#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

CISA | Breaking Cybersecurity News | The Hacker News

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

Mar 26, 2024 Cyber Attack / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  placed  three security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerabilities added are as follows - CVE-2023-48788  (CVSS score: 9.3) - Fortinet FortiClient EMS SQL Injection Vulnerability CVE-2021-44529  (CVSS score: 9.8) - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability CVE-2019-7256  (CVSS score: 10.0) - Nice Linear eMerge E3-Series OS Command Injection Vulnerability The shortcoming impacting Fortinet FortiClient EMS  came to light  earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available. CVE-20
CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

Feb 16, 2024 Ransomware / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports that it's being likely exploited in Akira ransomware attacks. The vulnerability in question is  CVE-2020-3259  (CVSS score: 7.5), a high-severity information disclosure issue that could allow an attacker to retrieve memory contents on an affected device. It was  patched  by Cisco as part of updates released in May 2020. Late last month, cybersecurity firm Truesec said it found evidence suggesting that it has been weaponized by Akira ransomware actors to compromise multiple susceptible Cisco Anyconnect SSL VPN appliances over the past year. "There is no publicly available exploit code for [...] CVE-2020-3259, meaning that a threat actor, such as Akira, exploiting that vulnerability would need to b
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
U.S. State Government Network Breached via Former Employee's Account

U.S. State Government Network Breached via Former Employee's Account

Feb 16, 2024 Cybersecurity / Data Breach
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization's network environment was compromised via an administrator account belonging to a former employee. "This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point," the agency  said  in a joint advisory published Thursday alongside the Multi-State Information Sharing and Analysis Center (MS-ISAC). "The threat actor connected to the [virtual machine] through the victim's VPN with the intent to blend in with legitimate traffic to evade detection." It's suspected that the threat actor obtained the credentials following a separate data breach owing to the fact that the credentials appeared in publicly available channels containing leaked account information. The admin account, which had access to a virtualized SharePoint server, also enabled the attackers to access another set
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now

Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now

Feb 13, 2024 Vulnerability / Email Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  added  a medium-severity security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The issue, tracked as  CVE-2023-43770  (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages. "Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages," CISA said. According to a description of the bug on NIST's National Vulnerability Database (NVD), the vulnerability impacts Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The flaw was  addressed  by Roundcube maintainers with  version 1.6.3 , which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with dis
U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks

U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks

Feb 03, 2024 Intelligence Agency / Cyber Security
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries. The  officials  include Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian, who are part of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). Reza Lashgarian is also the head of the IRGC-CEC and a commander in the IRGC-Qods Force. He is alleged to have been involved in various IRGC cyber and intelligence operations. The Treasury Department  said  it's holding these individuals responsible for carrying out "cyber operations in which they hacked and posted images on the screens of programmable logic controllers manufactured by Unitronics, an Israeli company." In late November 2023, the U.S. Cybersecurity and Infras
U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers

U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers

Feb 01, 2024 Cyber Threat / Network Security
The U.S. government on Wednesday said it took steps to neutralize a botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon and blunt the impact posed by the hacking campaign. The existence of the botnet, dubbed  KV-botnet , was  first disclosed  by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The law enforcement effort was  reported  by Reuters earlier this week. "The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates," the Department of Justice (DoJ)  said  in a press statement. Volt Typhoon  (aka DEV-0391, Bronze Silhouette, Insidious Taurus, or Vanguard Panda) is the moniker assigned to a China-based adversarial collect
CISA Warns of Active Exploitation Apple iOS and macOS Vulnerability

CISA Warns of Active Exploitation Apple iOS and macOS Vulnerability

Feb 01, 2024 Vulnerability / Software Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday  added  a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as  CVE-2022-48618  (CVSS score: 7.8), concerns a bug in the kernel component. "An attacker with arbitrary read and write capability may be able to bypass  Pointer Authentication ," Apple said in an advisory, adding the issue "may have been exploited against versions of iOS released before iOS 15.7.1." The iPhone maker said the problem was addressed with improved checks. It's currently not known how the vulnerability is being weaponized in real-world attacks. Interestingly, patches for the flaw were released on December 13, 2022, with the release of  iOS 16.2, iPadOS 16.2 ,  macOS Ventura 13.1 ,  tvOS 16.2 , and  watchOS 9.2 , although it was only publicly disclosed more than a yea
U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability

U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability

Jan 19, 2024 Cyber Theat / Zero-Day
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities ( KEV ) catalog, stating it's being actively exploited in the wild. The vulnerability in question is  CVE-2023-35082  (CVSS score: 9.8), an authentication bypass that's a patch bypass for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0), which was actively exploited in attacks targeted Norwegian government entities as a zero-day in April 2023. "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti  noted  in August 2023. All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below are impacted by the vulnerability. Cyb
Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials

Jan 17, 2024 Botnet / Cloud Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)  warned  that threat actors deploying the  AndroxGh0st  malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware,  AndroxGh0st  was first documented by Lacework in December 2022, with the malware inspiring several  similar tools  like AlienFox, GreenBot (aka Maintance), Legion, and Predator. The cloud attack tool is capable of infiltrating servers vulnerable to known security flaws to access Laravel environment files and steal credentials for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio. Some of the notable flaws weaponized by the attackers include  CVE-2017-9841  (PHPUnit),  CVE-2021-41773  (Apache HTTP Server), and  CVE-2018-15133  (Laravel Framework). "AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitat
CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe, D-Link, Joomla Under Attack

CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe, D-Link, Joomla Under Attack

Jan 10, 2024 Patch Management / Threat Intelligence
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  added  six security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. This includes  CVE-2023-27524  (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1. Details of the issue  first came to light  in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data." It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws - CVE-2023-38203  (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability CVE-2023-29300  (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrus
CISA Urges Manufacturers Eliminate Default Passwords to Thwart Cyber Threats

CISA Urges Manufacturers Eliminate Default Passwords to Thwart Cyber Threats

Dec 18, 2023 Software Security / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is  urging  manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations. In an alert published last week, the agency called out Iranian threat actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) for exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S. Default passwords  refer to factory default software configurations for embedded systems, devices, and appliances that are typically publicly documented and identical among all systems within a vendor's product line. As a result, threat actors could scan for internet-exposed endpoints using tools like Shodan and attempt to breach them through default passwords, often gaining root or administrative privileges to  perform po
Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

Dec 06, 2023 Vulnerability / Mobile Security
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. The  vulnerabilities  are as follows - CVE-2023-33063  (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP. CVE-2023-33106  (CVSS score: 8.4) - Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND. CVE-2023-33107  (CVSS score: 8.4) - Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call. Google's Threat Analysis Group and Google Project Zero  revealed  back in October 2023 that the three flaws, along with  CVE-2022-22071  (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks. A security researcher named luckyrb, the Google Android Security team, and TAG researcher Benoît Sevens and Jann Horn of Google Proje
CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation

CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation

Nov 09, 2023 Cyber Attack / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday  added  a high-severity flaw in the Service Location Protocol (SLP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as  CVE-2023-29552  (CVSS score: 7.5), the issue relates to a denial-of-service (DoS) vulnerability that could be weaponized to launch massive DoS amplification attacks. It was  disclosed  by Bitsight and Curesec earlier this April. "The Service Location Protocol (SLP) contains a denial-of-service (DoS) vulnerability that could allow an unauthenticated, remote attacker to register services and use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor," CISA  said . SLP is a protocol that allows systems on a local area network (LAN) to discover each other and establish communications. The exact details surrounding the nature of exploitation of the flaw are currently unknown, bu
Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

Oct 17, 2023 Vulnerability / Network Security
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that's under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is tracked as  CVE-2023-20198  and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It's worth pointing out that the shortcoming only affects enterprise networking gear that have the web UI feature enabled and when it's exposed to the internet or to untrusted networks. "This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege  level 15 access ," Cisco  said  in a Monday advisory. "The attacker can then use that account to gain control of the affected system." The problem impacts both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS server feature enabled. As a mitigation, it's recommended to disable the HTTP server feature on internet-facing systems. The network
FBI, CISA Warn of Rising AvosLocker Ransomware Attacks Against Critical Infrastructure

FBI, CISA Warn of Rising AvosLocker Ransomware Attacks Against Critical Infrastructure

Oct 13, 2023 Data Security / Malware
The AvosLocker ransomware gang has been linked to attacks against critical infrastructure sectors in the U.S., with some of them detected as recently as May 2023. That's according to a new joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) detailing the ransomware-as-a-service (RaaS) operation's tactics, techniques, and procedures (TTPs). "AvosLocker affiliates compromise organizations' networks by using legitimate software and open-source remote system administration tools," the agencies  said . "AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data." The ransomware strain  first emerged  on the scene in mid-2021, and has since leveraged sophisticated techniques to disable antivirus protection as a detection evasion measure. It affects Windows, Linux, and VMware ESXi environment
CISA Warns of Actively Exploited Adobe Acrobat Reader Vulnerability

CISA Warns of Actively Exploited Adobe Acrobat Reader Vulnerability

Oct 11, 2023 Vulnerability / Exploit
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday  added  a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. Tracked as  CVE-2023-21608  (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the privileges of the current user. A patch for the flaw was released by Adobe in January 2023. HackSys security researchers Ashfaq Ansari and Krishnakant Patil were  credited  with discovering and reporting the flaw. The  following versions  of the software are impacted - Acrobat DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310) Acrobat Reader DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310) Acrobat 2020 - 20.005.30418 and earlier versions (fixed in 20.005.30436) Acrobat Reader 2020 - 20.005.30418 and earl
CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities

CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities

Oct 05, 2023 Vulnerability / Cyber Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday  added  two security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence. The vulnerabilities newly added are below - CVE-2023-42793  (CVSS score: 9.8) - JetBrains TeamCity Authentication Bypass Vulnerability CVE-2023-28229  (CVSS score: 7.0) - Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability CVE-2023-42793 relates to a  critical authentication bypass vulnerability  that allows for remote code execution on TeamCity Server. Data gathered by GreyNoise has revealed exploitation attempts targeting the flaw from  74 unique IP addresses  to date. On the other hand, CVE-2023-28229 is a  high-severity flaw  in the Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service that allows an attacker to gain specific limited SYSTEM privileges. There are curren
China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies

China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies

Sep 28, 2023 Cyber Espionage / Threat Intel
Cybersecurity agencies from Japan and the U.S. have warned of attacks mounted by a state-backed hacking group from China to stealthily tamper with branch routers and use them as jumping-off points to access the networks of various companies in the two countries. The attacks have been tied to a malicious cyber actor dubbed  BlackTech  by the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC). "BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets," the agencies  said  in a joint alert. Targeted sectors encompass government, industrial, technology, media, electronics
Cybersecurity Resources