Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Latest Posts

Exploitation of Confluence Server Vulnerability CVE-2023-22527 Leading to C3RB3R Ransomware

On January 4, 2024, Atlassian disclosed CVE-2023-22527, a template injection vulnerability affecting Confluence Data Center and Server versions 8.0.0 to 8.5.3. The vulnerability allows for unauthenticated remote code execution to be achieved on affected versions of the software. Arctic Wolf Labs has observed evidence of C3RB3R ransomware, as well as several other malicious payloads, being deployed following exploitation of CVE-2023-22527. We present our preliminary findings here.

AnyDesk Confirms Unauthorized Access to Production Systems

On February 2, 2024, AnyDesk confirmed a compromise of its production systems in a security advisory, leading the company to revoke all security-related keys, including the cryptographic code-signing certificate used to publish their software. As an additional precaution, AnyDesk also reset user passwords on the AnyDesk web portal. AnyDesk has started using a new code signing certificate as of AnyDesk version 8.0.8.

How to Better Implement a Zero Trust Strategy

Access is everything within a network or system. As organizations race to adopt the cloud, relax rules around permitting workers to use their own devices, and continue to embrace hybrid work models, employees gain unprecedented access to data, allowing them to work from anywhere at any time. But this also creates a vast attack surface that hackers are all too willing to exploit. And helps explain why identity-based attacks are on the rise.

The Importance of Identity and Access Management

The business world has an identity problem. According to Verizon’s 2023 Data Breach Investigations Report, 74% of all breaches involve the human element, with people involved either through error, privilege misuse, social engineering, or stolen credentials — the latter three of which directly involve the management (and mismanagement) of user identities. Moreover, this percentage stands poised to grow.

CVE-2024-21893: New Ivanti Zero-Day Vulnerability Actively Exploited

On January 31, 2024, Ivanti published an article disclosing two high severity vulnerabilities: CVE-2024-21893: A server-side request forgery flaw present in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons. This vulnerability allows an unauthenticated threat actor to access restricted resources. Ivanti reports that a limited number of customers have been affected by this vulnerability.

Understanding Tactics, Techniques, and Procedures

Microsoft PowerShell is a ubiquitous piece of software. It’s also, unfortunately, a major attack vector for threat actors. Once a threat actor has initial access into a network, they can utilize the commands and scripts components of PowerShell to conduct reconnaissance or inject fileless malware into the network. This activity is so common it’s continually listed as one of the top tactics, techniques, and procedures (TTPs).

CVE-2024-0204: Critical Authentication Bypass in Fortra's GoAnywhere MFT

On January 22, 2024, Fortra publicly disclosed a critical vulnerability, CVE-2024-0204, in their GoAnywhere MFT product. This vulnerability, which was responsibly disclosed to Fortra by Spark Engineering Consultants, had been patched on December 7, 2023. CVE-2024-0204 is a severe authentication bypass vulnerability with a CVSS score of 9.8.

Understanding Indicators of Compromise and Their Role in Cybersecurity

Through a known vulnerability, a threat actor gains access to an organization, and begins to alter the network activity, running unusual enumeration commands. Then, to make a lateral move, the threat actor uses stolen credentials to log into various applications within said network. The cybersecurity monitoring solution at work, in this case Arctic Wolf® Managed Detection and Response, then picks up an IP address associated with Finland connecting to the network.

13 Types of Malware Attacks - and How You Can Defend Against Them

If a malware attack is successful, it can result in lost revenue, unexpected down time, stolen data, and more costly consequences. With over 450,000 new malicious programs registered each day by independent IT security institute AV-Test, malware may be the biggest threat to your organization. There are many different types of malware and attackers are continually innovating more complex, harder-to-detect versions. Now is the time to take proactive steps to protect your organization.

CherryLoader: A New Go-based Loader Discovered in Recent Intrusions

Arctic Wolf Labs has been tracking two recent intrusions where threat actors leveraged a new Go-based malware downloader we are calling “CherryLoader” that allowed them to swap exploits without recompiling code. The loader’s icon and name masqueraded as the legitimate CherryTree note taking application to trick the victims.