Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts warn of a coordinated surge in the exploitation attempts of SSRF vulnerabilities

Researchers warn of a “coordinated surge” in the exploitation attempts of SSRF vulnerabilities in multiple platforms. Threat intelligence firm GreyNoise observed Grafana path traversal exploitation attempts before the Server-Side Request Forgery (SSRF) surge on March 9, suggesting the attackers may be leveraging Grafana as an initial entry point for deeper exploitation. The experts believe the […]

SSRF vulnerabilities

Researchers warn of a “coordinated surge” in the exploitation attempts of SSRF vulnerabilities in multiple platforms.

Threat intelligence firm GreyNoise observed Grafana path traversal exploitation attempts before the Server-Side Request Forgery (SSRF) surge on March 9, suggesting the attackers may be leveraging Grafana as an initial entry point for deeper exploitation.

The experts believe the attempts are the result of a coordinated attack, threat actors first scan exposed infrastructure before escalating their efforts. In past attacks, attackers exploited Grafana vulnerabilities to access configuration files and internal network details, reinforcing the possibility of reconnaissance-driven targeting.

“On March 9, GreyNoise observed a coordinated surge in SSRF exploitation, affecting multiple widely used platforms.” reads the advisory published by GreyNoise. “At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts. “

Most Server-Side Request Forgery exploitation attempts targeted entities in the United States, Germany, Singapore, India, Lithuania, Japan, and Israel.

The experts warn that attackers leverage SSRF for pivoting and reconnaissance and cloud exploitation.

GreyNoise observed a significant rise in SSRF exploitation on March 9, with around 400 unique IPs actively targeting 10 SSRF vulnerabilities. Many of these IPs are attempting to exploit multiple vulnerabilities simultaneously rather than targeting a single flaw. This pattern suggests an automation or pre-compromise reconnaissance, rather than typical botnet activity.

Below is the list of SSRF vulnerabilities being exploited in the attacks observed by the experts:

Tag/CVE (Block Malicious IPs at Link)Targeted Software
CVE-2020-7796Zimbra Collaboration Suite
CVE-2021-22214GitLab CE/EE
CVE-2021-39935GitLab CE/EE
CVE-2021-22175GitLab CE/EE
CVE-2017-0929DotNetNuke
CVE-2021-22054VMware Workspace ONE UEM
CVE-2021-21973VMware vCenter
CVE-2023-5830ColumbiaSoft DocumentLocator
CVE-2024-21893Ivanti Connect Secure
CVE-2024-6587BerriAI LiteLLM
(No CVE Assigned; See Right Link)OpenBMCS 2.4 Authenticated SSRF Attempt
(No CVE Assigned; See Right Link)Zimbra Collaboration Suite SSRF Attempt
SSRF vulnerabilities

Organizations should promptly patch and secure affected systems, apply mitigations for targeted CVEs, and restrict outbound access to necessary endpoints. Additionally, they should monitor for suspicious outbound requests by setting up alerts for any unexpected activity.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Meta)