The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had previously disclosed an attack using this vulnerability against a critical infrastructure entity in June 2023.

Additionally, GreyNoise observed attempts to exploit another significant Citrix vulnerability, CVE-2023-24489, in the Citrix ShareFile system. This flaw, rated 9.1, allows unauthenticated file uploads and remote code execution, and has been fixed in ShareFile version 5.11.24 onwards.

Assetnote, a company specializing in attack surface management, identified this vulnerability, linking it to a simpler form of a padding oracle attack. Security expert Dylan Pindur highlighted the importance of understanding the behavior of AES encryption in .NET, particularly with Cipher Block Chaining mode and PKCS#7 padding, to identify potential padding oracle attacks.

The Shadowserver Foundation further updated that nearly 7,000 unpatched NetScaler ADC and Gateway instances remain online, with CVE-2023-3519 being actively exploited to install PHP web shells for remote access.

The hackers initially gained access by stealing tokens or using other attack techniques to obtain Microsoft 365 tenant credentials. They then sent fake support messages from these compromised accounts to trick recipients into revealing their credentials and MFA codes. A notable strategy included creating new domains under the legitimate Microsoft domain “onmicrosoft.com” to appear trustworthy, facilitating credential theft. Microsoft has notified affected customers and taken steps to prevent further misuse of the exploited domains.

Furthermore, security researchers from Jumpsec reported in June that they bypassed client-side security controls of Microsoft Teams to plant malware in other organizations’ mailboxes. While Microsoft did not see immediate remediation as necessary in this instance, the recent attacks underscore the significance of such vulnerabilities.

The campaign, active since late May 2023, impacted less than 40 organizations globally across various sectors. Midnight Blizzard used token theft, spear-phishing, password spraying, and brute-force attacks for initial access, then exploited on-premises environments to move laterally to the cloud, similar to the SolarWinds hack in 2020. In some attacks, the actor attempted to add devices as managed via Microsoft Entra ID to bypass conditional access policies.

The attacks also involved creating new onmicrosoft.com subdomains and users in previously compromised tenants to start Teams chats, masquerading as technical support or Microsoft’s Identity Protection team, to lure victims. Once the target accepted the chat, they were persuaded to enter a code into their Microsoft Authenticator app, granting the actor a token for account takeover and subsequent activities.

These incidents are part of a broader pattern, including phishing attacks against diplomatic entities in Eastern Europe delivering a new backdoor called GraphicalProton and exploiting Azure AD Connect to create undetectable backdoors and intercept credentials.

The concern centers on the potential exposure of user data, including source IP addresses, to those controlling connectivity check servers or monitoring network traffic. Such data could be exploited by sophisticated entities for further analysis. Mullvad stresses that while most Android users might not object to these checks, the privacy implications are significant for those relying on VPNs for complete security.

Android lacks user-facing options to disable this external traffic, prompting Mullvad to publish a technical guide on how to manually disable these connectivity checks. However, Google has responded to this issue by classifying it as intended behavior, arguing that the data revealed is minimal and the option to disable such traffic might confuse most users. They also point out that some VPNs may utilize this connectivity information.

Mullvad counters by emphasizing the importance of offering users the choice to prevent any potential data leaks. For Android users seeking absolute leak protection, the only current solution is to follow Mullvad’s guide to modify device settings and block these external connections.

However, a new threat has been identified by Aqua’s cybersecurity researchers: attackers are exploiting misconfigured Apache Tomcat servers to distribute Mirai botnet malware and cryptocurrency miners. Over two years, Aqua’s honeypots detected over 800 attacks on Tomcat servers, with 96% linked to the Mirai botnet.

The typical attack involves using the “neww” web shell script, originating from 24 different IP addresses. A brute force attack is launched against Tomcat servers to gain access to the web application manager using various credential combinations. Once inside, attackers deploy a WAR file containing ‘cmd.jsp’ web shell, allowing them to execute commands remotely and compromise the server.

The attack chain includes downloading and executing the “neww” script, which is later removed using the “rm -rf” command. This script downloads 12 binary files tailored to the system’s architecture. The WAR file, crucial for web applications, contains HTML, CSS, Servlets, and Classes, facilitating the deployment of the web app on compromised servers.

The final stage of the malware is a Mirai botnet variant, which uses infected hosts for DDoS attacks. The attackers infiltrate the web app manager with valid credentials, upload a disguised web shell in the WAR file, and execute commands remotely to initiate the attack.

With cryptocurrency mining’s growth (a 399% increase in attacks in the first half of 2023), the findings highlight the growing threat. To mitigate these attacks, cybersecurity analysts recommend proper configuration of environments, regular scans for threats, empowering teams with cloud-native vulnerability scanning tools, and using runtime detection and response solutions.