The recent compromise of Mandiant’s X account has raised concerns over security measures.
The breach resulted from a brute-force password attack, a method where attackers systematically attempt various password combinations until they gain unauthorized access.
What Was the Reason For Being Vulnerable?
Mandiant acknowledged that while 2FA could have provided a layer of defense, recent team transitions and a change in X’s 2FA policy left them vulnerable.
Drainer-as-a-Service (DaaS) Group Involvement
Attributing the attack to a DaaS group adds a layer of complexity.
CLINKSINK, identified as a JavaScript drainer, is the tactic involved. It is new because it can open a pathway to targeted wallets, check balances, and execute theft by tricking victims into signing fraudulent transactions.
Zero-Day Flaws in Ivanti Connect Secure
Cybersecurity firm Volexity has disclosed the discovery of a sophisticated cyber intrusion by suspected China-linked nation-state actors.
Volexity identified the malicious activity within the network of one of its clients in the second week of December 2023.
What Might Be the Motivation Behind Group Tracking?
The hacking group responsible, dubbed UTA0178 by Volexity, showcases the evolving capabilities of nation-state actors.
Attributing a specific group adds context to the attack, hinting at geopolitical motivations and highlighting the growing sophistication of state-sponsored cyber activities.
Exploited Zero-Day Flaws
The intruders leveraged zero-day vulnerabilities in Ivanti Connect Secure (ICS) and Policy Secure.
These flaws, CVE-2023-46805 and CVE-2024-21887, were tactically exploited to achieve unauthenticated command execution on the ICS devices, enabling the threat actors to compromise targeted systems.
Mitigation Measures and Patching Timeline
Ivanti acknowledged the vulnerabilities and is set to release phased patches starting the week of January 22, 2024.
Meanwhile, users are advised to implement workarounds to mitigate potential risks. The staggered release of patches reflects a strategic approach to addressing the vulnerabilities promptly.
Attack Tactics and Impact
Volexity’s incident analysis reveals that the attackers targeted Ivanti’s internal integrity checker (ICT) to manipulate the appliance’s state.
The exploitation involved stealing configuration data and modifying files, downloading remote files, and executing reverse tunnels from the compromised VPN appliance.
The sophistication of the attack is evident in the attacker’s modification of a legitimate CGI file and a JavaScript file on the ICS VPN appliance.
The manipulation allowed for command execution and the logging of keystrokes, enabling the exfiltration of user credentials.
Critical Flaw in Cisco Unity Connection
Cisco recently found crucial software updates to rectify a severe security vulnerability afflicting Unity Connection.
Tracked as CVE-2024-20272 with a CVSS score of 7.3, this vulnerability exposes an arbitrary file upload flaw within the web-based management interface.
The root cause lies in the absence of proper authentication in a specific API and inadequate validation of user-supplied data, potentially enabling malicious actors to execute arbitrary commands on the system.
Security Sustenance Is Not Easy!
The compromise of various high-profile accounts, including the U.S. Securities and Exchange Commission (SEC) associated with X, indicates a broader trend of attackers targeting legitimate accounts to spread misinformation and scams.
The lack of 2FA in the compromised SEC account reminds us of the importance of security practices across all platforms.
The CISA promptly recognized the situation, adding the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog so that fixes are employed by January 31, 2024.
Similarly, Cisco credited Maxim Suslov, a diligent security researcher, with discovering and reporting the vulnerability.
This collaboration between the security community and technology providers is vital in ensuring swift identification and resolution of critical security issues.
Anas Hasan
January 12, 2024
4 months ago
