Media Coverage

Cozy Bear, a threat group linked with the Russian foreign intelligence service (SVR), has been conducting a global hacking campaign targeting servers hosting JetBrains TeamCity software, according to US, UK and Polish government agencies. On December 13, the UK-backed Shadowserver Foundation said it was still detecting 800 unpatched instances of JetBrains TeamCity worldwide. JetBrains’ Russkih commented: “The estimate from the Shadowserver Foundation doesn’t distinguish the instances patched with a dedicated security plugin JetBrains released for customers with older versions (since they only look at the version number). We have already reached out to them to discuss possible improvements.”

Hackers are attempting to leverage a recently fixed critical vulnerability (CVE-2023-50164) in Apache Struts that leads to remote code execution, in attacks that rely on publicly available proof-of-concept exploit code.

It appears that threat actors have just started, according to the Shadowserver scanning platform, whose researchers observed a small number of IP addresses engaged in exploitation attempts.

The Department of Water and Sanitation (DWS) has told MyBroadband that it does not use the programmable controllers exploited in a recent attack on a United States water facility. This comes after the Shadowserver Foundation revealed that South Africa was among the countries most impacted by a recent attack on Unitronics programmable logic controllers (PLCs). Shadowserver scanned the Internet for potentially vulnerable controllers following a U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisory.

The Shadowserver Foundation has revealed that South Africa is among the countries most impacted by a recent attack on Unitronics programmable logic controllers (PLCs). This comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning that a state-sponsored Iranian hacking group had exploited security weaknesses in the controllers. CISA stated that, in addition to water and wastewater systems, the targeted Unitronics PLCs are also used in energy, food and beverage manufacturing, and healthcare.

Shadowserver said it specifically scanned the default Unitronics TCP port, 20256, on 2 December 2023.

The US government has confirmed that an Iranian hacking group named Cyber Av3ngers has gained access to equipment at water facilities across multiple US states. CISA, the FBI, the NSA, and other agencies say the attacks began as far back as November 22 and exploited PLCs manufactured by Israeli company Unitronics. The group targeted Unitronics PLCs that were still using the default password “1111.” CISA asked US organizations last week to change the default password, enable MFA, and remove the devices from the internet. US officials say the Cyber Av3ngers group is affiliated with the IRGC, an Iranian military and intelligence organization. According to the Shadowserver Foundation, from 500 to 800 Unitronics PLCs are currently exposed on the internet, with the vast majority in Australia and Singapore.

Representatives from governments, international organizations, and private sector gathered in Accra, Ghana today for the inaugural Global Conference on Cyber Capacity Building. The landmark event saw the release of an action framework known as the Accra Call on wednesday, November 29th. The highlight of the first day of the event was the endorsement of the Call by over 30 entities.

It has now been more than six weeks since virtualization and cloud services provider Citrix reported the existence of a particularly critical vulnerability in two of its products, NetScaler ADC and NetScaler Gateway. But, as often happens, equipped organizations are slow to apply the patches. Which delights cybercriminals of all kinds. According to data from Shadowserver , a foundation dedicated to researching malicious activities, there are still around 91 vulnerable instances in France. This is much less than when the flaw was announced on October 10, when 813 instances were identified, but it is still far too many. “These are the most common attacks observed on our honeypots,” warns the foundation.

The malware group behind the LockBit ransomware attacks has gotten even more sophisticated. Australian cybersecurity officials, the FBI and the Cybersecurity and Infrastructure Security Agency on Tuesday jointly released a security advisory on how the group is exploiting the CitrixBleed vulnerability.

The group isn’t the only one using this issue, which compromises various Citrix load balancing and networking equipment. And though various warnings were issued about a month ago when the exploit first came to light, many enterprises have been slow to patch their gear. The below chart from The ShadowServer Foundation shows more than 3,000 affected devices, mostly in North America and Europe.

Both nation-state hackers and cybercriminal gangs are exploiting a vulnerability affecting Citrix products, federal cyber officials warned on Tuesday. The ‘Citrix Bleed’ bug has caused alarm for weeks as cybersecurity experts warned that many government agencies and major companies were leaving their appliances exposed to the internet — opening themselves up to attacks. Despite a security bulletin from Citrix in October rating the bug a 9.4 out of 10 on the CVSS severity scale, research tool ShadowServer shows that thousands of instances where the tool is used were still vulnerable to the issue as of November 2, with nearly 2,000 in North America alone.