Media Coverage

Shadowserver in the news

World Govs, Tech Giants Sign Spyware Responsibility Pledge

Dark Reading, February 6, 2024

A coalition of dozens of countries including France, the UK, and the US, along with tech giants such as Google, Meta, and Microsoft, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.

At a speech at the UK-France Cyber Proliferation conference at Lancaster House in London today, UK Deputy Prime Minister Oliver Dowden announced the kickoff for the spyware initiative, dubbed the “Pall Mall Process,” which will be a “multi-stakeholder initiative … to tackle the proliferation and irresponsible use of commercially available cyber-intrusion capabilities,” he explained.

He also announced that the UK will invest £1 million into the nonprofit Shadowserver Foundation, to “help them expand the access they provide to early warning systems, and to cyber resilience support for those impacted by cyberattacks.”

Newest Ivanti SSRF zero-day now under mass exploitation

Bleeping Computer, February 5, 2024

An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers. Exploitation of CVE-2024-21893 allowed attackers to bypass authentication and access restricted resources on vulnerable devices (versions 9.x and 22.x).

Threat monitoring service Shadowserver is now seeing multiple attackers leveraging the SSRF bug, with 170 distinct IP addresses attempting to exploit the flaw.

According to ShadowServer, there are currently almost 22,500 Ivanti Connect Secure devices exposed on the Internet. However, it is unknown how many are vulnerable to this particular vulnerability.

INTERPOL-led operation targets growing cyber threats

INTERPOL, February 1, 2024

Operation Synergia, which ran from September to November 2023, was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats. The operation involved 60 law enforcement agencies from more than 50 INTERPOL member countries, with officers conducting house searches and seizing servers as well as electronic devices.

Operation Synergia demonstrated how cybersecurity is most effective when international law enforcement, national authorities, and private sector partners cooperate to share best practices and pro-actively combat cybercrime. INTERPOL and its Gateway Partners Group-IB, Kaspersky, TrendMicro, Shadowserver and Ad hoc partner Team Cymru provided analysis and intelligence support throughout the operation.

2nd critical GitLab patch of 2024 fixes arbitrary file writing bug

SC Media, January 31, 2024

A GitLab vulnerability enabling file writing to arbitrary locations on a server was patched last Thursday, two weeks after the company patched a critical account takeover bug. The latest vulnerability, tracked as CVE-2024-0402, received a CVSS score of 9.9 and allows authenticated users to write files anywhere on a GitLab server while creating a workspace.

The Shadowserver Foundation, which tracks malicious activity and vulnerabilities online, previously said it detected more than 5,300 GitLab instances vulnerable to CVE-2023-7028 on Jan. 23. As of Jan. 30, Shadowserver’s dashboard showed 4,826 GitLab instances still running unpatched versions. Shadowserver CEO Piotr Kijewski told SC Media that while the organization is not currently scanning for CVE-2024-0402, it is most likely that instances still vulnerable to CVE-2023-7028 are also vulnerable to the latest bug. “The total CVE-2024-0402 population will be expected to be higher, however,” Kijewski said.

45k Jenkins servers exposed to RCE attacks using public exploits

Bleeping Computer, January 29, 2024

Researchers found roughly 45,000 Jenkins instances exposed online that are vulnerable to CVE-2024-23897, a critical remote code execution (RCE) flaw for which multiple public proof-of-concept (PoC) exploits are in circulation. Jenkins is a leading open-source automation server for CI/CD, allowing developers to streamline the building, testing, and deployment processes. It features extensive plugin support and serves organizations of various missions and sizes.

Today, threat monitoring service Shadowserver reported that its scanners have “caught” roughly 45,000 unpatched Jenkins instances, indicating a massive attack surface. Most of the vulnerable internet-exposed instances are in China (12,000) and the United States (11,830), followed by Germany (3,060), India (2,681), France (1,431), and the UK (1,029).

Pakistan Telecommunication Authority Annual Report 2023

Pakistan Telecommunication Authority, January 29, 2024

In pursuit of comprehensive threat intelligence, PTA has subscribed to Shadowserver—a renowned platform that provides data pertaining to cyber threats within Pakistan. This subscription enables PTA to compile a holistic view of the threat landscape, and to take proactive measures to mitigate risks related to the telecom sector. Access to reliable threat intelligence is crucial in strengthening the country’s CS posture and safeguarding critical infrastructure.

More than 5,300 Gitlab servers were hit by a zero-click account takeover attack

CSIRT UMM, January 26, 2024

More than 5,300 GitLab servers connected to the internet are vulnerable to zero-click account takeover CVE-2023-7028 (CVSS score: 10.0) announced by GitLab earlier this month. This vulnerability allows an attacker to send a password reset email for a targeted account to an email address controlled by the attacker, allowing the attacker to change the password and take over the account. Account takeover will not be successful if the target has 2FA enabled, because the attacker will not be able to log in if they do not have control over two-factor authentication (2FA).

Currently, 13 days after the security update became available, threat monitoring service Shadowserver reports seeing 5,379 GitLab instances that are vulnerable to attack. Most servers with the vulnerability were in the United States (964), followed by Germany (730), Russia (721), China (503), France (298), the United Kingdom (122), India (117), and Canada (99).

Hackers start exploiting critical Atlassian Confluence RCE flaw

Bleeping Computer, January 22, 2024

Security researchers are observing exploitation attempts for CVE-2023-22527, a remote code execution vulnerability that affects outdated versions of Atlassian Confluence servers.

Threat monitoring service Shadowserver reports today that its systems recorded thousands of attempts to exploit CVE-2023-22527, the attacks originating from a little over 600 unique IP addresses. The service says that attackers are testing callbacks by executing the ‘whoami’ command to gather information about the level of access and privileges on the system.

The total number of exploitation attempts logged by The Shadowserver Foundation is above 39,000, most of the attacks coming from Russian IP addresses. Shadowserver reports that its scanners currently detect 11,100 Atlassian Confluence instances accessible over the public internet. However, not all of those necessarily run a vulnerable version.

DDoS attacks on BGP sessions

CERT.LV, January 22, 2024

A DDoS (distributed denial-of-service) attack against BGP sessions is well known but not common in cyberspace. In June of last year, FIRST recorded 2 such cases where two of the organization’s BGP sessions were successfully attacked by a DDoS attack (TCP port 179) and both sessions were terminated. The IT security organization Shadowserver and the Shodan service have collected information about more than 300,000 BGP port 179 sessions that are at risk and could become a target for similar attacks. About 150 such BGP services exposed on the Internet have been found in Latvia. Simultaneous attacks on these services could lead to serious consequences and global “chaos on the Internet”.

Shadowserver’s unprotected BGP session information panel. Shadowserver notifications now also include two new free BGP session messages – available BGP service and open BGP service.

VMware vCenter Server vulnerability widely exploited

Mandarinian, January 20, 2024

VMware is warning customers that CVE-2023-34048, a critical vCenter Server vulnerability patched in October 2023, is being widely exploited.

According to a report by the Shadowserver Foundation, there are currently hundreds of VMware vCenter Server instances exposed to the Internet that are potentially vulnerable. It’s not uncommon for VMware products to be targeted by malicious attackers. The catalog of known exploited vulnerabilities maintained by the US security agency CISA currently includes 21 VMware product flaws.