In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.
Sources:
Entities:
- OpenSSH, CVE-2024-6387
Indicators of Compromise:
- Increased “Timeout before authentication” log entries
Attack Vector:
- Exploits a signal handler race condition
- glibc-based Linux systems running vulnerable OpenSSH versions (8.5p1 through 9.7p1)
Risk Impact:
- Allows attackers to execute arbitrary code with root privileges.
- Potentially exposes sensitive organizational data to unauthorized access.
- Compromised systems could serve as a springboard for lateral movements, further compromising the network.
- Could lead to loss of trust among users and clients if the vulnerability is exploited.
Detailed Description:
- The “regreSSHion” flaw in OpenSSH is a critical vulnerability allowing remote unauthenticated code execution.
- It exploits a signal handler race condition that was previously addressed but reintroduced due to a regression in recent patches.
- Successful exploitation is non-trivial, as it involves bypassing modern security mechanisms like ASLR and exploiting memory corruption vulnerabilities.
- If exploited, an attacker can gain root access to the affected system, leading to full system compromise.
- This vulnerability underscores the challenges in maintaining legacy code and the importance of rigorous regression testing in software development.
Recommendations:
- Apply the latest patches for OpenSSH.
- Adjust ‘LoginGraceTime’ to ‘0’ to mitigate risks if immediate patching isn’t feasible.
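Defensive triage for this item, added here as an example (not code from the bulletin or from the OpenSSH project): it checks an sshd version banner against the 8.5p1 to 9.7p1 range named above, counts the “Timeout before authentication” log entries per source address so a burst from one client stands out, and reports whether sshd_config carries the interim `LoginGraceTime 0` mitigation. The log lines are constructed, and the burst threshold of 10 is an assumed tuning value.

```python
"""Triage helpers for the regreSSHion advisory (CVE-2024-6387).

Added example, not code from the bulletin or from OpenSSH. The version range,
the log message and the LoginGraceTime mitigation come from the bulletin; the
log lines below are constructed and the burst threshold is an assumed value.
"""
import re
from collections import Counter

AFFECTED_MIN = (8, 5)  # 8.5p1 (bulletin)
AFFECTED_MAX = (9, 7)  # 9.7p1 (bulletin)

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")
# Matches the syslog form, e.g.
# "Jul  1 02:14:03 bastion sshd[1234]: Timeout before authentication for 203.0.113.5 port 51000"
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Timeout before authentication for (?P<ip>\S+)"
)


def version_is_affected(banner: str) -> bool:
    """True when the banner's OpenSSH version lies in 8.5 .. 9.7 inclusive."""
    m = VERSION_RE.search(banner)
    if not m:
        return False
    ver = (int(m.group(1)), int(m.group(2)))
    return AFFECTED_MIN <= ver <= AFFECTED_MAX


def timeout_bursts(log_lines, threshold: int = 10) -> dict:
    """Count 'Timeout before authentication' entries per source IP and return
    the sources that reach the threshold. Racing the grace-time window takes
    many reconnects, so a burst from one client is the signal to look for."""
    counts = Counter()
    for line in log_lines:
        m = TIMEOUT_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def login_grace_time_disabled(sshd_config: str) -> bool:
    """True when sshd_config sets LoginGraceTime 0 (the bulletin's interim
    mitigation; it removes the timeout the race depends on, at the cost of
    letting unauthenticated connections hold their slots indefinitely)."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parts[1].strip() == "0"
    return False  # the compiled-in default (120 seconds) is in effect


def triage(banner: str, log_lines, sshd_config: str) -> dict:
    """Combine the three checks into one report for a host."""
    return {
        "version_affected": version_is_affected(banner),
        "timeout_bursts": timeout_bursts(log_lines),
        "grace_time_mitigation": login_grace_time_disabled(sshd_config),
    }


# Constructed sample data: 12 timeouts from one client, one from another, one normal login.
SAMPLE_LOG = [
    f"Jul  1 02:14:{s:02d} bastion sshd[{1200 + s}]: Timeout before authentication "
    f"for 203.0.113.5 port {51000 + s}"
    for s in range(12)
] + [
    "Jul  1 02:20:10 bastion sshd[1300]: Timeout before authentication for 198.51.100.7 port 40022",
    "Jul  1 02:21:00 bastion sshd[1301]: Accepted publickey for ops from 198.51.100.9 port 40100 ssh2",
]
SAMPLE_BANNER = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"  # constructed
SAMPLE_CONFIG = "# LoginGraceTime 0\nPermitRootLogin no\nLoginGraceTime 120\n"  # constructed

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_LOG, SAMPLE_CONFIG))
```

The report for the sample host shows an affected version, a twelve-entry burst from 203.0.113.5 and no mitigation in place, which is the combination that should be escalated for patching.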
Source:
Entities:
- MSI (Micro-Star International), Carsonchan12345
Indicators of Compromise:
- MSI Center versions 2.0.36.0 and earlier ones
Attack Vector:
- Exploitation of a local privilege escalation vulnerability in MSI Center versions 2.0.36.0 and earlier.
- Manipulation of file operations within MSI Center to escalate privileges on Windows systems.
Risk Impact:
- Enables attackers to elevate privileges to SYSTEM level.
- Potential to overwrite or delete critical system files.
- Allows installation of programs without administrator rights.
- Malicious payloads can execute upon administrator login, leading to full system compromise.
Detailed Description:
- Vulnerability CVE (CVE-2024-37726): Insecure file operations by MSI Center with elevated privileges.
- Exploitation Steps:
- Create directory and set OpLock on a file.
- Trigger a file write operation via the “Export System Info” function.
- Move original file, create junction to target file.
- Exploit SYSTEM-level privileges to overwrite or delete files.
Recommendations:
- Update MSI Center: Upgrade to version 2.0.38.0 or later to mitigate the vulnerability.
- Verification: Check MSI Center version across systems to identify vulnerable instances.
- Temporary Measures: Disable or uninstall MSI Center if immediate update isn’t feasible.
- Stay Informed: Monitor MSI’s security advisories for future updates and apply promptly.
Sources:
- https://thehackernews.com/2024/07/microsoft-uncovers-critical-flaws-in.html
- https://thehackernews.com/2024/07/radius-protocol-vulnerability-exposes.html
Entities:
- BlastRADIUS
- RADIUS protocol
- FreeRADIUS Project
Attack Vector:
- Exploitation of the BlastRADIUS vulnerability in the RADIUS network authentication protocol.
- Modification of Access-Request messages that lack integrity or authentication checks.
Risk Impact:
- Mallory-in-the-middle (MitM) attacks.
- Bypass of integrity checks.
- Unauthorized user authentication and authorization (e.g., VLAN assignments).
Detailed Description:
- The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks, enabling undetectable packet modification by attackers.
- Attackers can force user authentication and grant any authorization to that user.
- RADIUS relies on the MD5 algorithm, which is susceptible to collision attacks; a chosen-prefix collision lets an attacker modify response packets so that they still pass the integrity check.
- For the attack to succeed, adversaries need the ability to modify RADIUS packets in transit between the RADIUS client and server.
- Organizations sending RADIUS packets over the internet are particularly at risk.
- Mitigating factors include carrying RADIUS traffic over TLS and the additional packet integrity provided by the Message-Authenticator attribute.
- BlastRADIUS impacts all standards-compliant RADIUS clients and servers, necessitating updates by ISPs and organizations.
- PAP, CHAP, and MS-CHAPv2 authentication methods are especially vulnerable.
- MAC address authentication and RADIUS for administrator logins to switches are also vulnerable.
- Enterprises need to manage access to the management VLAN to mitigate risk.
- The vulnerability has a CVSS score of 9.0 and predominantly affects networks sending RADIUS/UDP traffic over the internet.
- No evidence suggests the vulnerability is being exploited in the wild.
Recommendations:
- Update RADIUS clients and servers to the latest versions.
- Ensure the use of TLS or IPSec for transmitting RADIUS traffic.
- Avoid using vulnerable authentication methods like PAP, CHAP, and MS-CHAPv2.
- Implement the Message-Authenticator attribute to increase packet security.
- Verify the use of secure authentication methods and restrict access to management VLANs.
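To make the Message-Authenticator recommendation concrete, the following added example (not code from the bulletin or from the FreeRADIUS project) builds a RADIUS Access-Request in both forms: a legacy packet with no integrity attribute, and one carrying Message-Authenticator (attribute type 80, HMAC-MD5 over the whole packet with the attribute value zeroed, keyed by the shared secret). Verifying a modified packet shows why the bare form is the exposure: without the attribute the server has nothing to check, with it the modification is rejected. The shared secret and packet contents are constructed.

```python
"""Message-Authenticator (RFC 2869 attribute 80) on a RADIUS Access-Request.

Added example, not code from the bulletin or FreeRADIUS. The secret and packet
bytes are constructed for demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
MA_LEN = 16  # HMAC-MD5 digest size

SECRET = b"constructed-shared-secret"  # constructed


def _attr(atype: int, value: bytes) -> bytes:
    # Attribute layout: Type(1) Length(1, counts the 2-byte header) Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, username: bytes,
                         with_message_auth: bool) -> bytes:
    """Assemble Code/Identifier/Length/Request Authenticator plus attributes.
    With with_message_auth a zero-filled Message-Authenticator is appended;
    sign_message_authenticator() fills it in."""
    attrs = _attr(ATTR_USER_NAME, username)
    if with_message_auth:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * MA_LEN)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def _find_message_authenticator(packet: bytes):
    """Walk the attribute list; return (value_offset, value) or None if absent."""
    off = 20
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > len(packet):
            return None  # malformed attribute list: treat as absent
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == MA_LEN + 2:
            return off + 2, packet[off + 2:off + 2 + MA_LEN]
        off += alen
    return None


def _hmac_over_zeroed(packet: bytes, value_offset: int, secret: bytes) -> bytes:
    zeroed = packet[:value_offset] + b"\x00" * MA_LEN + packet[value_offset + MA_LEN:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def sign_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """Fill the Message-Authenticator value with HMAC-MD5(secret, packet-with-zeroed-MA)."""
    found = _find_message_authenticator(packet)
    if found is None:
        raise ValueError("packet carries no Message-Authenticator attribute")
    voff, _ = found
    return packet[:voff] + _hmac_over_zeroed(packet, voff, secret) + packet[voff + MA_LEN:]


def verify_message_authenticator(packet: bytes, secret: bytes):
    """None when the attribute is absent (nothing to verify: a modified packet is
    indistinguishable from a clean one), otherwise True/False."""
    found = _find_message_authenticator(packet)
    if found is None:
        return None
    voff, received = found
    return hmac.compare_digest(received, _hmac_over_zeroed(packet, voff, secret))


def demo() -> dict:
    """Verify clean and byte-flipped packets with and without the attribute."""
    authenticator = os.urandom(16)  # Request Authenticator is random per request
    bare = build_access_request(7, authenticator, b"alice", with_message_auth=False)
    bare_mod = bytearray(bare)
    bare_mod[22] ^= 0x01  # first byte of the User-Name value (20-byte header + 2-byte attr header)
    signed = sign_message_authenticator(
        build_access_request(8, authenticator, b"alice", with_message_auth=True), SECRET)
    signed_mod = bytearray(signed)
    signed_mod[22] ^= 0x01
    return {
        "bare": verify_message_authenticator(bare, SECRET),
        "bare_modified": verify_message_authenticator(bytes(bare_mod), SECRET),
        "signed": verify_message_authenticator(signed, SECRET),
        "signed_modified": verify_message_authenticator(bytes(signed_mod), SECRET),
        "signed_wrong_secret": verify_message_authenticator(signed, b"other-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

On the server side the operational counterpart is to require the attribute on every Access-Request (FreeRADIUS exposes this as a client setting) rather than merely accept it when present; the check above only helps when a missing attribute is itself treated as a rejection.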
Sources:
- https://www.bleepingcomputer.com/news/security/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year/
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38112
Entities:
- Microsoft Windows, MSHTML (Trident) Engine
Indicators of Compromise:
- Malicious .url files
- MHTML URI handler
- HTA files masquerading as PDFs
Attack Vector:
- Exploitation of CVE-2024-6409 in OpenSSH.
- Initial access via race condition in signal handling.
- Versions 8.7p1 and 8.8p1 of OpenSSH affected.
- Privilege escalation within the privsep child process.
Risk Impact:
- Remote code execution (RCE).
- Installation of password-stealing malware.
- Exfiltration of sensitive data (credentials, cookies, cryptocurrency wallets).
- Exploitation in both Windows 10 and Windows 11 environments.
Detailed Description:
- CVE-2024-38112 is a high-severity MHTML spoofing issue.
- Threat actors distribute Internet Shortcut (.url) files that open URLs using the mhtml: URI handler.
- This forces Windows to use Internet Explorer, bypassing security warnings.
- The URL opens and downloads an HTA file, disguised as a PDF.
- Unicode character padding hides the .hta extension.
- Once opened, the HTA file installs password-stealing malware (Atlantida Stealer).
- This method allows attackers to steal browser credentials, cookies, browser history, cryptocurrency wallets, and other sensitive data.
Recommendations:
- Apply the latest security patches from Microsoft.
- Unregister the ‘mhtml:’ URI handler to prevent automatic use by Internet Explorer.
- Educate users on the risks of opening unknown files and links.
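Two of the indicators above lend themselves to a file-level check: an Internet Shortcut whose URL= value uses the mhtml: handler, and a downloaded name that ends in .hta while showing another extension ahead of a run of Unicode padding. The following detector is an added example (not code from the bulletin or from Microsoft); the shortcut text and file names are constructed, and the set of characters treated as padding is a defensive choice rather than a list taken from any sample.

```python
"""Detection helpers for the MHTML spoofing chain described for CVE-2024-38112.

Added example, not code from the bulletin or Microsoft. The shortcut contents and
file names below are constructed.
"""
import configparser
import re
import unicodedata

MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
FAKE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5}$")  # a visible extension such as .pdf


def url_file_uses_mhtml(contents: str) -> bool:
    """True when an [InternetShortcut] section has a URL= value in the mhtml: scheme."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; compared case-insensitively below
    try:
        cp.read_string(contents)
    except configparser.Error:
        return False  # not a parseable .url file
    for section in cp.sections():
        if section.lower() != "internetshortcut":
            continue
        for key, value in cp.items(section):
            if key.lower() == "url" and MHTML_RE.match(value):
                return True
    return False


def _is_padding(ch: str) -> bool:
    # Space separators, format and control characters, plus Braille blank
    # (U+2800, category So) which renders as empty space.
    return unicodedata.category(ch) in ("Zs", "Cf", "Cc") or ch == "\u2800"


def is_padded_hta(filename: str) -> bool:
    """True when the real extension is .hta and a different visible extension
    sits before a run of padding, so a truncated listing shows only the decoy."""
    if not filename.lower().endswith(".hta"):
        return False
    stem = filename[:-4]
    stripped = stem
    while stripped and _is_padding(stripped[-1]):
        stripped = stripped[:-1]
    padding_len = len(stem) - len(stripped)
    return padding_len > 0 and FAKE_EXT_RE.search(stripped) is not None


def scan(url_files: dict, download_names: list) -> dict:
    """Return the shortcut names using mhtml: and the padded .hta download names."""
    return {
        "mhtml_shortcuts": sorted(n for n, body in url_files.items() if url_file_uses_mhtml(body)),
        "padded_hta": [n for n in download_names if is_padded_hta(n)],
    }


# Constructed samples
SAMPLE_URL_FILES = {
    "Invoice.url": "[InternetShortcut]\nURL=mhtml:http://example.invalid/doc\nIDList=\n",
    "Portal.url": "[InternetShortcut]\nURL=https://example.invalid/portal\n",
    "Broken.url": "not an ini file\n",
}
SAMPLE_DOWNLOADS = [
    "Statement_Q2.pdf" + "\u2800" * 20 + ".hta",   # decoy .pdf, braille padding, real .hta
    "quarterly.pdf     .hta",                      # decoy .pdf, ASCII space padding
    "installer.hta",                               # plain .hta, no decoy: not this pattern
    "report.pdf",                                  # benign
]

if __name__ == "__main__":
    print(scan(SAMPLE_URL_FILES, SAMPLE_DOWNLOADS))
```

A plain .hta with no decoy extension is deliberately not flagged by `is_padded_hta`; whether bare HTA downloads should alert at all is a separate policy question for the environment.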
Sources:
Entities:
- Netgear, XR1000 Nighthawk gaming router, CAX30 Nighthawk AX6 6-Stream cable modem routers, PSV-2023-0122, PSV-2023-0138
Attack Vector:
- Stored XSS vulnerability allows attackers to hijack user sessions, redirect users to malicious sites, display fake login forms, and steal sensitive information.
- Authentication bypass vulnerability grants unauthorized access to the administrative interface, potentially leading to complete device takeover.
Risk Impact:
- Compromised user sessions and theft of sensitive data due to XSS exploitation.
- Unauthorized access to administrative controls, posing risks of device takeover and malicious configuration changes.
Detailed Description:
- Netgear has identified and patched critical security vulnerabilities in several WiFi 6 router models through firmware updates.
- PSV-2023-0122 affects the XR1000 Nighthawk gaming router, addressing a stored XSS flaw that could enable session hijacking and information theft.
- PSV-2023-0138 impacts CAX30 Nighthawk AX6 6-Stream cable modem routers, mitigating an authentication bypass vulnerability that allows unauthorized administrative access.
- Exploitation of these vulnerabilities could result in attackers gaining control over affected devices, potentially compromising user data and network security.
- Netgear urges customers to promptly update their router firmware to the latest available versions to mitigate these risks.
- The advisories stress the severity of these vulnerabilities and the need for immediate action to secure affected devices.
- The company provides detailed instructions on how users can update their router firmware through the Netgear Support portal.
Recommendations:
- Immediately update Netgear routers affected by PSV-2023-0122 and PSV-2023-0138 to firmware versions 1.0.0.72 and 2.2.2.2, respectively.
- Visit NETGEAR Support.
- Start by entering your model number in the search box. Then, choose your model from the drop-down menu when it appears.
- If you do not see a drop-down menu, make sure you have entered your model number correctly or select a product category to browse for your product model.
- Click Downloads.
- Under Current Versions, select the first download whose title begins with Firmware Version.
- Click Download.
- To install the new firmware, follow the instructions in your product’s user manual, firmware release notes, or product support page.
Sources:
Entities:
- AT&T, third-party cloud platform
Attack Vector:
- Illegal download of customer data from AT&T’s workspace on a third-party cloud platform.
- Exploitation of vulnerabilities in cloud platform security controls leading to unauthorized data access.
Risk Impact:
- Exposure of sensitive call and text records, potentially compromising customer privacy.
- Risk of unauthorized access to communications metadata, facilitating targeted phishing or fraud attempts.
Detailed Description:
- AT&T detected unauthorized access to customer data stored on a third-party cloud platform.
- The accessed data includes call and text records detailing interactions with AT&T cellular and landline services during specific periods.
- Although the accessed data does not include call/text content, timestamps, Social Security numbers, or other sensitive personal details, it may still pose privacy risks due to potential linkage with publicly available information.
- Law enforcement collaboration initiated to apprehend involved parties; one individual has been arrested.
Recommendations:
- Strengthen data encryption and access controls to mitigate risks of unauthorized data extraction and exposure.
- Conduct regular security audits and assessments of third-party cloud service providers to ensure compliance with security standards and protocols.
Sources:
Entities:
- O365, Axios, ProofPoint, FieldEffect
Indicators of Compromise:
- User Agents:
- axios/1.7.2
- axios/1.7.1
- axios/1.6.8
- axios/1.6.7
- agentaxios/1.7.2
- Hosting Providers:
- Hostinger International Limited (AS47583)
- Global Internet Solutions LLC (AS207713)
Attack Vector:
- Adversary-in-the-middle campaign
Risk Impact:
- Account compromise
Detailed Description:
- An ongoing adversary-in-the-middle campaign has recently been discovered targeting Microsoft Azure accounts.
- Noted originally by Field Effect, currently unknown threat actors have been observed in account compromises with an Axios user agent string from two ISPs: Hostinger International Limited and Global Internet Solutions LLC.
- Axios is an HTTP client for browsers and Node.js; its ability to intercept, transform and cancel request and response data is what these threat actors are using.
- At this time, it is assumed that the attack starts with a target receiving a phishing email from a legitimate but compromised account linking to a fake login page.
- Once the target inputs their credentials (including MFA), the threat actor uses Axios to capture these credentials and compromise the account.
Recommendations:
- Rotate credentials for any suspected compromised account
- Require MFA for all accounts
- Additional Phishing Awareness training for the organization
SOC Response:
- The SOC has created an ATH rule to detect the known IoCs at this time. Additionally, we will begin threat hunting for any activity that matches these indicators for accounts prior to the creation of this rule. If seen, the SOC will reach out to notify any suspected account(s), and it is recommended to take immediate action to prevent any further compromise.
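A hunt over sign-in records for the indicators listed above, added here as an example (it is not the SOC's ATH rule and not code from Field Effect or Proofpoint). It scores each record on the listed user agent strings and the two hosting-provider AS numbers, and it also matches the general `axios/x.y.z` pattern at lower weight so versions not yet on the list surface as medium-confidence hits rather than being missed. The sign-in records are constructed, and the flattened field names (`user`, `user_agent`, `asn`, `result`) are an assumption rather than any product's schema.

```python
"""Sign-in hunt for the Axios adversary-in-the-middle indicators.

Added example, not the SOC's detection rule. Records and field names are
constructed; the IoC lists come from the bulletin.
"""
import re

KNOWN_UAS = {"axios/1.7.2", "axios/1.7.1", "axios/1.6.8", "axios/1.6.7", "agentaxios/1.7.2"}
SUSPECT_ASNS = {47583: "Hostinger International Limited", 207713: "Global Internet Solutions LLC"}
AXIOS_UA_RE = re.compile(r"^(?:agent)?axios/\d+\.\d+\.\d+$", re.IGNORECASE)

# Weights: listed UA 2, generic axios UA 1, listed ASN 2; total >= 3 is high.
W_LISTED_UA, W_GENERIC_UA, W_ASN = 2, 1, 2


def evaluate(record: dict):
    """Return (score, reasons) for one sign-in record."""
    score, reasons = 0, []
    ua = record.get("user_agent", "")
    asn = record.get("asn")
    if ua in KNOWN_UAS:
        score += W_LISTED_UA
        reasons.append(f"user agent {ua} is a listed IoC")
    elif AXIOS_UA_RE.match(ua):
        score += W_GENERIC_UA
        reasons.append(f"user agent {ua} matches axios/* but is not on the list")
    if asn in SUSPECT_ASNS:
        score += W_ASN
        reasons.append(f"source AS{asn} ({SUSPECT_ASNS[asn]}) is a listed hosting provider")
    return score, reasons


def severity(score: int) -> str:
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "none"


def hunt(records: list) -> dict:
    """Map each user with at least one indicator to their worst finding.
    Successful sign-ins are marked so they can be prioritised for credential rotation."""
    findings = {}
    for rec in records:
        score, reasons = evaluate(rec)
        if score == 0:
            continue
        if rec.get("result") == "success":
            reasons.append("sign-in succeeded: rotate credentials and revoke sessions")
        prev = findings.get(rec["user"])
        if prev is None or score > prev["score"]:
            findings[rec["user"]] = {"score": score, "severity": severity(score), "reasons": reasons}
    return findings


# Constructed sample sign-in records
SAMPLE_SIGNINS = [
    {"user": "alice@example.invalid", "user_agent": "axios/1.7.2", "asn": 47583, "result": "success"},
    {"user": "bob@example.invalid", "user_agent": "axios/1.8.0", "asn": 64496, "result": "failure"},
    {"user": "carol@example.invalid", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0",
     "asn": 207713, "result": "success"},
    {"user": "dave@example.invalid", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0",
     "asn": 64496, "result": "success"},
]

if __name__ == "__main__":
    for user, f in hunt(SAMPLE_SIGNINS).items():
        print(user, f["severity"], "; ".join(f["reasons"]))
```

Matching on user agent alone is weak evidence, since Axios is a legitimate library, which is why the ASN match carries the same weight as a listed UA and only the combination reaches high.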
Sources:
Entities:
- SolarWinds ARM
Attack Vector:
- Remote Code Execution, Directory Traversal, Authentication Bypass
Risk Impact:
- Unauthenticated attackers can gain SYSTEM privileges, perform arbitrary file deletions, and access sensitive information.
Detailed Description:
- SolarWinds has patched eight critical vulnerabilities in its Access Rights Manager (ARM) software.
- Six of these vulnerabilities allow for remote code execution (RCE) on unpatched systems, while three involve directory traversal flaws enabling file deletion and information disclosure.
- An additional high-severity authentication bypass vulnerability could allow unauthenticated attackers to gain domain admin access.
- These flaws were identified and reported by Trend Micro’s Zero Day Initiative. The vulnerabilities have severity scores of 9.6/10, highlighting their critical nature.
CVEs
Recommendations:
- Update SolarWinds Access Rights Manager to version 2024.3 immediately.
Sources:
Entities:
- Docker Engine (affected versions up to v27.1.0)
- Docker Desktop (up to version 4.32.0)
Attack Vector:
- Exploiting a specially crafted API request with Content-Length set to 0, which bypasses authorization plugins (AuthZ) in Docker Engine.
Risk Impact:
- Severity: Critical (CVSS score: 10.0)
- Allows unauthorized access and potential privilege escalation in Docker environments utilizing AuthZ plugins.
- Attackers could gain control over Docker instances, leading to data compromise or disruption of services.
Detailed Description:
- Initially fixed in Docker Engine v18.09.1 but reintroduced in subsequent versions, impacting versions up to v27.1.0.
- Identified in April 2024 after a 5-year period of potential exposure.
- The vulnerability arises from mishandling API requests with a zero-length body, which fails to properly enforce access controls through AuthZ plugins.
- Exploitation can lead to unauthorized actions within Docker containers or hosts, potentially compromising sensitive data or system integrity.
Recommendations:
- Immediate Action: Upgrade Docker Engine to patched versions 23.0.14 or 27.1.0, released on July 23, 2024.
- For Docker Desktop users, update to version 4.33.0 upon release, expected to resolve the vulnerability.
- Disable AuthZ plugins and restrict Docker API access to trusted entities if immediate update is not feasible.
Sources:
Entities:
- Okta Browser Plugin
- CVE-2024-0981
- Okta Personal
- Okta Workforce Identity Cloud
- Cross-site Scripting (XSS)
Attack Vector:
- Cross-site scripting vulnerability (XSS)
Risk Impact:
- Credential Theft: Exploitation of this vulnerability could lead to the theft of user credentials that are stored within Okta Personal. This includes potentially sensitive information such as usernames, passwords, and other authentication tokens.
- Cross-Site Scripting (XSS) Attacks: As a type of XSS vulnerability, attackers could inject malicious scripts into web pages viewed by users who have the vulnerable Okta Browser Plugin installed. This can lead to session hijacking, unauthorized actions on behalf of the user, or other malicious activities.
- User Privacy Violation: Users’ privacy can be compromised as their personal information stored within Okta Personal could be accessed and exfiltrated by malicious actors.
Detailed Description:
- The vulnerability allows malicious actors to execute scripts in the context of the Okta Browser Plugin, potentially compromising user credentials and sensitive data.
- This issue occurs when the plugin prompts the user to save these credentials within Okta Personal.
- If Okta Personal is not added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue.
Recommendations:
- Okta mitigated the issue in version 6.32.0 by implementing proper input validation and escaping mechanisms.
- Okta Admins can query for outdated plugin versions and prompt users to update to version 6.32.0 or newer to prevent exploitation.
Sources:
Entities:
- VMware ESXi, Active Directory
Attack Vector:
- Privilege Escalation
Risk Impact:
- Exploitation of this CVE allows an attacker to elevate privileges to full administrative access on a domain-joined ESXi hypervisor.
Detailed Description:
- On July 29, 2024 Microsoft published threat intelligence on observed exploitation of a new post-compromise technique, CVE-2024-37085.
- This is an authentication bypass vulnerability affecting VMware ESXi hypervisors, which has been identified in zero-day attacks by various ransomware operations to gain full administrative permissions.
- The technique for this attack includes running the following commands that result in the creation of a group named “ESX Admins” in the domain
- net group “ESX Admins” /domain /add
- net group “ESX Admins” username /domain /add
- Microsoft researchers have identified three methods for exploiting this vulnerability:
- Adding the “ESX Admins” group to the domain and adding a user to it
- Renaming any group in the domain to “ESX Admins” and adding a user to the group, or using an existing group member
- ESXi hypervisor privileges refresh
- Successful exploitation leads to full administrative access, which could allow threat actors to encrypt file systems of the hypervisor, or access hosted VMs for lateral movement or data exfiltration.
Recommendations:
- Install the latest updates released by VMware on all domain-joined ESXi hypervisors.
- If installing the software updates is not possible, follow the guidance provided by Microsoft:
- Validate the group “ESX Admins” exists in the domain and is hardened.
- Manually deny access by this group by changing settings in the ESXi hypervisor itself. If full admin access for the Active Directory ESX admins group is not desired, you can disable this behavior using the advanced host setting: ‘Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd’.
- Change the admin group to a different group in the ESXi hypervisor.
- Add custom detections in XDR/SIEM for the new group name.
- Configure sending ESXi logs to a SIEM system and monitor suspicious full administrative access.
SOC Response:
- The SOC has created an ATH rule to detect the known indicators related to the exploitation of CVE-2024-37085 that will be implemented globally for all XDR customers.
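The custom detection recommended above can be expressed over Windows Security events. The following is an added example (not the SOC's ATH rule and not Microsoft's detection logic) that flags creation of a group named “ESX Admins”, members added to such a group, and an existing group renamed to that name. The event IDs are standard Security log IDs: 4727/4731/4754 for creation of a global/local/universal security-enabled group, 4728/4732/4756 for a member added to one, and 4781 for an account name change. The event records are constructed and flattened; their field names are an assumption rather than the raw XML layout. Names are compared case-insensitively as a conservative choice.

```python
"""Detection of "ESX Admins" group activity tied to CVE-2024-37085 abuse.

Added example, not the SOC's rule or Microsoft's detection. Event IDs are the
standard Security log IDs; the records are constructed and the flattened field
names are an assumption.
"""

TARGET_GROUP = "esx admins"
GROUP_CREATED = {4727: "global", 4731: "local", 4754: "universal"}
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
ACCOUNT_RENAMED = 4781


def _norm(name) -> str:
    # Collapse whitespace and case so "ESX  Admins" or "esx admins" still match.
    return " ".join(str(name or "").split()).lower()


def detect(events: list) -> list:
    """Return one alert dict per suspicious event, in input order."""
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        if eid in GROUP_CREATED and _norm(ev.get("target_name")) == TARGET_GROUP:
            alerts.append({
                "rule": "esx-admins-group-created",
                "event_id": eid,
                "detail": f"{GROUP_CREATED[eid]} group '{ev.get('target_name')}' created by {ev.get('subject')}",
                "time": ev.get("time"),
            })
        elif eid in MEMBER_ADDED and _norm(ev.get("target_name")) == TARGET_GROUP:
            alerts.append({
                "rule": "esx-admins-member-added",
                "event_id": eid,
                "detail": f"{ev.get('member_name')} added to '{ev.get('target_name')}' by {ev.get('subject')}",
                "time": ev.get("time"),
            })
        elif eid == ACCOUNT_RENAMED and _norm(ev.get("new_target_name")) == TARGET_GROUP:
            alerts.append({
                "rule": "group-renamed-to-esx-admins",
                "event_id": eid,
                "detail": f"'{ev.get('old_target_name')}' renamed to '{ev.get('new_target_name')}' by {ev.get('subject')}",
                "time": ev.get("time"),
            })
    return alerts


# Constructed sample events (flattened from the Security log)
SAMPLE_EVENTS = [
    {"event_id": 4727, "time": "2024-07-29T10:01:00Z", "subject": "CORP\\svc-build",
     "target_name": "Build Agents"},
    {"event_id": 4727, "time": "2024-07-29T10:05:12Z", "subject": "CORP\\jdoe",
     "target_name": "ESX Admins"},
    {"event_id": 4728, "time": "2024-07-29T10:05:15Z", "subject": "CORP\\jdoe",
     "target_name": "ESX Admins", "member_name": "CORP\\jdoe"},
    {"event_id": 4781, "time": "2024-07-29T11:30:00Z", "subject": "CORP\\asmith",
     "old_target_name": "Print Operators Legacy", "new_target_name": "esx admins"},
    {"event_id": 4728, "time": "2024-07-29T12:00:00Z", "subject": "CORP\\hr-admin",
     "target_name": "HR Staff", "member_name": "CORP\\newhire"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["time"], a["rule"], "-", a["detail"])
```

Pair this with the advanced host setting named above: if `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd` is disabled, or the admin group is changed to a different name, the detection still catches the attempt while the hypervisor no longer honours it.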