CISA | Breaking Cybersecurity News | The Hacker News

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries. The  officials  include Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian, who are part of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Reza Lashgarian is also the head of the IRGC-CEC and a commander in the IRGC-Qods Force. He is alleged to have been involved in various IRGC cyber and intelligence operations. The Treasury Department  said  it's holding these individuals responsible for carrying out "cyber operations in which they hacked and posted images on the screens of programmable logic controllers manufactured by Unitronics, an Israeli company." In late November 2023, the U.S. Cybersecurity and Infras

The U.S. government on Wednesday said it took steps to neutralize a botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon and blunt the impact posed by the hacking campaign. The existence of the botnet, dubbed  KV-botnet , was  first disclosed  by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The law enforcement effort was  reported  by Reuters earlier this week. "The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates," the Department of Justice (DoJ)  said  in a press statement. Volt Typhoon  (aka DEV-0391, Bronze Silhouette, Insidious Taurus, or Vanguard Panda) is the moniker assigned to a China-based adversarial collect

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday  added  a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as  CVE-2022-48618  (CVSS score: 7.8), concerns a bug in the kernel component. "An attacker with arbitrary read and write capability may be able to bypass  Pointer Authentication ," Apple said in an advisory, adding the issue "may have been exploited against versions of iOS released before iOS 15.7.1." The iPhone maker said the problem was addressed with improved checks. It's currently not known how the vulnerability is being weaponized in real-world attacks. Interestingly, patches for the flaw were released on December 13, 2022, with the release of  iOS 16.2, iPadOS 16.2 ,  macOS Ventura 13.1 ,  tvOS 16.2 , and  watchOS 9.2 , although it was only publicly disclosed more than a yea

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities ( KEV ) catalog, stating it's being actively exploited in the wild. The vulnerability in question is  CVE-2023-35082  (CVSS score: 9.8), an authentication bypass that's a patch bypass for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0), which was actively exploited in attacks targeted Norwegian government entities as a zero-day in April 2023. "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti  noted  in August 2023. All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below are impacted by the vulnerability. Cyb

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)  warned  that threat actors deploying the  AndroxGh0st  malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware,  AndroxGh0st  was first documented by Lacework in December 2022, with the malware inspiring several  similar tools  like AlienFox, GreenBot (aka Maintance), Legion, and Predator. The cloud attack tool is capable of infiltrating servers vulnerable to known security flaws to access Laravel environment files and steal credentials for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio. Some of the notable flaws weaponized by the attackers include  CVE-2017-9841  (PHPUnit),  CVE-2021-41773  (Apache HTTP Server), and  CVE-2018-15133  (Laravel Framework). "AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  six security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. This includes  CVE-2023-27524  (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1. Details of the issue  first came to light  in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data." It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws - CVE-2023-38203  (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability CVE-2023-29300  (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrus

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is  urging  manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations. In an alert published last week, the agency called out Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) for exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S. Default passwords  refer to factory default software configurations for embedded systems, devices, and appliances that are typically publicly documented and identical among all systems within a vendor's product line. As a result, threat actors could scan for internet-exposed endpoints using tools like Shodan and attempt to breach them through default passwords, often gaining root or administrative privileges to  perform po

Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. The  vulnerabilities  are as follows - CVE-2023-33063  (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP. CVE-2023-33106  (CVSS score: 8.4) - Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND. CVE-2023-33107  (CVSS score: 8.4) - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call. Google's Threat Analysis Group and Google Project Zero  revealed  back in October 2023 that the three flaws, along with  CVE-2022-22071  (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks. A security researcher named luckyrb, the Google Android Security team, and TAG researcher Benoît Sevens and Jann Horn of Google Proje

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday  added  a high-severity flaw in the Service Location Protocol (SLP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as  CVE-2023-29552  (CVSS score: 7.5), the issue relates to a denial-of-service (DoS) vulnerability that could be weaponized to launch massive DoS amplification attacks. It was  disclosed  by Bitsight and Curesec earlier this April. "The Service Location Protocol (SLP) contains a denial-of-service (DoS) vulnerability that could allow an unauthenticated, remote attacker to register services and use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor," CISA  said . SLP is a protocol that allows systems on a local area network (LAN) to discover each other and establish communications. The exact details surrounding the nature of exploitation of the flaw are currently unknown, bu

Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that's under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is tracked as  CVE-2023-20198  and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It's worth pointing out that the shortcoming only affects enterprise networking gear that have the web UI feature enabled and when it's exposed to the internet or to untrusted networks. "This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege  level 15 access ," Cisco  said  in a Monday advisory. "The attacker can then use that account to gain control of the affected system." The problem impacts both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS server feature enabled. As a mitigation, it's recommended to disable the HTTP server feature on internet-facing systems. The network

The AvosLocker ransomware gang has been linked to attacks against critical infrastructure sectors in the U.S., with some of them detected as recently as May 2023. That's according to a new joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) detailing the ransomware-as-a-service (RaaS) operation's tactics, techniques, and procedures (TTPs). "AvosLocker affiliates compromise organizations' networks by using legitimate software and open-source remote system administration tools," the agencies  said . "AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data." The ransomware strain  first emerged  on the scene in mid-2021, and has since leveraged sophisticated techniques to disable antivirus protection as a detection evasion measure. It affects Windows, Linux, and VMware ESXi environment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday  added  a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as  CVE-2023-21608  (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the privileges of the current user. A patch for the flaw was released by Adobe in January 2023. HackSys security researchers Ashfaq Ansari and Krishnakant Patil were  credited  with discovering and reporting the flaw. The  following versions  of the software are impacted - Acrobat DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310) Acrobat Reader DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310) Acrobat 2020 - 20.005.30418 and earlier versions (fixed in 20.005.30436) Acrobat Reader 2020 - 20.005.30418 and earl

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday  added  two security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence. The vulnerabilities newly added are below - CVE-2023-42793  (CVSS score: 9.8) - JetBrains TeamCity Authentication Bypass Vulnerability CVE-2023-28229  (CVSS score: 7.0) - Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability CVE-2023-42793 relates to a  critical authentication bypass vulnerability  that allows for remote code execution on TeamCity Server. Data gathered by GreyNoise has revealed exploitation attempts targeting the flaw from  74 unique IP addresses  to date. On the other hand, CVE-2023-28229 is a  high-severity flaw  in the Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service that allows an attacker to gain specific limited SYSTEM privileges. There are curren

Cybersecurity agencies from Japan and the U.S. have warned of attacks mounted by a state-backed hacking group from China to stealthily tamper with branch routers and use them as jumping-off points to access the networks of various companies in the two countries. The attacks have been tied to a malicious cyber actor dubbed  BlackTech  by the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC). "BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets," the agencies  said  in a joint alert. Targeted sectors encompass government, industrial, technology, media, electronics

Cybersecurity company Trend Micro has  released  patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as  CVE-2023-41179  (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted products is as follows - Apex One - version 2019 (on-premise), fixed in SP1 Patch 1 (B12380) Apex One as a Service - fixed in SP1 Patch 1 (B12380) and Agent version 14.0.12637 Worry-Free Business Security - version 10.0 SP1, fixed in 10.0 SP1 Patch 2495 Worry-Free Business Security Services - fixed in July 31, 2023, Monthly Maintenance Release Trend Micro said that a successful exploitation of the flaw could allow an attacker to manipulate the component to execute arbitrary commands on an affected installation. However, it requires that the adversary already has administrative

Cisco has released security fixes to address multiple security flaws, including a critical bug, that could be exploited by a threat actor to take control of an affected system or cause a denial-of service (DoS) condition. The most severe of the issues is CVE-2023-20238, which has the maximum CVSS severity rating of 10.0. It's described as an authentication bypass flaw in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. Successful exploitation of the vulnerability -- a weakness in the single sign-on (SSO) implementation and discovered during internal testing -- could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system. "This vulnerability is due to the method used to validate SSO tokens," Cisco  said . "An attacker could exploit this vulnerability by authenticating to the application with forged credentials. A successful exploit could allow the attacker to commit toll fraud or to e