X-Force Exchange - Collection Feed

Summary A critical vulnerability in SonicWall SMA 100 series appliances has been disclosed by SonicWall. The vulnerability has a CVSS score of 9.8. Threat Type Vulnerability Overview A critical vulnerability in SonicWall's SMA 100 series appliances has been disclosed. The vulnerability could allow a remote, unauthenticated attacker to cause a buffer overflow which, in turn, would result in code execution as the 'nobody' user. SonicWall's PSIRT post states, "The Vulnerability is due to the SonicWall SMA SSL

Summary IBM X-Force Incident Command is following a recent disclosure regarding a vulnerability in the in the Log4j Java library. A report by LunaSec details the vulnerability as well as mitigation strategies for the vulnerability. Threat Type Vulnerability Overview ***UPDATE #9, January 5, 2021*** One of the largest cryptocurrency platforms in Vietnam (ONUS) has been hacked using the Log4Shell vulnerability. The payment software used by ONUS, Cyclos was compromised and escalated due to misconfigurations an

Summary IBM X-Force Incident Command is following a recent disclosure regarding a Windows-based zero-day attack that allows for local privilege escalation in Windows 10, Windows 11, and Windows Server. Threat Type Zero-Day Overview IBM X-Force Incident Command is following this disclosure of a zero-day exploit that allows for local privilege escalation in various versions of Windows to include Windows 10, 11, and Windows Server. The exploit has been tested and verified by Bleeping Computer. IBM has yet to v

Summary IBM X-Force Incident Command is following a breaking story regarding Nobelium and its ongoing espionage campaign. Nobelium is the same group responsible for the 2020 SolarWinds attack. Threat Type Espionage Overview IBM X-Force Incident Command is following an espionage campaign purportedly being carried out by Nobelium. Tracked by IBM as Hive0099, this group is the same group responsible for the 2020 SolarWinds attacks. Microsoft released an advisory on October 24, 2021 detailing the ongoing nature

Summary According to multiple sources, an Apache zero-day vulnerability that purportedly was being exploited in the wild has been patched. The vulnerability involved the HTTP Web Server project, as reported by The Record. Overview An actively exploited vulnerability in Apache's HTTP Web Server has been patched as of Monday, October 4. The vulnerability, CVE-2021-41773, affects only Apache web servers running version 2.4.49 and involves a bug in how the Apache server converts different URL path schemes. This

Summary Researchers at Claroty discovered 11 vulnerabilities in NagiosXI that, in combination, could be used to take over network infrastructure remotely. Updates to NagiosXI have been released to address the issues. Overview Eleven vulnerabilities in NagiosXI were discovered and disclosed by researchers at Claroty. These include remote code execution (RCE), server-side request forgery (SSRF), SQL injection, local privilege escalation (LPE), local file inclusion, open redirect, and path traversal vulnerabil

Summary Apple has issued a patch for a zero-click, zero-day vulnerability that can allow for the installation of a spyware program called Pegasus. Overview A vulnerability in Apple OS's has allowed for the execution and installation of the Pegasus spyware on phones of at least four Bahraini activists and possibly many more. A report from Citizen Lab details the vulnerability and inner workings of the Pegasus spyware. The vulnerability mainly targets users of iMessage by delivering a malicious link that doe

Summary A vulnerability in MSHTML is being exploited in the wild as reported by Microsoft and various media outlets. Overview ***UPDATE September 13, 2021*** Information has been uncovered by researchers that allows for the bypass of Microsoft's disabling of ActiveX. Threat actors have been able to replicate this workaround and have modified them for further capabilities as well as a new intrusion vector using document preview. On Thursday, September 9, 2021, threat actors shared public information about th

Summary A new vulnerability named ProxyToken has been disclosed by the Zero-Day Initiative Blog. Like ProxyShell, this vulnerability targets Microsoft Exchange servers. Overview A new vulnerability in Microsoft Exchange named ProxyToken has been observed by researchers and disclosed to the Zero-Day Initiative program. The vulnerability allows attackers to skip authentication and change an Exchange server's backend configuration. According to Le Xuan Tuyen, the original researcher credited for discovering th

Summary Multiple sources, including T-Mobile, have reported on a data breach that occurred against the cellular communications company. The data breach affects more than 100 million of T-Mobile's customers. Threat Type Data Breach Overview First reported by Vice on Saturday, August 14, T-Mobile has suffered a data breach that purportedly affects more than 100 million of its customers. More than 106GB of data, including social security numbers, names, addresses, IMEI numbers, and driver license information a

Summary IBM Security X-Force researchers have published a blog on Security Intelligence with additional information related to a recent Black Hat speaking engagement on ITG18's TTPs. Threat Type Threat Group, Malware Overview A supplemental blog from IBM Security X-Force researchers has uncovered more information on ITG18 on the heels of a Black Hat speaking engagement. According to researchers, continued analysis led to the observation of the successful compromise of victims within the Iranian reformist mo

Summary An attack on the University of California-San Diego Health's system has exposed personally identifiable information to hackers. The university and several news agencies have reported on the breach. Threat Type Data Breach, Phishing Overview A phishing email may have provided attackers with personally identifiable information from patients, employees, and students for an extended period of time. The breach occurred on or around December 2, 2020 and was only discovered March 12, 2021. The attackers m

Summary CERT/CC has issued a vulnerability note addressing a Microsoft Print Spooler Remote Code Execution flaw. Functional exploit code has been made available for this vulnerability. Threat Type Vulnerability Overview ***UPDATE July 7, 2021*** Microsoft has issued a patch as of Tuesday, July 6, 2021. KB5005010 addresses the remote code execution exploit. Microsoft is urging customers to immediately install the patch. The update also recommends configuring RestrictDriverInstallationToAdministrators registr

Summary A ransomware attack against a major IT firm has crippled operations globally for businesses that use the company. A statement from the firm states the attack has been limited to on-premise customers only. Threat Type Ransomware Overview On July 2, 2021, a ransomware attack against IT firm Kaseya, was reported. The company serves more than 40,000 customers via its Virtual System Administrator (VSA) software. The company immediately shut down its SaaS servers and contacted on-premises customers to sh

Summary JBS, the largest meat supplier in the United States, has published a media statement indicating they have fallen victim to a cyber security attack. Threat Type Breach Overview JBS, a major US meat supplier, published a media statement regarding a cyber security attack against their networks. The servers impacted were those that support their North American and Australian IT networks. In order to prevent the attack from continuing and spreading, JBS shut down affected systems, impacting operations an

Summary The actors behind the SolarWinds attack have leveraged a well-known contact management email site in a phishing campaign. Several news outlets and Microsoft's Threat Intelligence Center have provided details on the campaign. Threat Type Malware, Phishing Overview According to several news outlets and Microsoft's Threat Intelligence Center (MSTIC), the actors behind the SolarWinds attack have struck again, this time leveraging Constant Contact in order to carry out a phishing and malware campaign. Th

Summary Cisco has published one security advisory. The advisory is rated as Medium and deals with twelve vulnerabilities in the 802.11 standard, which were disclosed in the research paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation." Threat Type Vulnerability Overview Cisco has published one security advisory. The advisory is rated as Medium and deals with twelve vulnerabilities in the 802.11 standard, which were disclosed in the research paper "Fragment and Forge: Breaki

Summary Following the DarkSide ransomware attack on Colonial Pipeline, IBM Security X-Force has released a report providing a summary of the ransomware family, its tactics, techniques, and procedures (TTPs), and attribution. Threat Type Ransomware Overview IBM Security X-Force has published a report providing an overview of the DarkSide ransomware. The ransomware first appeared in August 2020 and is capable of encrypting Windows and Linux systems. DarkSide uses a "ransomware-as-a-service" (RaaS) model where

Summary SAP has released its May 2021 security patches for a variety of products. Each product and a link to details on the vulnerability are listed below. In all, 6 security notes were released. Of these, 3 are rated high, 2 are rated as medium, and 1 is rated as low. Additionally, there 5 are updates to previously released patches. The potential impact from successful exploitation of the most serious vulnerability is code injection. In addition, information disclosure, malicious redirection, and other nef

Summary The ICS-CERT has published fifteen advisories that affect Omron CX-One, Mitsubishi Electric GOT and Tension Controller, and a number of Siemens products. Threat Type Vulnerability Overview The ICS-CERT has published fifteen advisories that affect Omron CX-One, Mitsubishi Electric GOT and Tension Controller, and a number of Siemens products. Further information is available from the advisories which are summarized below. ICS Advisory ICSA-21-131-01 - Omron CX-One CVE-2021-27413 - The affected product