The Good, the Bad and the Ugly in Cybersecurity – Week 5

The Good | Recent Cyber Operations Combat Insider Threats and Disrupt Sophisticated Malware

In a series of cyber arrests and operations this week, law enforcement agencies around the world made strides in taking down cyber threats across different regions.

In the U.S., three former Department of Homeland Security employees, including a former Acting Inspector General, were sentenced for stealing proprietary government software and the personal data of 200,000 federal employees. The trio pleaded guilty to conspiring to share the stolen assets with Indian software developers to create and sell a similar commercial product to other government agencies.

In Brazil, joint federal operatives arrested several operators of Grandoreiro malware, a banking trojan known for targeting Latin American countries. A design flaw in Grandoreiro’s network protocol uncovered by cybersecurity researchers was used to identify the victimology patterns. Grandoreiro, active since 2017, targets banking information through keyloggers and overlays, with the threat actors leveraging phishing lures and a domain generation algorithm (DGA) to evade detection. Since the arrests, the malware operation has come to a full stop at the time of this writing.

Source: Zscaler

Meanwhile, KV Botnet, a part of Volt Typhoon’s arsenal, has been successfully disrupted after the FBI hacked into the botnet’s command and control (C2) server. The PRC-based state hackers were known to use the botnet to evade detection in their attacks against U.S. critical infrastructure. These attacks utilized compromised devices, including cameras and vulnerable routers that were reaching end-of-life status, to avoid detection during attacks on communication, energy, transportation, and water sectors. CISA and the FBI issued guidance for small office/home office (SOHO) router manufacturers to secure against ongoing attacks, emphasizing automated security updates and secure web management interfaces.

The Bad | Continued String of New Ivanti Vulnerabilities Trigger First CISA Emergency Directive of 2024

In early January, we covered an ongoing exploitation of two zero-day vulnerabilities in Ivanti’s Connect Secure and Policy Secure Gateways products. In the hands of an attacker, CVE-2023-46805 and CVE-2024-21887 could allow unauthorized command-injection attacks to expose targeted systems and restricted resources. Reports linked UNC5221 operators to the exploits where the threat group were observed leveraging various backdoors, webshells, credential harvesters, and post-exploitation tools.

The latest development this week adds two more high-severity flaws found in the same Ivanti products. Tracked as CVE-2024-21888 and CVE-2024-21893, these vulnerabilities are both currently under targeted exploitation in the wild. CVE-2024-21888 enables an attacker to elevate privileges to admin-level while CVE-2024-21893 targets a server-side request forgery, allowing attackers to bypass authentication and access restricted resources.

Ivanti has said that no customers have been impacted by CVE-2024-21888 to date, but the Utah-based company has confirmed in-the-wild exploitation of CVE-2024-21893 that appears to target a limited number of customers. Ivanti urges its customers to factory reset their appliance before applying the patches to prevent attackers from establishing persistence in affected environments.

Source: Shodan

To protect U.S. federal agencies, CISA has ordered those using Ivanti Connect Secure and Policy Secure to disconnect any affected VPN appliances before Saturday, February 3, 2024. This is a required action, appended to the first emergency directive of 2024 (ED-24-01), which mandates all Federal Civilian Executive Branch (FCEB) agencies to secure their ICS and IPS devices against the Ivanti flaws.

The emergency directive highlights the continued risks posed by various vulnerable Ivanti products that have been involved in active attacks including those announced in July and August of 2023.

The Ugly | Two In-the-Wild Jenkins CI/CD Vulnerabilities Pose Risk to Over 45K Servers

Multiple proof-of-concept (PoC) exploits have surfaced for critical-level flaws in Jenkins, widely used in software development for Continuous Integration (CI) and Continuous Deployment (CD).

Security researchers have pinpointed two flaws, the first being CVE-2024-23897, which allows unauthenticated attackers with overall/read permissions to access data from arbitrary files on the Jenkins server. Should specific conditions be met, this could lead to privilege escalation as well as arbitrary remote code execution (RCE). Even those without this permission can read the initial lines of files, depending on available CLI commands.

This vulnerability stems from the CLI’s default feature automatically replacing an @ character followed by a file path with file contents. Attackers exploiting CVE-2024-23897 can read arbitrary files on the Jenkins controller’s file system, potentially compromising sensitive information based on their permissions. Based on recent scans, approximately 45,000 publicly exposed Jenkins instances remain vulnerable to CVE-2024-23897.

The second flaw, CVE-2024-23898, involves a cross-site WebSocket hijacking issue, enabling attackers to execute arbitrary CLI commands by tricking users into clicking malicious links. While Jenkins released fixes for both flaws in late January, validated PoCs are now available on GitHub that make it easier for attackers scanning exposed servers to exploit the flaws with minimal or no modification.

Jenkin’s security bulletin advises admin users that are unable to patch immediately to disable access to the CLI to prevent exploitation completely. Applying this workaround does not require a Jenkins restart, and further instructions on the process can be found in their knowledge base article.