Welcome to Safety Sunday, week 4, our weekly round-up of the world of cyber security (22 Jan – 28 Jan 2024).

We’re collecting notable incidents and vulnerability reports from the past week.

Ukrainian hacktivists deleted 2 PB of data from a Russian research centre

The main intelligence directorate of Ukraine’s Defense Ministry says pro-Ukrainian hacktivists have penetrated a Russian Space Hydrometeorology Center called Planeta and deleted 2 petabytes of data.

Planeta is a government research centre that uses data from space satellites and ground-based sources such as radars and weather stations to provide information and accurate forecasts on weather, climate, natural disasters and extreme events, as well as volcano monitoring.

The agency is affiliated with the Russian space agency Roscosmos and supports sectors such as the military, civil aviation, agriculture and maritime transport.

While the Ukrainian government has not said whether it was involved in the attack, it claims that hackers destroyed 280 servers used by the research centre, which contained 2 petabytes of data (2,000 terabytes).

Ukrainian intelligence reports that the damage caused by the data loss is estimated at $10,000,000, impacting the operation of the supercomputer clusters as well as years of research.

Critical Jenkins vulnerability exposes servers to RCE attacks

The maintainers of the open-source automation software, Jenkins, have resolved nine security vulnerabilities, including a critical flaw that could lead to remote code execution (RCE) if successfully exploited.

The vulnerability, tracked as CVE-2024-23897, was described as an arbitrary file read vulnerability via the built-in command-line interface (CLI).

“Jenkins uses the args4j library to parse arguments and command selections on the Jenkins controller when processing CLI commands,” the administrators said in a Wednesday document.

“This command parser has a function that replaces the @ character followed by a file path in an argument with the contents of the file (expandAtFiles). This function is enabled by default and is not disabled in Jenkins 2.441 and earlier and LTS 2.426.2 and earlier.”

An attacker can exploit the flaw to read arbitrary files in the file system.

SonarSource security researcher Yaniv Nizry is credited with discovering and reporting the vulnerability on 13 November 2023, and the bug was fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser feature.

As a short-term workaround until the fix can be applied, it is recommended to disable access to the CLI.

Apache ActiveMQ vulnerability exploited in new Godzilla Web Shell attacks

Cybersecurity researchers warn of a “remarkable increase” in activity from attackers actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell to compromised hosts.

“Web shells are hidden in an unknown binary format and are designed to evade security and signature-based scanners,” Trustwave said. “Remarkably, despite the unknown binary file format, the JSP ActiveMQ engine continues to compile and run the web shell.”

A web shell called Godzilla is a feature-rich backdoor capable of parsing incoming HTTP POST requests, executing their contents, and returning the results as an HTTP response.

Closer examination of the attack chain shows that the web shell code is converted to Java code before being executed by the Jetty Servlet Engine.

Apache ActiveMQ users are strongly advised to upgrade to the latest version as soon as possible to mitigate potential threats.

40,000 attacks in 3 days: critical Confluence RCE vulnerability is actively exploited by attackers

The CVE-2023-22527 vulnerability, which we informed you about in a previous episode of Security Sunday, allows unauthenticated attackers to achieve remote code execution.

The bug affects versions of Confluence Data Center and Server 8 released before 5 December 2023, as well as version 8.4.5.

Just days after the bug became public, it was already 19, according to the Shadowserver Foundation. On January 1, nearly 40,000 abuse attempts were recorded from more than 600 unique IP addresses.

Most of the attackers’ IP addresses originated in Russia (22,674), followed by Singapore, Hong Kong, the US, China, India, Brazil, Taiwan, Japan and Ecuador.

It was found that as of 21 January 2024, more than 11,000 instances were accessible via the Internet.

More than 5,300 GitLab servers are vulnerable to a zero-click account takeover attack

GitLab recently released security updates that address two critical vulnerabilities affecting both Community and Enterprise versions.

The most critical vulnerability, tracked as CVE-2023-7028 (CVSS score 10), is an account takeover via the password reset flow; it can be exploited to take over an account without any user interaction.

GitLab has fixed this bug in versions 16.7.2, 16.5.6 and 16.6.4.
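Both the Jenkins item (fixed in 2.442 and LTS 2.426.3) and the GitLab item (fixed in 16.7.2, 16.5.6 and 16.6.4) give fixes per release line, so the practical question for a defender is whether a given installed version sits before or after the fix for its line. The following Python is an added example, not code from Jenkins, GitLab or the original post: it takes the fixed versions stated above and classifies an inventory of installed versions. The inventory record format (`host product version cve`) and the hostnames are constructed for illustration, and treating a release line older than every listed fix (for example a GitLab 16.4.x release) as affected is this script's own inference rather than something the post states.

```python
import re
from typing import Optional

# First fixed release of each release line, as stated in the two items above.
# Lines are told apart by their component count: Jenkins weekly releases are
# X.Y, while Jenkins LTS and GitLab releases are X.Y.Z.
FIXED_VERSIONS = {
    "CVE-2024-23897": [(2, 442), (2, 426, 3)],               # Jenkins 2.442, LTS 2.426.3
    "CVE-2023-7028": [(16, 7, 2), (16, 5, 6), (16, 6, 4)],   # GitLab 16.7.2, 16.5.6, 16.6.4
}


def parse_version(text: str) -> tuple:
    """Turn '2.426.2' or 'v16.7.1' into a tuple of ints for ordered comparison."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str, fixes: list) -> Optional[bool]:
    """True if the version predates the fix for its release line, False if it is
    at or beyond the fix, None if the fix list says nothing about a line of that
    shape (for example a two-component version checked against X.Y.Z fixes)."""
    v = parse_version(version)
    # Only compare against fixes from the same versioning scheme, so a Jenkins
    # weekly '2.441' is never measured against the LTS fix '2.426.3'.
    candidates = [f for f in fixes if len(f) == len(v)]
    if not candidates:
        return None
    same_line = [f for f in candidates if f[:-1] == v[:-1]]
    if same_line:
        return v < min(same_line)
    if v > max(candidates):
        return False   # a line newer than every fixed line shipped after the fix
    if v < min(candidates):
        return True    # an older line with no backported fix listed (inference)
    return None        # a line between fixed lines with no entry: do not guess


def check_inventory(lines, fixes=FIXED_VERSIONS):
    """Classify constructed 'host product version cve' records as AFFECTED,
    PATCHED or UNKNOWN. A CVE id with no fix data is reported as UNKNOWN."""
    results = []
    for line in lines:
        host, product, version, cve = line.split()
        fix_list = fixes.get(cve)
        verdict = is_affected(version, fix_list) if fix_list else None
        status = {True: "AFFECTED", False: "PATCHED", None: "UNKNOWN"}[verdict]
        results.append((host, product, version, cve, status))
    return results


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    "ci-01 jenkins 2.441 CVE-2024-23897",
    "ci-02 jenkins 2.426.2 CVE-2024-23897",
    "ci-03 jenkins 2.442 CVE-2024-23897",
    "git-01 gitlab 16.7.1 CVE-2023-7028",
    "git-02 gitlab 16.5.6 CVE-2023-7028",
    "git-03 gitlab 16.4.4 CVE-2023-7028",
]

if __name__ == "__main__":
    for host, product, version, cve, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {product:8} {version:10} {cve:16} {status}")
```

The line-aware comparison matters because a plain "is the version number bigger than the fix" test gets backported fixes wrong: GitLab 16.5.6 is numerically below 16.7.2 but is patched, while Jenkins LTS 2.426.2 is numerically below weekly 2.441 yet is a different release line with its own fix.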

Tesla hacked, 24 zero-days abused at Pwn2Own Tokyo

During the Pwn2Own Automotive 2024 hacking competition, security researchers hacked into Tesla’s infotainment system and presented 24 zero-day vulnerabilities.

The Synacktiv team took home $100,000 after chaining two zero-day sandbox leaks and hacking Tesla’s infotainment system.

Synacktiv also earned an additional $295,000 after gaining root on a Tesla modem and using three exploit chains to hack into Ubiquiti Connect EV and JuiceBox 40 smart charging stations, exploiting a total of seven zero-day vulnerabilities.

The Pwn2Own Automotive 2024 hacking competition took place in Tokyo, Japan, during the Automotive World conference from 24 to 26 January and focused on automotive technology.

After the Pwn2Own competition ends, vendors have 90 days to release security patches before Trend Micro’s Zero Day Initiative discloses the vulnerabilities.

Apple releases patch for critical zero-day vulnerability in iPhones and Macs

Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS and the Safari web browser that address a zero-day vulnerability that was being actively exploited.

The issue, tracked as CVE-2024-23222, is a type confusion vulnerability in the WebKit browser engine that an attacker can exploit to execute arbitrary code. The tech giant said the issue has been fixed with improved checks.

This is the first actively exploited vulnerability Apple has patched this year. Last year, the iPhone maker dealt with 20 zero-days that were used in real attacks.

Critical Cisco vulnerability allows hackers to remotely control Unified Communications systems

Cisco has released updates that address a critical security flaw in its Unified Communications and Contact Center Solutions products that could allow an unauthenticated remote attacker to execute arbitrary code.

The issue, tracked as CVE-2024-20253 (CVSS score: 9.9), stems from improper processing of user-provided data, which an attacker can exploit by sending a specially crafted message to a listening port on the device.

“Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system with the privileges of a Web services user,” Cisco said in an advisory. “With access to the underlying operating system, an attacker could also gain root access on the compromised device.”

Interested in cyber security? Check out the next episodes of our weekly magazine Safety Sunday.