Known PHP Flaw Actively Exploited for RCE; Fortra: Malicious Use of Cobalt Strike Down 80 Percent

There is a critical OS command injection vulnerability (CVE-2024-4577) in PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 that can be exploited to achieve remote code execution. Researchers from Cisco Talos have detected a campaign exploiting this vulnerability, ongoing since at least January of this year, targeting organizations in Japan. The Talos researchers note that 'the attacker utilizes plugins of the publicly available Cobalt Strike kit 'TaoWu' for-post exploitation activities.' Researchers from GreyNoise now 'confirm that exploitation of CVE-2024-4577 extends far beyond initial reports.' There are nearly 80 known exploits for the vulnerability; a patch was made available last year.

Cobalt Strike is a legitimate offensive security tool that has been used by threat actors to conduct malicious activity. Fortra, which purchased Cobalt Strike in 2020, notes in a recent blog post that 'over the past two years, the number of unauthorized copies of Cobalt Strike observed in the wild has decreased by 80%.' The decline is being attributed to a collaborative effort between Fortra, Microsoft's Digital Crimes Unit (DCU), and the Health Information Sharing and Analysis Center (Health-ISAC). In March 2023, the three entities obtained a court order allowing them to take down the 'malicious infrastructure' used by threat actors exploiting Cobalt Strike for malicious purposes.

Critical infrastructure operators in Switzerland will soon be required to report cyberattacks within 24 hours. The mandate, which comes in the form of an amendment to the country's Information Security Act, will take effect on April 1, 2025. Covered organizations will be required to report cyberattacks to Switzerland's National Cybersecurity Centre (NCSC) when 'the functionality of the affected critical infrastructure is endangered; [the incident] has resulted in manipulation or leakage of information remained undetected for a long period of time, especially if there are indications that it was carried out in preparation for further cyberattacks, or involves blackmail, threats or coercion.' Following a six-month grace period, organizations failing to comply with the requirement will face fines of up to CHF 100,000 ($113,500).

Last year, researchers from Palo Alto Networks Unit 42 identified five high-severity vulnerabilities affecting Mitsubishi Electric and ICONICS Suite Supervisory Control and Data Acquisition (SCADA) system. The flaws could be exploited to attain elevated privileges, create denial-of-service (DoS) conditions, and in certain cases, completely compromise unpatched systems. Unit 42 notified ICONICS of their findings and ICONICS released patches, advisories, and workarounds to address the issues.

The US Federal Bureau of Investigation's (FBI's) Internet Crime Complaint Center (IC3) has published an alert warning that threat actors have been sending letters to C-suite executives, claiming that the targeted organization's network has been infiltrated by ransomware actors. The letters claim the threat actors have stolen data and threaten to publish the information unless a ransom is paid.

Four recently-disclosed breaches affecting healthcare organizations affect amore than 560,000 individuals in total. Kansas-based Sunflower Medical Group became aware of anomalous activity on its network in early January; an investigation revealed that intruders had had access to Sunflower's systems since mid-December 2024. According to a filing with Maine's Attorney General, the breach affects nearly 221,000 people. Gastroenterology Associates of Central Florida reported a breach affecting more than 122,000 people; Community Care Alliance in Rhode Island reported a breach affecting nearly 115,000 people; and Hillcrest Convalescent Center in North Carolina reported a breach affecting just over 106,000 people.

Late last year, researchers from Microsoft Threat Intelligence detected a malvertising campaign that targeted nearly one million Windows-based devices and attempted to exfiltrate sensitive data. In a detailed blog post, Microsoft Threat Intelligence writes, 'The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms.' The blog offers their analysis of the malvertising campaign and details findings about the payloads used in the attack.

A US federal jury has convicted Davis Lu on the charge of causing intentional damage to protected computers, for sabotaging systems at his former place of employment. Lu worked as a software developer for an Ohio company from November 2007 until October 2019. 'Following a 2018 corporate realignment that reduced his responsibilities and system access, Lu began sabotaging his employer's systems, creat[ing] 'infinite loops' (in this case, code designed to exhaust Java threads by repeatedly creating new threads without proper termination and resulting in server crashes or hangs), deleted coworker profile files, and implemented a 'kill switch' that would lock out all users if his credentials in the company's active directory were disabled.' The charge carries a maximum prison sentence of 10 years.

The city of Mission, Texas has asked the governor to declare a state of emergency following a cyberattack that compromised city government computer systems. According to a letter from Mission Mayor Norie Gonzalez Garza to Texas Governor Greg Abbott, the incident 'could release protected personal information, protected health information, civil and criminal records, and/or any and all other data held by the City of Mission and all departments within the City.' Mission city systems have been taken offline, but emergency services are reportedly operational.