Threat Intel Roundup: RocketMQ, APT-C-36, FortiGate
Data Breach at Federal Board of Intermediate and Secondary Education, 800 Gbps DDoS Attack, VulnCheck Identifies Remote Command Injection in Contec SolarView
RocketMQ Remote Command Execution: RocketMQ versions 5.1.0 and below are vulnerable to remote command execution due to certain conditions. This vulnerability affects multiple components, including NameServer, Broker, and Controller, which are exposed on the extranet without permission verification. Exploiting this flaw, an attacker can leverage the update configuration function to execute commands as the system users running RocketMQ. Additionally, the attacker can achieve the same effect by forging the RocketMQ protocol content. To mitigate these attacks, users are advised to upgrade to version 5.1.1 or higher for RocketMQ 5.x or 4.9.6 or higher for RocketMQ 4.x.
Data Breach at Federal Board of Intermediate and Secondary Education: The Federal Board of Intermediate and Secondary Education experienced a data breach, with the hacker group responsible for publicly announcing their success in accessing and leaking result cards of 55,000 students. These result cards contain sensitive information, including identification photos. The group claims to possess an additional 111,000 student records.
800 Gbps DDoS Attack: An organization faced an unprecedented DDoS attack reaching a peak volume of 800 Gbps. The attack aimed to overwhelm the organization’s network infrastructure, resulting in service unavailability and significant disruption.
Operation Spalax by APT-C-36 (BlindEagle) in Colombia: APT-C-36, also known as BlindEagle, has launched Operation Spalax targeting organizations in Colombia. The operation utilizes deceptive email techniques and a series of malicious websites to infiltrate targeted networks.
VulnCheck Identifies Remote Command Injection in Contec SolarView: VulnCheck, a vulnerability detection tool, has identified a remote command injection vulnerability in the Contec SolarView series, affecting ICS (Industrial Control Systems) hardware. The vulnerability can be exploited by attackers to execute arbitrary commands on vulnerable systems.
Key Findings
it is crucial for organizations and individuals to prioritize remediation and patching efforts to safeguard their systems and data. The following key findings highlight the importance of proactive measures to mitigate risks associated with various vulnerabilities and threats:
RocketMQ: CVE-2023-33246
AFor RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .
Rewterz is a dedicated and dedicated information security company that helps companies ensure their data is safe, while giving companies a chance to get ahead while knowing that theirdata is in good hands, reports the company.s.
Risk Level: Critical
Recommended Actions:
We regret to inform you that a significant data breach has occurred within the “Federal Board of Intermediate and Secondary Education” in Pakistan. As a result, the result cards of approximately 55,000 students have been leaked on the messaging platform Telegram. This incident poses a serious threat to the privacy and security of the affected students and their personal information.
Summary of the Data Breach: A hacker group has claimed responsibility for breaching the systems of the Federal Board of Intermediate and Secondary Education. They have publicly announced their success in accessing and leaking the result cards of 55,000 students. These result cards contain sensitive information, including identification photos of the students. Furthermore, the hacker group has also claimed to possess an additional 111,000 student records.
Actions Taken and Ongoing Investigation: Upon discovering the breach, the Federal Board of Intermediate and Secondary Education immediately initiated an investigation and engaged cybersecurity experts to assess the extent of the incident. The board is working diligently to ascertain the nature and scope of the breach and to implement measures to prevent any further unauthorized access.
Recommended Actions for Affected Students and Parents:
Distributed Denial of Service (DDoS) attacks continue to pose a significant threat to organizations worldwide, aiming to disrupt online services and compromise network infrastructure. Recently, a noteworthy incident involved a staggering 800 Gbps DDoS attack, challenging the resilience and mitigation capabilities of targeted entities. In this article, we delve into the details of this incident, exploring the strategies and insights gained in successfully handling such massive DDoS attacks.
The 800 Gbps DDoS Attack: As reported by The Hacker News in a recent article (source: https://thehackernews.com/2023/07/surviving-800-gbps-storm-gain-insights.html), a prominent organization encountered an unprecedented DDoS attack reaching a peak volume of 800 Gbps. This overwhelming assault aimed to overwhelm the organization’s network infrastructure, rendering services inaccessible and causing significant disruption.
Insights and Strategies for Mitigation:
4. Incident Response and Monitoring: Establishing a well-defined incident response plan, including dedicated teams for monitoring and mitigating DDoS attacks, is crucial. Continuous monitoring of network traffic, real-time threat intelligence, and timely response can minimize the impact of attacks and ensure swift recovery.
5. Collaboration and Communication: Engaging with Internet Service Providers (ISPs) and establishing strong communication channels can be beneficial during large-scale DDoS attacks. Close collaboration allows for effective coordination in diverting traffic, blocking attack vectors, and implementing countermeasures at the network level.
A sophisticated threat group known as APT-C-36, also referred to as BlindEagle, has recently launched a targeted operation named Spalax, focusing on organizations in Colombia. This article explores the interesting tactics employed by APT-C-36 and sheds light on the operation’s key components, including malicious websites and associated payloads.
Operation Spalax: APT-C-36 Strikes Colombia The APT-C-36 group, commonly known as BlindEagle, has set its sights on Colombian organizations with Operation Spalax. This campaign aims to infiltrate target networks using a series of malicious websites and deceptive email techniques.
Phishing Emails and Malicious Websites: To gain initial access, APT-C-36 leverages phishing emails that mimic law firms or legal entities. These emails contain seemingly harmless PDF or Word attachments, accompanied by non-clickable links to malicious websites hosted on website[.]org domains. Notable examples include notificacionesjuridicasonline.otcy[.]com and notificacionesjuridicas.blog-online[.]eu.
Downloads and Infection Flow: Upon clicking the attachments, victims are directed to password-protected .uue files hosted on Discord. Subsequently, victims encounter a series of obfuscated files, including .vbs (obfuscated with Vbs-Crypter “Code”) and .ps1, ultimately leading to the download of DLL files from cryptersandtools.minhacasa[.]tv. These DLL files serve as decoys.
Final Payloads: The APT-C-36 operation culminates with the deployment of two main remote access trojans (RATs):
Cryptersandtools.minhacasa[.]tv and Associated Infrastructure: Cryptersandtools.minhacasa[.]tv serves as a potential crypter and tools service catering to different threat actors. The platform appears to operate as Malware-as-a-Service (MaaS), offering attack resources in various languages and targeting different regions worldwide.
Additionally, APT-C-36 utilizes several infrastructures associated with third-party providers, including 91.213.50[.]74/CRYPS/, 91.213.50[.]74/GREEN/, and 79.110.49[.]55/.
The APT-C-36 group’s operation, known as Spalax or BlindEagle, presents a significant threat to organizations in Colombia. With a complex infection flow involving phishing emails, malicious websites, and a variety of obfuscated files, this campaign showcases the group’s advanced capabilities. It is crucial for Colombian organizations to remain vigilant and implement robust security measures to detect and prevent such sophisticated attacks. By staying informed and adopting proactive defense strategies, organizations can mitigate the risk posed by APT-C-36 and protect their valuable assets from compromise.
https://twitter.com/1ZRR4H/status/1677439564237905921
VulnCheck detects remote command injection vulnerability in Contec SolarView series, affecting ICS hardware
The decentralized nature of blockchain technology has brought about numerous advancements in the world of finance. However, it has also given rise to new risks and vulnerabilities. In a recent incident, an unfortunate individual fell victim to a phishing scam, resulting in the loss of 104 ETH (Ethereum), currently valued at a substantial sum. This article aims to shed light on the incident and emphasize the importance of staying vigilant to protect oneself from similar scams.
The “Claim” Phishing Scam: The victim, whose transaction is documented on Etherscan (transaction link: https://etherscan.io/tx/0xbac3a8bba26504a4b6c3aaa7f1531384f6d030be8baba2a16ce3ebb3d93ee8b5), fell prey to a phishing scam that involved a deceptive “Claim” mechanism. The scammer created a fraudulent website designed to resemble a legitimate platform, enticing users to claim a reward or bonus by providing their private keys or wallet credentials. Tragically, the victim, in a moment of vulnerability or lack of awareness, unknowingly disclosed sensitive information, leading to the loss of their hard-earned cryptocurrency.
Understanding the Implications: Losing 104 ETH can have devastating financial consequences for any individual. Cryptocurrency transactions, once executed, are typically irreversible, leaving victims with little to no recourse to recover their funds. This incident highlights the ever-present threat posed by cybercriminals who exploit human vulnerabilities, employing sophisticated techniques to deceive unsuspecting users.
The unfortunate loss of 104 ETH serves as a stark reminder of the risks associated with phishing scams in the cryptocurrency realm. Safeguarding your digital assets requires continuous vigilance, staying informed, and adopting robust security practices. By arming yourself with knowledge and exercising caution, you can reduce the likelihood of falling victim to such scams and protect your hard-earned cryptocurrencies from falling into the wrong hands.
In the realm of cybersecurity, the identification and mitigation of vulnerabilities and exploits are of paramount importance. This article examines two critical vulnerabilities, CVE-2019-19781 and CVE-2022-22963, along with associated exploits involving #opendir hosting, #mimikatz, #metasploit, #LinPEAS, #powerup, and #sharpire. Additionally, we will explore the development of detection rules to enhance security measures.
CVE-2019-19781 refers to a critical vulnerability affecting certain versions of a specific software. Attackers can exploit this vulnerability to execute arbitrary code remotely, potentially leading to unauthorized access and data compromise. Exploits involving #opendir hosting, #mimikatz, #metasploit, #LinPEAS, #powerup, and #sharpire have been observed in association with this vulnerability.
CVE-2022-22963: Vulnerability Overview and Exploits: CVE-2022-22963 represents another significant vulnerability, impacting a different software or system. This vulnerability exposes the system to potential attacks, allowing threat actors to execute malicious code or gain unauthorized access. While specific exploits associated with #opendir hosting, #mimikatz, #metasploit, #LinPEAS, #powerup, and #sharpire have not been explicitly mentioned, it is crucial to remain vigilant for potential exploit attempts.
A recently discovered security vulnerability, identified as CVE-2023-27997, has raised concerns among users of Fortinet’s FortiGate firewalls. This vulnerability poses a significant risk as it enables attackers to exploit the firewall’s defenses and gain unauthorized access to sensitive information. In this article, we will delve into the details of CVE-2023-27997, its potential implications, and the recommended actions for FortiGate firewall users.
Understanding CVE-2023-27997: CVE-2023-27997 is a critical vulnerability that affects Fortinet’s widely-used FortiGate firewalls. It provides attackers with an opportunity to bypass the firewall’s security measures and gain unauthorized access to the targeted system. The specific technical details of the vulnerability have been outlined in a blog post by Bishop Fox, a cybersecurity consulting firm.
Exploitation and Potential Impact: If successfully exploited, this vulnerability can have severe consequences for affected systems. Attackers can potentially compromise sensitive data, escalate privileges, and launch further attacks on the network infrastructure. The unauthorized access granted by the vulnerability could be leveraged to exfiltrate confidential information, execute arbitrary code, or disrupt essential services, leading to financial loss, reputational damage, and operational disruptions.
Mitigation and Recommended Actions: Fortinet has been made aware of this vulnerability and is actively working on addressing the issue. It is crucial for FortiGate firewall users to promptly apply the security patches and updates released by Fortinet to mitigate the risk posed by CVE-2023-27997.
A critical vulnerability, identified as CVE-2023-34362, has recently been uncovered in a certain software application. This article highlights the significance of the vulnerability and its potential impact on affected systems, as well as the importance of prompt mitigation.
CVE-2023-34362 represents a security flaw that has been documented in a GitHub repository. The vulnerability exposes the software application to potential exploitation, compromising the integrity, confidentiality, or availability of the system. Detailed information regarding the technical aspects and specific risks associated with the vulnerability can be found in the GitHub repository.
https://github.com/sfewer-r7/CVE-2023-34362
In the ever-evolving landscape of cyber threats, researchers from Check Point have recently uncovered an intriguing case involving a custom router implant. This article delves into the details of this discovery, exploring the tactics, techniques, and procedures used by threat actors to compromise network infrastructure and highlighting the significance of such findings in cybersecurity research.
The Dragon Who Sold His Camaro: Unveiling the Custom Router Implant Check Point’s research team has published a comprehensive report (source: https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/) that unravels the intricacies of a custom router implant deployed by threat actors. This implant, named “The Dragon,” represents a sophisticated and stealthy attack vector that can compromise network security and facilitate unauthorized access to sensitive information.
Analyzing the Custom Router Implant: The Dragon implant primarily targets SOHO (Small Office/Home Office) routers commonly used in residential and small business environments. It exhibits a range of advanced capabilities and evasive techniques to maintain persistence and avoid detection by traditional security solutions.
