APT Hackers Exploiting Ivanti Connect Secure VPN New Zero-Day Flaw in the Wild
Attackers exploit zero-day flaws in VPNs because these vulnerabilities are unknown to the software vendor, so no patch is available when exploitation begins.
This is particularly attractive to threat actors seeking to abuse the growing reliance on VPNs (virtual private networks) for secure remote access.
Recently, cybersecurity researchers at Google's Mandiant discovered that APT hackers are actively exploiting a new zero-day flaw in Ivanti Connect Secure VPN appliances in the wild.
Ivanti Connect Secure VPN New Zero-Day Flaw
Security analysts at Ivanti disclosed the following two vulnerabilities affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances:
Successful exploitation of these vulnerabilities may lead to authentication bypass and command injection that enables network compromise.
Zero-day exploitation by the threat actor, tracked as UNC5221, began in December 2023; Ivanti, working with Mandiant, is investigating the issues and providing mitigations.
After exploiting the vulnerabilities above, UNC5221 deployed custom malware on Connect Secure (CS) appliances by trojanizing legitimate files, and used PySoxy and BusyBox for post-exploitation activity.
UNC5221 used a Perl script (sessionserver.pl) to remount the appliance's read-only filesystem sections as writable, then deployed THINSPOOL, a shell-script dropper.
THINSPOOL writes the LIGHTWIRE web shell into a legitimate Connect Secure file, along with other tools.
Mandiant assesses THINSPOOL as a key tool for persistence and detection evasion in UNC5221's attacks: it serves as the initial dropper for the LIGHTWIRE web shell, which is then used for post-exploitation.
The LIGHTWIRE and WIREFIRE web shells provide lightweight footholds for continued access to CS appliances, indicating targeted, persistent access.
Custom Malware Discovered
The custom malware families discovered are listed below:
ZIPLINE Passive Backdoor
THINSPOOL Dropper
LIGHTWIRE Web Shells
WIREFIRE Web Shells
WARPWIRE Credential Harvester
Security analysts at Mandiant could not attribute this threat actor to a specific origin due to insufficient data. Targeting edge infrastructure with zero-days is a common tactic, and Mandiant has previously observed APT actors using appliance-specific malware.
UNC5221's activity shows that network edge devices remain an attractive target for espionage actors: use of zero-days, compromised appliances, and detection evasion are hallmarks of espionage operations.
Security experts strongly recommend that administrators apply the available security patches and mitigations immediately to reduce exposure to attacks like this.
IOCs
IoCs (Source: Mandiant)