The SOS Intelligence CVE Chatter Weekly Top Ten – 22 January 2024

by Amir Hadzipasic

January 22, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2023-32560

An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution.

Thanks to a Researcher at Tenable for finding and reporting.

Fixed in version 6.4.1.

https://nvd.nist.gov/vuln/detail/CVE-2023-32560

2. CVE-2023-34056

vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.

https://nvd.nist.gov/vuln/detail/CVE-2023-34056

3. CVE-2023-34048

vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.

https://nvd.nist.gov/vuln/detail/CVE-2023-34048

4. CVE-2023-29689

PyroCMS 3.9 contains a remote code execution (RCE) vulnerability that can be exploited through a server-side template injection (SSTI) flaw. This vulnerability allows a malicious attacker to send customized commands to the server and execute arbitrary code on the affected system.

https://nvd.nist.gov/vuln/detail/CVE-2023-29689

5. CVE-2019-14899

A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.

https://nvd.nist.gov/vuln/detail/CVE-2019-14899

6. CVE-2023-1389

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

https://nvd.nist.gov/vuln/detail/CVE-2023-1389

7. CVE-2023-37569

This vulnerability exists in ESDS Emagic Data Center Management Suit due to lack of input sanitization in its Ping component. A remote authenticated attacker could exploit this by injecting OS commands on the targeted system.

Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on targeted system.

https://nvd.nist.gov/vuln/detail/CVE-2023-37569

https://nvd.nist.gov/vuln/detail/

10.

https://nvd.nist.gov/vuln/detail/

Flash Alert

Flash Alert – Vulnerabilities reported in Ivanti ICS, Ivanti Policy Secure and Citrix NetScaler

by Daniel Collyer

January 18, 2024

In the past week, the following vulnerabilities have been disclosed, affecting:

Ivanti ICS
Ivanti Policy Secure
Citrix NetScaler ADC
Citrix NetScaler Gateway

Ivanti ICS & Ivanti Policy Secure

CVE-2023-46805

CVSS: 8.2 HIGH

CVE-2024-21887

CVSS: 9.1 CRITICAL

Ivanti has disclosed the existence of two significant vulnerabilities affecting their Connect Secure and Policy Secure gateways, specifically versions 9.x and 22.x.

CVE-2023-46805 is an authentication bypass vulnerability, which allows a threat actor to remotely access restricted resources by bypassing control checks. CVE-2024-21887 is a command injection vulnerability, granting an authenticated user the ability to send specially crafted requests and execute arbitrary commands on the vulnerable device.

When utilised together, a threat actor can compromise a vulnerable device and execute code with admin rights, leaving the victim company open to a significant risk of network intrusion and further criminal activity.

Palo Alto’s Unit 42 has observed over 30,000 vulnerable devices spread across 141 countries. It is actively responding to incidents involving these vulnerabilities, highlighting their use by threat actors in the wild.

Ivanti is currently working on patches to fix these vulnerabilities. In the meantime, it is recommended that the mitigations they have suggested are implemented to avoid unnecessary risk. These can be found here.

Citrix NetScaler ADC & Citrix NetScaler Gateway

CVE-2023-6548

CVSS: 5.5 MEDIUM

CVE-2023-6549

CVSS: 8.2 HIGH

Citrix has identified and disclosed further vulnerabilities in its NetScaler ADC and NetScaler Gateway products. The following supported versions are affected:

NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
NetScaler ADC 13.1-FIPS before 13.1-37.176
NetScaler ADC 12.1-FIPS before 12.1-55.302*
NetScaler ADC 12.1-NDcPP before 12.1-55.302*

*NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable

CVE-2023-6548 allows a threat actor authenticated, low-privileged access to remotely execute code on the management interface of a compromised device. This requires them to have access to the NSIP, CLIP or SNIP which itself has management interface access.

CVE-2023-6549 applies to appliances configured as one of the following:

VPN virtual servers
ICA proxies
CVPNs
RDP proxies
AAA virtual servers

Exploitation of this vulnerability involves a threat actor restricting operations within the memory buffer, thereby causing an unauthenticated Denial of Service attack.

A patch will follow in due course, but in the meantime, Citrix recommends the following:

Ensure network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic
Ensure the management interface is not exposed to the internet
Ensure all previous patches are installed and software is up-to-date

Citrix has noted that these vulnerabilities have been observed in the wild and targeted by threat actors.

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 15 January 2024

by Amir Hadzipasic

January 15, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2023-51467

Pre-auth RCE in Apache Ofbiz 18.12.09.

It’s due to XML-RPC no longer maintained still present.
This issue affects Apache OFBiz: before 18.12.10.
Users are recommended to upgrade to version 18.12.10

https://nvd.nist.gov/vuln/detail/CVE-2023-51467

2. CVE-2023-49070

Pre-auth RCE in Apache Ofbiz 18.12.09.

It’s due to XML-RPC no longer maintained still present.
This issue affects Apache OFBiz: before 18.12.10.
Users are recommended to upgrade to version 18.12.10

https://nvd.nist.gov/vuln/detail/CVE-2023-49070

3. CVE-2016-10509

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2016-10509

4. CVE-2018-13067

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2018-13067

5. CVE-2018-11494

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2018-11494

6. CVE-2023-4966

Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA  virtual server.

https://nvd.nist.gov/vuln/detail/CVE-2023-4966

7. CVE-2020-20491

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2020-20491

8. CVE-2023-47444

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2023-47444

9. CVE-2023-5360

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.

https://nvd.nist.gov/vuln/detail/CVE-2023-5360

10. CVE-2023-46747

https://nvd.nist.gov/vuln/detail/CVE-2023-46747

Investigation, Ransomware

Ransomware – State of Play December 2023

by Daniel Collyer

January 11, 2024

SOS Intelligence is currently tracking 170 distinct ransomware groups, with data collection covering 319 relays and mirrors.

In the reporting period, SOS Intelligence has identified 373 instances of publicised ransomware attacks. These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor. Our analysis is presented below:

We first look at strain activity. As ever, the ransomware landscape is dominated by strains using affiliate models (Ransomware-as-a-Service (RaaS)). Lockbit remains the most active strain, and while there has been a decrease in overall activity, it maintains a 22% market share. 8base, AlphV and Play remain significantly active, but this month we have also seen significant activity by Hunters (RaaS), Cactus (RaaS), and Dragonforce.

Dragonforce are a newly emerged group, with little known about them at the time of print. Given the level of successful disruption by law enforcement during 2023, it is suspected that this group may be a rebranding of a previous threat group.

The Werewolves group has been observed increasing their level of attacks. The group appears relatively new, however, they have taken responsibility for a 2022 attack on the Electric Company of Ghana which resulted in significant power outages. The veracity of this claim is not known. Their level of activity is called into question by several of their victims also appearing on the LockBit breach site. Six identical posts were seen across both sites. Additionally, the ransomware used is a public domain version of Lockbit3, while their attacks make use of tools leaked from the Conti group. This would seem to indicate that the group was previously an affiliate of LockBit.

What makes this group standout is the targeting of Russian victims. Ransomware groups and operators are quite often pro-russian, with several groups supporting the Russian government publicly in its war against Ukraine. The targeting may explain a potential split from LockBit, and hint at a possible location for the group.

Finally, we have observed increased activity from the SiegedSec group. They appear focused more on data exfiltration, and are politically, rather than financially, motivated. Their focus has been on hacktivism, with a significant focus on targeting Israel and the USA.

As seen in previous months, the USA remains the primary target of ransomware groups and threat actors. We have observed a steady release of data from Canada, France, Germany, Italy, and the UK. As members of the G7, these countries have strong economies and therefore possess lucrative targets for financially-minded threat actors.

However, this surge in activity may be politically motivated. In recent weeks these countries have all shown support for Israel in its conflict with Hamas, which may give certain threat actors additional motivation to target those countries. As highlighted previously, there have also been significant increases in the targeting of Israel and Russia.

Manufacturing, Construction and Engineering, and IT and Technology have remained the key targeted industries for December. These industries would be more reliant on technology in order to continue their business activities, and so it logically follows that they would be more likely to pay a ransom in order to regain access to compromised computer systems. The Financial and Education sectors have also seen increased activity over the period.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

Photo by FLY:D on Unsplash

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 08 January 2024

by Amir Hadzipasic

January 8, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2023-4966

Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA  virtual server.

https://nvd.nist.gov/vuln/detail/CVE-2023-4966

2. CVE-2020-20491

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2020-20491

3. CVE-2021-29200

Pre-auth RCE in Apache Ofbiz 18.12.09.

It’s due to XML-RPC no longer maintained still present.
This issue affects Apache OFBiz: before 18.12.10.
Users are recommended to upgrade to version 18.12.10

https://nvd.nist.gov/vuln/detail/CVE-2021-29200

4. CVE-2018-11494

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2018-11494

5. CVE-2016-10509

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2016-10509

6. CVE-2018-13067

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2018-13067

7. CVE-2023-47444

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

https://nvd.nist.gov/vuln/detail/CVE-2023-47444

8. CVE-2023-49070

Pre-auth RCE in Apache Ofbiz 18.12.09.

It’s due to XML-RPC no longer maintained still present.
This issue affects Apache OFBiz: before 18.12.10.
Users are recommended to upgrade to version 18.12.10

https://nvd.nist.gov/vuln/detail/CVE-2023-49070

9. CVE-2023-51467

The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code

https://nvd.nist.gov/vuln/detail/CVE-2023-51467

10. CVE-2023-50968

Pre-auth RCE in Apache Ofbiz 18.12.09.

It’s due to XML-RPC no longer maintained still present.
This issue affects Apache OFBiz: before 18.12.10.
Users are recommended to upgrade to version 18.12.10

https://nvd.nist.gov/vuln/detail/CVE-2023-50968

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 01 January 2024

by Amir Hadzipasic

January 1, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

https://nvd.nist.gov/vuln/detail/

10.

https://nvd.nist.gov/vuln/detail/

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 25 December 2023

by Amir Hadzipasic

December 25, 2023

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2023-32844

In 5G Modem, there is a possible system crash due to improper error handling. This could lead to remote denial of service when receiving malformed RRC messages, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01130204; Issue ID: MOLY01130204 (MSV-849).

https://nvd.nist.gov/vuln/detail/CVE-2023-32844

2. CVE-2023-29324

https://nvd.nist.gov/vuln/detail/CVE-2023-29324

3. CVE-2023-4966

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

https://nvd.nist.gov/vuln/detail/CVE-2023-4966

4. CVE-2023-50164

Microsoft Outlook Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-50164

5. CVE-2023-23397

Microsoft Outlook Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-23397

6. CVE-2012-2459

Unspecified vulnerability in bitcoind and Bitcoin-Qt before 0.4.6, 0.5.x before 0.5.5, 0.6.0.x before 0.6.0.7, and 0.6.x before 0.6.2 allows remote attackers to cause a denial of service (block-processing outage and incorrect block count) via unknown behavior on a Bitcoin network.

https://nvd.nist.gov/vuln/detail/CVE-2012-2459

7. CVE-2023-40044

https://nvd.nist.gov/vuln/detail/CVE-2023-40044

8. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

9. CVE-2023-32315

https://nvd.nist.gov/vuln/detail/CVE-2023-32315

10. CVE-2021-42063

A security vulnerability has been discovered in the SAP Knowledge Warehouse – versions 7.30, 7.31, 7.40, 7.50. The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to disclose sensitive data.

https://nvd.nist.gov/vuln/detail/CVE-2021-42063

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 18 December 2023

by Amir Hadzipasic

December 18, 2023

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2023-23397

Microsoft Outlook Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-23397

2. CVE-2023-48122

An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.

https://nvd.nist.gov/vuln/detail/CVE-2023-48122

3. CVE-2023-32243

Microsoft Outlook Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-32243

4. CVE-2023-42326

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

https://nvd.nist.gov/vuln/detail/CVE-2023-42326

5. CVE-2023-42327

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

https://nvd.nist.gov/vuln/detail/CVE-2023-42327

6. CVE-2023-32315

https://nvd.nist.gov/vuln/detail/CVE-2023-32315

7. CVE-2023-42325

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

https://nvd.nist.gov/vuln/detail/CVE-2023-42325

8. CVE-2023-6553

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

https://nvd.nist.gov/vuln/detail/CVE-2023-6553

9. CVE-2023-50164

Microsoft Outlook Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-50164

10. CVE-2009-0658

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2009-0658

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 11 December 2023

by Amir Hadzipasic

December 11, 2023

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2018-17144

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

2. CVE-2023-40813

OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation.

https://nvd.nist.gov/vuln/detail/CVE-2023-40813

3. CVE-2023-28370

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

https://nvd.nist.gov/vuln/detail/CVE-2023-28370

4. CVE-2023-48122

An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.

https://nvd.nist.gov/vuln/detail/CVE-2023-48122

5. CVE-2023-24023

Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.

https://nvd.nist.gov/vuln/detail/CVE-2023-24023

6. CVE-2023-32315

https://nvd.nist.gov/vuln/detail/CVE-2023-32315

7. CVE-2023-34124

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in SonicWall GMS, SonicWall Analytics enables an authenticated attacker to execute arbitrary code with root privileges. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.

https://nvd.nist.gov/vuln/detail/CVE-2023-34124

8. CVE-2022-30190

Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E.

https://nvd.nist.gov/vuln/detail/CVE-2022-30190

9. CVE-2018-15473

https://nvd.nist.gov/vuln/detail/CVE-2018-15473

10. CVE-2023-45866

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.

https://nvd.nist.gov/vuln/detail/CVE-2023-45866

Investigation, Ransomware

Ransomware – State of Play November 2023

by Daniel Collyer

December 6, 2023

SOS Intelligence is currently tracking 166 distinct ransomware groups. Data collection covers 309 relays and mirrors, 110 of which are currently online.

In the reporting period, SOS Intelligence has identified 437 instances of publicised ransomware attacks. These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor. Our analysis is presented below:

As in previous months, the ransomware landscape is dominated by strains using affiliate models. Lockbit remains the most active strain, and has seen a 73% increase in breach posts when compared to the previous month. High on the list is 8base, who release a large amount of data on 30th November. In contrast to the other high-profile groups observed, it is believed that the 8base group do not have their own proprietary ransomware, but instead rely on using other ransomware-as-a-service (RaaS) variants, such as Phobos.

As seen in previous months, the USA remains the primary target of ransomware groups and threat actors. We have observed an increased release of data from France, Germany and Italy, while the UK and Canada have remained high on the list of targeted countries.

As members of the G7, these countries have strong economies and therefore possess lucrative targets for financially-minded threat actors. However, this surge in activity may be politically motivated. In recent weeks these countries have all shown support for Israel in its conflict with Hamas, which may give certain threat actors additional motivation to target those countries.

Logistics, manufacturing, and construction have remained the key targeted industries for November. These industries would be more reliant on technology in order to continue their business activities, and so it logically follows that they would be more likely to pay a ransom in order to regain access to compromised computer systems. We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

New for this month we have also considered the victim ownership; whether they’re privately or publicly owned. Within breach sites, the publicised victims are overwhelmingly privately owned. Publicly-owned victims tend to be either smaller, local government entities or educational districts within the US school system. Higher level public entities, while offering a lucrative target for hostile state actors, but may be more than a financially-motivated threat actor wishes to take on, owing to the likely increased law enforcement effort to obtain a judicial outcome.

Photo by FLY:D on Unsplash

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

The SOS Intelligence CVE Chatter Weekly Top Ten – 22 January 2024

Flash Alert – Vulnerabilities reported in Ivanti ICS, Ivanti Policy Secure and Citrix NetScaler

The SOS Intelligence CVE Chatter Weekly Top Ten – 15 January 2024

Ransomware – State of Play December 2023

The SOS Intelligence CVE Chatter Weekly Top Ten – 08 January 2024

The SOS Intelligence CVE Chatter Weekly Top Ten – 01 January 2024

The SOS Intelligence CVE Chatter Weekly Top Ten – 25 December 2023

The SOS Intelligence CVE Chatter Weekly Top Ten – 18 December 2023

The SOS Intelligence CVE Chatter Weekly Top Ten – 11 December 2023

Ransomware – State of Play November 2023

Recent Posts

Recent Comments