Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

February 2024

CVE-2024-1709 & CVE-2024-1708: Follow-Up: Active Exploitation and PoCs Observed for Critical ScreenConnect Vulnerabilities

On February 20, 2024, we published a security bulletin detailing newly disclosed authentication bypass and path traversal vulnerabilities in ConnectWise ScreenConnect. Shortly after the bulletin was sent, ConnectWise updated their security bulletin with IOCs from observed active exploitation of these vulnerabilities. On February 21, 2024, the vulnerabilities were assigned the following CVE numbers.

Operation Cronos: The Takedown of LockBit Ransomware Group

On February 20, 2024, the National Crime Agency (NCA) of Britain and the Federal Bureau of Investigation (FBI) announced the successful disruption of the Lockbit ransomware gang, marking a significant milestone in the fight against cybercrime. This operation, known as Operation Cronos, was a collaborative effort involving law enforcement agencies from the UK, the US, and several other countries, with support from private sector partners.

Understanding and Responding to Ransomware

As cybercrime evolves, one avenue for attack has risen to prominence across the world: Ransomware. According to Arctic Wolf’s State of Cybersecurity 2023 Trends Report, 48% of organizations view ransomware as the top attack vector concern. A concern comes with just cause, as the Arctic Wolf Labs 2024 Threats Report showed 48.6% of incidents investigated by Arctic Wolf were ransomware attacks.

CVE-2024-21410, CVE-2024-21413, and CVE-2024-21401 Lead the list of Critical & Actively Exploited Vulnerabilities in Microsoft's February 2024 Patch Tuesday

On February 13, 2024, Microsoft published their February 2024 security update with patches for 73 vulnerabilities. Among these vulnerabilities, Arctic Wolf has highlighted 5 vulnerabilities in this bulletin that were categorized as critical or zero-day vulnerabilities. Two of these vulnerabilities have been reported to be exploited in the wild.

Critical Vulnerabilities in ConnectWise ScreenConnect Patched

On February 19, 2024, ConnectWise published a security bulletin detailing two critical vulnerabilities within their on-premises ScreenConnect software. At the time of writing, these vulnerabilities do not have CVE numbers assigned to them. ConnectWise has stated that the vulnerabilities have the potential to result in remote code execution (RCE). Vulnerability #1 (CVSS: 10): Allows a threat actor to achieve authentication bypass by leveraging an alternate path/channel.

Understanding Identity Threat Detection and Response

When it comes to modern systems and networks, identities are the new perimeter. Long gone are the days of singular office-bound systems with a set server room and endpoints that stayed on desks. With the rise of hybrid work models, cloud computing, and rapid digitization in industries like healthcare and manufacturing, it’s a user’s identity that holds increasing power over a network’s function and security.

Always Ahead: Arctic Wolf on Artificial Intelligence

In this episode of Always Ahead, our Chief Product Officer Dan Schiappa explains how Arctic Wolf is incorporating the efficiency and speed of artificial intelligence into our security journey, empowering our world-class security concierge team to deliver comprehensive protection at the speed of data.

The Howler - Episode 6: Mark Manglicmot, Senior Vice President, Security Services

In this episode, our hosts sit down with Mark Manglicmot, Senior Vice President of Security Services at Arctic Wolf, who brings his fun, energetic personality to the podcast while sweating it out over hot sauce! Interested in running with the pack? Explore careers at Arctic Wolf — one of the fastest-growing and exciting cybersecurity companies in the world, to learn about how you can join our Pack, create impact, and influence what’s next in security operations.

How K-12 Organizations Can Better Protect Students' Digital Identities

The education industry isn’t just in the business of teaching students, it’s also responsible for a lot of data, primarily personally identifiable information (PII), making these organizations a major target for threat actors. In March of 2023, Minneapolis Public Schools saw ransomware group Medusa publish current and former students “former student records, parent contacts, home addresses and IDs with pictures.” Unfortunately, this instance isn’t an outlier.

CVE-2024-22024: New High-severity Ivanti Authentication Bypass Vulnerability

On February 8, 2024, Ivanti publicly disclosed a high-severity authentication bypass vulnerability (CVE-2024-22024) impacting Ivanti Connect Secure, Policy Secure, and ZTA products. CVE-2024-22024 is an XML external entity (XXE) flaw in the SAML component and could allow threat actors to bypass authentication and access certain restricted resources if successfully exploited.

CVE-2024-21762 and CVE-2024-23113: Multiple Critical Vulnerabilities in Fortinet, One Likely Under Active Exploitation

On February 8, 2024, Fortinet’s FortiGuard disclosed two critical vulnerabilities affecting FortiOS. CVE-2024-23113, a format string vulnerability, and CVE-2024-21762, an out-of-bounds write vulnerability, could allow unauthenticated threat actors to execute arbitrary code or commands. FortiGuard has stated they are aware of potential exploitation of CVE-2024-21762.

PRC State-Sponsored Threat Actors (Volt Typhoon) Target Critical Infrastructure Entities

On February 7, 2024, CISA issued an advisory detailing their discoveries concerning state-sponsored cyber actors linked to the People’s Republic of China (PRC). Notably, the PRC-affiliated threat actor, Volt Typhoon, is actively engaged in efforts to infiltrate IT networks, with the potential aim of launching cyber attacks on vital U.S. infrastructure in the event of a substantial crisis or conflict with the United States.

Exploitation of Confluence Server Vulnerability CVE-2023-22527 Leading to C3RB3R Ransomware

On January 4, 2024, Atlassian disclosed CVE-2023-22527, a template injection vulnerability affecting Confluence Data Center and Server versions 8.0.0 to 8.5.3. The vulnerability allows for unauthenticated remote code execution to be achieved on affected versions of the software. Arctic Wolf Labs has observed evidence of C3RB3R ransomware, as well as several other malicious payloads, being deployed following exploitation of CVE-2023-22527. We present our preliminary findings here.

Arctic Wolf's 24x7 Monitoring Secures Parramatta's Fans and Members Valuable Data

As two of the most recognizable brands in Western Sydney, Parramatta Eels and Parramatta Leagues Club know that cyber threats are always lurking. Thanks to a comprehensive partnership with Arctic Wolf, the club is able to to focus on a full digital transformation to become a club of the future, providing fans and members with customized experiences while expanding the breadth and depth of their cybersecurity.

AnyDesk Confirms Unauthorized Access to Production Systems

On February 2, 2024, AnyDesk confirmed a compromise of its production systems in a security advisory, leading the company to revoke all security-related keys, including the cryptographic code-signing certificate used to publish their software. As an additional precaution, AnyDesk also reset user passwords on the AnyDesk web portal. AnyDesk has started using a new code signing certificate as of AnyDesk version 8.0.8.

How to Better Implement a Zero Trust Strategy

Access is everything within a network or system. As organizations race to adopt the cloud, relax rules around permitting workers to use their own devices, and continue to embrace hybrid work models, employees gain unprecedented access to data, allowing them to work from anywhere at any time. But this also creates a vast attack surface that hackers are all too willing to exploit. And helps explain why identity-based attacks are on the rise.

The Importance of Identity and Access Management

The business world has an identity problem. According to Verizon’s 2023 Data Breach Investigations Report, 74% of all breaches involve the human element, with people involved either through error, privilege misuse, social engineering, or stolen credentials — the latter three of which directly involve the management (and mismanagement) of user identities. Moreover, this percentage stands poised to grow.

CVE-2024-21893: New Ivanti Zero-Day Vulnerability Actively Exploited

On January 31, 2024, Ivanti published an article disclosing two high severity vulnerabilities: CVE-2024-21893: A server-side request forgery flaw present in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons. This vulnerability allows an unauthenticated threat actor to access restricted resources. Ivanti reports that a limited number of customers have been affected by this vulnerability.