MITRE’s Security Snafu: A Cybersecurity Giant Falls Victim to Nation-State Attack

Attention cyber defenders: Even MITRE’s armor has chinks! Its NERVE was hit by zero-day exploits, courtesy of a nation-state actor. Patch up, people—this cyber siege is a stark reminder to fortify your digital fortresses. #CybersecurityWakeUpCall

Hot Take:

MITRE might stand for “Masters In The Realm of Encryption,” but even they can’t escape the clutches of cyber villains. As the cyber overlords chuckle in delight, we’re reminded that in the game of digital hide-and-seek, nobody can hide for too long, not even the big brains at MITRE. And in other news, the cyber watchdogs are barking up the Cisco tree again, while Atlassian trips over its Bamboo sticks, and a telehealth firm learns the hard way that sharing isn’t always caring.

Key Points:

  • MITRE, the cyber smarty-pants, got digitally dunked on by a crafty nation-state, proving that no one’s cyber cape is impenetrable.
  • Cisco’s VPN has become the hackers’ favorite playground, thanks to some vintage vulnerabilities still kicking around.
  • Atlassian’s Bamboo has hit the deck with a trio of critical vulnerabilities, but they’ve patched it up faster than you can say “software update.”
  • A smorgasbord of CVSS scores higher than your last game of Jenga is highlighting vulnerabilities in everything from PLCs to health data.
  • Cerebral, the telehealth company, just got a multimillion-dollar slap on the wrist for treating customer data like it’s swapping baseball cards.
Title: Rockwell Automation ControlLogix and GuardLogix Vulnerable to Major Nonrecoverable Fault Due to Invalid Header Value
Cve id: CVE-2024-3493
Cve state: PUBLISHED
Cve assigner short name: Rockwell
Cve date updated: 04/15/2024
Cve description: A specific malformed fragmented packet type (fragmented packets may be generated automatically by devices that send large amounts of data) can cause a major nonrecoverable fault (MNRF) on Rockwell Automation's ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product will become unavailable and require a manual restart to recover it. Additionally, an MNRF could result in a loss of view and/or control of connected devices.

Cve id: CVE-2024-20356
Cve state: PUBLISHED
Cve assigner short name: cisco
Cve date updated: 04/24/2024
Cve description: A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with Administrator-level privileges to perform command injection attacks on an affected system and elevate their privileges to root. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to elevate their privileges to root.

Title: CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report)
Cve id: CVE-2024-22259
Cve state: PUBLISHED
Cve assigner short name: vmware
Cve date updated: 03/16/2024
Cve description: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.

Title: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability
Cve id: CVE-2020-3259
Cve state: PUBLISHED
Cve assigner short name: cisco
Cve date updated: 05/06/2020
Cve description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

Title: CVE-2024-22243: Spring Framework URL Parsing with Host Validation
Cve id: CVE-2024-22243
Cve state: PUBLISHED
Cve assigner short name: vmware
Cve date updated: 02/23/2024
Cve description: Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
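Both Spring advisories above (CVE-2024-22243 and CVE-2024-22259) describe the same application pattern: parse a caller-supplied URL with UriComponentsBuilder, check its host, then redirect to or fetch the original string. The example below is added here to show that pattern next to a more defensive version; it is not code from the page or from the Spring project. It assumes a hypothetical allowlist of redirect hosts and Spring Framework on the classpath; the cross-check against java.net.URI, the rejection of user-info, and rebuilding the target from validated parts are added hardening measures, not steps from the advisories, and upgrading to a fixed Spring release remains the actual fix.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public final class RedirectTargetCheck {
    // Constructed allowlist for illustration only; a real deployment loads its own.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "www.example.com");

    /** Pattern the advisories describe: trust the host UriComponentsBuilder reports, then use the raw URL. */
    static String hostOnlyCheck(String externalUrl) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(externalUrl).build();
        String host = parsed.getHost();
        if (host != null && ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return externalUrl; // the unmodified input is what gets redirected to or fetched
        }
        return null;
    }

    /** Defensive version: two parsers must agree on the host, user-info is refused,
     *  and the target is rebuilt from validated components instead of echoing the input. */
    static String validatedRedirectTarget(String externalUrl) {
        UriComponents spring;
        URI jdk;
        try {
            spring = UriComponentsBuilder.fromUriString(externalUrl).build();
            jdk = new URI(externalUrl);
        } catch (IllegalArgumentException | URISyntaxException e) {
            return null; // one of the parsers rejects the string: do not use it
        }
        String host = spring.getHost();
        if (host == null || jdk.getHost() == null || !host.equalsIgnoreCase(jdk.getHost())) {
            return null; // missing host or parser disagreement: reject
        }
        if (jdk.getUserInfo() != null || !"https".equalsIgnoreCase(spring.getScheme())) {
            return null; // a redirect target never needs credentials or a non-HTTPS scheme
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        // Rebuild the URL from the parts that were actually checked.
        return UriComponentsBuilder.newInstance()
                .scheme("https").host(host).port(spring.getPort())
                .path(spring.getPath()).query(spring.getQuery())
                .build().toUriString();
    }
}
```

Logging the rejected input and the reason (parser disagreement versus allowlist miss) gives a useful detection signal for probing of the redirect endpoint.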

Title: Unitronics Vision Standard Unauthenticated Password Retrieval
Cve id: CVE-2024-1480
Cve state: PUBLISHED
Cve assigner short name: Dragos
Cve date updated: 04/19/2024
Cve description: Unitronics Vision Standard line of controllers allow the Information Mode password to be retrieved without authentication.

Cve id: CVE-2021-20599
Cve state: PUBLISHED
Cve assigner short name: Mitsubishi
Cve date updated: 04/18/2024
Cve description: Cleartext transmission of sensitive information vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU firmware versions "26" and prior and MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU firmware versions "11" and prior allows a remote unauthenticated attacker to log in to a target CPU module by obtaining credentials other than the password.

Cve id: CVE-2023-20269
Cve state: PUBLISHED
Cve assigner short name: cisco
Cve date updated: 01/25/2024
Cve description: A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote access VPN session. Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier). Notes: Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured. Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability.

Cve id: CVE-2024-22257
Cve state: PUBLISHED
Cve assigner short name: vmware
Cve date updated: 03/18/2024
Cve description: In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, 6.0.x prior to 6.0.9, 6.1.x prior to 6.1.8, and 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote, passing a null Authentication parameter.

Cve id: CVE-2024-20295
Cve state: PUBLISHED
Cve assigner short name: cisco
Cve date updated: 04/24/2024
Cve description: A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.

Need to know more?

When MITRE Met Hacker

MITRE's NERVE got pinched by a nation-state cyber ninja using zero-days in Ivanti's VPN. While their core networks stayed as untouched as a slice of fruitcake at a bake sale, the breach sent a clear "up your cybersecurity game" message to the tech world. They're taking one for the team by going public and promise to dish the deets on their cyber oopsie to help others avoid a digital faceplant.

Cisco's Security Siesta

Heads up, folks! The cyber SWAT team, consisting of CISA, FBI, and international cybercrime busters, is waving red flags about some seriously overworked Cisco vulnerabilities. Akira ransomware, courtesy of our Russian-linked digital misfits, is still partying hard with these old-school Cisco flaws. It's like leaving your car unlocked in the bad part of the internet; you're practically inviting trouble. The lesson? Patch your systems, people, or you'll be the next cautionary Twitter thread.

Atlassian's Bamboo Bamboozle

Over at Atlassian, it's been a bit of a facepalm moment with not one, not two, but three vulnerabilities in their Bamboo product. Thankfully, they've patched them up quicker than a pirate with a leaky ship. But the takeaway is clear: keep an eye on your software updates, or you'll end up playing cybersecurity whack-a-mole.

Vulnerability Variety Hour

It's a buffet of critical vulnerabilities this week, with a spread that includes Rockwell PLCs, Mitsubishi Electric's MELSEC series, and Cisco's Integrated Management Controller, among others. These CVSS scores are so high they're giving mountain goats vertigo, and it's all hands on deck to patch up these gaping digital potholes.

Telehealth's Tenuous Trust

Last but not least, Cerebral has been caught with its hand in the cookie jar of customer data, sharing sensitive info with social media sites for ads. The FTC's response? A whopping $7 million fine and a stern "don't do it again." After all, when it comes to personal health info, the only thing customers want going viral is their cat videos, not their data.

Tags: Akira ransomware, Atlassian vulnerabilities, Cisco security advisory, Ivanti VPN flaw, MITRE breach, Online Privacy Breaches, zero-day vulnerabilities