Science of Security (SoS) Program Review: 2011-2023 Report
The "Science of Security (SoS) Program Review: 2011-2023" report is now available.
"CISA Issues Emergency Directive Requiring Federal Agencies to Mitigate Ivanti Connect Secure and Policy Secure Vulnerabilities"
"CISA Issues Emergency Directive Requiring Federal Agencies to Mitigate Ivanti Connect Secure and Policy Secure Vulnerabilities"
The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 24-01 in response to the widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances. Ivanti recently released information about two vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, which enable an attacker to move laterally across a target network, exfiltrate data, and gain persistent system access.
"Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware"
"Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware"
The Russia-backed Advanced Persistent Threat (APT) group ColdRiver, also known as Blue Charlie, Callisto, Star Blizzard, or UNC4057, has unleashed custom malware called Spica. According to Google's Threat Analysis Group (TAG), Spica is the first custom malware developed and used by ColdRiver. ColdRiver typically targets Non-Governmental Organizations (NGOs), former intelligence and military officers, and NATO governments for cyber espionage.
"VMware Confirms Critical vCenter Flaw Now Exploited in Attacks"
"VMware Confirms Critical vCenter Flaw Now Exploited in Attacks"
VMware has confirmed the active exploitation of a critical vCenter Server Remote Code Execution (RCE) that was patched in October 2023. The vCenter Server management platform is for VMware vSphere environments and helps administrators manage ESX and ESXi servers, as well as Virtual Machines (VMs). The vulnerability, discovered by Trend Micro, stems from an out-of-bounds write flaw in vCenter's DCE/RPC protocol implementation.
"US Gov Publishes Cybersecurity Guidance for Water and Wastewater Utilities"
"US Gov Publishes Cybersecurity Guidance for Water and Wastewater Utilities"
The US government recently published new guidance aimed at helping organizations in the water and wastewater (WWS) sector improve their cyber resilience and incident response capabilities. Released in response to an increased interest by financially and politically motivated threat actors in the United States WWS sector, the guide outlines how water utility owners and operators can interact with federal partners to prepare for, mitigate, and respond to incidents.
"Protect AI Finds Vulnerabilities in Open-Source AI and Machine Learning Tools"
"Protect AI Finds Vulnerabilities in Open-Source AI and Machine Learning Tools"
Protect AI has released a new report highlighting vulnerabilities recently discovered in open-source Artificial Intelligence (AI) and Machine Learning (ML) tools by its bug bounty program. The first vulnerability posed a significant risk of server takeover and the loss of sensitive data. The MLflow tool, used for storing and tracking models, was discovered to contain a critical flaw in its code that could trick users into connecting to a malicious remote data source, thus allowing attackers to run commands on a victim's system.
"New Docker Malware Steals CPU for Crypto and Drives Fake Website Traffic"
"New Docker Malware Steals CPU for Crypto and Drives Fake Website Traffic"
A novel campaign is targeting vulnerable Docker services, with threat actors deploying both the XMRig cryptocurrency miner and the 9Hits Viewer software as part of a multi-pronged monetization strategy. According to the cloud security company Cado, this is the first documented case of malware using the 9Hits application as a payload. The development further demonstrates that adversaries are constantly looking for new ways to profit from compromised hosts. This article continues to discuss findings regarding the novel campaign targeting vulnerable Docker services.
"Poorly Secured PostgreSQL, MySQL Servers Targeted by Ransomware Bot"
"Poorly Secured PostgreSQL, MySQL Servers Targeted by Ransomware Bot"
Border0 researchers warn that users who expose poorly secured PostgreSQL and MySQL servers online risk having their databases wiped by a ransomware bot. The attackers request a small sum to return and not publish the data. However, those who pay will not recover their data because the bot takes a small portion of it before wiping it all. This article continues to discuss how the ransomware bot operates.
"'Chaes' Infostealer Code Contains Hidden Threat Hunter Love Notes"
"'Chaes' Infostealer Code Contains Hidden Threat Hunter Love Notes"
An analysis of Chaes version 4.1 reveals hidden ASCII art and a message to cybersecurity researchers, thanking them for their interest in the malware. The current Chaes campaign uses a Portuguese-language email regarding an important legal matter. If the user clicks the malicious link in the email, they are taken to a spoofed TotalAV website, where they are asked to enter their password to download a document. This article continues to discuss findings from the analysis of Chaes 4.1.