CCTR.11.March.24
Zeek, TeamCity, VMware, APT
The Ethercat Zeek Plugin, a component of the Industrial Control Systems Network Protocol Parsers (ICSNPP) utilised in the open-source network security monitoring tool Zeek, has been identified with multiple vulnerabilities, namely CVE-2023-7244, CVE-2023-7243, and CVE-2023-7242. These vulnerabilities pose a risk of unauthorised access to ICS networks. It's noteworthy that this plugin is automatically integrated with various popular security software, such as Security Onion. Consequently, these vulnerabilities have the potential to impact not only ICS environments but also broader IT environments. Ref: CI-ISAC Australia, CISA

The recently disclosed JetBrains TeamCity vulnerability, CVE-2024-27198 (CVSS 9.8), has been added to the CISA Known Exploited Vulnerabilities (KEV) catalogue due to observed exploitation shortly after disclosure. Patches have been released for two authentication bypass vulnerabilities affecting TeamCity; the critical flaw allows a remote, unauthenticated attacker to take complete control of a vulnerable server, posing a significant risk for launching supply chain attacks. Ref

VMware has released critical patches to address sandbox escape vulnerabilities in its ESXi, Workstation, Fusion, and Cloud Foundation products. Sandbox escape vulnerabilities, which are among my favourite types, are far too rare to come by. These could allow malicious actors to break out of virtual machine sandboxes and execute code on host systems. Organisations are urged to apply the patches promptly to mitigate the risk of exploitation and safeguard virtualised environments. Ref

Microsoft has provided an update on the activities of Midnight Blizzard (NOBELIUM), a Russian state-sponsored hacker group targeting Microsoft. The group gained access to source code repositories and internal systems, raising concerns about potential targeted attacks. As Rob Dartnall - CCTIM pointed out, there is worry that they might use the acquired data to identify vulnerabilities and enhance their capabilities, posing a significant risk of re-targeting Microsoft and potentially targeting its customers with the same information. Ref

The North Korean APT group Kimsuky is exploiting the recently disclosed ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709 to infect targets with a new malware variant dubbed Toddler Shark, which is designed for long-term espionage and intelligence gathering. Ref