Critical Apache ActiveMQ Vulnerability Exploited to Deliver Ransomware
https://www.securityweek.com/critical-apache-activemq-vulnerability-exploited-to-deliver-ransomware/
A recently patched Apache ActiveMQ vulnerability tracked as CVE-2023-46604 is being exploited to deliver ransomware.
Apache ActiveMQ is described as the “most popular open source, multi-protocol, Java-based message broker”.
The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol so that the broker instantiates any class on the classpath. Several versions of the ActiveMQ product and the Apache ActiveMQ legacy OpenWire modules are affected. The vulnerability has been patched in updated releases.
According to the cybersecurity firm Rapid7, cybercriminals linked to the HelloKitty ransomware family, whose source code was leaked roughly one month ago, tried to exploit CVE-2023-46604 to deliver ransomware to targeted systems. The threat actor’s ransomware deployment was somewhat clumsy: in one of the incidents Rapid7 observed, there were more than half a dozen unsuccessful attempts to encrypt assets.
Microsoft Takes on Cyber-Threats with New Secure Future Initiative.
https://www.infosecurity-magazine.com/news/microsoft-secure-future-initiative/
Microsoft has announced a significant new cybersecurity initiative designed to help the company better respond to the increasing speed, scale, and sophistication of today’s cyber threats.
The article discusses Microsoft’s new cybersecurity initiative, called the “Secure Future Initiative,” aimed at enhancing the company’s ability to combat the increasing speed, scale, and sophistication of modern cyber threats.
The initiative is driven, in part, by the rise in sophistication of state-sponsored cyber actors and recent attacks on Microsoft’s cloud services. Brad Smith, the President of Microsoft, highlights the need for a more robust response to these innovative and diverse attacks, which include not only espionage but also sabotage, destruction, and influence operations.
Cyber-hygiene alone won’t cut it against these innovative attacks, which have become more brazen, prolific, and diverse – encompassing not just espionage but also sabotage, destruction, and influence operations, he added.
The Secure Future Initiative has three primary pillars:
1. AI-Based Cyber Defenses: Microsoft plans to leverage artificial intelligence (AI) to enhance its threat intelligence and analysis capabilities. This involves using AI technologies to identify and respond to cyber threats more effectively. It is a recognition of the growing role of AI in improving cybersecurity.
2. Advances in Fundamental Software Engineering: This pillar focuses on improving the security of Microsoft’s software products. By enhancing the security of their software, they aim to reduce vulnerabilities and potential entry points for cyber threats.
3. Advocacy for Stronger Application of International Norms: Microsoft aims to promote the application of international norms to protect civilians from cyber threats. This could involve working with governments and organizations to establish and enforce rules and standards for responsible behavior in cyberspace.
This initiative underlines Microsoft’s commitment to enhancing its cybersecurity posture and contributing to global cybersecurity efforts.
https://www.securityweek.com/okta-hack-blamed-on-employee-using-personal-google-account-on-company-laptop/
The hack was attributed to an Okta employee who used a personal Google account on a company-managed laptop, which led to the exposure of credentials and subsequent data theft from multiple Okta customers. Okta’s security chief, David Bradbury, provided a post-mortem on the incident, revealing that unauthorized access was gained to files within Okta’s customer support system, affecting less than 1% of Okta customers.
Previous News
Okta, an identity security company, experienced a breach. Hackers used stolen credentials to access Okta’s support system, viewing confidential files. These files, particularly HAR files, contained sensitive data like cookies and session tokens, enabling hackers to mimic legitimate users.
Okta responded by:
- Assisting impacted clients and securing accounts.
- Advising the removal of sensitive data from files before sharing.
- Confirming that Okta’s primary service wasn’t affected.
They also issued warnings about suspicious IP addresses and urged customers to monitor their systems. BeyondTrust, another security firm, encountered a related attack but thwarted it, highlighting some vulnerabilities in Okta’s security.
This incident isn’t isolated; Okta has been previously targeted. Hackers have attempted sophisticated methods to compromise it, aiming to access connected organizations. The specifics of the attackers and their goals remain largely undisclosed.
“Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel”
Google has issued a warning about threat actors sharing a public proof-of-concept (PoC) exploit called Google Calendar RAT (GCR), which leverages Google Calendar service for command-and-control (C2) infrastructure. The tool, created by a developer known as MrSaighnal, exploits event descriptions in Google Calendar to establish a covert channel, allowing the target to connect directly to Google. Although not observed in active use, Google’s Mandiant threat intelligence unit detected threat actors sharing the PoC on underground forums. GCR operates on compromised machines, periodically polling Calendar event descriptions for new commands, executing them on the target device, and updating the event description with command output. The tool’s use of legitimate infrastructure makes it challenging for defenders to detect suspicious activity, emphasizing threat actors’ interest in abusing cloud services to blend in with victim environments and avoid detection.
URL: https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.html
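The defensive angle of the GCR story is that an implant polling Calendar event descriptions produces a steady request cadence that interactive use of Google Calendar does not. The script below is an added example, not code from the article or from the GCR tool: it runs a beaconing heuristic over constructed proxy log lines (the log format, hosts and thresholds are assumptions) and flags clients whose Calendar API requests arrive at near-constant intervals.

```python
"""Beaconing heuristic for Calendar-as-C2 polling over constructed proxy logs.

Added example, not part of the article. The log format is assumed to be
"<ISO timestamp> <client> <method> <url>", one request per line.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Requests to the Calendar API are the only ones this heuristic considers.
CALENDAR_API = re.compile(r"^https://www\.googleapis\.com/calendar/v3/")
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+)$")

# Constructed sample: 10.0.0.5 polls the primary calendar every 30 s and writes
# back to an event (the poll/execute/update loop described in the article);
# 10.0.0.9 is a person using Calendar and other sites at irregular times.
SAMPLE_LOG = """\
2023-11-06T09:00:00 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:05 10.0.0.9 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:30 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:01:00 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:01:30 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:02:00 10.0.0.5 PUT https://www.googleapis.com/calendar/v3/calendars/primary/events/ev1
2023-11-06T09:02:30 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:03:00 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:03:30 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:07:40 10.0.0.9 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:08:02 10.0.0.9 GET https://www.googleapis.com/calendar/v3/calendars/primary/events/ev7
2023-11-06T09:15:00 10.0.0.9 GET https://example.org/intranet/news
2023-11-06T09:31:10 10.0.0.9 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T10:02:00 10.0.0.9 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T10:02:03 10.0.0.9 PATCH https://www.googleapis.com/calendar/v3/calendars/primary/events/ev7
"""


def parse_line(line):
    """Parse one log line into (timestamp, client, method, url), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return datetime.fromisoformat(ts), client, method, url


def detect_calendar_beacons(lines, min_requests=6, max_cv=0.2):
    """Return {client: summary} for clients whose Calendar API requests arrive
    at near-constant intervals. Regularity is measured as the coefficient of
    variation (stdev / mean) of the gaps between consecutive requests; a
    polling implant sits near 0, a human browsing the calendar does not."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and CALENDAR_API.match(rec[3]):
            by_client[rec[1]].append(rec)
    findings = {}
    for client, recs in by_client.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[client] = {"requests": len(recs), "mean_interval_s": round(avg, 1),
                                "cv": round(cv, 3), "methods": sorted({r[2] for r in recs})}
    return findings


if __name__ == "__main__":
    for client, summary in detect_calendar_beacons(SAMPLE_LOG.splitlines()).items():
        print(client, summary)
```

On real proxy data, raise `min_requests` and review flagged hosts against the write methods in `methods`: a client that both reads and updates event descriptions on a fixed cadence matches the loop the article describes more closely than one that only reads.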
ServiceNow Data Exposure: A Wake-Up Call for Companies (thehackernews.com)
The article discusses a recent security issue with ServiceNow, a widely used cloud-based platform for business management. It reveals that misconfigurations within ServiceNow could allow unauthorized access to sensitive data, posing a significant security risk for organizations. The problem primarily relates to a widget called “Simple List,” which defaults to allowing unauthenticated users to access important data. While not a flaw in ServiceNow’s code, this configuration issue requires remediation steps, including reviewing and modifying Access Control Lists, adjusting public widget settings, and using stricter access controls. Even after ServiceNow issues a fix, organizations are urged to follow these steps to ensure data security. Additionally, organizations can use SaaS Security Posture Management solutions to identify and address configuration issues in ServiceNow and other applications. The article emphasizes the critical need for securing data and configurations to prevent potential data exposure and leakage.
https://thehackernews.com/2023/10/servicenow-data-exposure-wake-up-call.html
https://thehackernews.com/2023/11/us-treasury-targets-russian-money.html
A 37-year-old woman was sanctioned by the U.S. Department of the Treasury for her part in laundering virtual currency for the country’s elites and for cybercriminal crews, including the Ryuk ransomware group. She facilitated large cross-border transactions that helped Russian individuals gain access to Western financial markets and circumvent international sanctions. She took advantage of the weak anti-money laundering and combating the financing of terrorism controls of exchanges such as the OFAC-designated Russian cryptocurrency exchange Garantex, and used multiple methods to move funds internationally. Garantex was itself sanctioned by the U.S. in an action that coincided with the takedown of the dark web marketplace Hydra. She was accused of offering her services to people connected to the Ryuk ransomware group, laundering 2.3 million in suspected victim payments on Ryuk’s behalf.
https://www.securityweek.com/data-brokers-expose-sensitive-us-military-member-info-to-foreign-threat-actors-study/
A Duke University study reveals that US military members’ sensitive information can be easily acquired by foreign threat actors from data brokers who collect and sell personal data, including demographic, financial, and health information. This data poses risks to national security, with the study finding that the practices of data brokers in verifying customers’ identities are inconsistent and largely unregulated by the US government. The researchers recommend the enactment of comprehensive privacy laws, increased funding for regulatory agencies, and internal assessments by the Defense Department to safeguard sensitive military information from falling into the wrong hands.
https://www.infosecurity-magazine.com/news/veeam-patches-two-critical-bugs/
Veeam, a data resiliency specialist, has addressed four newly discovered vulnerabilities in its IT monitoring and analytics tool. Two of these vulnerabilities are critical. The first one, CVE-2023-38547, with a CVSS rating of 9.9, allows an unauthenticated user to access information about the SQL server connection used by Veeam ONE, potentially leading to remote code execution on the SQL server. The second critical bug, CVE-2023-38548, rated at 9.8, allows an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
The other two vulnerabilities are rated as “medium” severity. CVE-2023-38549, with a CVSS score of 4.5, affects Veeam ONE versions 11, 11a, and 12, and exploiting it requires interaction from a user holding the product’s administrator role. CVE-2023-41723, rated at 4.3, also affects Veeam ONE 11, 11a, and 12 and allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule, with no ability to make changes.
https://www.forbes.com/sites/forbestechcouncil/2023/11/06/the-million-dollar-cybersecurity-question/?sh=7178b5416b60
This article examines the question: if we are putting so many resources into cybersecurity, then why are there so many breaches? It first lays out three categories of risk: mitigatable, transferable, and acceptable risk. Cyber risk is evaluated through these categories. It then describes 4 phases of managing cyber risk: empowering and securing the workforce, protecting data in cloud workloads, modernizing IoT/OT security, and engaging customers and suppliers securely. Given all of these, the security architecture is always changing, and because not all companies are able to adapt to that change easily or quickly, we are seeing these large numbers of cyber attacks.