
Cyble Chronicles – January 25: Latest Findings & Recommendations for the Cybersecurity Community

Cyble Global Sensors pick up persistent exploitation of Ivanti Connect Secure Vulnerabilities

Cyble Global Sensor Intelligence (CGSI) has detected continuing exploitation of recently disclosed vulnerabilities in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways. Ivanti issued a security advisory on January 10, 2024, covering two vulnerabilities in these products, CVE-2023-46805 and CVE-2024-21887. Chained together, the two flaws can be exploited without authentication, allowing a Threat Actor (TA) to craft malicious requests that lead to the execution of arbitrary commands on the appliance. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning about these vulnerabilities.

On the same day, Volexity reported in-the-wild exploitation of these two vulnerabilities to achieve unauthenticated remote code execution on Ivanti Connect Secure VPN devices. The TA used the exploits to exfiltrate configuration data, modify existing files, download remote files, and establish a reverse tunnel from the ICS VPN appliance.

Furthermore, a cybercriminal offered an exploit for sale on a forum for USD 30,000. This ongoing threat underscores the need for organizations to apply Ivanti's mitigations and patches and to keep monitoring for exploitation of these vulnerabilities.

Read Cyble’s detailed analysis of this vulnerability here.

Threat Actors Target US Asylum Seekers with MetaStealer Malware

Cyble Research and Intelligence Labs (CRIL) uncovered a malicious campaign targeting individuals seeking asylum in the US with MetaStealer malware. The campaign delivers a ZIP archive via a URL, or potentially through spam emails. Inside the ZIP is a deceptive shortcut (LNK) file disguised as a PDF document. When executed, the LNK launches a VPN application that is also bundled in the ZIP; that application uses DLL sideloading to load a hidden malicious DLL stored alongside it. The loaded DLL drops an MSI installer, which downloads a decoy PDF lure and the stealer known as "MetaStealer," which in turn connects to a Command-and-Control (C&C) server for data exfiltration.

The attackers utilize social engineering tactics by disguising the lure as a legitimate “I-589, Application for Asylum and for Withholding of Removal” PDF document, increasing the chances of users opening it. Once executed, MetaStealer collects sensitive information, manipulates Windows Defender settings to evade detection, and establishes communication with the C&C server over encrypted HTTP connections. The multi-layered attack strategy effectively conceals the malicious activities and enables the exfiltration of data.
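A defender-side triage check for the archive layout described above (a shortcut posing as a document, a hidden entry, and an application/DLL pair that could be a sideloading setup), written here as an added example that is not Cyble's code or tooling. The file names, attribute bits and placeholder contents are constructed assumptions; the document extensions it flags go slightly beyond the PDF case in the text.

```python
import io
import zipfile

DOS_HIDDEN = 0x02            # MS-DOS "hidden" attribute, kept in the low 16 bits of external_attr
DOC_EXTS = (".pdf", ".doc", ".docx")  # extensions a shortcut might impersonate (assumption)


def triage_archive(zip_bytes):
    """Return a list of findings for the lure pattern: a .lnk whose name ends in a
    document extension, entries carrying the DOS hidden bit, and an EXE/DLL pair."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()
        for info in entries:
            lower = info.filename.lower()
            stem, _, ext = lower.rpartition(".")
            if ext == "lnk" and stem.endswith(DOC_EXTS):
                findings.append(f"shortcut posing as a document: {info.filename}")
            if info.external_attr & DOS_HIDDEN:
                findings.append(f"hidden entry: {info.filename}")
        exes = sorted(i.filename for i in entries if i.filename.lower().endswith(".exe"))
        dlls = sorted(i.filename for i in entries if i.filename.lower().endswith(".dll"))
        if exes and dlls:
            findings.append(f"exe/dll pair (possible sideloading): {exes} + {dlls}")
    return findings


def build_sample_archive(benign=False):
    """Constructed sample, not a real malware sample: mimics the described layout
    (or a harmless one-file archive when benign=True)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if benign:
            zf.writestr("notes.txt", b"plain text")
        else:
            zf.writestr("I-589 Application.pdf.lnk", b"lnk-placeholder")
            zf.writestr("vpnclient.exe", b"exe-placeholder")
            hidden = zipfile.ZipInfo("helper.dll")   # hidden attribute set on purpose
            hidden.external_attr = DOS_HIDDEN
            zf.writestr(hidden, b"dll-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding)
```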

Read Cyble’s detailed analysis of this campaign here.

loanDepot Cyberattack Update: Over 16 Million Customers’ Data Exposed

LoanDepot, Inc., a prominent home lending solutions provider, disclosed a cyberattack in which an unauthorized third party accessed sensitive personal information of approximately 16.6 million individuals. In response, the company has taken swift action, notifying affected individuals and offering free credit monitoring and identity protection services. An ongoing investigation, conducted in collaboration with external forensics and security experts, aims to understand the extent of the breach and restore normal operations.

CEO Frank Martell expressed regret over the incident, emphasizing the increasingly frequent and sophisticated nature of cyberattacks. The company is dedicated to resolving the situation and supporting affected customers. Substantial progress has been made in restoring loan origination and servicing systems, including customer portals. The company’s ongoing efforts and collaboration with cybersecurity experts aim to bolster its defenses against future threats. Customers and stakeholders can stay informed through the dedicated microsite loandepot.cyberincidentupdate.com.

Read The Cyber Express’ coverage of this incident here.

Supply Chain Risk Webinar

The global supply chain is exposed to cyberattacks because of its many diverse and interdependent parts. Cybersecurity supply chain risk management guidance is essential for businesses to protect themselves, their partners, and their customers. They must assess cybersecurity risk at every level of their organization and weigh the vulnerabilities of every party involved in creating a product or service, particularly given the rising number of cyberattacks carried out against supply chains. Threat Actors have shifted their tactics to compromise firms through their supply chains, seeking out and exploiting the weakest links, which requires organizations to reevaluate their cybersecurity approach accordingly.

Join Kaustubh Medhe, VP Research and Threat Intelligence at Cyble, as he presents his findings and predictions at the CSA CloudBytes Webinar on January 31, 2024.

Reserve your spot now!
