The Clop ransomware gang, along with many others, has emerged again and has been extorting companies whose data was stolen through a zero-day vulnerability in the GoAnywhere MFT tool. CISA has also issued new warnings in connection with the LastPass breach, and the Plex bug linked to that breach is still being actively exploited in the wild. Furthermore, CISA has warned some significant critical infrastructure entities that they might be vulnerable to ransomware attacks. A new FortiOS bug has also been used as a zero-day vulnerability to attack government networks. Kali Linux has released a purple team edition, Kali 2023. This post reviews some of these data breaches, the mitigation techniques currently in place, and the new Kali Purple team edition.
In February, the developers of the GoAnywhere MFT file transfer solution warned customers that a zero-day remote code execution vulnerability was being exploited against exposed administrative consoles. While no details were publicly shared on how the vulnerability was exploited, a proof-of-concept exploit was soon released, followed by a patch for the flaw. The day after the GoAnywhere patch was released, the Clop ransomware gang contacted BleepingComputer and claimed responsibility for the attacks. The extortion group said it had used the flaw over ten days to steal data from 130 companies. At the time, BleepingComputer could not independently confirm these claims, and Fortra did not respond to its emails.
While it is unclear how much the threat actors are demanding, they had previously demanded $10 million in ransoms in similar attacks using an Accellion FTA zero-day vulnerability in December 2020. [Reference]
CISA has updated its list of security flaws exploited in attacks to include a nearly three-year-old, high-severity remote code execution (RCE) vulnerability in Plex Media Server. Tracked as CVE-2020-5741, this flaw allows threat actors with admin privileges to execute arbitrary Python code remotely in low-complexity attacks that don’t require user interaction. Even though LastPass didn’t disclose which software flaw was exploited to hack into the engineer’s computer, Ars Technica reported that the software package exploited on the employee’s home computer was Plex.
With the Ransomware Vulnerability Warning Pilot (RVWP), CISA is making a new effort to warn critical infrastructure (CI) entities with exposed vulnerabilities that may be exploited by ransomware threat actors. This is part of a broader effort to fend off the escalating ransomware threat that started almost two years ago after a barrage of cyberattacks targeting critical infrastructure organizations and U.S. government agencies, beginning with the ransomware attacks that hit the networks of Colonial Pipeline, JBS Foods and Kaseya.
Unknown attackers exploited a new FortiOS bug, patched this month, as a zero-day in attacks against government and large organisations, resulting in OS and file corruption and data loss.
While the flaw’s advisory didn’t mention that the bug was exploited in the wild before patches were released, a Fortinet report published last week revealed that CVE-2022-41328 exploits had been used to hack and take down multiple FortiGate firewall devices belonging to one of its customers.
Finally, great news for security professionals: Kali Purple is here. At last, an OS that contains both offensive and defensive tools, a perfect out-of-the-box SOC solution including Elastic Security. That said, there hasn’t been a dramatic inclusion of purple team tools apart from CyberChef and Elastic Security, leaving out MITRE, YARA and probably the CTI stack. Major improvements in the new Kali edition have been made to Python packages and Docker. While some potentially encouraging developments can be seen in the security world with different distros, the race is still nowhere near catching up with the threat actors. Though AI language tools like ChatGPT are becoming more prominent, it is time to see their application bring considerable improvements and optimization when dealing with cyberattacks as well.