Tag Archive for: Suspected

China suspected to be behind Ivanti zero-day exploits


Ivanti is working on a patch to fix two high-impact vulnerabilities allowing attackers to control an affected system.

Attackers have been exploiting two zero-day vulnerabilities affecting the security software provider Ivanti’s products. CISA urged admins to take note of the flaws and added the vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, to the Known Exploited Vulnerabilities catalog, requiring government institutions to remediate the issue.

“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system. In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” researchers at Volexity said.

However, Ivanti has yet to release a patch for the affected systems. For the time being, the company issued a workaround via its blog.

“We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT,” reads Ivanti’s blog.

The zero-days are an authentication bypass and a command-injection vulnerability that together allow attackers to perform a wide array of attacks, including remote code execution and system takeover. According to Ivanti, the company is aware of “less than ten customers” who were impacted by the vulnerabilities.

Ivanti claims to have more than 40,000 customers in total.

Researchers believe that the affected systems may have been exploited as early as December 3rd, 2023. The culprits behind the exploits are suspected to be UTA0178, believed to be a Chinese nation-state-level threat actor.

There’s little insight into the attacker’s motives. However, researchers observed threat actors carrying out reconnaissance and system exploration tasks.

“This primarily consisted of looking through user files, configuration files, and testing access to systems. The primary notable activity beyond that was deployment of webshells to multiple systems,” Volexity researchers said.


Ukraine faces second day of huge phone and internet outage after suspected Russian cyberattack


Ukraine on Wednesday entered the second day of limited communications after its largest mobile phone and internet provider was hit by a huge cyberattack, Ukrainian officials and the internet provider said Wednesday.

The company, Kyivstar, shut down all mobile and internet service Tuesday after experiencing what its CEO said was a Russian cyberattack.

The Kyivstar hack is one of the biggest cyberattacks on the civilian telecommunications industry in history, and one of the most influential of the Russia-Ukraine war. Kyivstar’s website is still inaccessible, but an archived version of it from November said it has more than 25 million customers nationwide, more than half the country’s population.

Kyivstar announced Wednesday it had begun to restore service, but Kentik, a company that tracks global internet connectivity, said Kyivstar was operating at a fraction of its normal traffic levels.

In addition to cutting off communications for millions of Ukrainians, the Kyivstar attack resulted in other critical services shutting down.

The head of Kyiv’s Regional Military Administration, Ruslan Kravchenko, said on Telegram that the outage disrupted air alert systems in multiple cities, forcing authorities to use backup alarms. Russia launched a missile attack Wednesday morning, Kyiv’s mayor said on his Telegram channel, resulting in 53 people being injured and 20 being hospitalized.

Ukraine’s largest bank, PrivatBank, announced that a lack of functioning internet connection had resulted in some ATMs and point-of-sale terminals not working.

In the city of Lviv, which uses internet-connected smart streetlights, the Kyivstar outage meant that the lights had to be disconnected manually, the City Council said on its website.

Ukrainian authorities, including communications officials and representatives from the Security Service of Ukraine, indicated in emailed statements Wednesday that the culprit was a unit within Russian military intelligence, the GRU, that Western governments and cybersecurity researchers have said is responsible for previous destructive attacks on Ukrainian infrastructure. Russia’s Ministry of Foreign Affairs didn’t respond to a request for comment.

Both the Security…


Ukrainian cellular and Internet still out, 1 day after suspected Russian cyberattack


A service center for “Kyivstar”, a Ukrainian telecommunications company that provides communication services and data transmission based on a broad range of fixed and mobile technologies. (Getty Images)

Ukrainian civilians on Wednesday grappled for a second day of widespread cellular phone and Internet outages after a cyberattack, purportedly carried out by Kremlin-supported hackers, hit the country’s biggest mobile phone and Internet provider a day earlier.

Two separate hacking groups with ties to the Russian government took responsibility for Tuesday’s attack striking Kyivstar, which has said it serves 24.3 million mobile subscribers and more than 1.1 million home Internet users. One group, calling itself Killnet, said on Telegram that “an attack was carried out on Ukrainian mobile operators, as well as on some banks,” but didn’t elaborate or provide any evidence. A separate group known as Solntsepek said on the same site that it took “full responsibility for the cyberattack on Kyivstar” and had “destroyed 10,000 computers, more than 4,000 servers, and all cloud storage and backup systems.” The post was accompanied by screenshots purporting to show someone with control over the Kyivstar systems.

In the city of Lviv, street lights remained on after sunrise and had to be disconnected manually, because Internet-dependent automated power switches didn’t work, according to NBC News. Additionally, the outage prevented shops throughout the country from processing credit payments and many ATMs from functioning, the Kyiv Post said.

The outage also disrupted air alert systems that warn residents in multiple cities of incoming missile attacks, a Ukrainian official said on Telegram. The outage forced authorities to rely on backup alarms.

“Cyber specialists of the Security Service of Ukraine and ‘Kyivstar’ specialists, in cooperation with other state bodies, continue to restore the network after yesterday’s hacker attack,” officials with…


Unmasking Putin’s Schadenfreude and His Suspected Cyberwarfare


Amy Neustein

Bewilderment, angst and fear would grip an entire world on Oct. 7 as savagery and barbarism were unleashed by the Hamas terrorist group on the kibbutzim and towns in Israel along the Gazan border in the early morning hours of Simchas Torah and Shabbat.

Astonishingly, Israel, known for its superior reconnaissance and military savvy, was caught off guard; the consequences were verily catastrophic. Cybersecurity gaps may have contributed to this debacle.

Deputy Editor James Coker of Infosecurity Magazine reported last week that Radware, a publicly traded cybersecurity company headquartered in Tel Aviv-Yafo with offices in Europe, Africa and Asia Pacific, found that Israel topped the list worldwide in its receipt of DDoS (Distributed Denial of Service) attacks just five days before the Hamas raid and in the days that followed. Such cyberattacks use multiple connected online devices, collectively known as a “botnet,” to overwhelm a targeted website with fake traffic.

Coker stated Israel received 143 such DDoS attacks “making it the most targeted nation” in the world during that period. Radware found that more than a third of the claimed DDoS attacks were aimed at Israeli governmental agencies. Killnet, a pro-Russian (and purportedly Kremlin-associated) cybersecurity threat group that engaged in DDoS attacks targeting websites in countries that supported Ukraine following the Russian invasion, claimed several attacks on Israel’s cybersystem along with pro-Palestinian hacktivist groups.

Radware pointed to Killnet’s claim on Telegram Messenger, a cloud-based, cross-platform instant messaging service, of targeting Israel’s banks and government sites, including Shabak.gov.il, the site of Israel’s internal security service. The Jerusalem Post wrote on X (formerly Twitter) that it suffered downtime due to cyberattacks two days after the massacre.

Rob Joyce, director of cybersecurity at the National Security Agency, a national level intelligence agency of the United States Department of Defense, weighed in…
