 vulnerabilities, including three actively exploited zero-days within Windows Hyper-V NT Kernel Integration VSP, which are privilege escalation flaws potentially used in post-compromise scenarios. The update also resolves several critical vulnerabilities, notably in Microsoft Digest Authentication and SPNEGO Extended Negotiation, which could allow remote code execution without user interaction. This update marks the highest number of CVEs addressed in a single month since 2017, highlighting the importance of prompt patching to mitigate potential security risks.

Risks: Zero-Day, Privilege Escalation, Patch Management

CVEs: CVE-2024-7344; CVE-2025-21333; CVE-2025-21334; CVE-2025-21335; CVE-2025-21186; CVE-2025-21366; CVE-2025-21395; CVE-2025-21275; CVE-2025-21308; CVE-2025-21294; CVE-2025-21295; CVE-2025-21298; CVE-2025-21307; CVE-2025-21311

Keywords: Microsoft, Zero-Day, Hyper-V, Vulnerabilities, Patch Management, Remote Code Execution, Privilege Escalation

Affected: Microsoft, Windows Hyper-V NT Kernel Integration VSP, Windows Secure Boot, Microsoft Access, Windows App Package Installer, Windows Themes, Microsoft Digest Authentication, SPNEGO Extended Negotiation (NEGOEX), Windows Object Linking and Embedding (OLE), Windows Reliable Multicast Transport Driver (RMCAST), Windows NTLM

Read More

2025-01-15

SAP Patches Critical Vulnerabilities in NetWeaver Platform

Learn about the critical importance of patch management to protect SAP systems from severe vulnerabilities and safeguard enterprise data.

SAP's January 2025 Patch Day includes the release of 14 new security notes, addressing critical vulnerabilities in its NetWeaver platform. The most severe issues involve an improper authentication bug and an information disclosure flaw, both posing significant risks to application confidentiality, integrity, and availability. Additional patches resolve a high-severity SQL injection vulnerability in NetWeaver and other notable flaws in SAP's BusinessObjects Business Intelligence platform and SAPSetup. The remaining notes cover medium- and low-severity defects across various SAP components.

Risks: Patch Management, Weak or Compromised Credentials, Web App/Website Vulnerability

CVEs: CVE-2025-0070; CVE-2025-0066; CVE-2025-0063; CVE-2025-0061; CVE-2025-0060; CVE-2025-0069

Keywords: SAP, NetWeaver, ABAP, CVE-2025-0070, CVE-2025-0066, SQL Injection, Vulnerability Patch

Affected: NetWeaver AS for ABAP, ABAP Platform, Informix database, BusinessObjects Business Intelligence platform, SAPSetup, Business Workflow, Flexible Workflow, GUI for Windows

Read More

2025-01-14

OneBlood Ransomware Attack Exposes Donor Data and Disrupts Operations

Learn about the critical importance of cybersecurity in healthcare and how breaches can severely impact operations and data privacy.

OneBlood, a blood-donation not-for-profit, experienced a ransomware attack in July 2024, resulting in the theft of donors' personal data, specifically names and Social Security numbers. The attack disrupted operations, causing delays in blood collection and distribution. An investigation completed in December 2024 confirmed the breach occurred on July 14, 2024, with threat actors maintaining network access until July 29. OneBlood has since notified affected individuals, offering a year of free credit monitoring and advising on additional protective measures. The total number of impacted individuals remains undisclosed.

Risks: Sensitive Data, Malware

CVEs: N/A

Keywords: OneBlood, Ransomware, Data Breach, Healthcare Cybersecurity, Donor Data, Network Security

Affected: OneBlood

Read More

2025-01-14

CISA Adds Exploited BeyondTrust and Qlik Sense Vulnerabilities to Catalog

Learn about the critical importance of patch management and how vulnerabilities in widely used remote support tools can lead to major breaches, demonstrating the need for comprehensive security solutions.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a medium-severity vulnerability in BeyondTrust Privileged Remote Access and Remote Support products to its Known Exploited Vulnerabilities catalog due to active exploitation. This flaw, alongside a previously reported critical vulnerability, was identified following a cyber incident involving a compromised Remote Support SaaS API key, which was used in a breach attributed to the Chinese state-sponsored group Silk Typhoon, targeting the U.S. Treasury Department. Additionally, a critical vulnerability in Qlik Sense, previously exploited by the Cactus ransomware group, was also added to the catalog, with federal agencies mandated to patch these vulnerabilities by February 3, 2024, to prevent further threats.

Risks: Zero-Day, API Vulnerability, Privilege Escalation, Third-Party Vendor/SaaS

CVEs: CVE-2024-12686; CVE-2024-12356; CVE-2023-48365

Keywords: BeyondTrust, CISA, Vulnerabilities, Silk Typhoon, Qlik Sense, Remote Support, API Key Breach

Affected: BeyondTrust Privileged Remote Access, BeyondTrust Remote Support, Qlik Sense, U.S. Treasury Department

Read More

2025-01-14

Fortinet Firewalls Targeted in Mass Exploitation Campaign

Need some ammo against Fortinet? Discover the implications of unpatched vulnerabilities and mass exploitation campaigns.

In December, a mass exploitation campaign targeted Fortinet firewalls, potentially utilizing an unpatched zero-day vulnerability, although the exact flaw remains unidentified. Attackers accessed FortiGate firewalls through internet-exposed management interfaces, altering configurations and using SSL VPN tunnels for persistence. This allowed them to steal credentials for lateral movement within networks. The intrusions began in November, with suspicious activity involving unusual IP addresses and web-based command-line interface interactions. Despite notifying Fortinet, the specific vulnerability and its resolution remain unconfirmed.

Risks: Zero-Day, Misconfiguration, Weak or Compromised Credentials

CVEs: N/A

Keywords: Fortinet, FortiGate, Zero-Day, Exploitation, SSL VPN, Credential Theft

Affected: Fortinet, FortiGate, SSL VPN, Active Directory

Read More

2025-01-13

IBM watsonx.ai Vulnerability Allows XSS Attacks in Web UI

Discover how vulnerabilities in AI platforms like IBM watsonx.ai emphasize the critical need for robust cloud security solutions, presenting an opportunity to showcase CloudGuard's capabilities.

IBM has disclosed a vulnerability in its watsonx.ai platform that could allow authenticated users to perform cross-site scripting (XSS) attacks by embedding arbitrary JavaScript code in the Web UI. This affects both Cloud Pak for Data and standalone installations, potentially leading to credential disclosure and altered functionality. The vulnerability highlights the need for robust security measures as AI technologies become more integral to business operations.

Risks: Web App/Website Vulnerability, Third-Party Vendor/SaaS

CVEs: CVE-2024-49785

Keywords: IBM watsonx.ai, XSS vulnerability, Cloud Pak for Data, JavaScript injection, AI security

Affected: IBM watsonx.ai, Cloud Pak for Data

Read More

2025-01-13

BayMark Health Services Data Breach from Ransomware Attack

Learn about the importance of robust cybersecurity measures in the healthcare industry to prevent data breaches and ransomware attacks.

BayMark Health Services, a major addiction treatment provider in the US, experienced a ransomware attack that led to a data breach, compromising personal information of patients, including names, birthdates, and sensitive identification and treatment details. The breach affected their IT systems from late September to mid-October. BayMark has begun notifying affected patients and is offering free identity protection and credit monitoring services. The Ransomhub ransomware group claims to have stolen 1.5 terabytes of data, which they have made publicly available. The exact number of individuals impacted remains undisclosed.

Risks: Sensitive Data, Malware

CVEs: N/A

Keywords: BayMark Health Services, Ransomware, Data Breach, Patient Data, Identity Protection

Affected: BayMark Health Services

Read More

2025-01-13

T-Mobile Faces Lawsuit Over Major Data Breach Affecting Millions

Want some FUD to demonstrate the $$$ effect of breaches (and maybe check for a possible opportunity)? Read about T-Mobile's disastrous breach outcomes.

T-Mobile is facing a lawsuit from Washington State over a data breach that exposed sensitive information of over 2 million residents. The breach, discovered in August 2021, affected more than 79 million people nationwide. The lawsuit alleges T-Mobile's negligence in cybersecurity, citing inadequate security measures, poor password practices, and failure to act on known vulnerabilities. It also accuses T-Mobile of not properly notifying affected customers about the breach's severity. This incident follows a history of cyberattacks on the company and highlights their insufficient data protection practices.

Risks: Sensitive Data, Weak or Compromised Credentials

CVEs: N/A

Keywords: T-Mobile, Data Breach, Lawsuit, Washington State, Cybersecurity Negligence

Affected: T-Mobile

Read More

2025-01-13

Capital Markets Elite Group Data Breach Exposes Sensitive Customer Information

Want some FUD to demonstrate the $$$ effect of breaches and the critical need for robust cybersecurity measures? Read about Capital Markets Elite Group’s data breach and its potential regulatory implications.

The Capital Markets Elite Group (CMEG), a financial services firm, experienced a significant data breach in January 2025, resulting in the exposure of sensitive customer information, including personal and contact details, on a dark web forum. This incident highlights the vulnerabilities in CMEG's data security protocols and underscores the critical need for financial institutions to implement robust cybersecurity measures to protect against unauthorized access. The breach may have regulatory consequences, potentially leading to fines and reputational damage, emphasizing the importance of compliance with data protection standards.

Risks: Sensitive Data, Weak or Compromised Credentials

CVEs: N/A

Keywords: Capital Markets Elite Group, data breach, financial services, customer data exposure, dark web, regulatory compliance

Affected: Capital Markets Elite Group

Read More

2025-01-09

Optimizing Security Through Vendor Consolidation

Want to show customers the benefits of simplifying their security stack? Learn how consolidating security solutions can lead to operational efficiency and cost savings.

In today's fiscal landscape, security teams face pressure to optimize budgets by consolidating point solutions into a platform-based approach. This rationalization of security tools can lead to cost savings, streamlined management, simplified operations, and improved security outcomes. By reducing the number of disparate tools, organizations can centralize management, ease maintenance, and enhance visibility, which also facilitates talent recruitment and retention. Moreover, consolidation improves the flow of telemetry data and simplifies reporting, allowing security teams to demonstrate their value more effectively to stakeholders. Overall, adopting a platform-based approach offers strategic benefits, including operational efficiencies and budgetary savings.

Risks: N/A

CVEs: N/A

Keywords: Security Consolidation, Platform Solutions, Operational Efficiency, Cost Optimization, Talent Retention

Affected: N/A

Read More

2025-01-09

Critical Vulnerability in GFI KerioControl Allows Remote Code Execution

Learn about the critical importance of securing firewall products and the potential risks of unpatched vulnerabilities, and how proactive measures can protect your clients.

Hackers are actively exploiting a critical vulnerability in GFI KerioControl firewalls that allows remote code execution by manipulating HTTP headers through a CRLF injection flaw. This vulnerability affects versions 9.2.5 to 9.4.5 and can lead to the theft of admin CSRF tokens, enabling attackers to upload malicious files and gain unauthorized access. Recent scans have detected exploitation attempts, and with nearly 24,000 internet-exposed instances, it's advised to restrict access and monitor for suspicious activities if patching isn't feasible.

Risks: Patch Management, Web App/Website Vulnerability, Privilege Escalation

CVEs: CVE-2024-52875

Keywords: GFI KerioControl, CVE-2024-52875, Remote Code Execution, Firewall Vulnerability, CRLF Injection

Affected: GFI KerioControl

Read More

2025-01-09

Ivanti Software Vulnerability Exploited for Remote Code Execution

Learn about the critical impact of unpatched vulnerabilities and how CloudGuard can help protect against sophisticated malware threats like those exploiting Ivanti software.

A critical security flaw in Ivanti Connect Secure and Policy Secure, identified as CVE-2025-0282, is being actively exploited, allowing unauthenticated remote code execution. The exploitation involves a series of sophisticated steps to compromise systems, including deploying malware like DRYHOOK and PHASEJAM. Ivanti has issued patches for this and another related high-severity flaw, CVE-2025-0283. The exploitation has been observed by Mandiant, which noted the use of the SPAWN malware ecosystem to maintain persistence and communicate with attackers. The U.S. CISA has added CVE-2025-0282 to its Known Exploited Vulnerabilities list, urging organizations to apply patches promptly.

Risks: Zero-Day, Malware, Privilege Escalation, Patch Management

CVEs: CVE-2025-0282; CVE-2025-0283

Keywords: Ivanti, CVE-2025-0282, Remote Code Execution, PHASEJAM, SPAWN Malware, Mandiant

Affected: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA, SELinux, Google-owned Mandiant

Read More

2025-01-09

Medusind Discloses Data Breach Affecting 360,000 Individuals

Learn about the potential risks and financial impacts of data breaches in the healthcare industry and leverage this knowledge to highlight the importance of robust cloud security solutions.

Medusind, a medical billing firm, disclosed a data breach affecting 360,934 individuals, exposing personal and health information from December 2023. The breach involved sensitive data such as health insurance, payment details, medical history, and government IDs. Upon discovery, Medusind engaged cybersecurity experts to investigate and is offering two years of free identity monitoring services to those affected. This disclosure coincides with proposed updates to HIPAA by the U.S. Department of Health and Human Services, aiming to enhance patient data security following recent large-scale healthcare data breaches.

Risks: Sensitive Data, Third-Party Vendor/SaaS

CVEs: N/A

Keywords: Medusind, Data Breach, Healthcare Security, Personal Information Exposure, Identity Theft

Affected: Medusind, healthcare industry

Read More

2025-01-09

Unpatched Vulnerabilities in Fancy Product Designer and SonicWall Firmware

Learn about the critical importance of timely patch management and how unpatched vulnerabilities can lead to severe security risks, providing an opportunity to highlight the need for robust security solutions.

The Fancy Product Designer WordPress plugin has two critical security vulnerabilities that remain unpatched, affecting over 20,000 users. These vulnerabilities allow unauthenticated arbitrary file uploads and SQL injection, leading to potential remote code execution and database compromise. Despite being informed of these issues in March 2024, the vendor has not addressed them in their updates. Meanwhile, SonicWall has issued a patch for a high-severity vulnerability in its SSL VPN and SSH management, urging immediate updates to prevent exploitation. The patch also addresses additional security issues, including a weak PRNG and SSRF vulnerability.

Risks: Patch Management, Web App/Website Vulnerability, Privilege Escalation, Open Source

CVEs: CVE-2024-51919; CVE-2024-51818; CVE-2024-53704; CVE-2024-40762; CVE-2024-53705; CVE-2024-53706

Keywords: WordPress, Fancy Product Designer, SonicWall, CVE-2024-51919, CVE-2024-51818, SQL Injection, Remote Code Execution, SSL VPN

Affected: WordPress, WooCommerce, SonicWall, SSL VPN, SSH, SonicOS, AWS, Azure

Read More

2025-01-09

Palo Alto Networks Patches Critical Vulnerabilities in Expedition Tool

Need some ammo against Palo Alto Networks? This article is for you!

Palo Alto Networks has issued patches to fix multiple security vulnerabilities in its Expedition migration tool, which is no longer supported as of December 31, 2024. The flaws could allow attackers, both authenticated and unauthenticated, to access and manipulate sensitive data including usernames, passwords, device configurations, and API keys. The vulnerabilities include SQL injection, cross-site scripting, file deletion, file enumeration, and OS command injection. These issues present significant security risks, especially given the tool's role in facilitating firewall migrations to Palo Alto's platform.

Risks: Patch Management, Sensitive Data, Web App/Website Vulnerability

CVEs: CVE-2025-0103; CVE-2025-0104; CVE-2025-0105; CVE-2025-0106; CVE-2025-0107

Keywords: Palo Alto Networks, Expedition Tool, Vulnerabilities, Patches, CVE, End-of-Life

Affected: Palo Alto Networks Expedition, PAN-OS software

Read More

2025-01-07

HHS Proposes Major HIPAA Updates to Boost Healthcare Cybersecurity

New opportunity - healthcare organizations are under threat from evolving cybersecurity requirements. Time to get out your rolodex and offer CloudGuard solutions.

The US Department of Health and Human Services (HHS) is proposing significant amendments to the HIPAA security rule to enhance cybersecurity measures for protecting electronic protected health information (PHI). These changes, set to be published in the Federal Register, include mandatory implementation of security controls such as multifactor authentication, enhanced encryption, and regular security audits. The amendments aim to address the evolving threat landscape, which has seen a dramatic increase in breaches against healthcare organizations. Key proposals include maintaining up-to-date technology asset inventories, conducting thorough risk analyses, and enforcing encryption of PHI both at rest and in transit.

Risks: N/A

CVEs: N/A

Keywords: HIPAA, HHS, healthcare security, PHI protection, multifactor authentication, encryption, compliance audits

Affected: Healthcare organizations

Read More

2025-01-07

Nuclei Vulnerability Allows Signature Bypass and Code Execution

Learn about the risks of using untrusted templates in vulnerability scanners and how Check Point's solutions can help secure against signature bypass and code execution vulnerabilities.

A high-severity vulnerability has been identified in ProjectDiscovery's Nuclei, an open-source vulnerability scanner, that could allow attackers to bypass signature checks and execute malicious code. This flaw affects all versions after 3.0.0 and is due to a discrepancy in how newline characters are handled between the signature verification process and the YAML parser. Attackers can inject malicious content into templates while maintaining valid signatures, bypassing crucial verification steps. This is exacerbated by the use of regular expressions for signature validation, allowing attackers to exploit untrusted templates, potentially leading to arbitrary command execution and data breaches.

Risks: Open Source, Web App/Website Vulnerability, Supply Chain

CVEs: CVE-2024-43405

Keywords: Nuclei, CVE-2024-43405, Vulnerability Scanner, Signature Bypass, Code Execution, YAML Parsing

Affected: Nuclei

Read More

2025-01-07

Xstrahl Data Breach Exposes 150GB of Sensitive Information

Need to highlight the importance of robust cybersecurity in healthcare? This article showcases the potential risks and opportunities for CloudGuard solutions in safeguarding sensitive medical data.

A recent data breach at Xstrahl, a medical technology company, resulted in the exposure of 150GB of sensitive data, including employee information, confidential projects, and contracts related to radiation therapy equipment. This incident highlights the critical need for enhanced cybersecurity measures in the healthcare sector due to the potential risks to patient safety, intellectual property, and corporate confidentiality. Experts emphasize the importance of stronger encryption, regular vulnerability assessments, and employee training to prevent such breaches. The situation serves as a wake-up call for the industry to bolster defenses against evolving cyber threats.

Risks: Sensitive Data

CVEs: N/A

Keywords: Xstrahl, data breach, healthcare security, medical technology, sensitive data leak

Affected: Xstrahl, healthcare sector, medical technology industry

Read More

2024-12-31

Azure Airflow Vulnerabilities Allow Unauthorized Cluster Access

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure? This article is for you!

Cybersecurity researchers identified three security vulnerabilities in Microsoft's Azure Data Factory Apache Airflow integration, which could allow attackers to gain unauthorized access and control over the entire Airflow Azure Kubernetes Service (AKS) cluster. These vulnerabilities involve misconfigured Kubernetes RBAC, poor secret handling, and weak authentication in Azure's Geneva service. Attackers could exploit these flaws to exfiltrate data, deploy malware, and manipulate log data. The research highlights the importance of managing service permissions and monitoring third-party services to prevent unauthorized access. Microsoft has updated documentation to address related access policy risks in Azure Key Vault.

Risks: Misconfiguration, Over Permissive Roles, Privilege Escalation, Git/Repo Breach, Cloud Service Provider Flaw

CVEs: N/A

Keywords: Azure, Apache Airflow, Kubernetes, RBAC, Geneva Service, Data Factory, Vulnerabilities

Affected: Microsoft Azure, Apache Airflow, Azure Kubernetes Service, Azure Key Vault, Amazon Bedrock, CloudTrail

Read More

2024-12-27

Palo Alto Networks Releases Patch for PAN-OS Denial-of-Service Vulnerability

Need some ammo against Palo Alto Networks? This article is for you!

Palo Alto Networks has identified a high-severity vulnerability in its PAN-OS software that can lead to a denial-of-service (DoS) condition on affected devices. This flaw impacts specific versions of PAN-OS and Prisma Access and has been actively exploited. Palo Alto has released patches for various PAN-OS versions to mitigate the issue and advises disabling DNS Security logging as a workaround for unmanaged firewalls. The vulnerability has been included in CISA's Known Exploited Vulnerabilities catalog, mandating patch application by January 20, 2025, for certain agencies.

Risks: Patch Management

CVEs: CVE-2024-3393

Keywords: Palo Alto Networks, PAN-OS, CVE-2024-3393, Denial-of-Service, Vulnerability Patch

Affected: Palo Alto Networks, PAN-OS, Prisma Access

Read More

2024-12-27

Apache MINA Vulnerability Enables Remote Code Execution

Learn about the critical need for secure deserialization practices and timely patch management to protect cloud environments from severe vulnerabilities.

The Apache MINA framework has a critical vulnerability that allows remote code execution due to unsafe deserialization in certain conditions. This flaw is present in versions 2.0.X, 2.1.X, and 2.2.X and requires specific usage patterns to be exploited. Apache has issued patches, but users must also configure their systems to restrict accepted classes for deserialization to mitigate the risk. The announcement follows recent security fixes in other Apache projects, highlighting the importance of timely updates to protect against exploitation.

Risks: Patch Management, Open Source, Web App/Website Vulnerability

CVEs: CVE-2024-52046; CVE-2024-56337; CVE-2024-45387; CVE-2024-43441; CVE-2024-53677

Keywords: Apache MINA, Remote Code Execution, CVE-2024-52046, Java Deserialization, Vulnerability Patch

Affected: Apache MINA, Apache Tomcat, Apache Traffic Control, HugeGraph-Server, Apache Struts

Read More

2024-12-26

Critical SQL Injection Vulnerability Fixed in Apache Traffic Control

Learn about the critical vulnerabilities in popular Apache open-source projects and the importance of proactive patch management to protect cloud environments.

The Apache Software Foundation has released updates to fix a critical SQL injection vulnerability in Apache Traffic Control, which could allow privileged users to execute arbitrary SQL commands. This vulnerability affects versions 8.0.0 to 8.0.1 and has been resolved in version 8.0.2. Apache Traffic Control is an open-source CDN solution. The issue was identified by a researcher from Tencent YunDing Security Lab. Concurrently, the ASF has also addressed other vulnerabilities, including an authentication bypass in Apache HugeGraph-Server and a remote code execution flaw in Apache Tomcat. Users are advised to update to the latest versions to mitigate these risks.

Risks: Patch Management, Over Permissive Roles, Open Source, Web App/Website Vulnerability

CVEs: CVE-2024-45387; CVE-2024-43441; CVE-2024-56337

Keywords: Apache Traffic Control, SQL Injection, CVE-2024-45387, Open Source Security, Vulnerability Patch, CDN Security

Affected: Apache Traffic Control, Apache HugeGraph-Server, Apache Tomcat

Read More

2024-12-24

CISA Identifies Exploited Vulnerability in Acclaim USAHERDS Software

Learn about the critical importance of timely patch management to protect cloud environments from vulnerabilities actively exploited in the wild.

CISA has added a high-severity vulnerability in Acclaim Systems USAHERDS to its Known Exploited Vulnerabilities catalog due to active exploitation. The flaw, found in versions 7.4.0.1 and earlier, involves hard-coded credentials that could allow remote code execution if attackers acquire the necessary keys. Although the flaw was initially exploited by the APT41 group in 2021, agencies are advised to implement mitigations by January 13, 2025, to protect against potential threats.

Risks: Zero-Day, Hardcoded Secrets, Web App/Website Vulnerability

CVEs: CVE-2021-44207; CVE-2024-53961

Keywords: USAHERDS, CISA, CVE-2021-44207, APT41, ColdFusion Vulnerability

Affected: Acclaim Systems USAHERDS, Adobe ColdFusion

Read More

2024-12-23

Apache Tomcat Vulnerability Could Lead to Remote Code Execution

Learn about the importance of proper configuration management and the risks of unpatched vulnerabilities in Apache Tomcat environments.

The Apache Software Foundation has released a security update for Tomcat server software to address a vulnerability that could lead to remote code execution (RCE) under specific conditions. This issue is related to a previous vulnerability and involves a Time-of-check Time-of-use (TOCTOU) race condition that can occur on case-insensitive file systems when the default servlet is enabled for writing. Users may need to adjust configurations based on their Java version to fully mitigate the risk.

Risks: Misconfiguration, Open Source, Patch Management

CVEs: CVE-2024-56337; CVE-2024-50379

Keywords: Apache Tomcat, CVE-2024-56337, Remote Code Execution, TOCTOU, Security Update

Affected: Apache Tomcat

Read More

2024-12-20

CISA Mandates Cloud Security Compliance for Federal Agencies by 2025

Learn how the latest CISA directive on cloud security standards can drive opportunities with federal agencies by showcasing the necessity of robust cloud security solutions like Check Point CloudGuard.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 25-01, requiring federal civilian agencies to secure their cloud environments by adhering to Secure Cloud Business Applications (SCuBA) secure configuration baselines by 2025. This directive aims to mitigate risks from cloud misconfigurations and weak security controls, with agencies needing to identify cloud tenants, deploy automated configuration assessment tools, and integrate with CISA's monitoring infrastructure. Additionally, CISA advises broader adoption of these practices and provides new mobile communication security guidelines in response to cyber espionage threats, including the use of end-to-end encrypted messaging and enhanced security measures for mobile devices.

Risks: Misconfiguration, Weak or Compromised Credentials

CVEs: N/A

Keywords: CISA, Cloud Security, SCuBA, Federal Agencies, Microsoft 365, Cyber Espionage, Mobile Security

Affected: Microsoft 365, Azure Active Directory, Entra ID, Microsoft Defender, Exchange Online, Power Platform, SharePoint Online, OneDrive, Microsoft Teams

Read More

2024-12-20

Critical Vulnerability in BeyondTrust Products Exploited in the Wild

Learn about the importance of patch management and how proactive security measures can protect against critical vulnerabilities and cyber attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical command injection vulnerability in BeyondTrust's Privileged Remote Access and Remote Support products to its Known Exploited Vulnerabilities list due to evidence of active exploitation. The flaw allows unauthorized users to execute arbitrary commands. While BeyondTrust has updated its cloud instances, users with self-hosted versions need to apply specific patches. BeyondTrust was recently targeted in a cyber attack, revealing the vulnerability and leading to further investigation that uncovered another medium-severity flaw. All affected customers have been notified, but the scope of the attack and the identities of the attackers remain unknown.

Risks: Patch Management, Privilege Escalation, API Vulnerability, Third-Party Vendor/SaaS

CVEs: CVE-2024-12356; CVE-2024-12686

Keywords: BeyondTrust, CVE-2024-12356, Command Injection, Remote Support, Privileged Remote Access, Vulnerability Exploitation

Affected: BeyondTrust Privileged Remote Access, BeyondTrust Remote Support

Read More

2024-12-20

Sophos Releases Hotfixes for Critical Firewall Vulnerabilities

Need some ammo against Sophos? Discover how vulnerabilities in their Firewall products could expose businesses and highlight the importance of comprehensive security solutions.

Sophos has released hotfixes for three vulnerabilities in its Firewall products, two of which are critical, that could allow remote code execution and privileged access. While there is no evidence of these being exploited, they impact versions 21.0 GA and older. Users are advised to update to the latest versions to mitigate these risks. Temporary workarounds include restricting SSH access and reconfiguring HA settings. The update follows recent charges against a Chinese national for exploiting a different Sophos Firewall vulnerability.

Risks: Patch Management, Weak or Compromised Credentials, Web App/Website Vulnerability

CVEs: CVE-2024-12727; CVE-2024-12728; CVE-2024-12729; CVE-2020-12271

Keywords: Sophos Firewall, CVE-2024-12727, CVE-2024-12728, CVE-2024-12729, Remote Code Execution, Vulnerability Patch

Affected: Sophos Firewall

Read More

2024-12-18

Azure Data Factory Vulnerabilities Risk Cloud Infrastructure Security

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure? This article is for you!

Researchers identified three vulnerabilities in Azure Data Factory's Apache Airflow integration that could let attackers gain unauthorized control over an enterprise's cloud infrastructure. These flaws, involving misconfigured Kubernetes role-based access control, improper secret handling of Azure's Geneva service, and weak authentication, could allow persistent shadow administrative access, potentially leading to data exfiltration and malware deployment. Exploitation could occur via unauthorized DAG file manipulation or compromised Git repository access. Although Microsoft classified these as low-severity, the vulnerabilities underscore the need for robust cloud security measures beyond perimeter defenses, emphasizing internal permissions, configurations, and comprehensive monitoring.

Risks: Misconfiguration, Over Permissive Roles, Git/Repo Breach, Weak or Compromised Credentials, Cloud Service Provider Flaw

CVEs: N/A

Keywords: Azure Data Factory, Apache Airflow, Kubernetes RBAC, Cloud Vulnerabilities, Microsoft Azure, Geneva Service

Affected: Microsoft Azure, Apache Airflow, Azure Kubernetes Service (AKS), Azure Geneva service

Read More

2024-12-18

Telecom Namibia Hit by Ransomware, Sensitive Data Leaked

Learn about the critical importance of refusing to negotiate with cybercriminals and how Check Point CloudGuard can strengthen defenses against ransomware attacks.

Telecom Namibia, a state-owned telecom company, suffered a ransomware attack resulting in the leak of sensitive customer data, including information about top government officials. The hackers, known as Hunters International, released the data after Telecom Namibia refused to pay the ransom. The breach involved nearly 500,000 pieces of personal and financial data. The company is collaborating with security officials to mitigate further impact and has warned against sharing the leaked information, urging customers to change their passwords and remain vigilant. Ransomware typically involves locking data until a ransom is paid, but Telecom Namibia has firmly stated it will not negotiate with the attackers.

Risks: Sensitive Data, Malware

CVEs: N/A

Keywords: Ransomware, Telecom Namibia, Data Leak, Cyberattack, Hunters International

Affected: Telecom Namibia

Read More

2024-12-17

Texas Tech University Health Sciences Center Data Breach Exposes 1.4 Million Patient Records

Learn about the critical need for robust cybersecurity measures in healthcare institutions and how Check Point solutions can help prevent data breaches and protect sensitive patient data.

The Texas Tech University Health Sciences Center experienced a cyberattack in September 2024, affecting 1.4 million patients by potentially exposing sensitive information, including personal and medical data. The Interlock ransomware group claimed responsibility, leaking 2.6 TB of data on the dark web. Affected individuals are being notified and offered credit monitoring services, while being advised to stay alert for potential scams.

Risks: Sensitive Data, Ransomware

CVEs: N/A

Keywords: Texas Tech, Health Sciences Center, Data Breach, Ransomware, Interlock, Patient Data

Affected: Texas Tech University Health Sciences Center, Texas Tech University Health Sciences Center El Paso

Read More

2024-12-17

CISA Warns of Vulnerabilities in Adobe ColdFusion and Windows Kernel-Mode Driver

Learn about the critical importance of proactive vulnerability management to protect against threats in widely used systems like Adobe ColdFusion and Windows.

The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted two critical vulnerabilities involving Adobe ColdFusion and Microsoft Windows Kernel-Mode Driver, which are actively being exploited. These vulnerabilities, related to improper access control and untrusted pointer dereference, pose significant risks by potentially allowing unauthorized access and code execution with elevated privileges. CISA's warning emphasizes the importance of applying available patches and encourages both federal agencies and private organizations to adopt proactive vulnerability management practices to mitigate these threats.

Risks: Patch Management, Privilege Escalation, Web App/Website Vulnerability

CVEs: CVE-2024-20767; CVE-2024-35250

Keywords: CISA, Adobe ColdFusion, Windows Kernel-Mode Driver, CVE-2024-20767, CVE-2024-35250, Vulnerability Management, Exploited Vulnerabilities

Affected: Adobe ColdFusion, Microsoft Windows Kernel-Mode Driver

Read More

2024-12-17

New Glutton Malware Exploits PHP Frameworks in Cyber Attacks

Discover how vulnerabilities in popular PHP frameworks like Laravel and ThinkPHP can lead to significant security threats and learn how CloudGuard can protect against such modular malware attacks.

The newly discovered Glutton malware is a PHP-based backdoor used in cyberattacks across multiple countries, attributed to the Chinese group Winnti. It targets popular PHP frameworks like Laravel and ThinkPHP, exploiting vulnerabilities to harvest sensitive data and inject malicious code. Despite its links to Winnti, Glutton lacks typical stealth features, using unencrypted communications and brute-force attacks for initial access. It features a modular framework capable of executing a range of commands and leveraging cybercriminal tools against their creators. The malware's strategy includes exploiting cybercrime resources for further attacks, creating a recursive attack chain.

Risks: Malware, Web App/Website Vulnerability, Open Source, Zero-Day

CVEs: N/A

Keywords: Glutton malware, PHP frameworks, Winnti, APT41, cybercrime market, Laravel, ThinkPHP, ELF backdoor

Affected: Laravel, ThinkPHP, Yii, Baota (BT), PHP frameworks, FastCGI Process Manager, ELF backdoor, cybercrime forums

Read More

2024-12-17

ConnectOnCall Breach Exposes Over 910,000 Patients' Data

Discover the critical importance of securing telehealth platforms and how breaches can impact patient trust and data integrity.

The breach of ConnectOnCall, a telehealth subsidiary of Phreesia, exposed the personal and health data of over 910,000 patients between February and May 2024. The breach involved unauthorized access to provider-patient communications, revealing sensitive information such as names, phone numbers, and health-related details. Following the incident, Phreesia involved law enforcement, engaged cybersecurity experts, and took ConnectOnCall offline to enhance its security. They assured that their other services remain unaffected and advised impacted individuals to monitor for potential identity theft.

Risks: Sensitive Data, Third-Party Vendor/SaaS

CVEs: N/A

Keywords: ConnectOnCall, Phreesia, Data Breach, Telehealth Security, Patient Data Exposure

Affected: ConnectOnCall, Phreesia, U.S. Department of Health and Human Services

Read More

2024-12-13

Thousands of Prometheus Instances Exposed to Security Vulnerabilities

Learn about the critical importance of securing monitoring tools like Prometheus to protect sensitive data and prevent costly breaches.

The article highlights the exposure of over 300,000 Prometheus monitoring instances, putting sensitive credentials and API keys at risk. Lack of proper authentication allows attackers to access critical information, and public exposure of endpoints like "/debug/pprof" can lead to denial-of-service and remote code execution attacks. These vulnerabilities, previously noted by researchers, allow unauthorized data access, revealing internal endpoints and valuable network information. Organizations are urged to secure Prometheus servers with authentication, limit public access, and monitor for unusual activity to mitigate these risks.

Risks: Misconfiguration, Shadow IT/Exposed Assets, Weak or Compromised Credentials, API Vulnerability

CVEs: N/A

Keywords: Prometheus, Node Exporter, Information Leakage, Denial-of-Service, Remote Code Execution, Endpoint Security, Authentication

Affected: Prometheus, Prometheus Node Exporter

Read More

2024-12-13

Apache Struts 2 Vulnerability Enables Remote Code Execution

Learn about the critical importance of patch management and protecting cloud environments from vulnerabilities in widely used software frameworks like Apache Struts 2.

The article discusses a critical remote code execution (RCE) vulnerability in Apache Struts 2 that has been patched. The flaw allows attackers to exploit file upload parameters to execute malicious code remotely, and it has a high severity rating. Apache advises upgrading to version 6.4.0 or later, as there are no workarounds, and applications not using the deprecated File Upload Interceptor are not affected. Users must update to the Action File Upload Interceptor and rewrite actions for compatibility. Despite newer frameworks, Struts 2 remains popular, with substantial download requests, highlighting the urgency of addressing this vulnerability.

Risks: Patch Management, Web App/Website Vulnerability, Open Source

CVEs: CVE-2024-53677; CVE-2023-50164; CVE-2017-5638

Keywords: Apache Struts 2, CVE-2024-53677, Remote Code Execution, Vulnerability, File Upload Interceptor

Affected: Apache Struts 2

Read More

2024-12-12

Critical Vulnerability in Hunk Companion Plugin Allows Installation of Exploitable Plugins

Learn about the importance of timely updates and patch management to prevent exploitation of known vulnerabilities in WordPress plugins.

Hackers are exploiting a critical vulnerability in the Hunk Companion WordPress plugin to install other outdated plugins with known vulnerabilities, allowing them to execute remote code, perform SQL injection, and create backdoor admin accounts. This vulnerability, affecting all versions before 1.9.0, was discovered by WPScan and has been actively exploited to compromise WordPress sites. A security update has been released to address the issue, but many sites remain at risk due to unpatched installations.

Risks: Zero-Day, Patch Management, Web App/Website Vulnerability, Open Source

CVEs: CVE-2024-11972; CVE-2024-50498; CVE-2024-9707

Keywords: Hunk Companion, WordPress vulnerability, CVE-2024-11972, plugin exploitation, remote code execution

Affected: Hunk Companion, WordPress, WP Query Console

Read More

2024-12-11

Ivanti Releases Security Updates for Critical Vulnerabilities in CSA and Connect Secure

Learn about the crucial importance of timely patch management to protect against severe vulnerabilities in cloud security products.

Ivanti has released critical security updates to fix several serious vulnerabilities in its Cloud Services Application (CSA) and Connect Secure products, which could lead to privilege escalation and remote code execution. These vulnerabilities, which include authentication bypass, command injection, SQL injection, argument injection, and insecure permissions, have been addressed in updated versions of the affected products. Although there are currently no reports of these vulnerabilities being actively exploited, Ivanti urges users to update promptly due to the history of past vulnerabilities being targeted by state-sponsored attackers.

Risks: Privilege Escalation, Web App/Website Vulnerability

CVEs: CVE-2024-11639; CVE-2024-11772; CVE-2024-11773; CVE-2024-11633; CVE-2024-11634; CVE-2024-8540

Keywords: Ivanti, Cloud Services Application, Connect Secure, Vulnerabilities, Security Updates, CVE, Remote Code Execution

Affected: Ivanti Cloud Services Application, Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Sentry

Read More

2024-12-11

Cybercriminals Exploit AWS Vulnerabilities to Steal Credentials

Need some FUD? Want to demonstrate and understand how vulnerable cloud environments are and the importance of secure credential management? This article is for you!

Cybercriminal groups Nemesis and ShinyHunters exploited vulnerabilities in public websites to steal AWS credentials and other sensitive data from thousands of organizations. The operation involved scanning millions of sites for vulnerable endpoints, leveraging tools like Shodan for domain discovery, and targeting known application vulnerabilities. The attackers stored the stolen data in an unsecured AWS S3 bucket, leading to their discovery. AWS took immediate action to mitigate the impact and notify affected customers, emphasizing the shared responsibility model in cloud security. Organizations are advised to avoid hardcoding credentials, use web application firewalls, and implement security best practices to protect their cloud environments.

Risks: Misconfiguration, Web App/Website Vulnerability, Hardcoded Secrets, Weak or Compromised Credentials

CVEs: N/A

Keywords: AWS, Cloud Vulnerabilities, Credential Theft, Nemesis, ShinyHunters, Cyber Attack

Affected: AWS, Ticketmaster

Read More

2024-12-11

Microsoft Patches Critical CLFS Vulnerability in December 2024 Update

Learn about the critical importance of patch management and how Check Point can help secure systems against actively exploited vulnerabilities like the CLFS privilege escalation flaw.

Microsoft's December 2024 Patch Tuesday addressed 72 security vulnerabilities, including a critical privilege escalation flaw in the Windows Common Log File System (CLFS) that has been actively exploited. The update also resolved significant issues in Windows Lightweight Directory Access Protocol (LDAP) and other components, as well as NTLM vulnerabilities, prompting Microsoft to bolster security measures across various services. Additionally, the U.S. CISA mandated remediation of the exploited CLFS vulnerability by December 31, 2024. The update aligns with Microsoft's ongoing efforts to phase out NTLM and improve security defaults. Other major vendors have also issued security updates recently.

Risks: Privilege Escalation, Patch Management

CVEs: CVE-2024-49138; CVE-2022-24521; CVE-2022-37969; CVE-2023-23376; CVE-2023-28252; CVE-2024-49112; CVE-2024-49117; CVE-2024-49105; CVE-2024-49063

Keywords: Microsoft, CLFS vulnerability, Patch Tuesday, privilege escalation, NTLM, LDAP, ransomware

Affected: Microsoft Windows, Windows Common Log File System (CLFS), Windows Lightweight Directory Access Protocol (LDAP), Windows Hyper-V, Remote Desktop Client, Microsoft Muzic, NT LAN Manager (NTLM), Microsoft Exchange Server, Active Directory Certificate Services (AD CS), LDAP, Windows Server, Azure Directory Certificate Services, Windows Explorer

Read More

2024-12-11

Exploitation of Cleo Products Despite Previous Patch

Learn about the importance of timely patch management and how vulnerabilities can still be exploited even after initial patches, highlighting the need for comprehensive security solutions.

A vulnerability in Cleo's Harmony, VLTrader, and LexiCom file management products is being actively exploited, even on systems thought to be patched, leading to unauthorized access and potential compromise of servers. Despite Cleo's previous patch efforts, the flaw allows attackers to execute remote code, impacting industries such as consumer products, food, and shipping. Huntress researchers observed these exploit attempts on numerous servers and provided detection rules and mitigation advice while Cleo works on a new patch. The attacks involve stealthy installation and deletion of autorun files and JAR files to maintain persistence, and Cleo users are advised to reconfigure their software to mitigate the impact.

Risks: Zero-Day, Patch Management, Remote Code Execution

CVEs: CVE-2024-50623

Keywords: Cleo, Harmony, VLTrader, LexiCom, Zero-Day, Remote Code Execution, Vulnerability, Patch Management

Affected: Cleo Harmony, Cleo VLTrader, Cleo LexiCom, consumer products industry, food industry, trucking industry, shipping industry, Active Directory

Read More

2024-12-11

Critical Vulnerabilities in SAP NetWeaver Allow Malicious PDF Uploads

Learn about the critical importance of timely patch management to prevent vulnerabilities in enterprise solutions like SAP NetWeaver.

On December 10, 2024, SAP released a security update for its NetWeaver Application Server for Java to address multiple high-severity vulnerabilities in the Adobe Document Services component. These vulnerabilities, notably including a server-side request forgery flaw, allow attackers to upload malicious PDF files, potentially compromising sensitive information and enabling unauthorized access to internal systems. The exploitation risks include data breaches, unauthorized access to intellectual property, and compromised system integrity. SAP recommends immediate application of Security Note 3536965 and additional security measures to mitigate these risks.

Risks: Patch Management, Web App/Website Vulnerability

CVEs: CVE-2024-47578; CVE-2024-47579; CVE-2024-47580

Keywords: SAP NetWeaver, Adobe Document Services, CVE-2024-47578, SSRF, Vulnerability Patch

Affected: SAP NetWeaver Application Server for Java, Adobe Document Services

Read More

2024-12-10

QNAP Patches Critical Vulnerabilities in QTS and QuTS Hero Systems

Learn about the critical importance of timely patch management to protect against high-severity vulnerabilities in widely-used storage solutions.

QNAP has issued patches for several high-severity vulnerabilities in its QTS and QuTS Hero systems, including a command injection flaw and a CRLF injection bug, both with significant security risks. The updates, available in specific software builds, also address an improper certificate validation vulnerability and other medium to low-severity flaws. Additionally, a high-severity issue in License Center and a medium-severity flaw in Qsync Central have been patched. While there is no indication of these vulnerabilities being exploited in the wild, users are advised to update their systems promptly to prevent potential attacks.

Risks: Patch Management, Web App/Website Vulnerability, Other: Injection

CVEs: CVE-2024-50393; CVE-2024-48868; CVE-2024-48865; CVE-2024-48863

Keywords: QNAP, Vulnerabilities, Patches, QTS, QuTS Hero, Command Injection, CRLF Injection

Affected: QNAP, QTS, QuTS Hero, License Center, Qsync Central

Read More

2024-12-10

OpenWrt Vulnerability Allows Malicious Firmware Injection

Got you some real good FUD: learn about the dangers of supply chain attacks through vulnerabilities in custom firmware.

A vulnerability in OpenWrt's Attended Sysupgrade feature allowed attackers to inject malicious firmware images by exploiting a command injection flaw and a hash truncation issue. OpenWrt, used for customizing network devices, had a critical flaw that was quickly patched after discovery. The flaw involved insecure handling of package names in server code and inadequate hash security, enabling attackers to deliver malicious firmware by reusing legitimate cache keys. Despite the fix, users are advised to verify their firmware integrity.

Risks: Supply Chain, Open Source, Malware, Other: Command Injection

CVEs: CVE-2024-54143

Keywords: OpenWrt, Vulnerability, Firmware Injection, Command Injection, Supply Chain Attack, Network Devices

Affected: OpenWrt, ASUS, Belkin, Buffalo, D-Link, Zyxel

Read More

2024-12-09

BreakingWAF Vulnerability Exposes Major Companies to Cyber Threats

Discover how widespread WAF misconfigurations create vulnerabilities in Fortune 100 companies, presenting a significant opportunity to showcase CloudGuard's superior security solutions.

A vulnerability named "BreakingWAF" has been found in the configuration of web application firewall (WAF) services used by major providers like Akamai, Cloudflare, Fastly, and Imperva, affecting around 40% of Fortune 100 companies. This flaw allows attackers to bypass WAF protections and directly access backend servers, leading to potential denial-of-service attacks, ransomware, or application compromise. The issue affects over 140,000 domains, exposing numerous backend servers to cyber threats. Zafran researchers have suggested mitigation measures such as IP whitelisting, pre-shared secrets in custom headers, and mutual TLS to address the vulnerability. Affected companies have been notified, with some already resolving the issue.

Risks: Misconfiguration, Web App/Website Vulnerability, Third-Party Vendor/SaaS

CVEs: N/A

Keywords: BreakingWAF, Akamai, Cloudflare, Imperva, Fortune 100, WAF vulnerability, DoS attack, CDN security

Affected: Akamai, Cloudflare, Fastly, Imperva, JPMorgan Chase, Visa, Intel, Berkshire Hathaway, UnitedHealth

Read More

2024-12-08

Ultralytics AI Library Compromised by Cryptocurrency Miner

Got you some real good FUD: learn about the dangers of supply chain attacks.

In a recent software supply chain attack, two versions of the popular Ultralytics AI library on PyPI were compromised to include a cryptocurrency miner. This was achieved through a malicious code injection in the build environment using a GitHub Actions Script Injection, allowing unauthorized modifications post-code review. The affected versions, 8.3.41 and 8.3.42, have been removed, and a security fix has been implemented. Users are advised to update to the latest version to ensure security.

Risks: Supply Chain, Open Source, Git/Repo Breach, Malware

CVEs: N/A

Keywords: Ultralytics, PyPI, cryptocurrency miner, supply chain attack, GitHub Actions, open source security

Affected: Ultralytics AI library, PyPI, GitHub, ComfyUI

Read More

2024-12-07

Security Vulnerabilities Found in Popular Open-Source ML Frameworks

Want to understand how unpatched vulnerabilities in open-source ML frameworks can lead to security risks in cloud environments? This article is for you!

Cybersecurity researchers have identified multiple vulnerabilities in widely used open-source machine learning frameworks such as MLflow, H2O, PyTorch, and MLeap. These vulnerabilities, which include issues like cross-site scripting, unsafe deserialization, and path traversal, could allow attackers to execute code and perform lateral movement within an organization. This poses a significant risk as it may expose sensitive information, compromise ML model registries, and backdoor stored models. To mitigate these threats, organizations are advised to carefully vet the ML models they use and avoid loading untrusted models, even from seemingly safe repositories, as this can lead to remote code execution and substantial organizational harm.

Risks: Open Source, Remote Code Execution, Web App/Website Vulnerability, Supply Chain

CVEs: CVE-2024-27132; CVE-2024-6960; CVE-2023-5245

Keywords: Machine Learning, Open-Source Vulnerabilities, MLflow, PyTorch, H2O, MLeap, Remote Code Execution, ML Security

Affected: MLflow, H2O, PyTorch, MLeap

Read More

2024-12-06

Chinese State Hackers Breach Global Telecom Networks

New opportunity - telecommunications companies are under threat from state-sponsored attacks. Time to get out your rolodex.

Chinese state-sponsored hackers, known as Salt Typhoon, have breached telecommunications companies in dozens of countries, including eight firms in the U.S. This ongoing campaign, which may have started up to two years ago, has not compromised classified communications but has accessed private networks, including those of government officials. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI confirmed the breaches, advising the use of encrypted communication to thwart interception attempts. T-Mobile reported recent breaches from a connected provider but claims to have resolved the issue. CISA, in collaboration with the FBI, NSA, and international partners, has issued guidance to strengthen network defenses against such attacks.

Risks: Sensitive Data, Third-Party Vendor/SaaS, Weak or Compromised Credentials

CVEs: N/A

Keywords: Salt Typhoon, Telecom Breach, Chinese State Hackers, CISA, T-Mobile, Verizon, AT&T, Lumen Technologies

Affected: Telecommunications companies, T-Mobile, Verizon, AT&T, Lumen Technologies

Read More

2024-12-06

Mitel MiCollab Vulnerabilities Expose Sensitive Files via Exploit Chain

Learn about the critical importance of timely patch management and the potential risks of unpatched collaboration tools in enterprise environments.

A proof-of-concept exploit demonstrates how a zero-day arbitrary file read vulnerability in Mitel MiCollab can be combined with a previously patched critical bug to access sensitive files on affected systems. Despite Mitel being informed over 100 days ago, a patch for the zero-day is still pending. MiCollab is a widely used enterprise collaboration tool, making it an appealing target for cybercriminals. The earlier critical flaw, which allowed path traversal and unauthorized data access, was fixed in October. However, the new flaw remains unpatched, allowing potential attackers to bypass authentication and access critical system files.

Risks: Zero-Day, Sensitive Data, Patch Management, Web App/Website Vulnerability

CVEs: CVE-2024-35286; CVE-2024-41713

Keywords: Mitel MiCollab, Zero-Day, SQL Injection, Exploit Chain, Vulnerability, Enterprise Collaboration

Affected: Mitel MiCollab, NuPoint Unified Messaging (NPM) component

Read More

2024-12-05

Merseyside Hospitals Hit by Cyber Attack, Data Breach Investigated

New opportunity - hospitals and healthcare facilities are under threat. Time to get out your rolodex and discuss how CloudGuard can secure their systems.

Three hospitals in Merseyside, namely Alder Hey Children's NHS Foundation Trust, Liverpool Heart and Chest Hospital, and Royal Liverpool University Hospital, have been targeted in a cyber attack, following a similar incident at Wirral's Arrowe Park hospital. The attackers have potentially accessed confidential data, which they have threatened to release. Investigations are ongoing to determine the extent of the data breach, but the affected hospitals have secured their systems. While services at Alder Hey were not disrupted, Wirral University Teaching Hospital Trust is still in the process of recovering services, prioritizing emergency treatment, and urging patients with non-urgent issues to seek alternative healthcare options. Authorities, including the National Crime Agency and National Cyber Security Centre, are involved in the response effort.

Risks: Sensitive Data

CVEs: N/A

Keywords: Merseyside, NHS, healthcare, cyber attack, data breach, Alder Hey, hospital security

Affected: Alder Hey Children's NHS Foundation Trust, Liverpool Heart and Chest Hospital, Royal Liverpool University Hospital, Wirral University Teaching Hospital Trust

Read More

2024-12-04

Stoli Group Files for Bankruptcy After Ransomware Attack and Asset Seizure

Understand the severe impact of ransomware attacks on business operations and financial stability, highlighting the necessity of robust cybersecurity solutions to prevent such disruptions.

Stoli Group's U.S. subsidiaries have filed for bankruptcy following a ransomware attack in August 2024 that disrupted their IT systems and enterprise resource planning (ERP) platform, forcing manual operations and hindering financial reporting. The incident compounded financial strain from Russian authorities seizing the company's last remaining distilleries in Russia and ongoing legal battles over vodka trademark rights. The ransomware attack and asset seizure have led to significant operational and financial challenges, with recovery expected by early 2025.

Risks: Malware, Other: Ransomware Attack

CVEs: N/A

Keywords: Ransomware, Stoli Group, Bankruptcy, IT Disruption, Asset Seizure, ERP System, Financial Impact

Affected: Stoli Group, Stoli USA, Kentucky Owl, enterprise resource planning (ERP) platform

Read More

2024-12-04

Critical Vulnerability Exposes Files in SailPoint IdentityIQ

Learn about the critical importance of securing IAM solutions and the potential consequences of unpatched vulnerabilities in identity management systems.

A critical vulnerability in SailPoint's IdentityIQ software, affecting versions 8.2, 8.3, 8.4, and others, allows unauthorized access to files in the application directory. The flaw involves improper handling of file names, enabling access to protected content. It is rated with a maximum severity score, but details remain scarce, and no security advisory has been issued by SailPoint.

Risks: Web App/Website Vulnerability, Sensitive Data, Misconfiguration

CVEs: CVE-2024-10905

Keywords: SailPoint, IdentityIQ, CVE-2024-10905, IAM Vulnerability, Unauthorized Access

Affected: SailPoint IdentityIQ

Read More

2024-12-04

Veeam Patches Critical Vulnerabilities in Service Provider Console

Learn about the critical importance of timely patch management to safeguard against remote code execution vulnerabilities in cloud services.

Veeam has released patches for critical vulnerabilities in its Service Provider Console, including a severe remote code execution flaw. These vulnerabilities, affecting versions 8.1.0.21377 and earlier, have been resolved in version 8.1.0.21999. The vulnerabilities could allow remote code execution and NTLM hash leakage, with no available mitigations other than upgrading to the latest version.

Risks: Patch Management, Remote Code Execution

CVEs: CVE-2024-42448; CVE-2024-42449

Keywords: Veeam, Service Provider Console, Remote Code Execution, Vulnerability, NTLM Hash Leakage, Patch Management

Affected: Veeam Service Provider Console

Read More

2024-12-04

Organizations Move Towards Consolidated Cybersecurity Platforms

Discover the shift towards cybersecurity platforms and the opportunity to capture market share as organizations streamline their security tools, with Check Point positioned as a key player.

Cybersecurity leaders are overwhelmed by the number of security tools they manage, with most organizations operating between 21 and 50 tools. Although three-quarters want to reduce this number, 87% have added more tools in the past year due to the expanding threat landscape. The transition to streamlined cybersecurity platforms is expected over the next three to five years as existing contracts end. Key players like CrowdStrike, Palo Alto Networks, Fortinet, and Check Point are poised to benefit from this shift, though a diverse vendor ecosystem remains important.

Risks: N/A

CVEs: N/A

Keywords: Cybersecurity Platforms, Tool Consolidation, Threat Landscape, Check Point, Market Opportunities

Affected: CrowdStrike, Palo Alto Networks, Fortinet, Check Point

Read More

2024-12-04

Vulnerabilities in Palo Alto Networks and SonicWall VPN Clients Allow Remote Code Execution

Need some ammo against Palo Alto Networks and SonicWall? This article is for you!

The article discusses vulnerabilities in Palo Alto Networks and SonicWall VPN clients, which can be exploited to execute remote code on Windows and macOS systems. These flaws allow attackers to manipulate VPN client behavior and execute commands by exploiting the trust placed in servers. The vulnerabilities include insufficient certificate validation and improper handling of client updates, potentially leading to privileged code execution. Palo Alto Networks and SonicWall have released patches to address these issues, emphasizing the importance of updating to the latest versions to prevent possible exploitation.

Risks: Privilege Escalation, Patch Management, Other: VPN Client Vulnerability

CVEs: CVE-2024-5921; CVE-2024-29014

Keywords: Palo Alto Networks, SonicWall, VPN Vulnerability, Remote Code Execution, NachoVPN

Affected: Palo Alto Networks GlobalProtect, SonicWall SMA100 NetExtender

Read More

2024-12-03

Major Corporations Hit by Data Breach Linked to MOVEit Vulnerability

Learn about the critical importance of patch management and how vulnerabilities in widely-used tools like MOVEit can lead to massive data breaches, creating opportunities for CloudGuard solutions to secure sensitive data.

A significant data breach linked to vulnerabilities in the MOVEit file transfer tool has resulted in the exposure of personal data for hundreds of thousands of employees from major corporations such as Xerox, Nokia, Bank of America, and Morgan Stanley. The breach, exploited by the Cl0p ransomware group since May 2023, has led to the leakage of sensitive employee details, including names, phone numbers, email addresses, and job-related information, on a cybercrime forum. This breach underscores the severe risks posed by unpatched vulnerabilities and highlights the potential for social engineering attacks targeting the affected organizations.

Risks: Sensitive Data, Patch Management, Third-Party Vendor/SaaS

CVEs: CVE-2023-34362

Keywords: MOVEit vulnerability, data breach, Cl0p ransomware, employee data leak, CVE-2023-34362, Xerox, Nokia, Bank of America, Morgan Stanley

Affected: Xerox, Nokia, Koch, Bank of America, Morgan Stanley, Amazon, Bridgewater, JLL

Read More

2024-12-03

AWS Launches Security Incident Response Service for Efficient Incident Management

Need some ammo against AWS? Have a customer or prospect that uses AWS? This article is for you!

AWS has introduced a new service called AWS Security Incident Response, designed to enhance organizational security by managing security incidents more efficiently. This service provides automated monitoring and investigation, streamlined communication via tools like Amazon GuardDuty and AWS Security Hub, and 24/7 expert support from the AWS Customer Incident Response Team. It offers automated triage, simplified communication and coordination, and access to expert support, all aimed at improving incident response performance. Organizations can onboard through AWS Organizations and benefit from features like proactive incident response and containment capabilities. Pricing starts at $7,000 per month, with costs increasing based on AWS spending.

Risks: N/A

CVEs: N/A

Keywords: AWS, Security Incident Response, GuardDuty, AWS Security Hub, Cloud Security, Incident Management

Affected: AWS, Amazon GuardDuty, AWS Security Hub

Read More

2024-12-02

SmokeLoader Malware Targets Taiwan's Manufacturing, Healthcare, and IT Sectors

New opportunity - companies in the manufacturing, healthcare, and IT industries are under threat from SmokeLoader malware. Time to get out your rolodex.

The SmokeLoader malware has resurfaced, targeting manufacturing, healthcare, and IT sectors in Taiwan. Known for its advanced evasion techniques and modular design, SmokeLoader serves as a downloader to deliver other malware but can also execute attacks itself by downloading plugins from its command-and-control server. Despite a decline in activity after Operation Endgame dismantled its infrastructure, SmokeLoader remains active due to publicly available cracked versions. The recent campaign begins with phishing emails containing Excel attachments exploiting old vulnerabilities to deploy SmokeLoader, which uses plugins to steal sensitive data and perform various attacks.

Risks: Malware, Sensitive Data, Patch Management

CVEs: CVE-2017-0199; CVE-2017-11882

Keywords: SmokeLoader, Malware, Phishing, Taiwan, Manufacturing, Healthcare, IT Security, Data Theft, Ande Loader

Affected: Manufacturing, Healthcare, Information Technology, Microsoft Excel, Outlook, Thunderbird, FileZilla, WinSCP

Read More

2024-12-01

Active Directory Certificate Services Vulnerability Enables Privilege Escalation

Need some FUD? Learn about the critical vulnerabilities in Microsoft's Active Directory Certificate Services and the importance of securing certificate infrastructures to protect against domain compromises.

A critical vulnerability in Microsoft's Active Directory Certificate Services (AD CS) allows attackers to escalate privileges and potentially gain domain admin access by manipulating certificate requests. Discovered by TrustedSec in October 2024, this exploit, known as ESC15, affects AD CS environments using version 1 certificate templates with specific configurations. It enables attackers with basic enrollment rights to bypass restrictions and gain unauthorized privileges by crafting Certificate Signing Requests (CSRs) that override intended attributes. This vulnerability highlights ongoing challenges in securing AD CS infrastructures and poses a risk of domain compromise, particularly through the commonly used WebServer template.

Risks: Privilege Escalation, Misconfiguration, Over Permissive Roles

CVEs: CVE-2024-49019

Keywords: Active Directory, Certificate Services, ESC15, EKUwu, Microsoft, Privilege Escalation, AD CS Vulnerability

Affected: Microsoft, Active Directory Certificate Services

Read More

2024-11-29

Cyberattack Causes System Outage at UK Hospital Network

Learn about the critical importance of robust cybersecurity measures in healthcare and how disruptions can impact essential services.

A cyberattack on Wirral University Teaching Hospital, part of the NHS Foundation Trust in the UK, has caused significant disruption by leading to a systems outage, forcing the postponement of appointments and scheduled procedures. The hospital network, which includes Arrowe Park, Clatterbridge, and Wirral Women and Children's Hospitals, has been operating under business continuity processes using manual systems. This has resulted in increased waiting times and limited availability of services like X-rays and surgeries, with no clear timeline for full system restoration.

Risks: Other: System Outage

CVEs: N/A

Keywords: Healthcare Cyberattack, NHS Trust, System Outage, Hospital Network, Incident Response

Affected: Wirral University Teaching Hospital, NHS Foundation Trust, Arrowe Park Hospital, Clatterbridge Hospital, Wirral Women and Children's Hospital

Read More

2024-11-28

First Linux UEFI Bootkit 'Bootkitty' Discovered Targeting Ubuntu

Need some FUD? Learn about the emerging threat of Linux UEFI bootkits and how they highlight vulnerabilities in cloud environments.

The discovery of 'Bootkitty,' the first UEFI bootkit malware targeting Linux, marks a shift in bootkit threats that have traditionally focused on Windows. This proof-of-concept malware specifically affects certain Ubuntu versions, bypassing kernel signature verification during system boot using a self-signed certificate. Although Bootkitty is not yet a fully developed threat, it signifies an evolution in the UEFI bootkit space. The malware hooks UEFI security protocols to bypass Secure Boot and modifies GRUB functions to disable signature verification, allowing malicious modules to load. Despite its potential, Bootkitty's current implementation is limited by compatibility issues and remains unsuitable for widespread deployment.

Risks: Malware, Privilege Escalation, Open Source

CVEs: N/A

Keywords: UEFI bootkit, Linux malware, Bootkitty, Ubuntu security, ESET research, Secure Boot bypass

Affected: Ubuntu, GRUB, Linux kernel

Read More

2024-11-28

npm Package @0xengine/xmlrpc Turns Malicious, Steals Data and Mines Cryptocurrency

Got you some real good FUD: learn about the dangers of supply chain attacks.

A software supply chain attack was discovered involving the npm package @0xengine/xmlrpc, which was initially a legitimate JavaScript-based XML-RPC server and client for Node.js, but later became malicious. The attack involved adding code to steal sensitive data and mine cryptocurrency, distributed through npm and a GitHub repository named yawpp. The malware harvests data, establishes persistence, and uses XMRig to mine cryptocurrency on compromised systems. This incident underscores the need for vigilance in monitoring software supply chains, as packages can become threats over time.

Risks: Sensitive Data, Malware, Supply Chain, Open Source, Git/Repo Breach

CVEs: N/A

Keywords: npm, supply chain attack, data theft, cryptocurrency mining, @0xengine/xmlrpc, Node.js, GitHub

Affected: npm, Node.js, yawpp, GitHub, Dropbox, file.io, systemd, XMRig, Monero

Read More

2024-11-28

ProjectSend Vulnerability CVE-2024-11680 Allows Code Execution

Learn about the importance of timely patch management and how exploiting unpatched vulnerabilities can lead to major security risks.

A critical security vulnerability in the ProjectSend file-sharing application, originally reported in January 2023 and patched in August 2024, is being actively exploited. The flaw allows attackers to execute arbitrary PHP code on affected servers by bypassing authorization checks. Despite the availability of a patched version, only 1% of the 4,000 internet-exposed ProjectSend servers have been updated, leaving the majority susceptible to attacks that include web shell installations and potential malicious JavaScript embedding. Users are urged to update to the latest version to protect against these threats.

Risks: Patch Management, Web App/Website Vulnerability, Open Source

CVEs: CVE-2024-11680

Keywords: ProjectSend, CVE-2024-11680, Code Execution, Open Source Vulnerability, Web Shell

Affected: ProjectSend

Read More

2024-11-27

IBM Patches Critical RCE Flaws in Data Virtualization Manager and Security SOAR

Learn about the crucial role of timely patch management in preventing vulnerabilities and securing your clients' IT infrastructure.

IBM has released patches for several vulnerabilities in its products, including serious remote code execution issues in Data Virtualization Manager and Security SOAR. These vulnerabilities could allow attackers to execute arbitrary code or cause system disruptions. The company also addressed high-severity flaws in Watson Speech Services and OpenSSL, as well as various medium- and low-severity security issues in Engineering Lifecycle Management and other products. IBM has provided fix packs and guidance to mitigate these risks.

Risks: Patch Management, Web App/Website Vulnerability, Other: Prototype Pollution

CVEs: CVE-2024-52899; CVE-2024-45801; CVE-2024-49353; CVE-2024-6119

Keywords: IBM, RCE, Data Virtualization Manager, Security SOAR, Vulnerability, Patch Management, CVE-2024-52899, CVE-2024-45801

Affected: Data Virtualization Manager, Security SOAR, Watson Speech Services Cartridge for Cloud Pak for Data, OpenSSL, Engineering Lifecycle Management, IBM Workload Scheduler, Watson Query, Db2 Big SQL on Cloud Pak for Data

Read More

2024-11-27

Evaluation of Cloud Service Provider Firewall Effectiveness

Need some ammo against AWS, Azure, or GCP? Have a customer or prospect that uses these CSPs? This article is for you!

CyberRatings.org conducted an independent test of cloud service provider native firewalls from AWS, Azure, and GCP, revealing significant disparities in their security effectiveness. The firewalls were evaluated against 522 exploits, with GCP blocking 264, Azure blocking 126, and AWS blocking only 2. The tests focused on known vulnerabilities from the last decade with medium or higher severity. Despite ease of deployment, the low block rates highlight the need for improvement in native firewall security. Customers are advised to consider third-party solutions for enhanced protection until these native firewalls demonstrate higher security effectiveness.

Risks: Cloud Service Provider Flaw

CVEs: N/A

Keywords: AWS firewall, Azure firewall, GCP firewall, cloud security, CSP evaluation, native firewall performance

Affected: Amazon Web Services, Microsoft Azure, Google Cloud Platform

Read More

2024-11-27

High-Risk Vulnerability Found in NVIDIA UFM Products

Learn about the critical importance of patch management for infrastructure tools and how timely updates can protect against privilege escalation and data tampering risks.

A recently disclosed vulnerability in NVIDIA's UFM Enterprise, UFM Appliance, and UFM CyberAI products allows attackers to escalate privileges, tamper with data, cause denial of service, and access sensitive information due to improper authentication. Exploitation occurs via malformed requests through the Ethernet management interface, typically isolated from public networks. NVIDIA has issued firmware updates to address the issue, highlighting the importance of timely patch management for infrastructure tools with privileged access. Organizations using these products should promptly apply the updates to mitigate risk.

Risks: Privilege Escalation, Patch Management

CVEs: CVE-2024-0130

Keywords: NVIDIA, UFM Vulnerability, Privilege Escalation, Patch Management, CVE-2024-0130

Affected: NVIDIA UFM Enterprise, NVIDIA UFM Appliance, NVIDIA UFM CyberAI

Read More

2024-11-27

VMware Patches Critical Vulnerabilities in Aria Operations

Learn about the critical importance of patch management to prevent privilege escalation and cross-site scripting vulnerabilities in virtualized cloud environments.

VMware has released patches for five high-severity vulnerabilities in its Aria Operations product, addressing issues that could allow attackers to elevate privileges or execute cross-site scripting attacks. These vulnerabilities include two local privilege escalation flaws that could lead to root access and three stored cross-site scripting vulnerabilities that enable script injection through various means, such as views and email templates.

Risks: Patch Management, Privilege Escalation, Web App/Website Vulnerability

CVEs: CVE-2024-38830; CVE-2024-38831; CVE-2024-38832; CVE-2024-38833; CVE-2024-38834

Keywords: VMware, Aria Operations, Vulnerabilities, Privilege Escalation, Cross-Site Scripting, CVE-2024-38830, CVE-2024-38831, Patch Management

Affected: VMware Aria Operations

Read More

2024-11-26

Critical Vulnerabilities in CleanTalk WordPress Plugin Allow Remote Code Execution

Learn about the importance of patch management to protect WordPress sites from critical vulnerabilities that can lead to remote code execution.

Two critical vulnerabilities in the CleanTalk WordPress Anti-Spam plugin, impacting over 200,000 sites, could allow unauthorized attackers to install and activate malicious plugins, potentially leading to remote code execution. The flaws involve authorization bypass issues, one due to a missing value check and another through reverse DNS spoofing. Users are advised to update to the latest versions, 6.44 and 6.45, which address these security issues. The situation coincides with ongoing campaigns exploiting compromised WordPress sites to inject malicious code, posing additional risks.

Risks: Web App/Website Vulnerability, Patch Management, Privilege Escalation

CVEs: CVE-2024-10542; CVE-2024-10781

Keywords: WordPress, CleanTalk, Remote Code Execution, CVE-2024-10542, CVE-2024-10781, Plugin Vulnerability, Authorization Bypass

Affected: WordPress, CleanTalk Spam protection, Anti-Spam, FireWall plugin

Read More

2024-11-26

Blue Yonder Ransomware Attack Disrupts UK Grocery Supply Chains

Learn about the importance of securing managed services environments to prevent supply chain disruptions like those faced by Blue Yonder's clients.

Blue Yonder, a supply chain management firm, experienced a ransomware attack on November 21, 2024, disrupting its managed services and impacting several high-profile clients, including UK grocery stores like Morrisons and Sainsbury's, as well as Starbucks. The company, a Panasonic subsidiary, is working with external cybersecurity firms to recover while maintaining that its public cloud environment remains secure. Clients are advised to stay updated via Blue Yonder's customer update page, as no specific restoration timeline is available yet, and no ransomware group has claimed responsibility for the attack.

Risks: Ransomware, Supply Chain, Third-Party Vendor/SaaS

CVEs: N/A

Keywords: Ransomware, Blue Yonder, Supply Chain Disruption, UK Grocery, Managed Services

Affected: Morrisons, Sainsbury's, Starbucks, Blue Yonder's managed services environment

Read More

2024-11-26

Critical Vulnerability in Array Networks Exploited by Cyber Espionage Group

Need some ammo against Fortinet? This article is for you! Learn about the importance of patch management and how Check Point can help protect against such vulnerabilities.

CISA has added a critical vulnerability affecting Array Networks AG and vxAG secure access gateways to its Known Exploited Vulnerabilities catalog due to active exploitation in the wild. The flaw is a missing-authentication issue that allows unauthenticated remote code execution via a vulnerable URL. The Chinese cyber espionage group Earth Kasha has been exploiting this vulnerability, alongside others in Proself and Fortinet products, primarily targeting Japanese and other international entities. The vulnerability has now been patched, and agencies are urged to update their systems promptly.

Risks: Patch Management, Web App/Website Vulnerability, Other: Remote Code Execution

CVEs: CVE-2023-28461; CVE-2023-45727; CVE-2023-27997

Keywords: Array Networks, Earth Kasha, CVE-2023-28461, Remote Code Execution, Fortinet, Cyber Espionage

Affected: Array Networks, Array AG, vxAG, Proself, Fortinet FortiOS, Fortinet FortiProxy

Read More

2024-11-26

New Attack Techniques Exploit Terraform and Open Policy Agent Vulnerabilities

Need some FUD? Learn about the vulnerabilities in IaC and PaC tools like Terraform and OPA, and how they expose cloud platforms to new attack vectors.

The article discusses newly discovered attack techniques targeting Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) tools like Terraform and Open Policy Agent (OPA). These tools, which utilize domain-specific languages, are typically seen as secure but have vulnerabilities that can be exploited. An attacker can compromise OPA by inserting malicious policies to exfiltrate data using functions like "http.send" or "net.lookup_ip_addr." Terraform is also vulnerable, as attackers can manipulate GitHub workflows through unreviewed changes in pull requests, using malicious data sources to achieve their goals. The article emphasizes the need to use trusted third-party components to mitigate these risks.

Risks: Supply Chain, Git/Repo Breach, Weak or Compromised Credentials, Open Source

CVEs: N/A

Keywords: Terraform, Open Policy Agent, IaC vulnerabilities, PaC vulnerabilities, data exfiltration, DNS tunneling

Affected: Terraform, Open Policy Agent

Read More

2024-11-26

Arizona State Database Breach Exposes Sensitive Personal Data

Discover the importance of robust cybersecurity protocols in public administration to highlight potential opportunities for CloudGuard solutions.

A breach in Arizona’s state database has exposed sensitive personal information, highlighting vulnerabilities in public administration systems and raising concerns over data security and privacy. The leaked data, including names, addresses, and contact details, poses risks such as identity theft and fraud. The source of the leak is unclear, but it may be due to inadequate cybersecurity measures or a targeted attack. The incident underscores the need for robust cybersecurity protocols and regular audits to protect government infrastructure from cyberattacks.

Risks: Sensitive Data, Other: Inadequate Cybersecurity Measures

CVEs: N/A

Keywords: Data Breach, Arizona State, Personal Information Leak, Government Cybersecurity, Identity Theft

Affected: Arizona state database

Read More

2024-11-22

Fortinet VPN Logging Flaw Enables Undetected Brute-Force Attacks

Need some ammo against Fortinet? This article highlights a significant security flaw in Fortinet VPN that leaves organizations vulnerable to undetected brute-force attacks.

A design flaw in Fortinet VPN's logging system allows successful brute-force attacks to go unnoticed by logging only failed login attempts. Attackers can verify credentials after the authentication stage without proceeding to authorization, preventing successful attempts from being recorded. This vulnerability enables attackers to validate credentials without alerting defenders, posing a significant security risk as they could use or sell the verified credentials later. The flaw complicates the detection of successful breaches during incident response, although failed attempts still indicate an ongoing brute-force attack.

Risks: Weak or Compromised Credentials, Other: Logging Flaw

CVEs: N/A

Keywords: Fortinet, VPN, brute-force attack, logging flaw, credential verification

Affected: Fortinet VPN

Read More

2024-11-22

Palo Alto Networks Firewalls Compromised by Exploited Vulnerabilities

Need some ammo against Palo Alto Networks? This article is for you!

Hackers have compromised over 2,000 Palo Alto Networks firewalls by exploiting two recently patched zero-day vulnerabilities. These vulnerabilities include an authentication bypass in the PAN-OS management web interface, allowing remote attackers to gain administrator privileges, and a privilege escalation flaw enabling command execution with root privileges. Despite the company's assurance of limited impact, threat monitoring indicates widespread vulnerability, with over 2,700 devices at risk. Additionally, a critical flaw in the Expedition firewall configuration tool was exploited earlier, highlighting the ongoing challenge of securing Palo Alto Networks devices against emerging threats.

Risks: Zero-Day, Privilege Escalation, Patch Management

CVEs: CVE-2024-0012; CVE-2024-9474; CVE-2024-5910; CVE-2024-3400

Keywords: Palo Alto Networks, PAN-OS, Firewall Vulnerabilities, Authentication Bypass, Privilege Escalation

Affected: Palo Alto Networks firewalls, PAN-OS, Expedition firewall configuration tool

Read More

2024-11-22

Gelsemium APT Targets Linux with New WolfsBane Backdoor

New opportunity - organizations in East and Southeast Asia are under threat from Linux-targeted espionage campaigns. Time to get out your rolodex.

The article discusses the recent activities of the Chinese APT group Gelsemium, which has been deploying a new Linux backdoor called WolfsBane in cyber espionage campaigns targeting East and Southeast Asia. WolfsBane is a Linux adaptation of their existing Windows backdoor, Gelsevirine, and is used to gather sensitive data while maintaining persistent, stealthy access. Additionally, another implant named FireWood was discovered, linked to a different malware suite, Project Wood. The attackers possibly exploited a web application vulnerability to deliver these backdoors, leveraging rootkits for concealment. This marks Gelsemium's first documented use of Linux malware, reflecting a broader trend of APTs shifting focus toward Linux systems, driven by improvements in email and endpoint security.

Risks: Malware, Sensitive Data, Web App/Website Vulnerability

CVEs: N/A

Keywords: Gelsemium, WolfsBane, Linux backdoor, cyber espionage, APT, East Asia, Southeast Asia

Affected: Linux, Windows, East Asia, Southeast Asia, Taiwan, Philippines, Singapore

Read More

2024-11-21

Critical Vulnerabilities in Palo Alto Networks Firewalls Allow System Takeover

Need some ammo against Palo Alto Networks? Discover the vulnerabilities in their firewall systems and understand the importance of secure development practices.

Palo Alto Networks addressed two critical vulnerabilities in its firewalls and virtual security appliances that allowed attackers to execute code with high privileges, potentially taking full control of affected devices. These vulnerabilities stemmed from basic development errors, enabling authentication bypass and privilege escalation. Attackers could exploit these flaws to gain administrative access and execute code on the underlying OS. The vulnerabilities affected multiple PAN-OS versions, which have now been patched. Administrators are advised to update their systems and limit management interface exposure to trusted networks to mitigate risks.

Risks: Zero-Day, Misconfiguration, Privilege Escalation, Web App/Website Vulnerability

CVEs: CVE-2024-0012; CVE-2024-9474; CVE-2024-3400

Keywords: Palo Alto Networks, PAN-OS, Firewall Vulnerabilities, Authentication Bypass, Privilege Escalation, CVE-2024-0012, CVE-2024-9474

Affected: Palo Alto Networks, PAN-OS, Palo Alto Panorama

Read More

2024-11-20

Oracle Agile PLM Framework Vulnerability Allows Unauthorized Data Access

Learn about the significance of security vulnerabilities in widely used enterprise applications and how proactive measures can prevent unauthorized data access.

Oracle has disclosed a critical security flaw in the Agile Product Lifecycle Management Framework that allows attackers to exploit it remotely without authentication, potentially leaking sensitive information. The vulnerability, which is actively being exploited, enables unauthorized access to files on the affected system. Details about the attackers and the extent of the attacks remain unknown.

Risks: Sensitive Data, Web App/Website Vulnerability

CVEs: CVE-2024-21287

Keywords: Oracle, Agile PLM, CVE-2024-21287, Data Breach, Unauthorized Access

Affected: Agile Product Lifecycle Management Framework

Read More

2024-11-19

Custom IOCs Enhance Cybersecurity Threat Detection

Learn how utilizing custom IOCs can enhance threat detection and improve security postures, offering an edge in protecting cloud environments.

The article discusses the importance of using custom Indicators of Compromise (IOCs) in cybersecurity to improve threat detection and response. While generic IOCs are often noisy, lack context, and are not tailored to specific threats, custom IOCs provide more relevant and actionable intelligence. They enhance threat hunting, offer targeted threat intelligence, boost supply chain security, align with industry or geographical needs, protect critical infrastructure, and improve compliance. As cyber threats evolve, integrating custom IOCs into security systems is essential for effective protection.

Risks: N/A

CVEs: N/A

Keywords: Custom IOCs, Threat Detection, Cyber Threat Intelligence, Supply Chain Security, Compliance

Affected: N/A

Read More

2024-11-19

Critical Vulnerabilities in VMware vCenter and Kemp LoadMaster Under Active Exploitation

Learn about the critical importance of patch management and the opportunity to showcase CloudGuard's capabilities in defending against emerging threats and vulnerabilities in VMware and Progress Kemp LoadMaster environments.

The article highlights active exploitation of critical vulnerabilities in VMware vCenter and Kemp LoadMaster, as noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The Kemp LoadMaster flaw, a command injection vulnerability, allows remote attackers full system access through the management interface and was patched in February 2024. VMware vCenter Server is also under attack due to two security flaws, initially resolved in September 2024, but requiring further patching last month. Additionally, a severe vulnerability in Veeam Backup & Replication is being exploited to deploy new ransomware. These incidents underscore the need for timely patch management and vigilance against emerging threats.

Risks: Patch Management, Web App/Website Vulnerability, Malware

CVEs: CVE-2024-1212; CVE-2024-38812; CVE-2024-38813; CVE-2024-40711

Keywords: VMware vCenter, Progress Kemp LoadMaster, CVE-2024-1212, CVE-2024-38812, Veeam Backup & Replication, Ransomware, Patch Management

Affected: VMware vCenter, Progress Kemp LoadMaster, Veeam Backup & Replication

Read More

2024-11-19

Helldown Ransomware Expands to Target VMware and Linux Systems

Learn about evolving ransomware threats and the importance of protecting virtualized infrastructures in key industries like IT, telecom, and healthcare.

The article discusses the emergence of a Linux variant of the Helldown ransomware, expanding its attacks to VMware and Linux systems. Helldown, derived from LockBit 3.0, targets virtualized infrastructures and sectors like IT, telecom, manufacturing, and healthcare using double extortion tactics. It exploits vulnerabilities in Zyxel firewalls for network entry, then performs activities like credential harvesting and lateral movement. The Windows version deletes shadow copies and terminates processes before encryption, while the Linux variant terminates VMs to gain access to their files, although this feature isn't fully utilized. The ransomware's development suggests it's not highly sophisticated yet. Helldown shares behavioral traits with DarkRace and coincides with the rise of other ransomware families like Interlock and SafePay, indicating a trend of ransomware groups expanding their capabilities and targeting diverse sectors.

Risks: Malware, Weak or Compromised Credentials, Inadequate Network Segmentation, Other: Double Extortion

CVEs: N/A

Keywords: Helldown, ransomware, VMware, Linux, LockBit, Zyxel, double extortion, virtual machines

Affected: VMware, Linux, Windows, Zyxel firewalls, IT services, telecommunications, manufacturing, healthcare

Read More

2024-11-18

BabbleLoader Malware Evades Detection to Deliver Information Stealers

Need some FUD? Understand how advanced malware loaders like BabbleLoader evade detection and threaten cloud environments, highlighting the critical need for robust security solutions.

BabbleLoader is a newly identified malware loader that stealthily delivers information-stealing malware like WhiteSnake and Meduza by evading antivirus and sandbox detection. It targets English and Russian-speaking users, often posing as accounting software. BabbleLoader uses advanced evasion techniques, such as junk code and metamorphic transformations, to bypass both traditional and AI-based detection systems. Each instance of BabbleLoader is unique, with randomized code and metadata, complicating analysis and detection. This loader exemplifies a growing trend in malware delivery methods that prioritize evasion to protect payloads, reducing the need for threat actors to frequently change their infrastructure.

Risks: Malware, Supply Chain

CVEs: N/A

Keywords: BabbleLoader, Malware Evasion, Information Stealer, WhiteSnake, Meduza, Loader Techniques, Anti-Sandboxing

Affected: BabbleLoader, WhiteSnake, Meduza, Dolphin Loader, Emmenhtal, FakeBat, Hijack Loader, CryptBot, Lumma Stealer, SectopRAT, SmokeLoader, Ursnif

Read More

2024-11-17

T-Mobile Targeted in Telecom Breaches by Chinese Hackers

New opportunity - companies in the telecommunications industry are under threat from state-sponsored attacks. Time to get out your rolodex.

T-Mobile was recently targeted in a wave of telecom breaches by Chinese state-sponsored threat actors aiming to access private communications, call records, and law enforcement information requests. Although T-Mobile claims no significant impact on its systems or customer data, the breaches have affected other major U.S. telecom companies like AT&T and Verizon. The attackers, known as Salt Typhoon, have a history of targeting government entities and telecom companies. The U.S. government confirmed that these breaches allowed the theft of sensitive communications and data related to national security officials. The attacks reportedly exploited vulnerabilities in Cisco routers, though Cisco denies any breach of their equipment.

Risks: Sensitive Data, Other: State-Sponsored Attack

CVEs: N/A

Keywords: T-Mobile, Salt Typhoon, Chinese state-sponsored, telecom breaches, Cisco vulnerabilities

Affected: T-Mobile, AT&T, Verizon, Lumen, U.S. telecommunications industry, Cisco routers

Read More

2024-11-17

Fortinet FortiClient Vulnerability Exploited by DEEPDATA Malware to Steal VPN Credentials

Need some ammo against Fortinet? Discover how unpatched vulnerabilities in FortiClient lead to major security risks and learn about the importance of proactive patch management.

A vulnerability in Fortinet's FortiClient for Windows is being exploited by the threat actor BrazenBamboo through a malware framework called DEEPDATA to steal VPN credentials. Discovered by Volexity in July 2024, DEEPDATA is a post-exploitation tool targeting Windows to gather various sensitive data, including application passwords and communication app data. It includes a DLL loader to decrypt and launch plugins, one of which exploits the FortiClient flaw to extract VPN credentials. Despite being reported, the flaw remains unpatched. DEEPDATA, along with DEEPPOST and LightSpy, enhances BrazenBamboo's cyber espionage capabilities. LightSpy, linked to the China-linked APT41, shares code similarities with DEEPDATA, hinting at a coordinated development effort, possibly by government-associated entities.

Risks: Zero-Day, Sensitive Data, Patch Management, Malware

CVEs: N/A

Keywords: Fortinet, FortiClient, DEEPDATA, VPN Credentials, BrazenBamboo, Zero-Day, APT41, Malware

Affected: Fortinet, FortiClient, Windows, WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu, KeePass

Read More

2024-11-17

Retail and Tech Sectors Face Highest Cyber Attack Risks

New opportunity - companies in retail and technology industries are under threat. Time to get out your rolodex.

The investigation by NordStellar into nearly 2,000 data breaches over the past two years reveals that retail and technology sectors are the prime targets for cybercriminals, with 95 and 56 attacks respectively. Business services, internet services, IT consulting, and software development also face significant risks. Geographically, US companies are the most targeted, followed by firms in India and the UK. Small and medium businesses are particularly vulnerable, comprising 72% of breached firms, likely due to underestimating their value to hackers. Additionally, 85% of affected businesses are private companies, highlighting their susceptibility to cyber threats.

Risks: Weak or Compromised Credentials, Other: Broad Attack Methods

CVEs: N/A

Keywords: Retail Sector, Technology Sector, Data Breaches, Small and Medium Businesses, Cybercrime Trends

Affected: Retail sector, Technology sector, Business services, Internet and web services, IT services and consulting, Software development, Computer hardware development, Entertainment, Education, Finance

Read More

2024-11-16

Critical Vulnerability in Palo Alto Networks PAN-OS Under Active Exploitation

Need some ammo against Palo Alto Networks? This article is for you!

Palo Alto Networks disclosed a zero-day vulnerability in its PAN-OS firewall management interface, which is actively exploited to deploy web shells, granting attackers persistent access. The vulnerability has a critical CVSS score of 9.3 and allows unauthenticated remote command execution, though severity drops if interface access is restricted. Patches were released for other related vulnerabilities (CVE-2024-9474 and CVE-2024-0012), which allow privilege escalation and authentication bypass. These vulnerabilities have been added to the CISA's Known Exploited Vulnerabilities catalog, requiring remediation by December 9, 2024. Palo Alto is investigating the exploitation under "Operation Lunar Peek" and advises immediate securing of the management interface.

Risks: Zero-Day, Privilege Escalation, Web App/Website Vulnerability, Malware

CVEs: CVE-2024-5910; CVE-2024-9463; CVE-2024-9465; CVE-2024-9474; CVE-2024-0012

Keywords: Palo Alto Networks, PAN-OS, Zero-Day, Firewall Vulnerability, Remote Command Execution, Web Shell

Affected: Palo Alto Networks, PAN-OS

Read More

2024-11-15

Chinese Hackers Breach Telecom Providers in Espionage Campaign

New opportunity - telecommunications industry is under threat. Time to get out your rolodex.

Chinese hackers have executed a significant cyberespionage campaign targeting telecommunications providers, as confirmed by the US government agencies CISA and FBI. This campaign involved compromising networks to steal call records, spy on individuals, and gather sensitive data, primarily affecting those involved in government or political activities. The alert follows reports of similar breaches in major US broadband providers and raises concerns about the broader implications of such cyber threats on national security.

Risks: Sensitive Data, State-Sponsored Hackers

CVEs: N/A

Keywords: Telecommunications, Cyber Espionage, China, Network Breach, Call Records, State-Sponsored Hackers

Affected: Telecommunications providers, AT&T, Verizon, Lumen Technologies, US internet service providers, Singtel

Read More

2024-11-15

Critical Vulnerabilities in Palo Alto Networks Software Actively Exploited

Need some ammo against Palo Alto Networks? This article is for you!

CISA has identified two critical vulnerabilities in Palo Alto Networks Expedition software that are currently being exploited in the wild, allowing attackers to execute arbitrary OS commands and access sensitive data. These flaws could lead to severe security breaches, including exposure of usernames, passwords, and firewall configurations. Palo Alto Networks has issued security patches and is actively addressing reports of exploitation, urging users to secure exposed interfaces and prepare for upcoming fixes and threat prevention measures.

Risks: Web App/Website Vulnerability, Sensitive Data, Patch Management

CVEs: CVE-2024-9463; CVE-2024-9465

Keywords: Palo Alto Networks, Expedition, Vulnerabilities, CVE-2024-9463, CVE-2024-9465, Command Injection, SQL Injection

Affected: Palo Alto Networks Expedition, PAN-OS firewalls

Read More

2024-11-15

WordPress Plugin Vulnerability Exposes Millions to Security Risks

Learn about the crucial role of regular updates and security practices in preventing WordPress plugin vulnerabilities.

A critical vulnerability in the popular WordPress plugin, Really Simple Security, has exposed over 4 million websites to potential hacking. The flaw, affecting versions 9.0.0 through 9.1.1.1, allows attackers to bypass authentication and gain full administrative access, posing a risk of complete site compromise. The vulnerability was discovered on November 6, 2024, and patches were released by the developer by November 14. Website owners are urged to ensure their installations are updated to version 9.1.2 or newer to mitigate the risk. This incident highlights the importance of maintaining updated plugins and vigilant security practices in the WordPress environment.

Risks: Patch Management, Web App/Website Vulnerability, Open Source, Weak or Compromised Credentials

CVEs: CVE-2024-10924

Keywords: WordPress, Really Simple Security, Plugin Vulnerability, Authentication Bypass, CVE-2024-10924

Affected: WordPress, Really Simple Security plugin

Read More

2024-11-15

SHJCoop Data Breach Exposes User Information

Learn about the critical need for robust security measures in e-commerce platforms to protect against data breaches and identity theft risks.

A data breach at SHJCoop, a UAE-based cooperative platform, has exposed sensitive user information, including personal and potentially financial details. This incident highlights the security vulnerabilities of e-commerce platforms and the risks users face, such as identity theft and fraud. The leaked data has reportedly been uploaded to dark web forums, prompting calls for enhanced security measures like stronger encryption and regular audits to prevent future breaches.

Risks: Sensitive Data, Web App/Website Vulnerability

CVEs: N/A

Keywords: SHJCoop, data breach, user data exposure, e-commerce security, identity theft risk

Affected: SHJCoop

Read More

2024-11-15

Fortinet Fixes Privilege Escalation Vulnerability in VPN Software

Need some ammo against Fortinet? This article highlights vulnerabilities in their VPN software that could be critical for prospects considering robust security solutions.

Fortinet has released an update to fix a vulnerability in its VPN application that could allow unauthorized users or malware to gain elevated privileges by altering SYSTEM-level registry keys. Although this flaw has not yet been actively exploited, users are advised to update to the latest version, FortiClient 7.4.1, which addresses these security issues.

Risks: Privilege Escalation, Patch Management

CVEs: CVE-2024-50564

Keywords: Fortinet, VPN vulnerability, Privilege escalation, FortiClient, CVE-2024-50564

Affected: FortiClient

Read More

2024-11-15

High-Severity Flaw in PostgreSQL Allows Code Execution via Environment Variables

Learn about the importance of patch management and how PostgreSQL vulnerabilities can impact database security.

Researchers have identified a high-severity vulnerability in PostgreSQL that allows unprivileged users to manipulate environment variables, potentially enabling code execution or information disclosure. The flaw is linked to the incorrect control of environment variables in PostgreSQL's PL/Perl, which could lead to severe security issues. Users are urged to apply patches and restrict extensions and permissions to mitigate the risk.

Risks: Open Source, Privilege Escalation, Patch Management

CVEs: CVE-2024-10979

Keywords: PostgreSQL, Vulnerability, Code Execution, Environment Variables, Database Security

Affected: PostgreSQL

Read More

2024-11-14

2024 Verizon Report Highlights Ransomware, Human Error, and Phishing Threats

Want to highlight the growing threat landscape and the importance of comprehensive security solutions? This article provides insights into the rise of ransomware, extortion, and the alarming speed of phishing attacks.

The 2024 Verizon Data Breach Investigations Report reveals that ransomware and extortion techniques constitute a significant portion of data breaches, with a notable increase in pure extortion attacks. The human element remains a major factor in breaches, while third-party and supply chain vulnerabilities have seen a marked rise, largely due to zero-day exploits. Errors in data handling are more prevalent than previously recognized, accounting for 28% of breaches. The report also highlights the alarming speed at which phishing attacks succeed, with users falling for them in less than a minute. Financially motivated attacks continue to rely heavily on ransomware and extortion, with business email compromise also contributing to substantial financial losses.

Risks: Ransomware, Extortion, Human Error, Supply Chain, Third-Party Vendor/SaaS, Weak or Compromised Credentials

CVEs: N/A

Keywords: Ransomware, Extortion, Human Error, Phishing, Data Breach, Verizon Report

Affected: N/A

Read More

2024-11-14

2023's Most Exploited Cyber Vulnerabilities Revealed

Learn about the importance of proactive patch management and secure practices to protect against frequently exploited vulnerabilities.

The 2023 Top Routinely Exploited Vulnerabilities report, coauthored by cybersecurity agencies from multiple countries, outlines the vulnerabilities most frequently exploited by malicious actors, highlighting a rise in zero-day attacks compared to 2022. The report emphasizes the need for secure practices among vendors, developers, and organizations to mitigate these risks. It lists the top 15 exploited vulnerabilities, affecting a range of products from Citrix, Cisco, Fortinet, Atlassian, and others, and stresses the importance of timely patching and robust security measures. Recommendations include adopting secure design principles, implementing centralized patch management, and enhancing access controls to protect against these threats.

Risks: Zero-Day, Privilege Escalation, Web App/Website Vulnerability, Patch Management

CVEs: CVE-2023-3519; CVE-2023-4966; CVE-2023-20198; CVE-2023-20273; CVE-2023-27997; CVE-2023-34362; CVE-2023-22515; CVE-2021-44228; CVE-2023-2868; CVE-2022-47966; CVE-2023-27350; CVE-2020-1472; CVE-2023-42793; CVE-2023-23397; CVE-2023-49103

Keywords: Zero-Day, Exploited Vulnerabilities, Patch Management, Citrix, Cisco, Fortinet, Log4Shell, Cyber Threats

Affected: Citrix NetScaler ADC, NetScaler Gateway, Cisco IOS XE Web UI, Fortinet FortiOS, FortiProxy SSL-VPN, Progress MOVEit Transfer, Atlassian Confluence Data Center, Atlassian Confluence Server, Apache Log4j, Barracuda Networks Email Security Gateway, Zoho ManageEngine, PaperCut MF, PaperCut NG, Microsoft Netlogon, JetBrains TeamCity, Microsoft Office Outlook, ownCloud graphapi

Read More

2024-11-14

Google Patches Vertex AI Vulnerabilities Exposing Enterprise Models

Need some ammo against Google Cloud? Have a customer or prospect that uses Google Cloud? This article is for you!

Google recently addressed two significant security vulnerabilities in its Vertex AI platform, which is used for developing and deploying large language models. These flaws could have allowed attackers to access proprietary enterprise models. The vulnerabilities involved privilege escalation in custom jobs and model exfiltration through malicious models, posing a risk of model-to-model infection. Although the issues have been resolved, they underscore the potential dangers of AI manipulation and the importance of stringent access controls and separation of development and production environments to protect sensitive AI assets.

Risks: Privilege Escalation, Over Permissive Roles, Cloud Service Provider Flaw, Malware

CVEs: N/A

Keywords: Google Cloud, Vertex AI, AI Security, Model Exfiltration, Privilege Escalation

Affected: Google Vertex AI, Google Cloud Platform

Read More

2024-11-13

Microsoft Patches Critical NTLM and Task Scheduler Vulnerabilities

Learn about the critical importance of timely patch management and how vulnerabilities in widely used systems can impact your security posture.

Microsoft's November 2024 Patch Tuesday update addresses 90 security vulnerabilities, including two actively exploited flaws in Windows NT LAN Manager (NTLM) and Task Scheduler. These vulnerabilities, along with others affecting systems such as Azure CycleCloud and .NET, involve remote code execution and privilege escalation risks. Among the vulnerabilities, four are deemed Critical, with 52 allowing remote code execution. Additionally, Microsoft fixed flaws in its Chromium-based Edge browser. The update also highlights a cryptographic protocol issue in Windows Kerberos and a remote code execution flaw in OpenSSL. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the exploited NTLM and Task Scheduler vulnerabilities to its Known Exploited Vulnerabilities catalog.

Risks: Zero-Day, Privilege Escalation, Patch Management, Remote Code Execution

CVEs: CVE-2024-43451; CVE-2024-49039; CVE-2024-21410; CVE-2024-38021; CVE-2024-49019; CVE-2024-43498; CVE-2024-43639; CVE-2024-43602; CVE-2024-5535

Keywords: Microsoft, NTLM vulnerability, Task Scheduler, Patch Tuesday, Remote Code Execution, Privilege Escalation

Affected: Windows NT LAN Manager, Task Scheduler, Azure CycleCloud, .NET, Visual Studio, Windows Kerberos, OpenSSL, Active Directory Certificate Services, Chromium-based Edge

Read More

2024-11-13

Form I-9 Compliance Data Breach Exposes 193,000 Individuals' Information

Want to emphasize the risks and costs of inadequate data protection? Learn from Form I-9 Compliance's massive data breach incident.

Form I-9 Compliance, a company providing employee eligibility verification solutions, experienced a significant data breach initially affecting around 27,000 individuals, which later escalated to over 193,000 people. The breach, detected in April but occurring in February, exposed sensitive information such as names and Social Security numbers. Impacted individuals are being offered free identity theft protection and credit monitoring services as part of the company's response to the incident.

Risks: Sensitive Data, Third-Party Vendor/SaaS

CVEs: N/A

Keywords: Data Breach, Form I-9 Compliance, Identity Theft, Personal Information, Cybersecurity Incident

Affected: Form I-9 Compliance

Read More

2024-11-13

Hot Topic Data Breach Exposes 57 Million Customer Records

Learn about the critical role of multi-factor authentication and proactive security measures in preventing costly data breaches.

In October 2024, fashion retailer Hot Topic experienced a significant data breach impacting approximately 57 million customers. The compromised information included personal details such as names, addresses, phone numbers, birth dates, and partial credit card data. The breach was discovered when a threat actor claimed to have hacked Hot Topic and related brands, attempting to sell the stolen data and extort the company. The breach likely stemmed from password-stealing malware and the absence of multi-factor authentication on a Snowflake account. The situation is under investigation, with updates pending.

Risks: Sensitive Data, Malware, Weak or Compromised Credentials, Misconfiguration

CVEs: N/A

Keywords: Hot Topic, Data Breach, Customer Data, Multi-Factor Authentication, Password-Stealing Malware, Snowflake, Personal Information Leak

Affected: Hot Topic, BoxLunch, Torrid, Snowflake

Read More

2024-11-13

SAP Releases Critical Patches for Web Dispatcher and PDCE Vulnerabilities

Learn about the critical importance of timely patch management to protect against severe vulnerabilities and safeguard your clients' SAP environments.

SAP's November 2024 security updates address critical vulnerabilities, including a high-severity cross-site scripting flaw in Web Dispatcher that could lead to remote code execution and full system compromise. The updates also include patches for a missing authorization check in Product Design Cost Estimating, which poses a confidentiality risk, and several medium-severity vulnerabilities in other SAP components. While no active exploitation has been reported, the critical nature of these vulnerabilities highlights the importance of timely patch application to safeguard against potential threats.

Risks: Patch Management, Web App/Website Vulnerability

CVEs: CVE-2024-47590; CVE-2024-39592

Keywords: SAP, Web Dispatcher, PDCE, Vulnerability, XSS, Remote Code Execution, Patch Management

Affected: Web Dispatcher, SAP Product Design Cost Estimating, Host Agent, NetWeaver, Cash Management, Bank Account Management

Read More

2024-11-13

Malicious Python Package Fabrice Steals AWS Credentials from PyPI

Got you some real good FUD: learn about the dangers of supply chain attacks through malicious open source packages.

A malicious Python package named "Fabrice" has been active on the PyPI repository since 2021, exploiting the trust of developers in the legitimate "Fabric" SSH automation library by typosquatting. With over 37,000 downloads, "Fabrice" has been used to exfiltrate AWS credentials, creating backdoors and executing platform-specific scripts. The attack employs obfuscated URLs, encoded payloads, and a VPN-based proxy server for covert data exfiltration, reflecting a strategic approach typical of advanced threat actors. This long-term presence highlights a trend where attackers prioritize persistent access and gradual collection of valuable data, particularly targeting AWS credentials due to their critical role in cloud infrastructures. The exploitation of non-human identities (NHIs) is also a significant concern, as it can take up to a year for companies to identify and mitigate compromised identities. This underscores the need for rapid detection and response to abnormal behaviors related to NHIs to prevent further credential theft.

Risks: Sensitive Data, Supply Chain, Open Source, Weak or Compromised Credentials

CVEs: N/A

Keywords: PyPI, AWS credentials, supply chain attack, Fabric library, typosquatting

Affected: PyPI, AWS, Fabric, SSH

Read More

2024-11-13

Amazon Employee Data Exposed in MOVEit Hack

Need some ammo against Amazon AWS? Have a customer or prospect that uses AWS? This article is for you!

Amazon has confirmed that some of its employee data was compromised due to a MOVEit hack that exploited a vulnerability in Progress Software's file transfer software, impacting nearly 2,800 organizations. The breach, primarily attributed to the Cl0p ransomware group, involved a third-party property management vendor, not Amazon or AWS systems directly. Exposed data includes work contact information such as emails and phone numbers, but no sensitive personal data like Social Security or financial information was affected. The hacker claims to possess a database with around 2.8 million entries, although the exact number of affected employees is unknown.

Risks: Zero-Day, Sensitive Data, Supply Chain, Third-Party Vendor/SaaS

CVEs: N/A

Keywords: Amazon, MOVEit, Data Breach, Cl0p Ransomware, Third-Party Vendor

Affected: Amazon, MOVEit, Progress Software

Read More

2024-11-13

GitLoker Introduces Goissue Tool Targeting GitHub Developers and Supply Chains

Got you some real good FUD: learn about the dangers of supply chain attacks and how automated tools like Goissue can threaten corporate networks.

Cybercriminals from the Gitloker group have introduced a phishing tool called Goissue, designed to target GitHub developers and corporate supply chains. This tool automates the extraction of email addresses from GitHub repositories and facilitates large-scale phishing campaigns that can lead to source code theft, supply chain attacks, and breaches of corporate networks. Key features of Goissue include customizable email templates and token management, with the ability to target entire organizations. Experts warn of the growing threat as attackers use such sophisticated tools to compromise developer credentials and gain unauthorized access to private repositories.

Risks: Git/Repo Breach, Supply Chain, Weak or Compromised Credentials

CVEs:

Keywords: GitLoker, Goissue, GitHub, Phishing Tool, Supply Chain Attack, Developer Security

Affected: GitHub, Corporate Supply Chains

Read More

2024-11-13

Ahold Delhaize Faces Cybersecurity Incident Affecting US Brands

Learn how a major food retailer's cybersecurity incident highlights the importance of proactive threat mitigation and detection strategies in protecting retail networks.

Ahold Delhaize, a major global food retailer, has experienced a cybersecurity incident affecting its US network, impacting brands like Giant Food and Hannaford, with the latter's ecommerce portal being offline due to server issues. The company has implemented mitigation measures and launched an investigation, involving law enforcement, although details about the incident type or potential data compromise remain undisclosed. This response suggests the possibility of a ransomware attack.

Risks: Ransomware, Other: Network Incident

CVEs:

Keywords: Ahold Delhaize, Giant Food, Hannaford, Ransomware, Retail Cybersecurity, US Network Incident

Affected: Giant Food, Hannaford, Ahold Delhaize, Food Lion, Stop & Shop, The Giant Company

Read More

2024-11-13

OvrC Platform Vulnerabilities Expose IoT Devices to Remote Code Execution

Learn about the critical importance of securing cloud-managed IoT devices and how vulnerabilities can expose vast networks to remote attacks.

A recent security analysis of the OvrC cloud platform, used for managing IoT devices, revealed ten vulnerabilities that could allow attackers to execute code remotely on connected devices. These vulnerabilities affect over 500,000 installations of OvrC solutions and could be exploited to impersonate devices, execute arbitrary code, and access sensitive information. Snap One, the company behind OvrC, has addressed these issues with patches released in May 2023 and November 2024. The vulnerabilities underscore the importance of enhancing the security of cloud-managed IoT devices to prevent unauthorized access and potential exploitation.

Risks: Patch Management, Privilege Escalation, Web App/Website Vulnerability

CVEs: CVE-2023-28649; CVE-2023-31241; CVE-2023-28386; CVE-2024-50381; CVE-2024-3184; CVE-2024-3186; CVE-2024-3187

Keywords: IoT vulnerabilities, OvrC platform, remote code execution, Snap One, device security

Affected: Snap One, OvrC Platform, EmbedThis GoAhead, Johnson Controls' exacqVision Web Service

Read More

2024-11-12

Forth Data Breach Exposes Personal Information of 1.5 Million Individuals

Learn about the critical importance of data protection and the potential business relationships at risk due to data breaches.

Debt relief provider Forth disclosed a data breach affecting 1.5 million individuals, compromising sensitive personal information such as names, addresses, dates of birth, and Social Security numbers. The breach, which occurred in May 2024, was identified by July 1, and notifications were sent to affected parties starting November 8. The breach also impacts individuals who were not direct customers of Forth but used Centrex Software, a platform enabling data sharing between businesses.

Risks: Sensitive Data, Third-Party Vendor/SaaS

CVEs:

Keywords: Data Breach, Forth, Personal Information, Centrex Software, Identity Theft

Affected: Forth, Centrex Software

Read More

2024-11-12

New Vulnerabilities in Citrix Virtual Apps Allow Remote Code Execution

Learn about the critical importance of secure configuration and patch management to prevent vulnerabilities in enterprise applications.

Researchers have identified security vulnerabilities in Citrix Virtual Apps and Desktop, specifically within the Session Recording component, which could allow unauthenticated remote code execution. These flaws stem from the use of an exposed MSMQ instance and misconfigured permissions that enable exploitation through BinaryFormatter deserialization via HTTP. While these vulnerabilities could lead to privilege escalation and limited remote code execution, successful exploitation requires the attacker to be an authenticated user within the same Active Directory domain and intranet as the session recording server. The core issue lies in the excessive privileges of the MSMQ instance and the insecure deserialization process, highlighting Microsoft's recommendation to avoid using BinaryFormatter with untrusted data.

Risks: Misconfiguration, Over Permissive Roles, Privilege Escalation

CVEs: CVE-2024-8068; CVE-2024-8069

Keywords: Citrix, Remote Code Execution, CVE-2024-8068, CVE-2024-8069, Session Recording, MSMQ, BinaryFormatter

Affected: Citrix Virtual Apps and Desktop, Microsoft Message Queuing, Windows Active Directory

Read More

2024-11-12

Tewkesbury Borough Council Faces Backlog After Cyber Attack

Learn about the operational impacts of a cyber attack on local government services and the importance of robust cybersecurity measures to prevent service disruptions.

Tewkesbury Borough Council experienced a cyber attack that led to the temporary shutdown of all online services, necessitating the redeployment of staff to ensure continued access to services for vulnerable individuals. Although the council has resolved the issue with no data loss, they are now facing a significant backlog of work. The downtime resulted in an increase in planning application backlogs, rising from 238 to 390 by the end of October, highlighting the operational challenges posed by the cyber incident.

Risks: Other: Service Disruption

CVEs:

Keywords: Tewkesbury Borough Council, Cyber Attack, Service Disruption, Local Government, Operational Backlog

Affected: Tewkesbury Borough Council

Read More

2024-11-12

Unpatched Vulnerabilities in Mazda Infotainment Systems Allow Code Execution

Learn about the critical importance of securing IoT and automotive systems to prevent potential vulnerabilities from compromising vehicle safety and operations.

Vulnerabilities in the infotainment system of several Mazda car models, particularly affecting the Mazda Connect Connectivity Master Unit (CMU), allow attackers to execute arbitrary code with root privileges by exploiting improper input sanitization. These flaws enable a physically present attacker to use a specially crafted USB device to compromise the system, potentially gaining full control over the vehicle's networks and affecting its operation and safety. The vulnerabilities impact Mazda models from 2014 to 2021 and remain unpatched by the manufacturer, posing significant security risks. Exploitation could lead to persistent system compromise, data manipulation, and potential harm to connected devices.

Risks: Privilege Escalation, Patch Management, Other: Input Sanitization Flaw

CVEs: CVE-2024-8355; CVE-2024-8359; CVE-2024-8360; CVE-2024-8358; CVE-2024-8356

Keywords: Mazda, Infotainment System, Vulnerability, Code Execution, Automotive Security, USB Exploit

Affected: Mazda, Visteon, Johnson Controls, Mazda Connect Connectivity Master Unit (CMU)

Read More

2024-11-12

Veeam Releases Patch for High-Severity Vulnerability in Backup Enterprise Manager

Learn about the critical importance of patch management to prevent exploitation and ensure your cloud security offerings are up-to-date.

Veeam has issued patches for a high-severity vulnerability in its Backup Enterprise Manager that can be remotely exploited without authentication via a man-in-the-middle attack. A hotfix is available for users of version 12.2.0.334, or they can upgrade using the latest ISOs. While there is no current evidence of this vulnerability being actively exploited, Veeam advises immediate application of the patch due to previous instances where patched vulnerabilities were later targeted by threat actors, as seen with a recently exploited critical flaw in the same product line.

Risks: Patch Management, Man-in-the-Middle Attack

CVEs: CVE-2024-40715; CVE-2024-40711

Keywords: Veeam, Backup Enterprise Manager, CVE-2024-40715, Patch Management, Man-in-the-Middle Attack

Affected: Veeam, Backup Enterprise Manager, Veeam Backup & Replication

Read More

2024-11-12

Thompson Coburn Data Breach Exposes Over 300,000 Presbyterian Healthcare Patients' Information

Learn about the crucial importance of securing third-party partnerships and protecting sensitive healthcare data to avoid costly breaches.

A data breach at law firm Thompson Coburn led to the exposure of sensitive information of over 300,000 patients from Presbyterian Healthcare Services. The breach, detected on May 29, involved unauthorized access to files containing protected health information, including personal identifiers, medical and insurance details. No ransomware group has claimed responsibility, and the law firm has not disclosed further details about the attack.

Risks: Sensitive Data, Third-Party Vendor/SaaS

CVEs:

Keywords: Data Breach, Healthcare, Thompson Coburn, Presbyterian Healthcare, PHI Exposure, Law Firm Breach

Affected: Presbyterian Healthcare Services, Thompson Coburn

Read More

2024-11-11

Palo Alto Networks Warns of Potential RCE Vulnerability in PAN-OS

Need some ammo against Palo Alto Networks? This article highlights potential vulnerabilities in their systems.

Palo Alto Networks has issued a notice urging users to secure the PAN-OS management interface due to concerns about a potential remote code execution vulnerability. Although specific details of the vulnerability are not yet known, the company advises customers to configure the management interface according to best practices, ensuring access is restricted to trusted internal IPs to minimize risk. Key recommendations include isolating the interface on a dedicated VLAN, using jump servers for access, limiting inbound IP addresses to approved devices, and permitting only secure communication protocols like SSH and HTTPS.

Risks: Misconfiguration, Inadequate Network Segmentation

CVEs:

Keywords: Palo Alto Networks, PAN-OS, Remote Code Execution, Vulnerability, Network Security

Affected: Palo Alto Networks, PAN-OS, SSH, HTTPS

Read More

2024-11-10

Critical Vulnerabilities Found in Azure AI Content Safety

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure's AI services? This article is for you!

Mindgard researchers discovered critical vulnerabilities in Microsoft's Azure AI Content Safety service, which allowed attackers to bypass security measures and deliver harmful AI-generated content. The vulnerabilities were found in the AI Text Moderation and Prompt Shield guardrails, enabling attackers to use character injection and adversarial machine learning techniques to mislead the model and compromise sensitive data. These flaws significantly reduced the effectiveness of content moderation, posing risks of inappropriate content generation and ethical violations. Organizations are advised to apply security patches and enhance protective measures to safeguard AI applications from such threats.

Risks: Cloud Service Provider Flaw, Other: Injection

CVEs:

Keywords: Azure AI, Microsoft Vulnerability, AI Content Safety, Character Injection, Adversarial Machine Learning

Affected: Microsoft Azure

Read More

2024-11-10

New Ransomware Tactics Exploit AWS KMS External Key Store

Need some ammo against AWS? Have a customer or prospect that uses AWS? This article is for you!

Recently, a new method for executing ransomware attacks on AWS accounts was discovered, leveraging the AWS Key Management Service (KMS) and its eXternal Key Store (XKS) feature. This feature, introduced in late 2022, allows encryption using external keys stored in on-premises Hardware Security Modules (HSMs). Attackers can exploit this by creating external key stores, gaining control over cryptographic processes, and encrypting data in AWS services like S3 and EC2. However, AWS provides mechanisms to mitigate such attacks, emphasizing that the security of key material lies with HSM owners. Organizations can implement Service Control Policies to restrict certain API calls and prevent unauthorized key store creation.

Risks: Privilege Escalation, Cloud Service Provider Flaw

CVEs:

Keywords: AWS, Ransomware, Key Management Service, External Key Store, Encryption, HSM

Affected: AWS

Read More

2024-11-10

Vulnerability in AWS CDK Allows Potential Account Takeover

Need some ammo against AWS? Have a customer or prospect using AWS? This article is for you!

In June 2024, a vulnerability in the AWS Cloud Development Kit (CDK) was identified, which could allow attackers to gain administrative access to AWS accounts through predictable S3 bucket names. AWS addressed the issue by updating CDK to version v2.149.0, requiring users to upgrade and re-run the `cdk bootstrap` command to secure their environments. The vulnerability affects about 1% of CDK users, and AWS has taken steps to mitigate the risk by ensuring assets are only uploaded to buckets within the user's account. Users are advised to treat AWS Account IDs as sensitive and use unique naming strategies for S3 buckets.

Risks: Misconfiguration, Shadow IT/Exposed Assets, Supply Chain, Cloud Service Provider Flaw

CVEs:

Keywords: AWS CDK, Account Takeover, Cloud Security, S3 Bucket Vulnerability, Infrastructure as Code

Affected: AWS Cloud Development Kit

Read More

2024-11-09

Critical Vulnerability in Cisco's Industrial Wireless Systems Exposes Admin Access

Need some ammo against Cisco? This article highlights a critical vulnerability in their industrial wireless systems, emphasizing the importance of robust security solutions.

Cisco has issued a critical alert about a severe vulnerability in its Ultra-Reliable Wireless Backhaul systems, potentially allowing remote attackers to gain unauthorized admin-level access. This flaw affects several Catalyst access points and wireless clients used in industrial settings, with a maximum severity rating due to the ease of exploitation and significant impact. Cisco urges users to apply an emergency patch immediately, as no workarounds are available. Fortunately, there have been no reports of the vulnerability being exploited yet, highlighting the importance of strong cybersecurity practices in critical infrastructure environments.

Risks: Privilege Escalation, Web App/Website Vulnerability, Patch Management

CVEs: CVE-2024-20418

Keywords: Cisco, CVE-2024-20418, Industrial Wireless, Admin Access, Vulnerability

Affected: Cisco, Unified Industrial Wireless Software, Catalyst IW9165D Heavy Duty Access Points, Catalyst IW9165E Rugged Access Points and Wireless Clients, Catalyst IW9167E Heavy Duty Access Points

Read More

2024-11-09

Malicious npm Packages Target Roblox Users with Stealer Malware

Got you some real good FUD: learn about the dangers of supply chain attacks in open-source ecosystems.

A recent attack on the npm package repository introduced malicious JavaScript libraries targeting Roblox users with stealer malware, specifically Skuld and Blank-Grabber. The attack involved deceptive packages masquerading as legitimate ones, such as `node-dlls` and `rolimons-api`, to download and execute malware that exfiltrates data through Discord and Telegram. The threat actor utilized GitHub to host these malicious binaries. The surge in Roblox's popularity has made it a target for such attacks, emphasizing the need for developers to verify package authenticity and maintain robust security practices to mitigate supply chain threats.

Risks: Malware, Supply Chain, Open Source, Git/Repo Breach

CVEs:

Keywords: Roblox, npm, supply chain attack, stealer malware, Skuld, Blank-Grabber

Affected: Roblox, npm

Read More

2024-11-08

Critical Vulnerabilities Found in Palo Alto Networks Expedition and CyberPanel

Need some ammo against Palo Alto Networks and insights into critical vulnerabilities? This article is for you!

CISA has added two critical security vulnerabilities to its Known Exploited Vulnerabilities catalog, highlighting their active exploitation. The first flaw, affecting Palo Alto Networks Expedition, allows unauthorized access to admin accounts and impacts all versions prior to 1.2.92, which was patched in July 2024. The second, a more severe vulnerability in CyberPanel, enables remote attackers to execute commands as root and has been exploited to spread ransomware across thousands of systems.

Risks: Patch Management, Web App/Website Vulnerability, Malware, Privilege Escalation, Weak or Compromised Credentials

CVEs: CVE-2024-5910; CVE-2024-51567

Keywords: Palo Alto Networks, Expedition, CyberPanel, CVE-2024-5910, CVE-2024-51567, Ransomware, Vulnerability Exploitation

Affected: Palo Alto Networks Expedition, CyberPanel

Read More

2024-11-08

HPE Releases Critical Updates for Aruba Access Points Due to Severe Vulnerabilities

Learn about the critical need for timely patch management to protect against severe vulnerabilities in network devices.

Hewlett Packard Enterprise has released critical updates for its Instant AOS-8 and AOS-10 software to address severe vulnerabilities in Aruba Networking Access Points. These vulnerabilities could allow remote attackers to execute unauthorized command injections. The update also fixes additional security issues that could enable remote command execution and unauthorized file access. Affected software versions include AOS-10.4.x.x and Instant AOS-8.x.x, with recommendations to update to newer versions to mitigate risks. Workarounds involve restricting access to certain ports and interfaces. No active exploitation has been reported, but timely updates are advised to maintain security.

Risks: Patch Management, Other: Command Injection

CVEs: CVE-2024-42509; CVE-2024-47460; CVE-2024-47461; CVE-2024-47462; CVE-2024-47463; CVE-2024-47464

Keywords: HPE, Aruba, Access Points, Vulnerabilities, Security Updates, Command Injection

Affected: Hewlett Packard Enterprise, Aruba Networking Access Points

Read More

2024-11-07

Ariel University Data Breach Exposes 30,000 Records

Learn about the growing threat landscape in educational institutions and the vital need for robust data protection strategies.

Hackers have allegedly breached Ariel University, exposing the personal data of 30,000 students and applicants, with an additional 180,000 records purportedly for sale on the dark web. This incident highlights the increasing trend of cybercriminals targeting educational institutions, which hold vast amounts of sensitive data. The breach underscores the vulnerabilities in data security within higher education, particularly as universities often depend on third-party vendors for data management, thereby amplifying their risk of exposure. Such breaches not only compromise personal information but also harm the reputations of the affected institutions.

Risks: Sensitive Data, Third-Party Vendor/SaaS

CVEs:

Keywords: Data Breach, Ariel University, Educational Institutions, Cyberattack, Dark Web

Affected: Ariel University

Read More

2024-11-07

Critical Vulnerability in Cisco Wireless Access Points Allows Root Command Execution

Need some ammo against Cisco? This article highlights their vulnerabilities, offering insights into their security challenges.

Cisco has addressed a critical vulnerability in its Ultra-Reliable Wireless Backhaul access points, which could allow attackers to execute commands with root privileges. This flaw, found in the web-based management interface of Cisco's Unified Industrial Wireless Software, can be exploited through low-complexity attacks without requiring user interaction. The vulnerability affects several Catalyst access points and is due to improper input validation. Cisco has also recently fixed other security issues, including a denial-of-service flaw and another command injection vulnerability, highlighting the ongoing need for vigilance against OS command injection threats.

Risks: Privilege Escalation, Web App/Website Vulnerability

CVEs: CVE-2024-20418; CVE-2024-20399; CVE-2024-3400; CVE-2024-21887

Keywords: Cisco, Vulnerability, Root Access, Wireless Access Points, Command Injection, CVE-2024-20418

Affected: Cisco, Ultra-Reliable Wireless Backhaul access points, Unified Industrial Wireless Software, Catalyst IW9165D Heavy Duty Access Points, Catalyst IW9165E Rugged Access Points and Wireless Clients, Catalyst IW9167E Heavy Duty Access Points, Cisco ASA, Firepower Threat Defense (FTD) software

Read More

2024-11-07

VEILDrive Attack Exploits Microsoft Services to Distribute Malware

Need some FUD? Learn how attackers are exploiting trusted Microsoft services to bypass conventional defenses and infiltrate critical infrastructures.

The VEILDrive attack leverages legitimate Microsoft services such as Teams, SharePoint, Quick Assist, and OneDrive to evade detection and distribute malware. Discovered in September 2024, the campaign targets critical infrastructure by exploiting trusted infrastructures of compromised organizations for spear-phishing and malware storage. The attackers impersonate IT staff to gain remote access, using pre-existing user accounts and SharePoint links to disseminate malware-laden ZIP files. The Java-based malware connects to a OneDrive account for command-and-control operations, employing PowerShell and Azure virtual machines for further execution. This approach complicates detection and bypasses conventional defenses due to its reliance on familiar SaaS platforms.

Risks: Malware, Third-Party Vendor/SaaS, Weak or Compromised Credentials

CVEs:

Keywords: VEILDrive, Microsoft Teams, SharePoint, OneDrive, Spear-Phishing, Quick Assist, Cloud Exploitation

Affected: Microsoft Teams, Microsoft SharePoint, Microsoft Quick Assist, Microsoft OneDrive, Java, Microsoft Graph API, Azure virtual machine, OneDrive account

Read More

2024-11-07

Microlise Data Breach Disrupts DHL and Serco Services

Discover the critical need for robust supply chain cybersecurity as major companies face disruptions and financial impacts due to breaches.

Microlise, a telematics technology company, experienced a data breach impacting employee data, but not customer data, leading to a 16% drop in its share price. The breach, disclosed on October 31, 2024, affected major clients like DHL and Serco, disrupting services such as delivery tracking and security systems. Although no specific cybercrime group has been identified, experts suggest it resembles a ransomware attack, highlighting the risks in supply chain security. Microlise is working with cybersecurity experts to mitigate the threat and expects full service resumption soon, while complying with regulatory notification requirements.

Risks: Supply Chain, Ransomware, Third-Party Vendor/SaaS

CVEs:

Keywords: Microlise, Data Breach, Ransomware, Supply Chain Attack, Telematics, DHL, Serco

Affected: Microlise, DHL, Serco, Nisa Group

Read More

2024-11-06

Critical Vulnerabilities Found in Rockwell ThinManager Software

Learn about the critical importance of securing industrial control systems and the potential impact of unpatched vulnerabilities.

Rockwell Automation has disclosed critical vulnerabilities in its FactoryTalk ThinManager software, a vital component in industrial control systems. These vulnerabilities could allow attackers to manipulate databases or cause denial-of-service (DoS) conditions, posing serious risks to industrial environments. Affected ThinManager versions range from 11.2.0 to 14.0.0. Rockwell recommends updating to the latest software versions, hardening network security by limiting communication on specific ports, and implementing robust security practices. The Cybersecurity and Infrastructure Security Agency (CISA) also advises prioritizing updates and securing networks to mitigate potential impacts on critical industrial systems.

Risks: Patch Management, Inadequate Network Segmentation

CVEs: CVE-2024-10386; CVE-2024-10387

Keywords: Rockwell Automation, ThinManager, Industrial Control Systems, Vulnerabilities, Denial-of-Service, Database Manipulation

Affected: FactoryTalk ThinManager, Rockwell Automation

Read More

2024-11-06

Schneider Electric Hit by Ransomware via Atlassian Jira Breach

Learn about the importance of securing project management tools and the potential impacts of neglecting ransomware threats.

Schneider Electric is investigating a ransomware breach where the Hellcat group claims to have stolen over 40 GB of compressed data, including sensitive customer and operational information. The attackers allegedly accessed Schneider's infrastructure through its Atlassian Jira system and demanded a humorous ransom of $125,000 in baguettes. Despite the joke, the breach is serious, with critical data, including projects and user information, compromised. This marks Schneider Electric's third breach in less than two years, following incidents with Cactus ransomware and the CL0P ransomware crew.

Risks: Sensitive Data, Web App/Website Vulnerability

CVEs:

Keywords: Schneider Electric, Ransomware, Hellcat group, Atlassian Jira, Data Breach

Affected: Schneider Electric, Atlassian Jira

Read More

2024-11-06

36 Vulnerabilities Found in IBM Security Verify Access

Learn about the critical security gaps in IBM's authentication systems and discover how CloudGuard can offer superior protection and risk mitigation strategies.

A recent security analysis of IBM Security Verify Access identified 36 vulnerabilities, including remote code execution, authentication bypass, and privilege escalation issues. Attackers could exploit these flaws through man-in-the-middle attacks and by accessing internal networks using IBM’s ISVA appliances and Docker images. Key issues include hardcoded encryption keys, outdated OpenSSL packages, and vulnerable back-end APIs. While most vulnerabilities were addressed in software updates by June 2024, IBM has yet to patch some, advising customers to apply network restrictions and security best practices to mitigate risks. Organizations using ISVA may face threats such as denial-of-service attacks and compromised authentication infrastructure if these vulnerabilities are not properly managed.

Risks: Privilege Escalation, Hardcoded Secrets, API Vulnerability, Patch Management, Supply Chain

CVEs:

Keywords: IBM Security Verify Access, vulnerabilities, remote code execution, authentication bypass, privilege escalation, Docker images

Affected: IBM Security Verify Access

Read More

2024-11-06

Saint Xavier University Data Breach Affects Over 210,000 Individuals

Learn about the crucial role of proactive threat detection and response in preventing data breaches, as demonstrated by the Saint Xavier University incident.

Saint Xavier University experienced a data breach in July 2023, affecting over 210,000 individuals by compromising personal information such as names, Social Security numbers, and financial data. The breach was discovered on July 21, 2023, but unauthorized access occurred weeks earlier. The university's investigation and notification process took considerable time, with formal notifications starting on October 30, 2024. Although the type of attack was not specified by the university, the Alphv/BlackCat ransomware group claimed responsibility for the incident in August 2023.

Risks: Sensitive Data, Ransomware

CVEs:

Keywords: Data Breach, Saint Xavier University, Ransomware, Alphv/BlackCat, Personal Information Compromise

Affected: Saint Xavier University

Read More

2024-11-05

Critical Vulnerabilities Found in Ollama AI Framework

Learn about the critical vulnerabilities in open-source AI frameworks and how CloudGuard can help secure your deployments from similar threats.

Researchers have uncovered six critical vulnerabilities in the Ollama AI framework, which could be exploited to perform denial-of-service attacks, model theft, and poisoning. These flaws, found in an open-source application used to deploy large language models on various operating systems, could allow attackers to execute malicious actions with a single HTTP request. Despite fixes being released for some vulnerabilities, the exposure of Ollama's endpoints to the internet remains a significant risk, with over 9,800 instances globally, many of which are vulnerable. Users are advised to restrict endpoint access to mitigate potential exploits.

Risks: API Vulnerability, Open Source, Shadow IT/Exposed Assets

CVEs: CVE-2024-39719; CVE-2024-39720; CVE-2024-39721; CVE-2024-39722

Keywords: Ollama, AI Framework, Denial-of-Service, Model Theft, Vulnerabilities

Affected: Ollama AI framework

Read More

2024-11-05

Telecom Companies in East Asia Targeted by Hackers Selling Network Access

New opportunity - telecom companies in China and Taiwan are under threat. Time to get out your rolodex.

Hackers are reportedly selling root access to a telecom company in China or Taiwan for $4,000, posing significant threats to corporate data and customer privacy. Such access could lead to data breaches, service disruptions, and potential espionage, especially amid geopolitical tensions in East Asia. This incident underscores the increasing trend of cyberattacks on telecommunications companies globally, including recent targets like U.S. firms AT&T and Verizon. Experts recommend enhanced cybersecurity measures and regular audits to mitigate these risks.

Risks: Sensitive Data, Privilege Escalation, Weak or Compromised Credentials

CVEs:

Keywords: Telecom Security, Hacker Access Sale, East Asia Cyber Threats, Network Infrastructure Risk, China Taiwan Cybersecurity

Affected: telecom company in China, telecom company in Taiwan, Chunghwa Telecom, AT&T, Verizon

Read More

2024-11-05

Nokia's Data Compromised via Third-Party Vendor Breach

Discover the critical role of securing third-party vendors and the risks of default credentials to prevent data breaches.

Nokia is currently investigating a security breach after a hacker, known as IntelBroker, claimed to have accessed and stolen source code from a third-party contractor associated with Nokia. The hacker is reportedly selling this data, which includes sensitive information such as SSH keys, RSA keys, BitBucket logins, and other credentials. The breach allegedly occurred through a SonarQube server that was accessed using default credentials, enabling the download of various Python projects, including those related to Nokia.

Risks: Sensitive Data, Misconfiguration, Hardcoded Secrets, Third-Party Vendor/SaaS, Weak or Compromised Credentials

CVEs:

Keywords: Nokia, Data Breach, Third-Party Vendor, IntelBroker, SonarQube, Default Credentials

Affected: Nokia, SonarQube, BitBucket, SMTP, SSH, RSA

Read More

2024-11-04

Backdoor Malware Targets Sophos and Fortinet Devices

Need some ammo against Sophos and Fortinet? This article is for you!

The UK's National Cyber Security Centre has identified a sophisticated backdoor, named Pygmy Goat, on hacked Sophos XG firewall devices, which is capable of targeting a broader range of Linux-based network devices. This malware disguises malicious traffic as legitimate SSH connections and uses encrypted ICMP packets for covert communication. Its clean and extensible code suggests skilled development, possibly initially targeting Fortinet devices before adapting to Sophos. Pygmy Goat's versatile communication methods and remote shells indicate it wasn't designed for a specific device. Sophos has reported multiple attack campaigns, including a breach at its Cyberoam office in India, where attackers used overlooked display units to gain access and deploy persistent payloads.

Risks: Malware, Patch Management, Inadequate Network Segmentation

CVEs:

Keywords: Sophos, Fortinet, Pygmy Goat, Firewall Breach, Linux Malware

Affected: Sophos, Fortinet, Linux-based network devices, Sophos XG firewall devices, FortiGate devices, Cyberoam

Read More

2024-11-04

New Interlock Ransomware Targets FreeBSD and Windows Servers

Discover the latest ransomware threat targeting critical server infrastructure and learn how to protect your clients' environments from sophisticated double-extortion tactics.

Interlock is a new ransomware operation that targets both FreeBSD servers and Windows systems; FreeBSD is an unusual target, as few ransomware families support it. The operation involves breaching corporate networks, stealing data, and encrypting files to demand ransoms. The ransomware appends a .interlock extension to encrypted files and drops ransom notes. Victims are coerced into paying hefty ransoms through threats of public data leaks in a double-extortion scheme, with demands scaling from hundreds of thousands to millions of dollars based on the organization's size.

Risks: Malware, Sensitive Data, Other: Ransomware

CVEs:

Keywords: Interlock, Ransomware, FreeBSD, Windows, Double-Extortion, Data Leak

Affected: FreeBSD, Windows

Read More

2024-11-04

Critical Vulnerability in Synology NAS Devices Allows Unauthorized Access

Learn about the critical importance of securing network-attached storage devices and ensuring timely patch management to prevent data breaches and ransomware attacks.

A critical zero-click vulnerability in the SynologyPhotos app, pre-installed on Synology network-attached storage (NAS) devices, allows attackers to gain unauthorized access and potentially steal data, install ransomware, or plant backdoors. The flaw does not require authentication, making it exploitable directly over the internet, and grants root access for executing malicious code. This vulnerability is particularly concerning as Synology NAS systems are high-value targets due to their large data storage capabilities, often connected directly to the internet. Synology released patches to address the issue, but the lack of automatic updates means many users might remain unaware or unprotected. The vulnerability could also enable attackers to use compromised devices as part of a botnet, further amplifying security risks.

Risks: Zero-Day, Sensitive Data, Patch Management, Web App/Website Vulnerability

CVEs:

Keywords: Synology, NAS Vulnerability, Zero-Click Exploit, Ransomware Risk, Network Storage Security

Affected: Synology, SynologyPhotos, BeeStation, DiskStation, Synology NAS devices

Read More

2024-11-03

Exploitation of Microsoft SharePoint Vulnerability CVE-2024-38094

Learn about the critical importance of patch management to prevent unauthorized access and protect your network from exploitation.

Microsoft SharePoint has a critical remote code execution vulnerability that attackers are exploiting to gain unauthorized access to corporate networks. This flaw allows attackers to move laterally across the network, compromising entire domains by leveraging a Microsoft Exchange service account with elevated privileges. They disable security defenses and install malicious tools to maintain persistence and extract credentials while evading detection. Although Microsoft fixed the issue in July 2024, ongoing exploits highlight the urgency for administrators to apply updates promptly to protect against these attacks.

Risks: Patch Management, Privilege Escalation, Weak or Compromised Credentials, Web App/Website Vulnerability

CVEs: CVE-2024-38094

Keywords: SharePoint, CVE-2024-38094, Remote Code Execution, Microsoft Exchange, Network Exploitation

Affected: Microsoft SharePoint, Microsoft Exchange, Windows Defender, Active Directory

Read More

2024-11-01

High-Severity Vulnerability Found in LiteSpeed Cache Plugin for WordPress

Discover the critical importance of securing WordPress environments and how vulnerabilities in popular plugins can be leveraged by attackers, highlighting opportunities for proactive cybersecurity solutions.

A newly disclosed high-severity security flaw in the LiteSpeed Cache plugin for WordPress poses a significant risk, potentially allowing unauthenticated users to gain administrator access and perform malicious actions. This vulnerability is due to a weak security hash check that can be brute-forced, exploiting the plugin's role simulation feature. While a patch has been released to address the issue by enhancing hash security, the flaw adds to a series of vulnerabilities recently identified in LiteSpeed, highlighting ongoing security challenges for popular WordPress plugins.

Risks: Privilege Escalation, Web App/Website Vulnerability, Patch Management

CVEs: CVE-2024-50550; CVE-2024-28000; CVE-2024-44000; CVE-2024-47374

Keywords: WordPress, LiteSpeed Cache, CVE-2024-50550, Plugin Vulnerability, Privilege Escalation

Affected: WordPress, LiteSpeed Cache

Read More

2024-11-01

Supply Chain Attack Compromises LottieFiles' npm Package

Got you some real good FUD, learn about the dangers of supply chain attacks.

LottieFiles has issued a warning about a compromised version of their "lottie-player" npm package, which was part of a supply chain attack. The attack involved unauthorized versions of the package containing malicious code aimed at draining users' cryptocurrency wallets. LottieFiles responded by releasing an updated version of the library and removing the rogue versions from the npm repository. The incident does not affect their dotlottie player or SaaS services.

Risks: Supply Chain, Open Source, Malware, Third-Party Vendor/SaaS

CVEs:

Keywords: Supply Chain Attack, LottieFiles, npm Package, Cryptocurrency Wallet, Malicious Code

Affected: LottieFiles, npm

Read More

2024-10-31

Midnight Blizzard Targets Organizations with Signed RDP Files

Need some FUD to demonstrate the vulnerabilities of remote access and spear-phishing tactics? Learn how sophisticated threat actors are exploiting signed RDP files.

Midnight Blizzard, a Russian-linked threat group, has launched a large-scale spear-phishing campaign targeting over 100 organizations globally, including the governmental, educational, and defense sectors. Since October 22, the group has been attaching digitally signed Remote Desktop Protocol (RDP) configuration files to its phishing emails. When opened, these files connect the victim's machine to attacker-controlled servers and allow the harvesting of user credentials and system information. Targets include organizations in the UK, Europe, Australia, and Japan. The use of signed RDP files, which can bypass traditional security controls, marks a new tactic for the group, enabling them to install malware and maintain persistent access to compromised systems.
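How such an attachment can be vetted before a user double-clicks it, as an added example (this is not code from the page, from Microsoft or from the NCSC): the script parses the plain-text .rdp format, checks the target host against a list of domains the organisation actually operates, and flags resource redirection and disabled server authentication. The sample file and the trusted-domain list are constructed for this example, and which settings count as risky is this example's own judgement, not a list taken from the campaign report.

```python
"""Vet a Remote Desktop (.rdp) file before a user opens it.

Added example for the Midnight Blizzard entry; not code from the page,
from Microsoft or from the NCSC. SAMPLE_RDP and TRUSTED_SUFFIXES are
constructed for this example. Which settings count as risky is this
example's own judgement: a file that redirects local drives, clipboard
or smart cards to a host the organisation does not operate hands that
host the user's local resources once the session is established.
"""
from __future__ import annotations

import re

# An .rdp file is plain text: one "name:type:value" line per setting,
# where type is i (integer), s (string) or b (binary blob).
_SETTING = re.compile(r"^(?P<key>[^:]+):(?P<type>[isb]):(?P<value>.*)$")

# Integer settings that, when 1, redirect a local resource to the server.
REDIRECT_FLAGS = {
    "redirectdrives": "local drives",
    "redirectclipboard": "clipboard",
    "redirectsmartcards": "smart cards",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectposdevices": "point-of-sale devices",
}


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {setting name (lower-cased): (type, value)}; lines that do not parse are ignored."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        m = _SETTING.match(raw.strip())
        if m:
            settings[m["key"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def assess_rdp(text: str, trusted_suffixes: tuple[str, ...]) -> list[str]:
    """List the reasons this file should not be opened; an empty list means nothing was flagged."""
    settings = parse_rdp(text)
    findings: list[str] = []

    # 1. Who does the file connect to? "full address" may carry a :port suffix.
    hostname = settings.get("full address", ("s", ""))[1].rsplit(":", 1)[0].lower()
    if not hostname:
        findings.append("no 'full address' setting")
    elif not any(hostname == s or hostname.endswith("." + s) for s in trusted_suffixes):
        findings.append(f"connects to a host outside the trusted domains: {hostname}")

    # 2. Which local resources does it hand to that host?
    for key, label in REDIRECT_FLAGS.items():
        if settings.get(key) == ("i", "1"):
            findings.append(f"redirects {label} to the remote host")
    # "drivestoredirect" is a string listing drives; "*" means all of them.
    drives = settings.get("drivestoredirect", ("s", ""))[1]
    if drives:
        findings.append(f"redirects drives: {drives}")

    # 3. Does it suppress the warning that the server's identity cannot be verified?
    if settings.get("authentication level") == ("i", "0"):
        findings.append("server authentication warnings disabled (authentication level 0)")
    return findings


# Constructed sample in the shape of a phishing attachment: every local
# resource is redirected to a host the organisation does not own.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:support-portal.example-attacker.test:3389
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:0
authentication level:i:0
prompt for credentials:i:1
"""

TRUSTED_SUFFIXES = ("corp.example",)  # constructed: domains of the org's own RDP gateways

if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP, TRUSTED_SUFFIXES):
        print("-", finding)
```

A signature on the file only proves it was not altered after it was signed; it says nothing about whether the server named in it is yours, so a content check like this belongs in mail filtering alongside, or instead of, blocking .rdp attachments outright.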

Risks: Weak or Compromised Credentials, Malware, Supply Chain

CVEs:

Keywords: Midnight Blizzard, Spear Phishing, RDP Files, Cyber Attack, Remote Access, Let's Encrypt

Affected: Microsoft, SolarWinds, HPE, US federal government agencies, Fortinet, Pulse Secure, Citrix, Zimbra

Read More

2024-10-31

Interbank Data Breach Exposes Sensitive Customer Information

Learn about the critical importance of data protection and the risks of non-compliance with security protocols to avoid breaches and extortion attempts.

Interbank, a major financial institution in Peru, has experienced a data breach following a failed extortion attempt by a hacker who leaked stolen data online. The breach affected the bank's systems, leading to temporary disruptions in its mobile app and online services. Although operations are mostly restored, the bank has not specified how many customers were impacted. The hacker claims to have accessed sensitive customer information, including personal details, account information, and credit card data, which is now being sold on hacking forums. Despite negotiations, Interbank chose not to comply with the extortion demands.

Risks: Sensitive Data, Weak or Compromised Credentials

CVEs:

Keywords: Interbank, Data Breach, Extortion, Financial Sector, Customer Data Leak

Affected: Interbank

Read More

2024-10-31

Canada Faces Major Cyber Threats from China and Emerging Concerns from India

Discover opportunities in the Canadian market as cyber threats from state-sponsored actors increase—time to connect with potential clients in government and private sectors.

Canada's Communications Security Establishment (CSE) has identified China as the most aggressive cyber threat to Canada, citing extensive state-backed cyber operations targeting government networks for espionage and intellectual property theft. Over the past five years, at least 20 Canadian government networks have been compromised, and private sector entities are also at risk. The report highlights China's focus on gathering information to support its economic and military interests, with predictions of intensified espionage amid growing tensions. Russia and Iran are also noted as significant threats. Notably, India has emerged as a new concern, with state-sponsored activities likely aimed at espionage, driven by recent diplomatic tensions between Canada and India. Hacktivism further complicates the threat landscape by potentially disrupting critical infrastructure.

Risks: Sensitive Data, State-Sponsored Attacks

CVEs:

Keywords: China cyber threat, Canada espionage, Indian hacktivism, state-sponsored attacks, government network compromise

Affected: Canadian government networks, Canadian government agencies, Canadian government departments, Canadian private sector, Canadian firms, Canadian institutions

Read More

2024-10-31

Hackers Steal 15,000 Cloud Credentials via Exposed Git Files

Need some FUD? Learn how exposed Git configuration files can lead to massive credential theft and understand the critical importance of securing cloud environments.

A cybercriminal operation named EmeraldWhale has exploited exposed Git configuration files to steal over 15,000 cloud account credentials from thousands of private repositories. Using automated tools to scan IP ranges, the attackers accessed authentication tokens to download and analyze repositories from platforms like GitHub, GitLab, and BitBucket. The stolen credentials were then used for phishing, spam campaigns, and sold to other criminals. The breach highlights the risk of storing sensitive information, such as API keys and passwords, in Git configuration files. To prevent such incidents, developers are advised to use secret management tools and environment variables instead of embedding secrets directly into configuration files.
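What the exposed file actually leaks, and how to find it on your own hosts before someone else does, as an added example (not the page's or the researchers' code): a small parser for Git's INI-like config that reports every remote URL carrying a username or password in its userinfo part. The sample config and its tokens are constructed placeholders.

```python
"""Find credentials embedded in the remote URLs of a Git config file.

Added example for the EmeraldWhale entry; not the page's or the
researchers' code. SAMPLE_CONFIG is constructed and its tokens are
placeholders. Git writes remote URLs to .git/config verbatim, so a URL
of the form https://user:secret@host/org/repo.git is a secret on disk,
and a web server that serves the .git directory hands it to anyone who
requests /.git/config, which is what the scanning described above did.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit

_SECTION = re.compile(r'^\[(?P<name>[^\s\]"]+)(?:\s+"(?P<sub>[^"]*)")?\]$')
_KEYVAL = re.compile(r'^(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<value>.*)$')


def parse_git_config(text: str) -> dict[tuple[str, str | None], dict[str, str]]:
    """Minimal parser for Git's INI-like config: {(section, subsection): {key: value}}."""
    result: dict[tuple[str, str | None], dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        if m := _SECTION.match(line):
            current = (m["name"].lower(), m["sub"])
            result.setdefault(current, {})
        elif (m := _KEYVAL.match(line)) and current is not None:
            result[current][m["key"].lower()] = m["value"].strip()
    return result


def find_embedded_credentials(text: str) -> list[tuple[str, str, str, str]]:
    """Return (remote, key, username, redacted_url) for each remote URL carrying userinfo.

    Both a user:password pair and a bare token used as the username (the
    usual shape for hosted-Git personal access tokens) are reported.
    """
    findings = []
    for (section, sub), keys in parse_git_config(text).items():
        if section != "remote":
            continue
        for key in ("url", "pushurl"):
            url = keys.get(key)
            if not url:
                continue
            parts = urlsplit(url)  # scp-style git@host:path has no userinfo here
            if parts.username is None and parts.password is None:
                continue
            # Rebuild the URL without the userinfo so the finding can be logged safely.
            netloc = parts.hostname or ""
            if parts.port:
                netloc += f":{parts.port}"
            redacted = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
            findings.append((sub or "", key, parts.username or "", redacted))
    return findings


# Constructed .git/config: one remote with user:token, one with an
# scp-style URL (no userinfo), one with a bare token as the username.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy-bot:glpat-EXAMPLE0000000000000@gitlab.example.test/platform/api.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:example-org/api.git
[remote "backup"]
\turl = https://ghp_EXAMPLE00000000000000000000000000000@github.com/example-org/api.git
"""

if __name__ == "__main__":
    for remote, key, user, url in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"remote {remote!r} {key}: user {user!r} embedded in {url}")
```

Run it over every .git/config on build agents and web roots, not just checked-in repositories. The server-side fix is to refuse to serve the directory at all (a deny rule for any path beginning with /.git); the client-side fix is the one the entry recommends, keeping the token out of the URL and supplying it through a credential helper or an environment variable at fetch time.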

Risks: Misconfiguration, Shadow IT/Exposed Assets, Hardcoded Secrets, Git/Repo Breach

CVEs:

Keywords: Cloud Credentials, Git Configuration, EmeraldWhale, Credential Theft, GitHub Security, Secret Management

Affected: GitHub, GitLab, BitBucket, AWS, Amazon S3

Read More

2024-10-31

Critical RCE Vulnerability Found in VMware vCenter Server

Learn about the critical importance of patch management and how timely updates can prevent severe vulnerabilities in virtualization management platforms.

Security researchers have identified a critical remote code execution vulnerability in VMware vCenter Server, affecting its DCERPC protocol implementation. This severe flaw, with a CVSS score of 9.8, allows attackers with network access to exploit the server by sending specially crafted packets, potentially leading to remote code execution. The root cause involves manipulation of memory addresses through attacker-controlled input, increasing the risk of memory corruption. VMware has released a patch to address this vulnerability, emphasizing the need for prompt patching and regular security assessments to protect against potential exploitation.

Risks: Patch Management, Remote Code Execution

CVEs: CVE-2024-38812

Keywords: VMware, vCenter Server, RCE Vulnerability, CVE-2024-38812, Remote Code Execution

Affected: VMware vCenter Server, VMware Cloud Foundation

Read More

2024-10-30

PSAUX Ransomware Exploits CyberPanel Vulnerabilities

Learn about the critical importance of securing web hosting panels and the risks of not patching vulnerabilities promptly.

Over 22,000 CyberPanel instances were hit by a PSAUX ransomware attack exploiting critical vulnerabilities in versions 2.3.6 and likely 2.3.7, leading to a significant outage. The attack leveraged issues such as defective authentication, command injection, and security filter bypass, allowing unauthenticated remote root access. The vulnerabilities, disclosed by a researcher, have been partially addressed with an authentication fix available on GitHub, though a new software version hasn't been released. With the PSAUX ransomware actively exploiting these flaws, users are urged to update their systems immediately to mitigate risks.

Risks: Patch Management, Misconfiguration, Web App/Website Vulnerability, Privilege Escalation

CVEs:

Keywords: CyberPanel, PSAUX Ransomware, Remote Code Execution, Vulnerability, Patch Management

Affected: CyberPanel

Read More

2024-10-30

Critical Vulnerability Discovered in Spring WebFlux Framework

Learn about the criticality of securing open-source frameworks and the importance of proactive vulnerability management in cloud environments.

A newly disclosed critical-severity vulnerability in the Spring development framework, specifically affecting Spring WebFlux applications, requires administrators to ensure their systems are updated. Its severity is debated: the CVSS score has been put as high as 9.1 and as low as 7.4, because exploitation depends on several conditions being met, including serving static resources with non-permitAll authorization rules. While the vulnerability impacts only static resources and not dynamic data, its presence in a widely used framework like Spring necessitates prompt attention to mitigate potential risks.

Risks: Open Source, Web App/Website Vulnerability, Patch Management

CVEs: CVE-2024-38821

Keywords: Spring WebFlux, CVE-2024-38821, Java vulnerability, static resources, authorization rules

Affected: Spring WebFlux, Java applications

Read More

2024-10-30

Vulnerabilities in Open-Source AI and ML Models Expose Security Risks

Got you some real good FUD, learn about the dangers of supply chain attacks in open-source AI and ML models.

Researchers have identified over thirty security vulnerabilities in various open-source AI and ML models, posing risks of remote code execution and data theft. These vulnerabilities affect tools like ChuanhuChatGPT, Lunary, and LocalAI, with issues ranging from insecure object references to path traversal flaws. Recent patches by NVIDIA and the introduction of Protect AI's Vulnhuntr, a static code analyzer, aim to address some of these vulnerabilities. Additionally, a new jailbreak technique has been discovered that could exploit models like OpenAI's ChatGPT using encoded prompts. Users are advised to update their systems to mitigate potential threats.

Risks: Supply Chain, Open Source, Web App/Website Vulnerability, API Vulnerability

CVEs: CVE-2024-7474; CVE-2024-7475; CVE-2024-7473; CVE-2024-5982; CVE-2024-6983; CVE-2024-7010; CVE-2024-8396; CVE-2024-0129

Keywords: AI vulnerabilities, machine learning security, remote code execution, open-source risks, path traversal, Protect AI, NVIDIA NeMo

Affected: ChuanhuChatGPT, Lunary, LocalAI, Deep Java Library, NVIDIA NeMo, OpenAI ChatGPT

Read More

2024-10-29

Chinese Hackers Breach U.S. Telecom Giants for Espionage

New opportunity - telecom and governmental sectors are under cyberespionage threat. Time to get out your rolodex and offer CloudGuard solutions!

Hackers linked to the People's Republic of China breached multiple U.S. telecom providers, including Verizon, AT&T, and Lumen Technologies, in an espionage operation targeting communications interception systems. The U.S. Government, with the FBI and CISA, is investigating and providing assistance. The attacks are part of broader cyberespionage activity expected to rise ahead of the U.S. presidential election; Canadian entities have also been affected, although Canada's incidents are limited to reconnaissance activities.

Risks: Sensitive Data, Other: Espionage

CVEs:

Keywords: Telecom Breach, Chinese Hackers, Salt Typhoon, Espionage, Verizon, AT&T, Lumen Technologies, Cyberattack

Affected: Verizon, AT&T, Lumen Technologies, Government of Canada departments and agencies, federal political parties, House of Commons, Senate, democratic institutions, critical infrastructure, defence sector, media organizations, think tanks, NGOs

Read More

2024-10-29

Hackers Offer Unauthorized Access to Acer China's Firewall Systems

Learn about the risks of unauthorized access and the importance of robust cybersecurity measures to protect your clients' data and maintain their trust.

Hackers are reportedly selling unauthorized access to Acer China's firewall and shell systems, potentially exposing sensitive data and compromising the company's cybersecurity infrastructure. The breach highlights the importance of robust cybersecurity measures and vigilance to protect against cyber threats.

Risks: Weak or Compromised Credentials, Sensitive Data

CVEs:

Keywords: Acer China, Firewall Breach, Unauthorized Access, DarkWeb, Cyber Threat

Affected: Acer China, Firewall, Shell Systems

Read More

2024-10-29

French ISP Free Suffers Data Breach Affecting Millions

Learn about the vulnerabilities in the telecommunications sector and the importance of robust cybersecurity measures to protect against data breaches.

Free, a leading French ISP, experienced a data breach impacting approximately 19.2 million customers, with over 5.11 million IBANs stolen. The breach, attributed to a threat actor auctioning the data online, did not compromise customer passwords or bank card details. Free reported the incident to authorities and took steps to secure its systems, advising customers to watch for phishing attempts. The breach underscores the telecommunications sector's vulnerability and the need for robust cybersecurity measures.

Risks: Sensitive Data, Web App/Website Vulnerability

CVEs:

Keywords: Free ISP, Iliad Group, Data Breach, Telecommunications, Customer Data, Cyber Attack, BreachForums

Affected: Free, Iliad Group

Read More

2024-10-28

Critical Vulnerability in OneDev Allows Unauthorized File Access

Learn about the critical importance of securing DevOps environments and the role of patch management in preventing data breaches.

A critical vulnerability in the OneDev DevOps platform allows unauthorized users to read sensitive files without needing credentials, posing a major security threat to organizations using the tool for development and deployment. The flaw enables attackers to access configuration files, source code, and other crucial data, potentially leading to further attacks, privilege escalation, or operational disruptions. This situation highlights the necessity of regular software updates, effective patch management, and robust security protocols to protect DevOps environments from such threats. As development tools become increasingly vital to business operations, maintaining their security is essential to prevent breaches and safeguard organizational data.

Risks: Sensitive Data, Patch Management, Privilege Escalation, Git/Repo Breach

CVEs: CVE-2024-45309

Keywords: OneDev, DevOps security, CVE-2024-45309, unauthorized access, patch management

Affected: OneDev

Read More

2024-10-28

OPA for Windows Vulnerability Exposes User Credentials

Learn about the critical need for patch management and the risks of open source vulnerabilities that can impact your clients' security.

Organizations using Open Policy Agent (OPA) for Windows should update to version 0.68.0 or later to address a vulnerability that exposes NTLM hashes due to improper input validation. This flaw allows attackers to trick OPA into accessing a malicious server, potentially leading to unauthorized access by leaking user credentials. The issue highlights risks associated with consuming open source software, as many codebases contain vulnerabilities, with a significant portion being high-risk or unpatched for extended periods. Collaboration between security and engineering teams is crucial to mitigate such risks.

Risks: Patch Management, Weak or Compromised Credentials, Open Source

CVEs: CVE-2024-8260

Keywords: Open Policy Agent, OPA, Windows Vulnerability, NTLM Hash Leak, CVE-2024-8260, Open Source Risk

Affected: Open Policy Agent, Microsoft Windows

Read More

2024-10-28

Malicious npm Packages Spread BeaverTail Malware to Developers

Got you some real good FUD, learn about the dangers of supply chain attacks.

In September 2024, three malicious npm packages were discovered containing the BeaverTail malware, linked to a North Korean campaign called Contagious Interview. These packages, mimicking popular JavaScript libraries, aim to compromise developers by acting as downloaders and information stealers. This resurgence follows previous similar incidents in August 2024, highlighting a persistent focus on targeting the cryptocurrency sector. The incidents emphasize the increasing misuse of the open-source software supply chain by threat actors to infect downstream targets and maintain access to compromised systems.

Risks: Malware, Supply Chain, Open Source

CVEs:

Keywords: BeaverTail, npm packages, North Korean campaign, software supply chain, cryptocurrency sector

Affected: npm, etherscan-api, cryptocurrency sector

Read More

2024-10-28

Intel's Linear Address Masking Disabled in Linux Kernel Due to Security Concerns

Learn how unpatched security features can impact system security and why it's crucial to keep up with the latest updates and mitigations.

Intel's Linear Address Masking (LAM), integrated into the Linux kernel to allow user-space metadata storage in pointers, is now being disabled due to security concerns. Despite being supported by Intel's new Arrow Lake and Lunar Lake CPUs, the feature is disabled in the Linux kernel until security issues are resolved. Intel's patch, initially submitted in January but overlooked, ensures LAM is disabled at compile-time unless specific mitigations are turned off. The feature's utility is limited until Linear Address Space Separation (LASS) is implemented, which also requires hardware support, making LAM currently ineffective for these processors.

Risks: Patch Management, Open Source

CVEs:

Keywords: Intel, Linear Address Masking, Linux Kernel, Security Vulnerability, Arrow Lake, Lunar Lake

Affected: Intel, Linux kernel, Arrow Lake CPUs, Lunar Lake CPUs

Read More

2024-10-28

Ransomware Exploits SonicWall VPN Vulnerability in Corporate Attacks

Learn about the importance of patch management and multi-factor authentication to protect corporate networks from ransomware attacks.

Fog and Akira ransomware groups are exploiting vulnerabilities in SonicWall VPNs to infiltrate corporate networks. These attacks often begin with remote access through unpatched VPN accounts lacking multi-factor authentication. Once inside, the ransomware operators move quickly, encrypting data in as little as 1.5 hours. The majority of breaches are linked to Akira, with both groups exploiting a critical SSL VPN flaw. Organizations are advised to patch their systems and enable additional security measures to mitigate these risks.

Risks: Patch Management, Weak or Compromised Credentials, Malware

CVEs: CVE-2024-40766

Keywords: SonicWall, VPN Vulnerability, Ransomware, Fog, Akira, CVE-2024-40766

Affected: SonicWall VPN, Corporate Networks

Read More

2024-10-26

TeamTNT Exploits Docker for Cryptojacking and Server Rentals

Need some FUD? Want to demonstrate and understand how exposed Docker environments can be exploited for cryptojacking? This article is for you!

TeamTNT, a notorious cryptojacking group, is launching a new campaign targeting cloud-native environments for cryptocurrency mining and renting out compromised servers. They exploit exposed Docker daemons to deploy malware and cryptominers, leveraging Docker Hub for malware distribution. This operation involves using masscan and ZGrab to identify unauthenticated Docker API endpoints and deploying malicious containers from a compromised Docker Hub account. TeamTNT employs the open-source Sliver C2 framework for server control and diversifies monetization by selling computational power on a mining rental platform. The campaign reflects an evolution in tactics, highlighting the group's persistent threat to cloud infrastructure.
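The misconfiguration that makes a host a target for this kind of sweep lives in one file, so it is worth checking from the inside rather than waiting for masscan to find it. As an added example (not code from the page or from the researchers who tracked the campaign), the audit below reads a Docker daemon.json and reports every TCP listener that accepts API calls without client-certificate verification; the two configurations it runs against are constructed.

```python
"""Audit a Docker daemon.json for an unauthenticated TCP API listener.

Added example for the TeamTNT entry; not code from the page or from the
researchers. The two configurations below are constructed. dockerd reads
"hosts", "tls", "tlsverify", "tlscacert", "tlscert" and "tlskey" from
/etc/docker/daemon.json: a tcp:// entry in "hosts" without
"tlsverify": true is the unauthenticated API endpoint that masscan/ZGrab
sweeps look for, and whoever reaches it can start containers as root on
the host.
"""
from __future__ import annotations

import json


def audit_daemon_config(config_text: str) -> list[str]:
    """Return one finding per TCP listener that accepts unauthenticated API calls."""
    cfg = json.loads(config_text)
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])  # dockerd's default listener
    tls_verify = cfg.get("tlsverify") is True
    certs_present = all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are governed by file permissions
        bind, _, port = host[len("tcp://"):].rpartition(":")
        scope = "all interfaces" if bind in ("", "0.0.0.0", "[::]", "::") else bind
        if not tls_verify:
            # "tls": true alone encrypts the connection but still lets any client in.
            mode = "TLS without client verification" if cfg.get("tls") else "plain HTTP"
            findings.append(f"{host}: API reachable on {scope} over {mode}; "
                            f"anyone who can connect to port {port} controls the daemon")
        elif not certs_present:
            findings.append(f"{host}: tlsverify is set but tlscacert/tlscert/tlskey are not all configured")
    return findings


# Constructed: the shape of a daemon found by an internet-wide sweep.
EXPOSED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: the same daemon, reachable only with a client certificate
# signed by the CA in tlscacert.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_daemon_config(text) or ["ok"])
```

Two caveats. Client-certificate verification authenticates the caller but does not limit what the caller can do, so every certificate holder is still root on the host; treat the CA key accordingly. And if the systemd unit already passes -H to dockerd, adding "hosts" to daemon.json makes the daemon refuse to start with a conflicting-directive error, so configure the listeners in one place only.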

Risks: Misconfiguration, Shadow IT/Exposed Assets, Malware

CVEs:

Keywords: TeamTNT, Docker, Cryptojacking, Sliver C2, Cloud Security, Mining Rig Rentals

Affected: Docker, Docker Hub, Docker API, Docker Swarm

Read More

2024-10-25

Penn State Settles $1.25 Million for Cybersecurity Non-Compliance

Want some FUD to demonstrate the risks and financial consequences of non-compliance with cybersecurity standards? Discover the costly lessons from Penn State's settlement.

Penn State University settled for $1.25 million due to non-compliance with cybersecurity requirements set by the Department of Defense and NASA. A whistleblower lawsuit under the False Claims Act highlighted Penn State's failure to meet the Defense Federal Acquisition Regulation Supplement (DFARS) standards, particularly those aligned with NIST SP 800-171, affecting 15 federal contracts. Allegations included inadequate implementation of security controls, failure to document and correct deficiencies, and misrepresentation of compliance timelines. Additionally, Penn State did not use a compliant external cloud service provider. This case follows a similar whistleblower suit against Georgia Tech for related compliance failures.

Risks: Third-Party Vendor/SaaS, Other: Non-Compliance

CVEs:

Keywords: Penn State, DFARS Compliance, NIST SP 800-171, Federal Contracts, Settlement

Affected: Penn State University, Department of Defense, NASA, Georgia Institute of Technology, Georgia Tech Research Corporation

Read More

2024-10-25

Critical Vulnerability in Microsoft SharePoint Allows Remote Code Execution

Learn about the importance of patch management to protect against vulnerabilities in widely-used platforms like Microsoft SharePoint.

The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted a critical vulnerability in Microsoft SharePoint that allows unauthorized remote code execution, posing significant risks to organizations. This deserialization vulnerability, disclosed in July 2024, underscores the importance of timely remediation to protect sensitive information and maintain the security of digital assets. Organizations are urged to prioritize addressing this issue to reduce exposure to potential cyberattacks.

Risks: Patch Management, Web App/Website Vulnerability

CVEs: CVE-2024-38094

Keywords: Microsoft SharePoint, Deserialization Vulnerability, Remote Code Execution, CVE-2024-38094, CISA Alert

Affected: Microsoft SharePoint

Read More

2024-10-25

Windows Remote Registry Client Vulnerability Allows Privilege Escalation

Learn about the critical importance of patch management to protect Windows systems from privilege escalation vulnerabilities.

A critical vulnerability in the Windows Remote Registry client allows attackers to relay NTLM authentication, potentially leading to unauthorized system access. This elevation of privilege flaw affects all unpatched Windows versions and exploits insecure fallback transport protocols. Despite the vulnerability being patched in October 2024, it highlights the need for robust network defenses and regular security audits to mitigate risks from legacy systems and protocols.

Risks: Privilege Escalation, Patch Management

CVEs: CVE-2024-43532

Keywords: Windows, CVE-2024-43532, NTLM Relay Attack, Privilege Escalation, Patch Tuesday

Affected: Windows, Active Directory, Microsoft

Read More

2024-10-25

UnitedHealth Suffers Massive Data Breach in Change Healthcare Ransomware Attack

Learn about the costly impact of insufficient security measures and the importance of robust protection to prevent breaches in healthcare and beyond.

UnitedHealth has disclosed that a ransomware attack on its subsidiary, Change Healthcare, resulted in the theft of personal and healthcare data of over 100 million individuals, marking it as one of the largest breaches in recent years. The breach, carried out by the BlackCat ransomware group, led to significant disruptions in the U.S. healthcare system, including outages that affected claim filings and prescription pricing. Despite paying a ransom to decrypt data and allegedly secure the deletion of stolen data, further extortion attempts ensued, with the stolen data later linked to another ransomware group. The financial fallout from this attack is substantial, with losses expected to reach $2.45 billion.

Risks: Sensitive Data, Weak or Compromised Credentials, Third-Party Vendor/SaaS

CVEs:

Keywords: UnitedHealth, Change Healthcare, BlackCat, Ransomware, Data Breach, Healthcare Security

Affected: UnitedHealth, Change Healthcare, U.S. healthcare system, Citrix remote access service

Read More

2024-10-25

AWS CDK Vulnerability Could Lead to Full Account Takeover

Need some ammo against AWS? Have a customer or prospect that uses AWS? This article is for you!

A vulnerability in the AWS Cloud Development Kit (CDK) allowed attackers to potentially hijack user accounts by exploiting predictable S3 bucket naming conventions. AWS has patched this flaw with a new version of the CDK, but user action is required to upgrade if they have previously bootstrapped with an older version. The issue, related to an earlier attack method called Bucket Monopoly, involved predictable S3 bucket names that attackers could exploit through namesquatting. The fix ensures assets are only uploaded to buckets owned by the user's account, and AWS recommends using unique hashes or random identifiers for S3 bucket names to prevent such attacks.

Risks: Patch Management, Misconfiguration, Cloud Service Provider Flaw, Open Source

CVEs:

Keywords: AWS, Cloud Development Kit, S3 Bucket, Account Takeover, Vulnerability

Affected: AWS, AWS Cloud Development Kit, S3

Read More

2024-10-23

Critical Vulnerabilities Found in mbNET.mini and Helmholz REX100 Routers

Learn about the critical importance of securing industrial routers and the potential risks to industrial control systems from unpatched vulnerabilities.

Germany's CERT@VDE has identified several critical and high-severity vulnerabilities in the mbNET.mini and Helmholz REX100 industrial routers. These vulnerabilities allow unauthenticated, remote attackers to execute OS commands and take control of affected devices, potentially leading to privilege escalation and information disclosure. The vulnerabilities can be exploited remotely if certain services are exposed online, or locally if an attacker gains physical access to the device. Although patches have been released by the affected vendors, their effectiveness has not been fully verified. These vulnerabilities pose a significant risk to industrial control systems and sensitive information.

Risks: Patch Management, Hardcoded Secrets, Weak or Compromised Credentials, Shadow IT/Exposed Assets

CVEs: CVE-2024-45274; CVE-2024-45275

Keywords: mbNET.mini, Helmholz REX100, industrial routers, vulnerabilities, remote access, ICS security

Affected: mbNET.mini, Helmholz REX100, industrial control systems

Read More

2024-10-23

Insurance Firm Johnson & Johnson Reports Data Breach Affecting Thousands

Learn about the potential financial impact of data breaches and the importance of proactive cybersecurity measures for insurance firms.

Insurance firm Johnson & Johnson has reported a data breach affecting over 3,200 individuals, potentially compromising sensitive personal information. Detected in mid-August 2024, the breach has prompted the company to offer free credit monitoring and identity restoration services to those impacted. The company has not disclosed further details about the attack, and no ransomware group has claimed responsibility.

Risks: Sensitive Data, Other

CVEs:

Keywords: Data Breach, Insurance, Johnson & Johnson, Personal Information, Cybersecurity Incident

Affected: Johnson & Johnson

Read More

2024-10-23

UN Women Database Exposes Sensitive Information Online

Learn about the critical importance of securing cloud databases and preventing data exposure to protect sensitive information and maintain trust.

A database from the United Nations Trust Fund to End Violence Against Women was left openly accessible online, exposing over 115,000 sensitive files. These files contained detailed financial disclosures, staffing information, contracts, and personal testimonials from organizations partnering with or funded by UN Women. The lack of access control on the database highlights the risks posed by misconfigurations, which can potentially endanger vulnerable individuals and organizations by exposing them to scams, extortion, and targeting by authoritarian regimes. This incident underscores the need for improved data management and security practices to prevent such breaches in the future.

Risks: Misconfiguration, Sensitive Data, Shadow IT/Exposed Assets

CVEs:

Keywords: UN Women, Data Exposure, Database Security, Sensitive Information, Misconfiguration

Affected: United Nations, UN Women, organizations partnering with UN Women

Read More

2024-10-23

Security Flaws in Mobile Apps Expose AWS and Azure Credentials

Need some FUD? Highlight the risks of poor cloud credential management and the importance of robust security practices in app development.

Many popular iOS and Android apps have been found to contain hardcoded, unencrypted credentials for cloud services like AWS and Azure, posing a risk of unauthorized access to sensitive user data and source code. Anything compiled into an app package can be extracted by anyone who downloads it, so these credentials should be treated as public. The vulnerabilities stem from poor development practices and can lead to data theft or manipulation. To mitigate such risks, developers are advised to keep credentials out of the build artifact (using environment variables and secrets management tools), encrypt sensitive data, conduct regular code reviews, and integrate automated secret scanning into the development process.
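The automated scanning recommended above is easy to run as a pre-release check. The following is an added example, not code from the article or from the researchers it summarizes: a small scanner that walks the files of an app bundle and flags AWS access key IDs, AWS secret keys and Azure storage account keys by pattern, with an entropy filter so that hashes and padding do not trip the secret-key rule. The bundle contents below are constructed; the AWS values are the placeholders AWS uses in its own documentation, and the Azure key is derived from a fixed string so that it is high-entropy but not a real key.

```python
import base64
import hashlib
import math
import re
from typing import Dict, List, Mapping, Tuple

# Constructed sample of files bundled inside a mobile app package (not a real app).
FAKE_AZURE_KEY = base64.b64encode(hashlib.sha512(b"constructed-demo-key").digest()).decode()
SAMPLE_APP_FILES: Dict[str, str] = {
    "res/values/strings.xml": (
        '<string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        '<string name="aws_secret_access_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n'
        '<string name="app_name">Demo</string>\n'
    ),
    "assets/config.json": (
        '{"storage": "DefaultEndpointsProtocol=https;AccountName=demoacct;AccountKey='
        + FAKE_AZURE_KEY + ';EndpointSuffix=core.windows.net"}\n'
    ),
}

# Group 1 of every pattern captures the credential itself.
PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) access key IDs: 20 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"),
    # 40 base64-ish characters within 40 characters of the word "secret".
    "aws_secret_access_key": re.compile(r"(?i)secret[^\n]{0,40}?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # Azure storage account keys are 64 random bytes, i.e. 88 base64 chars ending in "==".
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
}
# 40 base64-looking characters also occur in hashes and padding; require real entropy there.
HIGH_ENTROPY_KINDS = {"aws_secret_access_key", "azure_storage_account_key"}
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random base64 scores well above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def redact(secret: str) -> str:
    """Never write the full secret into scanner output or CI logs."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                if kind in HIGH_ENTROPY_KINDS and shannon_entropy(secret) < MIN_ENTROPY_BITS:
                    continue
                findings.append({"file": path, "line": lineno, "kind": kind, "redacted": redact(secret)})
    return findings


def scan_files(files: Mapping[str, str]) -> List[Dict[str, object]]:
    """Scan every (path -> contents) pair, e.g. the unpacked contents of an APK or IPA."""
    results: List[Dict[str, object]] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def credentials_from_environment(env: Mapping[str, str]) -> Tuple[str, str]:
    """Build/CI-side remediation: resolve credentials at run time instead of baking them in.
    Fails closed when they are absent rather than falling back to a hardcoded default."""
    try:
        return env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"]
    except KeyError as missing:
        raise RuntimeError(f"credential {missing} not provided by the environment") from None


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_APP_FILES):
        print(f"{finding['file']}:{finding['line']} {finding['kind']} {finding['redacted']}")
```

The environment-variable fallback only applies to build pipelines and backend services; on a phone there is no safe place for a long-lived cloud key at all, so the client should obtain short-lived, scoped tokens from a backend that holds the real credentials.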

Risks: Sensitive Data, Hardcoded Secrets, Cloud Service Provider Flaw

CVEs:

Keywords: Mobile App Security, AWS Credentials, Azure Blob Storage, Hardcoded Keys, Cloud Vulnerabilities

Affected: AWS, Microsoft Azure

Read More

2024-10-22

IcePeony APT Targets Asian Institutions with Webshell Attacks

Want to showcase how advanced threat actors exploit vulnerabilities in cloud environments? This article reveals the tactics and tools used by state-sponsored groups.

The IcePeony APT group, a Chinese state-sponsored threat actor active since 2023, targets entities in India, Mauritius, and Vietnam. Their attack strategy involves SQL injection to compromise government and academic institutions, leading to webshell and backdoor installations for credential theft and data exfiltration. Utilizing custom tools like IceCache and StaX, IcePeony's multi-stage attacks employ open-source utilities and encrypted proxy communications. They gather system information with scripts and maintain persistence with backdoor shells and user accounts. Additionally, they use the Diamorphine rootkit and malware targeting IIS servers.

Risks: Web App & API Vulnerability, Malware, Weak or Compromised Credentials

CVEs:

Keywords: IcePeony, APT, SQL Injection, Webshell, Data Exfiltration, China, Government Institutions, Academic Institutions

Affected: Government institutions, Academic institutions, IIS servers

Read More

2024-10-22

ScienceLogic SL1 Vulnerability Exploited, Affects Rackspace Systems

Learn about the critical importance of third-party security and patch management to prevent unauthorized access and safeguard your cloud infrastructure.

A critical security flaw in ScienceLogic SL1, a platform used for monitoring IT resources, was exploited as a zero-day before a fix was available. The flaw, which could lead to remote code execution, has been added to CISA's Known Exploited Vulnerabilities catalog. ScienceLogic has since patched it, but the exploitation led to unauthorized access to Rackspace's internal monitoring systems, prompting the company to take its dashboard offline and notify affected customers. Rackspace uses ScienceLogic as a third-party tool for monitoring its services.

Risks: Zero-Day, Patch Management, Third-Party Vendor/SaaS

CVEs: CVE-2024-9537

Keywords: ScienceLogic SL1, Rackspace, Zero-Day, Remote Code Execution, Vulnerability Exploitation

Affected: ScienceLogic SL1, Rackspace

Read More

2024-10-22

Atlassian Patches High-Severity Vulnerabilities in Bitbucket, Confluence, and Jira

Learn about the critical importance of timely patch management to prevent high-severity vulnerabilities in popular enterprise tools like Atlassian's Bitbucket, Confluence, and Jira Service Management.

Atlassian has issued security updates to address six high-severity vulnerabilities across its Bitbucket, Confluence, and Jira Service Management products. These updates resolve flaws including unauthorized data access risks in Bitbucket, path traversal and denial of service vulnerabilities in Confluence, and a buffer overflow issue in Jira Service Management that could disrupt service availability. The patches also fix an XSS vulnerability that could allow code execution in a user's browser. Users are encouraged to apply these updates to enhance the security and stability of their systems.

Risks: Patch Management, Web App & API Vulnerability, Third-Party Vendor/SaaS

CVEs: CVE-2024-21147; CVE-2022-24785; CVE-2022-31129; CVE-2024-4367

Keywords: Atlassian, Bitbucket, Confluence, Jira, Vulnerabilities, Patch Management, High-Severity, CVE

Affected: Atlassian, Bitbucket, Confluence, Jira Service Management, Oracle

Read More

2024-10-22

Roundcube XSS Vulnerability Exploited to Steal Credentials

Learn about the critical importance of timely patch management to protect against sophisticated phishing campaigns targeting government agencies.

Security researchers have identified a phishing campaign exploiting a cross-site scripting (XSS) vulnerability in the Roundcube webmail software, which allows attackers to execute arbitrary JavaScript and steal login credentials. Despite being patched in May 2024, many organizations still run vulnerable versions, making them susceptible to attacks. Threat actors utilize this flaw by embedding malicious code in emails that, when opened, execute within the webmail context to exfiltrate user credentials. Government agencies are prime targets due to their extensive use of Roundcube. The vulnerability has been recognized by the U.S. Cybersecurity and Infrastructure Security Agency as a common attack vector.

Risks: Patch Management, Web App & API Vulnerability, Open Source, Weak or Compromised Credentials

CVEs: CVE-2024-37383

Keywords: Roundcube, XSS vulnerability, credential theft, phishing campaign, CVE-2024-37383

Affected: Roundcube, Government agencies

Read More

2024-10-22

Critical Vulnerability in VMware vCenter Server Requires Second Patch

Learn about the critical importance of timely patch management in preventing remote code execution vulnerabilities.

VMware has released a second patch for a critical remote code execution flaw in its vCenter Server platform, first demonstrated at a Chinese hacking contest, after the initial September fix proved incomplete. The vulnerability, a heap overflow in the DCERPC protocol implementation, carries a critical severity score and lets an attacker with network access to the service execute code remotely. The same update also addresses a moderate-severity privilege escalation bug.

Risks: Patch Management, Over Permissive Roles & Privilege Escalation

CVEs: CVE-2024-38812; CVE-2024-38813

Keywords: VMware, vCenter Server, Remote Code Execution, DCERPC, Patch Management

Affected: VMware, vCenter Server

Read More

2024-10-22

Fortinet Criticized for Handling of FortiManager Cloud Zero-Day Vulnerability

Need some ammo against Fortinet? This article is for you!

Fortinet is facing criticism for its handling of a zero-day vulnerability actively exploited in its FortiManager Cloud product. Despite having known about the issue for nearly two weeks, the company has yet to release a CVE, a public write-up, or mention the vulnerability in its patch notes. This situation contrasts with Fortinet's recent advocacy for transparency and responsible vulnerability disclosure in the cybersecurity industry.

Risks: Zero-Day, Patch Management

CVEs:

Keywords: Fortinet, Zero-Day, FortiManager Cloud, Vulnerability Disclosure, Security Flaw

Affected: Fortinet, FortiManager Cloud

Read More

2024-10-22

Transak Data Breach Exposes Sensitive User Information via Phishing Attack

Understand the critical need for robust employee training and security measures to protect against sophisticated phishing attacks in the crypto industry.

Transak, a crypto payment services provider, experienced a significant data breach affecting over 92,000 users due to a phishing attack on an employee's laptop. The breach exposed sensitive personal information, including KYC verification details, but did not impact user funds as Transak operates on a non-custodial model. In response, Transak has engaged cybersecurity experts, notified affected users and authorities, and implemented enhanced security measures, including collaboration with their KYC vendor. The incident underscores the ongoing security challenges in the crypto industry, particularly against phishing attacks, and follows similar breaches in the sector.

Risks: Sensitive Data, Phishing Attack, Third-Party Vendor/SaaS, Weak or Compromised Credentials

CVEs:

Keywords: Transak, Data Breach, Phishing Attack, Cryptocurrency, User Data Exposure, KYC

Affected: Transak, Fidelity Investments

Read More

2024-10-21

Omni Family Health Data Breach Exposes Sensitive Information of 470,000 Individuals

Learn about the critical importance of safeguarding sensitive healthcare data to prevent costly breaches and protect patient trust.

Omni Family Health, a network of health centers in California, has experienced a data breach affecting approximately 470,000 individuals, including patients and employees. Discovered on August 7, the breach exposed sensitive personal information such as names, addresses, dates of birth, Social Security numbers, and health insurance details. Employee data also included financial account information and details about dependents and beneficiaries. The specific nature of the cyberattack remains undisclosed.

Risks: Sensitive Data, Other

CVEs:

Keywords: Omni Family Health, Data Breach, Healthcare Security, Personal Information, Cyberattack

Affected: Omni Family Health

Read More

2024-10-21

Cisco DevHub Data Leaked After API Token Exploitation

Need some ammo against Cisco? This article highlights their recent data exposure incident.

Cisco took its DevHub portal offline after a hacker published non-public data, although the company maintains that its systems were not breached. The exposed data included source code, configuration files, technical documentation, and SQL files, but no personal or financial information is believed to have been compromised. The hacker, known as IntelBroker, accessed the data through an exposed API token in a third-party developer environment. Despite the hacker's claims of ongoing access, Cisco has blocked all access to the affected portal and continues to investigate the incident.

Risks: Web App & API Vulnerability, Third-Party Vendor/SaaS, Shadow IT/Exposed Assets

CVEs:

Keywords: Cisco, Data Leak, DevHub, API Token, IntelBroker, Third-Party Access

Affected: Cisco, JFrog

Read More

2024-10-21

Internet Archive Breached Through Stolen GitLab Tokens

Learn about the critical importance of securing API tokens and managing access controls to prevent data breaches.

The Internet Archive experienced another data breach through their Zendesk email support platform due to stolen GitLab authentication tokens. Despite warnings, the organization failed to rotate exposed API keys, allowing the threat actor access to over 800,000 support tickets. This breach follows a prior attack where user data for 33 million users was stolen and a DDoS attack occurred, though these were carried out by different groups. The breach began with an exposed GitLab configuration file, leading to unauthorized access to source code and database credentials, ultimately resulting in the theft of 7TB of data. The motivation was not financial but rather opportunistic, highlighting the ongoing issue of data breaches within the cybersecurity community.

Risks: Hardcoded Secrets, Web App & API Vulnerability, Weak or Compromised Credentials, Shadow IT/Exposed Assets

CVEs:

Keywords: Internet Archive, Zendesk breach, GitLab tokens, data exfiltration, API key security

Affected: Internet Archive, Zendesk, GitLab

Read More

2024-10-21

Vulnerabilities Found in Popular Encrypted Cloud Storage Services

Learn about the critical vulnerabilities in popular E2EE cloud storage platforms and the importance of robust encryption and authentication measures.

Recent research has uncovered significant security vulnerabilities in end-to-end encrypted (E2EE) cloud storage platforms used by over 22 million users, including services like Sync, pCloud, Icedrive, Seafile, and Tresorit. These vulnerabilities allow attackers to manipulate data, inject files, and access user information due to weaknesses in encryption and authentication processes. The study highlights issues such as unauthenticated key material, tampering with file contents, protocol downgrades, and server-controlled certificate vulnerabilities. Some providers have acknowledged the issues and plan to address them, while others have not responded or opted not to fix the vulnerabilities.
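Two of the weaknesses listed above, unauthenticated key material and tampering with file contents, come down to the same mistake: encrypting without authenticating, so the server (or anyone who can rewrite stored ciphertext) can change what the client decrypts. The following is an added example, not code from the research or from any of the providers named, and it makes no claim about which cipher any of them uses. It builds a stream cipher from HMAC-SHA256 in counter mode purely so the demonstration runs on the standard library, shows the bit-flip tampering that works against an unauthenticated ciphertext, and then shows the same tampering being rejected once the ciphertext is covered by an encrypt-then-MAC tag. The keys, nonce and message are constructed for the demonstration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_subkeys(master_key: bytes):
    """Separate encryption and MAC keys from one master key (HMAC used as a simple KDF)."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (a stand-in for a real cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR; nothing here detects modification."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Bit-flip attack: XOR old^new into the ciphertext so the plaintext reads `new`.
    Needs no key, only knowledge of the plaintext at that offset (e.g. a fixed file layout)."""
    assert len(old) == len(new)
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def seal(master_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: tag covers nonce and ciphertext, so either being altered is caught."""
    enc_key, mac_key = derive_subkeys(master_key)
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return xor_stream(enc_key, nonce, ct)


def roundtrip(plaintext: bytes) -> bytes:
    """Fresh random key and nonce; an untampered blob opens normally."""
    master = os.urandom(32)
    return open_sealed(master, seal(master, os.urandom(NONCE_LEN), plaintext))


def demo():
    """Returns (what the unauthenticated client decrypts, what the authenticated client does)."""
    master = hashlib.sha256(b"constructed demo master key").digest()
    nonce = bytes(NONCE_LEN)  # fixed only for reproducibility; real use: os.urandom, never reused
    pt = b"transfer 100 USD to alice"
    at = pt.index(b"100")

    enc_key, _ = derive_subkeys(master)
    forged = tamper(xor_stream(enc_key, nonce, pt), at, b"100", b"999")
    unauthenticated_result = xor_stream(enc_key, nonce, forged)

    blob = seal(master, nonce, pt)
    forged_blob = blob[:NONCE_LEN] + tamper(blob[NONCE_LEN:-TAG_LEN], at, b"100", b"999") + blob[-TAG_LEN:]
    try:
        open_sealed(master, forged_blob)
        authenticated_result = "accepted"
    except ValueError:
        authenticated_result = "rejected"
    return unauthenticated_result, authenticated_result


if __name__ == "__main__":
    print(demo())
```

In a real client the same lesson applies to the key material itself: a file key or a peer's public key that arrives from the server without a signature or MAC under a key the server does not hold can be swapped just as silently as the ciphertext above.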

Risks: Web App & API Vulnerability, Cloud Service Provider Flaw, Third-Party Vendor/SaaS

CVEs:

Keywords: E2EE, Cloud Storage, Sync, pCloud, Icedrive, Seafile, Tresorit, Encryption Vulnerabilities

Affected: Sync, pCloud, Icedrive, Seafile, Tresorit

Read More

2024-10-18

Microsoft Loses Critical Security Logs for a Month Due to Bug

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Microsoft Azure? This article is for you!

Microsoft recently disclosed that a bug led to the loss of critical security logs for nearly a month, impacting enterprise customers who depend on these logs for detecting unauthorized activity. This issue affected services such as Microsoft Entra, Microsoft Sentinel, and other security products, resulting in potentially incomplete or missing log data. The logging failure originated from a bug introduced while addressing another problem in Microsoft's log collection service. This incident raises concerns about the reliability of Microsoft's security logging, especially following previous criticism from CISA and other governmental bodies regarding log data accessibility. In response, Microsoft had previously expanded its free logging capabilities for certain customers earlier in 2024.
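The practical lesson for customers is that a logging pipeline needs its own monitoring: if Entra or Sentinel stops delivering events, the detections built on them silently stop too. The following is an added example, not code from the article or from Microsoft, showing the simplest useful check, a per-source silence detector that flags any stretch between consecutive events longer than a threshold, plus a tail check against the current time so a source that has gone quiet is reported before the next event arrives. The log lines are constructed in a simplified "timestamp source message" format; adapt the parser to the export format you actually ingest.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: one event per line, "<ISO-8601 UTC timestamp> <source> <message>".
SAMPLE_LOG = """\
2024-09-01T00:00:00Z entra user alice signed in
2024-09-01T00:05:00Z entra user bob signed in
2024-09-01T00:10:00Z entra user carol signed in
2024-09-01T00:06:00Z sentinel alert rule fired
2024-09-01T03:40:00Z entra user dave signed in
2024-09-01T03:45:00Z entra user erin signed in
2024-09-01T00:12:00Z sentinel alert rule fired
2024-09-01T00:18:00Z sentinel alert rule fired
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

Gap = Tuple[str, str, str, int]  # (source, gap start, gap end, minutes)


def parse_timestamp(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_events(log_text: str) -> Dict[str, List[datetime]]:
    """Group event timestamps by source, tolerating lines that are out of order."""
    by_source: Dict[str, List[datetime]] = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue  # blank or malformed line
        by_source.setdefault(parts[1], []).append(parse_timestamp(parts[0]))
    for stamps in by_source.values():
        stamps.sort()
    return by_source


def find_gaps(by_source: Dict[str, List[datetime]], max_silence: timedelta,
              now: Optional[datetime] = None) -> List[Gap]:
    """Report every silence longer than max_silence, including the open-ended one up to `now`."""
    gaps: List[Gap] = []
    for source in sorted(by_source):
        stamps = by_source[source]
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_silence:
                gaps.append((source, earlier.strftime(TS_FORMAT), later.strftime(TS_FORMAT),
                             int((later - earlier).total_seconds() // 60)))
        if now is not None and now - stamps[-1] > max_silence:
            gaps.append((source, stamps[-1].strftime(TS_FORMAT), now.strftime(TS_FORMAT),
                         int((now - stamps[-1]).total_seconds() // 60)))
    return gaps


def check(log_text: str, max_silence_minutes: int = 30, now: Optional[str] = None) -> List[Gap]:
    """Convenience wrapper: `now` as an ISO timestamp string, or None to skip the tail check."""
    return find_gaps(parse_events(log_text), timedelta(minutes=max_silence_minutes),
                     parse_timestamp(now) if now else None)


if __name__ == "__main__":
    for gap in check(SAMPLE_LOG, now="2024-09-01T04:30:00Z"):
        print("silence from %s: %s -> %s (%d min)" % gap)
```

A silence detector catches a source that stops entirely; the Microsoft incident also involved partial loss, which this will not see. Pair it with a volume baseline per source and hour so a drop to a fraction of the usual event count raises an alert as well.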

Risks: Cloud Service Provider Flaw, Other

CVEs:

Keywords: Microsoft, Security Logs, Data Loss, Bug Impact, Microsoft Entra, Microsoft Sentinel

Affected: Microsoft Entra, Microsoft Sentinel, Microsoft Purview, Microsoft Defender for Cloud, Microsoft Security products

Read More

2024-10-18

Globe Life Faces Extortion After Customer Data Breach

Learn about the risks of data breaches and the potential impact of cyber extortion on insurance companies, and use this insight to highlight the importance of comprehensive security solutions.

Globe Life, a major insurance company, is dealing with a cyberattack where hackers stole data and are attempting to extort the company by threatening to publish the stolen information. The breach, initially discovered in June during a security review, potentially affects at least 5,000 customers of its subsidiary, American Income Life Insurance Company, with the number possibly increasing as the investigation progresses. Globe Life confirmed that while the cybercriminals are demanding a ransom, this is not a ransomware attack as there is no data encryption involved.

Risks: Sensitive Data, Web App & API Vulnerability

CVEs:

Keywords: Data Breach, Extortion, Globe Life, Insurance Cyberattack, Customer Data Security

Affected: Globe Life, American Income Life Insurance Company

Read More

2024-10-18

BianLian Ransomware Targets Boston Children's Health Physicians

Learn how healthcare institutions are prime targets for ransomware attacks and how Check Point CloudGuard can offer robust protection against such threats.

The BianLian ransomware group has claimed responsibility for a cyberattack on Boston Children's Health Physicians (BCHP), a network of over 300 pediatric specialists. The attack compromised an IT vendor on September 6, leading to unauthorized access to BCHP's systems and the exfiltration of sensitive data. The stolen information includes personal, financial, and health-related data of current and former employees, patients, and guarantors. The BianLian group is threatening to leak the data unless a ransom is paid, adding BCHP to their extortion portal. This incident highlights ongoing cybersecurity threats to healthcare institutions.

Risks: Sensitive Data, Third-Party Vendor/SaaS, Malware

CVEs:

Keywords: BianLian, Ransomware, Healthcare Breach, Data Exfiltration, Boston Children's Hospital

Affected: Boston Children's Health Physicians, Boston Children's Hospital, healthcare industry

Read More

2024-10-17

Critical Vulnerability in Kubernetes Image Builder Allows Unauthorized SSH Access

Learn about the critical vulnerabilities in Kubernetes Image Builder and how proactive security measures can protect cloud environments.

A critical vulnerability in Kubernetes Image Builder allows unauthorized SSH root access to virtual machines built with default credentials that remain enabled after the image build process. Images built with the Proxmox provider are at the highest risk, because the default credentials stay active in the finished image. Images built with the Nutanix, OVA, and QEMU providers are affected by a lower-severity variant: those builds disable the default credentials at the end of the process, so the window of exposure is limited to the build itself. To remediate, users should upgrade to Image Builder v0.1.38 or later, which randomizes the password during the build and disables the builder account afterwards. As a temporary mitigation, manually disable the builder account on affected VMs until they can be rebuilt.

Risks: Hardcoded Secrets, Weak or Compromised Credentials, Cloud Service Provider Flaw

CVEs: CVE-2024-9486; CVE-2024-9594

Keywords: Kubernetes, Image Builder, SSH vulnerability, Proxmox, Cloud Security

Affected: Kubernetes Image Builder, Proxmox, Nutanix, OVA, QEMU

Read More

2024-10-17

Ransomware and Tech Scams Surge, Highlighting Need for Stronger Cyber Defense

Learn about the critical importance of agile cybersecurity and collaboration in defending against the rising tide of ransomware and tech scams.

Cyber threats are intensifying globally, with significant increases in ransomware and tech scams, highlighting the need for robust defense and international cooperation. Microsoft's latest report reveals a sharp rise in ransomware attacks, although fewer reach the encryption stage. Social engineering, identity compromise, and exploiting vulnerabilities remain the primary access methods. Tech scams have surged drastically, emphasizing the need for agile cybersecurity measures as malicious activities often disappear before detection. To counter over 600 million daily attacks, the industry must enhance defenses and collaborate with governments to deter cybercrime effectively.

Risks: Malware, Weak or Compromised Credentials, Web App & API Vulnerability

CVEs:

Keywords: Ransomware, Tech Scams, Social Engineering, Microsoft Report, Cyber Defense

Affected: Microsoft

Read More

2024-10-17

Rapid Decrease in Time to Exploit Vulnerabilities Highlights Security Challenges

Learn about the critical importance of rapid patch management and the growing threat of zero-day vulnerabilities to strengthen your sales pitch.

The time to exploit vulnerabilities has dramatically decreased, with the average time dropping from 63 days in 2018-2019 to just five days in 2023. This trend is driven by improved tools, techniques, and intelligence sharing, with a significant increase in zero-day exploitation. Over half of known vulnerabilities are now exploited within a month of patch release, underscoring the need for rapid patching and vigilance. The time from vulnerability disclosure to exploitation varies, with publicly available exploits reducing this period. Two case studies highlight how exploit availability and complexity affect attack timelines, with attackers prioritizing easily weaponizable vulnerabilities.

Risks: Zero-Day, Patch Management, Web App & API Vulnerability

CVEs: CVE-2023-28121; CVE-2023-27997

Keywords: Zero-Day Exploitation, Rapid Patching, Vulnerability Management, CVE-2023-28121, CVE-2023-27997

Affected: WooCommerce Payments, FortiOS SSL VPN

Read More

2024-10-16

Five Steps to Enhance Cloud Detection and Response

Discover strategies to improve real-time detection and response in cloud environments, showcasing the importance of effective security measures for potential clients.

Organizations adopting cloud environments struggle with effective detection and response because they rely on too many disconnected tools, which delays incident resolution and raises costs. To improve real-time detection and response, the article recommends adding runtime visibility and protection, employing a multi-layered detection strategy, integrating vulnerability and incident views, incorporating identities to understand who is behind an action, and ensuring a diverse range of response actions so interventions can be tailored to context.

Risks: Misconfiguration, Other

CVEs:

Keywords: Cloud Security, Detection and Response, Runtime Protection, Multi-Layered Strategy, Incident Management

Affected:

Read More

2024-10-16

Organizations Vulnerable to Attacks Due to Weak SSO Security Practices

Need some FUD? Highlight the critical importance of robust identity management and MFA to protect against prevalent phishing and credential-based attacks in cloud environments!

Organizations using single sign-on (SSO) are highly susceptible to identity-based attacks due to vulnerabilities in their authentication practices. As businesses increasingly rely on cloud services and digital technologies, identity management becomes crucial. Despite the adoption of SSO and multifactor authentication (MFA), gaps remain, with a significant portion of accounts lacking robust security measures. Research indicates that many accounts use weak or phishable MFA methods, leaving them open to phishing, credential stuffing, and brute-force attacks. Additionally, accounts with multiple login methods, including SSO and passwords, are at risk, especially if MFA is not enabled. This highlights the need for more secure authentication practices to protect identities in the digital landscape.

Risks: Weak or Compromised Credentials, Phishing Attacks, Other

CVEs:

Keywords: Single Sign-On, Identity Management, Phishing Attacks, MFA Vulnerabilities, Credential Stuffing

Affected:

Read More

2024-10-16

GitHub Enterprise Server Vulnerability Allows Unauthorized Access

Learn about the critical importance of securing enterprise software and how vulnerabilities can lead to unauthorized access.

GitHub has issued security updates for its Enterprise Server to fix several vulnerabilities, including a critical flaw that allows unauthorized access to server instances by bypassing SAML SSO authentication. This critical bug stems from improper verification of cryptographic signatures and could enable unauthorized user provisioning; it affects instances that use the optional encrypted assertions feature. The update also addresses an information disclosure vulnerability and a sensitive data exposure issue in HTML forms.

Risks: Patch Management, Web App & API Vulnerability, Sensitive Data

CVEs: CVE-2024-9487; CVE-2024-4985; CVE-2024-9539;

Keywords: GitHub, Enterprise Server, Vulnerability, Unauthorized Access, CVE-2024-9487, SAML Bypass

Affected: GitHub Enterprise Server

Read More

2024-10-16

Critical Vulnerability in SolarWinds Web Help Desk Allows Unauthorized Access

Learn about the critical importance of securing help desk software and how vulnerabilities can lead to unauthorized access to sensitive data.

CISA has identified a critical vulnerability in SolarWinds Web Help Desk software, which is actively being exploited. This flaw allows unauthorized access and modifications due to hard-coded credentials, enabling attackers to read and change sensitive help desk ticket information. Details were initially disclosed by SolarWinds in August 2024, with further technical insights provided by Horizon3.ai. This vulnerability follows another recent flaw in the same software, highlighting ongoing security concerns.

Risks: Hardcoded Secrets, Sensitive Data, Patch Management, Web App & API Vulnerability

CVEs: CVE-2024-28987; CVE-2024-28986

Keywords: SolarWinds, Web Help Desk, CVE-2024-28987, CISA, Vulnerability Exploitation, Unauthorized Access

Affected: SolarWinds Web Help Desk

Read More

2024-10-16

Cybersecurity Burnout Crisis Threatens Organizational Security

Learn how addressing cybersecurity burnout can enhance organizational security and resilience, and uncover opportunities to support stressed security teams with strategic solutions.

A recent report from BlackFog highlights a significant cybersecurity burnout crisis, with nearly a quarter of CISOs and IT Security Decision Makers considering leaving their roles due to overwhelming stress. The study reveals that security leaders are working excessive hours under mounting pressure from sophisticated threats like AI-driven cyberattacks and ransomware. The burnout is exacerbated by insufficient budgets, which hinder access to necessary tools, and a reactive security environment focused on immediate threat responses rather than strategic planning. This crisis threatens organizational security by risking the loss of top talent and creating security gaps. To mitigate this, companies must invest in resources, foster supportive cultures, and address stress causes to enhance cybersecurity resilience and retain skilled professionals.

Risks: Other

CVEs:

Keywords: Burnout, CISOs, AI-powered attacks, Ransomware, Cybersecurity stress

Affected:

Read More

2024-10-15

Critical Vulnerability in pac4j Allows Remote Code Execution

Learn about the critical importance of patch management to safeguard against vulnerabilities that can lead to remote code execution and potential system compromise.

A critical vulnerability in the Java security framework pac4j, affecting versions prior to 4.0, has been discovered, allowing remote code execution (RCE). This flaw arises from an issue in the deserialization process within pac4j-core, enabling attackers to execute arbitrary code by exploiting systems that store externally controlled values in user attributes. The vulnerability was reported and fixed with the release of version 4.0, highlighting the importance of updating to secure systems against potential RCE attacks that could compromise confidentiality, integrity, and availability.

Risks: Patch Management, Web App & API Vulnerability, Open Source

CVEs: CVE-2023-25581

Keywords: pac4j, Java vulnerability, remote code execution, CVE-2023-25581, deserialization flaw

Affected: pac4j-core

Read More

2024-10-15

OilRig Hackers Exploit Microsoft Exchange Servers in UAE and Gulf Regions

New opportunity - companies in the energy and governmental sectors are under threat from sophisticated cyber espionage attacks. Time to get out your rolodex.

The OilRig hackers, linked to Iranian interests, are targeting energy, governmental, and critical infrastructure sectors in the UAE and Gulf regions by exploiting Microsoft Exchange servers. Using sophisticated methods, they deploy a backdoor to steal credentials, beginning with uploading a web shell for remote control. They employ tools like ngrok for persistence, exploit Windows vulnerabilities for privilege escalation, and use password filter DLLs to capture and exfiltrate data. Their comprehensive attack strategy includes custom loaders, encrypted payloads, and supply chain attacks, demonstrating their evolving capabilities and persistent threat to critical systems. Their malware is crafted to blend into network traffic and avoid detection.

Risks: Over Permissive Roles & Privilege Escalation, Malware, Supply Chain, Weak or Compromised Credentials

CVEs: CVE-2024-30088

Keywords: OilRig, Microsoft Exchange, UAE, Cyber Espionage, Earth Simnavaz, Credential Theft

Affected: Microsoft Exchange Server

Read More

2024-10-15

Juniper Networks Releases Security Patches for Junos OS Vulnerabilities

Learn about the critical importance of timely patch management and how vulnerabilities in network operating systems can expose enterprises to severe security risks.

Juniper Networks has issued patches for numerous vulnerabilities in its Junos OS and Junos OS Evolved systems, including significant flaws in components like the packet forwarding engine, routing protocol daemon, and HTTP daemon. These vulnerabilities could enable unauthenticated attackers to cause denial-of-service conditions, access sensitive data, or gain control over devices. The updates also address issues in third-party components like Nginx, PHP, and OpenSSL, as well as a critical command injection flaw in Junos Space. The fixes aim to enhance security by mitigating risks associated with these vulnerabilities.

Risks: Patch Management, Third-Party Vendor/SaaS, Web App & API Vulnerability

CVEs: CVE-2016-0746; CVE-2017-20005

Keywords: Juniper Networks, Junos OS, Security Patches, Vulnerabilities, Network Security

Affected: Juniper Networks, Junos OS, Junos OS Evolved, C-ares, Nginx, PHP, OpenSSL, Junos Space, OpenSSH

Read More

2024-10-15

Jetpack WordPress Plugin Patches Critical Vulnerability

Learn about the critical importance of regularly auditing and patching plugins to prevent vulnerabilities from affecting millions of users.

The Jetpack WordPress plugin, used by 27 million sites, has patched a critical vulnerability that allowed logged-in users to access forms submitted by others. This issue, existing since 2016, was discovered during an internal security audit. Jetpack had previously addressed a similar flaw in June 2023.

Risks: Patch Management, Sensitive Data, Web App & API Vulnerability

CVEs:

Keywords: Jetpack, WordPress, Vulnerability, Plugin Security, Patch Management

Affected: WordPress, Jetpack

Read More

2024-10-15

Data Breaches Impact Gryphon Healthcare and Tri-City Medical Center

Need some FUD to highlight the critical importance of data security in healthcare? Discover the severe consequences of data breaches and the vulnerabilities in third-party services.

Gryphon Healthcare and Tri-City Medical Center have disclosed significant data breaches affecting hundreds of thousands of individuals. Gryphon's breach, discovered in August 2024, involved unauthorized access to sensitive patient information through a third-party partner. Compromised data included personal and medical details of 393,358 individuals. Tri-City Medical Center reported a breach affecting 108,149 people, stemming from a November 2023 cyberattack. This breach involved exposure of personal identifiers and was later linked to the Inc Ransom ransomware group. Both incidents highlight vulnerabilities in healthcare data security and the risks associated with third-party services and cyberattacks.

Risks: Sensitive Data, Ransomware, Third-Party Vendor/SaaS

CVEs:

Keywords: Data Breach, Healthcare Security, Gryphon Healthcare, Tri-City Medical Center, Ransomware, Third-Party Risk

Affected: Gryphon Healthcare, Tri-City Medical Center

Read More

2024-10-15

Splunk Enterprise Vulnerabilities Enable Remote Code Execution

Learn about the importance of patch management to protect critical infrastructure and prevent remote code execution vulnerabilities.

Splunk has issued patches for several high-severity vulnerabilities in its Enterprise and Cloud Platform products, which could allow attackers to execute remote code. These vulnerabilities can be exploited primarily by low-privileged users, who abuse insecure configurations to manipulate files and access data without authorization. The issues highlight the importance of timely security updates for critical infrastructure tools like Splunk, which are often targeted due to their access to sensitive organizational data.

Risks: Patch Management, Misconfiguration, Over Permissive Roles & Privilege Escalation, Third-Party Vendor/SaaS

CVEs: CVE-2024-45733; CVE-2024-45731; CVE-2024-45732;

Keywords: Splunk, Remote Code Execution, Vulnerabilities, CVE-2024-45733, Security Patches, Cloud Platform

Affected: Splunk Enterprise, Splunk Cloud Platform, Splunk Add-on for Amazon Web Services, Windows

Read More

2024-10-15

Supply Chain Attack Targets Open-Source Package Repositories

Got you some real good FUD: learn about the dangers of supply chain attacks and how they can stealthily compromise cloud environments.

A sophisticated supply chain attack has been discovered, targeting entry points in popular open-source package repositories like PyPI, npm, Ruby Gems, and NuGet. This attack method exploits entry points, which are designed to expose functionalities as command-line interface commands, by creating malicious packages that mimic popular tools or system commands. When developers unknowingly install these packages and execute the commands, they trigger harmful code execution. The attack employs tactics such as command-jacking, system command impersonation, and command wrapping to stealthily exfiltrate sensitive information or compromise cloud infrastructures. This attack vector poses significant risks to both individual developers and enterprises by bypassing traditional security checks.

Risks: Supply Chain, Open Source, Malware

CVEs:

Keywords: Supply Chain Attack, Open-Source Repositories, PyPI, npm, Command-Jacking, Cloud Security

Affected: PyPI, npm, Ruby Gems, NuGet, Dart Pub, Rust Crates

Read More

2024-10-14

Microsoft Releases Security Update for Azure Linux 2.0

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure? This article is for you!

Microsoft has released an update for Azure Linux 2.0, addressing numerous security vulnerabilities in critical components like cURL, CMake, and OpenSSL, among others. This update, which is crucial for maintaining security in production environments, also introduces new features such as an Azure Marketplace ARM64 FIPS image definition and integration of an Azure proxy agent into cloud-init. Users can access the updated version on GitHub to ensure their systems are secure and up-to-date.

Risks: Patch Management, Open Source, Cloud Service Provider Flaw

CVEs:

Keywords: Azure Linux 2.0, Microsoft Update, Security Vulnerabilities, OpenSSL, Cloud Security

Affected: Microsoft Azure, Azure Linux 2.0, cURL, CMake, Krb5, Moby, Ruby, Python, xorg-x11-server, Vim, OpenSSL, Linux kernel

Read More

2024-10-14

Fidelity Investments Breach Exposes Personal Data of 77,000 Customers

Learn about the critical importance of safeguarding sensitive customer data and the financial impact of data breaches on large financial institutions.

Fidelity Investments experienced a data breach in August, affecting over 77,000 individuals, where unauthorized access led to the exposure of sensitive personal information, including names, Social Security numbers, financial account data, and driver's license details. The breach was discovered on August 19, and measures were taken to stop the unauthorized access. This incident marks the second data breach Fidelity has reported this year, following a prior breach involving a third-party provider.

Risks: Sensitive Data, Third-Party Vendor/SaaS, Weak or Compromised Credentials

CVEs:

Keywords: Fidelity Investments, Data Breach, Personal Information, Unauthorized Access, Financial Services Security

Affected: Fidelity Investments, Infosys McCamish System

Read More

2024-10-14

Veeam Software Vulnerability Exploited in Ransomware Attacks

Learn about the critical importance of patch management and robust VPN security to protect against sophisticated ransomware attacks exploiting vulnerabilities.

Ransomware operators are exploiting a critical vulnerability in Veeam Backup & Replication software to gain unauthorized access and deploy malware. The flaw allows remote code execution without authentication and has been used to create rogue accounts and spread ransomware, such as Fog and Akira. Despite a patch being released in September, attackers continue to exploit this vulnerability by targeting VPN gateways lacking multi-factor authentication. These incidents highlight the importance of timely patching and robust security measures to protect against such threats.

Risks: Patch Management, Malware, Weak or Compromised Credentials, Web App & API Vulnerability

CVEs: CVE-2024-40711

Keywords: Veeam, Ransomware, CVE-2024-40711, Vulnerability Exploitation, Patch Management

Affected: Veeam Backup & Replication, Hyper-V, VPN gateways

Read More

2024-10-12

F5 BIG-IP LTM Vulnerable Due to Unencrypted Cookies

Discover the risks of unencrypted cookies and the importance of securing load balancing tools to protect internal networks.

CISA has identified that cyber threat actors are exploiting unencrypted persistent cookies in the F5 BIG-IP Local Traffic Manager (LTM) module to discover non-internet facing devices on networks. These cookies, vital for maintaining session consistency and load balancing, are unencrypted by default, which can allow malicious actors to infer or identify other network resources and potentially exploit vulnerabilities in those devices. CISA advises administrators to follow F5's guidelines for encrypting these cookies to prevent such exploitation.

Risks: Misconfiguration, Shadow IT/Exposed Assets

CVEs:

Keywords: F5 BIG-IP, LTM, unencrypted cookies, network vulnerability, CISA

Affected: F5 BIG-IP Local Traffic Manager

Read More

2024-10-11

Critical Vulnerability Found in Nortek Linear eMerge E3 Access Control System

Learn about the critical importance of proactive security measures and patch management in preventing unauthorized access to systems.

A critical vulnerability in the Nortek Linear eMerge E3 access control system has been identified, allowing remote attackers to execute arbitrary commands. With a high severity score of 9.8, proof-of-concept exploits have been released, raising concerns over potential exploitation. The vendor has previously been slow to address similar vulnerabilities, suggesting that organizations using the system should act quickly to isolate or take these devices offline. Security best practices, such as network segmentation and firewall protection, are recommended to mitigate risks.

Risks: Patch Management, Web App & API Vulnerability, Inadequate Network Segmentation

CVEs: CVE-2024-9441; CVE-2019-7256

Keywords: Nortek Linear eMerge E3, CVE-2024-9441, Access Control Vulnerability, Remote Code Execution, Network Security

Affected: Nortek Linear eMerge E3

Read More

2024-10-11

Critical GitLab Vulnerability Allows Unauthorized CI/CD Pipeline Execution

Learn about the critical importance of patch management and how vulnerabilities can impact CI/CD pipelines, highlighting opportunities for enhancing cloud security.

GitLab has issued security updates for both its Community and Enterprise Editions to fix eight vulnerabilities, including a critical flaw that allows unauthorized execution of CI/CD pipelines on arbitrary branches. This critical vulnerability highlights the importance of updating to the latest version to mitigate potential security risks. In addition to the critical issue, four vulnerabilities were rated as high severity, two as medium, and one as low. Although no active exploitation has been reported, users are strongly encouraged to update their GitLab instances to ensure protection against these threats.

Risks: Patch Management, Web App & API Vulnerability, Open Source

CVEs: CVE-2024-9164; CVE-2024-8970; CVE-2024-8977; CVE-2024-9631

Keywords: GitLab, CI/CD vulnerability, pipeline execution, security update, CVE-2024-9164

Affected: GitLab

Read More

2024-10-10

Palo Alto Networks Firewall Vulnerabilities Allow Potential Hijacking

Need some ammo against Palo Alto Networks? This article is for you!

Palo Alto Networks has issued a warning about multiple security vulnerabilities in its Expedition solution that can be exploited to hijack PAN-OS firewalls. These vulnerabilities, which include command injection, cross-site scripting, and SQL injection, allow attackers to access sensitive data like user credentials and device configurations. Exploitation of these flaws can lead to unauthorized control of firewall admin accounts. The company advises immediate patching to mitigate the risks, as public exploit code is available.

Risks: Sensitive Data, Patch Management, Web App & API Vulnerability, Weak or Compromised Credentials

CVEs: CVE-2024-9463; CVE-2024-9464; CVE-2024-9465; CVE-2024-9466

Keywords: Palo Alto Networks, PAN-OS, Expedition tool, Firewall vulnerabilities, Command injection, SQL injection, Cross-site scripting

Affected: Palo Alto Networks, PAN-OS firewalls, Expedition solution

Read More

2024-10-10

Trinity Ransomware Targets Healthcare with Double Extortion Tactics

New opportunity - healthcare organizations are under threat from sophisticated ransomware attacks. Time to get out your rolodex.

Trinity ransomware is targeting healthcare organizations with sophisticated tactics like double extortion, posing a significant threat. Recently, a US healthcare provider, Rocky Mountain Gastroenterology, was attacked, with Trinity claiming to have stolen 330 GB of data. The group has also targeted other organizations globally, including a dental group in the Channel Islands and entities in the UK, Canada, and more. Trinity typically gains access by exploiting software vulnerabilities, phishing, or compromised RDP endpoints.

Risks: Sensitive Data, Malware, Weak or Compromised Credentials

CVEs:

Keywords: Trinity Ransomware, Healthcare Cyberattack, Double Extortion, Data Breach, Phishing, RDP Vulnerability

Affected: Rocky Mountain Gastroenterology, Cosmetic Dental Group, a law firm in Florida and Georgia, healthcare organizations, entities in the UK, Canada, China, the Philippines, Argentina, Brazil

Read More

2024-10-10

Libano-Suisse Insurance Exposes Client Data Due to Azure Blob Misconfiguration

Want to illustrate the critical importance of cloud storage security and governance? This article highlights real-world risks and opportunities for enhancing client data protection.

A misconfigured Azure Blob storage at Libano-Suisse Insurance Company exposed sensitive personal and financial data of clients across several Middle Eastern and North African countries. Discovered in September 2024, the breach affected approximately 22,000 files containing crucial documents like policies and passport numbers. Despite initial notification, the company delayed securing the data until intervention by the Qatar National Cyber Security Agency in October. This incident underscores the critical need for stringent cloud storage management and data governance practices, particularly given Libano-Suisse's significant role in healthcare benefits management through its stake in GlobeMed.

Risks: Misconfiguration, Sensitive Data, Shadow IT/Exposed Assets

CVEs:

Keywords: Azure Blob, Data Breach, Cloud Misconfiguration, Libano-Suisse, Client Data Exposure

Affected: Azure Blob storage, Libano-Suisse Insurance Company, GlobeMed

Read More

2024-10-10

Hackers Exploit DNS Tunneling to Evade Network Firewalls

Discover the stealthy tactics of DNS tunneling and how CloudGuard can safeguard critical infrastructure and targeted industries against these evolving threats.

Hackers are increasingly using DNS tunneling to bypass network firewalls, exploiting the DNS protocol to hide data within queries and responses, enabling command and control over compromised systems. This method targets port 53, often left unmonitored, allowing the exfiltration of data encoded in DNS queries. Notable threat groups like "Evasive Serpens" and "Obscure Serpens" have used this technique, particularly against critical infrastructure. Recent investigations have identified four major DNS tunneling campaigns, each with unique characteristics and targeting different sectors. These campaigns are significant threats due to their distinct infrastructure, DNS configurations, and payload encoding methods.

Risks: Malware, Sensitive Data, Inadequate Network Segmentation

CVEs:

Keywords: DNS Tunneling, Network Firewall, Data Exfiltration, Command and Control, Critical Infrastructure, Evasive Serpens

Affected: Finance, Healthcare, Critical Infrastructure

Read More

2024-10-10

Critical Fortinet FortiOS Vulnerability Exploited in Attacks

Need some ammo against Fortinet? This article is for you!

Attackers are actively exploiting a critical remote code execution vulnerability in Fortinet's FortiOS, allowing them to execute commands or arbitrary code on unpatched devices without user interaction. The flaw affects FortiGate and FortiManager devices and was disclosed and patched by the company in February. Administrators were advised to mitigate the risk by restricting access to the fgfmd daemon and implementing a local-in policy. Previous similar vulnerabilities have been exploited by state-sponsored actors, highlighting the importance of addressing these security issues promptly.

Risks: Patch Management, Web App & API Vulnerability

CVEs: CVE-2024-23113; CVE-2022-42475

Keywords: Fortinet, FortiOS, Remote Code Execution, CVE-2024-23113, Vulnerability Exploitation, FortiGate, FortiManager

Affected: Fortinet, FortiGate, FortiManager

Read More

2024-10-10

National Public Data Files for Bankruptcy After Massive Data Breach

Learn about the severe financial and legal consequences of a massive data breach and the importance of robust data protection strategies.

The Florida-based data brokerage company, National Public Data, has filed for bankruptcy following a significant data breach that affected potentially billions of individuals. Originally, the company reported that 1.3 million people were impacted, but court documents reveal the actual number is much higher. The breach, linked to a December 2023 cyberattack, involved a 277.1 GB data file released by the hacking group USDoD, containing personal information on about 2.9 billion individuals. As a result, the company is now facing multiple class-action lawsuits and potential regulatory actions from the FTC and numerous US states.

Risks: Sensitive Data, Third-Party Vendor/SaaS, Web App & API Vulnerability

CVEs:

Keywords: Data Breach, National Public Data, USDoD Hack, Personal Information Leak, Bankruptcy, Regulatory Challenges

Affected: National Public Data, Jerico Pictures

Read More

2024-10-09

Casio Experiences Network Breach Causing Service Disruptions

Learn about the importance of swift incident response and proactive security measures to prevent costly breaches and disruptions.

Casio Computer Co., Ltd. experienced unauthorized network access that caused system disruptions, affecting some services. The company has reported the incident to data protection authorities and implemented measures to restrict external access. This follows a previous breach a year ago that exposed customer data from its ClassPad education platform.

Risks: Unauthorized Access, Sensitive Data, Other

CVEs:

Keywords: Casio, Network Breach, Service Disruption, Unauthorized Access, Data Protection

Affected: Casio

Read More

2024-10-09

Critical Zero-Day Vulnerability in Windows Management Console Exploited

Learn about the critical importance of timely patch management to prevent exploitation of zero-day vulnerabilities in widely used Windows components.

Microsoft has issued a Patch Tuesday update to address a critical zero-day vulnerability in the Windows Management Console, which is being actively exploited to execute remote code on targeted Windows systems. The flaw is part of a larger patch release that resolves 119 vulnerabilities across Windows. Notably, Microsoft is urging users to prioritize updates for remote code execution vulnerabilities in the Configuration Manager and Remote Desktop Protocol Server. Additionally, patches have been released for publicly known issues, including privilege escalation in Winlogon and a security bypass in Windows Hyper-V.

Risks: Zero-Day, Patch Management, Over Permissive Roles & Privilege Escalation

CVEs: CVE-2024-43572; CVE-2024-43468; CVE-2024-43582; CVE-2024-43583

Keywords: Windows Management Console, Zero-Day, Remote Code Execution, Microsoft, Patch Tuesday, Vulnerability

Affected: Windows Management Console, Microsoft Configuration Manager, Remote Desktop Protocol Server, Winlogon, Windows Hyper-V

Read More

2024-10-09

SAP Releases October 2024 Security Patches for Critical and High-Severity Vulnerabilities

Learn about the critical importance of timely patch management and the potential vulnerabilities in widely-used SAP systems, to better position CloudGuard solutions in safeguarding enterprise environments.

In October 2024, SAP released 12 security notes, including critical and high-severity patches. A critical issue in the BusinessObjects Business Intelligence suite required urgent attention due to a missing authorization check. Additionally, SAP addressed high-severity vulnerabilities in Enterprise Project Connection related to the Spring framework and Log4j libraries, as well as an insecure file operations flaw in BusinessObjects. Updates also included a high-severity authorization check issue in Product Design Cost Estimating, with other patches targeting medium-severity issues in various SAP products.

Risks: Patch Management, Web App & API Vulnerability, Open Source

CVEs: CVE-2024-41730; CVE-2024-22259; CVE-2024-38809; CVE-2024-38808

Keywords: SAP, BusinessObjects, Patch Management, Enterprise Project Connection, CVE-2024-41730, Log4j Vulnerability, Spring Framework Vulnerability

Affected: BusinessObjects Business Intelligence, Enterprise Project Connection, Product Design Cost Estimating, NetWeaver, Commerce Backoffice, HANA Client, S/4 HANA, Student Life Cycle Management

Read More

2024-10-09

Critical Vulnerabilities Discovered in Adobe Commerce and Magento

Learn about the critical importance of patch management to prevent severe vulnerabilities in enterprise software.

Adobe has released a Patch Tuesday update addressing 25 critical vulnerabilities in Adobe Commerce and Magento Open Source, which are commonly targeted by malicious hackers. The vulnerabilities include risks of code execution, privilege escalation, and security feature bypass, with two vulnerabilities rated as highly severe. Affected versions include Magento Open Source 2.4.7-p2 and earlier, underscoring the importance of updating to maintain security.

Risks: Patch Management, Privilege Escalation, Web App & API Vulnerability

CVEs:

Keywords: Adobe Commerce, Magento, Vulnerabilities, Patch Tuesday, Code Execution

Affected: Adobe Commerce, Magento Open Source

Read More

2024-10-08

Critical Vulnerabilities in Ivanti CSA Actively Exploited

Learn about the critical importance of vulnerability management and proactive security measures to protect cloud services from exploitation.

Ivanti has identified three critical vulnerabilities in its Cloud Service Appliance (CSA) that are being actively exploited. These zero-day vulnerabilities, when combined with a previously patched flaw, allow attackers with admin privileges to bypass restrictions, execute arbitrary SQL statements, or perform remote code execution. The vulnerabilities affect CSA versions 4.6 patch 518 and prior, with attackers exploiting them alongside a critical path traversal flaw. Ivanti advises users to update to version 5.0.2 and check for signs of compromise or alerts from security tools. This issue follows a recent addition to the U.S. CISA's Known Exploited Vulnerabilities catalog concerning Ivanti Endpoint Manager.

Risks: Zero-Day, Patch Management, Web App & API Vulnerability

CVEs: CVE-2024-9379; CVE-2024-9380; CVE-2024-9381; CVE-2024-8963

Keywords: Ivanti, Cloud Service Appliance, Zero-Day, Vulnerability Exploitation, Remote Code Execution, Path Traversal

Affected: Ivanti Cloud Service Appliance, Ivanti Endpoint Manager

Read More

2024-10-07

Financial Losses from API Vulnerabilities and Bot Attacks

Discover the financial impact of API and bot vulnerabilities, and learn how to position CloudGuard solutions as essential for protecting large enterprises from costly threats.

Organizations are facing significant financial losses, estimated between $94 and $186 billion annually, due to vulnerabilities in APIs and automated bot attacks, according to a report by Imperva. The reliance on APIs is growing, expanding the attack surface and resulting in a 40% increase in API-related security incidents in 2022 and a further 9% in 2023. Bot attacks alone have surged by 88% in 2022, with an additional 28% rise in 2023, accounting for up to $116 billion in losses each year. Large enterprises, particularly those with revenues exceeding $1 billion, are at a higher risk due to the complexity of their digital infrastructures. The report suggests fostering collaboration between security and development teams, comprehensive API monitoring, and deploying integrated security solutions to mitigate these risks.

Risks: Web App & API Vulnerability, Shadow IT/Exposed Assets, Other

CVEs:

Keywords: API Security, Bot Attacks, Financial Loss, Digital Transformation, Enterprise Risk, Cyber Threats

Affected:

Read More

2024-10-07

Chinese Hackers Breach Major U.S. Telecom Networks

Learn about the vulnerabilities in major telecom networks and the potential security gaps in their infrastructure.

Chinese hackers, suspected to be linked to China's Ministry of State Security, have infiltrated major U.S. telecommunications providers such as Verizon, AT&T, and Lumen. The hackers have been inside these networks for months, primarily seeking information on federal wiretap requests, but potentially accessing broader internet traffic. The breach has led to a significant investigation by the FBI and other U.S. agencies. The hackers' sophisticated methods, including reconfiguring Cisco routers, highlight serious security vulnerabilities. This operation is separate from other Chinese cyber activities targeting U.S. critical infrastructure.

Risks: Misconfiguration, Sensitive Data

CVEs:

Keywords: Telecommunications, Chinese Hackers, Data Breach, Cisco Routers, National Security

Affected: Verizon, AT&T, Lumen, Cisco routers

Read More

2024-10-07

Critical Vulnerability in Apache Avro SDK Allows Remote Code Execution

Discover the critical importance of securing data serialization processes to prevent potential remote code execution vulnerabilities in widely used open-source frameworks.

A critical vulnerability in the Apache Avro Java SDK, affecting versions prior to 1.11.4, allows remote code execution by exploiting schema parsing. This flaw impacts applications that permit user-supplied Avro schemas, potentially enabling arbitrary code execution during data serialization. The vulnerability can be triggered through specific directives and is relevant to users of Apache Avro, a widely used open-source data serialization framework.

Risks: Open Source, Web App & API Vulnerability, Supply Chain

CVEs: CVE-2024-47561

Keywords: Apache Avro, Remote Code Execution, CVE-2024-47561, Data Serialization, Java SDK Vulnerability

Affected: Apache Avro

Read More

2024-10-05

Stored XSS Vulnerability Found in WordPress LiteSpeed Cache Plugin

Learn about the significant risks posed by vulnerabilities in popular WordPress plugins and the importance of securing web assets against opportunistic attacks.

Risks: Web App & API Vulnerability, Open Source, Patch Management

CVEs: CVE-2024-47374; CVE-2024-44000; CVE-2024-43917; CVE-2024-7772

Keywords: WordPress, LiteSpeed Cache, XSS, Vulnerability, CVE-2024-47374, Plugin Security

Affected: WordPress, LiteSpeed Cache plugin, TI WooCommerce Wishlist plugin, Jupiter X Core WordPress plugin

Read More

2024-10-04

Critical Security Flaws Found in US Government IT Systems

Learn about the importance of robust access control in government IT systems to prevent unauthorized data access and manipulation.

A range of high- and critical-severity vulnerabilities have been identified in government IT systems across the US, affecting platforms that manage sensitive information like Social Security numbers and voter registrations. These issues, uncovered by researcher Jason Parker, include access control flaws that allow unauthorized actions such as canceling voter registrations or escalating user privileges in public records systems. Notable affected platforms include Georgia's voter cancellation portal and Granicus' GovQA, both of which had vulnerabilities allowing data leakage and unauthorized account modifications. While some vulnerabilities have been patched, the widespread presence of these issues highlights the ongoing security challenges faced by government IT systems.

Risks: Sensitive Data, Over Permissive Roles & Privilege Escalation, Web App & API Vulnerability

CVEs:

Keywords: Access Control, Government Vulnerabilities, Public Records Security, Granicus GovQA, Voter Registration Portal

Affected: Georgia voter cancellation portal, Granicus GovQA, Thomson Reuters C-Track eFiling, court record systems in Florida, court record systems in Arizona, court record systems in Georgia, court record systems in South Carolina

Read More

2024-10-04

DrayTek Routers Exposed to Hacking via 14 Vulnerabilities

Learn about the importance of securing network devices and the critical role of patch management to protect enterprise networks from vulnerabilities.

Over 700,000 DrayTek routers are vulnerable to hacking due to 14 newly discovered security flaws, collectively known as DRAY:BREAK. These vulnerabilities can be exploited to gain unauthorized control over the devices, potentially allowing attackers to use them as entry points into enterprise networks. Among these, two flaws are rated critical, with one having the highest severity score due to a buffer overflow issue that could result in denial-of-service or remote code execution. To protect against these vulnerabilities, it is advised to patch affected devices, disable unnecessary remote access, and implement access control measures and two-factor authentication.

Risks: Patch Management, Web App & API Vulnerability, Weak or Compromised Credentials

CVEs: CVE-2024-41592; CVE-2024-41585; CVE-2024-41589; CVE-2024-41591

Keywords: DrayTek, router vulnerabilities, remote code execution, buffer overflow, network security

Affected: DrayTek routers

Read More

2024-10-04

8220 Hacker Group Uses New Tools to Exploit Oracle WebLogic Vulnerabilities

Learn how vulnerabilities in cloud environments can be exploited by sophisticated attackers, highlighting the critical importance of robust cloud security solutions.

The 8220 hacker group, known for targeting both Windows and Linux web servers with crypto-jacking malware, has enhanced its capabilities with two new tools, Hadooken and K4Spreader. These tools exploit vulnerabilities in Oracle WebLogic servers to execute remote code without authentication, deploying malware like the Tsunami backdoor and PwnRig cryptominer. The attack chain involves using scripts to disable cloud protection and propagate via SSH brute-force on Linux, while attempting to install a cryptominer on Windows through PowerShell. The attacks, impacting cloud services like Oracle Cloud, are geographically concentrated in Asia and South America, and share tactics with previous cases, strongly suggesting the involvement of the 8220 Gang.

Risks: Web App & API Vulnerability, Malware, Weak or Compromised Credentials

CVEs: CVE-2017-10271; CVE-2020-14883

Keywords: 8220 Gang, Hadooken, K4Spreader, Oracle WebLogic, Crypto-jacking, Cloud Security, Remote Code Execution

Affected: Windows, Linux, Oracle WebLogic, SSH, Oracle Cloud, Drupal, Apache Struts

Read More

2024-10-04

Perfctl Malware Exploits Linux Servers for Crypto Mining and Proxyjacking

Learn about the stealthy perfctl malware targeting Linux servers and how to protect cloud environments from sophisticated attacks.

The article discusses a new malware campaign targeting Linux servers with a sophisticated malware called perfctl, designed to run cryptocurrency mining and proxyjacking software. Perfctl is stealthy, stopping its activities when a user logs in and resuming when the server is idle. It exploits a known security flaw to gain root access and deploys a cryptocurrency miner. The malware mimics legitimate system processes to avoid detection, and uses techniques like deleting its initial binary to cover its tracks. It also drops a rootkit for defense evasion and can retrieve proxyjacking software from a remote server. To mitigate risks, it's recommended to keep systems updated, restrict file execution, disable unused services, enforce network segmentation, and implement Role-Based Access Control (RBAC). Detection involves monitoring for unusual CPU usage or system slowdowns.

Risks: Malware, Over Permissive Roles & Privilege Escalation, Web App & API Vulnerability

CVEs: CVE-2021-4043

Keywords: Linux servers, perfctl malware, cryptocurrency mining, proxyjacking, Polkit vulnerability, Apache RocketMQ

Affected: Linux servers, Apache RocketMQ, Polkit

Read More

2024-10-04

Jenkins Releases Patches for Critical Server and Plugin Vulnerabilities

Learn about the critical role of timely patch management to prevent vulnerabilities from exposing your cloud automation tools.

Jenkins has issued patches to address multiple vulnerabilities of varying severities in its server and plugins. These include two medium-severity flaws that could expose sensitive information and bypass creation restrictions, as well as high-severity issues in the OpenId Connect Authentication plugin that could potentially grant unauthorized administrator access. Additionally, a medium-severity flaw in the Credentials plugin could allow attackers to view encrypted credential values. The patches are designed to mitigate these risks by redacting sensitive information and ensuring proper validation and access control.

Risks: Patch Management, Sensitive Data, Over Permissive Roles & Privilege Escalation, Open Source

CVEs: CVE-2024-47803; CVE-2024-47804; CVE-2024-47806; CVE-2024-47807

Keywords: Jenkins, CI/CD, Vulnerabilities, OpenId Connect, Credentials Plugin, Patch Management

Affected: Jenkins, OpenId Connect Authentication plugin, Credentials plugin

Read More

2024-10-04

Sellafield Ltd Fined for Cybersecurity Failings

Learn about the costly consequences of cybersecurity non-compliance in critical infrastructure and how to prevent it.

Sellafield Ltd, a UK nuclear waste processing firm, was fined £332,500 by the Office for Nuclear Regulation due to cybersecurity shortcomings over four years. While Sellafield did not face a successful cyberattack or compromise public safety, it failed to adhere to its own cybersecurity standards for safeguarding sensitive nuclear information. The company has since implemented improvements to its systems and structures.

Risks: Inadequate Network Segmentation, Sensitive Data

CVEs:

Keywords: Sellafield, Nuclear Security, ONR Fine, Cyber Compliance, Critical Infrastructure

Affected: Sellafield Ltd

Read More

2024-10-04

Rackspace Data Breach from Zero-Day Vulnerability in ScienceLogic Platform

Learn about the risks of third-party vulnerabilities and the importance of timely patch management to protect cloud infrastructure.

Rackspace experienced a data breach due to a zero-day vulnerability in a third-party tool within the ScienceLogic SL1 platform, which it uses for IT infrastructure monitoring. The breach exposed limited customer monitoring data, including account details and encrypted credentials. ScienceLogic quickly patched the vulnerability and assisted affected customers. In response, Rackspace disabled certain monitoring features to mitigate risk and rotated exposed credentials to prevent further exploitation. The breach highlights potential risks of third-party vulnerabilities and the importance of timely patching and response.

Risks: Zero-Day, Sensitive Data, Patch Management, Third-Party Vendor/SaaS

CVEs:

Keywords: Rackspace, ScienceLogic, Zero-Day Vulnerability, Data Breach, Cloud Monitoring

Affected: Rackspace, ScienceLogic SL1

Read More

2024-10-02

Malicious Packages in PyPI Target Cryptocurrency Wallets

Got some real good FUD for you: learn about the dangers of supply chain attacks.

Malicious packages were discovered in the Python Package Index (PyPI) posing as cryptocurrency wallet recovery tools but were designed to steal sensitive data from users of popular wallets like Atomic, Trust Wallet, and Metamask. These packages deceptively attracted users by offering legitimate-sounding features and displaying fake popularity statistics. They employed sophisticated techniques, such as obfuscating malicious functionality and dynamically retrieving server information, to avoid detection and facilitate data exfiltration. This incident underscores the need for robust security practices and vigilant monitoring to protect against such complex threats.

Risks: Malware, Supply Chain, Open Source

CVEs:

Keywords: PyPI, Cryptocurrency, Wallet Recovery, Data Theft, Supply Chain Attack

Affected: Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus

Read More

2024-10-02

Storm-0501 Exploits Weak Hybrid Cloud Credentials for Ransomware Attacks

Need some FUD? Discover how weak identity management in hybrid cloud environments can lead to devastating ransomware attacks and learn how to protect your customers with Check Point solutions.

Storm-0501, a ransomware group active since 2021, has shifted its tactics from buying initial access to exploiting weak passwords and overprivileged accounts in hybrid cloud environments. By targeting Entra ID credentials, Storm-0501 breaches on-premises systems and pivots to cloud environments, enabling data tampering, backdoor access, and ransomware deployment. They exploit poor password management and lack of multifactor authentication to gain control. The incident underscores the importance of robust security measures, including strong identity and access management, least privilege principles, and advanced email security to prevent such attacks.

Risks: Weak or Compromised Credentials, Over Permissive Roles & Privilege Escalation, Malware

CVEs:

Keywords: Storm-0501, Ransomware, Hybrid Cloud, Entra ID, Credential Theft, Microsoft

Affected: Microsoft Entra ID, Active Directory, Hybrid Cloud Environments

Read More

2024-10-01

Cryptojacking Campaign Targets Exposed Docker API to Create Botnet

Need some FUD? Want to demonstrate how vulnerable cloud container environments can be to cryptojacking attacks? This is for you!

Cybersecurity researchers have identified a new cryptojacking campaign that targets the Docker Engine API to form a malicious Docker Swarm botnet. This attack uses Docker's orchestration features for command-and-control purposes, deploying cryptocurrency miners on compromised containers. The campaign exploits unauthenticated, exposed Docker API endpoints to gain initial access, and uses additional scripts to move laterally to Docker, Kubernetes, and SSH endpoints within a network. The malware employs a rootkit to hide its processes and utilizes Docker Hub-hosted images to propagate itself. It also compromises SSH servers to maintain persistent access and exfiltrates sensitive credentials from cloud environments. The attack highlights the dangers of exposed Docker API endpoints and the appeal of cryptojacking for threat actors due to potential high rewards.

Risks: Shadow IT/Exposed Assets, Malware, Misconfiguration

CVEs:

Keywords: Docker, Cryptojacking, Botnet, Cloud Security, Lateral Movement

Affected: Docker, Docker Swarm, Kubernetes, SSH, Amazon Web Services, Google Cloud, Samba, GitHub Codespaces

Read More

2024-09-30

Critical NVIDIA Container Toolkit Vulnerability Threatens AI Applications

Learn about a critical vulnerability affecting AI applications using NVIDIA hardware and understand the importance of robust security measures in cloud environments.

A critical vulnerability in the NVIDIA Container Toolkit affects AI applications using NVIDIA hardware in both cloud and on-premises environments. This flaw allows attackers to perform container escape attacks, potentially gaining full control over the host system to execute commands or steal sensitive data. Affecting over 35% of cloud environments, the vulnerability arises from inadequate isolation between containerized GPUs and the host, enabling unauthorized access to sensitive host resources. The flaw, which affects NVIDIA Container Toolkit 1.16.1 and earlier versions, has a critical severity rating. Technical details remain undisclosed to allow organizations time to address the issue.

Risks: Patch Management, Cloud Service Provider Flaw, Other

CVEs: CVE-2024-0132

Keywords: NVIDIA Container Toolkit, AI Vulnerability, Container Escape, Cloud Security, GPU Exploit

Affected: NVIDIA Container Toolkit, AI applications, cloud environments

Read More

2024-09-30

Kia Web Portal Flaw Exposes Millions of Vehicles to Remote Hacking

Want to showcase the critical need for robust web security in the automotive industry? Discover how web-based vulnerabilities can put millions of vehicles at risk.

Researchers discovered a vulnerability in a Kia web portal that allowed them to track, unlock, and start millions of vehicles remotely by exploiting a simple website flaw. This issue, part of a broader trend of web-based security weaknesses affecting several car manufacturers, highlights significant risks in the automotive industry's digital systems. Despite Kia addressing the flaw, the problem persists across the industry, with similar vulnerabilities found in other car brands, posing potential threats to vehicle control and data security.

Risks: Web App & API Vulnerability, Over Permissive Roles & Privilege Escalation

CVEs:

Keywords: Kia, Vehicle Hacking, Web Portal Vulnerability, Automotive Cybersecurity, Connected Cars

Affected: Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls Royce, Ferrari, Toyota, Lexus

Read More

2024-09-30

Flax Typhoon Botnet Exploits 66 Vulnerabilities in Network Devices

Learn about the importance of proactive threat detection and the need for comprehensive security measures to protect against sophisticated botnet attacks.

Flax Typhoon, a cyber threat actor, is exploiting 66 vulnerabilities in routers, IoT devices, and web-facing applications to gain unauthorized access to organizations in Taiwan and extract sensitive information. The botnet targets technologies like Apache, Cisco, and Zyxel, among others. The United States hosts nearly half of the compromised devices, with a significant portion of these vulnerabilities already known or weaponized. Recommended mitigations include disabling unused services, implementing network segmentation, monitoring network traffic, applying patches, and using strong passwords.

Risks: Patch Management, Malware, Web App & API Vulnerability, Weak or Compromised Credentials, Inadequate Network Segmentation

CVEs:

Keywords: Flax Typhoon, Botnet, Vulnerabilities, Network Security, Exploits, IoT Devices, Apache, Cisco

Affected: Apache, Cisco, Zyxel, QNAP, Fortinet, Draytek, WordPress, Telesquare, Ivanti, IBM, F5, Contec, Chamilo

Read More

2024-09-26

MoneyGram Takes Systems Offline Following Cyberattack

Learn how proactive cybersecurity measures can prevent business disruptions and protect sensitive data in the face of ransomware threats.

MoneyGram recently experienced a cyberattack that prompted the company to take its systems offline to investigate and protect its network, impacting service availability. The company is collaborating with law enforcement and cybersecurity experts to address the issue and restore operations. There are concerns about potential data theft, as the incident may involve ransomware, a common threat that encrypts data and demands a ransom. MoneyGram is focused on resolving the situation and ensuring data security.

Risks: Sensitive Data, Ransomware

CVEs:

Keywords: MoneyGram, Cyberattack, Ransomware, Data Breach, System Offline

Affected: MoneyGram

Read More

2024-09-25

Critical Vulnerability in Ivanti vTM Allows Unauthorized Admin Access

Learn about the critical importance of patch management and how unpatched vulnerabilities can lead to unauthorized access in cloud environments.

CISA has identified a critical security flaw in Ivanti Virtual Traffic Manager (vTM) that is being actively exploited, allowing attackers to bypass authentication and create unauthorized admin accounts. This vulnerability was patched in August 2024, but some systems remain unpatched and vulnerable. Ivanti confirmed that a proof-of-concept for this exploit is available, and there have been active exploitations of other vulnerabilities in Ivanti devices recently. As of late September 2024, there are over 2,000 exposed Ivanti Cloud Service Appliance instances online, predominantly in the U.S., with an unknown number still at risk.

Risks: Patch Management, Web App & API Vulnerability, Shadow IT/Exposed Assets

CVEs: CVE-2024-7593; CVE-2024-8190; CVE-2024-8963

Keywords: Ivanti vTM, CVE-2024-7593, Authentication Bypass, Patch Management, Cloud Security

Affected: Ivanti Virtual Traffic Manager, Ivanti Cloud Service Appliance

Read More

2024-09-25

Critical RCE Vulnerability Discovered in All GNU/Linux Systems

Learn about the critical importance of vulnerability management and proactive security measures in protecting Linux-based systems from severe threats.

A critical unauthenticated Remote Code Execution (RCE) vulnerability affecting all GNU/Linux systems has been discovered, with a severity rating of 9.9 out of 10, indicating its potential for severe exploitation. The flaw, which has been present for over a decade, will be fully disclosed shortly, but no fix is currently available. Leading Linux distributors acknowledge the vulnerability's seriousness, yet developers are debating its security implications. The researcher who identified the flaw has faced challenges in the disclosure process, despite providing multiple proofs of concept to demonstrate the vulnerability's impact.

Risks: Zero-Day, Open Source

CVEs:

Keywords: GNU/Linux, RCE vulnerability, Canonical, RedHat, security flaw, Linux distributions

Affected: GNU/Linux, Canonical, RedHat

Read More

2024-09-25

Deloitte Server Breach Claims No Sensitive Data Compromised

Learn about the risks of unsecured cloud services and how proactive security measures can protect sensitive data.

Deloitte has confirmed a security incident involving an internet-exposed Apache Solr server accessed with default credentials. The hacker, IntelBroker, claims to have stolen data including email addresses and internal communications. Despite these claims, Deloitte asserts that there is no threat to client or sensitive data, and the impact of the breach is limited.

Risks: Misconfiguration, Weak or Compromised Credentials, Shadow IT/Exposed Assets

CVEs:

Keywords: Deloitte, Apache Solr, Data Breach, IntelBroker, Cloud Security

Affected: Deloitte, Apache Solr

Read More

2024-09-25

ChatGPT Vulnerability Allows Data Exfiltration via AI Memory Manipulation

Need some FUD to highlight AI vulnerabilities? Discover how easily AI memory can be exploited, emphasizing the need for robust security solutions.

A vulnerability in ChatGPT's long-term memory feature allowed attackers to plant false memories and exfiltrate user data indefinitely through prompt injections. Security researcher Johann Rehberger exploited this flaw to demonstrate how malicious instructions could be stored and used to manipulate future interactions with the AI. Despite OpenAI implementing a partial fix, the exploit could still be initiated via untrusted content such as links or images. The researcher showed how the vulnerability enabled all user inputs and AI outputs to be transmitted to an attacker's server, highlighting ongoing security challenges in handling AI memory.

Risks: Web App & API Vulnerability, Other

CVEs:

Keywords: ChatGPT, AI Security, Data Exfiltration, Memory Manipulation, Prompt Injection

Affected: ChatGPT, Google Drive, Microsoft OneDrive, Bing

Read More

2024-09-24

Microsoft Launches Secure Future Initiative to Strengthen Cybersecurity

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Microsoft services? This article is for you!

Microsoft's Secure Future Initiative (SFI) is a comprehensive effort to enhance cybersecurity following significant breaches involving state-sponsored espionage. Launched in November 2023, SFI aims to address past security failings by focusing on six key engineering pillars, including identity protection, tenant isolation, and network security. Key measures include the removal of unused applications and tenants, deployment of secure devices, and improved processes for handling critical vulnerabilities. This initiative is part of Microsoft's strategy to integrate security as a core company priority and improve transparency and accountability in its security practices.

Risks: Inadequate Network Segmentation, Weak or Compromised Credentials, Cloud Service Provider Flaw

CVEs:

Keywords: Microsoft, Secure Future Initiative, cloud security, state-sponsored attacks, network isolation

Affected: Microsoft-hosted email accounts, Microsoft network, Microsoft Entra ID, Microsoft Account (MSA), Microsoft cloud environment

Read More

2024-09-24

Versa Networks Vulnerability Exposes Authentication Tokens

Learn about the importance of securing API endpoints and how vulnerabilities can expose critical authentication tokens.

Versa Networks has released patches for a vulnerability in their Versa Director platform that could lead to the exposure of authentication tokens. This flaw, found in the REST API used for orchestration and management, could be exploited if the Director is directly connected to the internet, allowing attackers to access other users' tokens and invoke additional APIs. However, if the Director is protected by a firewall or API gateway, the risk is mitigated. Organizations are advised to apply the updates and monitor for any malicious activity as recommended by the US cybersecurity agency CISA.

Risks: Patch Management, Web App & API Vulnerability, Shadow IT/Exposed Assets

CVEs: CVE-2024-45229

Keywords: Versa Networks, Authentication Tokens, REST API Vulnerability, CVE-2024-45229, Cybersecurity Patch

Affected: Versa Networks, Versa Director

Read More

2024-09-23

New Splinter Tool Poses Threat to IT Environments and Cloud Accounts

Need some FUD? Discover how advanced post-exploitation tools like Splinter are targeting cloud service accounts and compromising IT environments, highlighting the critical need for robust cloud security solutions.

Splinter is a new post-exploitation tool being used by attackers to infiltrate and disrupt IT environments. After initial access, it can execute Windows commands, steal files, gather cloud service account information, and download additional malware before self-deleting. Unlike the legitimate red-teaming tool Cobalt Strike, Splinter is designed for malicious use and is written in Rust, resulting in large file sizes. It uses a JSON configuration to manage communication with a command-and-control server, allowing attackers to remotely execute various tasks on compromised systems.

Risks: Malware, Sensitive Data, Weak or Compromised Credentials

CVEs:

Keywords: Splinter, Post-Exploitation, Cloud Security, Rust, Command-and-Control, Data Theft

Affected:

Read More

2024-09-23

Ivanti Cloud Service Appliance Vulnerability Allows Unauthorized Access

Learn about the critical importance of timely patch management to protect against severe vulnerabilities and active exploitation.

Ivanti has disclosed a critical security flaw in its Cloud Service Appliance (CSA) that is being actively exploited, posing a significant risk with a severity score of 9.4. This vulnerability, present in CSA versions before 4.6 Patch 519, allows unauthorized remote access and can be exploited alongside another flaw to bypass admin authentication and execute commands. With evidence of limited exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to apply necessary fixes by October 10, 2024. Users are urged to upgrade to CSA version 5.0 as version 4.6 is no longer supported.

Risks: Patch Management, Web App & API Vulnerability

CVEs: CVE-2024-8963; CVE-2024-8190

Keywords: Ivanti, Cloud Service Appliance, CVE-2024-8963, Path Traversal, Vulnerability Exploitation

Affected: Ivanti

Read More

2024-09-23

High-Severity Vulnerability Found in FreeBSD Hypervisor bhyve

Learn about the critical importance of patch management to secure virtual environments and protect against potential host system compromises.

A high-severity vulnerability in the FreeBSD hypervisor, bhyve, could allow malicious software running in a guest virtual machine to execute code on the host system. This vulnerability stems from insufficient boundary validation in the USB code, potentially leading to remote code execution. The FreeBSD Project has issued a patch, and users are advised to update their systems to mitigate this risk. The vulnerability does not affect guests that do not use XHCI emulation, and no workaround is available.

Risks: Patch Management, Over Permissive Roles & Privilege Escalation, Open Source

CVEs: CVE-2024-41721

Keywords: FreeBSD, bhyve, Hypervisor Vulnerability, CVE-2024-41721, Virtual Machine Security, Remote Code Execution

Affected: FreeBSD, bhyve

Read More

2024-09-22

Cybercriminals Exploit Foundation Software in Construction Industry

New opportunity - companies in the construction industry are under threat from software vulnerabilities. Time to get out your rolodex.

Threat actors are exploiting vulnerabilities in Foundation accounting software, commonly used by contractors in the construction industry, to gain administrative access via MSSQL. This access is facilitated through a publicly exposed TCP port 4243, used by a mobile app feature of the software. Attackers are leveraging this exposure to brute-force credentials and exploit default system admin accounts, thereby executing automated attacks through scripts.

Risks: Misconfiguration, Weak or Compromised Credentials, Shadow IT/Exposed Assets, Over Permissive Roles & Privilege Escalation

CVEs:

Keywords: Foundation software, MSSQL vulnerabilities, construction industry cyberattack, mobile app security, administrative access breach

Affected: Foundation accounting software, MSSQL, construction industry, plumbing sub-industry, HVAC sub-industry, concrete sub-industry

Read More

2024-09-22

Deloitte Breached Due to Exposed Apache Solr Server

Learn about the critical importance of securing misconfigured systems to protect sensitive communications and prevent costly breaches.

A significant data breach at Deloitte was allegedly caused by IntelBroker, who exploited an Apache Solr server exposed with default login credentials, leading to unauthorized access to sensitive internal communications. This incident highlights the risks associated with misconfigured systems and underscores the necessity of securing digital infrastructures as organizations increasingly depend on them. Despite law enforcement actions against platforms like BreachForums, where such breaches are often facilitated, these threats persist, emphasizing the ongoing challenges in cybersecurity.

Risks: Misconfiguration, Weak or Compromised Credentials, Shadow IT/Exposed Assets

CVEs:

Keywords: Deloitte, Data Breach, IntelBroker, Apache Solr, BreachForums, Misconfigured Systems

Affected: Deloitte, Apache Solr

Read More

2024-09-20

Critical Oracle Vulnerabilities Allow Remote Code Execution

Learn about the critical importance of securing Oracle environments and the potential risks of unpatched vulnerabilities in cloud services.

CISA has issued a warning about two critical Oracle vulnerabilities affecting JDeveloper and WebLogic Server, which are being actively exploited. These vulnerabilities can allow unauthenticated attackers to execute remote code and take control of systems, impacting a wide range of Oracle applications and services, including cloud services. The flaws were initially identified as severe threats due to their potential for exploitation across many Oracle platforms.

Risks: Patch Management, Web App & API Vulnerability

CVEs: CVE-2022-21445; CVE-2020-14644

Keywords: Oracle, Vulnerabilities, Remote Code Execution, JDeveloper, WebLogic Server, ADF Faces, CISA Alert

Affected: JDeveloper, WebLogic Server, Oracle Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, Transportation Management

Read More

2024-09-19

Critical SAML Authentication Flaw in GitLab Requires Immediate Patching

Learn about the critical importance of securing authentication protocols and the role of patch management in preventing unauthorized access.

GitLab has issued critical patches for a severe vulnerability in both its Community and Enterprise Editions, related to a flaw in the ruby-saml library that allows authentication bypass. The flaw stems from improper signature verification of SAML Responses, potentially enabling attackers to log in as arbitrary users. While GitLab hasn't confirmed active exploitation, there are indications of attempted attacks. Users are advised to apply the patches promptly to secure their systems against potential unauthorized access.

Risks: Patch Management, Open Source, Web App & API Vulnerability

CVEs: CVE-2024-45409

Keywords: GitLab, ruby-saml, SAML vulnerability, authentication bypass, critical CVE

Affected: GitLab, ruby-saml library

Read More

2024-09-19

TeamTNT Targets CentOS VPS with New Cryptojacking Campaign

Need some FUD? Discover how TeamTNT is exploiting cloud vulnerabilities and demonstrate the critical need for robust cloud security solutions.

TeamTNT has launched a new cryptojacking campaign targeting CentOS-based Virtual Private Servers (VPS) by exploiting SSH vulnerabilities. After gaining initial access through brute force attacks, the attackers deploy a malicious script that disables security measures, removes logs, and hides their activities using the Diamorphine rootkit. They ensure persistence by setting up cron jobs and backdoor accounts, while also eliminating competing cryptocurrency mining processes. The attack has been linked to TeamTNT due to the familiar tactics and procedures observed.

Risks: Weak or Compromised Credentials, Malware

CVEs:

Keywords: TeamTNT, Cryptojacking, CentOS, VPS Security, SSH Brute Force, Cloud Threats

Affected: CentOS, VPS, SSH, Alibaba

Read More

2024-09-18

AT&T Pays $13 Million Following Customer Data Breach

Want some FUD to demonstrate the $$$ effect of breaches (and maybe check for a possible opportunity)? Read about AT&T's costly data breach settlement and its implications.

AT&T has agreed to pay $13 million to settle an investigation by the FCC regarding a data breach in January 2023 that affected 8.9 million wireless customers. This breach involved a cloud vendor's mishandling of data that should have been deleted years earlier. In response, AT&T will enhance its data governance and vendor data management practices to prevent future breaches. Additionally, the FCC is investigating a separate incident where a massive breach in April 2023 resulted in the illegal downloading of 109 million customer accounts, involving call and text data from 2022 stored on a cloud platform.

Risks: Sensitive Data, Third-Party Vendor/SaaS

CVEs:

Keywords: AT&T, Data Breach, FCC Settlement, Cloud Vendor, Customer Data Leak

Affected: AT&T, Snowflake

Read More

2024-09-18

Critical Vulnerability in AutoGPT Allows Unauthorized Command Execution

Learn about the critical vulnerability in AutoGPT's security mechanisms and the importance of robust denylist implementations to safeguard cloud environments.

A critical vulnerability in the AutoGPT library's shell command denylist feature allows attackers to bypass restrictions and execute unauthorized commands, including with root privileges. The flaw stems from the ineffective blocking of command execution, as attackers can use symbolic links or specify full command paths to circumvent the denylist. This vulnerability is exploited through Docker Compose, enabling unauthorized access to system resources and posing significant security risks to users of AutoGPT.

Risks: Web App & API Vulnerability, Open Source, Over Permissive Roles & Privilege Escalation

CVEs:

Keywords: AutoGPT, vulnerability, command execution, security flaw, Docker Compose

Affected: AutoGPT

Read More

2024-09-18

NHS Hospitals in London Hit by Ransomware, Leaking Patient Data

Learn about the growing threat of ransomware in healthcare and how to position CloudGuard as a solution to safeguard sensitive patient data.

In a significant ransomware attack on NHS hospitals in London, nearly one million patients had their personal and sensitive medical information leaked online. The attack, carried out by the Qilin ransomware gang, exposed details such as requests for medical appointments and tests, impacting individuals with conditions like cancer and STIs. Despite Synnovis and NHS England being responsible for data protection, they have not provided an official count of those affected. Although Synnovis has restored its IT systems, many patients remain unaware of the data breach. This incident highlights the increasing trend of ransomware attacks in the healthcare sector, which now represents over 12% of reported cyber extortion breaches in the first half of 2024.

Risks: Sensitive Data, Malware, Third-Party Vendor/SaaS

CVEs:

Keywords: NHS, ransomware, data breach, Qilin gang, healthcare cybersecurity

Affected: NHS, Synnovis, Qilin ransomware gang

Read More

2024-09-18

Critical Vulnerability Found in VMware vCenter Server

Learn about the critical importance of timely patch management to protect cloud infrastructures from severe vulnerabilities.

VMware has released a patch for a critical vulnerability in vCenter Server that allows remote code execution due to a heap-overflow issue in the DCE/RPC protocol. This flaw, with a high severity score, could be exploited by attackers with network access through specially crafted network packets. In addition to this, VMware addressed another privilege escalation vulnerability in vCenter Server, which could enable attackers to gain root access. These issues are related to memory management and corruption, affecting VMware vCenter services. The update coincides with a joint advisory from CISA and the FBI, urging organizations to address cross-site scripting vulnerabilities to prevent system breaches.

Risks: Patch Management, Over Permissive Roles & Privilege Escalation, Web App & API Vulnerability

CVEs: CVE-2024-38812; CVE-2024-37079; CVE-2024-37080; CVE-2024-38813

Keywords: VMware, vCenter Server, Remote Code Execution, CVE-2024-38812, Patch Management

Affected: VMware, vCenter Server

Read More

2024-09-17

Kawasaki Motors Europe Data Leaked After Ransomware Attack

Learn about the financial and reputational risks of ransomware attacks and how isolation and recovery strategies can mitigate damage.

The RansomHub ransomware group has leaked 487 gigabytes of data allegedly stolen from Kawasaki Motors Europe after a failed extortion attempt. Kawasaki had disclosed the incident, stating they were recovering from a cyberattack and had isolated servers as a precaution. They reported restoring over 90% of server functionality. Despite not specifying the attack type, the RansomHub group had already added Kawasaki to its leak site before the official disclosure, ultimately releasing the data when their ransom demand was not met.

Risks: Malware, Sensitive Data

CVEs:

Keywords: Kawasaki, Ransomware, Data Leak, RansomHub, Cyberattack

Affected: Kawasaki Motors Europe

Read More

2024-09-17

SolarWinds Patches Critical RCE Vulnerability in Access Rights Manager

Learn about the importance of patch management and how addressing vulnerabilities proactively can protect critical systems from potential remote code execution threats.

SolarWinds has released patches for its Access Rights Manager (ARM) software to fix two security vulnerabilities, including a critical flaw that could lead to remote code execution due to improper validation of user-supplied data. The critical vulnerability has a high severity rating and involves deserialization of untrusted data. Additionally, a medium-severity flaw involving hard-coded credentials was also addressed. There is no indication that these vulnerabilities have been actively exploited.

Risks: Patch Management, Hardcoded Secrets, Web App & API Vulnerability

CVEs: CVE-2024-28991; CVE-2024-28990

Keywords: SolarWinds, Access Rights Manager, RCE Vulnerability, CVE-2024-28991, Security Patch

Affected: SolarWinds, Access Rights Manager

Read More

2024-09-17

Remote Access Software Vulnerabilities Targeted in 2024 Cyberattacks

Want to showcase the critical need for advanced security solutions in the face of escalating remote access vulnerabilities and sophisticated malware attacks? This article is for you!

In the first half of 2024, cybercriminals and state-sponsored actors increasingly targeted remote access software vulnerabilities, such as those found in Ivanti Secure Connect, PAN-OS, and Microsoft SmartScreen, despite the availability of patches. This trend highlights the growing sophistication of cyber threats and the significant risk they pose to organizations. Infostealers, particularly LummaC2, dominated the malware landscape by harvesting sensitive information for financial gain, while complex attack chains involving malware loaders like GuLoader and Remcos became more prevalent. Additionally, Magecart attacks surged by 103%, exploiting vulnerabilities in popular e-commerce platforms like Adobe Commerce.

Risks: Patch Management, Malware, Web App & API Vulnerability, Supply Chain

CVEs:

Keywords: Remote Access Vulnerability, Ivanti Secure Connect, PAN-OS, Microsoft SmartScreen, Infostealers, Magecart, Adobe Commerce

Affected: Ivanti Secure Connect, PAN-OS, Microsoft SmartScreen, Adobe Commerce

Read More

2024-09-16

Medusa Ransomware Exploits Fortinet FortiClient EMS Vulnerability

Need some ammo against Fortinet? Learn how their vulnerability led to sophisticated ransomware attacks.

The Medusa ransomware group is exploiting a critical vulnerability in Fortinet's FortiClient EMS software to carry out sophisticated ransomware attacks. This SQL injection flaw allows attackers to execute malicious code, manipulate request headers, and deploy ransomware on affected systems. Once they gain initial access, Medusa uses PowerShell scripts to exfiltrate data and deliver payloads, while evading detection with compromised remote monitoring tools. Effective defense strategies include prompt patch management, network segmentation, regular backups, and employee security awareness training.

Risks: Patch Management, Web App & API Vulnerability, Malware

CVEs: CVE-2023-48788

Keywords: Medusa Ransomware, Fortinet Vulnerability, SQL Injection, FortiClient EMS, Remote Monitoring Tools

Affected: Fortinet FortiClient EMS

Read More

2024-09-16

Critical Privilege Escalation Vulnerability in Azure API Management

Need some ammo against Microsoft Azure? Have a customer or prospect that uses Azure? This article is for you!

Recently, a critical security vulnerability was identified in Azure API Management (APIM) that allowed users with Reader-level access to escalate their privileges to Contributor-level access. This flaw enabled unauthorized users to modify and delete configurations by exploiting a weakness in the Azure Resource Manager API, bypassing existing security restrictions. Attackers could gain full management access, compromising the security of APIM resources and potentially accessing sensitive information across integrated systems. To mitigate this risk, experts advise restricting access to critical resources by making them private and limiting access to their own virtual network (VNET).

Risks: Over Permissive Roles & Privilege Escalation, Web App & API Vulnerability, Cloud Service Provider Flaw

CVEs:

Keywords: Azure API Management, Privilege Escalation, Microsoft Azure, Cloud Security, ARM API Vulnerability

Affected: Microsoft Azure, Azure API Management, Azure Resource Manager, Entra ID

Read More

2024-09-16

Google Cloud Composer Vulnerability Fixed to Prevent Dependency Confusion

Need some ammo against Google Cloud? Have a customer or prospect that uses Google Cloud? This article is for you!

Google has addressed a vulnerability in Google Cloud Composer, named CloudImposer, which could have allowed remote code execution by exploiting dependency confusion. This flaw involved the potential for attackers to upload a malicious package to the Python Package Index, which could then be preinstalled on all Composer instances with elevated permissions. The issue stemmed from the use of the --extra-index-url argument during package installations, prioritizing public registries and increasing the risk of dependency confusion. Google has fixed the vulnerability and recommends using the --index-url argument to mitigate such risks, ensuring packages are only fetched from specified registries. Additionally, they advise GCP customers to use an Artifact Registry virtual repository when multiple repositories are needed.

Risks: Supply Chain, Cloud Service Provider Flaw, Open Source

CVEs:

Keywords: Google Cloud, Cloud Composer, Dependency Confusion, Remote Code Execution, Supply Chain Attack

Affected: Google Cloud Composer, Python Package Index

Read More

2024-09-14

Ivanti Cloud Appliance Vulnerability Enables Remote Code Execution

Learn about the critical importance of keeping your cloud services updated to prevent potential security breaches.

Ivanti has issued a warning about the active exploitation of a high-severity vulnerability in its Cloud Services Appliance, which allows remote code execution if an attacker has admin privileges. This vulnerability affects versions up to 4.6 Patch 518, while the latest version, CSA 5.0, is not impacted. Although the exploitation has been confirmed in the wild, it targets a limited number of customers. Ivanti has not disclosed specifics about the attacks or the threat actors involved. This comes alongside a separate analysis by Horizon3.ai of a critical vulnerability in Ivanti's Endpoint Manager, also allowing remote code execution.

Risks: Patch Management, Over Permissive Roles & Privilege Escalation, Web App & API Vulnerability

CVEs: CVE-2024-8190; CVE-2024-29847

Keywords: Ivanti, Cloud Services Appliance, Remote Code Execution, Vulnerability, CVE-2024-8190, Endpoint Manager, Cybersecurity Threat

Affected: Ivanti Cloud Services Appliance, Ivanti Endpoint Manager

Read More

2024-09-14

23andMe pays $30 million settlement after data breach

Want some FUD to demonstrate the $$$ effect of breaches (and maybe check for a possible opportunity)? Read about 23andMe's disastrous breach outcomes.

23andMe has settled a lawsuit for $30 million following a data breach that exposed 6.4 million customers' personal information due to credential-stuffing attacks. The company has agreed to enhance its security measures, including implementing mandatory two-factor authentication, conducting annual cybersecurity audits, and establishing a data breach response plan. The breach, which occurred over five months in 2023, involved stolen health reports and genotype data. In response, 23andMe has also committed to revising its data retention policies and providing updated security training for employees.

Risks: Sensitive Data, Weak or Compromised Credentials

CVEs:

Keywords: 23andMe, data breach, credential stuffing, settlement, personal data

Affected: 23andMe

Read More

2024-09-13

Hadooken Malware Exploits Weak Passwords on Oracle WebLogic Servers

Learn about the risks of weak password management and how they can lead to severe malware infections in critical business systems.

An unknown attacker is exploiting weak passwords to compromise Oracle WebLogic servers and deploy a new Linux malware named Hadooken. This malware includes a cryptominer and the Tsunami malware, which acts as a DDoS botnet and backdoor, providing attackers with full remote control over infected machines. The initial attack involves executing malicious scripts to download the malware, create persistent cronjobs, and steal user credentials, allowing lateral movement to other servers. WebLogic, often used in critical business systems, is a frequent target due to its vulnerabilities.

Risks: Malware, Weak or Compromised Credentials

CVEs:

Keywords: Oracle WebLogic, Hadooken, Weak Passwords, Cryptominer, Tsunami Malware

Affected: Oracle WebLogic, financial services providers, e-commerce operations, business-critical systems

Read More

2024-09-13

Transport for London Confirms Data Breach Affecting Customers and Employees

Learn about the real-world impacts of a cyber incident on public infrastructure and the importance of robust security measures.

Transport for London (TfL) has confirmed a cyber incident in which the bank data of 5,000 customers and some employee details may have been accessed. As a result, 30,000 employees must reset their passwords in person. While TfL initially claimed no customer data had been compromised, it has since retracted this. The incident has led to significant disruptions, including the unavailability of live tube arrival information and the suspension of certain services such as new Oyster photocard applications. The breach has affected both customer and employee data, although currently only email addresses, job titles, and employee numbers are believed to have been accessed. The situation is ongoing, prompting an emergency management meeting and increased security measures. This event follows a previous 2023 identity theft incident involving a London Underground worker using a keylogger.

Risks: Sensitive Data, Weak or Compromised Credentials

CVEs:

Keywords: Transport for London, Data Breach, Customer Data, Employee Data, Cyber Incident

Affected: Transport for London

Read More

2024-09-13

Challenges and Improvements for Microsoft's Privileged Identity Management

Want to highlight the risks of overprivileged access in cloud environments? Learn how inadequate PIM practices can expose organizations to sophisticated threats.

Privileged Identity Management (PIM) within Microsoft Entra ID is designed to manage and monitor access to critical resources, enhancing security through principles like least privilege and just-in-time access. However, practical challenges often lead to overprivileged users, as organizations tend to assign excessive roles, such as Global Administrator, undermining security. Attackers can exploit these weaknesses, turning temporary access into continuous privilege. To bolster PIM's effectiveness, it's recommended to enforce strict role activation justifications, implement additional MFA, establish approval processes, and use anomaly detection to ensure genuine protection against evolving cyber threats.

Risks: Over Permissive Roles & Privilege Escalation, Insider Threats

CVEs:

Keywords: Privileged Identity Management, Microsoft Entra ID, Cloud Security, Access Control, Overprivileged Access

Affected: Microsoft Entra ID, Microsoft Azure, Microsoft 365, Microsoft Intune

Read More

2024-09-13

Critical Vulnerability in GitLab Allows Arbitrary Pipeline Execution

Learn about the critical importance of securing DevOps pipelines and the risks of unpatched vulnerabilities in software development environments.

GitLab has released critical updates to address multiple vulnerabilities, with the most severe flaw allowing attackers to execute pipelines as arbitrary users, posing a significant security risk due to its potential for remote exploitation and low privilege requirements. This vulnerability can enable attackers to perform unauthorized actions like stopping jobs in the pipeline. GitLab has previously addressed similar issues, highlighting a pattern of critical vulnerabilities in their pipeline execution process. Additionally, several high-severity vulnerabilities could allow attackers to disrupt services, execute unauthorized commands, or compromise sensitive resources.

Risks: Patch Management, Web App & API Vulnerability, Open Source

CVEs: CVE-2024-6678; CVE-2024-6385; CVE-2024-5655

Keywords: GitLab, Vulnerability, Pipeline Execution, CVE-2024-6678, DevOps Security

Affected: GitLab

Read More

2024-09-13

Selenium Grid Servers Exploited for Crypto Mining and Proxyjacking

Need to highlight the risks of misconfiguration in cloud environments? This article is your go-to for showcasing the importance of securing test automation tools.

Internet-exposed Selenium Grid servers are being exploited by threat actors for unauthorized cryptocurrency mining and proxyjacking activities due to a lack of default authentication. Attackers use vulnerabilities to inject malicious scripts, which deploy tools for selling internet bandwidth and mining cryptocurrency. These campaigns highlight the risks of misconfigured Selenium Grid instances and underscore the importance of enabling authentication to protect against such threats.

Risks: Misconfiguration, Shadow IT/Exposed Assets, Malware, Over Permissive Roles & Privilege Escalation

CVEs: CVE-2021-4043

Keywords: Selenium Grid, Crypto Mining, Proxyjacking, Misconfiguration, Cloud Security

Affected: Selenium Grid

Read More

2024-09-13

Cisco Patches Critical Vulnerabilities in IOS XR Software

Need some ammo against Cisco? Learn about the vulnerabilities in their network operating system and how Check Point can offer better protection.

Cisco has released security updates for its IOS XR software, addressing eight vulnerabilities, including six high-severity ones. The most critical flaw could allow attackers to gain root privileges through crafted commands, while another bug enables remote denial-of-service attacks. Additional vulnerabilities involve command injection and unauthorized command execution on certain routers, with resolutions planned in future updates. The fixes also cover issues related to Ethernet frame handling, segment routing, and medium-severity bugs that could lead to unauthorized file access or denial-of-service conditions.

Risks: Patch Management, Over Permissive Roles & Privilege Escalation, Web App & API Vulnerability

CVEs: CVE-2024-20398; CVE-2024-20304; CVE-2024-20483; CVE-2024-20489

Keywords: Cisco, IOS XR, Vulnerabilities, Network Security, PON Controller, Denial of Service, Command Injection

Affected: Cisco, IOS XR, NCS 540, NCS 5500, NCS 5700, Routed Passive Optical Network (PON) controller software

Read More

2024-09-13

Fortinet Confirms Data Breach Involving 440GB of Stolen Files

Need some ammo against Fortinet? This article is for you!

Fortinet, a cybersecurity company, confirmed a data breach in which a hacker claimed to have stolen 440GB of files from its Microsoft SharePoint server. The hacker, who attempted to extort Fortinet for a ransom, shared the stolen data on a hacking forum. Fortinet stated that the breach affected less than 0.3% of its customer base and did not lead to any malicious activity targeting its customers.

Risks: Weak or Compromised Credentials, Sensitive Data

CVEs:

Keywords: Fortinet, Data Breach, SharePoint, Azure, Cyber Extortion

Affected: Microsoft SharePoint, Fortinet

Read More

2024-09-13

Windows Installer Vulnerability Allows SYSTEM Privilege Escalation

Learn about the critical importance of privilege escalation vulnerabilities and how they can impact security, underscoring the need for robust defenses and timely patch management.

A vulnerability in Windows Installer allows malware or rogue users to gain SYSTEM-level privileges on a PC by exploiting a flaw during the repair process of an Installer package. The attack involves manipulating a brief window of opportunity during the repair process to gain elevated privileges, providing significant control over the system. This flaw is complex to fix, and Microsoft has requested more time to develop a patch. The vulnerability is already being exploited in the wild, highlighting the urgency for a resolution.

Risks: Patch Management, Over Permissive Roles & Privilege Escalation

CVEs: CVE-2024-38014

Keywords: Windows Installer, Privilege Escalation, CVE-2024-38014, SYSTEM Access, Vulnerability Exploit

Affected: Windows Installer

Read More

2024-09-13

Lehigh Valley Health Network Pays $65M Settlement After Ransomware Data Breach

Want some FUD to demonstrate the $$$ effect of breaches (and maybe check for a possible opportunity)? Read about Lehigh Valley Health Network's disastrous breach outcomes.

Lehigh Valley Health Network (LVHN), a Pennsylvania healthcare provider, has agreed to a $65 million settlement following a class-action lawsuit over a ransomware attack that occurred in early 2023. The breach, which began in January and was disclosed in February, resulted in unauthorized access to sensitive personal and medical data, including names, addresses, treatment details, and financial information. A limited number of clinical images, including nude photos, were also stolen and later leaked by the BlackCat ransomware group. The lawsuit claimed that LVHN failed to adequately protect patient data.

Risks: Sensitive Data, Malware

CVEs:

Keywords: Ransomware, Lehigh Valley Health Network, Data Breach, BlackCat, Healthcare Cybersecurity

Affected: Lehigh Valley Health Network, Lehigh Valley Physician Group – Delta Medix, Healthcare Industry

Read More

2024-09-13

Capgemini Data Breach Exposes 20GB of Sensitive Information

Need some FUD to highlight the risks of data breaches and the importance of securing cloud environments? This article is for you!

A cybercriminal has leaked 20GB of sensitive data allegedly stolen from Capgemini, a French IT and consulting firm. The leaked data reportedly includes databases, source code, private keys, employee information, and client-related files such as cloud infrastructure configurations. The attacker claims to have exfiltrated large files containing confidential company data, including Terraform configurations, and is offering the stolen information on a forum. Capgemini has not yet confirmed or denied the breach.

Risks: Sensitive Data, Weak or Compromised Credentials, Third-Party Vendor/SaaS

CVEs:

Keywords: Capgemini, Data Breach, Information Leak, Cloud Security, Terraform

Affected: Capgemini, T-Mobile, Terraform

Read More

2024-09-13

Palo Alto Networks Patches Critical Vulnerabilities in PAN-OS and Other Products

Need some ammo against Palo Alto Networks? Discover how vulnerabilities in their products could highlight opportunities for Check Point's superior security solutions.

Palo Alto Networks has released patches for numerous medium- and high-severity vulnerabilities affecting PAN-OS, Cortex XDR, ActiveMQ Content Pack, and Prisma Access Browser. The most critical of these is a command injection vulnerability in PAN-OS that allows authenticated administrators to execute arbitrary commands on the firewall. The updates also include fixes for multiple high-severity vulnerabilities in the Chromium-based Prisma Access Browser, some of which have been exploited in the wild. Other notable issues addressed include exposure of GlobalProtect portal passwords, file reading vulnerabilities, user impersonation flaws in PAN-OS, a Cortex XDR Agent vulnerability on Windows, and cleartext credential exposure in ActiveMQ Content Pack.

Risks: Patch Management, Over Permissive Roles & Privilege Escalation, Sensitive Data, Weak or Compromised Credentials

CVEs: CVE-2024-8686

Keywords: Palo Alto Networks, PAN-OS, Prisma Access, Cortex XDR, Vulnerability Patching, GlobalProtect

Affected: Palo Alto Networks, PAN-OS, Cortex XDR, ActiveMQ Content Pack, Prisma Access Browser, GlobalProtect

Read More

2024-09-12

Ivanti Releases Updates for Critical Vulnerabilities in Endpoint Manager

Learn about the critical importance of timely patch management and how vulnerabilities can impact key enterprise systems.

Ivanti has issued updates to fix several security vulnerabilities in its Endpoint Manager, including ten critical issues that could allow remote code execution. These updates also address high-severity vulnerabilities in Ivanti Workspace Control and Cloud Service Appliance. The company has enhanced its security measures to detect and resolve issues more efficiently. Meanwhile, Zyxel has released patches for a critical command injection flaw in its NAS devices.

Risks: Patch Management, Web App & API Vulnerability, Third-Party Vendor/SaaS

CVEs: CVE-2024-29847; CVE-2024-6342

Keywords: Ivanti, Endpoint Manager, Vulnerabilities, Remote Code Execution, Patch Management, Zyxel, CVE-2024-29847, CVE-2024-6342

Affected: Ivanti Endpoint Manager, Ivanti Workspace Control, Ivanti Cloud Service Appliance, Zyxel NAS devices

Read More

2024-09-11

Tewkesbury Borough Council Faces Cyber Attack, Systems Shut Down

Want to highlight the critical need for robust incident response and risk management in local government cybersecurity? This article is for you!

Tewkesbury Borough Council experienced a cyber attack on September 6, 2024, leading to a shutdown of its systems as a precautionary measure. While the incident is believed to be contained with no evidence of a data breach, the council is in the process of rebuilding its services and conducting forensic investigations. Due to the attack, job interviews and processing of formal complaints are suspended, and community support hubs have been established for residents. The council is focusing on a risk-based approach to restore services, underscoring the challenges local governments face in cybersecurity and the need for effective incident response protocols.

Risks: Other

CVEs:

Keywords: Tewkesbury, Cyber Attack, Local Government, Incident Response, Data Protection

Affected: Tewkesbury Borough Council

Read More

2024-09-11

Cybersecurity Staffing Shortage Challenges Threat Mitigation

Want to highlight the critical need for comprehensive cybersecurity solutions? Learn how staffing shortages and costly tools are impacting threat mitigation, presenting opportunities for Check Point's efficient solutions.

The ongoing shortage of qualified cybersecurity professionals is a major challenge for CISOs, leading to overstretched teams, burnout, and decreased effectiveness in threat mitigation. Cyber roles require a diverse skill set across IT disciplines, making them difficult to fill. This staffing gap causes operational concerns as threats increase. While EDR/XDR tools are critical for investigations, their high costs and limitations in cloud environments hinder full utilization. Additionally, the integration of SIEM and SOAR systems is hampered by a lack of skilled resources, leading many to rely on third-party services, further complicating the staffing and cost issues in cybersecurity operations.

Risks: Other

CVEs:

Keywords: staffing shortage, EDR/XDR limitations, SIEM challenges, threat mitigation, cybersecurity skills gap

Affected:

Read More

2024-09-11

Vulnerabilities in Microsoft AD CS Allow Persistent Network Access

Learn how misconfigurations in widely used services like Active Directory can lead to persistent threats, highlighting the importance of secure infrastructure management.

Security researchers have identified critical vulnerabilities in Microsoft’s Active Directory Certificate Services (AD CS) that can be exploited by attackers to gain and maintain persistent access in compromised networks. These vulnerabilities stem from misconfigurations in AD CS, which can lead to credential theft, privilege escalation, and domain persistence. Key attack vectors include certificate theft, malicious enrollments, and misconfigured certificate templates that can be manipulated to elevate privileges or forge certificates. While AD CS itself is not inherently insecure, its complexity and frequent misconfigurations pose significant risks.

Risks: Misconfiguration, Over Permissive Roles & Privilege Escalation

CVEs:

Keywords: Active Directory, Certificate Services, Microsoft, Persistence, Vulnerabilities, Privilege Escalation

Affected: Microsoft, Active Directory Certificate Services

Read More

2024-09-11

Critical ICS Vulnerabilities Disclosed by Siemens, Schneider, ABB, and CISA

Learn about critical vulnerabilities in industrial control systems and the importance of robust security measures to protect against potential threats.

Siemens, Schneider Electric, ABB, and CISA have issued advisories addressing numerous vulnerabilities in industrial control systems (ICS). Siemens highlighted critical flaws, including an authentication bypass in its Industrial Edge Management and remote code execution vulnerabilities in Simatic products. Schneider Electric detailed a high-severity privilege escalation in Vijeo Designer, while ABB reported medium-severity denial-of-service issues in Relion protection relays. CISA's advisories included critical vulnerabilities in Viessmann Climate Solutions SE, involving hardcoded credentials and command injection, as well as other high-severity issues in various ICS products. These vulnerabilities underscore the ongoing need for robust security measures in ICS environments.

Risks: Patch Management, Over Permissive Roles & Privilege Escalation, Hardcoded Secrets, Web App & API Vulnerability

CVEs:

Keywords: ICS vulnerabilities, Siemens advisories, Schneider Electric, ABB security, CISA advisories, Industrial Edge Management, Simatic products, Vijeo Designer

Affected: Siemens, Schneider Electric, ABB, CISA, Industrial Edge Management, Simatic products, Scalance W products, Vijeo Designer, Relion protection relays, Viessmann Climate Solutions SE, SpiderControl SCADA Web Server, Rockwell Automation SequenceManager, BPL Medical Technologies Android applications

Read More

2024-09-11

SonicWall SSLVPN Vulnerability Exploited by Cybercriminals

Learn about the critical importance of patch management to protect against vulnerabilities in widely used network devices.

Cybercriminals, including Akira ransomware operators, are exploiting a recently fixed access control flaw in SonicOS, which affects SonicWall's SSLVPN feature. This vulnerability could allow unauthorized access to resources and potentially crash the firewall, removing network protections. While SonicWall has not detailed the exploitation methods, similar vulnerabilities have been used to gain initial network access. SonicWall devices, often exposed to the internet for remote VPN access, have been frequent targets for attackers. Users are urged to apply patches promptly to mitigate these risks.

Risks: Patch Management, Shadow IT/Exposed Assets, Malware

CVEs: CVE-2024-40766

Keywords: SonicWall, SSLVPN, Akira ransomware, CVE-2024-40766, network security, vulnerability exploitation

Affected: SonicWall, SonicOS, SonicWall SSLVPN, SonicWall SonicOS management access, SonicWall Secure Mobile Access (SMA)

Read More

2024-09-11

Microsoft Patches Four Zero-Day Vulnerabilities in September 2024 Update

Learn about the critical importance of timely patch management and how it can protect against actively exploited vulnerabilities in widely-used Microsoft systems.

Microsoft's September 2024 Patch Tuesday addressed four zero-day vulnerabilities and 79 flaws, including seven critical ones that involve remote code execution or privilege escalation. The four zero-days were actively exploited and included vulnerabilities in Windows Installer, Windows Mark of the Web, Microsoft Publisher, and Windows Update. The flaws allowed attackers to gain system privileges, bypass security features, and execute remote code. Notably, the Windows Update vulnerability affected older Windows 10 versions, causing certain components to revert to their original versions, which could potentially reintroduce previously fixed issues.

Risks: Zero-Day, Patch Management, Over Permissive Roles & Privilege Escalation

CVEs: CVE-2024-38014; CVE-2024-38217; CVE-2024-38226; CVE-2024-43491

Keywords: Microsoft, Zero-Day, Patch Tuesday, Vulnerabilities, Windows Update, Remote Code Execution

Affected: Windows Installer, Windows Mark of the Web, Microsoft Publisher, Windows Update, Active Directory Lightweight Directory Services, XPS Viewer, Internet Explorer 11, LPD Print Service, IIS, Windows Media Player

Read More

2024-09-10

Cisco Online Store Breached Due to Magento Vulnerability

Learn about the critical importance of timely patch management to protect your clients from data-stealing attacks.

In a recent cybersecurity incident, Cisco's online store selling branded merchandise was compromised in a Magecart attack due to a critical vulnerability in Adobe's Magento platform. This flaw, rated 9.8 in severity, allowed attackers to inject data-stealing JavaScript, potentially exposing customers' credit card information and other sensitive data during transactions. Despite Adobe patching the vulnerability in June, many eCommerce sites had not updated their systems, leaving them vulnerable to such exploits. Cisco has since addressed the issue, ensuring the security of their online store.

Risks: Patch Management, Web App & API Vulnerability, Sensitive Data

CVEs: CVE-2024-34102

Keywords: Magecart, Cisco, Adobe Magento, Data Breach, Vulnerability Exploit

Affected: Cisco, Adobe Magento

Read More

2024-09-10

Critical Vulnerabilities Discovered in IBM webMethods Integration Server

Learn about the critical vulnerabilities threatening integration platforms and understand the importance of securing enterprise environments.

IBM has disclosed multiple critical vulnerabilities in its webMethods Integration Server that could allow attackers to execute arbitrary commands, posing a severe risk to organizations using this platform. The most critical vulnerability allows authenticated users to upload and execute files, with a high potential for exploitation due to low attack complexity and no user interaction needed. Another vulnerability enables privilege escalation, while a third allows directory traversal attacks, potentially exposing sensitive information. These issues underscore the importance of securing integration platforms, which are crucial in enterprise environments and increasingly targeted by cyber attackers.

Risks: Patch Management, Over Permissive Roles & Privilege Escalation, Web App & API Vulnerability

CVEs: CVE-2024-45076; CVE-2024-45075; CVE-2024-45074

Keywords: IBM, webMethods, Integration Server, vulnerabilities, CVE-2024-45076, command execution, privilege escalation

Affected: IBM webMethods Integration Server

Read More

2024-09-09

Critical RCE Vulnerability Found in Progress LoadMaster Products

Learn about the critical importance of patch management and how vulnerabilities in widely used software like LoadMaster can impact security.

Progress Software has released an urgent patch for a critical vulnerability in its LoadMaster and LoadMaster Multi-Tenant Hypervisor products, which could enable attackers to remotely execute commands by exploiting an improper input validation flaw. This security issue allows unauthenticated attackers to send specially crafted HTTP requests to the management interface, leading to arbitrary command execution on affected systems. The vulnerability has been addressed by sanitizing user input, but the fix does not cover the free version of LoadMaster, leaving it exposed to potential exploitation.

Risks: Patch Management, Web App & API Vulnerability

CVEs: CVE-2024-7591

Keywords: Progress Software, LoadMaster, RCE, Vulnerability, CVE-2024-7591, Input Validation

Affected: Progress Software, LoadMaster, LoadMaster Multi-Tenant Hypervisor

Read More

2024-09-09

Critical Vulnerabilities Found in Baxter Connex Health Portal

Need some FUD to showcase the critical importance of securing healthcare data? Discover how unchecked vulnerabilities can lead to serious breaches.

The Baxter Connex Health Portal is affected by critical vulnerabilities, including SQL Injection and Improper Access Control, which can be exploited remotely with low attack complexity. These security flaws may allow attackers to execute malicious code, disrupt database services, and access, modify, or delete sensitive data. It is crucial to implement defensive measures to reduce the risk of exploitation, such as minimizing network exposure and ensuring systems are not accessible from the internet.

Risks: Web App & API Vulnerability, Sensitive Data

CVEs: CVE-2024-6795; CVE-2024-6796

Keywords: Baxter, Connex Health Portal, SQL Injection, Access Control, Healthcare Security

Affected: Baxter, Connex Health Portal

Read More

2024-09-08

Avis Experiences Data Breach Exposing Customer Information

Learn about the critical importance of implementing robust security measures to prevent data breaches and protect customer information.

Avis, the car rental giant, recently disclosed a data breach affecting customers. The breach occurred when an attacker gained unauthorized access to a business application from August 3 to August 6, leading to the theft of customers' personal information, including names and other sensitive data. Avis has since reinforced its security measures but has not provided further details about the breach.

Risks: Sensitive Data, Web App & API Vulnerability, Weak or Compromised Credentials

CVEs:

Keywords: Avis, Data Breach, Customer Information, Unauthorized Access, Security Measures

Affected: Avis

Read More

2024-09-06

Veeam Releases Patches for Critical Vulnerabilities in Backup and Management Software

Learn about the critical importance of timely patch management and how to protect against vulnerabilities in key software systems like Veeam.

Veeam has released security updates addressing 18 vulnerabilities, including five critical ones. These critical issues involve vulnerabilities in Veeam Backup & Replication, Veeam ONE, and Veeam Service Provider Console that allow remote code execution and unauthorized access to sensitive information. The updates also resolve 13 other high-severity vulnerabilities that could lead to privilege escalation and bypassing multi-factor authentication. Organizations using these Veeam products are advised to apply the updates promptly to safeguard their systems.

Risks: Patch Management, Remote Code Execution, Weak or Compromised Credentials

CVEs: CVE-2024-40711; CVE-2024-42024; CVE-2024-42019; CVE-2024-38650

Keywords: Veeam, Vulnerabilities, Remote Code Execution, Patch Management, Data Protection

Affected: Veeam Backup & Replication, Veeam ONE, Veeam Service Provider Console

Read More

2024-09-06

GitHub Actions Exposed to Typosquatting Attacks

Got you some real good FUD: learn about the dangers of supply chain attacks through GitHub Actions typosquatting.

GitHub Actions, a CI/CD platform, is vulnerable to typosquatting attacks where threat actors exploit minor typing errors made by developers to run malicious code. This attack method allows adversaries to publish malicious GitHub Actions by creating accounts with temporary emails. If developers mistakenly reference these malicious actions due to typos, their workflows could be compromised, leading to tampered source code, stolen secrets, and malware delivery. This low-cost, high-impact attack poses significant risks to software supply chains, as it can affect multiple projects and downstream customers.

Risks: Supply Chain, Open Source, Malware

CVEs:

Keywords: GitHub Actions, Typosquatting, Supply Chain Attack, Open Source Security, CI/CD Vulnerability

Affected: GitHub Actions, PyPI, npm, Maven Central, NuGet, RubyGems, Crate

Read More

2024-09-06

DrayTek Software Vulnerabilities Exploited Due to Unpatched Systems

Learn about the critical role of timely patch management and how unpatched vulnerabilities can be exploited, emphasizing the need for proactive cybersecurity measures.

The article discusses two vulnerabilities in DrayTek VigorConnect, a management software for network equipment, which have been added to CISA's Known Exploited Vulnerabilities catalog. These vulnerabilities, identified in 2021, allow attackers to download files with root privileges. Despite being patched in October 2021, the flaws are still exploited due to organizations' lack of timely patching, underscoring the importance of regular updates to safeguard against threats.

Risks: Patch Management, Web App & API Vulnerability

CVEs: CVE-2021-20123; CVE-2021-20124

Keywords: DrayTek, VigorConnect, path traversal, CISA KEV, unpatched vulnerabilities

Affected: DrayTek, DrayTek VigorConnect

Read More

2024-09-06

GeoServer Vulnerability Exploited for Malware Deployment

Learn about the critical need for securing open-source tools and the potential impact of unpatched vulnerabilities in cloud environments.

A critical vulnerability in OSGeo GeoServer GeoTools has been exploited by attackers to deliver various malware, including cryptocurrency miners, botnet malware, and a backdoor known as SideWalk. This remote code execution flaw allows attackers to take control of affected systems, utilizing them to establish connections with command-and-control servers and execute further malicious activities. Attack chains have been observed deploying a shell script to download binaries for different architectures, extracting and connecting to encrypted configuration servers, and using tools like Fast Reverse Proxy to maintain persistent access and evade detection.

Risks: Remote Code Execution, Malware, Open Source, Web App & API Vulnerability

CVEs: CVE-2024-36401

Keywords: GeoServer, Remote Code Execution, SideWalk Backdoor, Cryptocurrency Miners, Botnet Malware

Affected: OSGeo GeoServer GeoTools, ARM, MIPS, X86

Read More

2024-09-06

White House Launches Campaign to Address Cybersecurity Talent Shortage

Discover how the growing demand for cybersecurity professionals can create new opportunities for partnerships and expansions in the cybersecurity field.

The White House has launched the Service for America campaign, a two-month initiative to address the significant shortage of cybersecurity professionals in the United States. With around 500,000 open cyber jobs and growing demand due to technological advancements like artificial intelligence, the campaign aims to encourage Americans to consider careers in cybersecurity as a form of national service.

Risks: Other

CVEs:

Keywords: cyber talent gap, Service for America, White House initiative, cybersecurity careers, workforce development

Affected:

Read More

2024-09-06

Critical Vulnerability in SonicWall SonicOS Threatens Security

Need some ammo against SonicWall? This article highlights vulnerabilities in their systems, offering a strategic edge for CloudGuard solutions.

SonicWall has urged users to update their systems to patch a critical security flaw in SonicOS, which is potentially being actively exploited. This vulnerability affects the management access and SSLVPN features, potentially allowing unauthorized access and causing firewall crashes. The flaw, with a high severity score, highlights the importance of updating to the latest software versions to mitigate risks. While specific exploitation methods are not detailed, the history of similar vulnerabilities being targeted suggests a significant threat.

Risks: Patch Management, Web App & API Vulnerability

CVEs: CVE-2024-40766

Keywords: SonicWall, SonicOS, Firewall Vulnerability, SSLVPN, CVE-2024-40766

Affected: SonicWall, SonicOS, SSLVPN

Read More

2024-09-06

Critical Vulnerability Found in WordPress LiteSpeed Cache Plugin

Learn about the risks of plugin vulnerabilities and how securing WordPress sites can protect against unauthorized access and potential breaches.

Researchers have identified a critical security flaw in the LiteSpeed Cache plugin for WordPress, which could enable unauthenticated users to take over accounts, potentially even gaining Administrator access. This vulnerability arises due to a publicly exposed debug log file that could reveal sensitive information, such as user cookies, allowing attackers to hijack active sessions. This issue was discovered during a comprehensive security review of the plugin, which had previously uncovered another severe vulnerability.

Risks: Web App & API Vulnerability, Sensitive Data, Over Permissive Roles & Privilege Escalation

CVEs: CVE-2024-44000; CVE-2024-28000

Keywords: WordPress, LiteSpeed Cache, Vulnerability, CVE-2024-44000, Account Takeover

Affected: WordPress, LiteSpeed Cache

Read More

2024-09-05

Cisco Uncovers Critical Backdoor Vulnerability in Smart Licensing Utility

Need some ammo against Cisco? Learn about the vulnerabilities impacting their systems and the importance of robust security measures.

Cisco has disclosed a critical vulnerability in its Smart Licensing Utility, which allows attackers to remotely access systems using a backdoor administrative account. Additionally, a separate vulnerability could enable attackers to access sensitive data by exploiting the system's API. These issues are part of a pattern, as Cisco has previously addressed similar vulnerabilities in other products. Recent patches have also fixed severe vulnerabilities in various Cisco systems, including issues that allowed unauthorized password changes and malware installation on switches, as well as zero-day exploits targeting government networks.

Risks: Hardcoded Secrets, Web App & API Vulnerability, Weak or Compromised Credentials

CVEs: CVE-2024-20439; CVE-2024-20440; CVE-2024-20419; CVE-2024-20399

Keywords: Cisco, Smart Licensing Utility, Backdoor Vulnerability, CVE-2024-20439, Information Disclosure

Affected: Cisco Smart Licensing Utility, Cisco Smart Software Manager On-Prem, Cisco Digital Network Architecture Center, Cisco IOS XE, Cisco Wide Area Application Services, Cisco Emergency Responder, Cisco NX-OS, Cisco MDS switches, Cisco Nexus switches

Read More

2024-09-05

Revival Hijack: New Supply Chain Attack Targets Python Packages

Got you some real good FUD: learn about the dangers of supply chain attacks and the vulnerabilities lurking in widely used Python packages.

A new supply chain attack technique called Revival Hijack targets the Python Package Index (PyPI) registry by exploiting the re-registration of removed packages. This method allows attackers to hijack over 22,000 packages, potentially leading to widespread distribution of malicious software. The attack is more effective than typosquatting and involves attackers registering removed packages under their own accounts and publishing malicious versions. Revival Hijack has already been used in the wild, demonstrating a significant risk to developers who might inadvertently install compromised packages during updates.

Risks: Supply Chain, Open Source

CVEs:

Keywords: Revival Hijack, PyPI attack, supply chain vulnerability, Python package security, software re-registration

Affected: Python Package Index, PyPI, pip

Read More

2024-09-04

Vulnerabilities Found in Ninja Forms and Fluent Forms Affect Over 1.1 Million WordPress Sites

Learn about the risks of unpatched WordPress plugins and the importance of proactive vulnerability management to safeguard cloud environments.

Two widely used WordPress contact form plugins, Ninja Forms and Fluent Forms, affecting over 1.1 million installations collectively, have been found to contain separate security vulnerabilities. Ninja Forms is susceptible to a reflected cross-site scripting attack due to a failure in escaping a URL, while Fluent Forms has a vulnerability that allows unauthorized API modifications because of an insufficient capability check. The latter requires an attacker to have subscriber-level authorization, which can be exploited on sites with subscriber registration enabled.

Risks: Web App & API Vulnerability, Over Permissive Roles & Privilege Escalation, Patch Management

CVEs: CVE-2024-7354; CVE-2024-5053

Keywords: WordPress, Ninja Forms, Fluent Forms, XSS Vulnerability, API Exploit, Plugin Security

Affected: Ninja Forms, Fluent Forms

Read More

2024-09-04

CBIZ Experiences Data Breach Due to Web Vulnerability

Learn about the critical importance of robust cybersecurity measures to protect sensitive customer data and prevent costly breaches.

CBIZ experienced a cyberattack between June 2 and June 21, during which sensitive customer data was stolen due to a vulnerability in their web infrastructure. This breach underscores the critical need for organizations to protect personally identifiable information (PII) and implement strong cybersecurity measures to prevent such incidents. Specific details about the vulnerability and any resulting actions or fines remain undisclosed.

Risks: Sensitive Data, Web App & API Vulnerability

CVEs:

Keywords: CBIZ, data breach, web vulnerability, customer data, PII protection

Affected: CBIZ

Read More

2024-09-04

Critical Vulnerability Found in VMware Fusion

Learn about the critical importance of timely patch management to prevent system compromises and service disruptions.

VMware has addressed a high-severity code execution vulnerability in its Fusion product, caused by an insecure environment variable, which could lead to system compromise. Additionally, the update includes an OpenSSL upgrade to version 3.0.14, resolving vulnerabilities that could cause denial-of-service conditions or slow down affected applications.

Risks: Patch Management, Open Source

CVEs: CVE-2024-38811

Keywords: VMware Fusion, CVE-2024-38811, code execution, OpenSSL, patch management

Affected: VMware Fusion, OpenSSL

Read More

2024-09-03

CBIZ Data Breach Exposes Sensitive Client Information

Learn about the risks of web vulnerabilities and the critical importance of proactive security measures to protect customer data.

CBIZ Benefits & Insurance Services recently disclosed a data breach that affected around 36,000 individuals due to a vulnerability on one of its web pages. The breach allowed unauthorized access to sensitive information, including names, contact details, Social Security numbers, and health and welfare plan details, between June 2 and June 21, 2024. Discovered on June 24, the breach led CBIZ to notify affected clients starting August 28, 2024, and offer them two years of credit monitoring and identity theft protection services. While no misuse of the stolen data has been detected, the company advises clients to take additional precautions such as credit freezes and fraud alerts.

Risks: Sensitive Data, Web App & API Vulnerability

CVEs:

Keywords: CBIZ, Data Breach, Web Vulnerability, Identity Theft Protection, Client Data Exposure

Affected: CBIZ Benefits & Insurance Services

Read More

2024-09-02

Roblox Developers Targeted by Malicious npm Packages Mimicking noblox.js

Got you some real good FUD: learn about the dangers of supply chain attacks.

Roblox developers are being targeted by a malicious campaign using fake npm packages that mimic the popular 'noblox.js' library to compromise systems. These packages, published by threat actors, aim to steal sensitive data and deliver malware, including a stealer known as Luna Token Grabber and a remote access trojan called Quasar RAT. The attack, first documented in August 2023, employs techniques like starjacking to appear legitimate and serves additional payloads from a GitHub repository.

Risks: Malware, Supply Chain, Open Source

CVEs:

Keywords: Roblox, npm packages, noblox.js, supply chain attack, malware, Luna Token Grabber, Quasar RAT

Affected: Roblox, npm

Read More

2024-09-01

Persistence Techniques Used by Threat Actors on Linux Systems

Need some FUD? Learn about the advanced persistence techniques threat actors use on Linux systems and how CloudGuard can help secure these environments.

Threat actors employ a variety of advanced techniques to maintain persistence on Linux systems, including manipulating init systems like System V and Upstart, leveraging run control scripts such as rc.local, and exploiting Message of the Day (MOTD) files. They also misuse udev rules, which are part of the Linux device management system, and take advantage of package managers like APT, YUM, and DNF for persistent access. Additionally, threat actors exploit Git hooks and pager configurations to execute arbitrary code, abuse process capabilities to escalate privileges, and hijack system binaries to run malicious code. These tactics highlight the diverse methods used to ensure continued access and control over compromised Linux environments.

Risks: Over Permissive Roles & Privilege Escalation, Malware, Open Source

CVEs:

Keywords: Linux persistence, System V, Upstart, rc.local, udev, APT, YUM, DNF, Git hooks, binary hijacking

Affected: Linux, System V, Upstart, rc.local, udev, APT, YUM, DNF, Git

Read More

2024-08-31

Vulnerabilities Found in Popular WordPress Themes Betheme and Enfold

Learn about the critical importance of patch management and proactive vulnerability assessment in safeguarding WordPress environments.

Two popular WordPress themes, Betheme and Enfold, available on ThemeForest with over 500,000 sales, have been found vulnerable to security exploits. Betheme suffers from a high-severity PHP Object Injection vulnerability, allowing attackers with contributor-level access to inject malicious PHP objects, potentially leading to arbitrary file deletion and code execution. A patch for Betheme has been released but not yet acknowledged by Wordfence. The Enfold theme has a medium-severity Stored Cross-Site Scripting (XSS) vulnerability, which remains unpatched, allowing similar-level attackers to inject harmful scripts. Users are advised to update Betheme and consider replacing or mitigating risks associated with Enfold.

Risks: Patch Management, Web App & API Vulnerability

CVEs:

Keywords: WordPress, Betheme, Enfold, PHP Object Injection, Cross-Site Scripting, Theme Vulnerability

Affected: WordPress, Betheme, Enfold

Read More