Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Cybersecurity News

Cyble Research & Intelligence Labs (CRIL) analyzed 29 vulnerabilities in its weekly vulnerability report for June 26-July 2, including high-severity and critical flaws in products from Juniper Networks, OpenSSH and GitLab. The report also emphasized a medium-severity vulnerability in Cisco Nexus switches that’s being actively exploited, and discussed exploits for sale on the dark web as well as industrial control system (ICS) vulnerabilities.

Of the thousands of new security vulnerabilities discovered each year, only a small percentage are actively exploited by threat actors. To help security teams focus patching and mitigation efforts on the most important threats, The Cyber Express each week partners with Cyble’s highly skilled dark web and threat intelligence researchers to highlight security vulnerabilities that warrant particularly close attention.

The Week’s Top Vulnerabilities

These are the three high-severity and critical vulnerabilities Cyble researchers focused on this week, plus a Cisco medium-severity vulnerability.

CVE-2024-6387: OpenSSH Server

Impact Analysis: This unauthenticated remote code execution (RCE) vulnerability in OpenSSH’s server (sshd) grants the attacker full root access. Successful exploitation could allow an attacker to execute arbitrary code with root privileges, install malware and create backdoors, manipulate data and traverse other vulnerable systems, bypass security mechanisms like firewalls and intrusion detection systems, and conduct significant data breaches, resulting in the leakage of sensitive information.

Internet Exposure? Yes
Patch? Yes

CVE-2024-2973: Juniper Networks

Impact Analysis: This is a critical authentication bypass vulnerability in Juniper Networks' Session Smart Router, Session Smart Conductor, and WAN Assurance Router products. If exploited, attackers could gain unauthorized access to network configurations and sensitive data, potentially enabling further malicious activities such as launching larger-scale attacks on other systems connected to the compromised router.

Internet Exposure? No
Patch? Yes

CVE-2024-5655: GitLab CE/EE

Impact Analysis: This is a critical vulnerability in GitLab CE/EE that affects versions 15.8 to 16.11.5, 17.0 to 17.0.3, and 17.1 to 17.1.1. The flaw allows attackers to trigger a pipeline as another user under certain conditions, which can lead to unauthorized actions within GitLab. If exploited, it could allow an attacker to perform actions with the same permissions as the impersonated user, leading to potential data breaches, unauthorized code execution, and compromise of the CI/CD pipeline.

Internet Exposure? Yes
Patch? Yes

CVE-2024-20399: Cisco Nexus Switches

Cyble researchers also noted that Velvet Ant, a Chinese state-sponsored threat actor group, is actively exploiting vulnerability CVE-2024-20399. The group has been targeting Cisco Nexus switches to install custom malware. Exploiting this vulnerability allows attackers to gain root privileges on the compromised devices, enabling them to execute arbitrary commands, upload malicious files, and maintain persistent access. The exploitation of this vulnerability poses significant risks, including unauthorized access to sensitive data and potential disruption of network operations.

Patch? Yes

Vulnerabilities and Exploits Discussed on the Dark Web

Cyble researchers also noted a number of exploits they’ve seen for sale on the dark web, including proofs of concept (PoCs) for a Mozilla Firefox vulnerability (CVE-2024-29943), the OpenSSH vulnerability, and CVE-2024-28955 and CVE-2024-28955, path traversal vulnerabilities present in Sharp and Toshiba Tec's digital multi-function peripherals (MFPs). Cyble also noticed threat actors on forums discussing the CVE-2024-34102 vulnerability present in versions of Adobe Commerce and the CVE-2024-5565 vulnerability present in the Vanna Python library. The researchers also observed alleged zero days for sale affecting Google Chrome for Windows, ABB ASPECT control panels and EntroLink VPN appliances.

The full report, available for clients, covers all these vulnerabilities and more, including 17 industrial control system (ICS) vulnerabilities affecting the likes of Mitsubishi ICONICS, Johnson Controls and marKoni.


 Data Breach News

The Alabama State Department of Education (ALSDE) narrowly avoided a crippling ransomware attack on June 17, but not before hackers breached sensitive data, raising concerns about the security of student and employee information. While ALSDE officials successfully prevented a complete system lockdown, they acknowledged in a statement earlier this week that the attackers gained access to some data before being stopped. The department is currently working with federal law enforcement to investigate the scope of the breach and determine what information was compromised.

Education Ransomware Attacks Soar

The incident comes amidst a wave of cyberattacks targeting educational institutions across the United States. In fact, 2023 was the worst ransomware year on record for the education sector, with a 92% spike. Although the attacks were carried out by several ransomware gangs, LockBit and Rhysida (a rebrand of Vice Society) had the lion’s share of 2023 attacks, with half credited to them. While ransomware attacks against education are a global phenomenon, the U.S. education sector has faced 80% of known attacks.

Scope of Alabama Education Department Breach Unknown

The exact nature of the stolen data remains unclear. ALSDE has not confirmed the type of information compromised, but at a press conference, State Superintendent Eric Mackey warned that student and employee data, including "some personally identifiable information," may have been accessed. The department has set up a dedicated webpage, alabamaachieves.org/databreach, to provide updates on the investigation.

While ALSDE has taken steps to mitigate the damage, several questions remain unanswered. The investigation into the attack is ongoing, and the department has not responded to requests for further details about the compromised data. The potential impact on students, families, and school employees will depend on the nature and volume of the information accessed by the attackers.

The department reiterated its firm stance against negotiating with cybercriminals. "We have taken the position not to negotiate with foreign actors and extortionists," the department's statement said, reflecting growing law enforcement guidance against feeding the ransomware ecosystem.

Importance of Data Backups for Ransomware Protection

Despite the breach, ALSDE was able to restore its systems and data using clean backups, highlighting the importance of robust data backup and recovery strategies for organizations of all sizes. The incident underscores the need for educational institutions to invest in cybersecurity measures to protect sensitive student and staff data, and serves as a stark reminder of the growing cybersecurity threats faced by educational institutions. As schools continue to collect and store sensitive student data, robust cybersecurity protocols and incident response plans are critical to safeguard this valuable information.
