At a glance.
- Initial access broker targets Africa's financial sector.
- Critical Citrix flaw can allow attackers to impersonate authenticated users.
- Patches issued for vulnerabilities affecting hundreds of printer models.
Initial access broker targets Africa's financial sector.
A cybercriminal threat actor is abusing open-source tools to target organizations in Africa's financial sector, according to researchers at Palo Alto Networks' Unit 42. The threat actor appears to be an initial access broker, establishing footholds within organizations that it then sells on darknet markets. The actor abuses the legitimate penetration testing and remote administration tools PoshC2, Chisel, and Classroom Spy. Unit 42 notes, "The threat actor copies signatures from legitimate applications to forge file signatures, to disguise their tool set and mask their malicious activities. Threat actors often spoof legitimate products for malicious purposes. This does not imply a vulnerability in the organization’s products or services." A signature block lifted from another binary does not validate against the file it was pasted onto, so endpoint and allow-listing controls that verify signatures, rather than merely checking that one is present, will still flag this tooling.
Critical Citrix flaw can allow attackers to impersonate authenticated users.
Citrix has patched a critical vulnerability (CVE-2025-5777) in its NetScaler ADC and NetScaler Gateway products that can allow unauthenticated attackers to read session tokens and other information from device memory, the Register reports. Citrix issued a patch last week, but updated the vulnerability's description Monday night to clarify that the flaw affects the products only when "NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."
Security researcher Kevin Beaumont is calling the vulnerability "CitrixBleed 2," comparing it to 2023's CitrixBleed flaw (CVE-2023-4966) that was exploited by ransomware actors to bypass Citrix authentication measures. Beaumont explains, "The vulnerability allows an attacker to read memory from the Netscaler when configured as a Gateway or AAA virtual server — think remote access via Citrix, RDP etc. It’s an extremely common setup in large organisations....The memory may include sensitive information. Session tokens can be replayed to steal Citrix sessions, bypassing MFA. That was the problem with CitrixBleed."
There's no evidence of exploitation yet, but users are urged to apply the patches as soon as possible. Patching alone does not invalidate tokens that may already have been leaked, so after upgrading, Citrix's advisory recommends terminating all active ICA and PCoIP sessions (`kill icaconnection -all` and `kill pcoipConnection -all` on the NetScaler CLI) so that any stolen session token can no longer be replayed.
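The replay step Beaumont describes, a stolen token presented from an attacker's machine while the victim's session is still alive, leaves a simple trace: the same session token arriving from two different client addresses within a short interval. The following Python is an added example, not code from the article, Citrix, or Beaumont; it runs that check over a constructed, generic access log whose field layout (`user=`, `session=`, `src=`) is an assumption, so real NetScaler syslog records would have to be mapped onto those fields first.

```python
"""Flag session tokens presented from a second source IP within a short window.

Added example, not from the article or from Citrix. The log format below is
constructed for illustration; NetScaler's real syslog layout differs and must
be normalised to these fields before this check is useful.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real NetScaler output). Each line:
#   <ISO-8601 timestamp> user=<login> session=<session token> src=<client IP>
# In practice log only a hash of the token, never the token itself.
SAMPLE_LOG = """\
2025-06-24T08:00:01Z user=alice session=tok-a1f9 src=203.0.113.10
2025-06-24T08:04:37Z user=alice session=tok-a1f9 src=203.0.113.10
2025-06-24T08:06:02Z user=alice session=tok-a1f9 src=198.51.100.7
2025-06-24T08:07:15Z user=alice session=tok-a1f9 src=198.51.100.7
2025-06-24T08:10:00Z user=bob session=tok-77c2 src=192.0.2.5
2025-06-24T08:30:00Z user=bob session=tok-77c2 src=192.0.2.5
2025-06-24T08:00:00Z user=carol session=tok-e0d4 src=203.0.113.20
2025-06-24T12:30:00Z user=carol session=tok-e0d4 src=203.0.113.21
"""


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware 'ts' field."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    # Accept the trailing 'Z' form on all supported Python versions.
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def find_replayed_sessions(log_text, window_seconds=3600):
    """Return one alert per token that is used from a different source IP
    within window_seconds of its previous use.

    A token that legitimately moves networks hours later (laptop goes home)
    falls outside the window and is not flagged; tune the window to the
    environment. Events are processed in timestamp order so out-of-order
    log delivery does not produce false alerts.
    """
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    last_use = {}      # token -> (src ip, timestamp) of its most recent use
    alerted = set()    # tokens already reported, to avoid duplicate alerts
    alerts = []
    for ev in events:
        token, src = ev["session"], ev["src"]
        prev = last_use.get(token)
        if prev is not None and prev[0] != src and token not in alerted:
            gap = int((ev["ts"] - prev[1]).total_seconds())
            if gap <= window_seconds:
                alerted.add(token)
                alerts.append({
                    "user": ev["user"],
                    "session": token,
                    "original_src": prev[0],
                    "replay_src": src,
                    "seconds_apart": gap,
                })
        last_use[token] = (src, ev["ts"])
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(f"possible replay: user={alert['user']} session={alert['session']} "
              f"{alert['original_src']} -> {alert['replay_src']} "
              f"after {alert['seconds_apart']}s")
```

With the default one-hour window only alice's token is reported (a second address 85 seconds after the first); carol's address change four and a half hours later is treated as ordinary roaming, which is why the window is a parameter rather than a constant. A hit is a reason to terminate that session and re-authenticate the user, not proof of compromise on its own, since split-tunnel VPNs and carrier NAT can also produce address changes.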
Patches issued for vulnerabilities affecting hundreds of printer models.
Rapid7 discovered eight vulnerabilities affecting 748 printer models, most of which are manufactured by Brother, SecurityWeek reports. The most serious of the flaws (CVE-2024-51978) allows an unauthenticated attacker to derive the device's default administrator password if they know the target device's serial number. An attacker can obtain the serial number through another of the flaws (CVE-2024-51977), which leaks it to unauthenticated requests.
The vulnerabilities affect 689 models from Brother, as well as 46 from Fujifilm Business Innovation, five from Ricoh, six from Konica Minolta, and two from Toshiba. Patches and mitigations are available for the flaws, although Brother says CVE-2024-51978 cannot be fully fixed by a firmware update on devices already in the field and is only eliminated in units built under a new manufacturing process. For deployed devices the flaw is mitigated by changing the default administrator password; keeping printer management interfaces off the internet removes the unauthenticated exposure for all eight issues.