APT Hackers Exploiting Ivanti Connect Secure VPN New Zero-Day Flaw in the Wild
Attackers exploit zero-day flaws in VPNs because these vulnerabilities are unknown to the software vendor, so no patch exists at the time of exploitation.
This is particularly lucrative for threat actors seeking to take advantage of the growing reliance on VPNs (virtual private networks) for secure remote access.
Recently, cybersecurity researchers at Google’s Mandiant discovered that APT hackers are actively exploiting new zero-day flaws in Ivanti Connect Secure VPNs in the wild.
Ivanti Connect Secure VPN New Zero-Day Flaw
Security analysts at Ivanti discovered the following two vulnerabilities affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances:
Successful exploitation of these vulnerabilities may lead to authentication bypass and command injection, enabling compromise of the network behind the appliance.
Zero-day exploitation by UNC5221 began in December 2023; Ivanti, working with Mandiant, is addressing the issues and providing mitigations.
After exploiting the above-mentioned vulnerabilities, UNC5221 deployed custom malware on Connect Secure (CS) appliances by trojanizing legitimate files, while the PySoxy proxy and BusyBox supported post-exploitation activity.
UNC5221 used a Perl script (sessionserver.pl) to remount read-only sections of the file system, then deployed THINSPOOL, a shell script dropper.
THINSPOOL writes the LIGHTWIRE web shell into a legitimate Connect Secure file, alongside other tools.
According to Mandiant, THINSPOOL is a key component of UNC5221’s persistence and detection evasion: it serves as the initial dropper for the LIGHTWIRE web shell, which supports post-exploitation access.
The LIGHTWIRE and WIREFIRE web shells provide lightweight footholds for continued access to CS appliances, indicating an intent to maintain targeted persistence.
Custom Malware Discovered
The custom malware families discovered are:
ZIPLINE Passive Backdoor
THINSPOOL Dropper
LIGHTWIRE Web Shells
WIREFIRE Web Shells
WARPWIRE Credential Harvester
Security analysts at Mandiant could not attribute this threat actor to a known group due to insufficient data. Targeting edge infrastructure with zero-days is a common tactic, and Mandiant has previously observed APT actors using appliance-specific malware.
UNC5221 shows that the network edge remains an attractive target for espionage actors: the use of zero-days, the compromise of edge devices, and the focus on evading detection are all hallmarks of espionage operations.
Cybersecurity experts strongly recommend that users immediately apply the available security patches and mitigations to address threats like this.
IOCs
IoCs (Source – Mandiant)