23 Vulnerabilities in Black Basta’s Chat Logs Exploited in the Wild, Including PAN-OS, Cisco IOS, & Exchange

GreyNoise has confirmed active exploitation of 23 out of 62 vulnerabilities referenced in internal chat logs attributed to the Black Basta ransomware group.
These vulnerabilities span enterprise software, security appliances, and widely deployed web applications, with several critical flaws exploited as recently as the past 24 hours.
The findings underscore the persistent targeting of known vulnerabilities, even those absent from government advisories like CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The list of 62 CVEs, initially extracted from the leaked logs by cybersecurity firm VulnCheck, provided a rare window into the vulnerabilities prioritized by ransomware operators.
Actively exploited vulnerabilities:

| CVE ID | Description | Vendor/Product | Exploitation Status |
| --- | --- | --- | --- |
| CVE-2024-3400 | PAN-OS command injection | Palo Alto Networks | Active (Last 24h) |
| CVE-2024-27198 | JetBrains TeamCity authentication bypass | JetBrains | Active (Last 24h) |
| CVE-2024-24919 | Check Point Quantum Security Gateways information disclosure | Check Point | Active (Last 24h) |
| CVE-2024-23897 | Jenkins CLI path traversal / arbitrary file read | Jenkins | Confirmed Active |
| CVE-2024-1709 | ConnectWise ScreenConnect authentication bypass | ConnectWise | Active (Last 24h) |
| CVE-2023-6875 | WordPress Post SMTP Mailer missing authorization | WPExperts | Active (Not in KEV) |
| CVE-2023-4966 | Citrix NetScaler ADC/Gateway buffer over-read leaking session tokens (Citrix Bleed) | Citrix | Active (Last 24h) |
| CVE-2023-42793 | JetBrains TeamCity authentication bypass | JetBrains | Confirmed Active |
| CVE-2023-36845 | Juniper Junos OS (EX/SRX) J-Web PHP external variable modification | Juniper | Active (Last 24h) |
| CVE-2023-36844 | Juniper Junos OS (EX) J-Web PHP external variable modification | Juniper | Confirmed Active |
| CVE-2023-29357 | Microsoft SharePoint privilege escalation | Microsoft | Confirmed Active |
| CVE-2023-22515 | Atlassian Confluence access control bypass | Atlassian | Active (Last 24h) |
| CVE-2023-20198 | Cisco IOS XE web UI privilege escalation | Cisco | Active (Last 24h) |
| CVE-2022-41082 | Microsoft Exchange remote code execution | Microsoft | Active (Last 24h) |
| CVE-2022-41040 | Microsoft Exchange server-side request forgery | Microsoft | Confirmed Active |
| CVE-2022-37042 | Zimbra Collaboration Suite authentication bypass | Synacor | Confirmed Active |
| CVE-2022-30525 | Zyxel firewall OS command injection | Zyxel | Active (Last 24h) |
| CVE-2022-27925 | Zimbra arbitrary file upload | Synacor | Confirmed Active |
| CVE-2022-26134 | Atlassian Confluence remote code execution | Atlassian | Confirmed Active |
| CVE-2022-22965 | Spring Framework RCE (Spring4Shell) | VMware | Confirmed Active |
| CVE-2022-1388 | F5 BIG-IP iControl REST missing authentication | F5 Networks | Confirmed Active |
| CVE-2021-44228 | Apache Log4j RCE (Log4Shell) | Apache | Active (Last 24h) |
| CVE-2021-26855 | Microsoft Exchange RCE chain (ProxyLogon) | Microsoft | Active (Last 24h) |
Recent Surge in Exploitation of Known Vulnerabilities
GreyNoise’s internet-wide telemetry identified exploitation activity for 23 CVEs, including high-severity flaws in Palo Alto Networks PAN-OS, Cisco IOS XE, and Microsoft Exchange Server. Notably, CVE-2023-6875, a missing authorization vulnerability in the WordPress plugin “Post SMTP Mailer,” is being exploited despite having no KEV entry, which shows that a patch policy driven solely by a static list such as KEV will miss vulnerabilities that attackers are actually using.
The operational tempo of attackers remains alarming, with 12 CVEs exploited within the past 24 hours alone. These include:
- CVE-2024-3400 (Palo Alto PAN-OS command injection)
- CVE-2024-27198 (JetBrains TeamCity authentication bypass)
- CVE-2023-20198 (Cisco IOS XE privilege escalation)
- CVE-2022-41082 (Microsoft Exchange Remote Code Execution)
Network appliances from Palo Alto, Cisco, and Juniper dominate the exploited vulnerabilities list. CVE-2024-3400, a command injection flaw in Palo Alto’s PAN-OS, enables unauthenticated attackers to execute arbitrary code with root privileges. Similarly, CVE-2023-20198 in Cisco IOS XE’s web UI has resurfaced as a prime target, allowing attackers to create privileged accounts and deploy malicious implants.
Juniper’s Junos OS vulnerabilities (CVE-2023-36845 and CVE-2023-36844) continue to be exploited through manipulation of PHP environment variables in the J-Web interface, which attackers chain into unauthenticated remote code execution on EX Series switches (CVE-2023-36845 also affects SRX firewalls). These attacks often precede lateral movement attempts within corporate networks.
High-traffic web platforms remain vulnerable, with CVE-2023-22515 (Atlassian Confluence access control bypass) and CVE-2022-26134 (Confluence Server remote code execution) actively exploited. Microsoft Exchange Server vulnerabilities CVE-2021-26855 (ProxyLogon) and CVE-2022-41082 persist in attacker playbooks, enabling mailbox infiltration and server compromise.
The reappearance of CVE-2021-44228 (Log4Shell) in exploitation attempts underscores the challenge of eradicating this ubiquitous logging library vulnerability.
GreyNoise observed renewed scanning for Log4j instances, particularly in unpatched IoT and enterprise systems.
GreyNoise’s 24-hour activity snapshot reveals intensified targeting of:
- CVE-2024-24919: Check Point Quantum Security Gateways information disclosure
- CVE-2023-4966: Citrix NetScaler ADC buffer overflow (Citrix Bleed)
- CVE-2022-30525: Zyxel firewall OS command injection
These exploits frequently precede ransomware deployment, with attackers leveraging initial access to disable security tools and exfiltrate data. The ConnectWise ScreenConnect flaw (CVE-2024-1709) has become particularly prevalent, with attackers exploiting authentication bypasses to implant remote access trojans.
While patching remains critical, the absence of CVE-2023-6875 from the KEV catalog demonstrates that KEV membership alone is not a sufficient prioritization signal and that it must be supplemented with real-time exploitation telemetry. GreyNoise recommends:
- Network Segmentation: Isolate internet-facing systems like Exchange servers and VPN gateways.
- Behavioral Monitoring: Detect anomalous process creation and suspicious authentication patterns.
- Compromise Assessments: Hunt for indicators of exploitation across the 23 CVEs using IoCs from GreyNoise’s dataset.
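The KEV gap discussed above (CVE-2023-6875 is exploited but not catalogued) and the patch-prioritization advice in this list can be turned into a small triage script. The following is an added example, not code from GreyNoise, VulnCheck or Cyber Security News. The observation list is transcribed from the article’s table; the KEV snapshot is a constructed excerpt in the shape of CISA’s known_exploited_vulnerabilities.json feed (only the `cveID` field is read) that deliberately omits CVE-2023-6875 to mirror the article’s statement, so `kev_gaps()` would need the live feed (via `fetch_live_kev()`, a helper assumed here) to say anything about the real catalog.

```python
"""Cross-check exploited CVEs against a KEV snapshot and rank them for patching.

Added example; not GreyNoise's, VulnCheck's or the article's own code.
OBSERVED is transcribed from the article's table. KEV_SNAPSHOT is a
CONSTRUCTED excerpt in the shape of CISA's known_exploited_vulnerabilities.json
(only "cveID" is read) that omits CVE-2023-6875, following the article.
"""
import json
import urllib.request

# Real location of the CISA KEV feed; used only by fetch_live_kev().
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# (CVE, product, status) as reported in the article. "last_24h" is the
# article's "Active (Last 24h)"; "active" is its "Confirmed Active".
OBSERVED = [
    ("CVE-2024-3400", "Palo Alto PAN-OS", "last_24h"),
    ("CVE-2024-27198", "JetBrains TeamCity", "last_24h"),
    ("CVE-2024-24919", "Check Point Quantum Security Gateways", "last_24h"),
    ("CVE-2024-23897", "Jenkins CLI", "active"),
    ("CVE-2024-1709", "ConnectWise ScreenConnect", "last_24h"),
    ("CVE-2023-6875", "WordPress Post SMTP Mailer", "active"),
    ("CVE-2023-4966", "Citrix NetScaler ADC", "last_24h"),
    ("CVE-2023-42793", "JetBrains TeamCity", "active"),
    ("CVE-2023-36845", "Juniper Junos OS", "last_24h"),
    ("CVE-2023-36844", "Juniper Junos OS EX", "active"),
    ("CVE-2023-29357", "Microsoft SharePoint", "active"),
    ("CVE-2023-22515", "Atlassian Confluence", "last_24h"),
    ("CVE-2023-20198", "Cisco IOS XE", "last_24h"),
    ("CVE-2022-41082", "Microsoft Exchange", "last_24h"),
    ("CVE-2022-41040", "Microsoft Exchange", "active"),
    ("CVE-2022-37042", "Zimbra Collaboration Suite", "active"),
    ("CVE-2022-30525", "Zyxel firewall", "last_24h"),
    ("CVE-2022-27925", "Zimbra Collaboration Suite", "active"),
    ("CVE-2022-26134", "Atlassian Confluence", "active"),
    ("CVE-2022-22965", "Spring Framework", "active"),
    ("CVE-2022-1388", "F5 BIG-IP", "active"),
    ("CVE-2021-44228", "Apache Log4j", "last_24h"),
    ("CVE-2021-26855", "Microsoft Exchange", "last_24h"),
]

# Constructed KEV excerpt: same top-level shape as the real feed, built
# from the article's own table minus the one CVE it says is not in KEV.
KEV_SNAPSHOT = json.dumps({
    "title": "constructed KEV excerpt (not the real catalog)",
    "vulnerabilities": [
        {"cveID": cve} for cve, _, _ in OBSERVED if cve != "CVE-2023-6875"
    ],
})


def load_kev_ids(kev_json: str) -> set:
    """Return the set of CVE IDs present in a KEV-format JSON document."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}


def fetch_live_kev(timeout: float = 20.0) -> set:
    """Pull the current CISA catalog (needs network; not used by the offline run)."""
    with urllib.request.urlopen(KEV_URL, timeout=timeout) as resp:
        return load_kev_ids(resp.read().decode("utf-8"))


def kev_gaps(observed, kev_ids) -> list:
    """CVEs seen exploited that a KEV-only patch policy would never schedule."""
    return [cve for cve, _, _ in observed if cve not in kev_ids]


def rank_for_patching(observed, kev_ids) -> list:
    """Order rows by recency of observed exploitation, then KEV absence, then CVE.

    Recency drives urgency; KEV absence is the second key so that rows no
    static list would surface are not buried among 'confirmed active' ones.
    """
    recency = {"last_24h": 0, "active": 1}
    rows = []
    for cve, product, status in observed:
        if status not in recency:
            raise ValueError(f"unknown status {status!r} for {cve}")
        rows.append({"cve": cve, "product": product, "status": status,
                     "in_kev": cve in kev_ids})
    return sorted(rows, key=lambda r: (recency[r["status"]], r["in_kev"], r["cve"]))


if __name__ == "__main__":
    kev = load_kev_ids(KEV_SNAPSHOT)
    print("Exploited but absent from KEV:", kev_gaps(OBSERVED, kev))
    for row in rank_for_patching(OBSERVED, kev):
        flag = "" if row["in_kev"] else "  <-- not in KEV"
        print(f'{row["cve"]:15} {row["status"]:9} {row["product"]}{flag}')
```

Against the constructed snapshot the script reports CVE-2023-6875 as the only gap and places it directly after the twelve last-24h rows; swap `KEV_SNAPSHOT` for `fetch_live_kev()` to run the same check against the real catalog.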
With ransomware groups increasingly automating vulnerability exploitation, continuous monitoring and infrastructure hardening have become non-negotiable components of modern cybersecurity programs.
The post 23 Vulnerabilities in Black Basta’s Chat Logs Exploited in the Wild, Including PAN-OS, Cisco IOS, & Exchange appeared first on Cyber Security News.