X-Force Exchange - Collection Feed

Summary ***UPDATED, June 9, 2022*** Multiple, reliable sources are reporting on a vulnerability in the Microsoft Support Diagnostic Tool in Windows. The vulnerability, if exploited, could allow for remote code execution. Additional details have been published on another exploit of this vulnerability that has been named, "DogWalk." Threat Type Vulnerability Overview ***UPDATE #6, June 14, 2022*** Microsoft has released an update to its Windows June 2022 cumulative update. Specifically, the patches include a

Summary ***UPDATED*** IBM X-Force is tracking the disclosure of a remote code execution vulnerability in Confluence Server and Data Center.  This vulnerability, if exploited, could lead to the execution of arbitrary code on the victim device. Atlassian has released updates to its product line to address the issue. Details can be found below. Threat Type Vulnerability Overview ***UPDATE #3, June 6, 2022*** According to multiple reputable sources, Proof of Concept code for this vulnerability was released on

Summary An emergency directive (ED) from CISA directs U.S. government agencies update VMWare products in response to critical vulnerabilities that could affect those agencies. Threat Type Vulnerability Overview Be advised that X-Force Incident Command is tracking Cybersecurity Directive ED 22-03 and an advisory issued by CISA in response to multiple vulnerabilities in VMware products. The Cybersecurity & Infrastructure Security Agency has issued an emergency directive regarding critical vulnerabilities in t

Summary ***UPDATED, May 12, 2022*** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding the critical vulnerability. ***UPDATED, May 9, 2022*** New Proofs-of-Concept have been released by two leading offensive attack teams as reported by The Daily Swig. ***Original Summary*** A critical vulnerability in BIG-IP can allow for Remote Code Execution (RCE) that could allow an attacker to take control over an affected system. The Hacker News and F5 have both reported

Summary A critical flaw in Atlassian's Jira software that could be used to bypass authentication has been identified. Atlassian has issued an advisory detailing the versions vulnerable to the exploit. Threat Type Vulnerability Overview Be advised that X-Force Incident Command is tracking the disclosure of an authentication bypass vulnerability in Jira's web authentication framework, Seraph. Tracked as CVE-2022-0540 , the vulnerability scores a 9.9 CVSS score. A specially crafted HTTP request sent to vulnera

X-Force Executive Update Serial: 2022-IRIS-13309  | Date: 2022-04-22 | TLP: GREEN ICS Cyber Threat Landscape Expands with Discovery of Incontroller Summary Incontroller, a malware framework designed to enable a range of actions against industrial control systems (ICS) devices and networks, expands the ICS-specific cyber threat landscape. This framework was discovered before known use in operational networks, a unique development in the history of the relatively small number of ICS-specific malware families,

X-Force Executive Update Serial: 2022-IRIS-13268  | Date: 2022-04-15 | TLP: GREEN Industroyer2 Discovered in Foiled Cyber Attack Against Ukrainian Electric Grid Summary A foiled Russian cyber attack on Ukraine's electric grid involving a new piece of ICS-specific malware, Industroyer2, is the highest-profile cyber operation that has taken place since Russia invaded Ukraine on 24 February and raises the specter of further attacks against Ukrainian networks. X-Force assesses that Russia is likely to continue

Summary F5 has published an advisory pertaining to a vulnerability in its NGINX reference implementation. The vulnerability was disclosed on April 9, 2022. Threat Type Vulnerability Overview Vulnerability Information A post from F5 contains information about a vulnerability in its NGINX v1.18 reference implementation. While certain parameters must be met, these seem to be trivial in nature thus making exploitation seem to be relatively easy from reports out of the self- hacktivist group. F5 has provided the

Summary ***Updated 04/08/2022*** The Spring-Projects team has released a blog in an effort to clear up confusion about the alleged deserialization RCE vulnerability. There are, however, vulnerabilities that have been patched and a Yara rule has been published. Please see the latest recommendations. Threat Type Vulnerability Overview ***UPDATE #5, April 8, 2022*** A report from Chinese cybersecurity firm, Qihoo 360, has reported on the first confirmed case(s) of Spring4Shell being leveraged to gain access a

Summary According to multiple sources an OpenSSL vulnerability in some Palo Alto appliances could be exploited to trigger a denial of service (DOS) condition. This vulnerability has been patched in OpenSSL but not all Palo Alto appliances. Threat Type Vulnerability Overview X-Force is tracking the disclosure of an OpenSSL vulnerability in some Palo Alto appliances that if exploited could lead to a denial of service (DOS) condition. In early March of 2022, updates were released by OpenSSL to address CVE-20

Summary ***UPDATED March 30, 2022*** The Lapsus$ group is ramping up its already breakneck pace of infiltration, exfiltration, and extortion campaigns against several high profile companies including Microsoft, NVIDIA, Samsung, and others. Threat Type Threat Group Overview ***UPDATE #4, March 30, 2022*** Lapsus$ returns from its self-imposed hiatus to compromise Globant, a software services company. Images of data extracted as well as credentials for the DevOps structure were posted on the group's Telegram

Summary Multiple vulnerabilities, seven in total and three of which are remotely exploitable to execute arbitrary code, have been reported in PTC's Axeda agent, and Axeda Desktop Server. Threat Type Vulnerability Overview Researchers from CyberMDX (now a Forescout company) have disclosed seven vulnerabilities in PTC's Axeda agent and Axeda Desktop Server. The Axeda products are used to remotely access and manage connected devices. They are used in the healthcare sector and other verticals such as financial

Summary A post from Veeam details vulnerabilities in its backup and replication solution. The vulnerability could lead to remote code execution (RCE) in versions 9.5, 10, and 11. Threat Type Vulnerability Overview Vulnerabilities in Veeam's backup and replication software have the potential to be used for RCE and eventual gaining control over the target system. Scoring 9.8 on the CVSS v3 scale, these vulnerabilities are critical. Patches have been issued for versions 10 and 11. Version 9.5 is no longer sup

Summary Bleeping Computer has published an article detailing a ransomware attack against Romania's petroleum provider, Rompetrol. The attack has halted gas station service throughout the country. Threat Type Ransomware Overview A ransomware attack against Romania's petroleum provider has crippled the country's Fill&Go service and websites. Bleeping Computer states the actors behind the attack are the Hive ransomware gang. This is unconfirmed however, the ransom note left on the network is indicative of Hive

Summary A list of more than 17,000 IP addresses has been released by Vladimir Putin. The current unsubstantiated claim is that those listed are conducting active Distributed Denial of Service attacks against Russian targets. Threat Type DDoS Overview For more information on this story, please follow this link to the latest in our ongoing coverage of the Ukrainian/Russian war. Indicators of Compromise A list of IoCs can be found in the Reports section to the right. References https://www.cyberscoop.com/russi

Summary An advisory from IBM's X-Force Research has uncovered an exploit proof of concept (PoC) involving a vulnerability in several Cisco SSL VPN devices. Threat Type Vulnerability Overview According IBM's X-Force Research team, a critical vulnerability in Cisco RV340/RV345 series SSL VPN devices has led to the discovery of a PoC that has been released to the public. Should this vulnerability be exploited, a unauthenticated remote adversary obtaining privileged arbitrary code execution. On February 11, 20

Summary Wordfence has issued a report detailing a trio of vulnerabilities in the PHP Everywhere plugin for WordPress. Threat Type Vulnerabilities Overview A critical trio of vulnerabilities has been disclosed by Wordfence. The vulnerabilities could allow for an authenticated user, including subscribers and customers, to execute code on a vulnerable site. All three vulnerabilities, CVE-2022-24663, CVE-2022-24664, and CVE-2022-24665, have a critical rating with a 9.9 CVSS score. Should a website admin install

Summary The Cybersecurity & Infrastructure Security Agency has issued an alert for SAP applications using SAP Internet Communication Manager (ICM). These vulnerabilities are critical in nature and should be addressed immediately. Threat Type Vulnerability Overview SAP and CISA has issued advisories regarding vulnerabilities in the SAP ICM. The most severe of these vulnerabilities score a 10 on the CVSS V3 system. The SAP ICM handles critical processes such as resource planning, lifecycle management, custom

Summary According to multiple reliable sources, Oiltanking Deutschland GmbH & Co., a German oil company, has suffered a cyber attack that severely degraded operations has been reported by several reliable sources. Threat Type Cyber Attack Overview A cyber attack on a German oil company has been reported by several news outlets. The attack is reminiscent of the Colonial Pipeline attack suffered last year. According to the German newspaper, Handelsblatt, an internal report from Oiltanking states: "systems wer

Summary Critical vulnerabilities have been disclosed with Samba that require immediate attention. These vulnerabilities could have far reaching impact. Threat Type Vulnerabilities Overview A trio of vulnerabilities in Samba have been disclosed by Samba. The vulnerabilities have the potential for remote code execution, impersonation of arbitrary services, and information leak. The first vulnerability, CVE-2021-44141 , is an information leak via symlinks of existence of files or directories outside exported