Indicators of compromise (IoCs) identified
Compromise reports identified (groupings of IoCs)
HIGHLIGHT OF THE MONTH
On 24 July, a Reuters dispatch reported an attack on government institutions in Norway. This could have been routine news, given the current tensions linked to the conflict in Eastern Europe. However, the scale of the event, which affected 12 Norwegian ministries, is far less trivial.
With investigations still underway, little information has been released about the initial intrusion vector. A few hours after the attack, Ivanti published a security alert intended exclusively for its customers. Very promptly, news of a critical vulnerability in the Ivanti EPMM product (formerly MobileIron Core) was leaked on social networks.
Even if the link is not obvious at first sight, there is a connection between these two events. Indeed, a few hours later, it was revealed that the Norwegian ministries had been compromised by exploiting the vulnerability affecting Ivanti’s EPMM product.
At the end of the day on 24 July, Ivanti’s security warning was made public, which helps to explain why so little information had been available. The vulnerability is rated 10 under the CVSSv3 system, is described as a “Remote Unauthenticated API Access Vulnerability”, and is being actively exploited.
Details of the vulnerability are still under embargo, and the two available descriptions differ markedly. Ivanti’s press release states that the impact is the disclosure of personal information and the possibility of making limited changes to the server. The CISA alert is far less reassuring: it indicates that exploitation does indeed allow the disclosure of personal information, but also the creation of accounts with administrative privileges on the solution.
DEFINITION OF THE MONTH
The Common Vulnerability Scoring System (CVSS) is a standardised system used to assess the severity of computer vulnerabilities. Developed in 2005 by FIRST (Forum of Incident Response and Security Teams), it is intended to provide a common methodology for rating vulnerabilities and to ease communication in the field of IT security.
CVSS assigns a numerical score from 0 to 10 to each vulnerability, where 10 is the maximum. This score is calculated from several criteria, such as the impact on the confidentiality, integrity and availability of the data and systems affected, the complexity of exploitation, and the vulnerability’s scope.
Software vendors, incident response teams and IT security professionals use CVSS to monitor vulnerabilities and determine the security measures to be taken. By prioritising patches and actions based on the CVSS score, organisations can mitigate the risks associated with vulnerabilities more effectively.
Since its inception, CVSS has undergone significant development, particularly with version 3, which offers a more robust and granular methodology. Available since 28 May 2015, this latest version was designed to address the limitations of the previous version, CVSSv2, and to adapt to the new challenges of cybersecurity. CVSSv3 incorporates additional criteria such as the vulnerability’s scope and environmental metrics, enabling a more accurate assessment of the vulnerability’s impact in the specific context of each organisation.
The cybersecurity industry is also eagerly awaiting the arrival of CVSSv4, which will offer a major overhaul of the rating system, taking into account user feedback and experience over the past decade. Its release is scheduled for 1 October 2023, and it should offer an even more comprehensive approach to assessing and prioritising vulnerabilities.
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks… It’s no secret that knowledge of one’s adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialised sites, and the dark and deep web. They make threat information available an average of 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident-handling times.