Media Coverage

Threat actors are actively attempting to exploit a recently fixed Progress WhatsUp Gold remote code execution vulnerability on exposed servers for initial access to corporate networks. Threat monitoring organization Shadowserver Foundation reports that the attempts started on August 1, 2024, coming from six distinct IP addresses.

The vulnerability leveraged in these attacks is CVE-2024-4885, a critical-severity (CVSS v3 score: 9.8) unauthenticated remote code execution flaw impacting Progress WhatsUp Gold 23.1.2 and older.

In the first half of 2024, we observed consistent public disclosure of exploitation in the wild from product companies, security firms, researchers, government agencies, and the broader security community. These disclosures provide defenders with crucial visibility into threats to their environments, allowing for timely action. It’s common for security teams to use this knowledge for vulnerability prioritization and security product teams to use this shared knowledge to prioritize building detection capabilities among many other purposes.

For the 390 vulnerabilities first identified in the first half of 2024, VulnCheck collected 10,611 references of exploitation in the wild. From hundreds of reputable sources, we identified 68 different sources that were the earliest reporters of exploitation during this period. The chart above demonstrates the number of unique exploited vulnerabilities reported first by a source.

Microsoft has issued a significant security alert regarding a vulnerability in VMware ESXi hypervisors, which ransomware operators have actively exploited. According to the Shadowserver Foundation, the vulnerability, identified as CVE-2024-37085, exposed 20,275 instances as of July 30, 2024.

The CVE-2024-37085 vulnerability is an authentication bypass flaw with a CVSS score of 6.8. It specifically affects domain-joined ESXi hypervisors, allowing attackers with sufficient Active Directory (AD) permissions to gain full administrative control over the hypervisor.

Security analysts have identified 6,635 GeoServer instances exposed to the Internet, which makes them vulnerable to critical remote code execution (RCE) attacks. A recent tweet from the Shadowserver Foundation stated that the vulnerability, tracked as CVE-2024-36401, affects GeoServer versions before 2.23.6, 2.24.4, and 2.25.2.

GeoServer, an open-source server enabling users to share and edit geospatial data, is widely used in various industries, including urban planning, environmental monitoring, and resource management.

EURid’s Q2 2024 report highlights its quarterly achievements and strategic advancements.

Partnership with Shadowserver Alliance: EURid has partnered with this prominent global cybersecurity organization to collectively enhance cybersecurity measures.

Attackers are actively  exploiting a critical remote code execution (RCE) vulnerability in Apache HugeGraph-Server, which is tracked as CVE-2024-27348. The vulnerability affects versions 1.0.0 to 1.3.0 of the popular open-source graph database tool.

The flaw, which carries a severe CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary operating system commands on vulnerable servers by  exploiting missing reflection filtering in the SecurityManager. This gives attackers complete control over the affected systems, potentially enabling data theft, network infiltration, ransomware deployment, and other malicious activities.

The Shadowserver Foundation has reported observing exploitation attempts of CVE-2024-27348 from multiple sources, specifically targeting the “/gremlin” endpoint with POST requests.

The National Crime Agency has coordinated global action against illicit software which has been used by cybercriminals for over a decade to infiltrate victims’ IT systems and conduct attacks. Action was taken against 690 individual instances of malicious Cobalt Strike software located at 129 internet service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down.

A number of private industry partners, including BAE Systems Digital Intelligence, Trellix, Shadowserver, Spamhaus and Abuse CH also supported law enforcement in identifying malicious instances and use of Cobalt Strike by cybercriminals.

Using a platform known as the Malware Information Sharing Platform, private sector organisations shared real time threat intelligence with law enforcement. More than 730 pieces of threat intelligence containing almost 1.2 million indicators of compromise were shared.

Law enforcement has teamed up with the private sector to fight against the abuse of a legitimate security tool by criminals who were using it to infiltrate victims’ IT systems. Older, unlicensed versions of the Cobalt Strike red teaming tool were targeted during a week of action coordinated from Europol’s headquarters between 24 and 28 June. Known as Operation MORPHEUS, this investigation was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland and the United States.

Cooperation with the private sector was instrumental in the success of this disruptive action. A number of private industry partners supported the action, including BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch and The Shadowserver Foundation. These partners deployed enhanced scanning, telemetry and analytical capabilities to help identify malicious activities and use by cybercriminals.

Thought last year’s MOVEit hellscape was well and truly behind you? Unlucky, buster. We’re back for round two after Progress Software lifted the lid on fresh vulnerabilities affecting MOVEit Transfer and Gateway.

In typical fashion, researchers at watchTowr have penned a comprehensive account of CVE-2024-5806 – the one affecting MOVEit Transfer – and the two damaging attacks it can facilitate. To the surprise of probably no one, within just a few hours of watchTowr’s writeup going live, attack attempts using CVE-2024-5806 began, according to Shadowserver’s telemetry.

As for how many MOVEit customers are currently exposed, different vendors’ telemetry will always vary. Shadowserver’s data suggests less than 2,000 are exposed to the internet, while Censys puts that figure more in the 2,700 region. Both agree that most are localized to North America, however.

Michael Smith of Vercara delves into DNS’s critical role as foundational internet infrastructure and outlines essential steps to secure it against escalating cyber threats.

To safeguard DNS like we would traditional critical infrastructure, consider the following best practices and steps:

1) Ensure DNS redundancy; 2) Protect DNS servers from DDoS; 3) Scan DNS servers:

Vulnerability scanning services and some of the free scanning data provided by Shadowserver can help you identify these vulnerabilities and misconfigurations in your internet-accessible DNS servers.

4) Use DNSSEC; 5) Use protective DNS services; 6) Separate public and non-public zones ; and 7) Change control, audit, and rollback