Top cybersecurity threats for August 2023
Author: Phil Muncaster
On the third Wednesday of every month, the Verizon Threat Research Advisory Center (VTRAC) holds a Monthly Intelligence Briefing (MIB) to discuss the current cybersecurity threat landscape. Below is a summary of the most recent briefing; a recording of the August briefing is also available.
August 2023 cyber threat intelligence briefing
At a glance, this MIB covered:
1. Ivanti released patches for a zero-day vulnerability and other bugs used in an attack on the Norwegian government
2. Researchers warned of a malicious campaign exploiting Citrix NetScaler zero-day
3. MOVEit organization victim count rose to over 1,100 with 56 million individuals impacted as Deloitte joined the list of affected firms
Top cybersecurity news
August 2023 cybersecurity and threat intelligence news you should know about.
- Infamous info-stealer malware Raccoon Stealer returned after a six-month break
- Bulletproof hosting service Lolek Hosted was dismantled and five individuals arrested
- The White House held the Back to School Safely Summit to strengthen cybersecurity in K-12 schools
- CISA revealed details about a backdoor malware variant used in attacks on Barracuda appliances earlier this year
Ivanti patches zero-day vulnerability and other bugs used in an attack on the Norwegian government
- The Norwegian National Cyber Security Centre announced a state-sponsored threat actor exploited an Ivanti zero-day vulnerability in an attack on the Norwegian government
- Researchers at Ivanti and Rapid7 discovered two more Ivanti vulnerabilities, and warned that the three could be chained in attacks
- The VTRAC has no intelligence about other victims of the zero-day bug
According to SecurityWeek.com, the Norwegian government announced that a zero-day vulnerability in cybersecurity vendor Ivanti's Endpoint Manager Mobile (EPMM) product (also known as MobileIron Core) enabled threat actors to compromise 12 government departments. The Cybersecurity and Infrastructure Security Agency (CISA) said the campaign, revealed in late July, dated back to at least April, with possible chaining observed between the zero-day (CVE-2023-35078) and another Ivanti vulnerability (CVE-2023-35081). The former is an authentication bypass that allowed remote attackers to obtain Personally Identifiable Information (PII), add an administrative account, and change the configuration. The latter enabled actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Both have been patched.
Ivanti and Rapid7 labeled the chained vulnerability CVE-2023-35082 and described it as a remote unauthenticated API access vulnerability in MobileIron Core 11.1 and older. Researchers warned that it could allow an attacker to write malicious webshell files to the appliance and then execute them. Some affected products are now out of support, so no new patches will be released for them. The VTRAC has not identified additional victims of the original zero-day attack.
Researchers warn of malicious campaign exploiting Citrix NetScaler zero-day
- NCC Group claimed over 1,900 Citrix appliances have been backdoored in a new campaign
- The campaign exploits the former zero-day vulnerability CVE-2023-3519
Security researchers at NCC Group revealed that over 1,900 Citrix appliances were compromised in a new campaign exploiting the former zero-day vulnerability CVE-2023-3519. Citrix posted an advisory about the critical bug—which enables unauthenticated remote code execution—and two others on July 18. It impacts NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).
NCC Group said that 31,000 devices were vulnerable to the zero-day at the time of the campaign. An automated process placed webshells on vulnerable NetScalers to gain persistent access and allow execution of arbitrary commands. It is unclear what the attackers' end goal is, but 1,828 appliances remained backdoored as of August 14. Of those, 1,248 had already been patched for CVE-2023-3519. NCC Group warned that patching removes the vulnerability but not a webshell that was planted before the patch was applied, so a patched appliance can still contain a backdoor.
MOVEit organization victim count rose to over 1,100 with 56 million individuals impacted as Deloitte joined the list of affected firms
- The MOVEit campaign has now impacted over 56 million individuals
- Deloitte, a large global auditing and accounting firm, became the third of the "Big Four" accounting firms to be caught out by the campaign
- This brings the total of known corporate victims close to 1,100
The Verizon Threat Research Advisory Center (VTRAC) estimates that over 56 million individuals around the world have been impacted by the MOVEit data theft campaign. That means their Protected Health Information (PHI) or PII could have been taken in the large-scale attack, which targeted the popular MOVEit managed file transfer software with a zero-day exploit. VTRAC assesses the number of organizations caught in the campaign at 1,100, as of the end of July. This includes Deloitte, the third of the Big Four accounting firms to be impacted, although Deloitte has said it has seen no evidence of an impact on client data.
According to Verizon's experts, these figures brought the total number of organizations known to have been victimized by ransomware this year to 2,776, including 472 in July, making July the worst month of the year so far. This count is based on victims that appear on leak sites and/or publicly disclose themselves, so the real figure is likely to be even higher.