Media Coverage

A critical vulnerability in Ivanti Virtual Traffic Manager (vTM) was added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity & Infrastructure Security Agency (CISA) on Tuesday.

The Shadowserver Foundation began tracking internet-exposed Ivanti vTM instances, regardless of patching status, in mid-August, and only discovered 31 exposed instances as of Aug. 17. However, they observed an exploit attempt based on the available PoC on Aug. 18, according to a post on X. As of Sept. 24, only 21 internet-exposed instances were detected, according to Shadowserver’s time series dashboard.

A China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installing either the Cobalt Strike client or a custom backdoor known as EagleDoor on compromised machines.

Dubbed Earth Baxia by cybersecurity firm Trend Micro, the group primarily uses spear-phishing to compromise victims, but it has also exploited a vulnerability (CVE-2024-36401) in the open source GeoServer software used to distribute geospatial data. The GeoServer attacks appear to have started at least two months ago, with the Shadowserver Foundation noting that the attack first appeared in its logs on July 9. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability (KEV) catalog on July 15.

It deserves emphasizing that this is a team sport: Even as the operations relied on Justice Department legal process, we are often not alone in planning or executing them. We are almost always joined by a coalition of U.S. government, private sector, and foreign partners in this work.

In disrupting the GRU botnet, for example, we planned and coordinated with the Shadowserver Foundation, Microsoft, and other private sector partners. Shortly after we announced the operation, the FBI, NSA, Cyber Command, and 11 foreign partner entities released a joint cybersecurity advisory providing device owners and network defenders with valuable threat intelligence about the GRU’s relevant tactics, techniques, and procedures. Many of these same partners provided invaluable assistance in eradicating portions of the botnet within their borders.

We recently performed research that started off “well-intentioned” (or as well-intentioned as we ever are) – to make vulnerabilities in WHOIS clients and how they parse responses from WHOIS servers exploitable in the real world (i.e. without needing to MITM etc).

We hope you’ve enjoyed (and/or been terrified by) today’s post, in which we took control of a chunk of the Internet’s infrastructure, opened up a big slab of juicy attack surface, and found a neat way of undermining TLS/SSL – the fundamental protocol that allows for secure communication on the web.

We want to thank the UK’s NCSC and the ShadowServer Foundation for rapidly working with us ahead of the release of this research to ensure that the ‘dotmobiregistry.net’ domain is suitably handled going forwards, and that a process is put in place to notify affected parties.

While the private sector has increasingly contributed to law enforcement operations against cybercriminals and nation-state actors, infosec professionals agree there’s more to be done as threats continue to rise. In some cases, private sector collaborations made those law enforcement operations more successful through information sharing with government agencies.

One of the most significant botnet takedowns ever occurred in May. The international effort resulted in four arrests, more than 100 server seizures and 2,000 domain takeovers. Operation Endgame involved agencies from all over the world as well as private industry partners such as BitDefender, Proofpoint and the Shadowserver Foundation.

Last week, a critical vulnerability in Ivanti’s Virtual Traffic Manager (vTM) became known. Now IT researchers have discovered an exploit attempt based on a publicly available proof-of-concept exploit. Admins should update the software quickly – updates are now available for all supported versions.

The Shadowserver Foundation has announced on X, formerly Twitter, that it has found very few Ivanti vTM devices openly accessible on the Internet. However, on Saturday last weekend, the group observed an attempt to abuse the vulnerability based on a publicly available proof-of-concept exploit.

The US cybersecurity agency CISA on Thursday informed organizations about threat actors targeting improperly configured Cisco devices. The agency has observed malicious hackers acquiring system configuration files by abusing available protocols or software, such as the legacy Cisco Smart Install (SMI) feature.

After CISA published its alert, the non-profit cybersecurity organization The Shadowserver Foundation reported seeing over 6,000 IPs with the Cisco SMI feature exposed to the internet.

Daniel Clark Lee (SOC manager) and city of Los Angeles CISO Tim Lee talked about the challenge of battling practically unlimited threats.

The solution to the challenges lies in finding ways to quickly identify the vulnerabilities that put the city at greatest risk. This helps administrators prioritize patching, results in easy wins and allows cybersecurity professionals to clearly communicate their strategic decisions to the rest of the organization.

He added that organizations should look to take advantage of free services to assist with vulnerability scanning. For instance, he highlighted the Shadowserver Foundation, a nonprofit security organization, as well as CISA’s Cyber Hygiene vulnerability and web application scanning services.

Threat actors are actively attempting to exploit a recently fixed Progress WhatsUp Gold remote code execution vulnerability on exposed servers for initial access to corporate networks. Threat monitoring organization Shadowserver Foundation reports that the attempts started on August 1, 2024, coming from six distinct IP addresses.

The vulnerability leveraged in these attacks is CVE-2024-4885, a critical-severity (CVSS v3 score: 9.8) unauthenticated remote code execution flaw impacting Progress WhatsUp Gold 23.1.2 and older.

In the first half of 2024, we observed consistent public disclosure of exploitation in the wild from product companies, security firms, researchers, government agencies, and the broader security community. These disclosures provide defenders with crucial visibility into threats to their environments, allowing for timely action. It’s common for security teams to use this knowledge for vulnerability prioritization and security product teams to use this shared knowledge to prioritize building detection capabilities among many other purposes.

For the 390 vulnerabilities first identified in the first half of 2024, VulnCheck collected 10,611 references of exploitation in the wild. From hundreds of reputable sources, we identified 68 different sources that were the earliest reporters of exploitation during this period. The chart above demonstrates the number of unique exploited vulnerabilities reported first by a source.