Media Coverage

A recently patched vulnerability affecting the Apache ActiveMQ message broker is being exploited by cybercriminals in an apparent attempt to deliver ransomware.  Apache ActiveMQ is described as the “most popular open source, multi-protocol, Java-based message broker”. Several 5.x.x versions of the product, as well as the Apache ActiveMQ Legacy OpenWire Module, are affected by CVE-2023-46604, a security hole that can be exploited for remote code execution. On October 30, the Shadowserver Foundation reported seeing over 7,000 internet-exposed ActiveMQ instances, including roughly 3,300 that had been vulnerable to attacks exploiting CVE-2023-46604.

Researchers have reported suspected exploitation activity related to a recently disclosed security vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604. This vulnerability, with a maximum CVSS score of 10.0, can potentially lead to remote code execution (RCE) attacks.CVE-2023-46604 allows remote attackers with network access to a broker to execute arbitrary shell commands. This is achieved by exploiting serialized class types within the OpenWire protocol, which, in turn, leads to the broker instantiating any class available on the classpath. Shadowserver has identified 7,249 servers with accessible ActiveMQ services. Among them, 3,329 servers were running a version vulnerable to CVE-2023-46604.

The unexpected drop in malicious activity connected with the Mozi botnet in August 2023 was due to a kill switch that was distributed to the bots. Mozi is an Internet of Things (IoT) botnet that emerged from the source code of several known malware families, such as Gafgyt, Mirai, and IoT Reaper. First spotted in 2019, it’s known to exploit weak and default remote access passwords as well as unpatched security vulnerabilities for initial access.

Over three thousand internet-exposed Apache ActiveMQ servers are vulnerable to a recently disclosed critical remote code execution (RCE) vulnerability.The flaw in question is CVE-2023-46604, a critical severity (CVSS v3 score: 10.0) RCE allowing attackers to execute arbitrary shell commands by exploiting the serialized class types in the OpenWire protocol. Researchers from threat monitoring service ShadowServer found 7,249 servers accessible with ActiveMQ services. Of those, 3,329 were found to run an ActiveMQ version vulnerable to CVE-2023-46604, with all of these servers vulnerable to remote code execution.

Citrix Bleed, the critical information-disclosure bug that affects NetScaler ADC and NetScaler Gateway, is now under “mass exploitation,” as thousands of Citrix NetScaler instances remain vulnerable, according to security teams.

As of October 30, Shadowserver spotted just over 5,000 vulnerable servers on the public internet. And in the past week, GreyNoise observed 137 individual IP addresses attempting to exploit this Citrix vulnerability. The vulnerability allows attackers to access a device’s memory, and in that RAM find session tokens that miscreants can then extract and use to impersonate an authenticated user. Thus even if the hole is patched, copied tokens will remain valid unless further steps are taken.

On August 29, 2023, the U.S. Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) teamed up with France, Germany, the Netherlands, Romania, and Latvia to launch a multinational operation to dismantle the Qakbot malware botnet (Operation Duck Hunt). According to a report published by the non-profit organization The Shadowserver Foundation on devices infected with Qakbot from July 2019 to August 2023, approximately 40,000 devices were confirmed in Japan .

About 42,000 Roundcube Webmail servers contain a vulnerability that attackers are currently actively exploiting . Nine hundred of the servers are in the Netherlands, the Shadowserver Foundation states based on its own scans. Roudcube is open source webmail software and is used by all kinds of organizations. A vulnerability (CVE-2023-5631) in the software enables stored cross-site scripting (XSS).

This Monday, Citrix issued a warning to administrators of NetScaler ADC and Gateway appliances, urging them to patch the flaw (CVE-2023-4966) immediately, as the rate of exploitation has started to pick up.

Today, researchers at Assetnote shared more details about the exploitation method of CVE-2023-4966 and published a PoC exploit on GitHub to demonstrate their findings and help those who want to test for exposure. Threat monitoring service Shadowserver reports spikes of exploitation attempts following the publication of Assetnote’s PoC, so the malicious activity has already started.

As these types of vulnerabilities are commonly used for ransomware and data theft attacks, it is strongly advised that system administrators immediately deploy patches to resolve the flaw.

This week, Cisco warned that hackers exploited two zero-day vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to hack over 50,000 Cisco IOS XE devices to create privileged user accounts and install a malicious LUA backdoor implant. On Saturday, multiple cybersecurity organizations reported that the number of Cisco IOS XE devices with a malicious implant has mysteriously dropped from approximately 60,000 devices to only 100-1,200, depending on the different scans.

Piotr Kijewski, the CEO of The Shadowserver Foundation, also told BleepingComputer that they have seen a sharp drop in implants since 10/21, with their scans only seeing 107 devices with the malicious implant. “The implant appears to have been either removed or updated in some way,” Kijewski told BleepingComputer via email.

Update 10/23/23: Today, cybersecurity firm Fox-IT explained that the cause of the sudden drop of detected implants is due to the threat actors rolling out a new version of the backdoor on Cisco IOS XE devices. According to Fox-IT the new implant version now checks for an Authorization HTTP header before responding.

A critical cybersecurity threat disclosed by Cisco has resulted in mass exploitation of its devices, with the number of impacted systems surpassing 40,000 hosts worldwide. Nonprofit security group Shadowserver has detected over 32,800 devices compromised so far.

Cisco released a security advisory on October 16 to warn users about a critical zero-day privilege escalation vulnerability in its IOS XE Web UI software.

As per Censys, by October 18 the number of infections had increased from the previously reported 34,140 to 41,983 hosts, while 34,140 had backdoor installed It is tracked as CVE-2023-20198 and has been used to exploit tens of thousands of devices. The US had the highest number of compromised devices followed by the Philippines.