VULNERA Pulse

CVE-2024-27198

CRITICAL CVSS 9.80 EPSS Score 97.05 EPSS Percentile 99.74

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: March 4, 2024

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible

Vendor Impacted: Jetbrains

Product Impacted: Teamcity

Quotes

• At the most basic level, AI has given malicious attackers superpowers
• Began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's Go backdoor
• The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server
• As we have seen throughout 2023 and into 2024, BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities. This behavior aligns with what GRIT has assessed and hypothesized in our 2024 ransomware report, and we expect this type of behavior to continue to grow, especially for groups that leverage a data-exfiltration-only approach to ransomware

Headlines

• March 11, 2024 - BianLian Threat Actor Shifts Focus to Extortion-Only Tactics
• March 11, 2024 - Recent TeamCity Vulnerability Exploited in Ransomware Attacks
• March 11, 2024 - BianLian group exploits JetBrains TeamCity bugs in ransomware attacks
• March 11, 2024 - BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks
• March 11, 2024 - Security Alert: BianLian Deploys New PowerShell Weapon
• March 10, 2024 - Week in review: Attackers use phishing emails to steal NTLM hashes, Patch Tuesday forecast
• March 10, 2024 - newsletter Round 462 by Pierluigi Paganini
• March 9, 2024 - CISA adds JetBrains TeamCity bug to its Known Exploited Vulnerabilities catalog

CVE-2023-42793

CRITICAL CVSS 9.80 EPSS Score 97.34 EPSS Percentile 99.88

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Sept. 19, 2023

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible

Vendor Impacted: Jetbrains

Product Impacted: Teamcity

Quotes

• Began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's Go backdoor
• As we have seen throughout 2023 and into 2024, BianLian continues to prove how they can adapt to a changing environment, especially in regards to the exploitation of emerging vulnerabilities. This behavior aligns with what GRIT has assessed and hypothesized in our 2024 ransomware report, and we expect this type of behavior to continue to grow, especially for groups that leverage a data-exfiltration-only approach to ransomware

Headlines

• March 11, 2024 - BianLian Threat Actor Shifts Focus to Extortion-Only Tactics
• March 11, 2024 - BianLian group exploits JetBrains TeamCity bugs in ransomware attacks
• March 11, 2024 - BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks
• March 11, 2024 - Security Alert: BianLian Deploys New PowerShell Weapon

CVE-2024-21762

CRITICAL CVSS 9.80 EPSS Score 2.29 EPSS Percentile 89.36

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Feb. 9, 2024

A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests

Vendor Impacted: Fortinet

Products Impacted: Fortiproxy, Fortios

Quotes

• A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests

Headlines

• March 10, 2024 - newsletter Round 462 by Pierluigi Paganini
• March 9, 2024 - Critical Fortinet FortiOS bug CVE-2024-21762 potentially impact 150,000 internet-facing devices

CVE-2022-24086

CRITICAL CVSS 9.80 EPSS Score 28.86 EPSS Percentile 96.74

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Feb. 16, 2022

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

Vendors Impacted: Adobe, Magento

Products Impacted: Commerce, Magento, Commerce And Magento Open Source

Quotes

• Barely has any protective measures

Headlines

• March 12, 2024 - Hackers leverage 1-day vulnerabilities to deliver custom Linux malware
• March 9, 2024 - Magnet Goblin hackers use 1-day flaws to drop custom Linux malware

CVE-2024-22252

CRITICAL CVSS 9.30 EPSS Score 0.04 EPSS Percentile 7.08

Public Exploits Available

Published: March 5, 2024

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Quotes

• At the most basic level, AI has given malicious attackers superpowers

Headlines

• March 11, 2024 - Thousands of VMware ESXi Instances Exposed to Critical CVE-2024-22252 Vulnerability
• March 10, 2024 - Week in review: Attackers use phishing emails to steal NTLM hashes, Patch Tuesday forecast

CVE-2024-21887

CRITICAL CVSS 9.10 EPSS Score 97.30 EPSS Percentile 99.86

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure And Policy Secure, Policy Secure, Connect Secure

Quotes

• This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience
• The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time
• While tracking the recent waves of Ivanti exploitation, we identified a number of activities leading to the download and deployment of an ELF file which turned out to be a Linux version of NerbianRAT. This cluster of activity, also described in a Darktrace report, was characterized by the download of a variety of payloads from an attacker-controlled infrastructure

Headlines

• March 11, 2024 - Ivanti Breach Prompts CISA to Take Systems Offline
• March 11, 2024 - Magnet Goblin group used a new Linux variant of NerbianRAT malware
• March 9, 2024 - Threat actors breached two crucial systems of the US CISA
• March 9, 2024 - Magnet Goblin hackers use 1-day flaws to drop custom Linux malware

CVE-2023-46805

HIGH CVSS 8.20 EPSS Score 96.27 EPSS Percentile 99.49

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Jan. 12, 2024

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure And Policy Secure, Policy Secure, Connect Secure

Quotes

• This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience
• The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time
• Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian

Headlines

• March 11, 2024 - Ivanti Breach Prompts CISA to Take Systems Offline
• March 11, 2024 - Magnet Goblin Exploits 1-Day Ivanti Vulnerabilities
• March 9, 2024 - Threat actors breached two crucial systems of the US CISA
• March 9, 2024 - Magnet Goblin hackers use 1-day flaws to drop custom Linux malware

CVE-2024-21893

HIGH CVSS 8.20 EPSS Score 96.25 EPSS Percentile 99.48

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 31, 2024

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Vendor Impacted: Ivanti

Products Impacted: Connect Secure, Policy Secure, And Neurons, Policy Secure, Neurons For Zero-Trust Access, Connect Secure

Quotes

• This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience
• The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time

Headlines

• March 11, 2024 - Ivanti Breach Prompts CISA to Take Systems Offline
• March 9, 2024 - Threat actors breached two crucial systems of the US CISA
• March 9, 2024 - Magnet Goblin hackers use 1-day flaws to drop custom Linux malware

CVE-2024-27199

HIGH CVSS 7.30 EPSS Score 0.05 EPSS Percentile 19.45

Risk Context N/A

Published: March 4, 2024

In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible

Quotes

• At the most basic level, AI has given malicious attackers superpowers
• The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server

Headlines

• March 11, 2024 - Recent TeamCity Vulnerability Exploited in Ransomware Attacks
• March 10, 2024 - Week in review: Attackers use phishing emails to steal NTLM hashes, Patch Tuesday forecast
• March 10, 2024 - newsletter Round 462 by Pierluigi Paganini
• March 9, 2024 - CISA adds JetBrains TeamCity bug to its Known Exploited Vulnerabilities catalog

CVE-2023-6000

MEDIUM CVSS 6.10 EPSS Score 0.05 EPSS Percentile 14.15

Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 1, 2024

The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

Vendor Impacted: Sygnoos

Product Impacted: Popup Builder

Quotes

• These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024
• These injections serve as handlers for various Popup Builder events such as sgpb-ShouldOpen, sgpb-ShouldClose, sgpb-WillOpen, sgpbDidOpen, sgpbWillClose, sgpb-DidClose. The events fire at different stages of the legitimate site’s popup display process

Headlines

• March 12, 2024 - Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites
• March 11, 2024 - Hackers exploited WordPress Popup Builder plugin flaw to compromise 3,300 sites
• March 10, 2024 - Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware