Hot Zeroday Summer continues with Ivanti Sentry CVE-2023-38035 affecting a limited number of users https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
Citrix https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
The takeaway: The GRU has followed the same five phase disruptive playbook throughout the war. Alternatives have existed, but the GRU has opted for the same tradecraft on repeat. We assess that these choices are calculated adaptations to a wartime operating environment.
GRU’s playbook on cyber disruption and info ops
Notable Storm-0875 tradecraft
1. Initial Access: SMS phishing + AITM, or purchase of infostealer logs (bypasses most defenses)
2. Privilege escalation via SIM swapping or call forwarding of the global admin’s personal phone
3. Time from initial access to global admin often occurs within hours
If you haven’t turned on non-SMS/push 2FA and are a tech/BPO, retail, or telco org, they will find a weak spot and ruin your summer.
US holidays are perfect for tagging attribution on 25k events without getting any CPU usage complaints.
Happy Canada Day! 🇨🇦 Careful out there! 🌪️⛈️
Hello world!