Weekly Cyber News Roundup

January 15th to January 19th 2024

Contents

01. News Bites

  • Two Ivanti zero days now being exploited en masse

  • Anonymous Sudan claims it launched cyber attacks on London Internet Exchange in retaliation for UK and US airstrikes on Houthi targets

  • Majorca's Calvià City Council hit by ransomware attack, rejects €10 million ransom demand

  • Google patches critical Chrome zero-day exploit CVE-2024-0519

  • Citrix issues urgent patch alert for NetScaler ADC and Gateway appliances due to two actively exploited zero-day vulnerabilities

02. Conclusion

Quick News Bites

Two Ivanti zero days now being exploited en masse

Two zero-day vulnerabilities in Ivanti's Connect Secure VPN and Policy Secure network access control appliances are now being exploited on a large scale. These vulnerabilities, identified as CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection flaw), have been used in attacks since December, with widespread incidents starting January 11th. Victims span the globe, including small businesses and major organisations in various industries.

Cyber security researchers have issued a warning, stating that the victims of these attacks are diverse and global, ranging from small businesses to some of the largest organisations in the world, including multiple Fortune 500 companies across various industries.

Ivanti has not yet released patches for these vulnerabilities, prompting admins to apply the vendor-provided mitigation measures to all ICS (Ivanti Connect Secure) VPNs in their networks. However, Ivanti has said patches will be made available the week of January 22nd. Ivanti's Integrity Checker Tool is recommended to identify potential breaches, and any data on compromised appliances should be considered breached.

Anonymous Sudan claims it launched cyber attacks on London Internet Exchange in retaliation for UK and US airstrikes on Houthi Targets

The Russian-linked hacktivist group Anonymous Sudan claimed that it had launched a cyber attack against the London Internet Exchange (LINX).

The group alleges that its attack was in retaliation against the UK's support for Israel and recent air strikes on Yemen. Anonymous Sudan has further threatened a significant cyber attack against the UK in the near future.

The claim emerged on January 12th through the group's Telegram channel. However, the authenticity of the claim remains unconfirmed. LINX's website remained operational during the alleged attack period, casting doubt on the group's assertions.

Anonymous Sudan is notorious for its DDoS attacks against entities it perceives as anti-Russian or anti-Muslim. Its targets have included airlines, government institutions, banks, large corporations, airports, and telecommunications companies, with attacks occurring almost weekly.

Majorca's Calvià City Council Hit by Ransomware Attack, Rejects €10 Million Ransom Demand

The Calvià City Council in Majorca, a popular tourist destination with a population of 50,000, was hit by a ransomware attack on Saturday, severely affecting its municipal services.

Known for attracting around 1.6 million tourists annually, Calvià faced significant disruption when its systems were compromised. In response, the council formed a crisis committee to assess the damage and develop a strategy to mitigate the impact.

The council announced its efforts to restore normality following the cyber attack, which aimed to extort the council through ransomware. Mayor Juan Antonio Amengual revealed that IT specialists are conducting a forensic analysis to determine the extent of the breach and to recover the affected systems.

The attack has led to the suspension of all administrative deadlines for submissions until January 31, 2024.

While apologising for the inconvenience and assuring continued telephone and face-to-face communication, the council has not identified the perpetrators. Local media reported a ransom demand of €10 million (approximately $11 million), but Mayor Amengual firmly stated that the municipality would not pay the ransom.

This incident highlights the threat of ransomware, the vulnerability of small councils and the potential for significant disruptions to essential services and operations.

Google Patches Critical Chrome Zero-Day Exploit CVE-2024-0519

Google has patched a critical and actively exploited Chrome zero-day vulnerability, marking the first such exploit discovered in 2024. The company issued a security advisory acknowledging the existence of the exploit for CVE-2024-0519. This high-severity flaw, found in the Chrome V8 JavaScript engine, allows out-of-bounds memory access, potentially leading to data breaches or system crashes.

Updated versions of Chrome for Windows (120.0.6099.224/225), Mac (120.0.6099.234), and Linux (120.0.6099.224) were released swiftly, less than a week after the issue was reported.

Chrome users can expect automatic updates or can manually initiate the update process. The vulnerability is classed by MITRE as an out-of-bounds memory access weakness, which can lead to unauthorised data access or segmentation faults.
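Because the fix is tied to specific build numbers per platform, the practical check for an admin is whether each endpoint's installed build is at or above the patched one. The script below is an added example (not from the roundup, Google or Integrity360) that does that comparison over a constructed endpoint inventory; it uses the fixed versions quoted above and assumes the installed version is reported as a four-part dotted string, as chrome://version shows it. It also shows why the comparison must be numeric: compared as strings, "120.0.6099.99" would sort above "120.0.6099.224" and an unpatched build would wrongly pass.

```python
"""Flag Chrome installs still below the CVE-2024-0519 fixed build.

Added example; the fixed version numbers are the ones stated in Google's
advisory as quoted in the roundup, the inventory is constructed.
"""
from typing import Iterable, List, Tuple

# Minimum fixed build per platform. Windows shipped as .224/.225, so
# .224 is the lower bound and anything at or above it is patched.
FIXED_VERSIONS = {
    "windows": "120.0.6099.224",
    "mac": "120.0.6099.234",
    "linux": "120.0.6099.224",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '120.0.6099.224' into (120, 0, 6099, 224).

    Tuples of ints compare numerically; comparing the raw strings
    would put '120.0.6099.99' above '120.0.6099.224', which is wrong.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """True if `installed` is at or above the fixed build for `platform`."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[key])


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose Chrome build is still below the fix.

    `inventory` yields (hostname, platform, installed_version) tuples, as an
    endpoint management export might (assumed format, constructed below).
    """
    return [host for host, plat, ver in inventory if not is_patched(plat, ver)]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "120.0.6099.225"),  # the .225 Windows build, patched
    ("ws-02", "windows", "120.0.6099.217"),  # older build, needs the update
    ("mac-01", "mac", "120.0.6099.234"),     # exactly the fixed build, patched
    ("srv-01", "linux", "120.0.6099.99"),    # string comparison would pass this wrongly
    ("ws-03", "windows", "121.0.0.0"),       # constructed later major release, patched
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome build is below the CVE-2024-0519 fix")
```

Running it lists ws-02 and srv-01 as the two endpoints still to update; a real run would replace SAMPLE_INVENTORY with the export from whatever endpoint tool holds installed-software data.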

Google has not disclosed details of the attacks exploiting this vulnerability, opting to restrict access to bug details until most users receive the fix. This approach also applies if the bug is present in third-party libraries used by other projects.

In addition to CVE-2024-0519, Google fixed other vulnerabilities in the V8 engine, including an out-of-bounds write (CVE-2024-0517) and type confusion (CVE-2024-0518) flaws, both of which could allow arbitrary code execution on compromised systems.

Citrix issues urgent patch alert for NetScaler ADC and Gateway appliances due to two actively exploited zero-day vulnerabilities

Citrix has issued a critical alert to its customers, urging immediate patching of NetScaler ADC and Gateway appliances against two actively exploited zero-day vulnerabilities, CVE-2023-6548 and CVE-2023-6549. These vulnerabilities pose serious risks, including remote code execution and denial-of-service attacks, primarily affecting the NetScaler management interface.

To exploit the code execution vulnerability, attackers require access to a low-privilege account and to a management interface such as the NetScaler IP (NSIP), Cluster IP (CLIP) or Subnet IP (SNIP). Appliances are vulnerable to DoS attacks when configured as a gateway or an AAA virtual server. The vulnerabilities impact customer-managed NetScaler appliances but do not affect Citrix-managed cloud services or Adaptive Authentication.

Over 1,500 NetScaler interfaces are currently exposed online. Citrix's security advisory emphasises the urgency of patching these appliances to thwart potential attacks. The company has observed exploits on unmitigated devices and advises customers to update to the latest versions immediately.

For those using the end-of-life NetScaler ADC and Gateway version 12.1, upgrading to a supported version is recommended.

In the interim, Citrix advises admins to block network traffic to vulnerable instances and to ensure they are not exposed online. The company strongly recommends physically or logically separating traffic to the appliance's management interface from normal traffic and advises against exposing the management interface to the internet, as detailed in its secure deployment guide.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
