Hackers from the Lazarus group, believed to be from North Korea, have been exploiting the Log4j vulnerability to deploy new malware. The malware includes two remote access trojans (RATs) named NineRAT and DLRAT, as well as a malware downloader called BottomLoader. The Lazarus group is using the Telegram API for command and control communication. The attacks specifically target publicly facing VMWare Horizon servers that use a vulnerable version of the Log4j logging library. Once the servers are compromised, the Lazarus group sets up a proxy tool for persistent access, runs reconnaissance commands, creates admin accounts, and deploys credential-stealing tools. The NineRAT malware supports a wide range of commands and may be used to collect data for other advanced persistent threat (APT) groups. The Lazarus group's tactics and tools continue to evolve, posing a persistent threat [b4f83d24].
This development adds to the growing concerns surrounding the Log4j vulnerability. A recent report by Veracode revealed that almost two in five applications are currently running vulnerable versions of Log4j, including versions with the Log4Shell vulnerabilities and outdated versions that are no longer supported. The prevalence of outdated Log4j code highlights the need for businesses to be more diligent in patching their endpoints and adopting stringent open-source security practices [4d371bbc].
In addition to the Log4j vulnerability, other vulnerabilities have also been exploited by threat actors. Hackers have been actively exploiting vulnerabilities in Citrix's NetScaler ADC and NetScaler Gateway platforms, known as 'CitrixBleed', leading to a wave of mass cyberattacks. This vulnerability allows remote unauthenticated attackers to extract sensitive information from the memory of vulnerable Citrix devices [a2697f3d]. At least four threat groups are exploiting this bug, with one group automating the attack process. The LockBit gang recently targeted the U.S. branch of Industrial and Commercial Bank of China (ICBC) by compromising an unpatched Citrix Netscaler box, and ICBC reportedly paid the ransom demand. Other affected organizations include Boeing and international law firm Allen & Overy [21c32a0d]. Citrix has urged its customers to update to the latest versions of NetScaler ADC and NetScaler Gateway to prevent active exploitation of vulnerabilities that could lead to information disclosure and denial of service (DoS) attacks [45eac12b].
Furthermore, Atlassian has released security advisories for four critical remote code execution (RCE) vulnerabilities affecting Confluence, Jira, Bitbucket servers, and a companion app for macOS. The vulnerabilities have a severity score of at least 9.0 out of 10. While none of the issues have been exploited in the wild, Atlassian advises system administrators to prioritize applying the available updates due to the popularity of their products [d1774f7a]. Atlassian's Chief Information Security Officer emphasizes the potential for significant data loss if the Confluence vulnerability is exploited, but reassures that it does not enable data theft [a75c1047].
Moreover, a critical vulnerability, known as CVE-2023-46604, has been discovered in Apache ActiveMQ, posing a significant threat to users. The vulnerability allows remote attackers to execute arbitrary shell commands by manipulating serialized class types within the OpenWire protocol. Attackers proceed to load remote binaries and execute a payload. The exploit code for CVE-2023-46604 is publicly available on GitHub, increasing the risk. Apache has issued an advisory recommending specific steps for mitigation. Staying informed about the vulnerability and utilizing up-to-date detection methods is crucial. SOC Prime's Threat Detection Marketplace provides resources for this purpose. The Hello Kitty ransomware group has exploited the vulnerability, emphasizing the need for proactive cybersecurity measures [b0fdda34].
Additionally, CISA has added a critical vulnerability (CVE-2023-1671) in Sophos Web Appliance to its Known Exploited Vulnerabilities catalog. The vulnerability is a pre-auth command injection vulnerability that allows attackers to execute arbitrary code. The vulnerability was disclosed in April 2023 and affects all versions of the appliances prior to version 4.3.10.4. Sophos released a patch for the vulnerability and advised customers to keep the device behind a firewall. Sophos Web Appliance will reach end of life on July 20, 2023, and organizations are urged to switch to using Sophos Firewall. The delay in attackers exploiting the vulnerability may be due to the default automatic updating setting reducing the potential pool of targets [07d39bff].