Cyber Security Briefing, 24 February - 1 March

February 29, 2024

CISA warns of Ivanti vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning that malicious actors can maintain persistence on previously compromised Ivanti Connect Secure and Ivanti Policy Secure devices even after Ivanti's recommended mitigations have been applied.

According to CISA, actors who exploited any of the vulnerabilities disclosed over the past few weeks (CVE-2023-46805, CVSSv3 8.2; CVE-2024-21887, CVSSv3 9.1; CVE-2024-22024, CVSSv3 8.3; and CVE-2024-21893, CVSSv3 8.2) may not have been detected by Ivanti's Integrity Checker Tool (ICT), the analysis tool provided to identify compromise, and may be able to maintain persistence even after a factory reset.

Ivanti has released a statement indicating that they are not aware of any case of persistence obtained by any malicious actor after the implementation of security updates and factory resets recommended by the manufacturer.

More info

New information on the LockBit ransomware infrastructure

The operators of the LockBit ransomware announced over the weekend that they are resuming operations. They have moved their leak site to a new .onion address, listed new victims, and published a statement giving their account of the events of Operation Cronos.

Meanwhile, the authorities also released information about LockBitSupp, allegedly the figure behind the management of the ransomware's operations, stating that they know who he is and where he lives and that he has been cooperating with law enforcement. VX-Underground, however, notes that the group does not believe this to be true.

Experts who analysed hundreds of cryptocurrency wallets estimate that LockBit's operations generated movements worth more than 125 million dollars over the last 18 months, and the authorities indicate that the real figure is higher, since the operation has been active for four years.

More info

Vulnerability in Facebook password reset patched

Meta has patched a critical vulnerability in the Facebook password reset process. The flaw allowed attackers to take control of any Facebook account by abusing the reset option that sends a six-digit authorization code to another of the user's devices.

The code, which confirms the user's identity, was valid for approximately two hours and was not protected against brute force: there was no limit on the number of attempts, so an attacker could use ordinary pentesting tools to enumerate all one million possible values within the validity window, reset the password and take over the account.

Exploitation was not entirely silent: the target would receive a Facebook notification revealing the code, or prompting them to tap the notification to view it, which makes this a one-click rather than a zero-click exploit.
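The two defects described above (a long validity window and no limit on guesses) are what turn a six-digit code into a brute-forceable secret. The following is an added illustration, not code from the briefing or from Meta: a hypothetical reset-code verifier with those defects next to a hardened form that bounds attempts, shortens the window, makes the code single-use and compares in constant time. Class and function names are assumptions for the example; the brute-force loop simply walks the 10^6 code space the way a pentesting tool would.

```python
"""Added example: brute-forceable vs hardened six-digit reset code (hypothetical)."""
import hmac
import secrets

CODE_LENGTH = 6
CODE_SPACE = 10 ** CODE_LENGTH  # 000000 .. 999999


def generate_code() -> str:
    """Random zero-padded code from a CSPRNG (secrets, never random)."""
    return f"{secrets.randbelow(CODE_SPACE):0{CODE_LENGTH}d}"


class VulnerableResetCode:
    """Models the flaw: ~2 h validity and unlimited guesses, so an attacker
    can enumerate every value before the code expires."""

    def __init__(self, code: str, issued_at: float, ttl: float = 2 * 3600):
        self.code = code
        self.expires_at = issued_at + ttl

    def verify(self, guess: str, now: float) -> bool:
        if now > self.expires_at:
            return False
        return guess == self.code  # no attempt counter, no lockout


class HardenedResetCode:
    """Hypothetical hardened form: short window, bounded attempts,
    single use, constant-time comparison."""

    MAX_ATTEMPTS = 5

    def __init__(self, code: str, issued_at: float, ttl: float = 10 * 60):
        self.code = code
        self.expires_at = issued_at + ttl
        self.attempts = 0
        self.consumed = False

    @property
    def locked(self) -> bool:
        return self.attempts >= self.MAX_ATTEMPTS

    def verify(self, guess: str, now: float) -> bool:
        if self.consumed or self.locked or now > self.expires_at:
            return False
        self.attempts += 1  # charge the attempt before comparing
        if hmac.compare_digest(guess.encode(), self.code.encode()):
            self.consumed = True  # a code is good for exactly one reset
            return True
        return False


def brute_force(verifier, now: float):
    """Enumerate the whole code space against a verifier.
    Returns (recovered code or None, guesses made); stops early on lockout."""
    for n in range(CODE_SPACE):
        guess = f"{n:0{CODE_LENGTH}d}"
        if getattr(verifier, "locked", False):
            return None, n
        if verifier.verify(guess, now):
            return guess, n + 1
    return None, CODE_SPACE


if __name__ == "__main__":
    code = generate_code()  # the victim's code; the attacker never sees it
    print("vulnerable:", brute_force(VulnerableResetCode(code, 0.0), 60.0))
    print("hardened:  ", brute_force(HardenedResetCode(code, 0.0), 60.0))
```

With the vulnerable verifier the loop always recovers the code (in at most one million cheap requests, well inside two hours); the hardened verifier stops it after five guesses, and a code that is used once or has aged past ten minutes is rejected outright. In a real service the attempt counter and the lockout state must live server-side, keyed to the reset session, not in the client.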

More info

Cyberattack on the Regional Transport Consortium of Madrid

The Madrid Regional Transport Consortium (Spain) has admitted that it was the victim of a cyberattack in November 2023. The attack resulted in the compromise of databases containing information on Public Transport Card holders.

The exact content of the extracted information is unknown, but it includes personal data such as names, postal addresses, email addresses and phone numbers. The attack was contained the same day it occurred, and additional security measures have since been implemented.

Although there is no evidence of actual damage to affected individuals, there is a risk of receiving unwanted communications or falling victim to phishing campaigns.

Exposed LDAP records of Junta de Andalucía

User fpa from the BreachForums site posted about exfiltrating over 3000 LDAP user records from the Junta de Andalucía, the self-governing body of the autonomous region of Andalucía in Spain.

LDAP directories are commonly used to store information about users, groups, network devices and other resources on a computer network. The published file appears to contain email addresses, usernames and hashes. The post is recent and gives no details about how the data was obtained.
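When a directory export of this kind surfaces, the first question for the affected organisation is how exposed the hashes are: LDAP stores passwords with a scheme prefix such as {SSHA} or {MD5}, and an unsalted or cleartext value is effectively a leaked password. The following is an added example, not code from the briefing and not derived from the leaked file: a small LDIF parser (the usual LDAP export format, including base64 `::` values and continuation lines) that tallies userPassword schemes and lists the accounts stored without a salt. The entries are constructed for the example and the function names are assumptions.

```python
"""Added example: triage password-hash schemes in a constructed LDIF export."""
import base64
import re
from collections import Counter

# Constructed sample export (fictional accounts), NOT data from the leak.
_BOB_B64 = base64.b64encode(b"{MD5}XrY7u+Ae7tCTyyK7j1rNww==").decode()
SAMPLE_LDIF = f"""dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
mail: alice@example.org
userPassword: {{SSHA}}MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
mail: bob@example.org
userPassword:: {_BOB_B64}

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
mail: carol@example.org
userPassword: {{CRYPT}}$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdef

dn: uid=dave,ou=people,dc=example,dc=org
uid: dave
mail: dave@example.org
userPassword: hunter2
"""

_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)\s?(.*)$")

# Schemes with no salt (or no hashing at all): trivially cracked offline.
WEAK_SCHEMES = {"CLEARTEXT", "MD5", "SHA"}


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse LDIF into a list of entries, each a dict of attribute -> values.
    Handles continuation lines (leading space) and base64 '::' values."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue  # tolerate junk lines in a dump
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    return entries


def hash_scheme(value: str) -> str:
    """Classify a userPassword value by its RFC 2307 style scheme prefix."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", value)
    if m:
        return m.group(1).upper()
    if value.startswith("$"):
        return "CRYPT"  # unprefixed crypt(3) string
    return "CLEARTEXT"


def scheme_summary(text: str) -> Counter:
    """Count how many stored passwords use each scheme."""
    counts: Counter = Counter()
    for entry in parse_ldif(text):
        for pw in entry.get("userPassword", []):
            counts[hash_scheme(pw)] += 1
    return counts


def weak_accounts(text: str) -> list[str]:
    """uids whose password is cleartext or an unsalted digest."""
    hits = []
    for entry in parse_ldif(text):
        if any(hash_scheme(pw) in WEAK_SCHEMES for pw in entry.get("userPassword", [])):
            hits.extend(entry.get("uid", ["<no uid>"]))
    return sorted(hits)


if __name__ == "__main__":
    print(dict(scheme_summary(SAMPLE_LDIF)))  # constructed data
    print("force reset first:", weak_accounts(SAMPLE_LDIF))
```

Running it on the constructed export reports one SSHA, one MD5, one CRYPT and one cleartext entry and flags `bob` and `dave` for an immediate forced reset. Salted schemes (SSHA, a modern crypt(3) variant) buy time but are still crackable offline for weak passwords, so a real response resets every exposed account and invalidates sessions, with the weak-scheme list only setting the order.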

However, it should be noted that the threat actor in question is the same one who published the database of the Comisiones Obreras (CC OO) trade union.

Cyber Security and the 10 billion dollar strike