FLASH Alert – Remote Unauthenticated Code Execution Vulnerability in OpenSSH server

by Daniel Collyer

July 2, 2024

CVE-2024-6387

CVSS 8.1 HIGH (Provisional)

A significant vulnerability has been identified in OpenSSH’s server (sshd) in glibc-based Linux systems. The vulnerability, a signal handler race condition in OpenSSH’s server (sshd), poses a significant security risk by allowing unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. This issue impacts sshd in its default configuration.

According to data from Censys and Shodan, there are over 14 million OpenSSH server instances which are exposed to the wider internet and therefore potentially vulnerable.

This vulnerability is a regression of the previously patched CVE-2006-5051, reported in 2006. In this context, a regression means that a flaw once fixed has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue. As such, the vulnerability has been dubbed regreSSHion.

Researchers at Qualys have been able to develop a working, proof-of-concept exploit for the regreSSHion vulnerability.

Affected versions

OpenSSH versions earlier than 4.4p1 are vulnerable to this signal handler race condition unless they are patched for CVE-2006-5051 and CVE-2008-4109.
Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure.
The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.
x86 systems have been validated as vulnerable, x64 are likely to be vulnerable but this has yet to be validated.

OpenBSD systems are unaffected by this bug, as OpenBSD developed a secure mechanism in 2001 that prevents this vulnerability.

Impact

If exploited, this vulnerability could lead to a full system compromise, allowing an attacker to execute arbitrary code with the highest privileges. This would result in a complete system takeover, enabling the installation of malware, data manipulation, and the creation of backdoors for persistent access. It could also facilitate network propagation, allowing attackers to use the compromised system as a foothold to exploit other vulnerable systems within the organisation.

Gaining root access would enable attackers to bypass critical security mechanisms such as firewalls, intrusion detection systems, and logging mechanisms, further obscuring their activities. This could lead to significant data breaches, exposing all data stored on the system, including sensitive or proprietary information that could be stolen or publicly disclosed.

Despite its potential impact, this vulnerability is challenging to exploit due to its remote race condition nature, requiring multiple attempts for a successful attack. Exploiting it can cause memory corruption and necessitates overcoming Address Space Layout Randomization (ASLR). However, advancements in deep learning may significantly increase the exploitation rate, potentially giving attackers a substantial advantage in leveraging such security flaws.

Mitigation

The following steps should be considered to mitigate potential risks:

Patch Management: Urgently apply available patches for OpenSSH and prioritise ongoing update processes.
Enhanced Access Control: Limit SSH access through network-based controls to minimise the attack surface.
Network Segmentation and Intrusion Detection: Divide networks to restrict unauthorised access and lateral movements within critical environments and deploy systems to monitor and alert on unusual activities indicative of exploitation attempts.

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 01 July 2024

by Amir Hadzipasic

July 1, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2024-30078

Windows Wi-Fi Driver Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-30078

2. CVE-2024-22476

Improper input validation in some Intel(R) Neural Compressor software before version 2.5.0 may allow an unauthenticated user to potentially enable escalation of privilege via remote access.

https://nvd.nist.gov/vuln/detail/CVE-2024-22476

3. CVE-2024-5806

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

https://nvd.nist.gov/vuln/detail/CVE-2024-5806

4. CVE-2024-28995

SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.

https://nvd.nist.gov/vuln/detail/CVE-2024-28995

5. CVE-2024-0762

Potential buffer overflow
in unsafe UEFI variable handling

in Phoenix SecureCore™ for select Intel platforms

This issue affects:

Phoenix

SecureCore™ for Intel Kaby Lake: from 4.0.1.1 before 4.0.1.998;

Phoenix

SecureCore™ for Intel Coffee Lake: from 4.1.0.1 before 4.1.0.562;

Phoenix

SecureCore™ for Intel Ice Lake: from 4.2.0.1 before 4.2.0.323;

Phoenix

SecureCore™ for Intel Comet Lake: from 4.2.1.1 before 4.2.1.287;

Phoenix

SecureCore™ for Intel Tiger Lake: from 4.3.0.1 before 4.3.0.236;

Phoenix

SecureCore™ for Intel Jasper Lake: from 4.3.1.1 before 4.3.1.184;

Phoenix

SecureCore™ for Intel Alder Lake: from 4.4.0.1 before 4.4.0.269;

Phoenix

SecureCore™ for Intel Raptor Lake: from 4.5.0.1 before 4.5.0.218;

Phoenix

SecureCore™ for Intel Meteor Lake: from 4.5.1.1 before 4.5.1.15.

https://nvd.nist.gov/vuln/detail/CVE-2024-0762

6. CVE-2024-4577

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use “Best-Fit” behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

https://nvd.nist.gov/vuln/detail/CVE-2024-4577

7. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

8. CVE-2024-3094

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

9. CVE-2023-25717

Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

https://nvd.nist.gov/vuln/detail/CVE-2023-25717

10. CVE-2020-0022

In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-143894715

https://nvd.nist.gov/vuln/detail/CVE-2020-0022

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 24 June 2024

by Amir Hadzipasic

June 24, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2024-30078

Windows Wi-Fi Driver Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-30078

2. CVE-2018-17144

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

3. CVE-2024-3912

Certain models of ASUS routers have an arbitrary firmware upload vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands on the device.

https://nvd.nist.gov/vuln/detail/CVE-2024-3912

4. CVE-2023-38606

This issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.6.8, iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

https://nvd.nist.gov/vuln/detail/CVE-2023-38606

5. CVE-2024-32002

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule’s worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config –global core.symlinks false`), the described attack won’t work. As always, it is best to avoid cloning repositories from untrusted sources.

https://nvd.nist.gov/vuln/detail/CVE-2024-32002

6. CVE-2017-9769

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process.

https://nvd.nist.gov/vuln/detail/CVE-2017-9769

7. CVE-2024-32021

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository’s `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `–no-local`), the optimizations for local cloning
will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

https://nvd.nist.gov/vuln/detail/CVE-2024-32021

8. CVE-2024-6045

Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained from analyzing the firmware.

https://nvd.nist.gov/vuln/detail/CVE-2024-6045

9. CVE-2024-30270

mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability is a combination of path traversal and arbitrary code execution, specifically targeting the `rspamd_maps()` function. It allows authenticated admin users to overwrite any file writable by the www-data user by exploiting improper path validation. The exploit chain can lead to the execution of arbitrary commands on the server. Version 2024-04 contains a patch for the issue.

https://nvd.nist.gov/vuln/detail/CVE-2024-30270

10. CVE-2024-31204

mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user’s browser, without adequate escaping of HTML entities. This flaw allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input. The exploitation method involves using any function that might throw an exception with user-controllable argument. This issue can lead to session hijacking and unauthorized administrative actions, posing a significant security risk. Version 2024-04 contains a fix for the issue.

https://nvd.nist.gov/vuln/detail/CVE-2024-31204

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 17 June 2024

by Amir Hadzipasic

June 17, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2024-3079

Certain models of ASUS routers have buffer overflow vulnerabilities, allowing remote attackers with administrative privileges to execute arbitrary commands on the device.

https://nvd.nist.gov/vuln/detail/CVE-2024-3079

2. CVE-2024-3080

Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device.

https://nvd.nist.gov/vuln/detail/CVE-2024-3080

3. CVE-2024-3912

Certain models of ASUS routers have an arbitrary firmware upload vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands on the device.

https://nvd.nist.gov/vuln/detail/CVE-2024-3912

4. CVE-2018-17144

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

5. CVE-2024-26169

Windows Error Reporting Service Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-26169

6. CVE-2024-21893

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

https://nvd.nist.gov/vuln/detail/CVE-2024-21893

7. CVE-2023-4911

A buffer overflow was discovered in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

https://nvd.nist.gov/vuln/detail/CVE-2023-4911

8. CVE-2023-7101

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

https://nvd.nist.gov/vuln/detail/CVE-2023-7101

9. CVE-2024-30103

Microsoft Outlook Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-30103

10. CVE-2024-29745

there is a possible Information Disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

https://nvd.nist.gov/vuln/detail/CVE-2024-29745

Ransomware

Ransomware – State of Play May 2024

by Daniel Collyer

June 13, 2024

SOS Intelligence is currently tracking 193 distinct ransomware groups, with data collection covering 384 relays and mirrors.

In the reporting period, SOS Intelligence has identified 474 instances of publicised ransomware attacks. These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor. While this data represents known and publicised data breaches and ransomware attacks, the nature and operation of these groups means that not every successful attack is published and made public, so true figures on the volume of attacks are likely to be higher. Our analysis of available public data is presented below:

Threat Group Activity and Trends

Ransomware activity showed a 30% increase in May when compared to the previous month, and a 4% increase in activity when compared to the previous year. Furthermore, the number of active groups has increased to 37 from 36 the previous month.

This significant increase in activity has been driven by a surprise surge of activity from the Lockbit group. In May, the group published 176 victims to its Data Leak Site (DLS), representing 37% of all publicised attacks for the month. Further, this is a 633% increase in activity from the previous month and comes at a time when Lockbit was expected to be showing a continued decrease in activity. Rather what we have seen is Lockbit’s busiest month on record.

The sudden surge from Lockbit has been a surprise to many. The first tranche of published data emerged shortly after further law enforcement announcements regarding the group and its takedown. Notable among the data released is an unusually high volume of affected victims in Spain and India being released quickly. This may indicate the activity of an affiliate or affiliates with a particular proclivity for targeting those countries. It should be noted that some of the victims had previously had their data released in the previous year, suggesting that Lockbit might be recycling data for additional ransoms and also to appear active. Furthermore, it isn’t clear when these victims were targeted, so the actual point of breach may have been before law enforcement activity against Lockbit in February 2024.

Analysis of Geographic Targeting

Over the last month, the percentage volume of attacks against the US dropped by 7%. Targeting continues to follow financial lines, with the majority of remaining attacks targeted at G7 and BRICS bloc countries.

Compared to April, 41% more countries were targeted in May. Our data is also showing interesting geographic targeting data. We have observed emerging or developing strains targeting developing countries in Southeast Asia, Africa and South America, whereas more established variants focus more on North America, Western Europe and Australia.

Industry Targeting

Targeting has broadly increased across all victim sectors, however significant increases have been seen in the Manufacturing, Construction & Engineering and IT & Technology industries.

Notably, there appears to have been increased targeting against public-sector entities. This is likely a result of many groups abandoning their affiliate rules on targeting of such victims.

Significant Events

LockBit Black distributed via Botnet in the wild

Since April, the Phorpiex botnet has sent millions of phishing emails to distribute LockBit Black ransomware. These emails, often sent using aliases with simple names, include ZIP attachments containing executables that install the ransomware. Leveraging LockBit 3.0’s leaked builder, the campaign targets various industries worldwide. Active for over a decade, the Phorpiex botnet has evolved from a worm to an IRC-controlled trojan, and has been implicated in sextortion and cryptocurrency theft.

Social engineering attacks delivering Blackbasta

Researchers have observed the threat actor Storm-1811 using Microsoft Teams and Quick Assist for social engineering attacks that result in the deployment of Blackbasta ransomware. Storm-1811 employs voice phishing (vishing) and malicious links to gain access through Quick Assist. They use tools such as Qakbot, remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. Additionally, Storm-1811 utilises EvilProxy phishing sites and SystemBC for persistence and command-and-control. After compromising a system, they use PsExec to deploy Black Basta ransomware.

INC Ransomware source code for sale

Threat actor “salfetka” is alleging to have for sale the source code to INC Ransom, valued at $300,000. The legitimacy of the sale is uncertain. This comes at a time where there have been changes within the groups operation, which suggests possible plans for a new encryptor.

Threat actors targeting Windows admins with fake ads

A ransomware campaign is targeting Windows system administrators by promoting fake download sites for Putty and WinSCP through search engine ads. These fraudulent sites offer Trojanized installers that deploy the Sliver toolkit, facilitating further network access and potential ransomware deployment. The campaign employs tactics similar to those used by BlackCat/ALPHV ransomware, highlighting an increasing threat from search engine advertisements for popular software.

New Groups

SpiderX

SpiderX, a new ransomware-as-a-service promoted by threat actors on underground forums, is designed for Windows systems and boasts advanced features surpassing its predecessor, Diablo. Key capabilities include ChaCha20-256 encryption for rapid file encryption, offline functionality for stealth operations, comprehensive targeting of all connected drives, and a built-in information stealer that exfiltrates data to MegaNz. Priced at $150, SpiderX poses a significant cybersecurity threat due to its affordability and efficiency.

Fakepenny

Researchers have identified a new North Korean hacking group, Moonstone Sleet, active since August 2023. This threat actor employs custom ransomware called ‘FakePenny,’ first detected in April 2024, which includes a loader and an encryptor with ransom notes resembling those used by Seashell Blizzard’s NotPetya. Moonstone Sleet’s ransom demands are notably high, with one reaching $6.6 million in Bitcoin, surpassing previous North Korean ransomware demands such as WannaCry 2.0 and H0lyGh0st.

Arcusmedia

First identified in May, the Arcusmedia group has been responsible for at least 17 incidents to date, primarily targeting South America across a wide range of sectors, including government, banking, finance, construction, architecture, music, entertainment, IT, manufacturing, professional services, healthcare, and education.

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 10 June 2024

by Amir Hadzipasic

June 10, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2020-13699

TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: –play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.

https://nvd.nist.gov/vuln/detail/CVE-2020-13699

2. CVE-2024-24919

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.

https://nvd.nist.gov/vuln/detail/CVE-2024-24919

3. CVE-2024-4577

https://nvd.nist.gov/vuln/detail/CVE-2024-4577

4. CVE-2022-21661

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2022-21661

5. CVE-2023-48122

An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.

https://nvd.nist.gov/vuln/detail/CVE-2023-48122

https://nvd.nist.gov/vuln/detail/

10.

https://nvd.nist.gov/vuln/detail/

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 03 June 2024

by Amir Hadzipasic

June 3, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2024-4671

Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-4671

2. CVE-2024-1086

A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.

We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

https://nvd.nist.gov/vuln/detail/CVE-2024-1086

3. CVE-2024-4947

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-4947

4. CVE-2024-23222

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, tvOS 17.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.

https://nvd.nist.gov/vuln/detail/CVE-2024-23222

5. CVE-2023-46805

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

https://nvd.nist.gov/vuln/detail/CVE-2023-46805

6. CVE-2024-4761

Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-4761

7. CVE-2023-41265

An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

https://nvd.nist.gov/vuln/detail/CVE-2023-41265

8. CVE-2020-13699

https://nvd.nist.gov/vuln/detail/CVE-2020-13699

9. CVE-2023-41266

A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

https://nvd.nist.gov/vuln/detail/CVE-2023-41266

10. CVE-2024-20674

Windows Kerberos Security Feature Bypass Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-20674

Flash Alert

FLASH Alert – Information Disclosure vulnerability in Check Point’s Quantum Gateway

by Daniel Collyer

May 30, 2024

CVE-2024-24919

CVSS 7.5 HIGH (Provisional)

On 27 May 2024, Check Point disclosed a vulnerability impacting the following products:

CloudGuard Network
Quantum Maestro
Quantum Scalable Chassis
Quantum Security Gateways
Quantum Spark Appliances

CVE-2024-24919 is an information disclosure vulnerability which would allow an unauthenticated threat actor to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades.

The following versions are known to be affected:

R77.20 (EOL)
R77.30 (EOL)
R80.10 (EOL)
R80.20 (EOL)
R80.20.x
R80.20SP (EOL)
R80.30 (EOL)
R80.30SP (EOL)
R80.40 (EOL)
R81, R81.10
R81.10.x
R81.20

The vulnerability is exploitable on affected systems if ONE of the following conditions is met:

The IPsec VPN Blade is enabled, but ONLY when included in the Remote Access VPN community.
The Mobile Access Software Blade is enabled.

Check Point has issued detailed instructions for applying hotfixes to affected services to mitigate this vulnerability. Additionally, The following has also been recommended:

Change the password of the Security Gateway’s account in Active Directory
Prevent Local Accounts from connecting to VPN with Password Authentication

The announcement of this vulnerability comes after Check Point identified a small number of login attempts on older local VPN accounts that used an unrecommended password-only authentication method. This indicates that the vulnerability is being exploited in the wild, and so the recommended hotfixes should be applied as soon as practicable.

Investigation

China – A Step Ahead In Digital Espionage

by Daniel Collyer

May 29, 2024

In the digital age, data has emerged as one of the most valuable resources, driving economies, shaping public opinion, and determining the success of nations. Amid this reality, cybercrime has become a potent tool for state actors, with China often cited as a significant player in the realm of cyber espionage and cybercrime. This article delves into how China has allegedly used cybercrime to obtain data, the motivations behind these actions, their methods, and the implications on global geopolitics.

UPDATE – join us on the 13th June for the accompanying webinar.

The Who – Those Working In The Shadows

On the digital battlefield, whether state-sponsored or self-motivated hacker, anonymity is key. This makes the task of attributing the activity of threat actors to real-world identities that much harder. More often than not, we see the evidence of digital crime, and can use available intelligence to make best estimates of a culprit, but a threat actor who wants to remain anonymous can do so with a reasonable application of effort. However, despite these efforts, identification of threat actors and attribution of criminal activity can be possible.

China’s cyber activities are primarily conducted by state-sponsored groups. These groups, often referred to as Advanced Persistent Threats (APTs), include:

APT 1

APT1, also known as the Comment Crew or Shanghai Group, is a highly active cyber espionage unit linked to the Chinese military, specifically PLA Unit 61398. Identified by cybersecurity firm Mandiant in a 2013 report, APT1 is known for targeting a wide array of industries, including information technology, aerospace, telecommunications, and scientific research.

Their primary method of infiltration involves spear-phishing emails, followed by deploying custom and publicly available malware to maintain access and exfiltrate sensitive data. The group’s activities have largely focused on U.S.-based organisations, aiming to steal intellectual property and trade secrets to benefit Chinese companies and government entities.

APT 10

APT10, also known as Stone Panda or MenuPass Group, is a cyber espionage group attributed to the Chinese government. The group has been active since at least 2009 and is known for targeting managed IT service providers (MSPs) and their clients across various industries, including healthcare, aerospace, and manufacturing. APT10’s operations typically involve sophisticated tactics such as spear-phishing, the use of custom malware, and leveraging legitimate credentials to infiltrate networks and exfiltrate data. Their focus on MSPs allows them to gain access to multiple organisations through a single breach, maximising the impact of their espionage efforts.

APT10’s activities have had significant global repercussions, prompting extensive investigations and responses from cybersecurity firms and government agencies. In December 2018, the U.S. Department of Justice indicted two Chinese nationals associated with APT10, accusing them of stealing sensitive data from dozens of companies and government agencies.

APT 31

APT31, also known as Zirconium, Judgment Panda, or Bronze Vinewood, is a Chinese state-sponsored cyber espionage group. The group is known for its advanced and persistent cyber operations targeting a wide range of sectors, including government, finance, technology, and aerospace. APT31 employs sophisticated tactics such as spear-phishing, supply chain attacks, and the deployment of custom malware to infiltrate and maintain access to targeted networks. Their primary goal is to steal sensitive information and intellectual property to support Chinese national interests and provide strategic advantages.

The activities of APT31 have significant global implications, prompting extensive countermeasures from affected organisations and governments. Notably, in 2020, APT31 was linked to cyberattacks targeting the U.S. presidential election campaign, highlighting the group’s capability and intent to influence political processes.

APT 41

APT41, also known as Winnti, Barium, or Wicked Panda, is a Chinese state-sponsored cyber threat group known for its dual role in cyber espionage and financially motivated cybercrime. Active since at least 2012, APT41 targets a wide range of sectors, including healthcare, telecommunications, finance, and video game industries. The group employs diverse tactics, techniques, and procedures (TTPs), such as spear-phishing, supply chain compromises, and the use of custom malware to infiltrate networks. APT41 is particularly notable for its ability to pivot from traditional espionage activities to financially driven attacks, including ransomware and cryptocurrency mining.

The activities of APT41 have led to significant economic and security repercussions globally. In September 2020, the U.S. Department of Justice charged five Chinese nationals associated with APT41 with hacking into over 100 companies and entities worldwide.

These groups are composed of highly skilled hackers and often operate under the direction of the Chinese government, particularly the Ministry of State Security (MSS) and the People’s Liberation Army (PLA).

The What & The Why – China’s Motivations For Stealing Data

“Know yourself and know your enemy, and you shall never be defeated.”

Chinese Advanced Persistent Threats (APTs) target a wide range of data across various sectors. The specific data targeted and stolen can vary depending on the APT group and their specific objectives, but generally includes the following types:

Intellectual Property (IP) and Trade Secrets:
- Technological innovations: This includes sensitive information from sectors where technological innovation is key, such as aerospace (e.g., designs for new aircraft or satellite technology), biotechnology (e.g., genetic research), semiconductors (e.g., chip designs), and automotive (e.g., electric vehicle technology). The aim is often to reduce the time and cost associated with research and development by acquiring innovations from other nations.
- Manufacturing processes: This encompasses proprietary methods, production techniques, and formulas used in manufacturing. For example, a pharmaceutical company’s proprietary process for producing a drug or an electronics company’s methods for fabricating microchips.

Corporate Data:

Strategic plans: Corporate strategies can include market expansion plans, new product launches, or competitive tactics. Accessing this information gives competitors an unfair advantage.
Client and partner information: Information about key clients, partners, and their contracts or negotiations can be exploited to undercut or sabotage business deals.
Employee data: Personal information about employees, such as social security numbers, addresses, and employment history, can be used for targeted attacks or to compromise individuals who hold critical positions within an organisation.

Government and Military Information:

Defence and military secrets: This includes detailed information about defence systems, weapons designs, military operational plans, and intelligence reports. Such data is critical for national security and military advantage.
Diplomatic communications: Sensitive communications between diplomats, government officials, and international bodies. This can provide insights into negotiation tactics, foreign policy strategies, and international relations.

Healthcare Data:

Patient records: Patient data includes medical histories, diagnoses, treatments, and personal identification information. This data is valuable not only for identity theft but also for crafting highly targeted social engineering attacks.
Medical research: Data from clinical trials and research into new treatments and drugs is invaluable for both economic and public health reasons. Stealing this data can provide a competitive edge in the pharmaceutical industry.

Financial Data:

Banking information: Includes account numbers, transaction histories, credit card information, and other financial records. This data can be used for financial fraud or to gain insights into the financial health of organisations.
Payment systems: Information related to the security and operation of payment processing systems, such as those used in banking and retail. Compromising these systems can lead to large-scale financial theft or disruption.

Energy and Infrastructure Data:

Operational data: Details about the daily operations of critical infrastructure such as power grids, water supply systems, and telecommunications networks. This information can be used to disrupt services or to understand and replicate operational efficiencies.
Designs and security details: Blueprints and security protocols for infrastructure facilities, which can be used to plan attacks or unauthorised access.

Academic and Research Data:

Scientific research: Data from academic research projects, particularly those in cutting-edge fields like artificial intelligence, quantum computing, and nanotechnology. This can accelerate a nation’s technological progress by acquiring the latest scientific breakthroughs.
Educational resources: Curricula, exam results, and other educational materials can be used to understand and influence the educational standards and outputs of other countries.

The Where – Understanding Which Nations Are Targeted

Chinese Advanced Persistent Threat (APT) groups, which are often associated with state-sponsored cyber activities, have targeted a wide range of countries over the years. Some of their primary targets include:

United States:
- Chinese APT groups have consistently targeted U.S. government agencies, including defence, diplomatic, and intelligence entities, to gather political and military intelligence.
- Additionally, they have sought to steal intellectual property from U.S. corporations, particularly in the technology, aerospace, healthcare, and energy sectors.
- Some notable incidents include the hacking of the Office of Personnel Management (OPM) in 2015, which compromised the sensitive personal data of millions of federal employees, and the targeting of defence contractors involved in sensitive military projects.

European Countries:

European nations have been targeted for intellectual property theft, economic espionage, and political influence operations.
Chinese APT groups have focused on stealing cutting-edge technology, research, and development data from industries such as aerospace, automotive, telecommunications, and pharmaceuticals.
European governments and diplomatic institutions have also been targeted for intelligence gathering and monitoring political developments.

Asian Countries:

China’s regional rivals, such as Japan and South Korea, have been targeted for political and military intelligence gathering, as well as stealing advanced technology.
Countries like India have experienced cyber intrusions aimed at accessing sensitive government information, military strategies, and technological advancements.
Southeast Asian nations have been targeted for economic espionage, particularly related to infrastructure projects, natural resources, and geopolitical influence.

Taiwan:

Due to the ongoing political tensions between China and Taiwan, Taiwanese government agencies, defence contractors, and organisations have been frequent targets of Chinese cyber espionage.
The aim is to gather intelligence on Taiwan’s defence capabilities, political developments, and cross-strait relations.

Australia:

Australian government institutions, defence contractors, and companies across various sectors have been targeted for intellectual property theft, economic espionage, and monitoring of political developments.
Notable incidents include cyber intrusions targeting universities and research institutions to steal sensitive research data and technology.

Canada:

Canadian government agencies, particularly those involved in defence, foreign affairs, and natural resources, have been targeted for intelligence gathering.
Chinese APT groups have also targeted Canadian companies in sectors such as aerospace, telecommunications, and mining for economic espionage purposes.

Africa and Latin America:

While less extensively reported, there have been instances of Chinese cyber espionage targeting countries in Africa and Latin America.
These activities often revolve around gaining access to natural resources, monitoring infrastructure projects, and influencing political developments in alignment with China’s strategic interests.

Overall, Chinese APT groups demonstrate a global reach in their cyber operations, driven by motivations such as geopolitical competition, economic advantage, and technological advancement. They employ sophisticated techniques to infiltrate networks, exfiltrate data, and maintain persistent access for intelligence gathering and other strategic objectives.

The When – A Timeline of Chinese Threat Actor Activity

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

For 2500 years, the teachings of Sun Tzu have been the backbone of Chinese military doctrine. As his text, The Art of War, has become more popularised, its teachings have been applied across other walks of life, particularly business and governance. Chinese offensive cyber policy has also followed these principles, and what we have previously discussed shows how China is utilising cyber crime activity to gather information and intelligence to satisfy a broad range of objectives.

Over the years, the finger of blame has been levelled at China for some of the biggest data breaches and incidents of corporate espionage. We look at some of these below:

The How – Common TTPs Utilised By Chinese Threat Actors

Chinese Advanced Persistent Threat (APT) groups employ various sophisticated techniques to steal data from targeted organisations. Their methods often involve multiple stages, including reconnaissance, initial compromise, establishing a foothold, escalating privileges, internal reconnaissance, data exfiltration, and covering their tracks. Here are some common techniques and tactics used by Chinese APTs:

Reconnaissance

Chinese APTs conduct thorough reconnaissance to tailor their attacks effectively:

Open Source Intelligence (OSINT): Gathering information from social media platforms, corporate websites, and public records to identify key personnel and network architecture.
Phishing Campaigns: Utilising spear-phishing emails targeting specific individuals within an organisation to collect credentials or deliver malware. For example, APT41 has been known to send emails mimicking trusted contacts or business partners.

Initial Compromise

Common methods for initial network penetration by Chinese APTs include:

Spear-Phishing Emails: Highly targeted emails containing malicious attachments or links. APT10 frequently used this method to deliver malware like PlugX or Poison Ivy.
Exploiting Zero-Day Vulnerabilities: Identifying and exploiting vulnerabilities before they are publicly known. APT3, for instance, has leveraged zero-days in widely used software such as Adobe Flash and Internet Explorer.
Supply Chain Attacks: Compromising software updates or hardware components. APT41 has been implicated in attacks on software supply chains, embedding malware in legitimate software updates.

Establishing a Foothold

Once access is gained, Chinese APTs work to maintain a persistent presence:

Malware Deployment: Installing Remote Access Trojans (RATs) like Sakula, used by APT10, or variants of the Cobalt Strike framework employed by APT41.
Setting Up Command and Control (C2) Channels: Creating secure channels to communicate with infected systems. APT41 often uses DNS tunnelling and HTTP/S protocols to evade detection.

Privilege Escalation

To gain higher privileges, Chinese APTs use various techniques:

Credential Dumping: Tools like Mimikatz are frequently used by groups such as APT41 to extract credentials from Windows systems.
Exploiting Privilege Escalation Vulnerabilities: Utilising known vulnerabilities in operating systems and applications. APT3 has exploited vulnerabilities in Windows to escalate privileges and move laterally within networks.

Internal Reconnaissance

Mapping the internal network to locate valuable data involves:

Network Scanning: Using tools like Nmap to identify live hosts and services. APT10 often employs custom network scanning tools.
Lateral Movement: Utilising credentials and tools like PsExec or WMI to move across the network. APT41 is known for its proficiency in lateral movement, using legitimate administrative tools to avoid detection.

Data Exfiltration

Stealing data while avoiding detection is critical:

Data Compression and Encryption: Compressing and encrypting data to expedite transfer and evade detection. APT10 has been known to use tools like WinRAR for compression and encryption.
Steganography: Embedding data within other files or images. APT groups may use steganography to hide data within innocuous files.
Covert Channels: Employing techniques like DNS tunnelling or HTTPS to transfer data. APT41, for example, has used custom protocols to exfiltrate data over HTTPS.

Covering Tracks

Chinese APTs employ various methods to avoid detection and analysis:

Log Deletion and Manipulation: Removing or altering logs to erase evidence of their activities. APT10 has been observed cleaning up after themselves by deleting logs and temporary files.
Use of Proxy Chains: Routing traffic through multiple compromised systems to obscure the origin of their actions. APT41 often uses a series of compromised machines to route their traffic, making it difficult to trace.
Anti Forensic Techniques: Using tools to thwart forensic investigations, such as wiping tools or encrypting malware payloads. APT3 has been known to employ these techniques to hinder analysis.

In Conclusion

China’s use of cybercrime to obtain data is a testament to the strategic importance of information in the modern world. As China continues to leverage cyber capabilities to advance its national interests, the global community faces the challenge of balancing technological advancement with security and ethical considerations.

The ongoing cyber skirmishes highlight the need for robust international norms and cooperation to address the complexities of cyber espionage and cybercrime, ensuring a secure and stable digital future for all.

By understanding the scope, motivations, and methods behind China’s cyber activities, the international community can better prepare and respond to the evolving landscape of cyber warfare. As data becomes increasingly integral to national security and economic prosperity, safeguarding it against state-sponsored cybercrime will be crucial in maintaining global stability and trust in the digital age.

The future of cybersecurity will depend on collective efforts to strengthen defences, establish clear policies, and foster international collaboration to mitigate the risks posed by cyber espionage and cybercrime.

UPDATE – join us on the 13th June for the accompanying webinar.

Further Reading

UK Electoral Commission Breach

https://www.bbc.co.uk/news/uk-politics-68652374

MOD Payroll Breach

https://www.bbc.co.uk/news/uk-68967805

How does China use it’s data

https://www.nzz.ch/english/how-does-china-use-the-personal-data-it-steals-ld.1828192

https://www.forbes.com/sites/heatherwishartsmith/2023/11/04/trafficking-data-chinas-digital-sovereignty-and-its-control-of-your-data/?sh=2b78939543a4

F22/F35 Program Breaches

https://www.sandboxx.us/news/the-man-who-stole-americas-stealth-fighters-for-china

Photo by Li Yang on Unsplash.

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 27 May 2024

by Amir Hadzipasic

May 27, 2024

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2024-4761

Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-4761

2. CVE-2024-20356

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with Administrator-level privileges to perform command injection attacks on an affected system and elevate their privileges to root. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to elevate their privileges to root.

https://nvd.nist.gov/vuln/detail/CVE-2024-20356

3. CVE-2024-4671

https://nvd.nist.gov/vuln/detail/CVE-2024-4671

4. CVE-2024-4947

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-4947

5. CVE-2023-2551

PHP Remote File Inclusion in GitHub repository unilogies/bumsys prior to 2.1.1.

https://nvd.nist.gov/vuln/detail/CVE-2023-2551

6. CVE-2023-43770

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

https://nvd.nist.gov/vuln/detail/CVE-2023-43770

7. CVE-2024-1630

Path traversal vulnerability in “getAllFolderContents” function of Common Service Desktop, a GE HealthCare ultrasound device component

https://nvd.nist.gov/vuln/detail/CVE-2024-1630

8. CVE-2022-23940

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution.

https://nvd.nist.gov/vuln/detail/CVE-2022-23940

9. CVE-2024-1628

OS command injection vulnerabilities in GE HealthCare ultrasound devices

https://nvd.nist.gov/vuln/detail/CVE-2024-1628

10. CVE-2024-1629

Path traversal vulnerability in “deleteFiles” function of Common Service Desktop, a GE HealthCare ultrasound device component

https://nvd.nist.gov/vuln/detail/CVE-2024-1629

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

FLASH Alert – Remote Unauthenticated Code Execution Vulnerability in OpenSSH server

The SOS Intelligence CVE Chatter Weekly Top Ten – 01 July 2024

The SOS Intelligence CVE Chatter Weekly Top Ten – 24 June 2024

The SOS Intelligence CVE Chatter Weekly Top Ten – 17 June 2024

Ransomware – State of Play May 2024

Threat Group Activity and Trends

Analysis of Geographic Targeting

Industry Targeting

Significant Events

New Groups

The SOS Intelligence CVE Chatter Weekly Top Ten – 10 June 2024

The SOS Intelligence CVE Chatter Weekly Top Ten – 03 June 2024

FLASH Alert – Information Disclosure vulnerability in Check Point’s Quantum Gateway

China – A Step Ahead In Digital Espionage

The Who – Those Working In The Shadows

The What & The Why – China’s Motivations For Stealing Data

The Where – Understanding Which Nations Are Targeted

The When – A Timeline of Chinese Threat Actor Activity

The How – Common TTPs Utilised By Chinese Threat Actors

In Conclusion

The SOS Intelligence CVE Chatter Weekly Top Ten – 27 May 2024

Recent Posts

Recent Comments