Cybersecurity hotlines at colleges could go a long way toward filling the skills gap

These clinics offer pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.

TALOS

Thursday, June 22, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

I recently stumbled upon news that the University of Texas at Austin is launching a new cybersecurity clinic run by faculty and students studying security and IT at the university. This clinic offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.

That news led me to another discovery: Clinics like these are actually more common than you’d think.

Though UT Austin’s clinic is one of the newest ones to exist in the U.S., similar programs at the University of California Berkeley and the University of Indiana have been around for four-plus years. And in 2021, several universities got together to create the Consortium of Cybersecurity Clinics. Today, that Consortium has 14 members who have similar clinics that offer similar, free services.

Maybe this is old news to many readers, but it’s all new to me, and it also seems like a no-brainer.

The cybersecurity world is always discussing the skills gap that exists and a high burnout rate among defenders, leading to a dearth of security practitioners in the private and public sectors. These types of clinics can help solve that gap by giving students hands-on training and experience they can eventually take into the field while helping to support organizations that are often most at risk for falling victim to a cyber attack. Small organizations don’t have the traditional resources to build a security program, and if they’re hit with a ransomware attack, they’re also more likely to do whatever allows them to return to “normal” as soon as possible, which often means paying the ransom.

Universities have long used clinic methods to train future professionals in the medical and legal fields, so they already have the infrastructure and funding in place to support these types of programs.

Reading about these clinics reminded me of working at my collegiate newspaper. Although writing about a student government association isn’t as high stakes as trying to recover from a ransomware attack, I can confidently say that gaining real-world experience is far more valuable than anything you can learn in a classroom.

Working at the paper taught me how to be a better communicator and how to treat people fairly, and it just made me a better writer in general by getting reps in.

I’m somehow already two years removed from going back to college for a cybersecurity education, but I would have relished the opportunity to work in a clinic like this as opposed to reading another textbook or going through one more coding exercise.

I’m assuming I’m not the only person late to the party on these clinics, so I only hope this serves as a PSA to someone that these options exist for students and organizations.

The one big thing

Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023. Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads. The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments.

Why do I care?

The exploitation of this vulnerability has already affected many organizations across the globe, including the BBC, British Airways, the government of Nova Scotia and U.K. pharmacy chain Boots. This clearly has wide-reaching implications, and security researchers are already discovering other vulnerabilities in MOVEit, though those aren’t being exploited in the wild.

So now what?

Talos has a list of recommendations over on our blog that potential targets should follow. First and foremost, though, users should implement the patch that Progress Software released for CVE-2023-34362. Additionally, Talos released new ClamAV signatures and Snort rules to detect and prevent the exploitation of the MOVEit vulnerabilities.

Top security headlines of the week

Microsoft identified that a group of actors connected to Russia’s GRU is behind a recent wave of cyber attacks against Ukrainian government agencies and information technology vendors. The same report linked this actor, now known as “Cadet Blizzard,” to a series of data-wiping attacks that took place right before Russia’s invasion of Ukraine last year. Cadet Blizzard also appears to target NATO member countries who are supporting Ukraine during the military conflict and sending aid to the country. The actor typically uses stolen credentials to gain access to targets’ internet servers on the perimeter of their network. Then, it uses web shells to maintain persistence and carry out a variety of malicious actions. Outside of the wiper campaign in 2022, Cadet Blizzard is largely considered to be less successful than other GRU-connected threat actors. (Microsoft, Yahoo! News)

The U.S. Department of Justice is adding a new unit to its organization that will specifically focus on prosecuting state-sponsored threat groups and individuals behind cyber attacks. The new National Security Cyber Section will be on the same footing as the organization’s three other sectors that also prosecute other types of crimes and terrorism. This new organization is “positioned to act quickly as soon as the FBI or an [intelligence community] partner identifies a cyber enabled threat and we will be in a position to support investigations and disruption,” according to a news release from the Department of Justice. The Department of Justice has taken a harder stance against cyber attacks in recent months and has specifically charged and arrested several high-profile threat actors during the Biden administration’s time in office. (Recorded Future, CyberScoop)

U.S. President Joe Biden convened a group of AI experts and companies to discuss the dangers the new technologies pose to privacy, the U.S. economy and more, this week. “My administration is committed to safeguarding America’s rights and safety, from protecting privacy to addressing bias and disinformation to making sure AI systems are safe before they are released,” Biden said after the meeting. Vice President Kamala Harris is also expected to meet with civil rights leaders, consumer protection groups and AI experts to discuss the inherent biases in AI models and the rise of these technologies in mainstream culture. (NBC News, Politico)

Can’t get enough Talos?

  • Talos Takes Ep. #143: The hidden threat to the software supply chain you may not be thinking about
  • Threat Roundup (June 9 – 16, 2023)
  • No Password Required: Threat Researcher at Cisco Talos and a Veteran of the Highest-Profile Cyber Incidents Who Roasts His Own Coffee Beans
  • Cisco releases new security offerings at Cisco Live 2023
  • Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience

Upcoming events where you can find Talos

BlackHat (Aug. 5 - 10)

Las Vegas, Nevada

Most prevalent malware files from Talos telemetry over the past week

