Cyber Security Briefing, 27 January - 2 February

February 2, 2024

NSA admits massive purchase of browsing data without authorization

As Reuters recently reported, citing statements by Senator Ron Wyden, the U.S. National Security Agency (NSA) has confirmed that it purchased Internet browsing records from data brokers, without a warrant, in order to identify the websites and applications used by Americans.

In a statement, Wyden reportedly voiced his concern that the agency is funding an industry whose practices are questionable on both privacy and legal grounds, since browsing metadata alone can reveal sensitive information, for example about a person's health. The NSA, for its part, said it applies compliance and data minimization measures, but acknowledged buying such information from third parties.

The disclosure adds to a broader trend of intelligence agencies buying data from commercial companies, a practice that is far from transparent and may amount to privacy violations. Wyden also highlights that consumers are not notified when their data is sold, and notes that the problem could affect the entire industry.

More info

New Ivanti 0-day vulnerability actively exploited

Ivanti has published a new security advisory covering two further vulnerabilities, one of them a 0-day that is being actively exploited. That flaw, CVE-2024-21893 (CVSSv3 8.2), is a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources on vulnerable devices without authentication.

The second, CVE-2024-21888 (CVSSv3 8.8), is a privilege escalation vulnerability in the web component of the Ivanti Connect Secure and Ivanti Policy Secure gateways. According to Ivanti, both flaws affect all 9.x and 22.x versions.

Finally, the company has also released patches for the two 0-day vulnerabilities disclosed in early January: CVE-2024-21887 (CVSSv3 9.1) and CVE-2023-46805 (CVSSv3 8.2).

More info

Network operator credentials exposed

Resecurity's research team has published an article reporting a total of 1,572 compromised credentials for accounts at the RIPE, AFRINIC and LACNIC Regional Internet Registries, exposed on sites hosted on the Dark Web.

The investigation was prompted by the recent cyberattack on Orange Spain, whose RIPE Network Coordination Centre (RIPE NCC) account was compromised and used to sabotage its routing configuration, interrupting network service for its customers for several hours. The researchers believe the credentials they identified were exfiltrated by infostealer malware such as RedLine, Azorult or Vidar, among others.

The accounts identified belong, among others, to unnamed financial organizations in Kenya and Spain, an Iraqi government agency and technology providers. Since control of these accounts can enable large-scale attacks, the researchers stress the need to protect such critical assets with appropriate security measures.

More info

Cryptojacking campaign targeting the Docker API

Exposed Docker API endpoints are being targeted by a cryptojacking campaign dubbed Commando Cat. The attackers spin up a seemingly benign container built with the open-source Commando project, escape from it to the Docker host and execute their payloads there. The campaign has been active since early 2024 and uses the Docker API as its initial access vector to deliver several payloads, including a cryptocurrency miner and a backdoor.

Before moving on to each subsequent stage, the malware checks whether certain services are already running on the compromised system. Researchers have noted similarities with earlier cryptojacking groups such as TeamTNT. Overall, Commando Cat can steal credentials, act as a backdoor and mine cryptocurrency, which makes it a very versatile threat.
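Two of the conditions a campaign like this depends on can be checked from the host itself: a Docker API listening on a TCP port without TLS client authentication (the initial access vector), and a container configured so that it can reach the host (the usual escape route, assumed here, is a privileged container with the host root filesystem bind-mounted; the briefing does not detail how the escape is done). The following Python audit is an added example, not code from the briefing or from the researchers who analysed the campaign. It runs over constructed sample `docker inspect` and `daemon.json` data; the container name `build-helper` and the mount path `/hostfs` are illustrative.

```python
"""Added example: audit a Docker host for the conditions a Docker-API
cryptojacking campaign needs. Uses constructed sample data in place of live
`docker inspect` output and /etc/docker/daemon.json."""
import json

HOST_ROOT = "/"
DOCKER_SOCKET = "/var/run/docker.sock"


def daemon_api_exposed(daemon_json: str) -> list:
    """Return the TCP listeners in a daemon.json that accept API calls
    without TLS client authentication. A bare tcp:// listener is what
    Docker-API scanning campaigns look for."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def audit_container(spec: dict) -> list:
    """Return findings for one `docker inspect` entry whose configuration
    lets the container reach the host: privileged mode, the host root or the
    Docker socket bind-mounted inside it, or the host PID namespace shared."""
    findings = []
    name = spec.get("Name", "?").lstrip("/")
    host_cfg = spec.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    for bind in host_cfg.get("Binds") or []:
        src = bind.split(":", 1)[0]          # "host_path:container_path[:opts]"
        if src == HOST_ROOT:
            findings.append(f"{name}: host root bind-mounted ({bind})")
        elif src == DOCKER_SOCKET:
            findings.append(f"{name}: docker socket mounted ({bind})")
    if host_cfg.get("PidMode") == "host":
        findings.append(f"{name}: shares host PID namespace")
    return findings


def audit_inspect_output(inspect_json: str) -> list:
    """Run audit_container over the JSON list printed by `docker inspect`."""
    findings = []
    for spec in json.loads(inspect_json):
        findings.extend(audit_container(spec))
    return findings


# Constructed sample data (not captured from a real host). The second
# container is the shape an attacker with API access typically creates:
# privileged, host root mounted at /hostfs (illustrative path), host PID
# namespace shared. Only the inspect fields used above are included.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})
SAMPLE_INSPECT_JSON = json.dumps([
    {"Name": "/web", "HostConfig": {
        "Privileged": False,
        "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
        "PidMode": ""}},
    {"Name": "/build-helper", "HostConfig": {
        "Privileged": True,
        "Binds": ["/:/hostfs"],
        "PidMode": "host"}},
])

if __name__ == "__main__":
    for listener in daemon_api_exposed(SAMPLE_DAEMON_JSON):
        print("Docker API reachable without TLS auth on", listener)
    for finding in audit_inspect_output(SAMPLE_INSPECT_JSON):
        print("Suspicious container:", finding)
```

On a real host, feed `docker inspect $(docker ps -q)` and the contents of `/etc/docker/daemon.json` to the two functions. Two caveats: the daemon can also be bound to TCP through a `-H` flag in its systemd unit rather than in `daemon.json`, so check `systemctl cat docker` as well, and `tlsverify` only helps if `tlscacert`/`tlscert`/`tlskey` are set to a CA you control.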

More info