#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

CISA | Breaking Cybersecurity News | The Hacker News

NextGen Healthcare Mirth Connect Under Attack - CISA Issues Urgent Warning

NextGen Healthcare Mirth Connect Under Attack - CISA Issues Urgent Warning
May 21, 2024 Healthcare / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  added  a security flaw impacting NextGen Healthcare Mirth Connect to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The flaw, tracked as  CVE-2023-43208  (CVSS score: N/A), concerns a case of unauthenticated remote code execution arising from an incomplete patch for another critical flaw CVE-2023-37679 (CVSS score: 9.8). Details of the vulnerability were first revealed by Horizon3.ai in late October 2023, with additional technical specifics and a proof-of-concept (PoC) exploit released earlier this January. Mirth Connect is an open-source data integration platform widely used by healthcare companies, allowing for data exchange between different systems in a standardized manner. CVE-2023-43208 is "ultimately related to insecure usage of the Java XStream library for unmarshalling XML payloads," security researcher Naveen Sunkavally  said , describing t

CISA Warns of Actively Exploited D-Link Router Vulnerabilities - Patch Now

CISA Warns of Actively Exploited D-Link Router Vulnerabilities - Patch Now
May 17, 2024 Vulnerability / Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  two security flaws impacting D-Link routers to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2014-100005  - A cross-site request forgery (CSRF) vulnerability impacting D-Link DIR-600 routers that allows an attacker to change router configurations by hijacking an existing administrator session CVE-2021-40655  - An information disclosure vulnerability impacting D-Link DIR-605 routers that allows attackers to obtain a username and password by forging an HTTP POST request to the /getcfg.php page There are currently no details on how these shortcomings are exploited in the wild, but federal agencies have been urged to apply vendor-provided mitigations by June 6, 2024. It's worth noting that CVE-2014-100005 affects legacy D-Link products that have reached end-of-life (EoL) status, necessitating tha

CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability
May 02, 2024 Vulnerability / Data Breach
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  a critical flaw impacting GitLab to its Known Exploited Vulnerabilities ( KEV ) catalog, owing to active exploitation in the wild. Tracked as  CVE-2023-7028  (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address. GitLab, which disclosed details of the shortcoming earlier this January, said it was introduced as part of a code change in version 16.1.0 on May 1, 2023. "Within these versions, all authentication mechanisms are impacted," the company  noted  at the time. "Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login." Successful exploitation of the issue can have serious consequences as it not only enables an adversary to take control of a GitLab user account, b

Protecting Your Organization From Insider Threats - All You Need to Know

cyber security
websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.

It's Time to Master the Lift & Shift: Migrating from VMware vSphere to Microsoft Azure

It's Time to Master the Lift & Shift: Migrating from VMware vSphere to Microsoft Azure
May 15, 2024Enterprise Security / Cloud Computing
While cloud adoption has been top of mind for many IT professionals for nearly a decade, it's only in recent months, with industry changes and announcements from key players, that many recognize the time to make the move is now. It may feel like a daunting task, but tools exist to help you move your virtual machines (VMs) to a public cloud provider – like Microsoft Azure – with relative ease. Transitioning from VMware vSphere to Microsoft Azure requires careful planning and execution to ensure a smooth migration process. In this guide, we'll walk through the steps involved in moving your virtualized infrastructure to the cloud giant, Microsoft Azure. Whether you're migrating your entire data center or specific workloads, these steps will help you navigate the transition effectively. 1. Assess Your Environment: Before diving into the migration process, assess your current VMware vSphere environment thoroughly. Identify all virtual machines (VMs), dependencies, and resource

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt
Apr 16, 2024 Supply Chain / Software Security
Security researchers have uncovered a "credible" takeover attempt targeting the OpenJS Foundation in a manner that evokes similarities to the recently uncovered incident aimed at the open-source XZ Utils project. "The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails," OpenJS Foundation and Open Source Security Foundation (OpenSSF)  said  in a joint alert. According to Robin Bender Ginn, executive director of OpenJS Foundation, and Omkhar Arasaratnam, general manager at OpenSSF, the email messages urged OpenJS to take action to update one of its popular JavaScript projects to remediate critical vulnerabilities without providing any specifics. The email author(s) also called on OpenJS to designate them as a new maintainer of the project despite having little prior involvement. Two other popular JavaScript projects not hosted by OpenJS are also sai

U.S. Federal Agencies Ordered to Hunt for Signs of Microsoft Breach and Mitigate Risks

U.S. Federal Agencies Ordered to Hunt for Signs of Microsoft Breach and Mitigate Risks
Apr 12, 2024 Cyber Attack / Data Breach
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an emergency directive (ED 24-02) urging federal agencies to hunt for signs of compromise and enact preventive measures following the recent compromise of Microsoft's systems that led to the theft of email correspondence with the company. The attack, which  came to light  earlier this year, has been attributed to a Russian nation-state group tracked as Midnight Blizzard (aka APT29 or Cozy Bear). Last month, Microsoft revealed that the adversary managed to access some of its source code repositories but noted that there is no evidence of a breach of customer-facing systems. The emergency directive, which was originally issued privately to federal agencies on April 2, was  first reported  on by CyberScoop two days later. "The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Micros

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products
Mar 26, 2024 Cyber Attack / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  placed  three security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerabilities added are as follows - CVE-2023-48788  (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability CVE-2021-44529  (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability CVE-2019-7256  (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability The shortcoming impacting Fortinet FortiClient EMS  came to light  earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available. CVE-20

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability
Feb 16, 2024 Ransomware / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports that it's being likely exploited in Akira ransomware attacks. The vulnerability in question is  CVE-2020-3259  (CVSS score: 7.5), a high-severity information disclosure issue that could allow an attacker to retrieve memory contents on an affected device. It was  patched  by Cisco as part of updates released in May 2020. Late last month, cybersecurity firm Truesec said it found evidence suggesting that it has been weaponized by Akira ransomware actors to compromise multiple susceptible Cisco Anyconnect SSL VPN appliances over the past year. "There is no publicly available exploit code for [...] CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to b

U.S. State Government Network Breached via Former Employee's Account

U.S. State Government Network Breached via Former Employee's Account
Feb 16, 2024 Cybersecurity / Data Breach
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization's network environment was compromised via an administrator account belonging to a former employee. "This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point," the agency  said  in a joint advisory published Thursday alongside the Multi-State Information Sharing and Analysis Center (MS-ISAC). "The threat actor connected to the [virtual machine] through the victim's VPN with the intent to blend in with legitimate traffic to evade detection." It's suspected that the threat actor obtained the credentials following a separate data breach owing to the fact that the credentials appeared in publicly available channels containing leaked account information. The admin account, which had access to a virtualized SharePoint server, also enabled the attackers to access another set

Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now

Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now
Feb 13, 2024 Vulnerability / Email Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  added  a medium-severity security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The issue, tracked as  CVE-2023-43770  (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages. "Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages," CISA said. According to a description of the bug on NIST's National Vulnerability Database (NVD), the vulnerability impacts Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The flaw was  addressed  by Roundcube maintainers with  version 1.6.3 , which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with dis

U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks

U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks
Feb 03, 2024 Intelligence Agency / Cyber Security
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries. The  officials  include Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian, who are part of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Reza Lashgarian is also the head of the IRGC-CEC and a commander in the IRGC-Qods Force. He is alleged to have been involved in various IRGC cyber and intelligence operations. The Treasury Department  said  it's holding these individuals responsible for carrying out "cyber operations in which they hacked and posted images on the screens of programmable logic controllers manufactured by Unitronics, an Israeli company." In late November 2023, the U.S. Cybersecurity and Infras

U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers

U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers
Feb 01, 2024 Cyber Threat / Network Security
The U.S. government on Wednesday said it took steps to neutralize a botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon and blunt the impact posed by the hacking campaign. The existence of the botnet, dubbed  KV-botnet , was  first disclosed  by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The law enforcement effort was  reported  by Reuters earlier this week. "The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates," the Department of Justice (DoJ)  said  in a press statement. Volt Typhoon  (aka DEV-0391, Bronze Silhouette, Insidious Taurus, or Vanguard Panda) is the moniker assigned to a China-based adversarial collect

CISA Warns of Active Exploitation Apple iOS and macOS Vulnerability

CISA Warns of Active Exploitation Apple iOS and macOS Vulnerability
Feb 01, 2024 Vulnerability / Software Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday  added  a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as  CVE-2022-48618  (CVSS score: 7.8), concerns a bug in the kernel component. "An attacker with arbitrary read and write capability may be able to bypass  Pointer Authentication ," Apple said in an advisory, adding the issue "may have been exploited against versions of iOS released before iOS 15.7.1." The iPhone maker said the problem was addressed with improved checks. It's currently not known how the vulnerability is being weaponized in real-world attacks. Interestingly, patches for the flaw were released on December 13, 2022, with the release of  iOS 16.2, iPadOS 16.2 ,  macOS Ventura 13.1 ,  tvOS 16.2 , and  watchOS 9.2 , although it was only publicly disclosed more than a yea

U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability

U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability
Jan 19, 2024 Cyber Theat / Zero-Day
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities ( KEV ) catalog, stating it's being actively exploited in the wild. The vulnerability in question is  CVE-2023-35082  (CVSS score: 9.8), an authentication bypass that's a patch bypass for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0), which was actively exploited in attacks targeted Norwegian government entities as a zero-day in April 2023. "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti  noted  in August 2023. All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below are impacted by the vulnerability. Cyb

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials
Jan 17, 2024 Botnet / Cloud Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)  warned  that threat actors deploying the  AndroxGh0st  malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware,  AndroxGh0st  was first documented by Lacework in December 2022, with the malware inspiring several  similar tools  like AlienFox, GreenBot (aka Maintance), Legion, and Predator. The cloud attack tool is capable of infiltrating servers vulnerable to known security flaws to access Laravel environment files and steal credentials for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio. Some of the notable flaws weaponized by the attackers include  CVE-2017-9841  (PHPUnit),  CVE-2021-41773  (Apache HTTP Server), and  CVE-2018-15133  (Laravel Framework). "AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitat

CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe, D-Link, Joomla Under Attack

CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe, D-Link, Joomla Under Attack
Jan 10, 2024 Patch Management / Threat Intelligence
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  six security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. This includes  CVE-2023-27524  (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1. Details of the issue  first came to light  in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data." It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws - CVE-2023-38203  (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability CVE-2023-29300  (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrus

CISA Urges Manufacturers Eliminate Default Passwords to Thwart Cyber Threats

CISA Urges Manufacturers Eliminate Default Passwords to Thwart Cyber Threats
Dec 18, 2023 Software Security / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is  urging  manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations. In an alert published last week, the agency called out Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) for exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S. Default passwords  refer to factory default software configurations for embedded systems, devices, and appliances that are typically publicly documented and identical among all systems within a vendor's product line. As a result, threat actors could scan for internet-exposed endpoints using tools like Shodan and attempt to breach them through default passwords, often gaining root or administrative privileges to  perform po

Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks
Dec 06, 2023 Vulnerability / Mobile Security
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. The  vulnerabilities  are as follows - CVE-2023-33063  (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP. CVE-2023-33106  (CVSS score: 8.4) - Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND. CVE-2023-33107  (CVSS score: 8.4) - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call. Google's Threat Analysis Group and Google Project Zero  revealed  back in October 2023 that the three flaws, along with  CVE-2022-22071  (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks. A security researcher named luckyrb, the Google Android Security team, and TAG researcher BenoĆ®t Sevens and Jann Horn of Google Proje

CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation

CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation
Nov 09, 2023 Cyber Attack / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday  added  a high-severity flaw in the Service Location Protocol (SLP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as  CVE-2023-29552  (CVSS score: 7.5), the issue relates to a denial-of-service (DoS) vulnerability that could be weaponized to launch massive DoS amplification attacks. It was  disclosed  by Bitsight and Curesec earlier this April. "The Service Location Protocol (SLP) contains a denial-of-service (DoS) vulnerability that could allow an unauthenticated, remote attacker to register services and use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor," CISA  said . SLP is a protocol that allows systems on a local area network (LAN) to discover each other and establish communications. The exact details surrounding the nature of exploitation of the flaw are currently unknown, bu

Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild
Oct 17, 2023 Vulnerability / Network Security
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that's under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is tracked as  CVE-2023-20198  and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It's worth pointing out that the shortcoming only affects enterprise networking gear that have the web UI feature enabled and when it's exposed to the internet or to untrusted networks. "This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege  level 15 access ," Cisco  said  in a Monday advisory. "The attacker can then use that account to gain control of the affected system." The problem impacts both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS server feature enabled. As a mitigation, it's recommended to disable the HTTP server feature on internet-facing systems. The network
Expert Insights
Cybersecurity Resources