Media Coverage

A GitLab vulnerability enabling file writing to arbitrary locations on a server was patched last Thursday, two weeks after the company patched a critical account takeover bug. The latest vulnerability, tracked as CVE-2024-0402, received a CVSS score of 9.9 and allows authenticated users to write files anywhere on a GitLab server while creating a workspace.

The Shadowserver Foundation, which tracks malicious activity and vulnerabilities online, previously said it detected more than 5,300 GitLab instances vulnerable to CVE-2023-7028 on Jan. 23. As of Jan. 30, Shadowserver’s dashboard showed 4,826 GitLab instances still running unpatched versions. Shadowserver CEO Piotr Kijewski told SC Media that while the organization is not currently scanning for CVE-2024-0402, it is most likely that instances still vulnerable to CVE-2023-7028 are also vulnerable to the latest bug. “The total CVE-2024-0402 population will be expected to be higher, however,” Kijewski said.

Researchers found roughly 45,000 Jenkins instances exposed online that are vulnerable to CVE-2024-23897, a critical remote code execution (RCE) flaw for which multiple public proof-of-concept (PoC) exploits are in circulation. Jenkins is a leading open-source automation server for CI/CD, allowing developers to streamline the building, testing, and deployment processes. It features extensive plugin support and serves organizations of various missions and sizes.

Today, threat monitoring service Shadowserver reported that its scanners have “caught” roughly 45,000 unpatched Jenkins instances, indicating a massive attack surface. Most of the vulnerable internet-exposed instances are in China (12,000) and the United States (11,830), followed by Germany (3,060), India (2,681), France (1,431), and the UK (1,029).

In pursuit of comprehensive threat intelligence, PTA has subscribed to Shadowserver—a renowned platform that provides data pertaining to cyber threats within Pakistan. This subscription enables PTA to compile a holistic view of the threat landscape, and to take proactive measures to mitigate risks related to the telecom sector. Access to reliable threat intelligence is crucial in strengthening the country’s CS posture and safeguarding critical infrastructure.

More than 5,300 GitLab servers connected to the internet are vulnerable to zero-click account takeover CVE-2023-7028 (CVSS score: 10.0) announced by GitLab earlier this month. This vulnerability allows an attacker to send a password reset email for a targeted account to an email address controlled by the attacker, allowing the attacker to change the password and take over the account. Account takeover will not be successful if the target has 2FA enabled, because the attacker will not be able to log in if they do not have control over two-factor authentication (2FA).

Currently, 13 days after the security update became available, threat monitoring service ShadowServer reports seeing 5,379 GitLab instances that are vulnerable to attack. Most servers with the vulnerability were in the United States (964), followed by Germany (730), Russia (721), China (503), France (298), the United Kingdom (122), India (117), and Canada (99 ).

Security researchers are observing exploitation attempts for the CVE-2023-22527 remote code execution flaw vulnerability that affects outdated versions of Atlassian Confluence servers.

Threat monitoring service Shadowserver reports today that its systems recorded thousands of attempts to exploit CVE-2023-22527, the attacks originating from a little over 600 unique IP addresses. The service says that attackers are trying out callbacks by executing the ‘whoami‘ command to gather information about the level of access and privileges on the system.

The total number of exploitation attempts logged by The Shadowserver Foundation is above 39,000, most of the attacks coming from Russian IP addresses. Shadowserver reports that its scanners currently detect 11,100 Atlassian Confluence instances accessible over the public internet. However, not all of those necessarily run a vulnerable version.

DDoS or denial of access attack against BGP sessions is well known but not common in cyberspace. In June of last year, FIRST recorded 2 such cases where two of the organization’s BGP sessions were successfully attacked by a DDoS attack (TCP port 179) and both sessions were terminated. The IT security organization Shadowserver and the Shodan service have collected information about +300,000 BGP port 179 sessions that are at risk and could become a target for similar attacks. About 150 such BGP services exposed on the Internet have been found in Latvia. Simultaneous attacks on these services could lead to serious consequences and global “chaos on the Internet”.

Shadowserver unprotected BGP session information panel . Shadowserver notifications now also include two new free BGP session messages – available BGP service and open BGP service .

VMware is warning customers that CVE-2023-34048, a critical vCenter Server vulnerability patched in October 2023, is being widely exploited.

According to a report by the Shadowserver Foundation, there are currently hundreds of VMware vCenter Server instances exposed to the Internet that are potentially vulnerable. It’s not uncommon for VMware products to be targeted by malicious attackers. The catalog of known exploited vulnerabilities maintained by the US security agency CISA currently includes 21 VMware product flaws .

Network manufacturer Juniper warns customers of a critical vulnerability that could allow an unauthenticated attacker to take over firewalls and switches remotely. The vulnerability (CVE-2024-21591) resides in the J-Web configuration tool in Juniper Networks Junos OS SRX Series and EX Series firewalls and switches. The J-Web interface makes it possible to monitor, configure and manage the device via a browser.

According to the Shadowserver Foundation, the J-Web interface of 8,300 Juniper systems is accessible from the Internet, including 139 in the Netherlands.

The Government, through the National Cybersecurity Center (CNCS), made an automatic notification service for vulnerabilities and exposure in cyberspace available to public and private entities. The new service, which is offered free of charge, aims to help organizations strengthen their cybersecurity and protect their digital assets to promote a safer, more reliable and resilient cyberspace, through timely notifications.

The resource, presented by the National Cyber ​​Incident Response Team (CSIRT-RD), together with the Shadowserver Foundation, is aligned with the Digital Agenda 2030, our National Digital Transformation Strategy. The director of the CNCS, Juan Gabriel Gautreaux, explained that those interested in obtaining the service must subscribe by registering an official and authorized contact of the organization to which they belong and complete a form.

Hackers have been exploiting the two zero-day vulnerabilities in Ivanti Connect Secure disclosed this week since early December to deploy multiple families of custom malware for espionage purposes. Identified as CVE-2023-46805 and CVE-2024-21887, the security issues allow bypassing authentication and injecting arbitrary commands on vulnerable systems.

Today, threat monitoring service Shadowserver has posted on X that its scanners detect 17,100 Invanti CS appliances on the public web, most of them in the United States. However, there is no indication to how many of them are vulnerable.