An authentication bypass vulnerability, tracked as CVE-2024-0204, was discovered in Fortra's GoAnywhere MFT versions prior to 7.4.1 and allows an unauthorized user to create an admin user via the administration portal. This vulnerability has a CVSS score of 9.8 with a high potential for exploitation, which we expect to see in the short term due to a proof of concept (PoC) being available. Fortra informed customers on December 4, 2023, of the flaw via an internal forum post.

Two vulnerabilities have been detected in in Citrix NetScaler ADC and NetScaler Gateway. These vulnerabilities are being tracked as CVE-2023-6549 and CVE-2023-6548 with CVSS scores of 8.2 and 5.5 respectively. They are under active exploitation, affecting the following product versions.

DARKGATE is Windows-based malware that is sold on the dark web. DARKGATE is a fully functional backdoor that can steal browser information, drop additional payloads, and steal keystrokes. Kroll previously noted DARKGATE’s distribution via Teams. When the DARKGATE payload runs on a victim system, it creates a randomly named folder within C:\ProgramData that contains encoded files. Within the randomly named folder is a short configuration file and the output of keystrokes logged on the system.

GitLab has addressed two critical vulnerabilities in the GitLab Community Edition and Enterprise Edition that require immediate attention.

Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog. Two zero-day vulnerabilities have been discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure and Ivanti Policy Secure gateways.

Ivanti released a patch for a critical vulnerability discovered in Ivanti Endpoint Manager (EPM) that could allow for remote code execution (RCE). This vulnerability is being tracked as CVE-2023-39336 with a CVSS score of 9.6 (Critical), which is not yet actively exploited. All versions of Ivanti EPM prior to Service Update 5 are impacted. Ivanti credits security researcher hir0t for the responsible disclosure.

Kroll forensic examiners and threat intelligence analysts identified a new phishing tactic targeting individuals using QR codes. Victims receive phishing emails impersonating Microsoft, letting them know that additional security measures are required and asking victims to scan the QR code in the body of the email or the email attachment.

Apache has released an advisory for a critical vulnerability discovered in Struts versions 2.0.0-2.3.37(EOL), 6.0.0-6.3.0.1 and 2.0.0-2.5.32. This vulnerability is being tracked as CVE-2023-50164 with a CVSS score of 9.8 (Critical) and is reportedly being actively exploited. Impacted versions are affected by a file upload and directory traversal vulnerability that can lead to remote code execution.

Effective threat detection is critical to achieving a mature cybersecurity posture. Yet with so many threat detection options on the market, from managed detection and response (MDR) to managed security service providers (MSSPs) to security information and event management (SIEM), choosing the most effective one for your organization can be challenging.

The threat landscape has evolved rapidly in recent years due to major changes in the way organizations operate and adopt new technologies. Cloud services such as Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) have seen massive growth over the last decade. With accelerated digital transformation, increased remote working and cloud adoption, the attack surface has increased for most organizations.