Several new vulnerabilities with critical severity scores are worrying experts and cyber managers.
Zero-day bugs affecting Citrix and Apache products were recently added to the Cybersecurity and Infrastructure Security Agency’s (CISA) list of Known Exploited Vulnerabilities (KEV).
Incident responders at cybersecurity company Rapid7 warned of hackers connected to HelloKitty ransomware exploiting a vulnerability affecting Apache ActiveMQ, classified CVE-2023-46604. Apache ActiveMQ is an open source message broker in Java language that facilitates communication between servers.
Speakers said they encountered two situations where HelloKitty ransomware was used after the bug was exploited. Proof of concept exploitation code is available and looks similar to what they saw in the two incidents they responded to, Rapid7 said.
LPCC added the vulnerability to its catalog of known exploited bugs Thursday evening, giving federal civilian agencies until November 23 to resolve the problem. The agency did not confirm whether the ransomware actors were exploiting the bug.
Apache disclosed the vulnerability and released new versions from ActiveMQ on October 25.
Huntress Experts confirmed that they too have seen hackers exploit the vulnerability and attempt to deploy HelloKitty ransomware.
The vulnerability has the highest CVSS severity score of 10 out of 10.
“Exploitation for this attack is trivial,” they said, adding that the module used in the attacks “works wonderfully against vulnerable ActiveMQ instances.”
Mandiant Warns of “Citrix Bleed”
A vulnerability dubbed “Citrix Bleed” is being exploited in attacks against government organizations as well as companies in the professional services and technology sectors. The vulnerability allows hackers to access sensitive information, according to a safety bulletin from Citrix.
On October 10, Citrix stated that the bug… CVE-2023-4966 — impacts NetScaler ADC and NetScaler Gateway appliances.
Researchers at cybersecurity firm AssetNote have since published a proof of concept (PoC) exploit. The bug was rated 9.4 out of 10 on the CVSS severity scale.
Mandiant identified zero-day exploitation of this vulnerability in the wild from the end of August.
The Google-owned cybersecurity giant is currently investigating several successful exploits that allowed hackers to take over NetScaler ADC and Gateway appliances.
“Netscaler exploitation is currently at scale,” said Timothy Morris, a security advisor at cyber firm Tanium.
CISA added the bug to its catalog of exploited bugs last month, giving federal civilian agencies until November 8 to fix the problem.
But several cybersecurity experts have warned that simply patching the vulnerability is not enough. Those who use these products should investigate signs of compromise. Hoxhunt CEO Mika Aalto told Recorded Future News that it is likely that many organizations are using the affected products and have not implemented recommended mitigation measures.
The ShadowServer Search Tool watch that thousands of cases where the tool is used are still vulnerable to the issue as of November 2, including nearly 2,000 in North America alone. Kevin Beaumont, cybersecurity expert said at least two ransomware gangs are now trying to exploit the attack vulnerability, while Mandiant found four different groups attempting to exploit.
Beaumont call for on the social media site Mastodon.
“People love it: it’s simple remote desktop access inside the organization’s firewalls, without generating alerts or logs,” he wrote.
Future saved
Intelligence cloud.
No previous articles
No new articles
Jonathan Greig
Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.