March 3, 2024 at 10:20PM
The LockBit ransomware gang continues operations despite a law enforcement takedown, claiming to possess sensitive data. An analyst suggests the gang's posturing is meant to reassure its affiliates, while CISA warns that Ivanti vulnerabilities could persist even after factory resets. Security researchers raise concerns about a potential cloud-based SAML token forgery vulnerability, advising organizations to safeguard their signing certificates against potential attacks. Cisco also releases patches for two high-severity vulnerabilities in NX-OS.
Based on the meeting notes, here are the key takeaways:
1. LockBit Ransomware Gang: Despite a law enforcement takedown, the LockBit gang appears to have continued its operations, though potentially with reduced capabilities. There are indications that their attempt to extort ransom from Fulton County, Georgia, by threatening to expose sensitive data related to former President Donald Trump’s ongoing court cases might not have succeeded. Law enforcement seizure of the data is suspected, and it is suggested that LockBit’s claims could be an attempt to reassure its affiliates. However, Brett Callow from Emsisoft cautioned against trusting an organization that has been compromised to such an extent.
2. Critical Vulnerabilities: Two critical vulnerabilities in Cisco’s NX-OS datacenter operating system (CVE-2024-20267 and CVE-2024-20321) have been identified with a CVSS rating of 8.6. Patches are available and immediate installation is recommended to prevent potential exploitation.
3. Ivanti Vulnerabilities: Concerns have been raised by CISA and partner agencies regarding the effectiveness of Ivanti’s Integrity Checker Tool in detecting and mitigating vulnerabilities. While Ivanti states that it is not aware of any instances of a threat actor gaining persistence following installation of security updates and a factory reset, CISA recommends that Ivanti users consider its latest warning when deciding whether to continue operating these devices.
4. Cloud-based Threat: Following the SolarWinds compromise, researchers have identified a potential vulnerability, dubbed Silver SAML, which could allow attackers who obtain an identity provider's signing certificate to forge SAML tokens, even in cloud-based identity provider environments. The vulnerability poses a significant threat, and organizations are advised to take decisive steps to protect their signing certificates and close potential security gaps.
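The Silver SAML item above comes down to one question for a service provider: was this token signed by the certificate the identity provider is supposed to be using? The following Python script is an added example, not code from the meeting notes or from any vendor, showing a signing-certificate pinning check a service provider can run before (not instead of) full XML-DSig signature verification: it extracts the X509Certificate carried in the SAML Response's Signature, computes its SHA-256 thumbprint and compares it against a pinned allowlist keyed by Issuer. The issuer URL, the pinned mapping and the "DER" bytes are all constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed placeholder bytes standing in for the DER encoding of the IdP's
# legitimate token-signing certificate (a real deployment pins the real DER).
TRUSTED_CERT_DER = b"constructed-der-of-idp-signing-cert"
# Constructed placeholder for some other certificate that is not pinned.
ROGUE_CERT_DER = b"constructed-der-of-unexpected-cert"


def thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Assumed service-provider configuration: issuer entityID -> allowed thumbprints.
PINNED_SIGNING_CERTS = {
    "https://idp.example.test/": {thumbprint(TRUSTED_CERT_DER)},
}


def build_response(issuer: str, cert_der: bytes) -> str:
    """Construct a minimal SAML Response whose ds:KeyInfo carries cert_der.

    The SignedInfo and SignatureValue are stand-ins; this example only
    exercises the certificate-pinning step, not signature verification.
    """
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'xmlns:ds="{DSIG_NS}" ID="_r1">\n'
        f"  <saml:Issuer>{issuer}</saml:Issuer>\n"
        "  <ds:Signature>\n"
        "    <ds:SignedInfo/>\n"
        "    <ds:SignatureValue>constructed</ds:SignatureValue>\n"
        "    <ds:KeyInfo><ds:X509Data>\n"
        f"      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>\n"
        "    </ds:X509Data></ds:KeyInfo>\n"
        "  </ds:Signature>\n"
        "</samlp:Response>"
    )


def check_signing_cert(saml_xml: str, pinned=PINNED_SIGNING_CERTS):
    """Return (ok, reason). ok is True only if every certificate embedded in
    the response's Signature elements is pinned for the response's Issuer."""
    root = ET.fromstring(saml_xml)
    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer_el is None or not (issuer_el.text or "").strip():
        return False, "missing Issuer"
    issuer = issuer_el.text.strip()

    allowed = pinned.get(issuer)
    if allowed is None:
        return False, f"unknown issuer {issuer}"

    certs = root.findall(f".//{{{DSIG_NS}}}X509Certificate")
    if not certs:
        return False, "no X509Certificate in Signature"

    for cert_el in certs:
        # PEM-style line wrapping is common; strip whitespace before strict decode.
        b64 = "".join((cert_el.text or "").split())
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False, "malformed X509Certificate"
        tp = thumbprint(der)
        if tp not in allowed:
            return False, f"signing cert {tp[:16]}... not pinned for {issuer}"
    return True, "signing certificate matches pinned set"


if __name__ == "__main__":
    for label, xml_doc in [
        ("pinned cert", build_response("https://idp.example.test/", TRUSTED_CERT_DER)),
        ("unexpected cert", build_response("https://idp.example.test/", ROGUE_CERT_DER)),
        ("unknown issuer", build_response("https://other.example.test/", TRUSTED_CERT_DER)),
    ]:
        print(label, "->", check_signing_cert(xml_doc))
```

The pinning check is deliberately separate from cryptographic verification: a library that validates the XML signature will happily accept any certificate that verifies the bytes, which is exactly the gap a stolen or externally generated signing certificate exploits. Pinning the expected thumbprint per issuer, and rotating the pin only through a controlled change process, turns an unexpected certificate into a hard failure and an alert rather than a valid login.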
These key takeaways summarize the high-level points from the meeting notes for your records. If you need additional details on any specific topic, feel free to ask.