Welcome to our monthly Threat Highlight Report for November 2023

In this report, we provide an overview of the cybersecurity news, changing threat landscape, and relevant advice.

The November report covers:

  • Exploitation of Vulnerabilities
  • SolarWinds Lawsuit
  • Ransomware Trends and Notable Reports

1. Exploited Vulnerabilities:

  • Apache ActiveMQ (CVE-2023-46604): This vulnerability allows a remote attacker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. It is being actively targeted by ransomware groups including HelloKitty.
  • Atlassian Confluence (CVE-2023-22518): This vulnerability can result in significant data loss when exploited by an unauthenticated attacker. It is being actively targeted by threat actors including ransomware groups.
  • SysAid Server (CVE-2023-47246): This is a path traversal vulnerability that leads to code execution. It was publicly disclosed on November 8, 2023, but had already been targeted by the Lace Tempest group on November 2, 2023.
  • F5 BIG-IP (CVE-2023-46747): Threat actors are exploiting this vulnerability together with CVE-2023-46748 as part of an exploit chain in observed attacks in the wild. Patches are available to fix this issue, and F5 have released relevant advice.
  • WinRAR (CVE-2023-38831): This vulnerability has been targeted by numerous threat actors since April 2023. In a recent campaign, it is alleged that Russia is using the vulnerability to target Azerbaijan, Greece, Romania, and Italy for the purposes of espionage.

2. SolarWinds Lawsuit:

The SEC has filed a lawsuit against SolarWinds and its CISO, Timothy Brown, alleging that the defendants' attitude and behaviors led to poor cybersecurity practices. The lawsuit alleges that SolarWinds' public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the company's cybersecurity policy violations, vulnerabilities, and cyberattacks.

3. Ransomware Trends and Notable Reports:

  • Increase in ransomware activity: There has been a 25% increase in ransomware activity compared to October 2023, which is a return to "normal" figures.
  • LockBit's Citrix Bleed campaign: This campaign highlights the danger associated with CVE-2023-4966 ("Citrix Bleed"), a vulnerability in Citrix NetScaler ADC and Gateway that has allowed attackers to steal session cookies/tokens and thereby gain initial access to networks.

Stay informed about the latest cybersecurity threats and trends by subscribing to WithSecure's monthly threat highlights report!