rapid7 | Breaking Cybersecurity News | The Hacker News

The North Korea-linked threat actor known as  Kimsuky  (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data. Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe. According to Rapid7, attack chains have leveraged weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, with the group also employing CHM files to  deploy malware  on  compromised hosts . The cybersecurity firm has attributed the activity to Kimsuky with moderate confidence, citing similar tradecraft observed in the past. "While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened," the company  said . The CHM file is propagated within an IS

Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed  DSLog  on susceptible devices. That's according to  findings  from Orange Cyberdefense, which said it observed the exploitation of CVE-2024-21893 within hours of the public release of the proof-the-concept (PoC) code. CVE-2024-21893, which was  disclosed  by Ivanti late last month alongside CVE-2024-21888, refers to a server-side request forgery (SSRF) vulnerability in the SAML module that, if successfully exploited, could permit access to otherwise restricted resources sans any authentication. The Utah-based company has since acknowledged that the flaw has limited targeted attacks, although the exact scale of the compromises is unclear. Then, last week, the Shadowserver Foundation  revealed  a surge in exploitation attempts targeting the vulnerability originating from over 170 unique IP addresses, shortly after both

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

A recently disclosed server-side request forgery ( SSRF ) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation  said  it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit  CVE-2024-21893  (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication. Ivanti had previously divulged that the vulnerability had been exploited in targeted attacks aimed at a "limited number of customers," but cautioned the status quo could change post public disclosure. That's exactly what appears to have happened, especially following the  release  of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week. The PoC involves fashioning an exploit cha

Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Cybersecurity firm Rapid7  said  it observed the exploitation of  CVE-2023-22518  and  CVE-2023-22515  in multiple customer environments, some of which have been leveraged for the deployment of  Cerber  (aka  C3RB3R ) ransomware. Both vulnerabilities are critical, allowing threat actors to create unauthorized Confluence administrator accounts and lead to a loss of confidentiality, integrity, and availability. Atlassian, on November 6,  updated its advisory  to note that it observed "several active exploits and reports of threat actors using ransomware" and that it is revising the CVSS score of the flaw from 9.1 to 10.0, indicating maximum severity. The escalation, the Australian company said, is due to the change in the scope of the attack. Attack chains involve mass exploitation of vulnerable internet-facing Atlassian Confluence servers to

Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7  disclosed  in a report published Wednesday. "Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October." The intrusions are said to involve the exploitation of  CVE-2023-46604 , a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands. It's worth noting that the  vulnerability  carries a CVSS score of 10.0, indicating maximum severity. It has been  addressed  in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3

Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports. The Shadowserver Foundation  said  that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint," the same day a proof-of-concept (PoC) became available. The  issues , tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside in the J-Web component of Junos OS on Juniper SRX and EX Series. They could be chained by an unauthenticated, network-based attacker to execute arbitrary code on susceptible installations. Patches for the flaw were released on August 17, 2023, a week after which watchTowr Labs published a proof-of-concept (PoC) by combining CVE-2023-36846 and CVE-2023-36845 to execute a PHP file containing malicious shellcode. Currently, there are  more than 8,200 Junip

Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign. The flaw, tracked as  CVE-2023-28121  (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover. "Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall  said  in a Monday post. Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions o

Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution. "A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company  said  in an advisory published Thursday. Cybersecurity firm Rapid7, which  discovered  and reported the flaw on April 13, 2022, said that the weakness could permit a remote unauthenticated adversary to execute code as the "nobody" user on impacted appliances. Tracked as  CVE-2022-30525  (CVSS score: 9.8), the flaw impacts the following products, with patches released in version ZLD V5.30 - USG FLEX 100(W), 200, 500, 700 USG FLEX 50(W) / USG20(W)-VPN ATP series, and  VPN series Rapid 7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a

Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year. "A small subset of our source code repositories for internal tooling for our [Managed Detection and Response] service was accessed by an unauthorized party outside of Rapid7," the Boston-based firm  said  in a disclosure. "These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers." On April 15, software auditing startup Codecov alerted customers that its Bash Uploader utility had been infected with a backdoor as early as January 31 by unknown parties to gain access to authentication tokens for various internal software accounts used by developers. The incident didn't come to light until April 1. "The actor gained access bec

A group of Pro-Palestine hackers ' KDMS Team ' today has been able to hijack the Metasploit website simply by sending a fax and hijacked their DNS records. Rapid7 is a leading Security Company and Creator of world's best penetration testing software called ' Metasploit '. The company confirmed via Twitter that Metasploit.com was hacked via a spoofed DNS change request sent via fax to its registrar, Register.com . The group came to prominence earlier this week when it managed to hijack the websites of popular messaging service WhatsApp and anti-virus company AVG among others. On the website, the hacker posted " Hello Metasploit.  After Whatsapp , Avira, Alexa , AVG and other sites. We were thinking about quitting hacking and disappear again! But we said: there is some sites must be hacked. You are one of our targets. Therefore we are here. And there is another thing do you know Palestine? " Rapid7 official statement regarding the in