Hackers are actively exploiting vulnerabilities in Citrix's NetScaler ADC and NetScaler Gateway platforms, known as 'CitrixBleed', leading to a wave of mass cyberattacks. This vulnerability allows remote unauthenticated attackers to extract sensitive information from the memory of vulnerable Citrix devices [a2697f3d]. At least four threat groups are exploiting this bug, with one group automating the attack process. The LockBit gang recently targeted the U.S. branch of Industrial and Commercial Bank of China (ICBC) by compromising an unpatched Citrix Netscaler box, and ICBC reportedly paid the ransom demand. Other affected organizations include Boeing and international law firm Allen & Overy [21c32a0d]. Citrix has urged its customers to update to the latest versions of NetScaler ADC and NetScaler Gateway to prevent active exploitation of vulnerabilities that could lead to information disclosure and denial of service (DoS) attacks [45eac12b].
In addition to the CitrixBleed vulnerability, Atlassian has issued a warning regarding a vulnerability in Confluence software that could expose systems to data destruction attacks. The vulnerability, identified as CVE-2023-22518, affects all versions of Confluence Data Center and Confluence Server software. Atlassian advises immediate action to safeguard Confluence instances and recommends upgrading the software or applying mitigation measures. Although there have been no reports of active exploitation, the company has discovered a publicly available exploit that increases the risk for instances exposed to the internet. Atlassian's Chief Information Security Officer emphasizes the potential for significant data loss if the vulnerability is exploited, but reassures that it does not enable data theft [a75c1047].
Furthermore, a critical vulnerability, known as CVE-2023-46604, has been discovered in Apache ActiveMQ, posing a significant threat to users. The vulnerability allows remote attackers to execute arbitrary shell commands by manipulating serialized class types within the OpenWire protocol. Attackers proceed to load remote binaries and execute a payload. The exploit code for CVE-2023-46604 is publicly available on GitHub, increasing the risk. Apache has issued an advisory recommending specific steps for mitigation. Staying informed about the vulnerability and utilizing up-to-date detection methods is crucial. SOC Prime's Threat Detection Marketplace provides resources for this purpose. The Hello Kitty ransomware group has exploited the vulnerability, emphasizing the need for proactive cybersecurity measures [b0fdda34].
CISA has added a critical vulnerability (CVE-2023-1671) in Sophos Web Appliance to its Known Exploited Vulnerabilities catalog. The vulnerability is a pre-auth command injection vulnerability that allows attackers to execute arbitrary code. The vulnerability was disclosed in April 2023 and affects all versions of the appliances prior to version 4.3.10.4. Sophos released a patch for the vulnerability and advised customers to keep the device behind a firewall. Sophos Web Appliance will reach end of life on July 20, 2023, and organizations are urged to switch to using Sophos Firewall. The delay in attackers exploiting the vulnerability may be due to the default automatic updating setting reducing the potential pool of targets [07d39bff].