Tag Archive for: Mass

Researchers say easy-to-exploit security bugs in ConnectWise remote-access software now under mass attack

/in


Security researchers say a pair of easy-to-exploit flaws in a popular remote-access tool used by more than a million companies around the world are now being mass exploited, with hackers abusing the vulnerabilities to deploy ransomware and steal sensitive data.

Cybersecurity giant Mandiant said in a post on Friday that it has “identified mass exploitation” of the two flaws in ConnectWise ScreenConnect, a popular remote access tool that allows IT and technicians to remotely provide technical support directly on customer systems over the internet.

The two vulnerabilities comprise CVE-2024-1709, an authentication bypass vulnerability that researchers deemed “embarrassingly easy” for attackers to exploit, and CVE-2024-1708, a path-traversal vulnerability that allows hackers to remotely plant malicious code, such as malware, on vulnerable ConnectWise customer instances.

ConnectWise first disclosed the flaws on February 19 and urged on-premise customers to install security patches immediately. However, thousands of servers remain vulnerable, according to data from the Shadowserver Foundation, and each of these servers can manage up to 150,000 customer devices.

Mandiant said it had identified “various threat actors” exploiting the two flaws and warned that “many of them will deploy ransomware and conduct multifaceted extortion,” but did not attribute the attacks to specific threat groups.

Finnish cybersecurity firm WithSecure said in a blog post Monday that its researchers have also observed “en-mass exploitation” of the ScreenConnect flaws from multiple threat actors. WithSecure said these hackers are exploiting the vulnerabilities to deploy password stealers, back doors, and in some cases ransomware.

WithSecure said it also observed hackers exploiting the flaws to deploy a Windows variant of the KrustyLoader back door on unpatched ScreenConnect systems, the same kind of back door planted by hackers recently exploiting vulnerabilities in Ivanti’s corporate VPN software. WithSecure said it could not yet attribute the activity to a particular threat group, though others have linked the past activity to a China-backed hacking group focused…

Source…

“This vulnerability is now under mass exploitation.” Citrix Bleed bug bites hard

/in


“This vulnerability is now under mass exploitation.” Citrix Bleed bug bites hard

Getty Images

A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.

Citrix Bleed, the common name for the vulnerability, carries a severity rating of 9.4 out of a possible 10, a relatively high designation for a mere information-disclosure bug. The reason: the information disclosed can include session tokens, which the hardware assigns to devices that have already successfully provided credentials, including those providing MFA. The vulnerability, tracked as CVE-2023-4966 and residing in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, has been under active exploitation since August. Citrix issued a patch on October 10.

Repeat: This is not a drill

Attacks have only ramped up recently, prompting security researcher Kevin Beaumont on Saturday to declare: “This vulnerability is now under mass exploitation.” He went on to say, “From talking to multiple organizations, they are seeing widespread exploitation.”

He said that as of Saturday, he had found an estimated 20,000 instances of exploited Citrix devices where session tokens had been stolen. He said his estimate was based on running a honeypot of servers that masquerade as vulnerable Netscaler devices to track opportunistic attacks on the Internet. Beaumont then compared those results with other data, including some provided by Netflow and the Shodan search engine.

Meanwhile, GreyNoise, a security company that also deploys honeypots, was showing exploits for CVE-2023-4966 coming from 135 IP addresses when this post went live on Ars. That’s a 27-fold increase from the five IPs spotted GreyNoise saw five days ago.

The most recent numbers available from security organization Shadowserver showed that there were roughly 5,500 unpatched devices. Beaumont has acknowledged that the estimate is at odds with his estimate…

Source…

Security News This Week: US Energy Firm Targeted With Malicious QR Codes in Mass Phishing Attack

/in


At the Defcon security conference in Las Vegas last weekend, thousands of hackers competed in a red-team challenge to find flaws in generative AI chat platforms and help better secure these emerging systems. Meanwhile, researchers presented findings across the conference, including new discoveries about strategies to bypass a recent addition to Apple’s macOS that is supposed to flag potentially malicious software on your computer. 

Kids are facing a massive online scam campaign that targets them with fake offers and promotions related to the popular video games Fortnite and Roblox. And the racket all traces back to one rogue digital marketing company. The social media platform X, formerly Twitter, has been filing lawsuits and pursuing a strategic legal offensive to oppose researchers who study hate speech and online harassment using data from the social network.

On Thursday, an innovation agency within the US Department of Health and Human Services announced plans to fund research into digital defenses for health care infrastructure. The goal is to rapidly develop new tools that can protect US medical systems against ransomware attacks and other threats.

But wait, there’s more! Each week, we round up the stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A large phishing campaign that’s been active since May has been targeting an array of companies with malicious QR codes in attempts to steal Microsoft account credentials. Notably, researchers from the security firm Cofense observed the attacks against “a major Energy company based in the US.” The campaign also targeted organizations in other industries, including finance, insurance, manufacturing, and tech. Malicious QR codes were used in nearly a third of the emails reviewed by researchers. QR codes have disadvantages in phishing, since victims need to be compelled to scan them for the attack to progress. But they make it more difficult for victims to evaluate the trustworthiness of the URL they’re clicking on, and it’s more likely that emails containing a QR code will reach their target, because it’s more difficult for spam filters to assess QR…

Source…

Russian Ransomware Group Reveals More Victims Of Moveit Mass Hack

/in


(MENAFN– IANS) San Francisco, June 16 (IANS) The Russia-linked ransomware group Clop, which exploited a critical security vulnerability in a popular corporate file transfer tool, has listed several other victims of its mass hack, that also include banks and universities, apart from federal government agencies.
On its website, the group called Clop listed US-based financial services organisations 1st Source and First National Bankers Bank; Boston-based investment management firm Putnam Investments; the Netherlands-based Landal Greenparks; and the UK-based energy giant Shell, among other victims, reports TechCrunch.
The ransomware gang exploited a security flaw in MOVEit Transfer, a tool used by corporations and enterprises to share large files over the internet.
Progress Software, which develops the MOVEit software, has patched the vulnerability.
The US Cybersecurity and Infrastructure Security Agency “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications”, the agency’s Executive Assistant Director for Cybersecurity, Eric Goldstein, told CNN about the software impacted.
Other victims listed include financial software provider Datasite, educational non-profit National Student Clearinghouse, student health insurance provider United Healthcare Student Resources, US manufacturer Leggett & Platt and the University System of Georgia (USG), among others
Clop contacts its victims to demand a ransom payment to decrypt or delete their stolen files.
The Government of Nova Scotia, which uses MOVEit to share files across departments, also confirmed it was affected.
Many more victims are expected to be revealed in the coming days and weeks, according to the report.
According to researchers, Clop may have been exploiting the MOVEit vulnerability as far back as 2021.
–IANS
na/kvd

MENAFN16062023000231011071ID1106445987


Legal Disclaimer:
MENAFN provides the information “as is” without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the…

Source…