Media Coverage

Users of the ConnectWise ScreenConnect remote desktop management tool are under active cyberattack, after a proof-of-concept (PoC) exploit surfaced for a max-critical security vulnerability in the platform. The situation has the potential to blow up into a mass compromise event, researchers are warning. ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it offers a conduit to threat actors looking to infiltrate high-value endpoints and any other areas of corporate networks to which they might have access.

Piotr Kijewski, CEO at the Shadowserver Foundation, confirmed seeing initial exploitation requests in the nonprofit’s honeypot sensors. “Check for signs of compromise (like new users added) and patch!” he stressed via the Shadowserver mailing list, adding that as of Tuesday, a full 93% of ScreenConnect instances were still vulnerable (about 3,800 installations), most of them located in the US.

Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. Microsoft addressed the issue on February 13, when it had already been leveraged as a zero-day. Currently, 28,500 servers have been identified as being vulnerable. Exchange Server is widely used in business environments to facilitate communication and collaboration among users, providing email, calendar, contact management, and task management services.

Today, threat monitoring service Shadowserver announced that its scanners have identified approximately 97,000 potentially vulnerable servers. Out of the total 97,000, the vulnerable state for an estimated 68,500 servers depends on whether administrators applied mitigations, while 28,500 are confirmed to be vulnerable to CVE-2024-21410.

Exploitation of CVE-2024-21410 can have serious consequences for an organization because attackers with elevated permissions an Exchange Server can access confidential data like email communication and use the server as a ramp for further attacks on the network.

A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.

The Department’s court-authorized operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.

The FBI Philadelphia and Boston Field Offices and Cyber Division, U.S. Attorney’s Office for the Eastern District of Pennsylvania, and the National Security Division’s National Security Cyber Section led the disruption effort. The Criminal Division’s Computer Crime and Intellectual Property Section and Office of International Affairs, Shadowserver Foundation, Microsoft Threat Intelligence, and other partners provided valuable assistance.

A coalition of dozens of countries including France, the UK, and the US, along with tech giants such as Google, Meta, and Microsoft, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.

At a speech at the UK-France Cyber Proliferation conference at Lancaster House in London today, UK Deputy Prime Minister Oliver Dowden announced the kickoff for the spyware initiative, dubbed the “Pall Mall Process,” which will be a “multi-stakeholder initiative … to tackle the proliferation and irresponsible use of commercially available cyber-intrusion capabilities,” he explained.

He also announced that the UK will invest £1 million into the nonprofit Shadowserver Foundation, to “help them expand the access they provide to early warning systems, and to cyber resilience support for those impacted by cyberattacks.”

An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers. Exploitation of CVE-2024-21893 allowed attackers to bypass authentication and access restricted resources on vulnerable devices (versions 9.x and 22.x).

Threat monitoring service Shadowserver is now seeing multiple attackers leveraging the SSRF bug, with 170 distinct IP addresses attempting to exploit the flaw.

According to ShadowServer, there are currently almost 22,500 Ivanti Connect Secure devices exposed on the Internet. However, it is unknown how many are vulnerable to this particular vulnerability.

Operation Synergia, which ran from September to November 2023, was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats. The operation involved 60 law enforcement agencies from more than 50 INTERPOL member countries, with officers conducting house searches and seizing servers as well as electronic devices.

Operation Synergia demonstrated how cybersecurity is most effective when international law enforcement, national authorities, and private sector partners cooperate to share best practices and pro-actively combat cybercrime. INTERPOL and its Gateway Partners Group-IB, Kaspersky, TrendMicro, Shadowserver and Ad hoc partner Team Cymru provided analysis and intelligence support throughout the operation.

A GitLab vulnerability enabling file writing to arbitrary locations on a server was patched last Thursday, two weeks after the company patched a critical account takeover bug. The latest vulnerability, tracked as CVE-2024-0402, received a CVSS score of 9.9 and allows authenticated users to write files anywhere on a GitLab server while creating a workspace.

The Shadowserver Foundation, which tracks malicious activity and vulnerabilities online, previously said it detected more than 5,300 GitLab instances vulnerable to CVE-2023-7028 on Jan. 23. As of Jan. 30, Shadowserver’s dashboard showed 4,826 GitLab instances still running unpatched versions. Shadowserver CEO Piotr Kijewski told SC Media that while the organization is not currently scanning for CVE-2024-0402, it is most likely that instances still vulnerable to CVE-2023-7028 are also vulnerable to the latest bug. “The total CVE-2024-0402 population will be expected to be higher, however,” Kijewski said.

Researchers found roughly 45,000 Jenkins instances exposed online that are vulnerable to CVE-2024-23897, a critical remote code execution (RCE) flaw for which multiple public proof-of-concept (PoC) exploits are in circulation. Jenkins is a leading open-source automation server for CI/CD, allowing developers to streamline the building, testing, and deployment processes. It features extensive plugin support and serves organizations of various missions and sizes.

Today, threat monitoring service Shadowserver reported that its scanners have “caught” roughly 45,000 unpatched Jenkins instances, indicating a massive attack surface. Most of the vulnerable internet-exposed instances are in China (12,000) and the United States (11,830), followed by Germany (3,060), India (2,681), France (1,431), and the UK (1,029).

In pursuit of comprehensive threat intelligence, PTA has subscribed to Shadowserver—a renowned platform that provides data pertaining to cyber threats within Pakistan. This subscription enables PTA to compile a holistic view of the threat landscape, and to take proactive measures to mitigate risks related to the telecom sector. Access to reliable threat intelligence is crucial in strengthening the country’s CS posture and safeguarding critical infrastructure.

More than 5,300 GitLab servers connected to the internet are vulnerable to zero-click account takeover CVE-2023-7028 (CVSS score: 10.0) announced by GitLab earlier this month. This vulnerability allows an attacker to send a password reset email for a targeted account to an email address controlled by the attacker, allowing the attacker to change the password and take over the account. Account takeover will not be successful if the target has 2FA enabled, because the attacker will not be able to log in if they do not have control over two-factor authentication (2FA).

Currently, 13 days after the security update became available, threat monitoring service ShadowServer reports seeing 5,379 GitLab instances that are vulnerable to attack. Most servers with the vulnerability were in the United States (964), followed by Germany (730), Russia (721), China (503), France (298), the United Kingdom (122), India (117), and Canada (99 ).