• Hackers are hijacking gov

    From Mike Powell@1:2320/105 to All on Tue Feb 11 11:01:00 2025
    Hackers are hijacking government software to access sensitive servers

    Date:
    Mon, 10 Feb 2025 15:17:00 +0000

    Description:
    A bug in Trimble Cityworks is being used to run remote code execution attacks against Microsoft IIS.

    FULL STORY ======================================================================
    - Trimble warns Cityworks is being abused in RCE attacks
    - The company released a patch to address the issue
    - CISA warns users to apply patch as soon as possible

    Hackers are hijacking government software to access sensitive servers,
    experts have warned.

    The warning comes from software vendor Trimble, whose product seems to have been used in the attack. In a letter sent to its customers and partners, Trimble said it observed cybercriminals abusing a deserialization
    vulnerability in its Cityworks product to engage in Remote Code Execution
    (RCE) and deploy Cobalt Strike beacons on Microsoft Internet Information Services (IIS) servers.

    Trimble Cityworks is a Geographic Information System (GIS) asset management
    and permitting software designed to help local governments and utilities
    manage infrastructure, maintenance, and operations efficiently. It was found
    to have been vulnerable to CVE-2025-0994, a high-severity deserialization bug allowing for RCE, given a severity score of 8.6 (high).

    Patching the flaw

    "Following our investigations of reports of unauthorized attempts to gain
    access to specific customers' Cityworks deployments, we have three updates to provide you," the company said in the letter. To tackle the threat, Trimble updated Cityworks 15.x to version 15.8.9, and 23.x to 23.10. It also warned about discovering some on-prem deployments having overprivileged IIS identity permissions, and added that some deployments had incorrect attachment directory configurations.

    All of these should be addressed at the same time, to mitigate the threat and resume normal operations with Cityworks.

    We don't know how big the attack is, or if any organizations were compromised
    as a result, but the US Cybersecurity and Infrastructure Security Agency
    (CISA) has released a coordinated advisory, urging customers to apply the patches as soon as possible, BleepingComputer has found. "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures," it was said in the advisory.

    Organizations observing suspected malicious activity should follow
    established internal procedures and report findings to CISA for tracking and correlation against other incidents.

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/hackers-are-hijacking-government-software-to-access-sensitive-servers

    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)