Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Cisco discloses root escalation flaw with public exploit code

22-Apr-2024
Label: Ransomware
Threat Level: Medium

Cisco recently disclosed CVE-2024-20295, a vulnerability with a CVSS score of 8.8. The vulnerability affects the Cisco Integrated Management Controller (IMC) CLI and could enable a local, authenticated attacker to perform command injection attacks on the underlying operating system and gain root-level privileges. However, to carry out this attack, the attacker needs at least read-only privileges on the targeted device.

The root cause of this vulnerability lies in the improper validation of user-supplied input. An attacker could take advantage of this by entering a specially crafted CLI command. If successful, the attacker could escalate their privileges to root.

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IMC in the default configuration:

  • 5000 Series Enterprise Network Compute Systems (ENCS)
  • Catalyst 8300 Series Edge uCPE
  • UCS C-Series Rack Servers in standalone mode
  • UCS E-Series Servers

Cisco appliances that are based on a preconfigured version of a Cisco UCS C-Series Server are also affected if they expose access to the Cisco IMC CLI.

Linux Variant of Cerber Ransomware Targeting Vulnerable Confluence Instances

22-Apr-2024
Label: Ransomware
Threat Level: Medium

Researchers found a new variant of Cerber ransomware targeting Linux servers running Confluence, a popular enterprise collaboration application. This Linux variant exploits a vulnerability (CVE-2023-22518) to gain access to the system.

The attack flow typically involves the ransomware exploiting the vulnerability to deploy a web shell. This web shell then downloads and executes the Cerber payload on the compromised server. Once Cerber has infected the system, it attempts to encrypt files. However, because Confluence typically runs under a low-privilege user account, the ransomware’s encryption capabilities are restricted to files owned by that user. This can limit the damage caused by the attack.

Cerber is a relatively sophisticated ransomware payload. While the use of the Confluence vulnerability allows it to compromise a large number of likely high-value systems, the data it is able to encrypt will often be limited to just the Confluence data, and in well-configured systems this data will be backed up.

TA558’s SteganoAmor Campaign Targets Companies and Public Institutions Worldwide

22-Apr-2024
Label: Trends
Threat Level: Medium

The SteganoAmor campaign, orchestrated by the cybercrime group TA558, has significantly escalated its global attacks on companies and public institutions, expanding beyond its typical focus on Latin America. This campaign distinctively utilizes a blend of sophisticated tools and malware such as AgentTesla, Remcos, and LokiBot. Employing steganography, TA558 embeds malicious code in images and documents, leveraging compromised legitimate servers for command and control operations and phishing. Security investigations have identified and attributed over 300 such attacks worldwide to TA558, underscoring the broad scope and impact of their operations.

AI-Powered Malware – The Rise of Scripting Automation in Malware Attacks

15-Apr-2024
Label: Trends
Threat Level: Medium

A recent cyber campaign targeting German organizations showcased a rising trend in the cyber landscape – the utilization of AI to craft malicious scripts.

The attack, attributed to threat actor TA547, featured the deployment of the Rhadamanthys information stealer. TA547, also known as Scully Spider, has a history of malware dissemination and has recently incorporated Rhadamanthys, enhancing its data collection capabilities. This marks the first known instance of Rhadamanthys within TA547’s operations.

The PowerShell script employed in the campaign displayed distinctive characteristics, including meticulously commented lines, indicative of potential AI involvement in its creation. Although not definitively confirmed, evidence strongly suggests TA547’s adoption of generative AI technology for script development.

This incident underscores the emerging trend of threat actors harnessing AI to generate sophisticated attack tools, posing significant challenges to cybersecurity defenses.

Microsoft Patches Two Zero-Days Exploited for Malware Delivery

15-Apr-2024
Label: Vulnerability
Threat Level: Medium

Microsoft’s April 2024 Patch Tuesday updates address around 150 vulnerabilities, including two Windows issues that appear to have been actively exploited.

Fortinet Patches Critical RCE in FortiClientLinux

15-Apr-2024
Label: Vulnerability
Threat Level: Medium

Fortinet issued critical security patches for a flaw in FortiClientLinux that allows attackers to execute arbitrary code.
