Cyware Daily Threat Intelligence

Daily Threat Briefing Jan 30, 2024

Eagerly waiting for a fix for the heavily exploited Ivanti zero days? Please stay cautious for a few more weeks as the last patch will take at least a fortnight to arrive. Meanwhile, a patch for a critical vulnerability in Jenkins' command line interface has been issued. Yet, nearly 45,000 publicly accessible Jenkins instances—predominantly located in China and the U.S.—were found vulnerable to the highly severe RCE vulnerability.

In other news, the Akira ransomware group reportedly returned to an old Cisco bug. The bug threatens sensitive memory contents, potentially revealing user credentials. On the scam side, courier services are being exploited to collect funds and valuables from victims, particularly senior citizens, in impersonation scams. Adversaries accumulated over $50 million in eight months.

Top Breaches Reported in the Last 24 Hours

Terabytes of data stolen from energy firm

Schneider Electric suffered a data breach in its Sustainability Business division. The Cactus ransomware group claimed responsibility, asserting the theft of terabytes of corporate data. The incident disrupted Schneider Electric's Resource Advisor cloud platform services, while other company divisions remained unaffected. Notably, the ransomware group, operational since March 2023, is yet to make its leak site public despite utilizing a double-extortion model.

Source code and internal data exposed

Researchers from RedHunt Labs discovered a significant security lapse at Mercedes-Benz, where a private key and authentication token were unintentionally left accessible online. The exposed token could provide unrestricted access to the company's GitHub Enterprise Server, resulting in the exposure of source code, cloud access keys, blueprints, single sign-on passwords, API keys, and more. The affected repositories also contained Azure and AWS credentials.

User credentials for sale

Security analysts at Resecurity found 1,572 compromised credentials on the dark web belonging to telecom network administrators and engineers from various organizations, including RIPE, the Asia-Pacific Network Information Centre (APNIC), the African Network Information Centre (AFRINIC), and the Latin America and Caribbean Network Information Center (LACNIC). Victims of the incident span various sectors, including an Iranian research organization, a Kenyan financial institution, a major Spanish financial organization, and an Iraqi government agency.

Insurance broker discloses breach

California-based insurance broker Keenan & Associates notified over 1.5 million individuals about a ransomware and data exfiltration attack from last year. An unauthorized party had gained access to some of the internal systems of the firm multiple times for about a week. The compromised data includes names, birth dates, SSNs, passport numbers, driver's license numbers, and health-related information.

Top Malware Reported in the Last 24 Hours

Akira operators abuse old Cisco flaw

Truesec’s CSIRT team uncovered an Akira ransomware campaign exploiting an old Cisco ASA and FTD bug tracked as CVE-2020-3259. The vulnerability allows unauthenticated remote attackers to extract sensitive memory contents from affected devices, potentially exposing usernames and passwords in clear text. Six of the eight compromised devices, in which the attackers used Cisco AnyConnect SSL VPN as the entry point, were found running various versions of the vulnerable software.

Microsoft Teams used to drop DarkGate

Threat actors have been spotted exploiting Microsoft Teams’ external access feature—enabled by default—allowing users to add external members to Teams chats. An AT&T customer identified an unsolicited Teams chat from an external user, suspected to be a phishing lure. The MDR SOC team traced the attack to DarkGate malware, preventing significant damage.

Top Vulnerabilities Reported in the Last 24 Hours

Jenkins flaw exposes 45,000 instances

Security researchers have identified approximately 45,000 Jenkins instances exposed online that are vulnerable to CVE-2024-23897, a critical RCE bug. The security issue can be abused in several ways, including manipulating Resource Root URLs, "Remember me" cookies, or bypassing CSRF protection. Depending on permissions, attackers can exploit the flaw to access sensitive information, potentially leading to the decryption of stored secrets and other malicious activities.

Juniper Networks issues updates

Juniper Networks released out-of-band updates to address high-severity vulnerabilities, CVE-2024-21619 and CVE-2024-21620, affecting SRX Series and EX Series. These flaws, rooted in the J-Web component and impacting all versions of Junos OS, could allow threat actors to take control of vulnerable systems. CVE-2024-21619 is a missing authentication vulnerability, while CVE-2024-21620 is a cross-site scripting (XSS) vulnerability.

Ivanti zero-day bug patch delayed

Patches for two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, in Ivanti Connect Secure and Ivanti Policy Secure will be delayed, according to an updated blog post by Ivanti. The authentication bypass and command-injection vulnerabilities have impacted thousands of organizations to date; a single nation-state threat actor alone was able to compromise over 2,100 systems.

Flaws in WatchGuard and Panda Security products

Multiple vulnerabilities in the Panda Kernel Memory Access driver (pskmad_64.sys) used by WatchGuard EPDR, Panda AD360, and Panda Dome for Windows could allow attackers to trigger DoS conditions or execute arbitrary code with system privileges, explained Sophos. The flaws, CVE-2023-6330 and CVE-2023-6331, involve a memory pool overflow and an out-of-bounds write, potentially leading to code execution. An attacker would need administrative privileges for successful exploitation.

Top Scams Reported in the Last 24 Hours

Scammers target senior citizens

The FBI issued a public service announcement cautioning about scammers exploiting courier services in tech support and government impersonation scams. Perpetrators, often targeting senior citizens, coerce victims into liquidating assets, buying precious metals, or wiring funds based on false claims of compromised financial accounts. The scammers then arrange for couriers to collect cash or valuables in person. The elaborate scheme has led to aggregated losses exceeding $55 million from May to December 2023.