Media Coverage

Exploitation of the recently disclosed Ivanti Endpoint Manager Mobile (EPMM) vulnerability has started to pick up, just as the vendor announced the discovery of a new flaw. The EPMM zero-day tracked as CVE-2023-35078, which allows an unauthenticated attacker to obtain sensitive information and make changes to the targeted system, was exploited in attacks aimed at the Norwegian government since at least April 2023. While initially the flaw was only exploited in targeted attacks, threat intelligence firm GreyNoise started seeing exploitation attempts from dozens of unique IP addresses on July 31. The company has seen attacks coming from a total of 75 IPs. The ShadowServer Foundation reports that there are still roughly 700 internet-exposed instances of the mobile management software that are vulnerable to attacks. In the attacks exploiting CVE-2023-35078, threat actors also leveraged a different EPMM security hole, CVE-2023-35081, to upload webshells on the device and run commands.

Hundreds of Citrix Netscaler ADC and Gateway servers have already been compromised and backdoored in a series of attacks targeting a critical Remote Code Execution (RCE) vulnerability identified as CVE-2023-3519. The vulnerability was previously exploited as a zero-day to breach the network of a US critical infrastructure agency.

Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to strengthening internet security, have now revealed that the attackers deployed web shells on at least 640 Citrix servers in these attacks.

Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation. The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. The flaw, patched by Citrix last month, carries a CVSS score of 9.8. The largest number of impacted IP addresses are based in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil. The exploitation of CVE-2023-3519 to deploy web shells was previously disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which said the attack was directed against an unnamed critical infrastructure organization in June 2023.

Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an “extremely severe” flaw that could result in pre-authenticated remote code execution on affected installations. Tracked as CVE-2023-38646, the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1. “An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on,” Metabase said in an advisory released last week. While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 2023. A majority of the instances are located in the U.S., India, Germany, France, the U.K., Brazil, and Australia.

Ivanti ‘s mobile device management software EPMM(Endpoint manager mobile), aka Mobile iron core version lower than 11.8.1.0, was impacted by the actively exploited zero-day vulnerability.  On Sunday, the company released the security patches for the remote unauthenticated API access vulnerability tracked as CVE-2023-35078. Ivanti is an asset management software system used to remotely inventory and manage desktop computers.  It has the ability to report on installed software and hardware, allow remote assistance, and install security patches. If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week warned of cyber attacks against Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices exploiting recently discovered zero-day CVE-2023-3519. The Agency states that threat actors targeted a NetScaler ADC appliance deployed in the network of a critical infrastructure organization. Citrix this week warned customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler Application Delivery Controller (ADC) and Gateway that is being actively exploited in the wild. The U.S. CISA revealed that threat actors are exploiting the vulnerability to drop web shells on vulnerable systems. Researchers from the non-profit organization Shadowserver Foundation this week reported that at least 15,000 Citrix servers were exposed to CVE-2023-3519 attacks based on their version information. Most of the servers are located in the United States and Germany.

Thousands of Citrix Netscaler ADC and Gateway servers exposed online are vulnerable to attacks exploiting a critical remote code execution (RCE) bug that was previously abused in the wild as a zero-day. Security researchers from the Shadowserver Foundation, a non-profit organization dedicated to enhancing internet security, revealed this week that at least 15,000 appliances were identified as exposed to attacks leveraging the flaw (CVE-2023-3519) based on their version information. “We tag all IPs where we see a version hash in a Citrix instance. This is due fact that Citrix has removed version hash information in recent revisions,” Shadowserver said. “Thus safe to assume in our view all instances that still provide version hashes have not been updated and may be vulnerable.” They also noted that they’re also undercounting since some revisions known to be vulnerable but with no version hashes have not been tagged and added to the total number of exposed Citrix servers. Citrix released security updates to address this RCE vulnerability on July 18th, saying that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and urging customers to install the patches as soon as possible. The company added that unpatched Netscaler appliances must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication virtual server (the so-called AAA server) to be vulnerable to attacks. The CVE-2023-3519 RCE zero-day was likely available online since the first week of July when a threat actor began advertising Citrix ADC zero-day flaw on a hacker forum.

Organizations that have yet to patch a 9.8-severity vulnerability in network devices made by Zyxel have emerged as public nuisance No. 1 as a sizable number of them continue to be exploited and wrangled into botnets that wage DDoS attacks. Zyxel patched the flaw on April 25. Five weeks later, Shadowserver, an organization that monitors Internet threats in real time, warned that many Zyxel firewalls and VPN servers had been compromised in attacks that showed no signs of stopping. The Shadowserver assessment at the time was: “If you have a vulnerable device exposed, assume compromise.” On Wednesday—12 weeks since Zyxel delivered a patch and seven weeks since Shadowserver sounded the alarm—security firm Fortinet published research reporting a surge in exploit activity being carried out by multiple threat actors in recent weeks. As was the case with the active compromises Shadowserver reported, the attacks came overwhelmingly from variants based on Mirai, an open source application hackers use to identify and exploit common vulnerabilities in routers and other Internet of Things devices.

In today’s interconnected world, cybersecurity has become a critical concern for nations. Asean countries, for example, with their rapidly growing digital economies and expanding online presence, face increasing cyberthreats. To effectively address these challenges and build a robust cybersecurity environment, partnerships and collaborations are essential. According to the United Kingdom’s Foreign, Commonwealth and Development Office (FCDO) cyberpolicy lead for the Indo-Pacific, Henry Carver, cybersecurity has become a global challenge. “The whole world has been more reliant on digitalisation since the Covid-19 pandemic. More and more technology and the way we live are moving online. Just as it’s true for every citizen, it’s also true for government services, and its critical infrastructure. As a result, we have a larger footprint, which means we have a greater surface area where cybercriminals and people with malicious intentions can come in and pursue their objectives,” he said. “We’ve been working with an organisation called Shadowserver, which has done a lot of Internet scanning for business and government on some of the cyber insights that they have.” The FCDO also shares a lot of good practice on how we protect our own system with our Malaysian counterparts, like our public services cybersecurity strategy, skills and education. “Although it may not be 100 per cent relevant here, it’s about sharing what works for us and for countries to take the good practices and make them their own, and we are really excited to continue our collaboration,” he added.

Rockwell Automation has released patches for a critical remote code execution vulnerability that affects many versions of its communications modules, and is warning customers that an exploit for the bug exists, although no exploitation has been observed yet. Rockwell discovered the vulnerability internally, and reported it to the Cybersecurity and Infrastructure Security Agency, which published an advisory on Wednesday. There is a separate bug (CVE-2023-3596) identifier for the vulnerability in the 1756-EN4* series of products, since exploitation results in a denial of service rather than RCE. Rockwell said that it had discovered and analyzed an exploit for the bug, which it attributed to an unnamed APT actor. The affected modules are used in critical manufacturing settings, and Rockwell has released firmware updates for all of the modules. The Shadowserver Foundation, which tracks exploit activity and vulnerabilities, identified about 107 vulnerable modules exposed to the Internet on Thursday. One of the interesting aspects of this vulnerability is that researchers were able to identify the exploit and discover that an APT actor had also discovered the bug, before the actor actually used the exploit. Organizations running affected Rockwell ControlLogix modules should install the updated firmware as soon as possible.