Media room

Tenable Once Again Named One of the Top 20 Cloud Security Companies by CRN

"What's unique about Volt Typhoon is the post-exploitation activity," Tenable research engineer Scott Caveza told The Register. It doesn't use custom malware, which can be more easily spotted by antivirus software, but instead uses legitimate software products and credentials to snoop around and avoid detection.

Two vulnerabilities in Mozilla products and Windows are being actively exploited by RomCom, a Kremlin-linked cybercriminal group known for targeting businesses and conducting espionage, warn security researchers from Eset.

Satnam Narang, senior research engineer at Tenable, said the attack underscores both the persistence of threat actors and the increasing difficulty of breaching browser defenses.

"With the adoption of sandbox technology in modern browsers, threat actors need to do more than just exploit a browser vulnerability alone," Narang said in a statement. "By combining a browser-based exploit along with a privilege escalation flaw, the RomCom threat actor was able to bypass the Firefox sandbox."

The macOS Sequoia vulnerabilities are the latest to be targeted and exploited by threat actors as cybersecurity vendors report a shift in the landscape.

Satnam Narang, senior staff research engineer at Tenable, told TechTarget Editorial that Apple is known for providing limited technical details in their advisories. However, he highlighted one aspect of Apple's advisory.

"The one interesting aspect about these two zero days is that the advisories called out exploitation specifically for Intel-based Mac systems, which are now considered legacy products for Apple. Apple switched over to their own Apple silicon in late 2020," Narang said. "Typically, zero-day exploitation of vulnerabilities is part of limited, targeted attacks. When you add that these were attributed to researchers at Google's Threat Analysis Group, which are often tasked with investigating targeted attacks, it supports that hypothesis. Until Googles Threat Analysis Group publishes their own research into the attacks, we won’t know more than what's in the advisories."

While zero-day exploitation surged throughout 2023, CISA said threat actors continue to exploit known vulnerabilities that were disclosed and patched as far back as 2017.

Satnam Narang, senior staff research engineer at Tenable, told TechTarget Editorial that the inclusion of vulnerabilities in VPNs and internet-exposed services was a common thread among many of the flaws highlighted in the advisory. Narang added that there's a strong correlation between internet-facing systems that utilize software containing known vulnerabilities and the likelihood of exploitation.

Narang also said CVE-2017-6742 exploitation has been connected to the Russian state-sponsored advanced persistent threat group known as Fancy Bear. The group exploited another vulnerability, tracked as CVE-2023-23397, on CISA's advisory to target Microsoft Exchange accounts.

Russia's premiere advanced persistent threat group–APT29–has been phishing thousands of targets in militaries, public authorities, and enterprises.

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" says Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations."

That APT29 would go after sensitive credentials from geopolitically prominent and diverse organizations is no surprise, Narang notes, though he adds that "the one thing that does kind of stray from the path would be its broad targeting, versus [its typical more] narrowly focused attacks."