December 2, 2023

A number of new vulnerabilities with high severity scores are causing alarm among experts and cyber officials.

Actively exploited bugs affecting products from Citrix and Apache have recently been added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.

Incident responders at the cybersecurity firm Rapid7 warned of hackers linked to the HelloKitty ransomware exploiting a vulnerability affecting Apache ActiveMQ, tracked as CVE-2023-46604. Apache ActiveMQ is an open source message broker written in Java that facilitates communication between servers.

The incident responders said they have dealt with two situations in which HelloKitty ransomware was deployed after exploitation of the bug. Proof-of-concept exploit code is publicly available and resembles what they observed in the two incidents they responded to, Rapid7 said.

CISA added the vulnerability to its catalog of known exploited bugs on Thursday night, giving federal civilian agencies until November 23 to address the issue. The agency did not confirm whether ransomware actors were exploiting the bug.

Apache disclosed the vulnerability and released patched versions of ActiveMQ on October 25.

Researchers from Huntress confirmed that they too have seen hackers exploit the vulnerability and attempt to deploy the HelloKitty ransomware.

The vulnerability carries the highest possible CVSS severity score of 10 out of 10.

“Exploitation for this attack is trivial,” they said, adding that the module used in attacks “works like a charm against vulnerable instances of ActiveMQ.”

Mandiant warns of ‘Citrix Bleed’

A vulnerability dubbed ‘Citrix Bleed’ is being exploited in attacks on government organizations as well as companies in the professional services and technology industries. The vulnerability allows hackers to gain access to sensitive information, according to a security bulletin from Citrix.

On October 10, Citrix said the bug, CVE-2023-4966, affects NetScaler ADC and NetScaler Gateway appliances.

Researchers from the cybersecurity company AssetNote have since released a proof-of-concept (PoC) exploit. The bug was rated a 9.4 out of 10 on the CVSS severity scale.

Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August.

The Google-owned cybersecurity giant is currently investigating several instances of successful exploitation that allowed hackers to take over NetScaler ADC and Gateway appliances.

“The NetScaler exploitation is at large scale right now,” said Timothy Morris, a security adviser at the cyber firm Tanium.

CISA added the bug to its catalog of known exploited bugs last month, giving federal civilian agencies until November 8 to patch the issue.

But several cybersecurity experts warned that it is not enough to simply patch the vulnerability. Because the flaw leaks session tokens from appliance memory, sessions hijacked before the fix was applied remain valid until they are terminated, so patching alone does not evict an attacker who is already inside. Those using the products also need to investigate for indicators of compromise. Hoxhunt CEO Mika Aalto told Recorded Future News that it is likely many organizations that use the affected products have not implemented the recommended mitigations.

Scan data from ShadowServer shows that thousands of exposed NetScaler instances were still vulnerable to the issue as of November 2, with nearly 2,000 in North America alone. Cybersecurity expert Kevin Beaumont said at least two ransomware gangs are now attempting to exploit the vulnerability in attacks, while Mandiant found four different groups attempting exploitation.

Beaumont called on government cyber agencies to “start banging loud drums about getting orgs to patch #CitrixBleed” on the social media site Mastodon.

“People are going wild with it — it’s point and click simple access to Remote Desktop inside orgs firewalls without generating any alerts or logs,” he wrote.

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.