company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Microchip

Play Ransomware

loading..
loading..
loading..

Play Ransomware Cripples U.S. Semiconductor Supplier Microchip in Cyberattack

Play ransomware breaches Microchip Tech, exposing sensitive employee data. Read how this notorious group escalates its global cyber reign.

05-Sep-2024
6 min read

Related Articles

loading..

Apache Ofbiz

Apache OFBiz fixed a critical flaw (CVE-2024-45195) allowing arbitrary code exec...

Apache has addressed a severe security vulnerability in its open-source OFBiz (Open For Business) software. This flaw, tracked as CVE-2024-45195, could allow unauthorized attackers to execute arbitrary code on affected Linux and Windows servers. OFBiz, a versatile suite for customer relationship management (CRM) and enterprise resource planning (ERP) applications, also serves as a Java-based web framework for web development. #### Vulnerability Overview Discovered by Rapid7 researchers, the vulnerability stems from a forced browsing weakness, which exposes restricted paths to unauthenticated direct request attacks. According to Ryan Emmons, a security researcher at Rapid7, this flaw allows attackers to bypass missing view authorization checks in the OFBiz web application, potentially leading to arbitrary code execution on the server. **Proof-of-Concept (PoC) Exploit:** Emmons provided a PoC exploit code in his report, illustrating how an attacker can exploit this vulnerability without valid credentials. #### Remediation The Apache security team has addressed CVE-2024-45195 in OFBiz version 18.12.16 by introducing necessary authorization checks. Users of OFBiz are strongly advised to upgrade to this version to mitigate potential security risks. #### Connection to Previous Vulnerabilities CVE-2024-45195 is identified as a bypass for three earlier OFBiz vulnerabilities: CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. Emmons' analysis indicates that these vulnerabilities share a common root cause—a controller-view map fragmentation issue—that allows attackers to execute code or SQL queries, resulting in remote code execution without authentication. **Historical Context:** - **CVE-2024-32113:** Patched in May 2024, this vulnerability was noted for being actively exploited in attacks shortly after its disclosure. - **CVE-2024-38856:** This pre-authentication RCE bug was also a focus of SonicWall researchers, revealing technical details in the same timeframe. - **CVE-2024-36104:** Details about this vulnerability were less publicly available but were part of the same vulnerability class. #### Federal and Organizational Response The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in early August about the exploitation of CVE-2024-32113, shortly after SonicWall's disclosure of CVE-2024-38856. CISA added these vulnerabilities to its catalog of actively exploited flaws, enforcing a binding operational directive (BOD 22-01) for federal agencies to patch their servers within three weeks. **Note:** While BOD 22-01 specifically applies to Federal Civilian Executive Branch (FCEB) agencies, CISA has urged all organizations to prioritize these patches to prevent potential network breaches. #### Ongoing Threats In December, additional exploitation of OFBiz vulnerabilities, including CVE-2023-49070, was reported. Attackers utilized public PoC exploits to target vulnerable Confluence servers, underscoring the importance of prompt patching and continuous monitoring. The patching of CVE-2024-45195 is a crucial update for OFBiz users, addressing a significant security flaw with potential for severe impact. Organizations must act swiftly to apply the latest update to safeguard their systems from exploitation and to ensure compliance with security directives.

loading..   07-Sep-2024
loading..   3 min read
loading..

SonicWall

Access Control

Critical SonicWall CVE-2024-40766 flaw exploited in attacks. Apply patches now t...

A critical access control flaw, **CVE-2024-40766**, impacting SonicWall's firewall devices, is now **actively exploited** in the wild, according to an updated advisory from SonicWall. This vulnerability affects **Gen 5, Gen 6, and Gen 7** devices, with a severity score of **9.3 (CVSS v3)**. SonicWall is urging administrators to immediately apply patches to prevent unauthorized access and potential network disruption. ### Key Details of CVE-2024-40766 Initially disclosed on **August 22, 2024**, the flaw was thought to be limited to **SonicOS management access**. However, a recent update reveals that **SSLVPN** functionalities are also vulnerable. SonicWall warns that threat actors may exploit this flaw to gain unauthorized access to critical network resources and crash firewalls, disabling essential security protections. Although SonicWall hasn't provided specifics about how the flaw is exploited, historical attacks on similar SonicWall vulnerabilities have shown that cybercriminals frequently target **SSLVPN endpoints** due to their exposure on the internet for remote VPN access. ### Compromised Products and Security Patch Releases SonicWall has provided a detailed breakdown of affected devices and the corresponding patches: | **SonicWall Generation** | **Affected Versions** | **Fixed Version** | |--------------------------|----------------------------------------------------|-------------------------------------------------| | **Gen 5** | SonicOS 5.9.2.14-12o and older | SonicOS 5.9.2.14-13o | | **Gen 6** | SonicOS 6.5.4.14-109n and older | 6.5.2.8-2n (SM9800, NSsp 12400, NSsp 12800) <br> 6.5.4.15-116n (Other Gen 6 Firewalls) | | **Gen 7** | SonicOS 7.0.1-5035 and older | Non-reproducible in 7.0.1-5035 and later builds | ### Mitigation and Recommendations SonicWall has issued the following **mitigation strategies** to minimize the risk of exploitation while patches are being applied: 1. **Restrict Firewall Management Access**: Limit management access to trusted internal sources and **disable WAN portal** access from the internet where possible. 2. **Restrict SSLVPN Access**: Restrict **SSLVPN access** to trusted sources and **disable** SSLVPN entirely if not required. 3. **Update Local SSLVPN User Passwords**: For **Gen 5 and Gen 6** devices, SSLVPN users with local accounts should update their passwords immediately. Admins should enable the **"User must change password"** feature for local accounts. 4. **Enable Multi-Factor Authentication (MFA)**: Implement **MFA** for all SSLVPN users, using **Time-based One-Time Passwords (TOTP)** or email-based **OTPs**. Detailed configuration guidance for enabling MFA is available from SonicWall. ### Exploitation in the Wild Although **SonicWall** has not disclosed specific details on how **CVE-2024-40766** is being actively exploited, historical evidence indicates that SonicWall's vulnerabilities are frequently targeted by threat actors. These actors take advantage of their internet exposure for **remote access**, as demonstrated by past incidents, such as the **March 2023** campaign where suspected **Chinese hackers (UNC4540)** targeted unpatched SonicWall devices to deploy custom malware, which persisted through firmware upgrades. Similar exploitation patterns could emerge, as **SSLVPN vulnerabilities** have been historically attractive targets for attackers seeking to compromise corporate networks, bypass firewall protections, and establish persistent footholds in enterprise systems. ### Action Items for Administrators **Immediate patching** is the most effective way to secure your network against this vulnerability. Admins are strongly encouraged to download the latest patch from **MySonicWall.com** and apply it to affected devices. Furthermore, admins should review SonicWall’s recommendations on reducing exposure, enhancing access controls, and enforcing multi-factor authentication for enhanced security. For further details on patches, configurations, and advisories, visit SonicWall's **official advisory** page. **CVE-2024-40766** poses a critical risk to organizations using **SonicWall firewall devices**. As attacks exploiting this vulnerability have already been observed, swift patching and the application of mitigations are essential to prevent unauthorized access, disruption of network defenses, and potential data breaches. Organizations must take immediate action by applying the latest patches, restricting SSLVPN access, and enabling MFA to safeguard against potential attacks. #### Resources: - [SonicWall Advisory Page](https://mysonicwall.com) - [SSLVPN Configuration Guide](https://link_to_sslvpn_configuration)

loading..   06-Sep-2024
loading..   4 min read
loading..

Backdoor

Smart Licensing Utility

Cisco resolves critical backdoor vulnerability in Smart Licensing Utility, patch...

**Cisco Closes Critical Backdoor in Smart Licensing Utility Amid Broader Security Patch Rollout** Cisco has patched a critical vulnerability in the Cisco Smart Licensing Utility (CSLU), eradicating a dangerous backdoor account that allowed unauthorized access to administrative systems. This vulnerability, tracked as CVE-2024-20439, enabled attackers to gain administrative privileges via an "undocumented static user credential," posing a severe threat to unpatched systems. The potential for exploitation was vast, with attackers able to infiltrate systems and take control over the application programming interface (API) of the Smart Licensing Utility, which is critical for managing licenses and associated products on-premise. The CLSU, a pivotal Windows-based application, is often deployed by organizations to maintain an offline licensing environment, distinct from Cisco's cloud-based Smart Software Manager. However, the very architecture that made it convenient for offline operations became a liability, as the unpatched systems were left vulnerable to remote exploits. The exploit, which did not require authentication, could have facilitated full administrative control over the impacted systems. A successful breach would allow attackers to manipulate licensing functions or, worse, pivot to other critical infrastructures. Alongside this alarming backdoor account, Cisco patched another high-severity vulnerability (CVE-2024-20440) within the CLSU. This flaw allowed threat actors to send crafted HTTP requests to gain access to log files containing sensitive information, including API credentials. The security implications of such an exploit are profound, as it could lead to further compromises, including lateral movement within affected networks. It's important to note that both vulnerabilities only affect specific versions of the Cisco Smart Licensing Utility, particularly those from releases 2.0.0 to 2.2.0. Systems running release 2.3.0 and beyond are secure, as Cisco has fully resolved the issues in these versions. Cisco's Product Security Incident Response Team (PSIRT) has not yet discovered any evidence that these vulnerabilities have been exploited in the wild. Nonetheless, the potential threat was significant, prompting an urgent call for users to patch their systems. These security flaws follow a concerning trend within Cisco's product portfolio. The company has a history of backdoor account discoveries across various platforms, including its Digital Network Architecture (DNA) Center, IOS XE, and Wide Area Application Services (WAAS) software. Each of these backdoor credentials has posed severe security risks, raising questions about the underlying security protocols within Cisco's product development lifecycle. Further exacerbating Cisco's security challenges, the company also had to respond to a maximum severity vulnerability (CVE-2024-20419) in its Cisco Smart Software Manager On-Prem (SSM On-Prem). This flaw allowed attackers to change any user password on unpatched license servers, providing a convenient gateway for credential abuse and system hijacking. Just weeks after its disclosure, exploit code was published online, urging Cisco to warn administrators about the necessity of immediate patches to avoid catastrophic breaches. In an unsettling series of events earlier this year, Cisco faced a zero-day vulnerability (CVE-2024-20399) affecting its NX-OS operating system, which had been actively exploited since April. Hackers utilized this flaw to install malware on vulnerable MDS and Nexus switches, amplifying concerns about the security resilience of Cisco's networking devices. In conjunction with these incidents, Cisco reported that state-backed hackers, notably UAT4356 and STORM-1849, had exploited two additional zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to infiltrate government networks globally. With this latest patch release, Cisco has taken significant strides to address its mounting security vulnerabilities. However, the frequency of these discoveries underscores the persistent need for enterprises to remain vigilant in applying updates, patching systems, and safeguarding against potential exploits. The interconnectedness of Cisco's products across the global network infrastructure means that every unpatched vulnerability poses a substantial risk, not just to individual organizations but to the broader cybersecurity landscape. For enterprises relying on Cisco's Smart Licensing Utility, prompt migration to a fixed release is imperative to ensure protection. Versions 2.0.0 through 2.2.0 should be upgraded immediately, as Cisco continues to emphasize the importance of keeping systems secure from known threats.

loading..   04-Sep-2024
loading..   4 min read