Tag Archive for: Threat Report

May 2025 was a volcanic month for cybersecurity news, including several large breaches and new critical severity vulnerabilities. The Greenbone blog has already covered some major events, such as new actively exploited vulnerabilities in SAP Netweaver, Commvault Command Center and Ivanti EPMM. In total 4,014 new vulnerabilities were added to MITRE’s CVE (Common Vulnerabilities and Exposures) program. Greenbone added over 2,500 vulnerability tests to the Enterprise Feed, many capable of detecting multiple CVEs.

In this threat report for May 2025, we will round up some of the riskiest new CVEs disclosed this month, review a nation-state backed cyber campaign impacting tech companies around the world, and review how AI is poised to escalate cyber risk with intelligent automation at all stages of the Cyber Kill Chain.

The Inevitable AI-Enabled Attack Cycle: Hack, Rinse, Repeat

AI is now a force multiplier in the cyber attack lifecycle. Threat actors are leveraging AI in two fundamental ways: expediting the conversion of public vulnerability knowledge into exploit tools, and building more convincing social engineering content. Researchers have proposed a long list of additional capabilities that AI can further optimize, including automation of initial access attacks and command-and-control (C2) operations.

Even without AI, skilled human hackers can exfiltrate sensitive information within minutes of initial access. If significant vulnerabilities exist on the LAN side of a victim’s network, manual deployment of ransomware is trivial. In 2017, WannaCry demonstrated that ransomware attacks can be automated and wormable, i.e., capable of spreading between systems autonomously.

According to Norton’s latest Gen Threat Report, data-theft has increased 186% in Q1 2025. As discussed last month, data-theft-related class action filings have risen more than 1,265% over six years. When a victim’s cyber hygiene is non-compliant, multi-million dollar settlements are the norm. The top 10 data-breach class action settlements in 2023 totaled over 515 million dollars; the largest was a 350 million dollar settlement involving T-Mobile. This stolen data is often sold on the dark web, becoming fuel for subsequent cyber attacks. We should expect AI to reach full autonomy at all stages of the Cyber Kill Chain in the near future, resulting in a fully autonomous vicious cycle of exploitation; hack, rinse, repeat.

Russian GRU-Backed Espionage Campaign Hits Global Tech and Logistic Firms

CISA (Cybersecurity and Infrastructure Security Agency) and defense entities from nine other countries have warned of a cyber espionage-oriented campaign. The operation is being conducted by the Russian General Staff Main Intelligence Directorate (GRU), specifically the 85th Main Special Service Center (85th GTsSS), military unit 26165. The group is tracked under several aliases including the well-known FancyBear and APT28.

The full report outlines detailed Tactics, Techniques and Procedures (TTPs) leveraged in the campaign, which includes reconnaissance [TA0043], credential brute forcing [T1110.003], spearphishing to attain credentials and deliver malware [T1566], exploiting trust relationships to gain access [T1199], proxying attacks through compromised devices [T1665] and exploiting known software vulnerabilities – both for initial access [T1190] and privilege escalation [T1068]. The sheer diversity of attack techniques indicates a highly sophisticated threat.

The campaign targets a wide range of small office/home office (SOHO) devices, Microsoft Outlook, Roundcube Webmail and WinRAR, as well as undisclosed CVEs in other internet-facing infrastructure – including corporate VPNs and SQL injection flaws. Greenbone includes detection tests for all CVEs referenced in the report. Those CVEs include:

  • CVE-2023-23397 (CVSS 9.8): A privilege escalation vulnerability in Microsoft Outlook that leverages replay of captured Net-NTLMv2 hashes.
  • CVE-2020-12641 (CVSS 9.8): Allows attackers to execute arbitrary code via shell metacharacters in a Roundcube Webmail configuration setting for `im_convert_path` or `im_identify_path`.
  • CVE-2020-35730 (CVSS 5.0): An XSS flaw in Roundcube Webmail via a plain text email message, containing a JavaScript link reference.
  • CVE-2021-44026 (CVSS 9.8): An SQL injection flaw in Roundcube via search or search_params.
  • CVE-2023-38831 (CVSS 7.8): Allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.

DragonForce Ransomware Spreads its Wings

Emerging in mid-2023, DragonForce transitioned from a hacktivist collective into a financially motivated Ransomware-as-a-Service (RaaS) operation. Fast forward to 2025, and DragonForce has established itself as an apex threat in the ransomware ecosystem.

DragonForce ransomware attacks impacted the following countries:

  • United States – 43 confirmed incidents
  • United Kingdom – including recent May 2025 breaches of Marks & Spencer, Co-op and Harrods
  • Saudi Arabia – a data leak from a major Riyadh construction firm
  • Australia – e.g., Yakult Australia
  • Singapore – Coca-Cola operations
  • Palau – a government breach in March 2024
  • Canada – among the top five most attacked nations
  • India – has faced increased targeting, particularly in the past month

Campaigns have included exploitation of SimpleHelp remote monitoring and management (RMM) [1], Confluence Server and Data Center [2], Log4Shell (aka Log4J), Microsoft Windows vulnerabilities, as well as various flaws in Ivanti products [3]. Greenbone provides multiple active check and version detection tests for all CVEs identified in DragonForce campaigns.

DragonForce has been observed exploiting:

In line with the attack trajectory of other prominent ransomware actors, DragonForce is known to use techniques beyond exploiting public-facing vulnerabilities: phishing emails, credential theft, brute-force and credential-stuffing attacks on exposed services, and remote monitoring and management (RMM) tools like AnyDesk, Atera and TeamViewer for persistence and lateral movement. Therefore, organizations need comprehensive cybersecurity programs that include user awareness training to prevent social engineering attacks and regular penetration testing to simulate real-world adversarial activity.

CVE-2025-32756: Stack-Based Buffer Overflow Vulnerability in Multiple Fortinet Products

CVE-2025-32756 (CVSS 9.8), published on May 13, 2025, is a critical severity stack-based buffer overflow vulnerability [CWE-121] affecting multiple Fortinet products. It allows remote, unauthenticated attackers to execute arbitrary code via a crafted HTTP cookie. The flaw is being actively exploited in the wild – primarily against FortiVoice systems – and is linked to attacks involving malware deployment, credential theft using cron jobs, and network reconnaissance. Proof-of-concept details are publicly available, and a full technical analysis has been published, increasing the risk factor.

Fortinet flaws have a historically high conversion rate for use in ransomware attacks. A total of 18 vulnerabilities in Fortinet products have been added to CISA Known Exploited Vulnerabilities (KEV) list since late 2021 – 11 of these are known to be leveraged by ransomware operators. In addition to CISA, several other national CERT entities have issued alerts, including CERT-EU, the Centre for Cybersecurity Belgium (CCB), and Germany’s CERT-BUND.

The root cause is a missing length check in the `cookieval_unwrap()` function of libhttputil.so. A malicious AuthHash cookie can induce memory corruption to control the return memory address, allowing an attacker to hijack execution flow at the process level. Greenbone Enterprise Feed provides a vulnerability test to detect affected products and almost 1,000 other tests for detecting other vulnerabilities in Fortinet products.

CVE-2025-32756 affects dozens of firmware versions across multiple Fortinet products, including:

  • FortiVoice (6.4.0 – 7.2.0)
  • FortiMail (7.0.0 – 7.6.2)
  • FortiNDR (1.1 – 7.6.0)
  • FortiRecorder (6.4.0 – 7.2.3)
  • all versions of FortiCamera 1.1 and 2.0 as well as 2.1.0 – 2.1.3

Fortinet advises upgrading to the latest fixed versions immediately. If patching is not feasible, users should disable the HTTP/HTTPS administrative interface to prevent successful attacks.

Trio of SysAid Flaws Now Have CVEs and Public PoC

In May, three critical-severity vulnerabilities were disclosed affecting the on-premises SysAid IT Service Management (ITSM) platform. These flaws can be chained, allowing unauthenticated Remote Code Execution (RCE). Full technical details and a Proof-of-Concept (PoC) exploit were published by watchTowr. Also, considering that SysAid vulnerabilities have been targeted by ransomware operators in the past, these flaws are especially high risk.

CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777 (each CVSS 9.3) are unauthenticated XML External Entity (XXE) [CWE-611] vulnerabilities, found in the Checkin, Server URL and lshw functions respectively. All allow admin account takeover and arbitrary file read on the victim’s system. SysAid On-Prem versions ≤ 23.3.40 are affected. Notably, the flaws were patched by the vendor in March, but CVE IDs were not reserved or issued. This type of scenario contributes to a less transparent threat landscape for software users, reducing visibility and complicating operational vulnerability management. Greenbone offers detection tests for all aforementioned CVEs.

SysAid has a global presence of over 10,000 customers across 140 countries, including organizations such as Coca-Cola, Panasonic, Adobe, and LG. While it holds a smaller share of the ITSM market compared to larger competitors like ServiceNow or Jira Service Management, it remains a popular solution for mid-sized businesses.

A CVSS 10 in Cisco IOS XE Wireless Controller

CVE-2025-20188 is a new critical-severity (CVSS 10) vulnerability disclosed in May 2025. It affects Cisco’s flagship platform, the Catalyst 9800 Series. Although not known to be actively exploited yet, a full technical walkthrough is now available, which will provide less sophisticated threat actors with a head start.

The root cause of the vulnerability is a hard-coded JSON Web Token (JWT) secret, which could allow an attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges via a specially crafted HTTP request. Specifically, a hardcoded fallback secret – the string `notfound` – is used to verify the authenticity of a JWT if `/tmp/nginx_jwt_key` is not present.

Although this key file is generated at certain points, such as when an administrator logs into the management console, it may be absent at others, such as immediately after a device reboot or service start.

Crucially, the flaw does not affect all HTTP endpoints – it is limited to the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for WLAN Controllers (WLCs). While Cisco’s advisory claims this service is not enabled by default, Horizon3.ai researchers found that it was. Therefore, while there are several conditions affecting the exploitability of CVE-2025-20188, if those conditions are present, exploitation is trivial – and likely affects many organizations.
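The verification pattern behind CVE-2025-20188 can be reproduced in miniature. The following is an added example, not Cisco code, that models an HS256 JWT check in two forms: a weak verifier that silently falls back to the hard-coded secret named above when the key file is missing, and a fail-closed verifier that rejects every token until real key material exists. The key path, the claims and the `demo()` helper are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile

# Constructed example: the fallback string is the one named in the advisory
# write-up; everything else (paths, claims, helper names) is assumed.
FALLBACK_SECRET = b"notfound"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a minimal HS256 JWT; only used to produce inputs for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def _verify_with(token: str, secret: bytes):
    """Return the claims if the HMAC matches under `secret`, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def load_key(key_path: str):
    """Read the signing key from disk; None when the file does not exist yet."""
    if not os.path.exists(key_path):
        return None
    with open(key_path, "rb") as fh:
        return fh.read()


def verify_vulnerable(token: str, key_path: str):
    """Weak pattern: a missing key file downgrades to a publicly known constant."""
    secret = load_key(key_path) or FALLBACK_SECRET
    return _verify_with(token, secret)


def verify_hardened(token: str, key_path: str):
    """Fail closed: with no key material, no token can be accepted at all."""
    secret = load_key(key_path)
    if not secret:
        return None
    return _verify_with(token, secret)


def demo() -> dict:
    """Exercise both verifiers before and after the key file exists."""
    key_path = os.path.join(tempfile.mkdtemp(), "nginx_jwt_key")  # stands in for /tmp/nginx_jwt_key
    fallback_token = sign_hs256({"sub": "anyone"}, FALLBACK_SECRET)
    results = {
        # Right after "reboot": no key file, so the weak verifier trusts the fallback.
        "vulnerable_accepts_without_key": verify_vulnerable(fallback_token, key_path) is not None,
        "hardened_rejects_without_key": verify_hardened(fallback_token, key_path) is None,
    }
    real_key = os.urandom(32)  # what a proper login-time key generation would write
    with open(key_path, "wb") as fh:
        fh.write(real_key)
    good_token = sign_hs256({"sub": "admin"}, real_key)
    results["hardened_accepts_real_key"] = verify_hardened(good_token, key_path) == {"sub": "admin"}
    results["fallback_rejected_once_key_exists"] = verify_vulnerable(fallback_token, key_path) is None
    return results
```

The `demo()` results show why the window between reboot and first admin login matters: the weak verifier is only safe once the key file has been written, while the hardened one never depends on that timing.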

Cisco has released an advisory which recommends that affected users either upgrade to the patched version, or disable the Out-of-Band AP Image Download feature. Greenbone Enterprise Feed includes a version detection test for identifying affected devices and verifying patch level.

Summary

May 2025 delivered a surge of critical vulnerabilities, major breaches and escalating nation-state activity. It’s important to keep in mind that AI-enhanced attack cycles are destined to become a reality – the chaotic and urgent cybersecurity landscape shows no sign of easing any time soon.

New actively exploited flaws in Cisco, Fortinet, and SysAid products force organizations to maintain vigilant, continuous detection efforts, followed by prioritization and mitigation.

Greenbone’s Enterprise coverage helps security teams see the vulnerabilities that threat actors can exploit, so they can stay ahead in a fast-moving threat landscape.

In the early days of digital, hacking was often fame or prank driven. Fast forward to 2025; hacking has been widely monetized for illicit gains. Cybercrime is predicted to cost the global economy 10.5 trillion dollars in 2025. Globally, the trend of increasing geocriminality is pushing individual countries and entire economic regions [1][2] to make deeper commitments to cyber defenses. An accelerating threat environment underscores the urgency for proactive, well-funded cybersecurity strategies across all sectors, in all regions of the world.

The continuous deluge of critical vulnerabilities, novel attack techniques, active ransomware and espionage campaigns signals the need for comprehensive cybersecurity measures to prevent the most catastrophic consequences. In this month’s threat report, we will review the most pressing threats from the cybersecurity landscape that emerged in April 2025. Without further ado, let’s get started!

Considering the Consequences

Dire consequences loom for those unprepared to weather sophisticated cyber attacks. Ransomware is widely considered the biggest existential cyber threat to business, but data breach lawsuits are escalating dramatically. Breach-related class action filings have risen more than 1,265% over six years, with filings in the U.S. more than doubling from 604 in 2022 to 1,320 in 2023. Robust backups can help a victim escape paying ransom, and a well-executed incident response plan may minimize downtime, but breach victims have little recourse from costs related to regulatory or legal action.

Equifax’s 2019 settlements are the highest in history for a cybersecurity-related incident – with a total cost estimated at 1.5 billion dollars. Failure to patch CVE-2017-5638 in Apache Struts was implicated as the root cause of the breach. In April 2025, U.S. defense contractor Raytheon agreed to pay an 8.5 million dollar settlement for failing to implement required security measures for 29 of their Department of Defense (DoD) contracts.

Healthcare providers are especially hard-hit because personal healthcare information fetches roughly 1,000 dollars per record on darkweb marketplaces, compared to 5 dollars per record for payment card data, whose fraudulent use is more easily detected. In 2023, the U.S. healthcare sector reported 725 data breaches, exposing over 133 million records. Most recently, on April 23, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a 600,000 dollar settlement with PIH Health, Inc. due to inadequate technical safeguards. However, legal consequences for cyber breaches are impacting organizations across all industries. Data breach-related securities class actions have also seen substantial settlements, with three of the top ten largest settlements occurring in 2024, totaling 560 million dollars.

Considering the consequences, organizations should carefully assess their posture to cyber hygiene, paying special attention to core IT security best practices such as implementing multi-factor authentication (MFA), vulnerability management and network segmentation.

Verizon: Increase in Exploited Vulnerabilities for Initial Access

Verizon’s 2025 Data Breach Investigations Report (DBIR), released in April, reported a 34% increase in exploited vulnerabilities (CVEs) as a root cause of cyberbreaches occurring between October 2023 and December 2024. Exploited vulnerabilities served as the initial access vector in 20% of the data breaches studied. While the report indicates that ransom payments are down – 64% of victim organizations did not pay the ransom, compared to 50% two years ago – the rate of ransomware attacks increased by 37%.

Edge devices and VPNs accounted for 22% of exploitation actions – a sharp rise from just 3% the year before. Despite the growing threat, organizations fully remediated only about 54% of these vulnerabilities, with a median time to remediation of 32 days. Furthermore, edge exploitation for initial access reached 70% in espionage-motivated breaches. This trend of edge device exploitation shows no signs of abating; proactive vulnerability management is more critical than ever to reduce exposure and limit the impact of breaches.

Newly Emerging Threats on the Edge in April 2025

The message from cyber landscape reports is clear: organizations need to be acutely aware of their publicly exposed assets. Detection and remediation of vulnerabilities is critical. Below are the highlights of emerging threat activity affecting network edge devices in April 2025. Greenbone is able to detect all emerging threats referenced below and more.

  • SonicWall SMA100 Appliances: CVE-2023-44221 (CVSS 7.2) and CVE-2021-20035 (CVSS 6.5), both OS Command Injection vulnerabilities [CWE-78], were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. In April, SonicWall also reported that Proof-of-Concept (PoC) exploits are now publicly available for another vulnerability: CVE-2024-53704 (CVSS 9.8).
  • Ivanti Connect Secure, Policy Secure, and ZTA Gateways: CVE-2025-22457 (CVSS 9.8) is a Stack-Based Buffer Overflow [CWE-121] vulnerability now being actively exploited. Google’s Mandiant threat research group attributed attacks to UNC5221, a Chinese (state sponsored) threat actor. Security firm GreyNoise also observed a 9X increase in bots scanning for exposed Connect Secure endpoints.
  • Fortinet FortiOS and FortiProxy: CVE-2025-24472 (CVSS 9.8) is an Authentication Bypass [CWE-288] flaw that could allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests. The CVE is considered actively exploited. Fortinet also detailed new exploitation activity against older critical vulnerabilities in FortiGate devices, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 (all CVSS 9.8).
  • Juniper Junos OS: CVE-2025-21590 (CVSS 6.7) is an actively exploited flaw that allows a local attacker with high privileges to compromise the integrity of the device. The flaw is classified as Improper Isolation or Compartmentalization [CWE-653]; a local attacker with access to the Juniper CLI shell can inject arbitrary code to compromise an affected device.
  • Multiple Cisco Flaws Exploited: Analysts confirmed targeted attacks against unpatched Cisco infrastructure, especially in telecom environments [1][2]. Chinese state-sponsored group Salt Typhoon continues to exploit CVE-2018-0171 (CVSS 9.8), a Smart Install RCE, and CVE-2023-20198 (CVSS 10), a Web UI privilege escalation.
  • DrayTek Routers: Three CVEs have been observed in exploitation campaigns, including CVE-2020-8515 (CVSS 9.8), CVE-2021-20123 (CVSS 7.5) and CVE-2021-20124 (CVSS 7.5).
  • Microsoft Remote Desktop Gateway Service: CVE-2025-27480 is a Use After Free [CWE-416] flaw that allows an unauthorized attacker to execute code over a network. While active threats have not been observed yet, Microsoft tracks the vulnerability with an “Exploitation More Likely” status.
  • Erlang/OTP SSH has Public PoC Exploit: Multiple PoC exploits [1][2][3] are now publicly available for CVE-2025-32433 (CVSS 10), a new maximum-severity vulnerability in the Erlang/OTP SSH server. Erlang/OTP is a widely used platform for building scalable and fault-tolerant distributed systems and is in use by large technology companies such as Ericsson, Cisco, Broadcom, EMQ Technologies and Apache Software Foundation, among others.
  • Broadcom Brocade Fabric OS (FOS): CVE-2025-1976 (CVSS 6.7) is a Code Injection Vulnerability [CWE-94] both disclosed and actively exploited in April. FOS is a specialized firmware designed for managing Fibre Channel switches within Storage Area Networks (SANs). The flaw allows a local user with administrative privileges to execute arbitrary code with full root privileges.

New Windows Common Log File System Flaw Used in Ransomware Attacks

A new high severity vulnerability, CVE-2025-29824 (CVSS 7.8), identified in the Microsoft Windows Common Log File System (CLFS) driver allows local authenticated attackers to escalate privileges to SYSTEM level access. Furthermore, the vulnerability is being exploited globally in ransomware attacks [1][2], particularly by Storm-2460, to deploy PipeMagic malware payloads.

The Windows CLFS driver has a series of critical privilege escalation vulnerabilities that span multiple years and versions making it a persistent high-value target for attackers. Eight CVEs from 2019 through 2025 have been cataloged in the CISA KEV list with at least four – CVE-2023-28252, CVE-2023-23376, CVE-2022-24521 and CVE-2025-29824 mentioned above – known to be leveraged in ransomware campaigns.

Due to active exploitation of critical vulnerabilities in Microsoft products, it’s essential for organizations to verify that the latest Microsoft security updates have been applied across their IT infrastructure and monitor systems for Indicators of Compromise (IoC). Greenbone can detect vulnerability to all CLFS CVEs mentioned above and missing patch-levels for Microsoft Windows 10 (32-bit & x64), Windows 11 (x64) and Windows Server 2012–2025 endpoints via authenticated Local Security Checks (LSC).

Remote Code Execution Flaw Impacts Craft CMS

CVE-2025-32432 (CVSS 10) is a high impact Remote Code Execution (RCE) vulnerability in Craft CMS (Content Management System) that is considered trivial to exploit. Craft CMS is a website creation framework built on top of the Yii PHP framework. The CVE was reported by Orange Cyberdefense’s CSIRT who discovered it during an incident response. The flaw has been exploited in the wild. Also, technical details and PoC exploits [1][2] including a Metasploit module are publicly available, greatly increasing the threat. Craft CMS is used by prominent organizations including The New York Times, Amazon, Intel, Tesla, NBC, Bloomberg and JPMorgan Chase for creating custom e-commerce and content-driven websites.

Greenbone is able to detect web applications vulnerable to CVE-2025-32432 with an active check that sends a specially crafted POST request and analyzes the response. Craft CMS versions 3.x through 3.9.14, 4.x through 4.14.14, and 5.x through 5.6.16 are affected and users should upgrade to a patched version as soon as possible. If upgrade is not possible the vendor proposes implementing firewall rules to block POST requests to the `actions/assets/generate-transform` endpoint or installing the Craft CMS Security Patches library.

Dueling CVEs in CrushFTP Leveraged by Ransomware

CVE-2025-31161 (CVSS 9.8) poses a severe threat to CrushFTP users. The flaw is an authentication bypass vulnerability [CWE-287] in the HTTP Authorization header that allows remote unauthenticated attackers to authenticate as any existing user account (e.g., crushadmin). The flaw is being leveraged by the Kill threat actor among others in ongoing ransomware attacks.

CVE-2025-31161 affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vendor has released an advisory with updated instructions. Greenbone is able to detect CVE-2025-31161 with both an active check, and a version detection test.

Initially, this vulnerability was tracked with another identifier (CVE-2025-2825). A third-party CNA published it before CrushFTP had the opportunity to assess the details. The premature disclosure forced CrushFTP to respond publicly before they had developed a patch. This incident highlights a significant risk: because CrushFTP was not a CVE Numbering Authority (CNA), it lacked the authority to assign CVE identifiers to its own products. Instead, CrushFTP needed to rely on the third-party researchers who discovered the flaw to manage CVE disclosure.

In the CVE Program, a CNA can define its scope such that it may assign CVE IDs to vulnerabilities affecting its own products and restrict other parties from doing so. If an application’s vendor is a registered CNA, third-party security researchers must disclose their findings to the vendor directly, allowing more control over the timeline of events and a more strategic disclosure. Considering the risks, software vendors should consider becoming a registered CNA with MITRE’s CVE program.

Summary

April 2025 highlighted ongoing threats from edge device vulnerabilities, ransomware activity and newly exploited flaws in widely used software like Craft CMS, Microsoft CLFS and CrushFTP. These developments reinforce the need for organizations to maintain visibility over exposed assets, apply timely patches and stay vigilant against emerging threats that can escalate quickly from initial access to full compromise.

The world may be entering into a new phase of cyber, and a new technological paradigm. So-called “industry leading” or “enterprise grade” software is perpetually shown to be vulnerable with new critical vulnerabilities exposed and evidence of active exploitation on a weekly basis. Fancy new features keep us engaged but, considering the risk of fast-moving technologies, it’s important to work with organizations that keep things simple, stick to their core competencies and do things right.

In the November 2024 edition of the Greenbone vulnerability report, we examine some recently released reports from the BSI and CISA to see what government cybersecurity agencies make of the current threat environment, then we follow up with news of the most pressing and actively exploited vulnerabilities of this month. Considering the high degree of risk presented by the current landscape of cybersecurity threats, it’s important to prioritize the fundamentals of IT security – and software design – to avoid building operations on a proverbial house of cards.

BSI Releases Its Annual IT Security Summary for 2024

Policy in the EU continues to rapidly evolve in response to increasing cyber risk. Cybersecurity for all requires cross-border cooperation on many levels. According to the 2024 summary report, the German Federal Office for Information Security (BSI) is focused on harmonizing national specifications with cybersecurity best practices while considering the economic and technical feasibility of new measures. Referred to as the “Europeanisation of Cybersecurity”, European standardisation and Germany’s collaboration with the three European Standardisation Organisations CEN, CENELEC and ETSI promote a risk-based approach to enforcing security best practices among critical infrastructure and providers of virtually all digital products.

Regarding the Cyber Resilience Act (CRA), each member state will have authority to remove non-compliant products from the market and penalise offending vendors. “Important products” (Class I), such as password managers and routers, must follow harmonised European standards (hEN). Regarding NIS2, the BSI received 726 reports representing 141 incidents from critical infrastructure facilities so far in 2024. This includes sectors like healthcare, energy, water, food, IT and telecommunications, financial and insurance services, among others.

The BSI also observed an overall increase in new malware variants and a 256% increase in malware exploiting Windows. The full report relays trends in attacker behaviors such as an increase in Bring Your Own Vulnerable Driver (BYOVD) attacks capable of disabling EDR security products. There were also ongoing efforts to sinkhole botnets that contribute to mass exploitation attacks at scale, and the continuing fragmentation of cybercrime activities into initial access brokering and second-stage ransomware groups.

How do these observations pertain to Greenbone and vulnerability management in general? While effective vulnerability management and compliance auditing are only one piece of the enterprise cybersecurity puzzle, closing known security gaps and regularly attesting strong security configurations is a critical core competency that all organizations need to master.

CISA’s Most Exploited Vulnerabilities of 2023 Are Revealing

The 2023 Top Routinely Exploited Vulnerabilities report from the Cybersecurity & Infrastructure Security Agency (CISA) observed an increase in exploited zero-day vulnerabilities compared to 2022 and their use in attacks on high-priority targets. Other than zero-days, the report lists the top 47 CVEs (Common Vulnerabilities and Exposures) exploited by attackers. Networking (40%) and productivity software (34%) make up the vast majority of highly targeted CVEs. There is also a strong trend in the type of software flaws most exploited. Mishandling untrusted input accounts for 38% of the most attacked software flaws, while improper authentication and authorization make up 34%. Sadly, considerations for securing these flaws are elementary, covered in application design 101. Also, 90% of the top exploited vulnerabilities in the report are in closed source proprietary products indicating that cyber criminals are not hindered by reverse engineering barriers.

While the EU is motivated to improve security via legal requirements, CISA continues its plea for software vendors to employ Secure by Design principles during development stages. They also suggest that more pay-to-hack bug bounty programs could incentivize ethical security researchers.

Multiple Critical Flaws in Palo Alto Products Attacked

On November 8, 2024, Palo Alto Networks issued a security advisory revealing a zero-day remote code execution (RCE) vulnerability affecting its PAN-OS operating system. The advisory was soon updated after evidence of active exploitation emerged. Here is a summary of new vulnerabilities in Palo Alto products disclosed in November 2024.

  • CVE-2024-0012 (CVSS 9.8 High): An authentication bypass in PAN-OS allows unauthenticated access to administrator privileges. Attackers may perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.
  • CVE-2024-9474 (CVSS 7.2 High): A privilege escalation vulnerability in PAN-OS software allows PAN-OS administrators to perform actions on the firewall with root privileges.
  • CVE-2024-9463 (CVSS 7.5 High): An OS command injection vulnerability in Expedition allows an unauthenticated attacker to run arbitrary OS commands as root. This allows unauthorized disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1 High): SQL injection could allow an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations and device API keys, or create and read arbitrary files on the Expedition system.
  • CVE-2024-5910 (CVSS 9.8 High): Missing authentication for a critical function in Expedition can lead to admin account takeover remotely and expose configuration secrets, credentials and other data.

Greenbone is able to detect all new CVEs published for Palo Alto devices in November 2024. Ideally, ensure network management interfaces are not accessible via the public Internet and, as a best practice, use firewall configuration to prevent access from unauthorized internal network endpoints.

US Critical Telecom Infrastructure Breached

The recent breaches involving major US telecom providers serve as a stark warning to all organizations operating complex IT infrastructure at scale. Blame has been laid on Chinese-backed hacking groups who reportedly used the access to intercept U.S. political officials’ calls and SMS text messages and to collect mobile metadata. According to Adam Meyers, vice president of intelligence at CrowdStrike, by compromising the telecoms directly, threat actors circumvent the need for breaching the individual networks of their targets. Considering the sheer number of critical vulnerabilities in products from US networking vendors such as Palo Alto Networks, Oracle, Cisco, Citrix, Ivanti, Broadcom, Microsoft and Fortinet, more intensive application security testing would greatly reduce the risk to their core customers – US companies at home and abroad, and other large global firms.

Liminal Panda, Salt Typhoon, Volt Typhoon and others are known to attack “shadow IT”: legacy mobile protocols that IT administrators are not aware are still active, or are not actively monitoring. Sophisticated, highly skilled APT actors are highly adaptable and have the resources to develop malware for virtually any known exploitable vulnerability, as well as to actively develop exploits for zero-day vulnerabilities that are not yet publicly known.

5 Privilege Escalation Flaws Found in Ubuntu’s Needrestart

A flaw in Ubuntu’s Needrestart feature could allow an unprivileged local attacker to execute shell commands as the root user. The new CVEs impact all versions of Needrestart going back to 2014. Needrestart, which is invoked by the apt package manager, determines whether any processes need to be restarted after system-wide packages are updated, avoiding a full reboot. The vulnerabilities are caused when untrusted data, such as environment variables, is passed unsanitized to the Module::ScanDeps library, which executes as root. These user-controlled environment variables can also influence the Python and Ruby interpreters during Needrestart’s execution.

The vulnerabilities can be mitigated by updating Needrestart to a patched version or by disabling the interpreter scanning feature by setting $nrconf{interpscan} = 0 in the needrestart.conf configuration file. Greenbone includes detection for all CVEs related to the Needrestart feature [1][2][3].

Here is a brief description of the newly disclosed CVEs:

  • CVE-2024-11003 (CVSS 7.8 High): Unsanitized data passed to the Module::ScanDeps library could allow a local attacker to execute arbitrary shell commands.
  • CVE-2024-10224 (CVSS 5.3): Unsanitized input passed to the Module::ScanDeps library allows execution of arbitrary shell commands by opening a “pesky pipe” (such as passing “commands|” as a filename) or by passing arbitrary strings to eval().
  • CVE-2024-48990 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking Needrestart into running the Python interpreter via the PYTHONPATH environment variable.
  • CVE-2024-48991 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by winning a race condition and pointing Needrestart to a fake Python interpreter instead of the system’s real Python interpreter.
  • CVE-2024-48992 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking Needrestart into running the Ruby interpreter via the RUBYLIB environment variable.
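As an added example (not code from Greenbone or the Needrestart project), the POSIX shell functions below audit a needrestart.conf for the $nrconf{interpscan} = 0 mitigation described above and apply it where it is missing. The default path /etc/needrestart/needrestart.conf and the textual parsing of the Perl-syntax file (last assignment wins, as when Perl evaluates it) are assumptions.

```shell
#!/bin/sh
# Added example, not Greenbone's or the Needrestart project's own code.
# needrestart.conf is Perl syntax; the mitigation line looks like:
#     $nrconf{interpscan} = 0;
# Parsing is textual (an assumption): comments are stripped and the last
# assignment to $nrconf{interpscan} wins, as it would when Perl runs the file.

# Returns 0 if interpreter scanning is disabled, 1 if enabled or unset
# (Needrestart's default is enabled), 2 if the file cannot be read.
interpscan_status() {
    conf="$1"
    [ -r "$conf" ] || return 2
    val=$(sed -e 's/#.*$//' "$conf" \
        | grep -E '^[[:space:]]*\$nrconf\{interpscan\}[[:space:]]*=' \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*([0-9]+).*/\1/')
    [ "$val" = "0" ]
}

# Appends the mitigation unless scanning is already disabled. A later
# assignment overrides an earlier "= 1", so appending is sufficient.
disable_interpscan() {
    conf="$1"
    rc=0; interpscan_status "$conf" || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"   # already disabled (0) or unreadable (2)
    printf '\n# Mitigation for the Needrestart interpreter-scanning CVEs\n$nrconf{interpscan} = 0;\n' >> "$conf"
}

# Human-readable report; the default path is an assumption for Debian/Ubuntu.
report_interpscan() {
    conf="${1:-/etc/needrestart/needrestart.conf}"
    rc=0; interpscan_status "$conf" || rc=$?
    case "$rc" in
        0) echo "$conf: interpreter scanning disabled (mitigated)" ;;
        1) echo "$conf: interpreter scanning ENABLED - patch Needrestart or set \$nrconf{interpscan} = 0" ;;
        *) echo "$conf: cannot read configuration" ;;
    esac
    return "$rc"
}
```

Disabling interpreter scanning is a workaround only; the fully patched package remains the proper fix.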

Is Third Time the Charm for VMware vCenter Critical RCE Flaws?

VMware has been grappling with the challenge of effectively patching critical vulnerabilities in its vCenter Server products. Broadcom, which owns VMware, initially released patches in September for two significant vulnerabilities in vCenter: CVE-2024-38812 (CVSS 9.8 High), a heap overflow in the implementation of the DCERPC protocol, and CVE-2024-38813 (CVSS 9.8 High), a privilege escalation via specially crafted network packets.

However, these initial patches were insufficient, prompting a second round of patches in October. Despite these efforts, it was confirmed in November that the products were still vulnerable and that the flaws had been exploited in the wild. vCenter is a prime target for attackers due to its widespread use, and the situation highlights ongoing security challenges. VMware users should apply patches promptly. When CVEs such as these in VMware vCenter are updated with new information, Greenbone’s team of security analysts reviews the changes and updates our vulnerability tests accordingly.

Helldown Ransomware Exploiting Zyxel and Its Customers

In November 2024, a Linux variant of the Helldown ransomware payload was discovered. Helldown is known to exploit the IPSec VPN of Zyxel devices via CVE-2024-42057 (CVSS 8.1 High) for initial access. After gaining a foothold, Helldown steals any accessible credentials and creates new users and VPN tunnels to maintain persistence. The new variant targets VMware ESXi virtual machines, exfiltrating their data and then encrypting them. This technique is shared with other ransomware groups such as the Play gang.

The Helldown ransomware group is considered an emerging threat, claiming over 30 victims since August, including Zyxel itself, the maker of the targeted products. Zyxel has issued an article acknowledging the attacks with mitigation instructions, and Truesec has published known Helldown TTPs (Tactics, Techniques and Procedures) from their response efforts. Greenbone is able to detect all vulnerabilities known to be associated with Helldown ransomware attacks, including CVE-2024-42057 in Zyxel products [1][2][3], as well as known software vulnerabilities used by other ransomware threat actors to gain initial access, escalate privileges and move laterally to high-value targets within the victim’s network.

Summary

From EU policy advancements to CISA’s insights on exploited vulnerabilities, the critical need for better software development practices, effective vulnerability management and defense in depth is evident. November’s events, such as Palo Alto’s zero-days, Ubuntu’s Needrestart flaws and VMware vCenter’s ongoing challenges, emphasize the importance of timely monitoring and patching of critical infrastructure. Emerging threats like Helldown ransomware reinforce the need for proactive defense strategies. Greenbone continues to support organizations by detecting critical vulnerabilities, providing actionable insights and advocating for a security-first approach grounded in fundamental IT security best practices.