Cyber Security Briefing, 6 - 12 January
0-days exploited in Ivanti product
Volexity's research team discovered that malicious actors are reportedly exploiting two 0-day vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti has published a security advisory warning about these two flaws, registered as CVE-2023-46805 (CVSSv3 8.2 according to the manufacturer), an authentication bypass that allows an attacker to reach restricted resources by circumventing security checks, and CVE-2024-21887 (CVSSv3 9.1 according to the manufacturer), which could allow authenticated administrators to execute arbitrary commands.
It should be noted that the researchers who discovered these flaws state that all versions of the affected products are vulnerable.
Volexity also attributes this campaign to a threat actor backed by the Chinese state.
Microsoft patches a total of 53 vulnerabilities
Microsoft's January Patch Tuesday security updates fix 53 different issues across a range of products, including Windows, Office, Azure, .NET Framework, Visual Studio, SQL Server, Windows Hyper-V and Internet Explorer. Two of the fixed vulnerabilities are rated critical, while another 47 are rated high severity.
- The first critical vulnerability (CVE-2024-20700) allows remote code execution on Windows Hyper-V, although it requires the attacker to already have access to the restricted network.
- The second critical vulnerability (CVE-2024-20674) affects Windows Kerberos and could be exploited by an unauthenticated attacker to perform a machine-in-the-middle (MITM) or local network spoofing attack.
In both cases, the attacker must already have gained access to the restricted network before launching the attack. Microsoft notes that none of the fixed issues are being exploited.
Critical vulnerabilities in Splunk
Splunk has issued a total of four security advisories patching 15 vulnerabilities in all: one critical, 12 high and two medium severity. The most critical flaw affects Splunk Enterprise Security and is registered as CVE-2022-37601 (CVSSv3 9.8), a flaw in the parseQuery function.
The same advisory covers six further high-severity vulnerabilities in third-party packages used by Splunk Enterprise Security, which are fixed by upgrading to version 7.1.2, 7.2.0, 7.3.0 or higher. It should be noted that the two medium-severity vulnerabilities also affect the same product, and their exploitation can trigger denial of service conditions.
Separately, the advisory affecting Splunk User Behavior Analytics contains six high-severity vulnerabilities, and the manufacturer recommends that customers upgrade to versions 5.3.0, 5.2.1 or higher.
NIST publishes report on adversarial machine learning attacks
Researchers at the National Institute of Standards and Technology (NIST) published a report on attacks involving adversarial machine learning, as well as possible mitigations for them.
The report includes the four main types of attacks that can be employed against artificial intelligence systems: evasion, poisoning, privacy and abuse.
Evasion attacks alter an input to change the system's response, whereas poisoning attacks introduce corrupted data during the AI training phase. In privacy attacks, the attacker tries to extract valuable data by querying the AI, while in abuse attacks the goal is to compromise legitimate training sources.
Although the agency stresses that there is currently no foolproof method of protection, it has encouraged the community to keep searching for better defenses against these types of attacks.
Sea Turtle APT targets European organizations
According to research by Hunt & Hackett, Sea Turtle, also known as SILICON, is an advanced persistent threat (APT) group based in Turkey that engages in espionage and information theft through DNS hijacking.
The group targets organisations in Europe and the Middle East, especially government agencies, Kurdish political groups, NGOs, telecommunications entities, ISPs, IT service providers, and media and entertainment organisations. It aims to steal valuable and confidential data, such as call logs and metadata on website connections.
Its modus operandi is to intercept internet traffic destined for victims' websites, gaining unauthorised access to government networks and organisational systems, and to use a reverse shell mechanism to speed up data collection.