Sony has disclosed a cybersecurity incident in which the personal data of more than 6,000 current and former employees was exposed in a cyberattack earlier this year. Sony attributed the breach to a vulnerability in Progress Software's MOVEit Transfer, another instance of a widely used managed file transfer platform being exploited at scale. The Cl0p ransomware group, linked to Russia and known for targeting large enterprises worldwide, exploited this flaw. Sony's disclosure follows a separate alleged attack claimed by the RansomedVC gang.
In its notification to affected individuals, Sony described the breach and the measures taken to mitigate it. The compromise was confined to the MOVEit Transfer platform, and it is not known whether the stolen data has been published on the dark web. Sony is offering affected individuals complimentary credit monitoring and identity restoration services.
The MOVEit Transfer campaign has affected more than 62 million people across roughly 2,000 organisations globally. Victims include Siemens Energy, PwC, Discovery Channel, Vitesco Technologies, and Schneider Electric. In the separate incident, RansomedVC claimed responsibility and threatened to release the stolen data on the dark web. Both cases underscore the importance of promptly patching and mitigating vulnerabilities in widely used, internet-facing platforms such as file transfer services.
Risks and Recommendations Summary:
Atlassian, a prominent software vendor, has released urgent fixes for a critical zero-day vulnerability affecting publicly accessible Confluence Data Center and Server instances. Tracked as CVE-2023-22515, the flaw is remotely exploitable and allows external attackers to create unauthorised Confluence administrator accounts and gain access to the Confluence server. Versions prior to 8.0.0 are not affected, nor are cloud-hosted Confluence sites accessed via atlassian.net domains, but exposed on-premises instances running 8.0.0 or later are at significant risk.
Atlassian learned of the issue through reports from a small number of customers. Fixes are available in Confluence Data Center and Server 8.3.3 or later, 8.4.3 or later, and 8.5.2 (Long Term Support release) or later. The company has not disclosed details of the nature or scale of the exploitation.
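As an added example (not Atlassian's code), the following triage helper encodes the affected and fixed ranges stated above so an inventory of Confluence hosts can be checked quickly. The hostnames and versions in the sample inventory are constructed, and the treatment of branches after 8.5 as already fixed is an assumption drawn from the advisory's "or later" wording.

```python
"""Version triage for CVE-2023-22515, written as an added example for this
digest (not Atlassian's code). It encodes only what the advisory summarised
above states: versions before 8.0.0 are unaffected, and the fixed releases
are 8.3.3, 8.4.3 and 8.5.2 ("or later" in each branch)."""

# Lowest fixed release in each branch named by the advisory.
FIXED_IN = {
    (8, 3): (8, 3, 3),
    (8, 4): (8, 4, 3),
    (8, 5): (8, 5, 2),  # Long Term Support branch
}

def parse_version(text: str) -> tuple:
    """Turn '8.5.1' or '8.5' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(version: str, cloud_hosted: bool = False) -> bool:
    """True if a Confluence Data Center/Server build is in the affected range."""
    if cloud_hosted:
        return False  # atlassian.net-hosted sites are out of scope per the advisory
    v = parse_version(version)
    if v < (8, 0, 0):
        return False  # advisory: releases before 8.0.0 are not affected
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]  # fixed at or above the listed patch level
    if branch > (8, 5):
        # Assumption: later feature branches (8.6+) already carry the fix,
        # per the advisory's "or later" wording. Confirm against Atlassian's
        # release notes before relying on this.
        return False
    # 8.0.x, 8.1.x and 8.2.x: no fixed release listed in those branches, so
    # treat as affected and plan an upgrade to a fixed branch.
    return True

def triage(inventory: dict) -> list:
    """Return hostnames that need patching, given {host: version}."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "wiki-legacy": "7.19.14",
        "wiki-dev": "8.2.0",
        "wiki-prod": "8.5.1",
        "wiki-staging": "8.5.2",
    }
    print(triage(sample))
```

Hosts on 8.0.x through 8.2.x have no fixed release within their own branch, so the only remediation is an upgrade to one of the fixed branches; until then, the network restrictions described below are the only mitigation.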
Where updates cannot be applied immediately, Atlassian recommends restricting external network access to affected instances. The known attack vectors can additionally be mitigated by blocking access to the /setup/* endpoints on Confluence instances, for example at a reverse proxy or web application firewall in front of the application.
Atlassian has published indicators of compromise (IoCs) for identifying exploitation, including unexpected changes to administrator group membership, newly created user accounts, and unexpected requests (notably to the /setup/* endpoints) in network access logs. If compromise is confirmed, Atlassian advises immediately isolating the affected server. Note that patching alone does not remove administrator accounts an attacker has already created; those must be found and removed as part of the response.
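As an added example (not Atlassian's tooling), the script below hunts a reverse-proxy access log for the log-based indicator described above: requests to the /setup/* endpoints. It parses the common Apache/nginx "combined" format, normalises the request path so percent-encoding or doubled slashes cannot hide the prefix, and reports per source address how many such requests were not blocked. The log lines are constructed for this example and do not come from a real incident; the endpoint names in them are sample paths.

```python
"""Hunt Confluence access logs for CVE-2023-22515 activity. Added example for
this digest, not Atlassian's tooling. It applies the one log-based indicator
the advisory summary above supports: requests to the /setup/* endpoints."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format, which a reverse proxy in front of
# Confluence typically writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines (not from a real incident). Two sources probe
# /setup/: one is stopped by a 403 from the proxy, one is not, and one of
# its requests hides the prefix with percent-encoding.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Oct/2023:10:12:31 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2023:10:12:40 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 2210 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Oct/2023:10:12:41 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Oct/2023:10:12:42 +0000] "GET /%73etup/finishsetup.action HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
198.51.100.23 - - [04/Oct/2023:11:02:07 +0000] "GET /setup/finishsetup.action HTTP/1.1" 403 153 "-" "curl/8.1.2"
192.0.2.10 - - [04/Oct/2023:11:05:19 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
"""

def normalise_path(target: str) -> str:
    """Strip the query string, percent-decode, collapse repeated slashes and
    lower-case, so simple obfuscation of '/setup/' does not slip past the match."""
    path = unquote(target.split("?", 1)[0])
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()

def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: surface these separately in real use
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = normalise_path(rec["target"])
    return rec

def find_setup_requests(log_text: str) -> list:
    """Return parsed records for every request whose path starts with /setup/."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith("/setup/"):
            hits.append(rec)
    return hits

def summarise_by_source(hits: list) -> dict:
    """Per source IP: request count, distinct paths, and how many were not
    blocked (any status other than 403/404 is treated as having reached the app)."""
    summary = defaultdict(lambda: {"requests": 0, "paths": set(), "unblocked": 0})
    for h in hits:
        s = summary[h["ip"]]
        s["requests"] += 1
        s["paths"].add(h["path"])
        if h["status"] not in (403, 404):
            s["unblocked"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, s in summarise_by_source(find_setup_requests(SAMPLE_LOG)).items():
        flag = "INVESTIGATE" if s["unblocked"] else "blocked"
        print(f"{ip}: {s['requests']} /setup/ requests, {s['unblocked']} unblocked [{flag}]")
```

Any source with unblocked /setup/ requests should be cross-checked against the other IoCs (new accounts and administrator group changes created around the same timestamps). A 403 from the proxy only shows the block was in place for that request; logs from before the block was added still need the same review.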
Risks and Recommendations Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalogue due to active exploitation. The newly listed vulnerabilities are:
CVE-2023-42793 (CVSS score: 9.8) - JetBrains TeamCity Authentication Bypass Vulnerability:
CVE-2023-28229 (CVSS score: 7.0) - Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability:
CISA emphasises the critical nature of these vulnerabilities, both of which are under active exploitation. While details of the attacks remain undisclosed, CVE-2023-42793 has been used in remote code execution attempts. CVE-2023-28229, rated "Exploitation Less Likely" by Microsoft when it was patched, nonetheless requires immediate attention now that exploitation has been observed.
Recommendations Summary: