
Threat Bulletin | April 26

In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.

Threat 1: Cisco Releases Fix for High-Severity VPN Hijacking Bug in Secure Client

Sources: 

 

Entities 

  • Cisco, users of Cisco Secure Client software 

 

Attack Vectors:  

  • CRLF (carriage return line feed) injection: an attacker persuades a user to click a specially crafted link while the user is establishing a VPN session through the SAML External Browser flow.

 

Impact:  

  • Execution of arbitrary script code in the user's browser, or theft of browser-based data including a valid SAML token, which the attacker can then use to establish a remote access VPN session with the privileges of the affected user.

 

Detailed Description: 

  • Cisco has released patches for a high-severity vulnerability (CVE-2024-20337) in the SAML authentication process of its Secure Client software. A remote, unauthenticated attacker can conduct a CRLF injection attack against a user and, if successful, hijack the resulting VPN session or execute arbitrary script code in the browser.
  • The vulnerability arises from insufficient validation of user-supplied input. An attacker who persuades a user to click a crafted link while the user is establishing a VPN session can run script in the browser or capture a valid SAML token, and then use that token to establish a VPN session with the privileges of the affected user.

 

Vulnerable Products: 

  • This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco Secure Client and the VPN headend is configured with the SAML External Browser feature: 
    • Secure Client for Linux 
    • Secure Client for macOS 
    • Secure Client for Windows 

 

Products Confirmed Not Vulnerable: 

  • Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. 
  • Cisco has confirmed that this vulnerability does not affect the following Cisco products: 
    • Secure Client AnyConnect for Android 
    • Secure Client (including AnyConnect) for Universal Windows Platform 
    • Secure Client AnyConnect VPN for iOS 

 

Recommendation: 

  • Users should apply the relevant patches provided by Cisco immediately to mitigate the risk of exploitation.

Threat 2: Critical Fortinet Flaw Affects 150,000 Exposed Devices, Allows Remote Code Execution

Sources: 

 

Entities 

  • Fortinet FortiOS (FortiGate firewalls) and FortiProxy (secure web gateway)

 

Attack Vectors:  

  • Unauthenticated remote exploitation of the SSL VPN component by sending specially crafted HTTP requests

 

Impact:  

  • Potential unauthorized execution of code on vulnerable devices, compromising network security and data integrity. 

 

Detailed Description: 

  • Approximately 150,000 Internet-exposed Fortinet FortiOS and FortiProxy devices worldwide are vulnerable to CVE-2024-21762, a critical out-of-bounds write in the SSL VPN component that allows remote code execution without authentication.
  • A remote attacker can exploit CVE-2024-21762 (CVSS 3.1 score 9.8 per NIST NVD) by sending specially crafted HTTP requests to a vulnerable device.
  • The flaw has been actively exploited in the wild, prompting CISA to add it to its Known Exploited Vulnerabilities catalogue.
  • Most affected devices are in the United States, followed by India, Brazil, and Canada.

 

Recommendation: 

  • Follow the recommended upgrade path using the upgrade tool provided by FortiGuard.
  • Where an upgrade cannot be applied immediately, Fortinet's stated workaround is to disable SSL VPN entirely; disabling web mode alone is not a valid workaround.
  • Given confirmed in-the-wild exploitation, treat any device that was exposed while unpatched as potentially compromised and review it for signs of intrusion rather than assuming the upgrade alone closes the incident.

Threat 3: Cybercriminals Exploit AWS and GitHub to Distribute VCURMS and STRRAT Trojans

Sources: 

 

Entities 

  • Cybercriminals, VCURMS Trojan, STRRAT Trojan, AWS, GitHub 

 

Indicators of Compromise

  • Emails: copier@ferrellengineering[.]com, sacriliage@proton[.]me
  • Domains: bankofindustry[.]s3[.]us-east-2[.]amazonaws[.]com, riseappbucket[.]s3[.]ap-southeast-1[.]amazonaws[.]com, ofornta[.]ddns[.]net, jbfrost[.]live, backinghof[.]ddns[.]net
  • SHA256:
    • 97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9
    • 8d72ca85103f44742d04ebca02bff65788fe6b9fc6f5a411c707580d42bbd249
    • 588d6f6feefa6273c87a3f8a15e2089ee3a063d19e6a472ffc0249298a72392d
    • 8aa99504d78e88a40d33a5f923caf7f2ca9578031d004b83688aafdf13b3b59f
    • c0d0dee9b8345da3c6cf3e1c3ce5b5b6e8c9e4002358517df1e3cd04c0f0b3d1

 

Attack Vectors:  

  • Phishing emails, malicious Java-based downloader 

 

Impact:  

  • Remote access to compromised systems, theft of credentials and other sensitive data from applications and browsers, and potential financial loss

 

Detailed Description: 

  • A recent phishing campaign has been observed distributing remote access trojans (RATs), including VCURMS and STRRAT, via a malicious Java-based downloader (“Payment-Advice.jar”) attached to the lure email.
  • The operators host the malware on public services such as Amazon Web Services (AWS) S3 and GitHub, and wrap the Java payloads in commercial protectors (obfuscators) to evade detection.
  • Notably, VCURMS communicates with its command-and-control infrastructure through a Proton Mail email address (“sacriliage@proton[.]me”) rather than a conventional C2 domain.
  • The trojans possess various capabilities, including command execution, data theft from applications and web browsers, keylogging, and system information gathering.
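The indicators above are defanged, so they cannot be pasted straight into a search. The following Python script is an added example written for this bulletin, not code from the report or from the campaign: it refangs the listed emails, domains and SHA256 hashes and scans constructed sample mail-gateway, DNS-resolver and EDR-inventory records (the log formats, hostnames and addresses are assumptions for illustration). Subdomains of a listed domain count as hits, which the defanged list alone does not make obvious.

```python
import re
from dataclasses import dataclass

# Indicators copied from the bulletin above, still in defanged form.
IOC_EMAILS = ["copier@ferrellengineering[.]com", "sacriliage@proton[.]me"]
IOC_DOMAINS = [
    "bankofindustry[.]s3[.]us-east-2[.]amazonaws[.]com",
    "riseappbucket[.]s3[.]ap-southeast-1[.]amazonaws[.]com",
    "ofornta[.]ddns[.]net",
    "jbfrost[.]live",
    "backinghof[.]ddns[.]net",
]
IOC_SHA256 = [
    "97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9",
    "8d72ca85103f44742d04ebca02bff65788fe6b9fc6f5a411c707580d42bbd249",
    "588d6f6feefa6273c87a3f8a15e2089ee3a063d19e6a472ffc0249298a72392d",
    "8aa99504d78e88a40d33a5f923caf7f2ca9578031d004b83688aafdf13b3b59f",
    "c0d0dee9b8345da3c6cf3e1c3ce5b5b6e8c9e4002358517df1e3cd04c0f0b3d1",
]


def refang(ioc: str) -> str:
    """Undo common defanging ("[.]", "(.)", "[@]", "hxxp") and lower-case the
    indicator; domains and e-mail addresses are case-insensitive."""
    s = ioc.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[@]", "@")):
        s = s.replace(defanged, real)
    return re.sub(r"^hxxp", "http", s)


@dataclass(frozen=True)
class Hit:
    source: str     # which data set the record came from
    ioc_type: str   # "email", "domain" or "sha256"
    indicator: str  # the refanged IoC that matched
    line: str       # the full record, for the analyst


EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")
DOMAIN_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b")


def scan(lines: list, source: str) -> list:
    """Return every IoC hit in `lines`. A domain matches exactly or as the
    parent of the observed name (www.jbfrost.live hits jbfrost.live)."""
    emails = {refang(e) for e in IOC_EMAILS}
    domains = {refang(d) for d in IOC_DOMAINS}
    hashes = {h.lower() for h in IOC_SHA256}
    hits = []
    for line in lines:
        low = line.lower()
        for email in set(EMAIL_RE.findall(low)):
            if email in emails:
                hits.append(Hit(source, "email", email, line))
        for digest in set(SHA256_RE.findall(low)):
            if digest in hashes:
                hits.append(Hit(source, "sha256", digest, line))
        for name in set(DOMAIN_RE.findall(low)):
            for ioc in domains:
                if name == ioc or name.endswith("." + ioc):
                    hits.append(Hit(source, "domain", ioc, line))
    return hits


# Constructed sample records (not real telemetry): a mail-gateway log, a
# DNS-resolver log and an EDR file-inventory export. Hosts, addresses and
# field names are illustrative assumptions.
SAMPLE_MAIL_LOG = [
    '2024-04-10T09:12:03Z mta1 smtpd: from=<copier@ferrellengineering.com> to=<ap@example.com> subject="Payment Advice" attach=Payment-Advice.jar',
    '2024-04-10T09:13:10Z mta1 smtpd: from=<billing@example.net> to=<ap@example.com> subject="Invoice 4471" attach=invoice.pdf',
]
SAMPLE_DNS_LOG = [
    "2024-04-10T09:14:21Z dns1 client=10.0.4.17 qname=riseappbucket.s3.ap-southeast-1.amazonaws.com qtype=A",
    "2024-04-10T09:14:22Z dns1 client=10.0.4.17 qname=www.jbfrost.live qtype=A",
    "2024-04-10T09:15:00Z dns1 client=10.0.4.18 qname=updates.example.com qtype=A",
]
SAMPLE_EDR_EXPORT = [
    "host=WS-017 path=C:\\Users\\ap\\Downloads\\Payment-Advice.jar sha256=97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9",
    "host=WS-017 path=C:\\Windows\\System32\\notepad.exe sha256=" + "0" * 64,
]


def scan_all() -> list:
    """Run the three constructed data sets through the matcher."""
    return (scan(SAMPLE_MAIL_LOG, "mail")
            + scan(SAMPLE_DNS_LOG, "dns")
            + scan(SAMPLE_EDR_EXPORT, "edr"))


if __name__ == "__main__":
    for hit in scan_all():
        print(f"[{hit.source}] {hit.ioc_type} {hit.indicator}: {hit.line}")
```

Against the constructed records this yields four hits: the sender address in the mail log, the S3 bucket hostname and the www.jbfrost.live lookup in the DNS log, and the downloader's hash in the EDR export. In production, replace the sample lists with your own exports and keep the IoC lists in a separate file so they can be updated without touching the matcher.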

 

Recommendation: 

  • Organizations should educate users about phishing threats and encourage them to scrutinize email links and attachments before opening them; a .jar attachment presented as a payment advice should be treated as hostile.
  • Robust email filtering (including blocking or quarantining executable attachment types such as .jar) and endpoint protection can help detect and block this campaign.
  • Regularly update security software and promptly apply patches to reduce the risk of exploitation.

Threat 4: Severe SQLi Vulnerability in FortiClientEMS, Fortinet Warns

Sources: 

 

Entities 

  • Fortinet, SQL Injection Vulnerability, FortiClientEMS 

 

Vulnerability Identifier:

  • CVE-2023-48788 (Fortinet PSIRT advisory FG-IR-24-007)

 

Attack Vectors:  

  • Unauthenticated SQL injection [CWE-89] via specially crafted requests to the FortiClientEMS DAS component

 

Impact:  

  • Allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests 

 

Detailed Description: 

  • Fortinet has warned of a critical security flaw impacting its FortiClientEMS software. 
  • The vulnerability is described as an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS which may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. 
  • Tracked as CVE-2023-48788, it carries a CVSS rating of 9.3 out of a maximum of 10. It impacts the following versions – 
    • FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above) 
    • FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above) 
  • Also fixed by the company are two other critical bugs in FortiOS and FortiProxy (CVE-2023-42789 and CVE-2023-42790, CVSS scores: 9.3) that could permit an attacker with access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests. 

 

Recommendation:  

  • Upgrade FortiClientEMS to 7.2.3 or above (7.2 branch) or 7.0.11 or above (7.0 branch).
  • A virtual patch named “FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection” is available in FMWP db update 27.750 for customers who cannot upgrade immediately; it is a stopgap, not a replacement for the upgrade.
  • Note that production FortiSASE was patched with a fix on 2024-03-05.
  • Public proof-of-concept exploit code for CVE-2023-48788 is available and the flaw has been added to CISA's Known Exploited Vulnerabilities catalogue, so Internet-reachable EMS servers should be assumed to be under attack.

Threat 5: Ivanti addresses critical vulnerability in Standalone Sentry following report from NATO

Sources: 

 

Entities:  

  • Ivanti, Standalone Sentry vulnerability 

 

Attack Vectors:  

  • CVE-2023-41724: an unauthenticated attacker on the same physical or logical network as a Standalone Sentry appliance executes arbitrary commands on its underlying operating system. CVE-2023-46808: an authenticated, low-privileged user of Neurons for ITSM performs arbitrary file writes that lead to command execution in the context of the web application's user.

 

Impact:  

  • Unauthorized command execution on the Sentry appliance or the ITSM server, compromise of the systems and data they broker, and a foothold for further lateral movement

 

Detailed Description: 

  • The critical vulnerability in Standalone Sentry (CVE-2023-41724, CVSS 9.6) enables an unauthenticated attacker within the same physical or logical network to execute arbitrary commands on the underlying operating system of the appliance. It was reported to Ivanti by the NATO Cyber Security Centre.
  • A second critical flaw (CVE-2023-46808, CVSS 9.9) in Neurons for ITSM allows a remote attacker with a low-privileged account to write files to the server and execute commands in the context of the web application's user.
  • Ivanti has released patches for both vulnerabilities and, at the time of disclosure, was not aware of customers being exploited, but urges customers to apply the fixes.

 

Recommendation:  

  • Organizations utilizing Ivanti products should immediately apply the provided patches to mitigate the risk of exploitation.

Threat 6: Cisco issues warning about attacks targeting VPN services through password spraying

Sources: 

 

Entities:  

  • Cisco Secure Firewall (ASA/FTD) Remote Access VPN services, password spraying

 

Attack Vectors:  

  • Password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices. 

 

Impact:  

  • The attacks aim to gain unauthorized access to VPN services, potentially compromising sensitive corporate networks and data. 

 

Detailed Description: 

  • Cisco has issued guidance for mitigating password-spraying attacks against Remote Access VPN (RAVPN) services on Cisco Secure Firewall devices, including enabling logging, securing default VPN connection profiles, and moving to certificate-based authentication.
  • The activity is likely driven by a previously undocumented botnet dubbed ‘Brutus’, and Cisco Talos notes that the same campaign also targets third-party VPN concentrators, so other vendors' RAVPN services are not immune.
  • The botnet rotates through a large pool of source IP addresses and uses specific usernames rather than generic wordlists, an approach intended to evade rate limiting, detection, and IP blocklisting.

 

Recommendation: 

  • Organizations should implement Cisco’s mitigation recommendations which include: 
    • Enabling logging to a remote syslog server to improve incident analysis and correlation. 
    • Securing default remote access VPN profiles by pointing unused default connection profiles to a sinkhole AAA server to prevent unauthorized access. 
    • Leveraging TCP shun to manually block malicious IPs. 
    • Configuring control-plane ACLs to filter out unauthorized public IP addresses from initiating VPN sessions. 
    • Using certificate-based authentication for RAVPN, which provides a more secure authentication method than traditional credentials. 
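Cisco's first recommendation, remote syslog, only helps if something reads the logs. The following Python script is an added example written for this bulletin, not Cisco's tooling: it parses the ASA/FTD AAA rejection messages (113005 invalid password, 113015 user not found) from constructed syslog lines and raises one alert when a single source IP fails against many distinct usernames inside a sliding window (classic spraying) and another when a single username is rejected from many distinct source IPs (the rotating-IP pattern attributed to Brutus). The ISO 8601 timestamp prefix, the hostname and all addresses are assumptions; the thresholds are parameters to tune per environment.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Cisco ASA/FTD AAA rejection messages: 113005 (invalid password) and
# 113015 (user not found). The ISO 8601 timestamp prefix is an assumption
# about how the remote syslog server stores each line.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) .*%ASA-6-(?P<msgid>113005|113015): AAA user authentication Rejected"
    r".*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    user: str
    ip: str
    msgid: str


@dataclass(frozen=True)
class Alert:
    kind: str      # "spray_source" or "rotating_ips"
    key: str       # offending source IP, or the targeted username
    count: int     # distinct users (or IPs) seen inside the window
    at: datetime   # time of the attempt that crossed the threshold


def parse_attempt(line: str) -> Optional[Attempt]:
    """Parse one syslog line; returns None for anything but an AAA rejection."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Attempt(ts, m["user"].lower(), m["ip"], m["msgid"])


def detect_spray(lines, window=timedelta(minutes=10),
                 user_threshold=5, ip_threshold=3):
    """Sliding-window password-spray detection over AAA rejections.

    spray_source: one source IP is rejected for >= user_threshold distinct
                  usernames inside `window` (the classic spray).
    rotating_ips: one username is rejected from >= ip_threshold distinct
                  source IPs inside `window` (the rotating-IP pattern the
                  bulletin attributes to Brutus). Each key alerts once.
    """
    attempts = sorted(filter(None, map(parse_attempt, lines)), key=lambda a: a.ts)
    per_ip, per_user = defaultdict(deque), defaultdict(deque)
    alerted, alerts = set(), []

    def in_window(q, a):
        # append the new attempt and drop anything older than `window`
        q.append(a)
        while a.ts - q[0].ts > window:
            q.popleft()
        return q

    for a in attempts:
        users = {x.user for x in in_window(per_ip[a.ip], a)}
        if len(users) >= user_threshold and ("spray_source", a.ip) not in alerted:
            alerted.add(("spray_source", a.ip))
            alerts.append(Alert("spray_source", a.ip, len(users), a.ts))
        ips = {x.ip for x in in_window(per_user[a.user], a)}
        if len(ips) >= ip_threshold and ("rotating_ips", a.user) not in alerted:
            alerted.add(("rotating_ips", a.user))
            alerts.append(Alert("rotating_ips", a.user, len(ips), a.ts))
    return alerts


# Constructed sample syslog (not real traffic); IPs are documentation ranges.
_R5 = "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.2 : user = {u} : user IP = {ip}"
_R15 = "%ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = {u} : user IP = {ip}"
SAMPLE_SYSLOG = [
    # one source walking a username list
    "2024-04-02T03:00:01Z fw1 " + _R15.format(u="admin", ip="198.51.100.7"),
    "2024-04-02T03:00:40Z fw1 " + _R15.format(u="test", ip="198.51.100.7"),
    "2024-04-02T03:01:15Z fw1 " + _R5.format(u="jsmith", ip="198.51.100.7"),
    "2024-04-02T03:02:02Z fw1 " + _R15.format(u="guest", ip="198.51.100.7"),
    "2024-04-02T03:02:48Z fw1 " + _R5.format(u="mjones", ip="198.51.100.7"),
    # one username hit from rotating sources
    "2024-04-02T03:05:00Z fw1 " + _R5.format(u="vpnuser", ip="203.0.113.10"),
    "2024-04-02T03:05:30Z fw1 " + _R5.format(u="vpnuser", ip="203.0.113.11"),
    "2024-04-02T03:06:00Z fw1 " + _R5.format(u="vpnuser", ip="203.0.113.12"),
    # a legitimate user mistyping a password twice: no alert
    "2024-04-02T03:07:00Z fw1 " + _R5.format(u="alice", ip="192.0.2.5"),
    "2024-04-02T03:07:20Z fw1 " + _R5.format(u="alice", ip="192.0.2.5"),
    # unrelated message, ignored by the parser
    "2024-04-02T03:08:00Z fw1 %ASA-6-302013: Built inbound TCP connection 4711",
]

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_SYSLOG):
        print(f"{alert.at.isoformat()} {alert.kind} {alert.key} ({alert.count})")
```

The two views complement each other: a spray that is spread across a rotating IP pool never crosses a per-IP threshold, which is exactly why Brutus rotates sources, but the per-username view still catches it. A successful authentication (message 113012) from an IP or for a username that has already been flagged is the follow-up to alert on most urgently.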

 

SOC Response: 

  • Please monitor the SOC Changelog (https://cyflare.com/soc-change-log/) for any additional rules while we evaluate custom detections against brute force detections towards various VPN products.

Threat 7: Ivanti Rushes Patches for Four Critical Flaws in Connect Secure and Policy Secure Gateways

Sources: 

 

Entities:  

  • Ivanti Vulnerability, Connect Secure, Policy Secure Gateways 

 

Attack Vectors:  

  • Remote exploitation of vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways. 

 

Impact:  

  • Potential for code execution, denial-of-service (DoS) attacks, and memory read access 

 

Detailed Description: 

  • Ivanti has released security updates for four vulnerabilities (CVSS 5.3 to 8.2) affecting its Connect Secure and Policy Secure gateways; all four are reachable without authentication.
  • The three IPSec flaws allow an unauthenticated attacker to crash the service (denial of service) and, for the two heap overflows, potentially execute arbitrary code or read contents of memory; the SAML flaw causes a temporary resource-exhaustion DoS.
  • The list of flaws is as follows:
    • CVE-2024-21894 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. In certain conditions, this may lead to execution of arbitrary code. 
    • CVE-2024-22052 (CVSS score: 7.5) – A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack. 
    • CVE-2024-22053 (CVSS score: 8.2) – A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service thereby causing a DoS attack or in certain conditions read contents from memory. 
    • CVE-2024-22023 (CVSS score: 5.3) – An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion thereby resulting in a limited-time DoS. 

 

Recommendation:  

  • Promptly apply the security updates provided by Ivanti to mitigate the risks associated with these vulnerabilities.
  • Where patching must be delayed, reduce exposure in the meantime, for example by restricting which networks can reach the gateway's IPSec and SAML endpoints.

Threat 8: Linux Variant of Cerber Ransomware Deployed by Exploiting Critical Atlassian Flaw

Sources: 

 

Entities:  

  • Atlassian Vulnerability, Cerber ransomware 

 

Attack Vectors:  

  • Exploitation of CVE-2023-22518 in Atlassian Confluence Data Center and Server, deployment of Cerber ransomware via web shell plugin 

 

Impact:  

  • Full loss of confidentiality, integrity, and availability of affected systems, encryption of files with .L0CK3D extension. 

 

Detailed Description: 

  • The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. 
  • Exploiting CVE-2023-22518, threat actors gain unauthorized access to Atlassian Confluence servers and deploy Cerber ransomware via a web shell plugin.  
  • The ransomware encrypts files with a .L0CK3D extension but is constrained to files owned by the Confluence user.  
  • Financially motivated cybercrime groups are leveraging this vulnerability to deploy ransomware and demand payment from victims. 

 

Recommendation:  

  • Upgrade Atlassian Confluence Data Center and Server to one of the fixed versions listed in Atlassian's security advisory for CVE-2023-22518, and take Internet-exposed instances offline until they are patched.
  • Because the exploit creates a new administrator account and installs a web shell as a plugin, review Confluence for unexpected administrator accounts and recently installed plugins, even on instances that have since been patched.
  • Regularly back up critical data and ensure that backup systems are isolated from potential ransomware attacks.

Threat 9: Urgent Fixes Released by Palo Alto Networks for Exploited PAN-OS Vulnerability

Sources: 

 

Entities:  

  • Palo Alto Networks, PAN-OS Software, GlobalProtect  

 

Attack Vectors:  

  • Command injection vulnerability in GlobalProtect feature of PAN-OS software exploited by threat actors to execute arbitrary code with root privileges on firewalls. 

 

Impact:  

  • Potential unauthorized access to firewalls, execution of arbitrary commands, data exfiltration, and deployment of additional malicious payloads. 

 

Detailed Description: 

  • The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), is a command injection flaw in the GlobalProtect feature of PAN-OS that an unauthenticated attacker can exploit to execute arbitrary code with root privileges on the firewall, and it is being exploited in the wild.
  • The issue affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal (or both). Palo Alto Networks initially stated that device telemetry also had to be enabled, but later revised the advisory: telemetry does not need to be enabled for a firewall to be exposed, so disabling telemetry is not a mitigation. Cloud NGFW, Panorama appliances, and Prisma Access are not affected.
  • Palo Alto Networks has released patches to remediate CVE-2024-3400 in the following hotfix releases:
    • PAN-OS 10.2.8-h3 
    • PAN-OS 10.2.7-h8 
    • PAN-OS 10.2.6-h3
    • PAN-OS 11.0.3-h10 
    • PAN-OS 11.0.2-h4 
    • PAN-OS 11.1.1-h1, and 
    • PAN-OS 11.1.0-h3 
  • The company has also provided a CLI command to hunt for signs of potential compromise: grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
  • “If the value between ‘session(‘ and ‘)’ does not look like a GUID [e.g., 01234567-89ab-cdef-1234-567890abcdef], but instead contains a file system path, this indicates the need for further investigation and the log entry could be related to the successful or unsuccessful exploitation of CVE-2024-3400,” Palo Alto Networks reports.
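The grep above only lists candidate lines; an analyst still has to judge each session value. The following Python script is an added example written for this bulletin, not Palo Alto Networks' code: it applies the stated criterion (a value that is not a GUID is suspicious, and one containing a file system path is the strongest signal) to constructed gpsvc.log-style lines. The line layout is an assumption, the GUID is the vendor's own placeholder, and the sample path is a harmless stand-in, not an exploit payload.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The message the vendor's grep targets; capture whatever sits between
# "session(" and the closing ")".
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<sessid>[^)]*)\)")
# Textual GUID/UUID form, e.g. 01234567-89ab-cdef-1234-567890abcdef
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    line: str
    session_value: str
    reason: str


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding when an unmarshal error carries a non-GUID session
    value; None for clean lines and for unrelated log entries."""
    m = UNMARSHAL_RE.search(line)
    if not m:
        return None
    value = m["sessid"]
    if GUID_RE.match(value):
        return None  # ordinary malformed-session noise
    if "/" in value or "\\" in value or ".." in value:
        # the case the vendor's pattern session(.\+.\/ is looking for
        return Finding(line, value, "session value contains a file system path")
    return Finding(line, value, "session value is not a GUID")


def triage(lines) -> list:
    """Apply inspect_line to every line and keep the suspicious ones."""
    return [f for f in map(inspect_line, lines) if f is not None]


# Constructed gpsvc.log-style lines (not a real capture); the timestamp and
# prefix layout are assumptions, the GUID is the vendor's own placeholder and
# the path is a harmless stand-in, not an exploit payload.
SAMPLE_GPSVC_LOG = [
    "2024-04-12 10:15:02 gpsvc: failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)",
    "2024-04-12 10:15:09 gpsvc: failed to unmarshal session(./../../../tmp/constructed_example)",
    "2024-04-12 10:15:11 gpsvc: failed to unmarshal session(not-a-guid)",
    "2024-04-12 10:16:00 gpsvc: portal request handled",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GPSVC_LOG):
        print(f"SUSPICIOUS ({f.reason}): {f.line}")
```

Collect the grep output from every affected firewall and run it through triage; a path-like session value on a firewall that was exposed before the hotfix should be handled as an incident, not as a log anomaly, since the vendor notes the entry may correspond to a successful exploitation attempt.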

 

Recommendation:  

  • Organizations should promptly apply the hotfix release for their PAN-OS branch and follow the guidance in Palo Alto Networks' security advisory for CVE-2024-3400, including running the log check above on every affected firewall and treating a non-GUID session value as an incident until proven otherwise.

Threat 10: Fortinet Releases Critical Security Updates for FortiClientLinux Vulnerability

Sources: 

 

Entities:  

  • Fortinet Patches, FortiClientLinux Vulnerability 

 

Attack Vectors:  

  • CVE-2023-45590 (CVSS 9.4, code injection) in FortiClientLinux versions 7.0.3 through 7.0.4, 7.0.6 through 7.0.10, and 7.2.0 allows an unauthenticated remote attacker to execute arbitrary code by tricking a user into visiting a malicious website.

 

Impact:  

  • The vulnerability in FortiClientLinux poses a high risk of arbitrary code execution, potentially allowing attackers to take control of affected systems.  

 

Detailed Description: 

  • The flaw is a code injection (CWE-94) caused by an insecure Node.js configuration in the client's local web service; a malicious website visited by the user can reach that service and execute arbitrary code on the host.
  • Fortinet has fixed the issue in FortiClientLinux 7.0.11 and 7.2.1; the vulnerable releases are 7.0.3 through 7.0.4, 7.0.6 through 7.0.10, and 7.2.0.
  • Additionally, issues in the FortiClientMac installer and in FortiOS/FortiProxy have been addressed to prevent potential code execution and cookie leakage respectively.

 

Recommendation: 

  • Users of FortiClientLinux, FortiClientMac, FortiOS, and FortiProxy are advised to apply the security patches provided by Fortinet immediately to mitigate the risks associated with these vulnerabilities.