Media room

One of the critical security flaws exploited by China's Salt Typhoon to breach US telecom and government networks has had a patch available for nearly four years - yet despite repeated warnings from law enforcement and private-sector security firms, nearly all public-facing Microsoft Exchange Server instances with this vulnerability remain unpatched.

According to cyber-risk management firm Tenable, 91 percent of the nearly 30,000 openly reachable instances of Exchange vulnerable to CVE-2021-26855, aka ProxyLogon, have not been updated to close the hole.

SonicWall released a hotfix for a critical pre-authentication remote code execution vulnerability in Secure Mobile Access 1000 products amidst reports of zero-day exploitation.
 

While information is currently limited, Scott Caveza, staff research engineer at Tenable, told Informa TechTarget that SonicWall's security advisory implies that the vulnerability was potentially exploited in the wild. Tenable cannot confirm the activity, but it is monitoring the situation for further developments, he added.

"Microsoft's Threat Intelligence Center reported the issue to SonicWall, which suggests there have been observations of exploitation," Caveza said in an email. "Despite the uncertainty around exploitation, threat actors have targeted SonicWall devices in the past and several SonicWall vulnerabilities have been featured on the Known Exploited Vulnerabilities (KEV) catalog from the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Patching of impacted SonicWall devices should take priority to ensure this threat is mitigated as soon as possible."

Tenable Once Again Named One of the Top 20 Cloud Security Companies by CRN

"What's unique about Volt Typhoon is the post-exploitation activity," Tenable research engineer Scott Caveza told The Register. It doesn't use custom malware, which can be more easily spotted by antivirus software, but instead uses legitimate software products and credentials to snoop around and avoid detection.

Two vulnerabilities in Mozilla products and Windows are being actively exploited by RomCom, a Kremlin-linked cybercriminal group known for targeting businesses and conducting espionage, warn security researchers from Eset.

Satnam Narang, senior research engineer at Tenable, said the attack underscores both the persistence of threat actors and the increasing difficulty of breaching browser defenses.

"With the adoption of sandbox technology in modern browsers, threat actors need to do more than just exploit a browser vulnerability alone," Narang said in a statement. "By combining a browser-based exploit along with a privilege escalation flaw, the RomCom threat actor was able to bypass the Firefox sandbox."

The macOS Sequoia vulnerabilities are the latest to be targeted and exploited by threat actors as cybersecurity vendors report a shift in the landscape.

Satnam Narang, senior staff research engineer at Tenable, told TechTarget Editorial that Apple is known for providing limited technical details in their advisories. However, he highlighted one aspect of Apple's advisory.

"The one interesting aspect about these two zero days is that the advisories called out exploitation specifically for Intel-based Mac systems, which are now considered legacy products for Apple. Apple switched over to their own Apple silicon in late 2020," Narang said. "Typically, zero-day exploitation of vulnerabilities is part of limited, targeted attacks. When you add that these were attributed to researchers at Google's Threat Analysis Group, which are often tasked with investigating targeted attacks, it supports that hypothesis. Until Googles Threat Analysis Group publishes their own research into the attacks, we won’t know more than what's in the advisories."