Last updated at Tue, 27 Feb 2024 17:16:10 GMT

*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions.…

Threat actors of advanced capability seek to compromise network edge devices such as Ivanti systems to establish advanced footholds, from which to perform targeted reconnaissance identifying organizations with data of high value. Three vulnerabilities recently announced in Ivanti systems underscore the importance of layered security for internet-exposed systems.…

Identifying the Exploit

In November 2023, the Huntress team identified novel indicators of an attack where the threat actor used finger.exe (top portion illustrated in Figure 1) to exfiltrate reconnaissance information from an endpoint. Due to the novelty of the observed activity, Huntress analysts conducted a thorough analysis of the available data, documented and shared the findings internally, and then published a blog post to share those findings with the community.…

Remote Monitoring & Management (RMM) software, including popular tools like AnyDesk, Atera, and Splashtop, is invaluable to IT administrators today, streamlining tasks and ensuring network integrity from afar. However, these same tools have caught the eye of cybercriminals, who exploit them to infiltrate company networks and pilfer sensitive data.…

The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.

The Trend Micro Zero Day Initiative discovered the vulnerability CVE-2024-21412, which we track as ZDI-CAN-23100, and alerted Microsoft of a Microsoft Defender SmartScreen bypass used as part of a sophisticated zero-day attack chain by the advanced persistent threat (APT) group we track as Water Hydra (aka DarkCasino) that targeted financial market traders.…

[Update] March 20, 2024: “Technical Documentation and Detailed Exploit Code on CVE-2024-21762”

[Update] March 18, 2024: “PoC Exploit for FortiOS SSL VPN Vulnerability (CVE-2024-21762) Emerges on a Hacker Forum”

[Update] March 11, 2024: “Nearly 150,000 FortiOS Devices Are Vulnerable to CVE-2024-21762”

[Update] February 16, 2024: “Scanning Activity Detected for CVE-2024-22024 in Ivanti; Thousands of Instances Are Still Vulnerable”

Fortinet has revealed a new critical Remote Code Execution (RCE) vulnerability in FortiOS SSL VPN, cautioning about potential exploitation in ongoing attacks.…

Affected Platforms: FortiGate
Impacted Users: Government, service provider, consultancy, manufacturing, and large critical infrastructure organizations
Impact: Data loss and OS and file corruption
Severity Level: High

Executive Summary

The following supplementary research provides an analysis of the exploitation of resolved N-Day Fortinet vulnerabilities. “N-Day vulnerabilities” are known vulnerabilities for which a patch or fix is available but which organizations have not yet resolved by patching.…

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.…

10 Billion Attacks Blocked in 2023, Qakbot’s Resurrection, and Google API Abused

Foreword

Welcome to the new edition of our report. As we bid farewell to the year 2023, let’s briefly revisit the threat landscape that defined the past year. In 2023, the overall number of unique blocked attacks surged, reaching an unprecedented milestone of more than 10 billion attacks and a remarkable 49% increase year-over-year.…

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) has uncovered an active malware campaign targeting cryptocurrency users. In this campaign, the Threat Actors (TA) utilized deceptive websites posing as legitimate cryptocurrency applications, including Metamask, Wazirx, Lunoapp, and Cryptonotify. All these malicious sites are distributing the same clipper payload, which CRIL has dubbed “XPhase Clipper”, designed to intercept and modify cryptocurrency wallet addresses copied by users.…

Executive Summary

On December 13, 2023, Lumen’s Black Lotus Labs reported our findings on the KV-botnet, a covert data transfer network used by state-sponsored actors based in China to conduct espionage and intelligence activities targeting U.S. critical infrastructure. Around the time of the first publication, we identified a spike in activity that we assess aligns with a significant effort by the operators managing this network to combat takedown efforts underway by the U.S.…

Key Findings

Two new 1-day LPE exploits were used by the Raspberry Robin worm before they were publicly disclosed, which means that Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time. Raspberry Robin is continually updated with new features and evasions to be even stealthier than before.…

The recent identification of CVE-2024-23897 in Jenkins versions up to 2.441 has significantly heightened concerns within the cybersecurity community, particularly focusing on the implications for public-facing Jenkins servers. Jenkins servers are important for many organizations as they are used in continuous integration/continuous deployment (CI/CD) pipelines, automating stages of software development and deployment.…
