Lazarus Hackers Exploit Log4j and Jenkins Vulnerabilities in Recent Attacks

2024-02-02 17:19:29.787000

Hackers from the Lazarus group, believed to operate from North Korea, have deployed new malware through exploitation of the Log4j vulnerability. The malware, two remote access trojans (RATs) named NineRAT and DLRAT, was observed targeting a South American agricultural organization in March 2023 and a European manufacturing entity in September 2023. Lazarus, active since around 2010, targets a wide range of sectors including government, defense, finance, media, healthcare, and critical infrastructure. The group's goals include espionage, data theft, and financial gain. The malware was written in the D programming language (DLang), a choice that helped the group stay under the radar. The Lazarus group continues to exploit the Log4j vulnerability in the campaign known as Operation Blacksmith [6ab95c75].

This development adds to the growing concerns surrounding the Log4j vulnerability. A recent report by Veracode revealed that almost two in five applications are currently running vulnerable versions of Log4j, including versions with the Log4Shell vulnerabilities and outdated versions that are no longer supported. The prevalence of outdated Log4j code highlights the need for businesses to be more diligent in patching their endpoints and adopting stringent open-source security practices [4d371bbc].

In addition to the Log4j vulnerability, hackers have also been exploiting a critical vulnerability in Jenkins, an open-source automation server widely used for continuous integration and delivery of software projects. Jenkins disclosed the vulnerability, CVE-2024-23897, which allows file retrieval and remote code execution. It affects Jenkins versions 2.441 and earlier, as well as Jenkins LTS 2.426.2 and earlier. A proof of concept for exploiting the vulnerability has been released, and around 45,000 Internet-exposed Jenkins instances are vulnerable. Companies using Jenkins should update to version 2.422 or Jenkins LTS 2.426.3 to address the vulnerability [25e2eb15].
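As an added, defender-side illustration of the patch-diligence point in the Log4j and Jenkins paragraphs (example code written for this page, not code from Lazarus, Veracode, Jenkins or any of the cited reports), the Python below checks a constructed software inventory against version bounds. The Jenkins rule uses the bounds quoted above: weekly releases at 2.441 or earlier and LTS releases at 2.426.2 or earlier are flagged for CVE-2024-23897. The log4j-core rule is an assumption from the public advisories rather than from this page: the 1.x line is flagged as end-of-life, and 2.x releases below 2.17.1 are flagged as lacking at least one of the Log4Shell-era fixes (the 2.3.x and 2.12.x backport lines are deliberately not modelled). Telling Jenkins LTS (three-component versions) apart from weekly releases (two components) is likewise an assumption. Hostnames, product names and inventory rows are constructed.

```python
"""Flag software inventory entries whose versions fall inside advisory-affected
ranges. Added example: the Jenkins rule encodes the version bounds quoted in the
text for CVE-2024-23897; the log4j-core rule is an assumption from public
advisories; inventory rows and hostnames are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

_WIDTH = 5  # numeric components are zero-padded to this width so 2.0 == 2.0.0


def parse_version(v: str) -> tuple:
    """Turn '2.426.2' or '2.0-beta9' into a tuple that sorts correctly.

    Layout: numeric components padded to _WIDTH, then a release flag
    (1 = final release, 0 = pre-release, so 2.0-beta9 < 2.0), then the
    pre-release tag name and number."""
    tokens = re.split(r"[.\-]", v.strip())
    nums: List[int] = []
    pre = (1, "", 0)
    for i, tok in enumerate(tokens):
        if tok.isdigit():
            nums.append(int(tok))
            continue
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", tok)
        if m is None or i != len(tokens) - 1:
            raise ValueError(f"unsupported version string {v!r}")
        pre = (0, m.group(1).lower(), int(m.group(2) or 0))
    if not nums or len(nums) > _WIDTH:
        raise ValueError(f"unsupported version string {v!r}")
    return tuple(nums + [0] * (_WIDTH - len(nums))) + pre


def jenkins_finding(version: str) -> Optional[str]:
    """CVE-2024-23897 bounds as quoted in the text: weekly releases 2.441 and
    earlier, LTS releases 2.426.2 and earlier. Assumption: Jenkins LTS version
    strings have three numeric components (2.426.2) and weekly releases two
    (2.441); that is how the two release lines are told apart here."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts) or len(parts) not in (2, 3):
        raise ValueError(f"unexpected Jenkins version {version!r}")
    if len(parts) == 3 and parse_version(version) <= parse_version("2.426.2"):
        return "Jenkins LTS 2.426.2 or earlier: CVE-2024-23897"
    if len(parts) == 2 and parse_version(version) <= parse_version("2.441"):
        return "Jenkins weekly 2.441 or earlier: CVE-2024-23897"
    return None


def log4j_finding(version: str) -> Optional[str]:
    """log4j-core rule (assumption, not from the text): the 1.x line is
    end-of-life, and 2.x releases before 2.17.1 lack at least one of the
    Log4Shell-era fixes on the main branch. Backport releases for old Java
    runtimes (2.3.x, 2.12.x) are not modelled."""
    v = parse_version(version)
    if v[0] < 2:  # first numeric component is the major version
        return "log4j 1.x: end-of-life, no security fixes"
    if v < parse_version("2.17.1"):
        return "log4j-core below 2.17.1: Log4Shell-era CVEs unpatched"
    return None


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    reason: str


# One rule per product name; extend this table from vendor advisories.
RULES: Dict[str, Callable[[str], Optional[str]]] = {
    "log4j-core": log4j_finding,
    "jenkins": jenkins_finding,
}


def scan(inventory: List[dict]) -> List[Finding]:
    """Apply the matching rule to each inventory row; unknown products are skipped."""
    findings: List[Finding] = []
    for row in inventory:
        rule = RULES.get(row["product"].lower())
        if rule is None:
            continue
        reason = rule(row["version"])
        if reason is not None:
            findings.append(Finding(row["host"], row["product"], row["version"], reason))
    return findings


# Constructed inventory rows (hostnames and versions chosen for illustration).
INVENTORY = [
    {"host": "build01", "product": "log4j-core", "version": "2.14.1"},
    {"host": "app02", "product": "log4j-core", "version": "2.17.1"},
    {"host": "legacy03", "product": "log4j-core", "version": "1.2.17"},
    {"host": "ci04", "product": "jenkins", "version": "2.441"},
    {"host": "ci05", "product": "jenkins", "version": "2.426.2"},
    {"host": "ci06", "product": "jenkins", "version": "2.426.3"},
    {"host": "ci07", "product": "jenkins", "version": "2.442"},
    {"host": "db08", "product": "postgresql", "version": "15.4"},
]

if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.host:10} {f.product:12} {f.version:10} {f.reason}")
```

Running the block prints four findings (build01, legacy03, ci04, ci05). The point of the padded tuple in `parse_version` is that naive string comparison gets both `2.426.2` versus `2.441` and `2.0-beta9` versus `2.0` wrong; an inventory checker that mis-orders versions silently under-reports exactly the outdated installs the Veracode figure is about.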

Other vulnerabilities are also under active exploitation by threat actors. Hackers have been exploiting vulnerabilities in Citrix's NetScaler ADC and NetScaler Gateway platforms, known as 'CitrixBleed', leading to a wave of mass cyberattacks. This vulnerability allows remote unauthenticated attackers to extract sensitive information from the memory of vulnerable Citrix devices [a2697f3d]. At least four threat groups are exploiting this bug, with one group automating the attack process. The LockBit gang recently targeted the U.S. branch of Industrial and Commercial Bank of China (ICBC) by compromising an unpatched Citrix NetScaler appliance, and ICBC reportedly paid the ransom demand. Other affected organizations include Boeing and the international law firm Allen & Overy [21c32a0d]. Citrix has urged its customers to update to the latest versions of NetScaler ADC and NetScaler Gateway to prevent active exploitation of vulnerabilities that could lead to information disclosure and denial of service (DoS) attacks [45eac12b].

Moreover, Atlassian has released security advisories for four critical remote code execution (RCE) vulnerabilities affecting Confluence, Jira, Bitbucket servers, and a companion app for macOS. The vulnerabilities have a severity score of at least 9.0 out of 10. While none of the issues have been exploited in the wild, Atlassian advises system administrators to prioritize applying the available updates due to the popularity of their products [d1774f7a]. Atlassian's Chief Information Security Officer emphasizes the potential for significant data loss if the Confluence vulnerability is exploited, but reassures that it does not enable data theft [a75c1047].

Additionally, a critical vulnerability, CVE-2023-46604, has been discovered in Apache ActiveMQ, posing a significant threat to users. The vulnerability allows remote attackers to execute arbitrary shell commands by manipulating serialized class types within the OpenWire protocol. Attackers then load remote binaries and execute a payload. Exploit code for CVE-2023-46604 is publicly available on GitHub, increasing the risk. Apache has issued an advisory recommending specific mitigation steps. Staying informed about the vulnerability and using up-to-date detection methods is crucial; SOC Prime's Threat Detection Marketplace provides resources for this purpose. The HelloKitty ransomware group has exploited the vulnerability, emphasizing the need for proactive cybersecurity measures [b0fdda34].

Furthermore, CISA has added a critical vulnerability (CVE-2023-1671) in Sophos Web Appliance to its Known Exploited Vulnerabilities catalog. It is a pre-authentication command injection flaw that allows attackers to execute arbitrary code. The vulnerability was disclosed in April 2023 and affects all versions of the appliance prior to version 4.3.10.4. Sophos released a patch for the vulnerability and advised customers to keep the device behind a firewall. Sophos Web Appliance will reach end of life on July 20, 2023, and organizations are urged to switch to Sophos Firewall. The delay before attackers began exploiting the vulnerability may be due to the default automatic-update setting reducing the pool of potential targets [07d39bff].

Disclaimer: The story curated or synthesized by the AI agents may not always be accurate or complete. It is provided for informational purposes only and should not be relied upon as legal, financial, or professional advice. Please use your own discretion.