Cyber Security Briefing, 28 September - 4 October

October 4, 2024

Storm-0501 expands its attacks to cloud environments with Embargo ransomware

Microsoft's threat intelligence team has published an investigation attributing to the actor Storm-0501 a campaign that deploys the Embargo ransomware against hybrid cloud environments. According to the researchers, Storm-0501 has attacked organizations in several sectors in the U.S., including government, manufacturing, transportation and law enforcement.

The actor gains initial network access with stolen or purchased credentials, or by exploiting known vulnerabilities in Internet-facing systems: CVE-2022-47966 in Zoho ManageEngine products (CVSSv3 9.8), CVE-2023-4966 in Citrix NetScaler ADC and Gateway (CVSSv3 7.5 as scored by NVD, 9.4 by the vendor) and possibly the Adobe ColdFusion flaws CVE-2023-29300 (CVSSv3 9.8) and CVE-2023-38203 (CVSSv3 9.8). It then moves laterally with tools such as Impacket and Cobalt Strike, exfiltrates data with a renamed copy of the Rclone tool, and uses PowerShell cmdlets to disable endpoint security agents. From the on-premises network it pivots into the Microsoft cloud environment by abusing weak or compromised privileged accounts, where it steals data and finally executes the ransomware payload.
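As an added illustration of how two of the behaviours above show up in endpoint telemetry (this is example code written for this briefing, not from Microsoft's report), the following script applies two rules to Sysmon-style process-creation records: a renamed Rclone binary, spotted because the PE's OriginalFileName still reads rclone.exe while the file on disk is called something else and the command line pushes data to an rclone remote, and a PowerShell command that turns off Microsoft Defender features through Set-MpPreference. The sample events, the file names and the cmdlet watchlist are constructed for the example and are not indicators from the report.

```python
"""Added example: flag two Storm-0501-style behaviours in Sysmon-style
process-creation records (Event ID 1 field names).
  1. renamed Rclone: OriginalFileName == rclone.exe but the on-disk name
     differs, plus a transfer to an rclone remote ("name:path");
  2. PowerShell disabling Defender components via Set-MpPreference.
Sample events, file names and the cmdlet watchlist are constructed, not
indicators taken from Microsoft's report."""
import re
from dataclasses import dataclass

RCLONE_ORIGINAL_NAME = "rclone.exe"

# Transfer subcommand followed somewhere by an rclone remote spec "name:".
# The remote name must be at least two characters so that Windows drive
# letters such as C: are not mistaken for a remote.
RCLONE_REMOTE_TRANSFER = re.compile(
    r"\b(copy|sync|move)\b.*(?<![\w\\/])[A-Za-z][\w-]+:", re.I
)

# Set-MpPreference switches that disable Defender features (assumed watchlist).
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|"
    r"BehaviorMonitoring|ScriptScanning|BlockAtFirstSeen)",
    re.I,
)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    image: str               # full path of the executed file
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str


def basename(path: str) -> str:
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the rule names the event triggers (empty list if benign)."""
    findings = []
    if ev.original_file_name.lower() == RCLONE_ORIGINAL_NAME:
        if basename(ev.image) != RCLONE_ORIGINAL_NAME:
            findings.append("renamed-rclone")
        if RCLONE_REMOTE_TRANSFER.search(ev.command_line):
            findings.append("rclone-transfer-to-remote")
    if basename(ev.image) in POWERSHELL_IMAGES and DEFENDER_TAMPER.search(ev.command_line):
        findings.append("defender-tampering")
    return findings


def scan(events) -> dict:
    """Map each suspicious event's image path to its findings."""
    return {ev.image: hits for ev in events if (hits := classify(ev))}


# Constructed sample telemetry: two malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Temp\svhost.exe", "rclone.exe",
              r"svhost.exe copy C:\Finance exfil:backup --config C:\Users\Public\r.conf"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true "
              "-DisableIOAVProtection $true"),
    ProcEvent(r"C:\Tools\rclone.exe", "rclone.exe", r"rclone.exe copy C:\data D:\backup"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              "powershell.exe Get-MpPreference"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits)}")
```

The OriginalFileName check is what makes the rename rule robust: an attacker can call the file anything, but the version resource inside the PE is rarely rewritten. A legitimately named rclone.exe copying between two local drives produces no finding, because the remote-spec pattern rejects single-letter drive prefixes.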

More info

Pure Storage patches five critical vulnerabilities

Pure Storage has released patches for five new critical-severity vulnerabilities in the Purity operating environment of its FlashArray and FlashBlade storage systems. Two of them, CVE-2024-0001 and CVE-2024-0002, carry a vendor CVSSv3 score of 10.0. The first stems from a local account intended only for initial array configuration remaining active, which an attacker could use to gain elevated privileges; the second allows an attacker to use a privileged account to obtain remote access to the array.

The remaining three carry a vendor CVSSv3 score of 9.1: CVE-2024-0003, which lets an attacker create a privileged account on the array through a remote administrative service; CVE-2024-0004, which lets a user holding the array admin role execute arbitrary commands remotely to escalate privileges; and CVE-2024-0005, which allows remote command execution through a specially crafted SNMP configuration.

More info

Rackspace company suffers security incident

Rackspace has confirmed a security incident that led to the compromise of data belonging to several of its customers. The intrusion was carried out by a threat actor exploiting a zero-day remote code execution vulnerability in a third-party utility bundled with the ScienceLogic SL1 monitoring platform that Rackspace uses internally.

Neither the affected component nor the vulnerability has been publicly identified, so as not to help other actors exploit it before the fix is widely deployed; a patch has since been developed and rolled out to all SL1 customers. In a statement to BleepingComputer, Rackspace said that the data improperly accessed was limited to performance-monitoring information of low security sensitivity.

More info

Attack technique using VS Code to obtain remote access

Cyble's research team has published a report identifying threat actors abusing Visual Studio Code to gain unauthorized access to victims' networks. The campaign starts with a .lnk shortcut file, most likely delivered as a phishing attachment. When the victim opens it, the shortcut downloads a Python package and uses it to run a script that evades security controls and establishes persistence.

The script then starts a VS Code remote tunnel and sends the resulting activation code to the attacker, who uses it to obtain remote access to the machine through the legitimate tunnel service, so the traffic blends in with ordinary developer activity. Notably, this methodology has previously been observed in use by the Chinese APT Stately Taurus, also known as Mustang Panda.
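Because the tunnel itself is a legitimate Microsoft service, detection has to rest on context rather than on blocking the service outright. The script below is an added example written for this briefing (not code from Cyble's report) that hunts for the tunnel step of the chain in two telemetry sources, process creation and DNS queries, and scores each host. It assumes that the VS Code CLI starts a tunnel with the `tunnel` subcommand (binaries named code, code.exe or code-tunnel.exe) and that the tunnel reaches the Dev Tunnels service under tunnels.api.visualstudio.com or devtunnels.ms; the host names and records are constructed.

```python
"""Added example (not from Cyble's report): hunt for the VS Code remote-tunnel
step of the described chain using process-creation and DNS telemetry.
Assumptions: the VS Code CLI starts a tunnel via the `tunnel` subcommand and
talks to the Dev Tunnels service under the domain suffixes below. All sample
records are constructed."""
import re
from dataclasses import dataclass

VSCODE_CLI_NAMES = {"code.exe", "code", "code-tunnel.exe", "code-tunnel"}
TUNNEL_SUBCOMMAND = re.compile(r"(^|\s)tunnel(\s|$)", re.I)
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python", "python3"}
TUNNEL_DOMAIN_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")


@dataclass
class ProcEvent:
    host: str
    image: str
    parent_image: str
    command_line: str


@dataclass
class DnsEvent:
    host: str
    query: str


def basename(path: str) -> str:
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def process_reasons(ev: ProcEvent) -> set:
    """Rules for one process-creation event."""
    reasons = set()
    if basename(ev.image) in VSCODE_CLI_NAMES and TUNNEL_SUBCOMMAND.search(ev.command_line):
        reasons.add("vscode-tunnel-start")
        # The chain above launches the tunnel from a Python script, which is
        # unusual for a developer starting a tunnel interactively.
        if basename(ev.parent_image) in PYTHON_IMAGES:
            reasons.add("spawned-by-python")
    return reasons


def dns_reasons(ev: DnsEvent) -> set:
    """Flag lookups for the tunnel service (trailing dot and case ignored)."""
    query = ev.query.lower().rstrip(".")
    return {"tunnel-service-dns"} if query.endswith(TUNNEL_DOMAIN_SUFFIXES) else set()


def score_hosts(proc_events, dns_events) -> dict:
    """Per host: 'high' when a tunnel was started by Python (the described
    chain), 'medium' when a tunnel start and tunnel-service DNS coincide,
    'low' for a single weak signal. Hosts with no signal are omitted."""
    by_host = {}
    for ev in proc_events:
        if r := process_reasons(ev):
            by_host.setdefault(ev.host, set()).update(r)
    for ev in dns_events:
        if r := dns_reasons(ev):
            by_host.setdefault(ev.host, set()).update(r)
    scores = {}
    for host, reasons in by_host.items():
        if "spawned-by-python" in reasons:
            scores[host] = "high"
        elif {"vscode-tunnel-start", "tunnel-service-dns"} <= reasons:
            scores[host] = "medium"
        else:
            scores[host] = "low"
    return scores


# Constructed telemetry: WS01 matches the chain, DEV02 looks like a developer,
# SRV03 only resolved a tunnel domain, WS04 just opened a project in VS Code.
PROC = [
    ProcEvent("WS01", r"C:\Users\Public\code.exe", r"C:\Python312\python.exe",
              "code.exe tunnel --accept-server-license-terms --name ws01"),
    ProcEvent("DEV02", r"C:\Program Files\Microsoft VS Code\bin\code.exe",
              r"C:\Windows\explorer.exe", "code.exe tunnel"),
    ProcEvent("WS04", r"C:\Program Files\Microsoft VS Code\bin\code.exe",
              r"C:\Windows\explorer.exe", r"code.exe C:\projects\site"),
]
DNS = [
    DnsEvent("WS01", "global.rel.tunnels.api.visualstudio.com"),
    DnsEvent("DEV02", "global.rel.tunnels.api.visualstudio.com."),
    DnsEvent("SRV03", "abc123-8080.euw.devtunnels.ms"),
    DnsEvent("WS04", "update.code.visualstudio.com"),
]

if __name__ == "__main__":
    for host, score in sorted(score_hosts(PROC, DNS).items()):
        print(host, score)
```

In an environment where developers legitimately use tunnels, the "medium" tier should be reconciled against an allowlist of developer workstations; the "high" tier (a tunnel launched by a Python interpreter, or by any parent other than a user shell) is the signal that maps directly to the chain Cyble describes.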

More info

CosmicSting vulnerability actively exploited

Researchers at Sansec have detected multiple attacks against e-commerce sites running Adobe Commerce and Magento that exploit the CosmicSting flaw. The vulnerability, CVE-2024-34102 (CVSSv3 9.8), is an XML External Entity (XXE) injection in the platform's REST API that lets an unauthenticated attacker read arbitrary files from the server, including the configuration file holding the store's encryption key; chained with CVE-2024-2961, a buffer overflow in the glibc iconv() library, it allows remote code execution on a vulnerable server. Because the key can be stolen before patching, Sansec recommends rotating the encryption key in addition to upgrading.

The attacks have been occurring since June 2024 and thousands of stores have been breached, including those of Whirlpool, Ray-Ban, National Geographic, Segway and Cisco.

More info