Cyber Security Briefing, 3 - 10 November

November 10, 2023

0-day in SysAid exploited by Cl0p ransomware operators

The Microsoft research team has published the results of an investigation in which it points out that operators of the Cl0p ransomware, notorious for exploiting the MOVEit Transfer 0-day, are exploiting a 0-day vulnerability in SysAid, a comprehensive IT service management solution.

Specifically, the security flaw in question is registered as CVE-2023-47246, and its exploitation can lead to unauthorized code execution. SysAid has since published a technical analysis of the vulnerability, noting that it was exploited by uploading a WAR file containing a webshell into the webroot of the SysAid Tomcat web service, which allowed the threat actors to execute PowerShell scripts and load malware onto vulnerable machines.

SysAid recommends that users upgrade to version 23.3.36 or later to prevent exploitation of the security flaw.
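The dropper technique described above (a WAR file carrying a webshell planted in the Tomcat webroot) is something defenders can hunt for on their own servers. The following is an added example, not code from SysAid or Microsoft: a Python script that walks a Tomcat-style `webapps` directory, flags WAR files that are not on a known-good allowlist, and inspects the JSP entries inside each WAR (and any loose JSPs) for the two things a webshell almost always combines, reading attacker input from the request and spawning a process. The allowlist names (`ROOT.war`, `app.war`), the sample directory and the planted `uploads.war` are all constructed for the demo and are not published indicators from the SysAid incident.

```python
"""Hunt for unexpected WAR deployments and JSP webshells under a Tomcat webroot.

Added example (not SysAid's or Microsoft's code). Assumes a Tomcat-style
layout with a `webapps` directory; the allowlist and sample data are constructed.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Hypothetical allowlist: the WARs a healthy deployment is expected to carry.
KNOWN_GOOD_WARS = {"ROOT.war", "app.war"}

# A JSP webshell needs a way to run a command and a way to take it from the
# request. Requiring both keeps ordinary JSP pages from being flagged.
EXEC_PATTERN = re.compile(
    rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|powershell(\.exe)?|cmd\.exe", re.I
)
INPUT_PATTERN = re.compile(
    rb"request\.getParameter|request\.getHeader|getInputStream", re.I
)


def looks_like_webshell(data: bytes) -> bool:
    """Heuristic: the page both reads request input and spawns a process."""
    return bool(EXEC_PATTERN.search(data) and INPUT_PATTERN.search(data))


def scan_webapps(webapps: Path, allowlist=KNOWN_GOOD_WARS) -> list[dict]:
    """Return findings: WARs outside the allowlist, shell-like JSPs, corrupt WARs."""
    findings = []
    for war in sorted(webapps.glob("*.war")):
        if war.name not in allowlist:
            findings.append({"kind": "unexpected_war", "path": str(war), "entry": None})
        try:
            with zipfile.ZipFile(war) as z:
                for entry in z.namelist():
                    if entry.lower().endswith((".jsp", ".jspx")) and looks_like_webshell(z.read(entry)):
                        findings.append({"kind": "webshell_jsp", "path": str(war), "entry": entry})
        except zipfile.BadZipFile:
            # A file named *.war that is not a valid archive is itself suspicious.
            findings.append({"kind": "corrupt_war", "path": str(war), "entry": None})
    # Loose JSPs dropped straight into an exploded application directory.
    for jsp in sorted(webapps.rglob("*.jsp")):
        if looks_like_webshell(jsp.read_bytes()):
            findings.append({"kind": "webshell_jsp", "path": str(jsp), "entry": None})
    return findings


def build_sample_webroot() -> Path:
    """Constructed sample: one legitimate WAR and one planted WAR carrying a shell."""
    root = Path(tempfile.mkdtemp(prefix="tomcat-"))
    webapps = root / "webapps"
    webapps.mkdir()
    with zipfile.ZipFile(webapps / "app.war", "w") as z:
        z.writestr("index.jsp", "<html><body>Hello</body></html>")
    # "uploads.war" is a made-up name for the demo, not a real indicator.
    with zipfile.ZipFile(webapps / "uploads.war", "w") as z:
        z.writestr(
            "cmd.jsp",
            '<%@ page import="java.io.*" %>'
            '<% Runtime.getRuntime().exec(new String[]{"powershell.exe", "-c", '
            'request.getParameter("cmd")}); %>',
        )
    return webapps


if __name__ == "__main__":
    for finding in scan_webapps(build_sample_webroot()):
        print(finding["kind"], finding["path"], finding["entry"] or "")
```

On a real server, point `scan_webapps` at the actual Tomcat `webapps` directory and replace the allowlist with the WAR names from a known-clean install of the same version; anything the script flags deserves a look at the Tomcat access logs around the file's modification time, since the WAR had to be uploaded through the application before Tomcat deployed it.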

More info

Four 0-day vulnerabilities discovered in Microsoft Exchange

Trend Micro, through its Zero Day Initiative (ZDI) program, has disclosed four 0-day vulnerabilities affecting Microsoft Exchange that allow threat actors to execute code remotely and steal information.

The first of the vulnerabilities, ZDI-23-1578, is an RCE that allows remote attackers to execute arbitrary code on affected installations. The other three security flaws, identified as ZDI-23-1579, ZDI-23-1580 and ZDI-23-1581, involve incorrect Uniform Resource Identifier (URI) validation that could expose information and allow threat actors to access sensitive data.

All of these security flaws require authentication for exploitation, which lowers their CVSS ratings to between 7.1 and 7.5. However, since attackers could still obtain Exchange credentials by other means, multifactor authentication and restricting interaction with Exchange applications are recommended as mitigation measures.

As reported by BleepingComputer, ZDI discovered and notified Microsoft about these vulnerabilities in September 2023. Although Microsoft acknowledged the bugs, it did not prioritize fixes immediately, stating that some had already been fixed or did not qualify for immediate servicing under its internal policies.

More info

BlueNoroff targets macOS systems with new ObjCShellz malware

The research team at Jamf Threat Labs has published the results of an investigation in which it points out that the North Korean threat actor BlueNoroff is targeting macOS systems with its new ObjCShellz malware.

According to the researchers, this threat actor is known for carrying out attacks against financial institutions and cryptocurrency exchanges, so its motivation is financial gain. This time, Jamf warns that it is using a new malware written in Objective-C whose characteristics differ from other malware used by this actor.

It stands out because it is used in the later stages of an intrusion to execute commands, giving the operators a remote shell on infected computers.

It should be noted that, although it is quite simple, ObjCShellz is fully functional for the operations carried out by BlueNoroff.

More info

Critical vulnerability in Atlassian Confluence exploited in ransomware attacks

It was recently observed that threat actors are exploiting the critical improper authorization flaw in Atlassian Confluence, tracked as CVE-2023-22518 and widely described as an authentication bypass, to encrypt files and deploy ransomware.

Atlassian updated its security advisory, raising the CVSS score from 9.1 to 10.0 because of this change in the scope of the attacks, and reminded customers that the vulnerability affects all versions of its Confluence Data Center and Server software.

The company had released the corresponding security updates on October 31 and urged administrators to patch vulnerable instances immediately, warning that exploitation of the flaw could also lead to data loss.

A second warning was issued two days after the patch was released, noting that a proof-of-concept was available online although there was no evidence of ongoing exploitation at the time. Days later, however, it was reported that threat actors were already exploiting the flaw in attacks.

According to Andrew Morris, CEO of threat intelligence firm GreyNoise, widespread exploitation was detected from November 5 onwards, in attacks originating from three different IP addresses against organizations in the U.S., Taiwan, Ukraine, Georgia, Latvia and Moldova.

More info

Dolly data exposed despite paying ransom demands

According to Cybernews, the moving company Dolly agreed to pay the ransom demanded by the ransomware group that had gained access to its systems, in exchange for the criminals not publishing the exfiltrated data. The criminals published it anyway, claiming that the amount Dolly paid was not enough.

Cybernews adds that the threat actor published on the dark web its conversation with Dolly, in which Dolly's management agreed to pay the demanded amount.

More info

CIA publishes report on Deepfakes and how to deal with this threat