Weekly Threat Briefing: January 8 - 12, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Ivanti Zero-Day Vulnerabilities Exploited

On January 10th, Ivanti, in coordination with Volexity, disclosed two zero-day vulnerabilities that impact Ivanti Connect Secure and Ivanti Policy Secure gateways. When chained together, these vulnerabilities enable an unauthenticated remote attacker to bypass authentication and execute arbitrary code on vulnerable systems. The two vulnerabilities are tracked as follows:

  • CVE-2023-46805 (CVSS: 8.2) – Authentication Bypass in the web component of Ivanti Connect Secure (ICS) 9.x, 22.x and Ivanti Policy Secure
  • CVE-2024-21887 (CVSS: 9.1) – Command Injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure

Security patches to address CVE-2023-46805 and CVE-2024-21887 are not currently available. Ivanti will be releasing patches in a staggered approach on the weeks of January 22nd and February 19th.

Until security patches are released, it is critical that organizations apply the relevant mitigations provided by Ivanti. In addition to applying mitigations, it is important to conduct active threat hunts across all potentially impacted systems for signs of compromise, since the mitigation does not remediate a device that was already compromised.

Learn more in the full threat advisory here.


Microsoft Patch Tuesday

This month Microsoft addressed a total of 49 vulnerabilities, out of which only two are rated as critical.

The two critical vulnerabilities are as follows:

  • CVE-2024-20674 (CVSS: 9.0) - Windows Kerberos Security Feature Bypass Vulnerability: The authentication feature could be bypassed as this vulnerability allows impersonation.
  • CVE-2024-20700 (CVSS: 7.8) - Windows Hyper-V Remote Code Execution Vulnerability: After gaining access to a restricted network, an attacker may exploit this vulnerability to execute code.

CVE-2024-20674 stands out as particularly notable. The potential impact to a core authentication protocol and low complexity rating make this a valuable target for adversaries.

Another notable vulnerability from the release is:

  • CVE-2024-20677 (CVSS: 8.0) - Microsoft Office Remote Code Execution Vulnerability: Based on available details, it is believed that an attacker could embed an FBX (3D model) file in a Word document; a user interacting with that embedded FBX content would enable code execution.

It is important that organizations review and action the full Microsoft Patch Tuesday release. Vulnerabilities that are confirmed to be exploited should be prioritized for immediate patching. Vulnerabilities in Internet-facing applications should be prioritized next, as they are more likely to be targeted by threat actors.
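The prioritization rule stated above (confirmed exploitation first, Internet-facing exposure next, then severity), combined with the Ivanti situation where a vulnerability is exploited but no patch yet exists, can be turned into a small triage routine. The following is an added example written for this briefing, not eSentire tooling: the CVE identifiers and CVSS scores are those named in this briefing, while the `exploited`, `internet_facing` and `patch_available` flags are constructed sample values an organization would populate from its own asset inventory and vendor advisories.

```python
"""Patch triage helper: rank a vulnerability backlog the way the briefing
recommends and attach a recommended action to each finding.

Added example. CVE ids and CVSS scores come from the briefing; the exposure
flags are constructed sample data, not real inventory.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    cve: str
    cvss: float
    exploited: bool           # vendor or CISA KEV confirms in-the-wild exploitation
    internet_facing: bool     # affected asset is reachable from the Internet
    patch_available: bool = True


def priority_key(f: Finding) -> Tuple[bool, bool, float]:
    # Higher tuple sorts first when reverse=True: exploited > exposed > CVSS.
    return (f.exploited, f.internet_facing, f.cvss)


def triage(findings: List[Finding]) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_key, reverse=True)


def recommended_action(f: Finding) -> str:
    """Map a finding to the response the briefing describes."""
    if f.exploited and not f.patch_available:
        # Ivanti case: no fix yet, so mitigate and hunt for existing compromise.
        return "apply vendor mitigation now and threat hunt"
    if f.exploited:
        return "patch immediately"
    if f.internet_facing or f.cvss >= 9.0:
        return "patch at next expedited window"
    return "patch in regular cycle"


# Constructed sample backlog built from the CVEs discussed in this briefing.
SAMPLE = [
    Finding("CVE-2024-20674", 9.0, exploited=False, internet_facing=False),
    Finding("CVE-2024-20700", 7.8, exploited=False, internet_facing=False),
    Finding("CVE-2024-20677", 8.0, exploited=False, internet_facing=False),
    Finding("CVE-2024-21887", 9.1, exploited=True, internet_facing=True,
            patch_available=False),
    Finding("CVE-2023-46805", 8.2, exploited=True, internet_facing=True,
            patch_available=False),
]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.cve:16} CVSS {f.cvss:4}  {recommended_action(f)}")
```

Running the script lists the two exploited, unpatched Ivanti issues first with a mitigate-and-hunt action, followed by the Microsoft vulnerabilities ordered by score; feeding it a real inventory export is simply a matter of constructing `Finding` records from that data.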

In addition, eSentire Managed Vulnerability Service (MVS) has plugins in place to identify these vulnerabilities.

Learn more in the full threat advisory here.


Pro-Ukraine Hackers Breach Russian ISP

On December 12th, Kyivstar was impacted by a cyberattack resulting in the destruction of thousands of virtual servers and PCs, leading to internet and phone outages for 24 million Ukrainians. On January 4th, Illia Vitiuk, the cyber chief of the Security Service of Ukraine (SBU), disclosed additional details on the attack. These details identified the known Russian state-sponsored APT group Sandworm (ELECTRUM, BlackEnergy, Voodoo Bear, IRIDIUM) as the group responsible for the attack. This group has previously targeted critical infrastructure in Ukraine with wiper malware.

On January 9th, in retaliation for the attack on Kyivstar, a pro-Ukrainian hacktivist group named ‘Blackjack’ executed a cyberattack against the Russian internet service provider M9 Telecom. The attack reportedly destroyed 20 terabytes of data, including the company's official website and cyber protection services, leaving some Moscow residents without internet and television access.

Learn more in the full threat advisory here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.

John T.

Manager Cyber Defense

11mo

Thanks for sharing, that breach situation is such a grey area for repudiation implications.

Edward C.

Want to improve your human sensor? We are building an AI Assistant that goes beyond the human firewall (prevention) to developing the human sensor (detection/response) which helps organizations reduce attacker dwell time

11mo

Looking forward to these every Tuesday.
