Threat Alerts

CVE-2024-20353 – Denial of Service Vulnerability: The first vulnerability, CVE-2024-20353, exploits incomplete error checking during the parsing of HTTP headers. This loophole allows attackers to send manipulated HTTP requests to targeted web servers on affected devices, potentially causing a Denial of Service (DoS) condition upon device reload. 

Note: This vulnerability affects Cisco ASA Software and FTD Software if they have one or more vulnerable configurations. These could be found in the following advisory.

CVE-2024-20359 – Privilege Escalation Vulnerability: The second vulnerability, CVE-2024-20359, targets a legacy capability permitting the preloading of VPN clients and plug-ins. Through inadequate validation of files read from system flash memory, threat actors can inject crafted files into the disk0: file system of vulnerable devices, facilitating privilege escalation. Despite requiring admin-level privileges for exploitation, injected code can persist across device reboots, altering system behavior.  

Cisco recommends that customers, upon upgrading to patched releases, thoroughly examine the output of the dir disk0: command via the device CLI for any suspicious .zip files, particularly those such as client_bundle_install.zip. 

CVE-2024-20358 – Command Injection Vulnerability:  It’s essential to note another vulnerability, CVE-2024-20358, which involves the improper sanitisation of backup file contents during restoration. This flaw enables threat actors to execute arbitrary commands by restoring a manipulated backup file to affected devices, again requiring administrator-level privileges for exploitation. 

Note: Cisco FTD Software is affected only when lockdown mode has been enabled to restrict Linux shell access. Lockdown mode is disabled by default.  

Mitigations: Customers are urged to follow Cisco’s advisory meticulously, applying any necessary updates or patches. Notably, the most recent versions include 9.16.4.57, 9.18.4.22, and 9.20.2.10. For unsupported devices nearing End of Life (EoL), organisations should engage with Cisco to explore alternative solutions, as using outdated hardware or software significantly increases vulnerability to cyber threats. 

In response to these critical vulnerabilities, Cisco has provided detailed instructions for supported devices, guiding users through the process of obtaining and applying relevant updates. These steps include navigating Cisco’s Software Download Center and selecting appropriate releases based on hardware platforms. Moreover, Cisco offers guidance on verifying the integrity of ASA or FTD devices to ensure they remain secure against potential exploits. 

Overview: APT44 is a dynamic threat group that engages in a full range of cyber-attacks from espionage to disruptions and influence. The group is highly backed up by various departments within the Russian Federation as its mirroring national interests.

Targets: Main targets are opposing governments, defence departments, transportation, energy, and media. Driven by patriotism, APT44 frequently targets journalists and non-governmental bodies involved in investigations of the Russian government.

Tactics and techniques: Sandworm group is a mature and complex adversary as they are using a range of methods to gain initial access; from phishing to vulnerability exploit and supply chain compromise. Once established foothold, the ATP is using living-off-the-land (LOTL) techniques to establish persistence and exfiltrate data.

Tactics observed:

• Exploit of routers and virtual private networks (VPN)
• Subvert software supply chains.
• Distribute trojan software installers via Torrent forums
• Persistence: deploys lightweight tools that are expandable

Recommendations:

• Ensure that usage of VPN is controlled in the organisation and usage of commercial VPNs monitored if allowed.
• Block connection to Torrent domain.
• Prioritise detection of LOTL techniques

Disabling telemetry to mitigate the threat is no longer an effective mitigation recommendation. Therefore, for customers who applied this workaround without patching, we strongly recommend applying the currently available patches and schedule patching for new releases.

Additionally, Palo Alto has added instructions to the new advisory on how to check if any indicators of exploitation are present on a device. The following command needs to be used from the PAN-OS CLI. Command: grep pattern “failed to unmarshal session(.\+.\/” mp-log gpsvc.log   

Benign output example: “message”:”failed to unmarshal session(1234567-89ab-cdef-1234-567890abcdef)”. However, if instead of the GUID the output contains a file system path then further investigation is required.

MidnightEclipse / UTA0218 

Researchers have released various PoCs as well attributing activity to threat actor groups.  It was demonstrated that an attacker must be able to create arbitrary files before exploiting the command injection vulnerability. This can be achieved by injecting payloads in the SESSID cookie value which is later concatenated into a string and executes as a shell command. Therefore, when the server executes the telemetry transmission, the payload will be executed and removed from the telemetry directory.  

Additionally, researchers observed the zero-day being exploited in the wild as early as 26th March by a threat actor group tracked under UTA0218 by Volexity. The vulnerability was used to backdoor firewalls, create reverse shells, download additional tools, and export configuration data from devices.  

Unit 42 is tracking under the name “Operation MidnightEclipse” and in addition to the behaviour noted by Volexity, it also observed threat actors running cronjobs after exploiting the vulnerability. This was designed to run every minute to access commands hosted on an external server that would execute via bash.  

Additional technical reports:  

https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/  

In an advisory, Palo Alto describes it as “A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall”.

Impacted versions:

• PAN-OS < 11.1.2-h3
• PAN-OS < 11.0.4-h1
• PAN-OS < 10.2.9-h1

It is worth noting that the issue applies only to firewalls that have the configurations for both GlobalProtect and device telemetry enabled. Additionally, Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

For mitigating this threat hot fixes are to be released:

• PAN-OS 10.2.9-h1 (ETA: By 4/14)
• PAN-OS 11.0.4-h1 (ETA: By 4/14)
• PAN-OS 11.1.2-h3 (ETA: By 4/14)

Workarounds have also been presented in the advisory: here

Microsoft

Proxy Driver Spoofing Vulnerability: CVE-2024-26234  (CVSS score: 6.7)    

Microsoft has not disclosed any details about the exploit or scenarios in which this is exploited. However, it is known that this is a proxy spoofing vulnerability and patches have been made available. In summary, an executable signed digitally by a valid vendor contains a backdoor that uses an embedded proxy server to monitor and intercept network traffic. The Modus operandi of the attackers is to sign code with publisher certification so that the OS trusts and allows it. Further, this is bundled with marketing or ad software. More on the technical aspect: here 

SmartScreen Prompt Security Feature Bypass Vulnerability: CVE-2024-29988 (CVSS score: 8.8)     

Just like a previous Smartscreen vulnerability CVE-2024-21412, this allows a threat actor to bypass protection when accessing a specially crafted file. Researchers have observed exploits being sent in zipped files to evade detection.   

Fortinet

Remote code execution in FortiClient for Linux: CVE-2023-45590 (CVSS score: 8.3)  

A successful exploit could allow a remote attacker to execute arbitrary code on the compromised host. The vulnerability is caused by a dangerous node.js configuration in the FortiClient. Vulnerable versions: FortiClient (Linux): 7.0.0 – 7.2.0  

Administrator Cookie Leakage in FortiOS and FortiProxy: CVE-2023-41677 (CVSS score: 6.5)  

Affects both FortiOS and FortiProxy. An attacker may obtain administrator cookies after the victim visits a maliciously crafted domain through the SSL-VPN. It is to be noted that this scenario is rare; however not impossible. Vulnerable versions:  FortiOS: 6.0.0 – 7.4.1 & FortiProxy: 1.0.0 – 7.4.1  

Arbitrary Code Execution in FortiOS: CVE-2023-48784 (CVSS score: 5.8)  

FortiOS command line interface could allow a local attacker with admittedly super-admin privileges and CLI access to execute arbitrary code. Vulnerable versions: FortiOS: 7.0.0 – 7.4.1   

Overview: The XZ Utility is a data compression software included in Linux distributions used for compressing various file formats, software packages, kernel images, and more. Backdoor has been identified by a software engineer during failed SSH logins that used high CPU loads, the delay between the SSH port connections was of 500 ms. This lead further to discovering the root cause. Malicious code may modify or intercept data from other applications that leverage the library.

Threat actor: Over several years, an attacker using the pseudonym “Jia Tan” begins contributing patches to the xz-devel mailing list, building a credible profile as a contributor. September 2022-March 2023, the attacker is given commit access and by March they tag and build a release. February 2024 the attacker merges hidden backdoor code within binary test input files and tags the compromised version 5.6.0. This version includes a malicious build-to-host.m4 file that introduces the backdoor during the build process of deb/rpm packages.

Vulnerability: During the liblzma build process, a prebuilt object file is extracted from a disguised test file within the source code. This file is then utilized to alter specific functions within the liblzma code, effectively modifying the liblzma library. Consequently, the compromise affects OpenSSH when it supports systemd notifications, due to the libsystemd library relying on lzma. Several Linux distributions that use this librabry for SSH could be vulnerable to remote code execution.

Affected systems and mitigations: Particularly vulnerable Systems include those running on Linux x86_64 architectures that utilize the affected versions of xz-utils, especially in configurations that include glibc, systemd, and patched OpenSSH. It is strongly recommended that affected versions be discontinued immediately and downgraded to the more secure xz-5.4.x versions. Businesses using hosts with the following distributions are urged to take the appropriate remediation steps required for mitigation the threat.

List of known affected Linux distributions and links to remediation steps:

• Fedora Linux 40 and Rawhide
• openSUSE
• Kali Linux
• Alpine
• Debian (Unstable)
• Arch

Additionally, HomeBrew is forcing downgrades to 5.4.6; it’s not believed that the builds were compromised however the actions are taken as a precaution.

More information on how the vulnerability was discovered can be found here

A more technical review can be found here

Additionally, more information on advisories, solutions, and tools can be found here

Tactics and Techniques: The group distinguishes itself from the rest through complex tactics and choice tools such as “ruler” (used for brute force email account) or Xdealer malware. Reconnaissance is conducted through continuous scans of the public-facing servers and deploying open-source tools to probe for various vulnerabilities.    

Researchers observed that the group often leverages two vulnerabilities: CVE-2023-32315 (command execution bug in the real-time collaboration server Openfire) & CVE-2022-21587 (command execution issue with the Web Applications Desktop Integrator in Oracle’s E-Business Suite).  

After gaining access to the network, the attacker’s goal is to establish persistence by deploying backdoors onto the compromised servers. Out of all the tools dropped, XDealer is considered the most sophisticated one as it can record keystrokes, intercept clipboards, and take screenshots. Additionally, this is compatible with both Linux and Windows 

For lateral movement, emails of government employees are hijacked and used to send phishing emails to other government officials. These emails are used to drop backdoors on the victim’s host and spread the foothold to other organisations.  

In addition to phishing campaigns, the group was observed building SoftEther VPN servers on compromised public-facing servers to support post-exploitation movement. According to Trend’s report “The SoftEther server executable is renamed to either taskllst.exe, tasklist.exe, or tasklist_32.exe for the Windows executable and curl for the Linux”.

Post-exploitation activities: remote desktop connections, credential dumping, sensitive data exfiltration.  

Recommendations:  

• review and remove public-facing servers, if needed by business – ensure that they are protected  
• raise user awareness on phishing emails and provide training  
• business should review their position on commercial VPN usage; this is often used for anonymisation purposes  
• detection rules set for mail forwarding rules being set and mass email activity
• ensure patches and updates are applied on tools

Tactics and Techniques: The phishing campaign was designed to impersonate business employees chasing the recipient on a previous email. Sender addresses are spoofed so it appears legitimate. The ZIP attachments contain an HTML file that embeds a URL of the structure “ file[:]//IP[.]txt”.   

Objective: Connections to these SMB servers are meant to steal NTLM hashes and additional information such as device name and username.  Stolen NTLM hashes could facilitate “Pass-The-Hash” attacks in which threat actors are not required to provide additional passwords to authenticate sessions. This is further leading to lateral movement into the network.   

Detection and remediation: Attachments, HTML files, and TXT files have unique file hashes and names. This makes the campaign more dynamic, making it challenging to detect and block. Detection rules for the behavior can be set. Additionally, businesses can block outbound SMB connections to prevent exploitation. 

More technical details can be found here

Important: Continuously advise users of ScreenConnect to upgrade to version 23.9.8 as soon as possible. However, to note that for cloud customers, there are no actions to be taken.  

Overview: APLHV Blackcat is a threat actor group that operates a ransomware-as-a-service (RaaS) model written in RUST. In December 2023, the group’s access and server were taken down by authorities. However, they quickly shifted to a new Tor site and updated their ransomware application model. Improvements were made to the evasion and encryption components, it is now capable of encrypting Windows, Linux, and VMWare instances.  

Tactics and Techniques:  BlackCat leverages compromised credentials or launches social engineering attacks impersonating IT or help desk admins to gain initial access. Recent affiliates of the ransomware group deployed RMM (remote management and monitoring) tools such as AnyDesk or ScreenConnect.   

User account “aadmin” gets created and Kerberos token generation is used for domain access. Once established in the network, Cobalt Strike and Brute Ratel are deployed as beacons to C2 (command and control) servers.    

Detection is evaded by using applications such as Metasploit and exfiltrating data via Mega[.]nz or Dropbox. In recent reports, the affiliates are observed using POORTRY and STONESTOP malware to terminate security processes.  

Recommended mitigations:  

• Review the usage of RMM tools on the estate. Detection and blocking rules should be in place if these are not expected.  
• Regularly back-up data, secure it with a password, and ensure that copies are made by following the 3-2-1 backup strategy.   
• Monitor and detect suspicious or unrecognised scheduled tasks  
• Update the ScreenConnect version to the latest

More information on the advisory can be found here

Authentication bypass (CVSS: 10): In this scenario, by using an alternate path of the channel, the authentication mechanism can be bypassed. The attacker is not required to initiate complex attacks, nor there is a need for user interaction   

‘Path Traversal’ (CVSS: 8.4) : The vulnerability involves the improper limitation of a pathname to a restricted directory. High privileges are needed for a threat actor to gain access to files and directories outside of the intended directory.

Mitigations:  Both vulnerabilities impact ScreenConnect versions 23.9.7 and prior. Fixes have been made available from version 23.9.8.  ConnectWise stated that for cloud customers there are no actions to be taken. The servers hosted in the “screenconnect.com” cloud or “hostedrmm.com” have been updated.  

Conclusion: Security agencies have issued a warning in the past month regarding the increase in attacks where legitimate RMM software was used as entry points for malicious actors. Once established a foothold in the network, they could bypass security controls, lateral move in the network and obtain sensitive documents. Businesses are urged to review the need and usage of RMM tools on their estate. Detection rules should be implemented to monitor suspicious activity and applications blocked if not required.

CVE-2024-21412  

The vulnerability focuses on internet shortcuts, as .url files are INI configuration files that have the parameter for pointing to a URL. An unauthenticated attacker could send through phishing emails specially crafted files designed to bypass security checks. 

Researchers were capable to bypass another SmartScreen vulnerability CVE-2023-36025 by exploiting the newly SmartScreen zero-day. During PoC, it was proven that by calling URL from a shortcut within another shortcut it was possible to evade SmartScreen detection.  

Tactics and Techniques

Threat actors were launching spear-phishing attacks containing stock charts redirecting to a compromised trading domain. Their main targets were users on trading and stock forums asking for advice.  

On the compromised .ru domain, internet shortcuts were disguised as JPEG images that direct to a WebDAV share. This furthermore facilitates exploitation and execution of malicious Microsoft Installer File (.msi) on the host.  

Furthermore, compromised domains and DarkMe RAT are used for information gathering and command-and-control (C2) connections.  

Conclusion

Zero-day attacks are a security risk to organisations; therefore, is crucial to identify and mitigate vulnerabilities as soon as possible. Here, at Socura, we are conducting threat hunts on IOCs and deploying custom detection rules. 

 More technical information & IOCs can be found here

Fortinet advises users to upgrade their FortiOS installations to the recommended versions or apply patches as soon as possible. Disabling SSL VPN on affected devices can serve as a temporary mitigation measure for those unable to immediately apply patches.

The company’s advisory also highlights the potential exploitation of the vulnerability in attacks targeting corporate networks. Threat actors, including state-sponsored groups like Volt Typhoon, have a history of leveraging Fortinet vulnerabilities for ransomware attacks and cyber espionage. Recent incidents involving custom malware like COATHANGER underscore the urgency of addressing these security flaws promptly.

The disclosure of CVE-2024-21762 coincides with Fortinet’s release of patches for other vulnerabilities affecting its products, such as CVE-2024-23108 and CVE-2024-23109 impacting FortiSIEM supervisor. These vulnerabilities similarly allow remote unauthenticated attackers to execute unauthorised commands.

Recent reports of Chinese state-sponsored actors infiltrating government networks using exploits in Fortinet FortiGate devices highlight the persistent threat posed by such vulnerabilities. Additionally, the U.S. government has issued advisories regarding groups like Volt Typhoon, emphasising the need for enhanced cybersecurity measures, especially for internet-facing edge devices lacking endpoint detection and response (EDR) support.

In conclusion, organisations using FortiOS SSL VPN should prioritise the application of patches and follow recommended mitigation strategies to protect their networks from exploitation by threat actors. Vigilance and proactive security measures are essential to mitigate the evolving cybersecurity risks associated with such vulnerabilities.

Version                       Affected                         Solution
FortiOS 7.6                 Not affected                 Not Applicable
FortiOS 7.4                 7.4.0 through 7.4.2      Upgrade to 7.4.3 or above
FortiOS 7.2                 7.2.0 through 7.2.6       Upgrade to 7.2.7 or above
FortiOS 7.0                 7.0.0 through 7.0.13     Upgrade to 7.0.14 or above
FortiOS 6.4                 6.4.0 through 6.4.14    Upgrade to 6.4.15 or above
FortiOS 6.2                 6.2.0 through 6.2.15     Upgrade to 6.2.16 or above
FortiOS 6.0 6.0          all versions                     Migrate to a fixed release

We will continuously update this Threat Alert as and when more information becomes available.

AnyDesk has released a public statement here:

https://anydesk.com/en/public-statement

The detailed list of vulnerabilities is as follows:

1. CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation flaw in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x).
2. CVE-2024-21893 (CVSS score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA.

Ivanti stated that there is no evidence of customers being impacted by CVE-2024-21888 so far, but the exploitation of CVE-2024-21893 appears to be targeted. The company anticipates a sharp increase in exploitation once this information becomes public.

In response to the vulnerabilities, Ivanti has released security patches for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1, as well as ZTA version 22.6R1.3. As a precautionary measure, customers are recommended to factory reset their appliances before applying the patch to prevent threat actors from gaining upgrade persistence, with the process expected to take 3-4 hours.

To address CVE-2024-21888 and CVE-2024-21893 temporarily, users are advised to import the “mitigation.release.20240126.5.xml” file.

These revelations come in the wake of two other flaws in the same products (CVE-2023-46805 and CVE-2024-21887) being actively exploited by multiple threat actors to deploy backdoors, cryptocurrency miners, and a Rust-based loader known as KrustyLoader.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an advisory, indicating that adversaries are leveraging the aforementioned flaws to capture credentials and deploy web shells for further compromise of enterprise networks. Some threat actors have developed workarounds to current mitigations and detection methods, allowing them to exploit weaknesses, move laterally, and escalate privileges without detection.

Additionally, Ivanti has released security patches for two more zero-days disclosed in early January—authentication bypass (CVE-2023-46805) and command injection (CVE-2024-21887)—which have been used in widespread attacks to deploy malware on vulnerable ICS, IPS, and ZTA gateways since January 11. CISA issued the first emergency directive (ED 24-01) of 2024, instructing federal agencies to immediately mitigate these zero-day flaws due to mass exploitation by multiple threat actors.

The victims of these extensive attacks include government and military organisations, national telecom companies, defence contractors, banking and finance organisations, as well as aerospace, aviation, and tech firms.

Phishing emails are deployed for initial access, while subsequently remote admin tools are dropped to gain privilege and laterally move within the network.

PsExec is ran to execute specially crafted .bat scripts that checks for the presence of “Martini.exe” file on the host. If found, the script terminates it and downloads the vulnerable ‘Martini.sys”. Following the install, attackers can escalate privileges and terminating processes. Files and folders are transferred from a network share to local directory and encryption script is initiated.

Payload “smartscreen_protected.exe” encrypts the processes using the algorithms ChaCha20 and RSA. Kasseika was observed utilising webutil.exe binary and clear.bat to remove its activity from the System Event Logs. Additionally, Volume Shadow copies have been deleted to remove the recovery option.

A more in depth technical analysis of the group and its activity can be read here . We, at Socura, are conducting threat hunts on the groups activity, IOC and additionally deploying corresponding detection rules.

Recommendations:

• add the driver “Martini.sys”/”viragt64.sys” on the block list
• enable the Microsoft’s vulnerable driver blocklist.
• Ensure that backups are made in multiple different locations.
• monitor large file movements

CVE-2023-6548, a medium-criticality flaw, requires prior access to NetScaler IP (NSIP), Cluster IP (CLIP), or Subnet IP (SNIP) with management interface access. Network segregation is recommended to mitigate this vulnerability. On the other hand, CVE-2023-6549, with a high-criticality score, necessitates the appliances to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy).

Mitigating factors for CVE-2023-6548 involve separating network traffic to the appliance’s management interface and avoiding exposure to the internet. Citrix advises affected customers to immediately update to the latest supported versions, as exploits of these vulnerabilities have been observed on unmitigated appliances.

The affected versions include NetScaler ADC and NetScaler Gateway 14.1 (before 14.1-12.35), 13.1 (before 13.1-51.15), 13.0 (before 13.0-92.21), as well as FIPS compliant versions 13.1 (before 13.1-37.176) and 12.1 (before 12.1-55.302), including 12.1-NDcPP before 12.1-55.302, which is compliant under the Network Device Collaborative Protection Profile.

Notably, NetScaler ADC and NetScaler Gateway version 12.1 have reached End of Life (EOL) and are vulnerable. Customers are strongly urged to upgrade to one of the latest supported versions to address these vulnerabilities.

Capabilities: The Python script is targeting .env files found in several cloud applications such as Amazon Web Service or Microsoft Office 365.  By taking advantage of the SMTP protocol, it deploys malicious webshells and exploiting leaked credentials. Moreover, the malware is capable of self-replicating by using compromised AWS credentials to create new users and expand in the network. Therefore, monitoring for new suspicious accounts is encouraged.

Tactics and Techniques: Botnets have been seen by researchers as far as 2022 scanning hosts for known remote code vulnerabilities or by using compromised AWS credentials to identify targets.

CVE-2021-41773 (Apache HTTP Server ) : The group was observed conducting reconnaissance for vulnerable web servers running Apache HTTP versions 2.4.29 or 2.4.50. In this scenario, files outside the root directory need to be protected by the “request all denied” configuration and have the Common Gateway Interface scripts enabled.

CVE-2017-9841 ( PHPUnit unit testing framework ) : Common technique seen for the group is exploitation of the PHPUnit vulnerability. Webpages with the PHPUnit module that have the “/vendor” folder exposed to the internet are susceptible to remote code execution through HTTP POST requests.

CVE-2018-15133 (Laravel PHP web framework ) : For websites that use Laravel, the malware is establishing if domain’s .env file is exposed and send crafted GET requests for accessing credentials stored in the environment variables. In the Laravel vulnerability, XSRF tokens are subject to un-sanitized calls that allow remote code executions and further file uploads to website.

Recommendations: These instances should be patched to the latest available versions to reduce the likelihood of a security incident. Additionally, companies are recommended to apply security measures and policies on their cloud environments. We, at Socura, are monitoring the cloud environments and conduct regular threat hunts aim to discover weak spots.

IOCs:

Inbound GET and POST requests:

• /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /.env

Inbound POST requests:

• [0x%5B%5D=androxgh0st]
• ImmutableMultiDict([(‘0x[]’, ‘androxgh0st’)])

Zero-Day Vulnerabilities: The first vulnerability, CVE-2023-46805, is an authentication bypass in the gateways’ web component, allowing attackers to access restricted resources by circumventing control checks. The second, CVE-2024-21887, is a command injection flaw that enables authenticated administrators to execute arbitrary commands on vulnerable appliances through specially crafted requests. When combined, these two vulnerabilities facilitate the execution of arbitrary commands on all supported versions of the affected products.

Exploitation and Attribution: The vulnerabilities were initially discovered by Mandiant and Volexity, with evidence suggesting exploitation by a Chinese state-backed threat actor, tracked under the alias UTA0178. Ivanti has confirmed that less than 10 customers have been impacted, emphasising the importance of immediate action.

Attack Techniques: The attacker utilised a combination of techniques, including an authentication bypass, unauthenticated remote code execution, and lateral movement within the network. The exploits allowed the threat actor to manipulate Ivanti’s internal integrity checker, potentially compromising the security of affected systems.

Incident Response and Forensic Analysis: Ivanti conducted an incident response investigation that revealed the attacker’s methods and tools. The attacker, suspected to be UTA0178, leveraged webshells, proxy utilities, and file modifications for credential harvesting. Forensic analysis uncovered two zero-day exploits and showcased the attacker’s ability to execute commands, steal configuration data, and evade security measures.

Detection and Mitigation Strategies: Organisations are urged to employ various strategies for detecting and mitigating the impact of these zero-days. Network traffic analysis, VPN device log analysis, and the execution of Ivanti’s Integrity Checker Tool are essential for identifying signs of compromise. The following blog post details specific indicators to look for in each method, emphasising the need for proactive monitoring and response.

Responding to Compromise: In the event of a compromise, organisations should not only apply available mitigations but also collect logs, system snapshots, and forensic artefacts from affected devices. Password resets and additional investigations are advised to address potential credential compromises.

Conclusion: As cyber threats continue to evolve, organisations must remain vigilant in securing critical infrastructure. The Ivanti zero-days highlight the importance of prompt patching, active monitoring, and a robust incident response plan to mitigate risks effectively. The provided insights and recommendations aim to empower organisations in safeguarding their IT assets against emerging threats.

Kerberos is Window’s default authentication protocol used for authenticating users and devices to the network. Therefore, a bypass would allow an unauthenticated threat actor to spoof a Kerberos server and send authentication messaged to clients. Noted by the vendor is that a successful exploit requires access to restricted network before attempting to execute the attack.    

Windows Hyper-V is popular with IT professionals as its used as virtualisation for software testing on multiple operating systems. Hyper-V is additionally used for creating virtual hard drives, switches, and machines. Not much information is disclosed on the Hyper-V flaw, however it has been noted that a success exploit can be achieved without user interaction or authentication. The threat actor is also required to win a race condition before taking advantage of the vulnerability. More details on the two vulnerabilities are yet to be released by Microsoft. 

SMTP Smuggling Overview:

SMTP is a widely used TCP/IP protocol for sending and receiving email messages over a network. It involves establishing an SMTP connection between the email client and server to transmit the email’s content. SMTP servers rely on mail transfer agents (MTAs) to process and deliver messages. The crux of SMTP smuggling lies in the inconsistencies in handling end-of-data sequences by outbound and inbound SMTP servers, allowing threat actors to “smuggle” arbitrary SMTP commands and send separate emails. This technique draws inspiration from HTTP request smuggling, leveraging discrepancies in the interpretation of specific headers.

Affected Servers and Exploitation:

SMTP smuggling exploits security flaws in messaging servers from major providers, including Microsoft, GMX, Cisco, Postfix, and Sendmail. The vulnerabilities enabled threat actors to send spoofed emails, seemingly originating from legitimate senders, and circumvent authentication checks like DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF).

Vendor Responses and Responsible Disclosure:

Following responsible disclosure procedures, SEC Consult notified affected vendors, including Microsoft and GMX, which promptly addressed the identified vulnerabilities. However, Cisco contested the findings, asserting that the issues were not vulnerabilities but features, and opted not to change the default configuration. Despite Cisco’s stance, inbound SMTP smuggling to Cisco Secure Email instances remains possible with default configurations. To mitigate risks, SEC Consult recommends Cisco users adjust their settings from “Clean” to “Allow” to avoid receiving spoofed emails with valid DMARC checks.

Postfix Remediation and Workaround:

Postfix developers responded promptly to the SMTP smuggling threat, releasing short-term workarounds to address the vulnerability. Administrators are encouraged to implement these fixes to safeguard their email systems.

Conclusion:

SMTP smuggling represents a novel and potent technique for threat actors to exploit vulnerabilities in widely used email servers. The responsible disclosure process highlighted communication challenges and differing interpretations of the impact among vendors. This incident emphasises the need for enhanced collaboration and communication to address potential broader impacts when sharing details with affected vendors. As the email security landscape evolves, vigilance and proactive measures are crucial to thwart emerging threats like SMTP smuggling.

Attack Scenarios:

Cryptomining with OAuth Applications:

Microsoft Threat Intelligence observed a threat actor known as Storm-1283 using compromised accounts to create OAuth applications, deploying virtual machines for cryptomining. The attacker maintained access by cleverly naming virtual machines to avoid detection, resulting in substantial financial losses for targeted organisations.

Business Email Compromise (BEC) and Phishing:

Another attack involved a threat actor leveraging OAuth applications for BEC and phishing activities. By compromising user accounts and employing an adversary-in-the-middle (AiTM) phishing kit, the actor successfully stole session tokens and used them for persistence, launching phishing attacks with varying subject lines.

Spamming via OAuth Applications:

In a large-scale spamming campaign, threat actor Storm-1286 employed OAuth applications created through password spraying attacks. By compromising user accounts and exploiting legacy authentication protocols, the actor sent thousands of emails daily, using both legitimate and non-privileged accounts to avoid detection.

Mitigation Strategies:

To counter these threats, Microsoft recommends several mitigation strategies:

• Strengthen Credential Security:
  • Implement multi-factor authentication (MFA) to reduce the risk of credential guessing attacks.
• Conditional Access Policies:
  • Enable policies for User and Sign-in Risk, device compliance, and trusted IP addresses to protect against stolen credentials.
• Continuous Access Evaluation (CAE):
  • Utilise CAE to revoke access in real time when user conditions change, mitigating risks associated with compromised accounts.
• Security Defaults and Microsoft Defender:
  • Enable security defaults for preconfigured security settings and leverage Microsoft Defender’s automatic attack disruption capabilities.
• Audit Apps and Consent Permissions:
  • Regularly audit and monitor applications and consented permissions to ensure least privilege access.
• Educate Employees:
  • Educate users on application permissions and potential risks associated with malicious apps.
• Secure Azure Cloud Resources:
  • Implement MFA for all users, monitor quota increases, and use Microsoft Defender for Cloud Apps connector for enhanced visibility.
• Email Filtering and Phishing Protection:
  • Configure Office 365 email filtering settings to block spoofed emails, spam, and emails with malware. Use Defender for Office 365 features for enhanced phishing protection.

Detections and Alerts:

Microsoft Defender XDR, Microsoft Defender for Cloud Apps, App Governance, Microsoft Defender for Office 365, Microsoft Defender for Cloud, and Microsoft Entra Identity Protection offer a range of alerts and detections to identify and respond to these threat activities.

By implementing these recommended strategies and leveraging Microsoft’s suite of security solutions, organisations can fortify their defences against OAuth-based attacks, ensuring a more resilient cybersecurity posture.

CVE-2023-22523 – Asses Discovery RCE vulnerability  

Asset Discovery software its a scanning tool that can be used both with or without an agent with Jira Service Management Cloud, Data Centre or Server. This detects and collects information on the assets connected to the local network; and further imports them to Jira for management.  

However, the vulnerability is targeting hosts with an Asset Discovery agent available; between the Asset Discovery application and agent. Vulnerable are all prior to Assets Discovery 3.2.0-cloud / 6.2.0 data center and server.  

CVE-2023-22522 – Confluence Data Center and Server 

Atlassian advisory is describing this vulnerability as a template injection through which threat actors inject unsafe input into the Confluence page. 

It’s recommended to upgrade your instances to the patched versions: 

Confluence Data Center and Server: 

• 7.19.17 (LTS) 
• 8.4.5 
• 8.5.4 (LTS) 

Confluence Data Center: 

• 8.6.2 or later (Data Center Only) 
• 8.7.1 or later (Data Center Only)

Citrix emphasised the need for additional measures beyond patching to thwart ongoing exploitation. Administrators are advised to wipe all previous user sessions and terminate active ones. This critical step is crucial as attackers have been exploiting the vulnerability to steal authentication tokens, allowing unauthorised access even after patching.

Researchers who initially disclosed the active exploitation of Citrix Bleed as a zero-day in late August 2023, issued a warning. Compromised NetScaler sessions persist after patching, enabling lateral movement across networks and compromising other accounts based on permissions associated with compromised accounts.

To address the situation, Citrix reiterated the importance of immediate upgrades and the removal of active or persistent sessions. The company issued the following commands for administrators to execute, emphasising the urgency of these actions:

kill icaconnection -all 

kill rdp connection -all 

kill pcoipConnection -all 

kill aaa session -all 

clear lb persistentSessions 

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) highlighted that the LockBit ransomware gang is actively exploiting the Citrix Bleed vulnerability. The advisory, also supported by the Multi-State Information Sharing & Analysis Center (MS-ISAC) and the Australian Cyber Security Center (ACSC), shared indicators of compromise and detection methods to assist defenders in thwarting these attacks.

Boeing, a notable target of LockBit, shared insights into how the ransomware gang breached its network using a Citrix Bleed exploit in October. The joint advisory underscored the seriousness of the situation, stating that various organisations had observed similar activities impacting their environments.

Simultaneously, another article disclosed that LockBit 3.0 affiliates are intensifying their attacks on the Citrix Bleed vulnerability. The critical bug, identified as CVE-2023-4966, was patched in late October, but threat actors, particularly LockBit 3.0 users, are leveraging its exploitation for unauthorised access to corporate systems.

CISA warned about the vulnerability’s ease of providing an authentication bypass route, allowing threat actors to hijack legitimate user sessions successfully. The agency, in collaboration with the FBI, MS-ISAC, and ACSC, emphasised the severity of the risk, enabling malicious actors to acquire elevated permissions for credential harvesting, lateral movement, and unauthorised access to data and resources.

Security researcher Kevin Beaumont noted that LockBit 3.0 and its affiliates have formed a specialised “strike team” to exploit Citrix Bleed, raising concerns about the sophistication of attackers involved.

Both CISA and Citrix reiterated that patching alone is insufficient for protecting affected instances. The agencies provided detailed remediation guidance, detection methods, and indicators of compromise. Citrix emphasised the need to reassess an organisation’s ability to identify vulnerabilities at the process/PID level and urged the removal of active or persistent sessions after upgrading.

With the holiday season approaching, the urgency of addressing the Citrix Bleed vulnerability was underscored, with organisations urged to isolate vulnerable appliances if immediate patching and session termination are not feasible. Despite Citrix’s widespread use, the vulnerability remains a prime target for threat actors due to its pre-authentication nature, making it an attractive target for exploitation. The cybersecurity community remains on high alert as organisations work to mitigate the ongoing threat posed by LockBit 3.0’s exploitation of the Citrix Bleed vulnerability.

CVE-2023-38547 had been describes as an improper control of code that can be leveraged to obtain information on the SQL server connections used for accessing the database. This does leads further to RCE on the SQL server.  Additionally, CVE-2023-38548 would enable unprivileged access to Veeam ONE Web Client and consequently, capability to obtaining the NTLM hash of the account used by the Veeam ONE Reporting Service. However, an account that has access to the Web Client is required for the exploitation.  

All versions of Veeam ONE are impacted, up until the last release. Therefore, Veaam company has released several hotfixes alongside the advisory that are recommended to be applied urgently.  

• Veeam ONE 12 P20230314 (12.0.1.2591) 
• Veeam ONE 11a (11.0.1.1880) 
• Veeam ONE 11 (11.0.0.1379)  

For these hotfixes to work, admins are required to perform the following sequence of tasks:

• Stop the Veeam ONE monitoring and reporting services on the impacted servers 
• Replace the files on the disk with the files in the hotfix 
• Restart the services to deploy the hotfix 

Although there are no current reports of active exploitation, Atlassian is urging its customers to take swift measures. The company has promptly released patches for Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1. It is crucial for administrators to upgrade to these fixed versions as soon as possible.

In addition to patching, Atlassian recommends taking the following actions:

1. Backup your Confluence instance. (Instructions can be found here: Backup Instructions)
2. If you are unable to patch immediately, disconnect your instance from the internet. Instances accessible to the public internet, even those with user authentication, should be restricted from external network access until the patch is applied.

It’s important to note that Atlassian Cloud sites accessed via an atlassian.net domain are not affected by this vulnerability.

Furthermore, in a separate security advisory, CISA, FBI, and MS-ISAC recently warned network administrators to urgently patch Atlassian Confluence servers to address an actively exploited privilege escalation flaw, tracked as CVE-2023-22515. This flaw has been actively exploited by the Chinese-backed Storm-0062 threat group, also known as DarkShadow or Oro0lxy, since at least September 14, 2023. The joint advisory expressed concerns about widespread exploitation in government and private networks due to the ease of exploitation. Given that Confluence servers have been targeted in previous attacks involving Linux botnet malware, crypto miners, AvosLocker, and Cerber2021 ransomware, patching these servers promptly is essential to mitigate the risk.

The threat intelligence company VulnCheck identified the extensive exploitation of this vulnerability and scanned internet-facing Cisco IOS XE web interfaces, discovering thousands of infected hosts. They have also released a scanner to detect these implants on affected devices. VulnCheck’s CTO, Jacob Baines, noted that “Cisco buried the lede by not mentioning thousands of internet-facing IOS XE systems have been implanted. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.”

As of now, there is no patch available for this vulnerability. To protect your organisation, VulnCheck recommends disabling the web interface and removing all management interfaces from the internet immediately. They have identified approximately 10,000 implanted systems, with more potential targets listed on Shodan/Censys. A Shodan search for Cisco devices with their Web UI enabled currently shows more than 140,000 Internet-exposed devices.

Cisco first discovered this vulnerability while addressing multiple Technical Assistance Center (TAC) support cases. The flaw allows an attacker to gain administrator privileges and take control of vulnerable routers, as it enables a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. Cisco Talos researchers observed attacks exploiting this flaw, where unauthorised users created local user accounts under usernames like “cisco_tac_admin” and “cisco_support” from suspicious IP addresses. The observed activity included deploying an implant consisting of a configuration file (“cisco_service.conf”).

It is believed that these clusters of activity were likely carried out by the same threat actor. Cisco strongly recommends administrators to disable the HTTP server feature on systems exposed to the internet to mitigate the risk. They provide specific commands to do this and encourage saving the running configuration after disabling the HTTP Server feature to prevent reactivation in case of a system reload. The advisory also includes Indicators of Compromise (IoCs) to aid in identifying potential attacks.

Exploitation and Impact

Citrix strongly urged its customers to install the available update as soon as possible in a security bulletin dated October 10. The vulnerability (CVE-2023-4966) has a CVSS score of 9.4 and impacts specific versions of NetScaler ADC and Gateway devices, including NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50, 13.1 before 13.1-49.15, and 13.0 before 13.0-92.19. The flaw also affects NetScaler ADC 13.1-FIPS before 13.1-37.164 and NetScaler ADC 12.1-FIPS before 12.1-55.300.

To exploit this vulnerability, the device must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorisation and accounting (AAA) virtual server.

Zero-Day Exploitation

Security experts from Mandiant reported that they discovered zero-day exploitation of CVE-2023-4966 in the wild, commencing in late August 2023. Successful exploitation of this vulnerability allows attackers to hijack authenticated sessions, effectively bypassing multi-factor authentication or other strong authentication requirements. Even after applying the security update, hijacked sessions can persist, and attackers can leverage this access for lateral movement or to breach additional accounts.

Mandiant also identified instances of session hijacking where session data was stolen before the patch deployment. Threat actors then used this stolen session data to gain further access based on the permissions and scope of the identity or session. This enabled them to harvest additional credentials, pivot laterally within the environment, and access additional resources.

Targeted Sectors

The threat actor behind these attacks has not been definitively identified, but the campaign appears to have targeted professional services, technology, and government organisations. Given the active abuse of this vulnerability and Citrix’s history of attracting threat actors, organisations are strongly advised to act swiftly to update their instances and mitigate potential threats.

Mitigation and Recommendations

In addition to applying the patch provided by Citrix, Mandiant published a set of recommendations for NetScaler ADC/Gateway administrators:

• If immediate patching isn’t feasible, restrict ingress IP addresses.
• After the update, terminate all active sessions and run the CLI command: clear lb persistentSessions <vServer>.
• Rotate credentials for identities accessing vulnerable appliances.
• In case of suspicious activity, especially with single-factor authentication, rotate a broader scope of credentials.
• If web shells or backdoors are detected, rebuild appliances with the latest clean-source image.
• When restoring from backup, ensure there are no backdoors in the backup configuration.
• Limit external attack exposure by restricting ingress to trusted IP addresses.

It’s crucial for organisations to prioritise upgrading their appliances to specific firmware versions to ensure the utmost security.

Previous Vulnerability

Notably, this is the second zero-day flaw Citrix has addressed in its products in the current year. The first one, identified as CVE-2023-3519, was exploited in the wild in early July and received a fix a few weeks later.

A separate vulnerability, CVE-2023-4967, also high-severity with a CVSS score of 8.2, shares the same prerequisites as CVE-2023-4966. Exploiting this flaw can potentially result in a denial of service (DoS) on compromised devices.

These vulnerabilities affect several versions of Citrix products, including NetScaler ADC and NetScaler Gateway 14.1, 13.1, 13.0, as well as specific FIPS and NDcPP variants. To mitigate these issues, users are strongly advised to upgrade to secure versions of NetScaler ADC and NetScaler Gateway, as recommended by Citrix.

It’s important to note that version 12.1 has reached its end of life (EOL) date and is no longer supported. Therefore, users are strongly encouraged to upgrade to actively supported releases.

It’s worth emphasising that these critical-severity vulnerabilities in Citrix products are highly attractive to hackers, particularly those targeting large organisations with valuable assets. A recent example is CVE-2023-3519, a critical remote code execution flaw that Citrix addressed in July 2023. This flaw is currently under active exploitation by numerous cybercriminals who exploit available exploits to plant backdoors and steal credentials.

In a separate incident related to Citrix, a previously disclosed critical flaw, CVE-2023-3519 (CVSS score: 9.8), is actively exploited by threat actors to conduct a credential harvesting campaign. IBM X-Force discovered this activity, where adversaries leveraged this vulnerability to insert a malicious script into the HTML content of the authentication web page, thereby capturing user credentials. This flaw has been widely abused to infiltrate vulnerable devices and gain persistent access for subsequent attacks.

The attackers behind this campaign exploit CVE-2023-3519 to deploy a PHP-based web shell, allowing them to append custom code to the NetScaler Gateway login page. This custom code references a remote JavaScript file hosted on attacker-controlled infrastructure, which collects and transmits user login credentials to a remote server.

IBM X-Force identified over 600 unique victim IP addresses hosting modified NetScaler Gateway login pages, with most of them situated in the United States and Europe. The attacks appear opportunistic in nature, and the campaign has been ongoing for nearly two months, with no attribution to a specific threat actor or group.

This discovery coincides with Fortinet FortiGuard Labs’ uncovering of an updated version of the IZ1H9 Mirai-based DDoS campaign targeting various flaws in IP cameras and routers from different manufacturers. Vulnerable devices are infected, expanding the botnet through the swift utilisation of recently released exploit code that encompasses numerous CVEs. These infected devices are turned into remote-controlled bots for large-scale brute-force and DDoS attacks.

To mitigate this threat, organisations are strongly recommended to apply patches promptly and change default login credentials for devices. The importance of prompt patching and changing default credentials is further underscored by the discovery of an unpatched remote command injection flaw impacting D-Link DAP-X1860 range extender (CVE-2023-45208), which could be exploited by threat actors to run shell commands.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory highlighting the risk of volumetric DDoS attacks against websites and related web services. Organisations are urged to implement appropriate mitigations to reduce this threat. These attacks aim to exhaust the target system’s resources, making it unreachable and denying users access to the service.

BunnyLoader Overview:

BunnyLoader is a loader written in C/C++ that is actively advertised on various cybercrime forums. It is designed to be fileless, making it a stealthy threat in the digital landscape. Among its key features are the ability to steal and replace the contents of a system clipboard, download and execute payloads, log keystrokes, steal sensitive data and cryptocurrency, and execute remote commands.

Technical Capabilities:

BunnyLoader’s command and control panel offer cybercriminals a range of functionalities, including setting second-stage payloads, enabling keylogging, credential stealing, clipboard manipulation (primarily for cryptocurrency theft), and executing remote commands on compromised devices. Upon execution, BunnyLoader establishes persistence in the Windows Registry, conceals its presence, sets a mutex to prevent multiple instances, and registers the victim on the control panel. It also employs anti-analysis techniques to detect and evade sandbox and simulated environments.

Data Theft:

In addition to its core functions, BunnyLoader is equipped with modules to steal data from web browsers (such as passwords, credit card information, and browsing history), cryptocurrency wallets, VPN clients, messaging apps, and more. All pilfered data is compressed into a ZIP archive before being transmitted to the threat actor’s command and control (C2) server.

Fileless Execution:

BunnyLoader provides the option to write payloads to the disk or execute them directly from system memory using the process hollowing technique, enhancing its stealth and evasion capabilities.

Development Cycle:

Zscaler has closely monitored BunnyLoader’s development and observed multiple updates since its initial release. The malware’s rapid development cycle, coupled with its low price point, makes it an attractive choice for cybercriminals looking for emerging malware projects at competitive rates.

Recent Updates:

The BunnyLoader authors have consistently released updates to enhance their creation’s capabilities. Notable updates include BunnyLoader v1.7 and v1.8, which introduced additional anti-virus evasion techniques, a keylogger functionality, and bug fixes. Furthermore, a critical SQL injection vulnerability in the C2 system was patched on September 27, 2023.

Distribution Channel:

While the distribution channel for BunnyLoader remains undiscovered, researchers have analysed the malware’s behavior upon execution. It establishes persistence in the Windows Registry, employs anti-VM techniques, and communicates with the C2 server to initiate core malicious actions.

Conclusion:

BunnyLoader is an emerging and rapidly evolving MaaS threat with a growing list of sophisticated capabilities. Cybersecurity professionals should remain vigilant and utilize the technical details and indicators of compromise provided in this report to detect and defend against BunnyLoader attacks before they become pervasive in the threat landscape.

Exploiting this vulnerability can lead to a compromise of system integrity and allow malicious actors to gain unauthorised access to resources. This weakness becomes relevant when an attacker can manipulate the resource state between the check and use phases, particularly with shared resources like files, memory, or variables in multithreaded programs.

The specific issue arises from a TOCTOU race condition within the Take Control Agent’s BASupSrvcUpdater.exe. This occurs when logging multiple file deletion events, such as files named aaa.txt and bbb.txt, and performing delete actions within the “C:\ProgramData\GetSupportService_N-Central\PushUpdates” folder. In essence, while BASupSrvcUpdater.exe logs the deletion of aaa.txt, an attacker can swiftly replace bbb.txt with a symbolic link, redirecting the process to an arbitrary file on the system. This action unintentionally causes the process to delete files as NT AUTHORITY\SYSTEM, and even worse, it can be weaponised to gain an elevated Command Prompt by exploiting the Windows installer’s rollback functionality, potentially leading to code execution.

This arbitrary file deletion vulnerability can no longer be viewed as limited to denial-of-service attacks; it can serve as a means to achieve elevated code execution. By leveraging MSI’s rollback functionality, an attacker can introduce arbitrary files into the system. Essentially, what seems like a harmless process of logging and deleting events within an insecure folder can enable attackers to create pseudo-symlinks, deceiving privileged processes into executing actions on unintended files.

To detect and analyse this vulnerability, Microsoft’s Process Monitor (ProcMon) was employed. The insecure file operations conducted by NT AUTHORITY\SYSTEM processes were identified using ProcMon filters. The specific process under scrutiny was BASupSrvcUpdater.exe, associated with Take Control Agent version 7.0.41.1141.BASupSrvcUpdater.exe periodically attempts to access a non-existent folder under “C:\ProgramData\GetSupportService_N-Central\PushUpdates” as an NT AUTHORITY\SYSTEM process. To investigate further, a dummy file named aaa.txt was created within this PushUpdates folder. BASupSrvcUpdater.exe attempted to read the folder’s contents and carried out a deletion action, which was duly logged in the “C:\ProgramData\GetSupportService_N-Central\Logs\BASupSrvcUpdater_[DATE].log” file. This specific sequence of events creates a race condition, as an attacker can exploit the timeframe between the deletion and the logging.

To fully exploit this condition and achieve a complete system compromise, an attacker must replace a file in the PushUpdates folder with a pseudo-symlink. To prevent this attack, it is recommended for organisations using N-able to upgrade to version 7.0.43 to fix this vulnerability.

Cyber threat actors have been observed deploying unfamiliar malware and employing malicious tools to establish reverse shell connections for remote access. Researchers have attributed these activities to a Chinese group identified as UNC4841.

The initial CVE, numbered CVE-2023-2868, pertains to a remote code execution vulnerability. This vulnerability could potentially enable unauthorised execution of commands with administrative privileges on ESG products.

A successful exploit of this vulnerability allows threat actors to send TAR file attachments that, upon scanning, trigger a command injection. Notably, the vulnerability is present exclusively within the scanning process, and consequently, it is essential for emails to be received by the ESG in order for the vulnerability to be activated.

Vulnerable Versions:  

Barracuda ESG (appliance form factor only) versions 5.1.3.001- 9.2.0.006 

Detection Methods:

• Monitoring the network traffic for connections to the latest list of IOCs.
• Revoke and reissue credentials and certificates on the ESG.
• Review network logs for signs of data exfiltration or lateral movement.
• Review email logs.

At Socura, we are engaged in proactive threat hunting for both historical and emerging security threats. By employing recently disseminated Indicators of Compromise (IOCs), we are taking measures to verify that none of our clients are impacted by these threats.

Impacket stands as an open-source assortment of Python classes designed for managing network protocols. It finds utility in acquiring elevated credentials, extracting them, and executing remote codes to implement the Sphinx encryptor.

In conjunction with Impacket, Microsoft has integrated the Remcom hacking tool, which facilitates the remote execution of commands on other devices within the network.

Their actions as a group have been identified in the wild, where they utilised compromised Cisco VPN accounts to infiltrate networks and gain an initial presence. Initially, the group opted for VPN access through single factor authentication, as it presented the least resistance for breaches.

Mitigation & Prevention 

> Ensure that Cisco VPN and other Cisco solutions are patched and updated.

> Enable MFA on accounts.

> Monitor AD auth logs for 4624/4625 from a WIN machine in your user VPN range.

Samples were recompiled for even more architecture than in the first attack.

These are: Arm, Intel 80386, and x86-64 to MIPS, MIPS64, and i386)

Modus operandi for the group to deploy malware through reconnaissance servers that are communicating with the victim’s hosts.

The malware is initially used to install additional payloads and then further convert the compromised hosts into SOCKS5 proxies for C2.

IOCs:

207[.]246[.]80[.]240 

45[.]63[.]70[.]57 

107.189.11[.]105 

101.39.202[.]142   

155.138.213[.]169  

66.135.22[.]245 

Monitoring & Solutions: 

> SASE solution that uses VPN-based access to protect data 

> enable the latest cryptographic protocols for data in transit. 

> monitoring network activity for any malicious/unknown IPs.  

> geoblocking or blocklisting the IP IOC 

> regularly monitor, reboot and install security updates and patches

For more technical details, please read: https://blog.lumen.com/hiatusrat-takes-little-time-off-in-a-return-to-action/

In one of the recent incidents, threat actors were seen using the zero-day to drop web shell on a critical non-production environment of a NetScaler ADC appliance. This further enabled the attackers to perform discovery actions on the active directory, collect and exfiltrate data.

Researchers have discovered that the web shell enabled collection of NetScaler configuration files, decryption keys and AD information that was transmitted through PNG files.

However, a successful exploit requires the appliance to be configured as a Gateway or an authentication virtual server.

Vulnerable versions

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13  

NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13  

NetScaler ADC 13.1-FIPS before 13.1-37.159 

NetScaler ADC 12.1-FIPS before 12.1-55.297 

NetScaler ADC 12.1-NDcPP before 12.1-55.297 

NetScaler ADC and NetScaler Gateway version 12.1 (end of life and vulnerable)  

Mitigations

Customers are urged to install the relevant updated versions:

NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases

NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0

NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS

NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS

NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Since the first exploit in the wild, the community has gathered a handful of IOCs that we are checking against our customer’s environments. Additionally, here at Socura we are monitoring network & firewall activity and any indicators of intrusions, lateral movement, or exfiltration.

IPs:  

216.41.162.172

216.51.171.17 

Network and firewall checks:

Scans of the subnets sent by NetScaler for the protocols HTTP / HTTPS / SMB (Port 80 / 443 / 445)

Spikes in the queries from NetScaler regarding LDAP / LDAPS / DNS / AD (Port 389 / 636 / 53 / 88 / 135 / 137-138 / 464 / 3268-3269) protocols

In the event indicators of compromise are found on the estate, we recommend the following: 

Quarantine & take offline potential compromised hosts

Revoke all compromised SSL certificates and keys, replacing them with newly issued ones 

Re-image the hosts & provide new account credentials

 For more information on this advisory please read:

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Successful exploitation of the vulnerability may allow unauthorised remote threat actor to access users’ personal information and make limited changes to the server without the need of a password.

The Norwegian security authority confirmed that several ministries have been breached by attackers exploiting the zero-day. 

Vulnerable Versions

Version 11.4 release 11.10

Version 11.4 release 11.9

Version 11.4 release 11.8

Any older unsupported versions/releases

Mitigations

Patches have been released by Ivanti and customers are encouraged to install the patches as soon as possible. Patched versions are: 11.8.1.1, 11.9.1.1, and 11.10.0.2

For customers on earlier versions that are no longer supported, Ivanti is aiding remediation with a temporary fix; an RPM script.  The security advisory published by Ivanti is available only for users with an account.

For detecting whether they have been targeted, users can check the logs for the API v2 endpoint in Ivanti EPMM.

https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US

The affected versions include:

• ColdFusion 2023 (Update 2 and earlier versions)
• ColdFusion 2021 (Update 8 and earlier versions)
• ColdFusion 2018 (Update 18 and earlier versions)

Adobe has acknowledged that CVE-2023-38205 has been exploited in limited attacks targeting Adobe ColdFusion.

Additionally, the update also resolves two other flaws. One is a severe deserialisation bug (CVE-2023-38204, CVSS score: 9.8) that could lead to remote code execution. The other is another improper access control flaw (CVE-2023-38206, CVSS score: 5.3), which may also allow a security bypass.

This disclosure comes shortly after Rapid7 cautioned that the fix for CVE-2023-29298 was incomplete and could easily be bypassed by malicious actors. However, the new patch from Adobe has been confirmed to fully address the security issue.

CVE-2023-29298, an access control bypass vulnerability, has been utilised in real-world attacks by combining it with another suspected flaw, possibly CVE-2023-38203, to implant web shells on compromised systems for backdoor access.

Users of Adobe ColdFusion are strongly advised to update their installations to the latest version as a preventive measure against potential threats.

CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability

Several researchers reported the vulnerability being used in an active attack during the NATO Summit. Here, attackers used a deceptive Microsoft Word document that could allow remote code execution if successful. However, for this to be carried out, the user needs to be tricked into opening the malicious file or clicking on the link.

Patches: Currently there are none available now for this CVE, however, Microsoft has advised on several mitigations.

For clients with Microsoft Defender for Office, its recommended to use “Block all Office applications from creating child processes”. Additionally, attack surface reduction tool would protect from malicious attachments.

For users that are not using the above, its recommended to set the following registry key to avoid exploitation:  “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION”

Worth noting that our Palo Alto Networks customers that have Cortex XDR and XSIAM agents installed are receiving protection against post-exploit activities. The tools used are the multiple behavioural threat protection modules and the Cortex Analytics that detects suspicious activities.

Vulnerabilities patched:

CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability successful

SmartScreen filter flaw could allow threat actors to evade warning dialog prompts. Fortunately, this requires user interaction to click on the malicious link/file.

CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability

The vulnerability allows bypass of the Outlook Security Notice Prompt after an URL is clicked. Threat actors are likely to use some other exploit to allow code execution when the file/link is opened.

CVE-2023-36874 – Microsoft Outlook Security Feature Bypass Vulnerability

This elevation of privilege flaw in the Reporting Service, could allow an unauthorized user to gain administrator privileges. However, not all accounts could be used in this case. Attackers need to use a user account that has permission to create folders and perform tasks to elevate to admin.

CVE-2023-32046  – Windows MSHTML Platform Elevation of Privilege Vulnerability

Another elevation of privilege vulnerability in Windows MSHTML platform, could allow an attacker to gain the same rights as the user that is running the application.

For patches, please see the specific Microsoft advisory: https://msrc.microsoft.com/update-guide/vulnerability

For more information on this, please have a read on Palo Alto’s Unit42 blog: https://unit42.paloaltonetworks.com/cve-2023-36884-rce/

Deserialization of untrusted data may allow unauthenticated users to execute malicious code or commands.  For this vulnerability to be successfully exploited, specially crafted request are sent to the services running on TCP port 1050.  Therefore, detection requires network monitoring of unauthorised activity for TCP/1050.  

Due to the level of network access that can be achieved on compromised systems, the severity level given was 9.6. POCs were made available for the CVE

Vulnerable versions: 

• FortiNAC version 9.4.0 through 9.4.2 

• FortiNAC version 9.2.0 through 9.2.7 
• FortiNAC version 9.1.0 through 9.1.9 
• FortiNAC version 7.2.0 through 7.2.1 
• FortiNAC 8.8 all versions 
• FortiNAC 8.7 all versions 
• FortiNAC 8.6 all versions 
• FortiNAC 8.5 all versions, and 
• FortiNAC 8.3 all versions 

 Mitigations: 

Fortinet has made available patches for the vulnerable versions and are encouraging administrators to update to the mentioned versions.  Stable versions are: FortiNAC 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later.  

For the advisory, please read the below: https://www.fortiguard.com/psirt/FG-IR-23-074 

Details of the new CVE are yet to be released but can be tracked under CVE-2023-35036.

A reminder that the vulnerable versions are: MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). Additional vulnerabilities have been discovered in the MOVEit Transfer Web Application.

MOVEit Transfer customers should apply the new patch. Information on how to can be found here: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-Pending-Reserve-Status-June-9-2023

Meanwhile MOVEit Cloud user should have a read on the following Progress article https://community.progress.com/s/article/Status-June-2023-security-vulnerabilities-in-MOVEit-Cloud

The SQLi vulnerability tracked under CVE-2023-34362, could enable threat actors to elevate privileges, enumerate files and folders, read configuration information, download files, and create or delete MOVEit server user accounts.

According to researchers, there are a high number of MOVEit servers exposing HTTP/HTTPS traffic over ports 80 and 443. The attack chain starts with an SQL injection in the MOVEit Transfer web app and it evolves into Remote Code Execution.

During their investigations, it was observed that threat actors were utilising the zero-day vulnerability to drop crafted webshells onto servers, allowing them to perform a number of activities including credentials theft for configured Azure Blob Storage containers.

Mitigation guidance has been provided by Progress Software, and customers are strongly advised to follow it. The following actions should be taken:

• Disable all HTTP/HTTPS traffic to the MOVEit Transfer host.
• Review, delete and reset any unauthorized user accounts or files.
• Check the folder ‘C:\MOVEitTransfer\wwwroot\’ & ‘MOVEitDMZ\wwwroot’ for any unexpected files.
• Apply the relevant patches.

Patched Versions

MOVEit Transfer 2023.0.1

MOVEit Transfer 2022.1.5

MOVEit Transfer 2022.0.4

MOVEit Transfer 2021.1.4

MOVEit Transfer 2021.0.6

We at Socura are in process or running threat hunts for all of our customers, continuously monitoring network traffic and endpoint activity for IOCs and behaviours related to the vulnerability. Our XDR customers receive protections from and mitigations for CVE-2023-34362 in the following ways:

• Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the associated web shell.
• Advanced URL Filtering is being used to block known IOCs.
• A Cortex XSOAR response pack and playbook can automate the mitigation process.
• Cortex XDR and XSIAM agents help protect against post-exploitation activities described in the below blog using Behavioral Threat Protection, Anti-Webshell Protection and multiple additional security modules.
• Cortex Analytics has multiple detection models that help detect post-exploitation activities, with other relevant coverage by the Identity Analytics and ITDR modules.
• XQL queries provided in the blog can be used with Cortex XDR to help track attempts to exploit this CVE.

For more information, Unit 42 have released the following article:

https://unit42.paloaltonetworks.com/threat-brief-moveit-cve-2023-34362/

ZIP TLDs and Security Concerns:

Google’s introduction of ZIP TLDs, such as socura.zip, has sparked a debate within the cybersecurity community regarding potential security risks. While some experts downplay the concerns, one major issue is that these TLDs can turn any string ending with “.zip” into a clickable link, making it vulnerable to malware delivery and phishing attacks.

The Anatomy of the Phishing Kit:

The phishing kit used in this technique mimics popular file archiver software, such as WinRAR or Windows File Explorer, within a web browser. Mr.d0x, a security researcher, explains that this toolkit serves a dual purpose: stealing credentials and delivering malware.

Credential Theft:

When a user interacts with the fake WinRAR or Windows File Explorer window, clicking on a file, such as a PDF, may redirect them to a malicious page that prompts them to enter login credentials to view the file properly. This social engineering tactic tricks users into disclosing their credentials unwittingly.

Malware Delivery:

The phishing kit also employs the technique of disguising executable files as harmless documents. For instance, when a user clicks on a seemingly innocent PDF file displayed within the fake archive window, the browser downloads a file with a similar name but an .exe extension. Windows’ default setting of not displaying file extensions can lead users to unknowingly execute malware.

Exploiting Windows File Search:

Windows’ behaviour when searching for files becomes another delivery vector for these attacks. If a user searches for a ZIP domain that matches a common file name and the file does not exist locally, Windows automatically opens the corresponding site in the browser. Exploiting this feature, attackers can trick users into believing they are accessing a legitimate ZIP archive within WinRAR.

Implications and Recommendations:

The abuse of ZIP domains for phishing and malware delivery underscores the need for awareness and preventive measures. Organisations are advised to implement measures to block .zip and .mov domains, as these TLDs are currently being exploited by threat actors and are expected to see increased malicious usage.

Conclusion:

The emergence of the “file archiver in the browser” phishing technique highlights the evolving tactics employed by threat actors to deceive and exploit users. By leveraging ZIP domains, attackers can create convincing fake archive windows, posing risks of credential theft and malware delivery. Staying vigilant and implementing security measures are essential to mitigate these threats effectively.

GitLab is a web-based Git repository designed for developer teams who need to remotely manage their code. It boasts around 30 million registered users and one million paying customers.

The security vulnerability fixed in the latest update was discovered by a security researcher named ‘pwnie,’ who reported it through GitLab’s HackOne bug bounty program.

The issue affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0, while earlier versions remain unaffected.

The flaw stems from a path traversal problem that permits an unauthenticated attacker to access arbitrary files on the server when an attachment is present in a public project nested within at least five groups.

Exploiting CVE-2023-2825 could potentially expose sensitive data, including proprietary software code, user credentials, tokens, files, and other confidential information.

The nature of the vulnerability suggests that it relates to how GitLab handles or resolves paths for attached files nested within multiple levels of group hierarchy. However, due to the severity of the issue and its recent discovery, the vendor has not disclosed many details at this time.

Instead, GitLab emphasises the importance of promptly installing the latest security update.

“We strongly advise all installations running an affected version to upgrade to the latest version as soon as possible,” states GitLab’s security bulletin.

“When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”

One mitigating factor is that the vulnerability can only be triggered under specific conditions, namely the presence of an attachment in a public project nested within at least five groups. This is not the structure followed in all GitLab projects.

Nevertheless, it is recommended that all users of GitLab 16.0.0 update to version 16.0.1 as soon as possible to mitigate the associated risk. Unfortunately, there are no available workarounds at this time.

To update your GitLab installation, follow the instructions on the project’s update page. For GitLab Runner updates, check out this guide.

KeePass is a widely used open-source password manager that allows users to manage their passwords through a locally stored database, as opposed to cloud-hosted alternatives like LastPass or Bitwarden.

To ensure the security of these local databases, users can encrypt them using a master password, preventing unauthorized access and potential theft of stored passwords.

The newly identified vulnerability, known as CVE-2023-24055, grants threat actors with write access to a target’s system the ability to modify the KeePass XML configuration file and insert a malicious trigger. This trigger facilitates the export of the database, including all usernames and passwords, in clear text.

When the target launches KeePass and enters the master password to open and decrypt the database, the export rule is triggered. Consequently, the database’s contents are saved to a file, which the attackers can later retrieve on a system under their control.

Alarmingly, this export process occurs silently in the background without user notification or KeePass requesting confirmation of the master password before exporting. Consequently, threat actors can discreetly gain access to all stored passwords.

Upon reporting and assignment of the CVE-ID, users urged the KeePass development team to incorporate a confirmation prompt before silent database exports, such as those triggered by a maliciously modified configuration file. Another request involved adding a configurable flag to disable exporting within the KeePass database itself, which would only be alterable with knowledge of the master password.

Since the assignment of CVE-2023-24055, a proof-of-concept exploit has been shared online, potentially facilitating the enhancement of information stealers by malware developers who can now dump and pilfer the contents of compromised KeePass databases.

Although the Dutch and Belgian CERT teams have issued security advisories concerning CVE-2023-24055, the KeePass development team disputes its classification as a vulnerability. Their argument stems from the fact that attackers with write access to a target’s device can obtain information from the KeePass database through alternative methods.

In fact, the KeePass Help Center’s “Security Issues” page has described the “Write Access to Configuration File” problem as “not really a security vulnerability of KeePass” since at least April 2019.

When users install KeePass as a regular program and attackers possess write access, various types of attacks can be executed. Threat actors can also replace the KeePass executable with malware if users run the portable version.

The KeePass developers explain that having write access to the KeePass configuration file allows attackers to perform more potent attacks than merely modifying the file, which can ultimately impact KeePass regardless of configuration file protection. To prevent such attacks, it is crucial to maintain a secure environment through measures like using antivirus software, firewalls, and avoiding opening unknown email attachments. KeePass cannot operate securely in an insecure environment.

Despite the KeePass developers’ decision not to provide an app version addressing the cleartext export via triggers issue, users can still secure their databases by logging in as a system admin and creating an enforced configuration file.

This type of configuration file takes precedence over settings described in global and local configuration files, including new triggers introduced by malicious actors. Consequently, it mitigates the CVE-2023-24055 issue.

Before utilizing an enforced configuration file, it is essential to ensure that regular system users lack write access to any files or folders in KeePass’ application directory.

It is worth noting that attackers can circumvent enforced configurations by launching a KeePass executable from a different folder than the one where the enforced configuration file was saved.

The KeePass development team emphasizes that an enforced configuration file only applies to the KeePass program within the same directory.

Believed to be used for over 2 decades  (2003), Snake infrastructure has been recorded in over 50 countries and used for the collection of sensitive intelligence from high-priority targets.

As clued by it’s name, Snake is highly covert,  achieves a rare level of stealthiness when infecting hosts and remains low profile long term. It’s internal technical architecture allows for easy incorporation while also facilitating further development and interoperability. Furthering it’s stealth capabilities, open source intelligence reporting its behaviours and indicators has led the FSB to develop new methods to avoid detection. This has resulted in the malware becoming near undetectable, with polymorphic attributes.

FSB deploys Snake to external-facing infrastructure nodes and uses several TTPs on the internal network to conduct exploiting operations. Following, they enumerate the network and obtain administrator credentials and ultimately access to domain controllers. From here on, the group deploys a wide array of mechanisms to maintain persistence and move laterally.

The identification of Snake partly lies on its operators making mistakes – CISA outline that the FSB can be seen rushing development and neglecting to use the tool as intended – allowing the discovery of multiple artefacts within its functions.

Mitigation

To detect Snake,  Network and Host based detection methods are detailed for the following:

>Inspecting HTTP/TCP traffic

>Covert Store Detection

>On-Disk Artifact Detection

>Memory analysis

CISA advise should Snake signatures be found, incident response plans should be actioned immediately, with implementation of the following Cross-Sector CyberSecurity Performance Goals (CPGs):

CPG 2.A: Changing Default Passwords

CPG 2.B: Requiring Minimum Password Strength

CPG 2.C: Requiring Unique Credentials

through password spraying or brute force.

CPG 2.E Separating User and Privileged Accounts

CPG 2.F. Network Segmentation

CPG 2.H Implementing Phishing Resistant MFA

CPG 4.C. Deploy Security.txt Files

For further information on the above, please see CISA’s Joint Security Advisory report and have a read on the following articles:

https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware.pdf

https://www.ncsc.gov.uk/news/uk-and-allies-expose-snake-malware-threat-from-russian-cyber-actors

https://therecord.media/turla-snake-russia-malware-takedown-fbi-doj

The security vulnerabilities are as follows:

CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX-21 Command Injection Vulnerability

CVE-2021-45046 (CVSS score: 9.0) – Apache Log4j2 Deserialization of Untrusted Data Vulnerability

CVE-2023-21839 (CVSS score: 7.5) – Oracle WebLogic Server Unspecified Vulnerability

CVE-2023-1389 concerns a case of command injection affecting TP-Link Archer AX-21 routers that could be exploited to achieve remote code execution. According to Trend Micro’s Zero Day Initiative, the vulnerability has been put to use by threat actors associated with the Mirai botnet since April 11, 2023.

The second vulnerability to be added to the KEV catalog is CVE-2021-45046, a remote code execution affecting the Apache Log4j2 logging library that came to light in December 2021. It’s currently not clear how this specific vulnerability is being abused in the wild, although data gathered by GreyNoise shows evidence of exploitation attempts from as many as 74 unique IP addresses over the past 30 days. This, however, also includes CVE-2021-44228 (aka Log4Shell).

Completing the list is a high-severity vulnerability in Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 that could allow unauthorised access to sensitive data. It was patched by the company as part of updates released in January 2023. “Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server,” CISA said.

While there exists proof-of-concept (PoC) exploits for the vulnerability, there do not appear to be any public reports of malicious exploitation.

Federal Civilian Executive Branch (FCEB) agencies are required to apply vendor-provided fixes by May 22, 2023, to secure their networks against these active threats.

The advisory also comes a little over a month after VulnCheck revealed that nearly four dozen security vulnerabilities that have likely been weaponised in the wild in 2022 are missing from the KEV catalog.

Of the 42 vulnerabilities, an overwhelming majority are related to exploitation by Mirai-like botnets (27), followed by ransomware gangs (6) and other threat actors (9).

SPL is a discovery protocol that allows devices to find services present in the local area network. It is noted that there are over 54000 SLP instances currently accessible over the internet.

For a successful exploit, threat actors are looking for any SLP server public facing that have the UDP port 427 open. Further, they begin registering services until SLP is unable to accept more entries and begins denying them. Focus is then turned on repeatedly spoofing a service request from the victim’s IP address in order to overwhelm the service.

Mitigation

To mitigate this threat, users are recommended to disable SLP on systems that are directly connected to the internet. A follow up to this can be that the traffic on UDP and TCP port 427 to be filtered.

Vulnerable versions are found in all SLP implementations that have been tested. This was detected in more than 670 different product types, including VMware ESXi Hypervisor. On that note, Vmware released a statement that states that that the current ESXi release ( ESXi 7.x and 8.x ) are not impacted by this vulnerability. However, previous versions are and they are urging the users to upgrade or take the appropriate actions.

More on the ESXi vulnerable versions to this SLP CVE can be found below:

https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html

The company has received reports from Trend Micro regarding two high and critical severity vulnerabilities affecting PaperCut MF/NG. The first vulnerability impacts all versions of the software, while the second vulnerability impacts versions 15.0 or later for application servers. PaperCut has updated its security bulletin to warn users that the vulnerabilities are now being actively exploited by hackers, particularly the first vulnerability.

PaperCut recommends that impacted versions be upgraded to PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 or later. However, versions older than 19 are no longer supported and will not receive security updates. To mitigate the second vulnerability, users can apply “Allow list” restrictions under “Options > Advanced > Security > Allowed site server IP addresses” and only allow the IP addresses of verified Site Servers on their network.

PaperCut advises administrators to look for suspicious activity in Logs > Application Log, within the PaperCut admin interface, and to watch for updates from a user called [setup wizard], new (suspicious) users being created, or other configuration keys being tampered with. If administrators suspect their servers have been compromised, PaperCut recommends taking backups, wiping the Application Server, and rebuilding everything from a safe backup point.

In conclusion, PaperCut users should update their software as soon as possible to avoid falling prey to hackers who are exploiting these vulnerabilities.

The CLFS security vulnerability was reported to Microsoft by Boris Larin of Kaspersky, Genwei Jiang of Mandiant, and Quan Jin of DBAPPSecurity’s WeBin Lab. It affects all supported Windows server and client versions and can be exploited by local attackers in low-complexity attacks without user interaction. Successful exploitation enables threat actors to gain SYSTEM privileges and fully compromise targeted Windows systems.

Security researchers from Kaspersky’s Global Research and Analysis Team (GReAT) also recently spotted the CVE-2023-28252 vulnerability while being exploited in Nokoyawa ransomware attacks. The Nokoyawa ransomware gang has used at least five more CLFS exploits to target multiple industry verticals, including but not limited to retail and wholesale, energy, manufacturing, healthcare, and software development. Nokoyawa ransomware surfaced in February 2022 as a strain capable of targeting 64-bit Windows-based systems in double extortion attacks, where the threat actors also steal sensitive files from compromised networks and threaten to leak them online unless a ransom is paid.

In light of its ongoing exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems against it by May 2nd. Redmond has patched at least 32 local privilege escalation vulnerabilities in the Windows CLFS driver since 2018, with three of them (CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376) also exploited in the wild as zero-days, according to Kaspersky.

“Over the last two years, attackers appear to have found success targeting CLFS in order to elevate privileges as part of post-compromise activity,” said Satnam Narang, senior staff research engineer at Tenable. Dustin Childs, head of threat awareness at Trend Micro Inc.’s Zero Day Initiative, has posited that the February fix might have been insufficient and that attackers may have found a method to bypass that fix – though there’s not enough information available to confirm this.

Lead security researcher Boris Larin warned that cybercrime groups are becoming increasingly sophisticated, using zero-day exploits in their attacks. “Previously it was primarily a tool of Advanced Persistent Threat actors (APTs), but now cybercriminals have the resources to acquire zero-days and routinely use them in attacks,” he said.

HP announced that it could take up to 90 days to fix the Critical vulnerability in the firmware of certain enterprise-grade printers, which was disclosed in a recent security bulletin.

The exploitation of this flaw could potentially lead to information disclosure, although exploiting it is quite restrictive, as vulnerable devices must run FutureSmart firmware version 5.6 and have IPsec enabled.

HP recommends that users downgrade their firmware version to FS 5.5.0.3, and it is expected to release an updated firmware package to address this issue within 90 days.

The following printer model are affected by CVE-2023-1707:

• HP Color LaserJet Enterprise M455
• HP Color LaserJet Enterprise MFP M480
• HP Color LaserJet Managed E45028
• HP Color LaserJet Managed MFP E47528
• HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
• HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
• HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
• HP LaserJet Enterprise M406
• HP LaserJet Enterprise M407
• HP LaserJet Enterprise MFP M430
• HP LaserJet Enterprise MFP M431
• HP LaserJet Managed E40040
• HP LaserJet Managed MFP E42540
• HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
• HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
• HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70, HP LaserJet Managed E82650/60/70

A HP spokesperson gave the following comment to BleepingComputer:

“The exposure period to this potential vulnerability was very small (mid-February 2023 until end of March 2023) and only existed on a specific version of firmware (FutureSmart version 5). Customers can no longer download the version of firmware that had this potential vulnerability.

During this short period, if a customer was using IPsec, the scan job data being sent from the Printer (e.g., scan-to email or scan-to SharePoint) could have potentially been disclosed. Data was only potentially exposed if users were scanning a job and sending it to a remote location (such as email, SharePoint, etc.). Credentials could have been potentially exposed if they were not protected by TLS or other underlying encryption mechanisms.

This issue was discovered by HP during our own testing and acted upon immediately. HP is not aware of any active exploits.“

This supply chain attack starts when the MSI installer is downloaded from 3CX’s website or an update is pushed to an already installed desktop application.

When the MSI or update is installed, it will extract malicious ffmpeg.dll and the d3dcompiler_47.dll DLL files, which are used to perform the next stage of the attack.

Security vendors believe that while the 3CXDesktopApp.exe executable is not malicious, the ffmpeg.dll DLL is and will be sideloaded and used to extract and decrypt an encrypted payload from d3dcompiler_47.dll.

The decrypted shellcode from d3dcompiler_47.dll will be executed to download icon files hosted on GitHub repository – raw.githubusercontent[.]com/IconStorages

Example Icon file:

http[:]//raw.githubusercontent[.]com/IconStorages/images/main/icon13[.]ico

The GitHub repository where these icons are stored shows that the first icon was uploaded on December 7th, 2022. The repository has now been taken offline.

The final piece of malware that is delivered to the compromised machine is capable of harvesting system information and stealing data such as stored credentials from Web Browser user profiles.

Researchers say that the trojanized version of 3CX’s desktop client will connect to one of the following attacker-controlled domains:

In a forum post on Thursday, 3CX CEO Nick Galea acknowledged that the 3CX Desktop application was compromised with malware. Consequently, Galea advised all customers to uninstall the desktop app and instead use the PWA client.

“As many of you have noticed the 3CX DesktopApp has a malware in it. It affects the Windows Electron client for customers running update 7. It was reported to us yesterday night and we are working on an update to the DesktopApp which we will release in the coming hours”

“The best way to go about this is to uninstall the app (if you are running Windows Defender, its going to do this automatically for you unfortunately) and then install it again.”

“We are going to analyze and issue a full report later on today. Right now we are just focusing on the update.”

According to a blog post by 3CX CISO Pierre Jourdan, the company’s desktop applications were compromised because of an upstream library.

“The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT” “We’re still researching the matter to be able to provide a more in depth response later today. Here’s some information on what we’ve done so far.”

3CX has not yet disclosed the specific library in question and whether it resulted in the compromise of their developer environment.

SHA256 hash values for msi, dmg and DLL files:

dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc – 3cxdesktopapp-18.12.407.msi

fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 – 3cxdesktopapp-18.12.416.msi

92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 – 3CXDesktopApp-18.11.1213.dmg

b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb – 3CXDesktopApp-18.11.1213.dmg

With the newly obtained credentials, the threat actor can elevate privileges and execute code remotely on vulnerable hosts. 

Conditions required for the vulnerability to be exploited:

• Unsupported deployment (V10 or earlier) or unpatched V11/V12
• Veeam.Backup.Service.exe listening on port TCP/9401 (default)

Vulnerable Versions:

It is noted that the vulnerability is affecting all Veeam Backup & Replication and Veeam Backup & Replication Community Edition  

• All builds of V12 prior to build 12.0.0.1420 P20230223 
• All builds of V11 prior to build 11.0.1.1261 P20230227

 Mitigation Actions:

Admins are urged to upgrade from earlier versions to the following builds: 

• 12 (build 12.0.0.1420 P20230223)
• 11a (build 11.0.1.1261 P20230227)

The patch must be installed on the server. Veeam confirms that all new deployments (version 12 and 11a) installed using the ISO images dated 20230223 (V12) and 20230227 (V11a) or later are not vulnerable.  

For businesses that are using an all-in-one Veeam appliance with no remote backup infrastructure components, Veeam suggest blocking external connections to TCP port 9401 on the backup server firewall. It should be noted that this is a temporary remediation until patching installation.   

Detection guidance:

According to technical articles, the exploit targets the API functionality that can be detected by analysing suspicious API calls that require logging level 7 or higher to be set in the registry key: HKLM\Software\Veeam\Veeam Backup and Replication.

For more information about Veeam security advisory, POC or technical detailed articles see: 

https://www.veeam.com/kb4424 

https://github.com/horizon3ai/CVE-2023-27532  

https://www.horizon3.ai/veeam-backup-and-replication-cve-2023-27532-deep-dive/  

Patch Information: 

https://www.veeam.com/kb4245?ad=in-text-link 

https://www.veeam.com/kb4420?ad=in-text-link 

The serious vulnerability in Microsoft Outlook impacts the 32 and 64-bit editions of Microsoft 365 Apps for Enterprise, in addition to Office 2013, 2016, and 2019 (as well as LTSC).

The attack is initiated through a malicious email with extended MAPI properties that induces the victim’s system to connect to an SMB share (TCP 445) under the attackers control. This process reveals the Net-NTLMv2 hash (which is used for authentication in Windows environments) to the attacker. The Net-NTLMv2 hash is then relayed to another service and used to authenticate as the victim.

Microsoft is urging its customers to take immediate action by either patching their systems against CVE-2023-23397 or adding users to the ‘Protected Users’ group in Active Directory, while also blocking outbound SMB (TCP port 445) as a temporary mitigation to minimise the impact of the attacks.

Additionally, Microsoft has released a PowerShell script to assist administrators in identifying whether any users in their Exchange environment have been targeted using this Outlook vulnerability. This script checks messaging items (such as mail, calendar, and tasks) to identify whether a property is populated with a UNC path.

If required, administrators can utilise this script to remove the property for malicious items, or even delete them permanently. The script can also modify or delete potentially malicious messages if they are found on the audited Exchange Server while running in Cleanup mode.

The Vulnerability, tracked under CVE-2023-20011, is impacting the management interface of Cisco Application Policy Infrastructure Controller (APIC). Successful exploitation could facilitate an attacker to conduct cross-site request forgery attacks (CSRF).

Following the attack, threat actors could conduct various activities using the compromised user’s account privileges. If the affected user has administrative privileges or access to sensitive resources, the malicious actors could modify system configuration and create new privileged accounts.

This vulnerability affects Cisco APIC and Cisco Cloud Network Controller.

Affected Versions:

• Cisco APIC version 4.2(6) and later
• Cisco APIC version 5.0
• Cisco APIC version 5.1
• Cisco Cloud Network Controller Release version 4.2(6) and later
• Cisco Cloud Network Controller Release version 5.0
• Cisco Cloud Network Controller Release version 5.1
• Cisco Cloud Network Controller Release version 5.2
• Cisco Cloud Network Controller Release version 25.0
• Cisco Cloud Network Controller Release version 25.1

Mitigations:

Cisco urges administrators to migrate to a fixed release if they are running on any vulnerable versions noted in the above list.

For more information on the Cisco advisory, please see the below:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-csrfv-DMx6KSwV

FortiNAC – CVE-2022-39952

FortiNAC is a network access control solution that offers network visibility, enforce security policies, and mitigate threats. External file name or path input control issues found in the webserver of FortiNAC can possibly allow threat actors to perform arbitrary write on the system.

Affected Versions

• FortiNAC version 9.4.0
• FortiNAC version 9.2.0 through 9.2.5
• FortiNAC version 9.1.0 through 9.1.7
• FortiNAC 8.8 all versions
• FortiNAC 8.7 all versions
• FortiNAC 8.6 all versions
• FortiNAC 8.5 all versions
• FortiNAC 8.3 all versions

Mitigations: Admins using FortiNAC are encouraged to upgrade to FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later.

FortiWeb – CVE-2021-42756

FortiWeb is a web application firewall solution designed to protect web apps and API from various types of threats. Researchers indicate a multiple stack buffer overflow vulnerability in FortiWeb’s proxy daemon. Special malicious HTTP requests could allow unauthenticated remote attackers to achieve arbitrary code execution.

Affected Versions

• FortiWeb versions 5.x all versions
• FortiWeb versions 6.0.7 and below
• FortiWeb versions 6.1.2 and below
• FortiWeb versions 6.2.6 and below
• FortiWeb versions 6.3.16 and below
• FortiWeb versions 6.4 all versions

Mitigations : Admins are urged to upgrade to FortiWeb 7.0.0 or later, 6.3.17 or later, 6.2.7 or later, 6.1.3 or later, and 6.0.8 or later.

For more information, please have a read on the below:

https://www.fortiguard.com/psirt/FG-IR-22-300

https://www.fortiguard.com/psirt/FG-IR-21-186

For a more technical review of the CVE-2022-39952, Horizon3 has published a proof-of-concept that can be found here:

https://github.com/horizon3ai/CVE-2022-39952

https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/

OpenSLL is a widely used software library for applications that contains implementation of the SSL and TLS protocols.   

The vulnerability is a confusion vulnerability relating to X.400 address processing inside the X.509 GeneralName. Due to a public structure definition, the OpenSSL function GENERAL_NAME_cmp is interpreted as an ASN1_TYPE rather than ASN1_STRING.

Threat actors that are successfully exploiting the vulnerability are able to pass arbitrary pointers to a memcmp call. This allows them to read memory contents or enact denial of service. The attack, however, requires attackers to provide the certificate chain and CRL, both having valid signatures.  

Versions  

• OpenSSL versions 3.0
• OpenSSL versions 1.1.1
• OpenSSL versions  1.0.2

Mitigations   

Users are urged to upgrade to OpenSSL based on the versions that they are currently running: 

• Users running 3.0 should upgrade to 3.0.8 
• Users running 1.1.1 should upgrade to 1.1.1t 
• Users running 1.0.2 should upgrade to 1.0.2zg 

OpenSSL Security Advisory:

https://www.openssl.org/news/secadv/20230207.txt 

Researchers are still currently investigating the initial vector of the ransomware attacks. It was initially believed that devices were breached by the threat actors exploiting old VMware SLP vulnerabilities. However, several victims reported being breached while having SLP disabled. Interestingly, some reported compromised servers were running SNMP with public access.

One theory is that the python backdoor discovered in 2021 (vmtools.py) has infected the host and remained dormant until this point in time. Juniper Networks researchers believe that the CVE-2019-5544 and CVE-2020-3992 vulnerabilities facilitated threat actors to use the backdoor vmtools.py. The file was seen maintaining persistence by adding code lines inside to local.sh which is able to survive reboots and is executed at start-up. The script vmtools.py launches a reverse shell to the host and port of choice that allows threat actors to remote into the compromised host.

Another link was made with the leaked source code of Babuk ransomware (2021), whose encryption cipher (Sosemanuk) is used in both events. However, the code structures are slightly different. It is currently unclear if this is a new variant of older ESXi ransomware campaigns or just sharing the codebase with Babuk.

Threat actors may be continuously leveraging known ESXi vulnerabilities that have been disclosed in the past few years. Therefore, it is crucial that the users are upgrading to the latest versions available.

At this point in time, the situation remains fluid as threat actors and the security community alike are updating their scripts to encode or help decode files hosted on ESXi servers.

Recommendations

Adding to our list of mitigations that were released last week.

• Review hosts that are running SNMP with public access.

Regarding the python backdoor the users should take the following actions:

• Check the contents of local.sh ( /etc/rc.local.d/local.sh) has additional lines of code added to it.
• Check for the existence of the scripts “vmtools.py” and “endpoints.conf” (/etc/vmware/rhttpproxy/endpoints.conf). Additional checks can be ran for any suspicious or some other difficult to catch names.
• Check the changes present in all modified persistent system files that survive reboots.
• Review the HTTP proxy configurations to ensure that no malicious connections are present on the hosts.

Indicators of Compromise

encrypt (Linux 64-bit ELF) – 11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66

encrypt.sh (Shell script; believed to be the original file) – 10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459

encrypt.sh (Shell script) – 5a9448964178a7ad3e8ac509c06762e418280c864c1d3c2c4230422df2c66722

encrypt.sh (Shell script)- 87961344f13a452fb4aa46dd22a9aa31c5d411b1d8d37bac7a36f94a5be9fb0d

For more detailed analysis, see the below resources:

https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/

https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers

https://censys.io/esxwhy-a-look-at-esxiargs-ransomware/

A vulnerability for this hypervisor was patched in February 2021 and is tracked under CVE-2021-21974. Threat actors were exploiting a heap-overflow vulnerability, that allowed them to remotely exploit arbitrary code. VMware researchers are indicating that the new ransomware attacks are exploiting this vulnerability.

The primary target for this vulnerability are ESXi servers running versions before 7.0 U3i. Threat actors are using the OpenSLP port 427. It was observed that both TCP and UDP 427 are vulnerable. The ransomware was observed encrypting files with the .vmxf,.vmx,.vmdk,.vmsd, and.nvram extensions and creating a.args file with metadata for each encrypted document.

Vulnerable versions

– ESXi versions 7.x prior to ESXi70U1c-17325551

– ESXi versions 6.7.x prior to ESXi670-202102401-SG

– ESXi versions 6.5.x prior to ESXi650-202102101-SG

Mitigations

VMware is recommending the workaround of disabling the SLP service on ESXi hypervisors that have not yet been updated, and allow access to only trusted IPs. Moreover, users are urged to upgrade to the latest versions. A system full scan is also recommended to ensure that there are no signs of compromise, in the eventuality that the threat actors might’ve already exploited the vulnerability.

In addition, ensure that data is backed up and that only necessary services are active and filtered with ACL. Research indicates that clients using VMware Private Cloud are not impacted by this, as the SSL gateway is blocking external access to port 427. Additionally, for public cloud users, no risk has been identified.

Community based IOCs

• 104[.]152[.]52[.]55

• 43[.]130[.]10[.]173

• 104[.]152[.]52[.]0/24

• 61[.]177[.]173[.]27

For more information on the current attacks, advisory and workarounds, have a read below:

https://kb.vmware.com/s/article/76372

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/

Threat actors might achieve success by cross-site request forgery on the ubiquitous SCM service Kudu. By successfully exploiting the vulnerability, malicious actors can take complete control, and deploy malicious ZIP files loaded with a payload to the user’s Azure applications.  

The exploit is considered to be high severity. This is due to the level of control that Kudu has and the impact which enables data exfiltration and lateral movement thorough the client’s Azure services. Kudu is described by threat researchers as the engine that lies behind a number of Azure App Services, supporting the deployment and code management.   

In an attack scenario, the adversary would exploit the cross-site request forgery (CSRF) vulnerability in Kudu SCM panel, by issuing a crafted request to “/api/zipdeploy”. This would deliver the malicious archive, and ultimately gain remote access. The ZIP file is encoded in the body of the HTTP request, and it redirects the user to a malicious domain that hosts malware.  

Services affected

• Azure API Management 
• Azure Functions
• Azure Machine Learning
• Azure Digital Twins

Microsoft confirmed that the issues have been addressed and that there is no need for any actions. 

References and further reading:

https://orca.security/resources/blog/ssrf-vulnerabilities-in-four-azure-services/ 

https://ermetic.com/blog/azure/emojideploy-smile-your-azure-web-service-just-got-rced/ 

A recent Chinese-controlled campaign, tracked by Mandiant, has been exploiting this vulnerability as a zero-day and targeting a European government entity for cyber-espionage.

In December 2022, Fortinet urged users to upgrade to the patched versions, but did not disclose information about the vulnerability being exploited in the wild. To mitigate the risk, Fortinet recommends ensuring the latest versions are in use or disabling SSL-VPN.

Researchers have also identified the usage of a sophisticated Linux-based backdoor, BOLDMOVE, specifically designed to run on FortiGate firewalls, which uses the exploitation of this vulnerability, designated as CVE-2022-42475, for unauthenticated remote code execution.

Affected versions (see references for full outline and patches):

• Windows 8.1 through to 11
• Windows RT 8.1
• Windows Server 2012 through to 2022

As part of patch Tuesday, Microsoft has addressed this CVE as well as 93 other vulnerabilities with new security updates for affected operating systems. It is advised updates are applied immediately, with NIST mandating US companies apply patches by the 31st of January – a 3 week period, demonstrating the severity of the vulnerability.

References and further reading:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21674

https://nvd.nist.gov/vuln/detail/CVE-2023-21674

https://www.oreilly.com/library/view/windows-internals-fifth/9780735625303/ch03s06.html

Recently, Unit 42 discovered a vulnerability in the JSON Web Token which is mainly used for authorisation and authentication purposes as it allows you to verify and sign JWTs. The vulnerability was given the severity CVSS 7.6. If an attacker successfully exploits the vulnerability, they could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token request. JWT is an open standard that defines a method of transferring information securely by encoding and signing JSON data. Their structure consists of a string separated in three parts: header, payload and signature. The header indicates the type of token and the signing algorithm. The payload contains the claims and the signature is the secret key used to verify that the token isn’t forged.

The vulnerability lies in the “verify” method of the package that receives the parameters: token, secretOrPublicKey and options. This function verifies the validity of the JWT and returns the decoded payload part. Rather than bypassing the authentication mechanisms, the vulnerability allows the threat actor to gain control over the secretOrPublicKey parameter of the jaw.verify function. Vulnerable versions The vulnerable JsonWebToken packages are versions 8.5.1 or earlier. Mitigations Users that are using JWT, are advised to update to the package version 9.0.0, in which the vulnerability is patched.

More information about the vulnerability and the fix can be found at the here

This vulnerability, which has a CVSS score of 8.6, could potentially allow an attacker with access to the web GUI to execute unauthorised code or commands through specifically crafted HTTP requests. The vulnerability was discovered internally and reported by Gwendal Guégniaud of the Fortinet Product Security team.

The vulnerabilities affects the following versions of FortiADC:

FortiADC version 7.0.0 through 7.0.2
FortiADC version 6.2.0 through 6.2.3
FortiADC version 6.1.0 through 6.1.6
FortiADC version 6.0.0 through 6.0.4
FortiADC version 5.4.0 through 5.4.5

Fortinet has also addressed several high-severity command injection vulnerabilities in FortiTester, known as CVE-2022-35845, which has a CVSS score of 7.6 and could allow an authenticated attacker to execute arbitrary commands in the underlying shell.

The vulnerabilities affect the following versions of FortiTester:

FortiTester version 7.1.0
FortiTester version 7.0 all versions
FortiTester version 4.0.0 through 4.2.0
FortiTester version 2.3.0 through 3.9.1

The vulnerabilities were internally discovered and reported by Wilfried Djettchou of the Fortinet Product Security team. Fortinet has not reported any active exploitation of these vulnerabilities.

Recommended actions: (FortiADC)

Please upgrade to FortiADC 7.0.2 or above
Please upgrade to FortiADC 6.2.4 or above
Please upgrade to upcoming FortiADC 5.4.6 or above

Recommended actions: (FortiTester)

Please upgrade to FortiTester version 7.2.0 or above
Please upgrade to FortiTester version 7.1.1 or above
Please upgrade to FortiTester version 4.2.1 or above
Please upgrade to FortiTester version 3.9.2 or above

The vulnerability, which impacts the SPNEGO Extended Negotiation (NEGOEX) security mechanism, allows a client and server to negotiate the choice of security mechanism to use. It has the potential to be wormable and can be exploited to achieve remote code execution.

The vulnerability could allow attackers to remotely execute arbitrary code by accessing the NEGOEX protocol via any Windows application protocol that authenticates, such as Server Message Block (SMB) or Remote Desktop Protocol (RDP). It may also exist wherever SPNEGO is in use, including in Simple Message Transport Protocol (SMTP) and Hyper Text Transfer Protocol (HTTP) when SPNEGO authentication negotiation is enabled, such as for use with Kerberos or Net-NTLM authentication.

Mitigations:

Microsoft addressed the vulnerability with the release of Patch Tuesday security updates for September 2022.

• Review what services, such as SMB and RDP, are exposed to the internet.
• Continuous monitoring of your attack surface, including Microsoft IIS HTTP web servers that have Windows Authentication enabled.
• Limit Windows authentication providers to Kerberos or Net-NTLM and remove “Negotiate” as a default provider if the patch cannot be applied.

Google Chrome is one of the most widely used web browsers, and like all software, it is subject to potential vulnerabilities. In recent months, several vulnerabilities have been discovered in Chrome that could potentially be exploited by attackers.

Google is keeping the vulnerability details hidden, giving most users the chance to patch before releasing a writeup.

By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process. This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges.

Attackers with high privileges can abuse it in low-complexity attacks that require no user interaction to alter UEFI Secure Boot settings by modifying the BootOrderSecureBootDisable NVRAM variable to disable Secure Boot.

The three vulnerabilities in question are:

CVE-2022-27510: The vulnerability is classified as high as a threat actor could bypass authentication using an alternate path or channel. This is exploitable only if the appliance is configured as a gateway.

CVE-2022-27513: Insufficient verification of data authenticity could allow remote desktop takeover via phishing. This is exploitable only if the appliance is configured as a gateway and the RDP proxy functionality is configured.

CVE-2022-27516: Failing to protect the login brute force mechanism would allow an attacker to bypass it. Similar to the vulnerabilities mentioned above, the appliance is configured as gateway or AAA virtual server, configured with “max login attempts”.

The above flaws impact the following product versions:

* Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47

* Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12

* Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21

* Citrix ADC 12.1-FIPS before 12.1-55.289

* Citrix ADC 12.1-NDcPP before 12.1-55.289

Mitigation Actions:

Users that are managing any of these products themselves are advised to upgrade to the latest available version as soon as possible.

Users who rely on Citrix for cloud-based services do not need to take any action, as patches have already been applied.

For more information on the vulnerabilities and Citrix’s advisory, read more here.

CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE), while CVE-2022-3786 can be exploited by attackers via malicious email addresses to trigger a denial of service state via a buffer overflow.

OpenSSL also provides mitigation measures requiring admins operating TLS servers to disable TLS client authentication until the patches are applied.

Vulnerable Version:

• OpenSSL 3.0.x

Mitigations:

• Affected users are encouraged to upgrade to version 3.0.7.

CVE-2022-26500, CVE-2022-26501

• Remote Code Execution vulnerability in Veeam Distribution Service
• The Veeam distribution service, which uses TCP 9380 with default settings, allows threat actors who are not authenticated to access internal API functions.
• This component allows threat actors to execute malicious code remotely without authentication.

CVE-2022-26504

• Remote Code Execution vulnerability in Veeam Backup PSManager
• The Veeam process.Backup.PSManager.exe using TCP 8732 with default settings, allows threat actors that are not administrators to authenticate using domain credentials.
• This vulnerability allows domain attackers to execute malicious code remotely by attacking vulnerable components leading to gaining control of the system.

Affected versions:

Veeam Backup & Replication 9.5U3, 9.5U4,10.x and 11.x

Mitigations

Veeam has already released patches for these vulnerability in the version 11.0.1.1261 P20220302. Users are encouraged to update the software to the latest version. 

For more information on the advisory, read more here: https://cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication/

IoCs:

Hashes: 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732

Df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54

78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d

Names: 

Veeamp.exe

vp.exe

9aa1.exe

o_vp.exe

This is of great concern due to the Apache Commons Text library being used very broadly. Apache Commons Text is a Java library described as “a library focused on algorithms working on strings”. We can see it as a general-purpose text manipulation toolkit. At present Apache Commons Text versions 1.5 and onwards are deemed vulnerable to this CVE.

Alvaro Muñoz, a Security Researcher for GHSecurityLab, found that with Apache Commons Text running default configurations, and with malicious input, an unwanted remote code execution could be carried out on the target.

Mitigations Ensure that Apache Commons Text is updated to the most patched version available from usual package managers or a direct download from https://commons.apache.org/proper/commons-text/download_text.cgi

Even though the CVE-2022-42889 is only exploitable under specific conditions, which makes the vulnerability not as popular as the others seen during this year, it is still important to take immediate action.

Read more about this vulnerability below: https://blog.aquasec.com/cve-2022-42889-text2shell-apache-commons-vulnerability

A proof-of-concept (PoC) exploit has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches.

The issue impacts the following versions, and has been addressed in FortiOS versions 7.0.7 and 7.2.2, and FortiProxy versions 7.0.7 and 7.2.1 released this week:

• FortiOS – From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
• FortiProxy – From 7.0.0 to 7.0.6 and 7.2.0

As temporary workarounds, the company is recommending users to disable internet-facing HTTPS Administration until the upgrades can be put in place, or alternatively, enforce a firewall policy to “local-in traffic.”

Read more here.

Microsoft released mitigations to prevent these known attacks on 3rd October. The proposed URL blocking rule was found to be too specific and adversaries could still exploit the Exchange vulnerabilities in new attacks.

Multiple security researchers recommended a less restrictive, temporary mitigation that Microsoft has since used to update the solution until patches become available.

Read more and see URL rewrite instructions here.

Mitigations

Microsoft Exchange Online Customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the URL Rewrite Instructions provided below and block exposed Remote PowerShell ports.

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.

Microsoft has confirmed that the URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains.

Read more and see URL rewrite instructions here.

Researchers at Cluster25 analysed one such PowerPoint Presentation, a PPT file that was potentially linked to the Organisation for Economic Co-operation and Development (OECD). The OECD works together with governments, policy makers and citizens in order to establish evidence-based international standards and find solutions to a range of social, economic and environmental challenges.

Vulnerable versions

CVE-2022-34721 affects IKEv1 only. However, all Windows Servers are affected because they accept both V1 and V2 packets.

More Windows vulnerable versions are listed below:

• Microsoft Windows server 2008 r2
• Microsoft Windows server 2012 r2
• Microsoft Windows 10 1607
• Microsoft Windows 8.1
• Microsoft Windows server 2016
• Microsoft Windows server 2008
• Microsoft Windows 7
• Microsoft Windows rt 8.1
• Microsoft Windows server 2012
• Microsoft Windows 10
• Microsoft Windows 10 20h2
• Microsoft Windows 10 21h1
• Microsoft Windows 10 21h2
• Microsoft Windows 10 1809
• Microsoft Windows 11
• Microsoft Windows server 2019
• Microsoft Windows server 2022

Mitigation Actions

Microsoft advises users who use vulnerable versions of Windows to prioritise the patches and mitigate active exploitation attempts. Patched versions are available for download from Microsoft’s website.

For more information on the vulnerability and to apply the relevant patches, see here.

Google has not released significant information yet and is waiting for most users to update their browsers before releasing bug details and links.

Vulnerable versions

The affected versions are anything before the latest release 105.0.5195.102, on all platforms (Windows, Linux and macOS).

Mitigations

Users are recommended to upgrade to version 105.0.5195.102 for Windows, macOS, and Linux to mitigate potential threats.

Additionally, users of Chromium-based browsers (Microsoft Edge, Brave, Vivaldi or Opera) are to apply the fixes and upgrade the version as soon as it becomes available. Microsoft has released an update for Edge (version 105.0.1343.27) that contains a fix for the CVE-2022-3075.

To ensure that you are using the latest version, click on the three dots icon (in the top right) and navigate to “Help” and then “About Google Chrome”. If the version is not the latest one released, click on “Update Google Chrome”.

Important

It is to be noted by the user that they need to relaunch the browser for the update to come into effect.

More about the vulnerability and the latest releases can be read on Google’s website here.

To be misused by an external attacker, the firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface. This configuration is not typical for URL filtering and, if set, is likely unintended by the administrator.

If exploited, this issue would not impact the confidentiality, integrity, or availability of our products. However, the resulting denial-of-service (DoS) attack may help obfuscate the identity of the attacker and implicate the firewall as the source of the attack.

Vulnerable Versions

1. PAN-OS 10.2 < 10.2.2-h2
2. PAN-OS 10.1 < 10.1.6-h6
3. PAN-OS 10.0 < 10.0.11-h1
4. PAN-OS 9.1 < 9.1.14-h4
5. PAN-OS 9.0 < 9.0.16-h3
6. PAN-OS 8.1 < 8.1.23-h1

Read more about this vulnerability here: https://security.paloaltonetworks.com/CVE-2022-0028

Vulnerable Versions

The vulnerable versions for CVE-2022-20827 are the following:

• RV160 and RV260 Series Routers – versions earlier than 1.0.01.05
• RV160 and RV260 Series Routers – version 1.0.01.05
• RV340 and RV345 Series Routers – versions earlier than 1.0.03.26
• RV340 and RV345 Series Routers – version 1.0.03.26

Additionally, the vulnerable versions for CVE-2022-20842 are the following:

• RV340 and RV345 Series Routers – versions 1.0.03.26 and earlier

Mitigation Actions

Users are advised to upgrade their router series to the following versions published by Cisco. Cisco announced that there are no workarounds to remove the attack vectors. The first fixed release is as following:

CVE-2022-20827

• RV160 and RV260 Series Routers – not vulnerable
• RV160 and RV260 Series Routers – 1.0.01.09
• RV340 and RV345 Series Routers – not vulnerable
• RV340 and RV345 Series Routers – 1.0.03.28

CVE-2022-20842

• RV340 and RV345 Series Routers – 1.0.03.28

For more information about the vulnerabilities or the fixed releases, have a read here.

Vulnerable Versions
Vulnerable versions include versions 2.7.34, 2.7.35, and 3.0.2 as the user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the Questions For Confluence app.

CISA, the Cybersecurity and Infrastructure Security Agency have added this vulnerability to its list of vulnerabilities abused in the wild, giving US federal agencies three weeks to secure their servers but also encouraging other affected organisations to keep abreast with updates in relation to this vulnerability.

Read more about this vulnerability here
https://www.cve.org/CVERecord?id=CVE-2022-26138

https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-confluence-bug-exploited-in-attacks/

Vulnerable Versions
* Cisco Nexus Dashboard 1.1 (not affected by CVE-2022-20858)
* Cisco Nexus Dashboard 2.0
* Cisco Nexus Dashboard 2.1
* Cisco Nexus Dashboard 2.2

Mitigation Actions
For the version 2.2, Cisco has addressed the flaws in the 2.2(1e) security update while for the rest it advises customers to migrate to a fixed release as soon as possible.

To read more about the vulnerabilities and Cisco’s advisory, see here.

Vulnerable Versions

MiVoice Connect Service Appliances –  R19.2 SP3 (22.20.2300.0) and earlier R14.x and earlier  

SA 100 

SA400 

Virtual SA  

Mitigation Actions

Mitel’s Security Bulletin states that remediations will be included in MiVoice connect R19.3 which has the forecast for June 2022.  

A remediation script for the MiVoice Connect versions 19.2 SP3 and earlier as well as R14.x and earlier was released by Mitel. It is recommended that users are following the instructions and if help is required Mitel’s support team should be contacted.

To read more about the vulnerability and Mitel’s recommended prevention measures, see below.

https://www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/ 

https://www.mitel.com/en-gb/support/security-advisories/mitel-product-security-advisory-22-0002

Vulnerable Versions

Django main branch

Django 4.1 (currently at beta status)

Django 4.0

Django 3.2

Mitigation Actions

On 5th July 2022, the Django team released versions 4.0.6 and 3.2.14 addressing the vulnerability. It is highly recommended that upgrade to these versions are carried out as soon as possible.

Django has also released patches available that can be applied to the affected versions. 

To read more about the vulnerability, see below.

https://www.djangoproject.com/weblog/2022/jul/04/security-releases/

Vulnerable Versions

Any versions of Google Chrome older than 103.0.5060.114 on Windows and MACOS devices and 103.0.5060.71 on Android.

For Microsoft Edge, any versions older than 103.0.1264.49.

Mitigation actions

Ensure that Google Chrome and Microsoft Edge are updated to the latest version.

On Windows and MACOS devices, Chrome does not automatically restart to apply an update to preserve the session. It is recommended to click the three dots, expand Help, and select About Google Chrome to ensure it has updated successfully, or trigger the update if not already installed. Following this, Google Chrome should be restarted (The patch will not be applied until a successful restart of the software).

Microsoft Edge also automatically updates on restart. Please ensure the browser is fully closed before reopening if not done recently.

To read more about this vulnerability, see below.

https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html

The rise in LNK files has been summarised by Lakshya Mathur (security researcher, McAfee), who stated “during the second quarter of 2022, McAfee Labs has seen a rise in malware being delivered using LNK files”.

Most notably, LNK files have recently been used to deliver malware such as Emotet, Qakbot, IcedID, Bazarloaders and others which can have catastrophic impact if executed.

Mitigation actions

As phishing attacks are frequently used to install and interact with malicious LNK files, refresher phishing training is recommended to heighten staff vigilance.

Blacklist known IoCs to reduce most used exploits. For a list of frequently used IoCs, see below.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware

Vulnerable Versions 
Windows 7 through to the latest release; and Windows Server 2008 through to the latest release.

Mitigation actions 
Ensure windows has installed the latest updates. If this is not possible, the MSDT URL Protocol can be disabled as a workaround to prevent this vulnerability.

To read more about this vulnerability, or see full instructions on applying the workaround, see below.
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

An initial patch was released by MSRC in March, followed by a second patch release earlier in April where the Synapse management server certificate was revoked, both patches were bypassed by Orca. A third patch was then released on the 15th of April, fixing the RCE with attack vectors reported. There have been continuous efforts toward more comprehensive tenant isolation and by the end of May 2022, more comprehensive tenant isolation including “ephemeral instances and scoped tokens for the shared Azure Integration Runtimes” was deployed by the team at Microsoft. Read more about mitigation actions below.  

Vulnerable Versions 

This vulnerability can be exploited via command injection that can be found in the Magnitude Simba Amazon Redshift ODBC connector. The vulnerable versions of this are shown below: 

1.4.14 through 1.4.21.1001 

1.4.22 through 1.4.x before 1.4.52 

These versions may allow a remote attacker to execute arbitrary code. Any updates exceeding 1.4.52 are not susceptible to this vulnerability.  

Mitigation actions 

It is recommended that Microsoft integration runtime is updated to the latest version 5.17.8186.1 and Magnitude Simba Amazon Redshift ODBC Driver updated to the last fixed version 1.4.52. Additional recommendations include enabling auto updates to ensure that the software is running the latest version.  

Read more about this vulnerability here.

According to Volexity who discovered the zero-day vulnerability, “Web logs also revealed that the attacker interacted with the BEHINDER implant by making continuous POST requests to the main index page of the Confluence Server system. This appears as “POST / HTTP/1.1” in the log files with “200” status codes”.  Although POST requests to the index page of a Confluence web server can be confirmed legitimate, further analysis of this activity is recommended as it is not a usual common path used for Confluence operations.

As of June 3^rd 2022, Palo Alto reported that about 19,707 instances of Confluence Servers were identified by its attack surface management platform ‘Cortex Xpanse’ as potentially affected by this vulnerability and approximately 1,251 end-of-life versions of the Confluence Server were exposed on the public internet. Although it appears that all versions of the confluence server are affected, end-of-life versions should be totally decommissioned.

At the time of writing, Palo Alto reported several exploitation attempts one of which resulted in the Cerber Ransomware attack. This was however, blocked by Palo Alto’s Cortex XDR agent and was confirmed as related to CVE-2022-26134 due to the observation of a PowerShell execution found within the Confluence Apache access logs.

Vulnerable Versions

At the time of detection, all supported and up-to-date versions of Confluence Server and Data Centre (versions after 1.3.0.) were vulnerable. Atlassian Cloud sites on the other hand, are protected this is because they are hosted by Atlassian.

GreyNoise reports over 200 unique IP addresses attempting to exploit the vulnerability. Some discovered IoC’s can be found in the read more section below.

Mitigation Actions

Atlassian recommends urgent updates for affected users to avoid further attacks such as data theft and ransomware deployment. Fixes have been released within the following versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.

Temporary workarounds have also been provided for users who are unable to upgrade immediately. This involves unique file updates for specific versions.

Read more about this vulnerability here:

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

https://unit42.paloaltonetworks.com/cve-2022-26134-atlassian-code-execution-vulnerability/

Vulnerable Versions

Impacted versions include Microsoft’s Office ProPlus and Office 365 editions as well as Microsoft Office versions Office 2013, 2016, 2019 and 2021.

Mitigation Actions

A patch is yet to be released however, researchers suggested unregistering the ms-msdt protocol while this vulnerability is unpatched.

Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This “prevents troubleshooters being launched as links including links throughout the operating system,” the company wrote in their advisory.

To do this, users must follow these steps: Run “:Command Prompt as Administrator”; Back up the registry key by executing the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”; and execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

In the interim, the tech giant ‘Microsoft’ recommends “ensuring cloud-delivered protections and automatic sample submission for Microsoft Defender are enabled.”. and that Defender for Endpoint customers enable the attack surface reduction rule BlockOfficeCreateProcessRule.

Here at Socura, we have implemented custom rules in Microsoft Defender for Endpoint, Google Chronicle, and Palo Alto Networks Cortex XDR to detect IoCs and confirmed malicious process behaviour associated with the vulnerability. Palo Alto have categorised all known samples as malware meaning WildFire and Cortex XDR will triage and take action on any of these known threats. Additionally, all encountered URLs have been flagged as malware within PAN-DB, the Advanced URL Filtering URL database.

These are however, workarounds while we wait for an official permanent patch to be released.

Read more about this vulnerability here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190v

https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability/

According to Ramuel Gall, these vulnerable versions register AJAX actions but do not perform cryptographic nonce checks. Thereby allowing any logged in user to elevate their privileges by sending an AJAX request setting the action parameter to abb_uninstall_template. This request invokes the uninstallTemplate function which in turn calls the resetWordpressDatabase function, effectively reinstalling the site making the current logged in user the site owner. In vulnerable versions of JupiterX Core plugin, the same request can be sent but with the action parameter set to jupiterx_core_cp_uninstall_template.

Generally, the bug allows the attacker to reduce the security of sites and damage its functionality.

Vulnerable Versions and Mitigation Actions

Vulnerable versions include Jupiter Theme 6.10.1 or earlier and JupiterX Core Theme 2.0.6 or earlier. It is recommended to update to at least version 6.10.2 of the Jupiter theme, at least version 2.0.7 of the JupiterX Core theme and at least version 2.0.8 of the JupiterX Core plugin, these are the fully patched versions.

On the 5^th of April firewall rules protecting customers of WorldFence Premium, Wordfence Care and Wordfence Response were released and on the 4^th of May similar rules protecting free Wordfence Users was released.

All users of the affected themes are advised to upgrade immediately to the patched versions.

Read more about this vulnerability here.

Similar to other variants, Microsoft Security Intelligence explains that “Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself” which could effectively place the entire network at risk of joining the Sysrv-K botnet.

Mitigation Actions

These vulnerabilities have been addressed with security updates and the researchers urge organisations to ensure that security updates are applied, credentials are protected and internet-facing systems are secure.

Read more about this vulnerability here.

Vulnerable Versions and Mitigation Actions

The new update detects and prevents anonymous connection attempts in LSARPC. Although this vulnerability affects all Windows Server Operating Systems, Microsoft recommends the prioritisation of domain controllers when applying the released patch. This should be applied in a test environment first with risks and impact on production environment considered before roll out.

Additional measures to mitigate NTLM relay attacks against Active Directory Certificate Services should also be considered.

Read more about this vulnerability here

Vulnerable Versions

Affected BIG-IP product versions include:

• 1.0 – 16.1.2 (patch introduced in 16.1.2.2)
• 1.0 – 15.1.5 (patch introduced in 15.1.5.1)
• 1.0 – 14.1.4 (patch introduced in 14.1.4.6)
• 1.0 – 13.1.4 (patch introduced in 13.1.5)
• 1.0 – 12.1.6 (no fix available)
• 6.1 – 11.6.5 (no fix available)

Although not identified as a vulnerable version, a fix has also been introduced in v17.0.0. Any other versions above the ones where a fix is available should already have the fix applied.

Mitigation Actions 

Affected organisations are urged to apply the patches in order to prevent exploitation. F5 recommends the use of the following temporary solutions pending when the fixes can be adapted.

• “Block iControl REST access through the self IP address
• Block iControl REST access through the management interface
• Modify the BIG-IP httpd configuration”

Read more about this vulnerability here

Mitigation actions

Clayton Craft, the maintainer of networkd-dispatcher have now deployed the updates required to fix the Nimbuspwn vulnerabilities for affected endpoints.

For CVE-2022-29800 recommendations on git lab suggests not allowing unknown operational/admin states.

For CVE-2022-29800 recommendations on git lab suggests ensuring that scripts are owned by root and that scripts are not writeable by non-root users. This makes sure that other users can’t write to them.

Read more about these vulnerabilities here.

Amazon have addressed these issues within a new version of the hotpatch, and a new version of Hotdog. They recommend that customers who run Java applications in containers, and use either the hotpatch or Hotdog, update to the latest versions of the software immediately. The latest package names and versions of the hotpatch for Amazon Linux and Amazon Linux 2 are as follows:

• Amazon Linux: log4j-cve-2021-44228-hotpatch-1.1-16.amzn1
• Amazon Linux 2: log4j-cve-2021-44228-hotpatch-1.1-16.amzn2

Read More: https://aws.amazon.com/security/security-bulletins/AWS-2022-006/

This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA.

Read more about this vulnerability here: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uva-static-key-6RQTRs4c

Only systems with the NFS role enabled are at risk for exploitation; however, organizations should still apply the patch to all systems to ensure they are protected.

Read more – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24491

Organisations should ensure they apply the available patches as soon as possible. CVE-2022-24481 is another EoP in the CLFS driver that received the same CVSSv3 score of 7.8 and was rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. However, it is not a zero-day.

Impacted Products

• VMware Workspace ONE Access (Access)
• VMware Identity Manager (vIDM)
• VMware vRealize Automation (vRA)
• VMware Cloud Foundation
• vRealize Suite Lifecycle Manager

Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products. More information can be found here: https://www.vmware.com/security/advisories/VMSA-2022-0011.html

Detection

Microsoft recommends configuring some firewall rules to help prevent this vulnerability from being exploited. However, for customers who require this functionality, this guide has limited efficacy. To augment the firewall rules, enterprises should consider security controls that directly monitor and protect core software functionality and behaviour.

The Socura MDR team recommends installing the patch released by Microsoft to address this vulnerability.

Mitigation Actions

1. Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defence to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

2. Follow Microsoft guidelines to secure SMB traffic

https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-secure-traffic

Detection 

Several methods of detecting exploitation attempts are discussed at the link below. However, these detections can be quite brittle due to the existence of numerous methods of obfuscating the strings used to conduct the exploit.

https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

https://github.com/Neo23x0/log4shell-detector

Vulnerable Systems 

Any Apache log4j versions between 2.0 and 2.15 are vulnerable. 2.16 has a DOS vulnerability.  

Mitigation Actions 

Upgrade instances of Log4j to v2.17.

It is also recommended to explore IPS signatures and application-aware firewall rules for LDAP(S) and RMI to block outbound connections from exploited hosts to attacker-controlled infrastructure. This not only stops the attack but helps identify vulnerable systems.

Vulnerable Systems

All versions of Microsoft Exchange Server 2016 and 2019

Mitigation Actions

The Socura MDR team recommends installing the patch released by Microsoft to address this vulnerability.

The Socura MDR team is in the process of creating detection rules for this vulnerability.

Vulnerable Systems

This impacts all versions of Microsoft Excel.

Mitigation Actions

The Socura MDR team recommends applying the latest security patches released by Microsoft to patch this vulnerability on Windows workstations. No patch currently exists for Excel on Mac so it is advisable to not open any attachments people are not expecting.

The Socura MDR team is in the process of creating detection rules for this vulnerability.

Vulnerable Systems

All versions of Google Chrome older than 94.0.4606.71

Mitigation Actions

The Socura MDR team recommends updating all copies of the Chrome browser to the latest 94.0.4606.71 version for Windows, Mac, and Linux

Vulnerable Systems

This impacts appliances running vCenter server 6.7 and 7.0.

Mitigation Actions

The Socura MDR team highly recommends applying the available security patches at the earliest possible opportunity. We continue to monitor for attempts to exploit this vulnerability.

Further information

https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html

Vulnerable Systems

The Atlassian products vulnerable to CVE-2021-26084 are those using the following versions of Confluence Server and Data Centre:

Mitigation Actions

We recommend that customers update Atlassian Confluence Server and Data Centre to the latest version, 7.13.0 (TLS). You can find the newest release on Atlassian’s download centre.

If you cannot install the latest upgrade, see the Mitigation section on the Atlassian security advisory for information on how to mitigate this vulnerability by running a script for the operating system your Confluence server is hosted on.

The full extent of the attack is currently unknown. Kaseya states that fewer than 40 of its customers are impacted. If those customers include MSPs, many more organisations could have been attacked with the ransomware. Kaseya VSA’s functionality allows administrators to remotely manage systems. If an MSP’s VSA system was compromised, that could allow an attacker to deploy malware into multiple networks managed by that MSP.

There has been much speculation about the nature of this attack on social media and other forums. We have not been able to independently determine how these attacks were conducted.

Multiple sources have stated that the following three files were used to install and execute the ransomware attack on Windows systems:

agent.exe  | d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
mpsvc.dll | e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2
mpsvc.dll  | 8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd

As more information becomes available on the nature of this attack, we will update this brief to provide additional details.

Indicators of Compromise

Kaseya Connected REvil Executables

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2

Kaseya-provided IoCs are below:

Source: Incident Overview and Technical Details, Kaseya

35.226.94[.]113
161.35.239[.]148
162.253.124[.]162

Web log IoCs

POST /dl.asp curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
GET /done.asp curl/7.69.1
POST /cgi-bin/KUpload.dll curl/7.69.1
POST /userFilterTableRpt.asp curl/7.69.1

Systems Vulnerable to CVE-2021-34527

All Windows versions are affected by this vulnerability. Domain controllers, clients and member servers running the Print Spooler service on any Windows version are affected by this vulnerability. Microsoft has released an out-of-band update with the fixes for versions other than Windows 10 version 1607, Windows Server 2016 or Windows Server 2012. For these, the security update is expected to be released soon.

Mitigation Actions

Microsoft released an out-of-band security update to address this vulnerability on July 6, 2021. Please see the Security Updates table for the applicable update for your system. Administrators are strongly advised to install these updates. If you are unable to install these updates, see the FAQ and Workarounds sections in the CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Note that the security updates released on and after July 6, 2021, contain protections for CVE-2021-1675 and the additional RCE exploit in the Windows Print Spooler service known as “PrintNightmare,” documented in CVE-2021-34527.