Researchers Warn of Ongoing Attacks Exploiting Critical Zimbra Postjournal Flaw
Cybersecurity researchers are warning about active exploitation attempts targeting a newly disclosed security flaw in Synacor’s Zimbra Collaboration.
Enterprise security firm Proofpoint said it began observing the activity starting September 28, 2024. The attacks seek to exploit CVE-2024-45519, a severe security flaw in Zimbra’s postjournal service that could enable unauthenticated attackers to execute arbitrary commands on affected installations.
“The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute them as commands,” Proofpoint said in a series of posts on X. “The addresses contained Base64 strings that are executed with the sh utility.” The critical issue was addressed by Zimbra in versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1 released on September 4, 2024. A security researcher named lebr0nli (Alan Li) has been credited with discovering and reporting the shortcoming.
Source: The hacker news / Bleeping computer / Dark reading / Securityweek / Helpnet security
Link: https://thehackernews.com/2024/10/researchers-sound-alarm-on-active.html
Link: https://www.darkreading.com/cyberattacks-data-breaches/recent-zimbra-rce-under-attack-patch-now
Link: https://www.securityweek.com/critical-zimbra-vulnerability-exploited-one-day-after-poc-release/
Link: https://www.helpnetsecurity.com/2024/10/02/cve-2024-45519-exploited/
Critical Ivanti RCE flaw with public exploit now used in attacks
CISA warned today that a critical Ivanti vulnerability that can let threat actors gain remote code execution on vulnerable Endpoint Manager (EPM) appliances is now actively exploited in attacks.
Ivanti EPM is an all-in-one endpoint management solution that helps admins manage client devices on various platforms, including Windows, macOS, Chrome OS, and IoT operating systems.
Tracked as CVE-2024-29824, this SQL Injection vulnerability in Ivanti EPM’s Core server that unauthenticated attackers within the same network can exploit to execute arbitrary code on unpatched systems. Ivanti released security updates to patch this security flaw in May, when it also addressed five other remote code execution bugs in EPM’s Core server, all impacting Ivanti EPM 2022 SU5 and prior.
Source: Bleeping computer
Unix Printing Vulnerabilities Enable Easy DDoS Attacks
It turns out that remote code execution is not the only way attackers can leverage a critical set of four vulnerabilities that a researcher recently disclosed in the Common Unix Printing System (CUPS) for managing printers and print jobs.
The vulnerabilities apparently also enable adversaries to stage substantial distributed denial-of-service (DDoS) attacks in mere seconds and at a cost of less of than 1 cent, using any modern cloud platform.
Some 58,000 Internet-exposed devices are currently vulnerable to the attack and can be relatively easily co-opted into launching an endless stream of attempted connections and requests at target systems. An attacker that corralled all 58,000 vulnerable hosts could send a small request to each vulnerable CUPS host and get them to direct between 1GB and 6GB of useless data at a target system.
“Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target’s need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario,” researchers at Akamai said this week after discovering the new attack vector.
Source: Dark reading / Securityweek / Akamai blog / SANS internet storm center
Link: https://www.darkreading.com/vulnerabilities-threats/unix-printing-vulnerabilities-easy-ddos-attacks
Link: https://www.akamai.com/blog/security-research/october-cups-ddos-threat
Link: https://isc.sans.edu/diary/Patch%20for%20Critical%20CUPS%20vulnerability%3A%20Don%27t%20Panic/31302
Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam
Attackers are abusing normal features of legitimate web sites to transmit spam, such as the traditional method of verifying the creation of a new account. This web infrastructure and its associated email infrastructure is otherwise used for legitimate purposes, which makes blocking these messages more difficult for defenders.
The breadth of different sources of spam suggests that the attackers have automated the process of initially identifying web infrastructure vulnerable to abuse. However, the complexity of executing each individual attack suggests more human involvement.
Attackers are also testing credentials obtained from data breaches by credential stuffing IMAP and SMTP accounts.
Source: CISCO Talos intelligence group
Link: https://blog.talosintelligence.com/simple-mail-transfer-pirates/
Cybersecurity Awareness Month: Cybersecurity awareness for developers
It’s the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.
For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers are buying in.
Microsoft is one company that’s trying to change how software developers feel about security and is actively taking steps to train teams in concepts like threat intelligence and attacker motivation.
Siri Varma, tech lead and software development engineer with Microsoft Security, works with both developers and cybersecurity teams every day.
Here, Varma answers three key questions for us about the relationship between developers and cybersecurity.
Source: IBM security intelligence
Link: https://securityintelligence.com/articles/cybersecurity-awareness-developers/