Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
In the last month, two critical zero-day CVEs were published for Ivanti Connect Secure VPN software: CVE-2023-46805 and CVE-2024-21887.
In December of 2023, Volexity incident response teams discovered a vulnerability regarding an authentication bypass to an organization’s Ivanti Connect Secure (ICS) VPN server appliance (previously known as Pulse Connect Secure).…
Gather ‘round, cyber friends, and I’ll let you in on a little secret: no one knows what the Next Big Thing on the threat landscape will be. But we can look back on 2023, identify notable changes and actor behaviors, and make educated assessments about what 2024 will bring. …
On January 16, 2024, Atlassian disclosed a remote code execution vulnerability affecting the Confluence Data Center and Confluence Server [1]. CVE-2023-22527 is an OGNL injection vulnerability with a CVSS score of 10 (Critical). Although the vulnerability is fixed with patches, the number of outdated and publicly exposed Atlassian Confluence instances is in the thousands, posing significant risks to organizations.…
Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a periodic or scheduled scan.…
By Oleg Zaytsev (Guardio Labs)
The Guardio Labs research team uncovered a critical zero-day vulnerability in the popular Opera web browser family. This vulnerability allowed attackers to execute malicious files on Windows or MacOS systems using a specially crafted browser extension.…
Update (Jan. 31): We released a follow-up blog post containing additional details from our investigations into this threat, along with more recommendations for defenders.
Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.…
Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise.…
JANUARY 4th, 2024:
On 12/29/2023, version 0.66 of Spreadsheet::ParseExcel was published. This release fixes CVE-2023-7101.
https://metacpan.org/dist/Spreadsheet-ParseExcel/changes
For organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and upgrading to the latest version of Spreadsheet::ParseExcel.
DECEMBER 24th, 2023:
In our ongoing investigation, Barracuda has determined that a threat actor has utilized an Arbitrary Code Execution (ACE) vulnerability within a third party library, Spreadsheet::ParseExcel, to deploy a specially crafted Excel email attachment to target a limited number of ESG devices.…
Threat actors often employ stealthy attack techniques to elude detection and stay under the defender’s radar. One way they do so is by using uncommon programming languages to develop malware. Using an uncommon programming language to develop malware provides several benefits, including:
Evading some signature based detections Impeding analysis by malware analysts that are unfamiliar with the language Limited community detection and published analysisNetskope recently analyzed a malicious backdoor written in Nim, which is a relatively new programming language.…
This post is also available in: 日本語 (Japanese)
Executive SummaryEarly this year, Ukrainian cybersecurity researchers found Fighting Ursa leveraging a zero-day exploit in Microsoft Outlook (now known as CVE-2023-23397). This vulnerability is especially concerning since it doesn’t require user interaction to exploit. Unit 42 researchers have observed this group using CVE-2023-23397 over the past 20 months to target at least 30 organizations within 14 nations that are of likely strategic intelligence value to the Russian government and its military.…
Authors: Shilpesh Trivedi and Nisarga C M
In April 2023, the cybersecurity community faced a significant challenge with the discovery of CVE-2023-38831, a vulnerability affecting versions of WinRAR prior to 6.23. This security flaw has become a critical concern due to its exploitation by various advanced persistent threat (APT) groups, who have used it to gain control of victim systems through deceptive methods.…
On November 8 2023, SysAid published an advisory for CVE-2023-47246 regarding a critical zero-day vulnerability on their SysAid On-Premise software. SysAid describes the vulnerability as a path traversal vulnerability leading to code execution for the same software. This blog includes immediate recommendations for SysAid On-Premise software customers, best practices for long-term protection against these kinds of vulnerabilities, and a brief analysis of the attack chain.…
In 2022, NSFOCUS Research Labs revealed a large-scale APT attack campaign called DarkCasino and identified an active and dangerous aggressive threat actor. By continuously tracking and in-depth study of the attacker’s activities, NSFOCUS Research Labs has ruled out its link with known APT groups, confirmed its high-level persistent threat nature, and following the operational name, named this APT group DarkCasino.…
Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity, making it harder to detect their activities.…
Written by Sasha Shapirov CTO @ SysAid & Profero Incident Response Team
On Nov 2nd, a potential vulnerability in our on-premise software came to our security team’s attention. We immediately initiated our incident response protocol and began proactively communicating with our on-premise customers to ensure they could implement a mitigation solution we had identified. …
Estimated reading time: 13 minutes
SEQRITE Labs APT-Team has discovered multiple campaigns of APT SideCopy, targeting Indian government and defense entities in the past few months. The threat group is now exploiting the recent WinRAR vulnerability CVE-2023-38831 (See our advisory for more details) to deploy AllaKore RAT, DRat and additional payloads.…
ESET Research
ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible
Matthieu Faou
25 Oct 2023 • , 5 min. read
ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023.…
In October 2023, Netskope analyzed a malicious Word document and the malware it contained, dubbed “Menorah.” The malware was attributed to an advanced persistent threat group APT34, and was reported to be distributed via spear-phishing. The malicious Office file uses dispersed and obfuscated VBA code to evade detection. …
Almost a year after Void Rabisu shifted its targeting from opportunistic ransomware attacks with an emphasis on cyberespionage, the threat actor is still developing its main malware, the ROMCOM backdoor.
Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.…
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.…