In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.
Entities: VMware users, VMware vCenter Server and VMware Cloud Foundation
CVEs: CVE-2023-34048, CVE-2023-34056
Attack Vectors: A malicious actor with network access to vCenter Server can trigger an out-of-bounds write in its DCERPC service (CVE-2023-34048) without authenticating, potentially leading to remote code execution.
Impact: Unauthenticated remote code execution on vCenter Server (CVE-2023-34048), and partial information disclosure to a user who already holds non-administrative privileges on vCenter Server (CVE-2023-34056).
- On October 24, 2023, VMware released a Critical security advisory, VMSA-2023-0023, addressing security vulnerabilities found and resolved in VMware vCenter Server, which is present in VMware vSphere and Cloud Foundation products.
- VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048) – vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
- VMware vCenter Server Partial Information Disclosure Vulnerability (CVE-2023-34056) – vCenter Server contains a partial information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
- Apply the vCenter Server patches listed in VMSA-2023-0023 promptly. VMware states there is no in-product workaround, and because of the severity it has also published patches for the end-of-life vCenter Server 6.7U3 and 6.5U3 lines and for VCF 3.x. Until patched, restrict network access to vCenter Server's management interfaces to trusted administrative networks.
Entities: NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway)
Impact: Unauthenticated disclosure of appliance memory, including valid authentication session tokens, from vulnerable NetScaler ADC and NetScaler Gateway appliances; a stolen token lets an attacker hijack that user's session without knowing the password and without passing MFA.
- A proof-of-concept exploit was released for the ‘Citrix Bleed’ vulnerability (CVE-2023-4966), which allows attackers to retrieve authentication session cookies from vulnerable NetScaler ADC and NetScaler Gateway appliances.
- Citrix patched CVE-2023-4966 on October 10, 2023, but the security bulletin that addressed it gave few details about the flaw.
- Researchers at Assetnote have since published the exploitation method and a PoC exploit on GitHub for organizations that want to test their own exposure.
- ‘Citrix Bleed’ is an unauthenticated buffer over-read. The vulnerable code formats a response with ‘snprintf’ into a buffer that is too small, then uses snprintf's return value (the length the full output would have had, not the number of bytes actually written) as the length of data to send back, so the reply includes whatever memory follows the buffer.
- In that leaked memory, Assetnote consistently found a 32-65 byte hex string that is a session cookie; presenting that cookie to the appliance gives the attacker the corresponding user's authenticated session.
- Following the publication of Assetnote's PoC, threat monitoring services have reported spikes in exploitation attempts for this vulnerability.
- Review the Citrix security bulletin and deploy the patches immediately. Because session tokens that were already leaked remain valid after patching, Citrix also recommends terminating all active and persistent sessions once the fixed build is running (kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, kill aaa session -all, clear lb persistentSessions), and reviewing for sessions that were established before the patch.
- The SOC has searched our asset records, via XDR and MDR where that data is available, for the CVEs in this bulletin. Where we find a match we will contact you promptly to get it addressed.
- Please note that if we do not receive the data needed to reliably determine installed versions from your environment and the connectors integrated with us, you may be vulnerable without our being able to tell you.
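The log check below is an added example written for this bulletin; it is not Assetnote's PoC and not a Citrix tool. It flags requests that look like Citrix Bleed probing in a front-end proxy or WAF access log. It assumes the log records the request path and the length of the Host header (the constructed "hostlen=N" field below; NetScaler's own logs do not record that by default, so the log format here is invented for the example), and it keys on the OpenID discovery endpoint that Assetnote's public writeup abuses with an oversized Host header. The 1024-byte threshold is an assumption: a legitimate Host header is a hostname plus optional port, so anything in the kilobytes is hostile.

```shell
#!/bin/sh
# Added example, not from the bulletin or from Assetnote/Citrix: flag oversized
# Host headers against the NetScaler OpenID discovery endpoint in a proxy log.
# Log format (constructed for this example): timestamp client method path status hostlen=N

TARGET_PATH='/oauth/idp/.well-known/openid-configuration'

# Constructed sample log lines; two of them carry Host headers far too long to be real.
SAMPLE_LOG='2023-10-25T14:02:11Z 203.0.113.9 GET /oauth/idp/.well-known/openid-configuration 200 hostlen=24812
2023-10-25T14:02:12Z 198.51.100.4 GET /oauth/idp/.well-known/openid-configuration 200 hostlen=21
2023-10-25T14:02:13Z 203.0.113.9 GET /vpn/index.html 200 hostlen=21
2023-10-25T14:02:14Z 192.0.2.77 GET /oauth/idp/.well-known/openid-configuration 200 hostlen=4096'

# flag_citrix_bleed [MAX_HOST_LEN]: reads log lines on stdin and prints
# "timestamp client hostlen=N" for each request to the discovery endpoint whose
# Host header is longer than MAX_HOST_LEN bytes (assumed default 1024).
flag_citrix_bleed() {
    awk -v target="$TARGET_PATH" -v max="${1:-1024}" '
        $4 == target {
            split($6, kv, "=")
            if (kv[2] + 0 > max) print $1, $2, "hostlen=" kv[2]
        }'
}

# Usage against a real log: flag_citrix_bleed 1024 < /var/log/waf/access.log
# Demo on the constructed sample; prints the two oversized requests.
printf '%s\n' "$SAMPLE_LOG" | flag_citrix_bleed
```

Matches should be treated as exploitation attempts rather than scans: the same request that leaks memory is the one an attacker uses for real, so a hit against a then-unpatched appliance means the sessions active at that time should be considered stolen.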
Entities: Cisco IOS XE devices with the web UI (HTTP Server) feature exposed, threat actor, network administrators
Attack Vectors: The threat actor exploits two zero-day flaws to gain device access, create privileged local accounts, and deploy a Lua-based implant on Cisco IOS XE devices.
Impact: Thousands of compromised Cisco devices; unauthorized access, data exfiltration, and lateral movement within the network.
- Cisco IOS XE devices have been targeted by a threat actor chaining two zero-day exploits: CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2).
- The attacker uses CVE-2023-20198 to gain initial access through the web UI and create a local account with privilege level 15, then uses CVE-2023-20273 to elevate to root and write the Lua-based implant. The implant itself does not survive a reboot, but the attacker-created accounts do.
- Recent updates to the implant have made it harder to detect: the number of devices that answer the public check has dropped, which reflects evasion rather than remediation. A negative result from the check is therefore not proof that a device is clean.
- Cisco has provided a curl command to check for the presence of the implant (replace systemip with the device's management address):
- curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
- If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present. Also review the running configuration for unexpected local users (Cisco has observed the names cisco_tac_admin and cisco_support) and for the HTTP Server feature being enabled where it should not be.
- Administrators are advised to apply Cisco's security updates, to disable the HTTP Server feature on internet-facing systems until they are patched (no ip http server and no ip http secure-server, then save the configuration), and to perform thorough security assessments of their network.
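The script below is an added example for running Cisco's published check at scale; it is not Cisco's tooling and not from the original bulletin. It takes a file with one device address per line (an assumed input), sends Cisco's request to each, and classifies the reply. It assumes the web UI is reachable over HTTPS from where it runs, and it passes -k because most appliances present self-signed certificates.

```shell
#!/bin/sh
# Added example, not Cisco's tooling: run Cisco's implant check across a list of
# IOS XE devices and classify each reply. Only the Authorization header value and
# the URL path come from Cisco's published check; everything else is assumed.

AUTH_HEADER='Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb'

# is_implant_reply BODY: 0 if BODY is a bare hexadecimal string (what the implant
# answers, per Cisco); 1 for an empty body, an HTML page, or anything else.
is_implant_reply() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    [ -n "$body" ] || return 1
    printf '%s\n' "$body" | grep -Eq '^[0-9a-fA-F]+$'
}

# check_device HOST: prints "HOST IMPLANT", "HOST no-reply" or "HOST unreachable".
# "no-reply" means only that this variant of the check got no implant answer;
# it is not proof the device is clean (the implant has been updated to evade it).
check_device() {
    host=$1
    if body=$(curl -k -s --max-time 10 -H "$AUTH_HEADER" -X POST \
              "https://$host/webui/logoutconfirm.html?logon_hash=1"); then
        if is_implant_reply "$body"; then
            printf '%s IMPLANT\n' "$host"
        else
            printf '%s no-reply\n' "$host"
        fi
    else
        printf '%s unreachable\n' "$host"
    fi
}

# Usage: ./check_implant.sh --hosts devices.txt   (one IP or hostname per line)
case "${1:-}" in
    --hosts)
        while IFS= read -r host; do
            [ -n "$host" ] && check_device "$host"
        done < "$2"
        ;;
esac
```

Run it from a management host that is allowed to reach the devices' web UI; any device reported as IMPLANT should be isolated and its running configuration reviewed for the attacker-created accounts, which persist across the reboot that removes the implant.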
Entities: GNU C Library, Linux distributions (Debian, Ubuntu, Fedora)
Attack Vectors: A local attacker can exploit a buffer overflow (CVE-2023-4911) in the GNU C Library's dynamic loader, ld.so, which is triggered while the loader processes a malicious GLIBC_TUNABLES environment variable. Because ld.so runs before a SUID-root binary's own code, launching any such binary with the crafted variable set lets the attacker gain root privileges.
Impact: The CVE-2023-4911 vulnerability poses a significant threat to Linux systems running major distributions like Fedora, Ubuntu, and Debian. Proof-of-concept exploits are already available, and the ease of exploitation highlights the severity and widespread nature of the flaw.
- A buffer overflow known as ‘Looney Tunables’ in the GNU C Library's dynamic loader allows local attackers to gain root privileges on major Linux distributions. The bug was introduced in glibc 2.34 (April 2021), so every glibc release from 2.34 onward is affected unless patched.
- Proof-of-concept exploits have surfaced, emphasizing the urgent need for administrators to patch affected systems.
- The vulnerability affects widely used Linux platforms, including Fedora, Ubuntu, and Debian; distributions built on musl libc rather than glibc, such as Alpine Linux, are not affected.
- System administrators must promptly apply security updates and patches to mitigate the CVE-2023-4911 vulnerability.
- Prioritize patching systems running affected Linux distributions (Debian 12 and 13, Ubuntu 22.04 and 23.04, Fedora 37 and 38).
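The check below is an added example and is not from glibc, Qualys or any distribution's tooling. It wraps the reproducer Qualys published with its advisory: a SUID binary (su by default) is launched with a malformed GLIBC_TUNABLES value plus a large padding variable; a vulnerable ld.so crashes with SIGSEGV before the program runs, while a fixed loader ignores the bad tunable and the program runs normally. Nothing is escalated, the only effect is a segfaulting child process. The verdict strings and the choice of /usr/bin/su as default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor tooling: safe local check for CVE-2023-4911 using
# Qualys's published reproducer. Exit status 139 = 128 + 11 (SIGSEGV) from the
# child is the signature of the overflow in ld.so.

# verdict_from_exit STATUS: map the reproducer's exit status to a verdict.
# Anything other than a segfault (including "binary not found") is reported as
# NOT-VULNERABLE, so check stderr when the result looks surprising.
verdict_from_exit() {
    case "$1" in
        139) echo VULNERABLE ;;
        *)   echo NOT-VULNERABLE ;;
    esac
}

# run_tunables_probe [SUID_BINARY]: run Qualys's reproducer and print the exit
# status. env -i starts from an empty environment so only the two variables set
# here reach the loader; the oversized Z variable is the padding the reproducer needs.
run_tunables_probe() {
    bin=${1:-/usr/bin/su}
    [ -x "$bin" ] || { echo "no such executable: $bin" >&2; return 2; }
    pad=$(printf '%08192d' 1)
    rc=0
    env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=$pad" \
        "$bin" --help >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# glibc_version: installed glibc version, for the patch ticket.
glibc_version() { ldd --version 2>/dev/null | awk 'NR == 1 { print $NF }'; }

# Usage: ./looney_check.sh --run [/path/to/suid/binary]
case "${1:-}" in
    --run)
        rc=$(run_tunables_probe "${2:-/usr/bin/su}")
        printf 'glibc %s: reproducer exit %s -> %s\n' \
            "$(glibc_version)" "$rc" "$(verdict_from_exit "$rc")"
        ;;
esac
```

A VULNERABLE verdict means the loader on that host still has the bug regardless of the distribution's version string, which is the check that matters when backported fixes make version comparison unreliable.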
Entities: Citrix NetScaler Gateway login pages
Impact: This large-scale credential-harvesting campaign poses a significant risk to organizations, potentially leading to unauthorized access and data breaches.
- The campaign has been running since September and targets organizations whose NetScaler appliances have not been patched.
- Attackers exploit an unpatched NetScaler vulnerability to drop PHP web shells on the appliance and then modify its login page, inserting script that captures the credentials users submit. Because the tampered page is served by the legitimate appliance over its normal address and certificate, users see nothing unusual.
- Organizations using Citrix NetScaler devices should apply the necessary patches and updates immediately, and should also verify the integrity of the login page (look for script that Citrix did not ship, and for unexpected PHP files on the appliance), since patching alone does not remove a web shell or page modification that is already in place.
Entities: Microsoft Exchange Server, Windows Server (IIS Token Cache module)
Attack Vectors: Remote, unauthenticated attackers abusing the Windows IIS Token Cache module on unpatched Exchange servers to brute-force account passwords and escalate privileges.
Impact: Unauthenticated attackers could compromise Exchange servers and the accounts hosted on them.
- CVE-2023-21709 posed a severe risk to Microsoft Exchange Server: a network-based attacker could brute-force user account passwords without any user interaction and then log in as that user.
- Microsoft released Exchange security updates for it in August 2023, but the August fix also required administrators to manually remove the vulnerable Windows IIS Token Cache module, either by hand or with the CVE-2023-21709.ps1 script Microsoft provided.
- In October 2023 Microsoft moved the fix into Windows itself: the October Windows Server security updates address the module under CVE-2023-36434, which turns the mitigation into a normal patch rather than a manual module removal.
- Exchange administrators who removed the Windows IIS Token Cache module as part of the August mitigation should install the October Windows updates and then re-enable the module, either with the provided script's rollback option or with the PowerShell command New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll".
- Administrators who have not yet addressed CVE-2023-21709 should install the October 2023 security updates for Windows Server; once that update is applied, no manual module removal is needed.
Entities: curl command-line tool and libcurl
Attack Vectors: Heap-based buffer overflow in the SOCKS5 proxy handshake (CVE-2023-38545); cookie injection into a running program that uses libcurl (CVE-2023-38546).
Impact: Potential remote code execution (CVE-2023-38545); unintended cookies loaded into libcurl-based programs (CVE-2023-38546).
- CVE-2023-38545, rated High severity by the curl project, is a heap-based buffer overflow that could lead to code execution. It is triggered when curl talks to a SOCKS5 proxy with remote hostname resolution (a socks5h:// proxy) and is asked to connect to a hostname longer than 255 bytes, for example because a malicious HTTPS server redirects it to a specially crafted URL while curl is following redirects.
- The flaw is concerning because curl and libcurl are embedded in an enormous number of applications and devices, so vulnerable copies are widespread and reachable by remote servers.
- Exploitation does, however, require specific preconditions, which makes it less likely to be used in attacks.
- An attacker needs control over a hostname that curl will send through the proxy, either via a redirect or because an application passes attacker-supplied URLs to libcurl, and the client must be using a SOCKS5 proxy in remote-resolve mode with a slow enough handshake for the overflow to occur. Deployments that do not use a SOCKS5 proxy are not affected by this flaw.
- The second flaw, CVE-2023-38546 (Low severity), allows an attacker to insert cookies into a running program that uses libcurl when a specific series of conditions is met.
- Developers and system administrators should update to curl 8.4.0, which fixes both issues; CVE-2023-38545 affects curl and libcurl versions 7.69.0 through 8.3.0.
- The fix makes curl return an error, instead of silently switching to local name resolution, when it meets a hostname too long for the SOCKS5 protocol, which removes the path to the heap-based buffer overflow.
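The triage script below is an added example and is not part of the curl project. It answers the two questions that decide exposure to CVE-2023-38545 on a host: is the installed curl in the affected range (7.69.0 through 8.3.0), and is anything in the environment sending curl through a SOCKS5 proxy with remote name resolution (socks5h://), the only mode in which the overflow is reachable. The proxy variables checked are the ones curl itself honours (lowercase http_proxy only; curl deliberately ignores the uppercase form). Applications that set a proxy in code through libcurl will not show up here, so a negative proxy result only means "not configured via the environment".

```shell
#!/bin/sh
# Added example, not curl project tooling: triage a host for CVE-2023-38545.

# vercmp A B: prints -1, 0 or 1 comparing dotted version strings numerically;
# missing components count as 0, so "8.4" equals "8.4.0".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# curl_version_affected VERSION: 0 if VERSION is in 7.69.0 .. 8.3.0 inclusive
# (the affected range from the curl advisory).
curl_version_affected() {
    [ "$(vercmp "$1" 7.69.0)" -ge 0 ] && [ "$(vercmp "$1" 8.3.0)" -le 0 ]
}

# proxy_url_is_socks5h URL: 0 if URL selects SOCKS5 with remote hostname
# resolution. Plain socks5:// (local resolution) never reaches the vulnerable path.
proxy_url_is_socks5h() {
    case "$1" in
        socks5h://*) return 0 ;;
        *)           return 1 ;;
    esac
}

# socks5h_proxy_in_env: 0 if any proxy variable curl honours points at socks5h://.
socks5h_proxy_in_env() {
    for url in "${ALL_PROXY:-}" "${all_proxy:-}" "${HTTPS_PROXY:-}" \
               "${https_proxy:-}" "${http_proxy:-}"; do
        if proxy_url_is_socks5h "$url"; then return 0; fi
    done
    return 1
}

# installed_curl_version: second word of "curl --version"'s first line.
installed_curl_version() { curl --version 2>/dev/null | awk 'NR == 1 { print $2 }'; }

# Usage: ./curl_triage.sh --run
case "${1:-}" in
    --run)
        ver=$(installed_curl_version)
        if curl_version_affected "$ver"; then
            echo "curl $ver: affected by CVE-2023-38545, upgrade to 8.4.0 or later"
        else
            echo "curl $ver: not in the affected range"
        fi
        if socks5h_proxy_in_env; then
            echo "socks5h:// proxy configured in the environment: exposure is real until upgraded"
        else
            echo "no socks5h:// proxy in the environment (check libcurl settings inside applications separately)"
        fi
        ;;
esac
```

Version matching is only half the answer on distributions that backport fixes under the old version number; for those, the package changelog for the curl or libcurl package is the authoritative source.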
Entities: U.S. Cybersecurity and Infrastructure Security Agency (CISA)
Attack Vectors: Ransomware attacks targeting critical infrastructure organizations
Impact: Increased risk of ransomware attacks on critical infrastructure
- CISA’s Ransomware Vulnerability Warning Pilot (RVWP) program, launched in March, has introduced two new resources to assist organizations in identifying and addressing security weaknesses often targeted by ransomware attackers.
- The first resource is an expansion of the Known Exploited Vulnerabilities catalog, which now includes a section dedicated to vulnerabilities frequently exploited in ransomware campaigns. CISA maintains a list of over 1,000 vulnerabilities with proven in-the-wild exploitation, many of which have been leveraged in ransomware incidents.
- The second resource is a table on the StopRansomware project's website, outlining the misconfigurations and weaknesses commonly targeted by ransomware operators. The table also maps each entry to the Cross-Sector Cybersecurity Performance Goal (CPG) actions organizations can take as mitigations or compensating controls.
- CISA encourages all organizations to utilize these new resources to enhance their cybersecurity posture and reduce the risk of falling victim to ransomware attacks.
- Critical infrastructure entities are specifically encouraged to enroll in CISA's free Cyber Hygiene vulnerability scanning service, which is how the RVWP program notifies organizations of exposed vulnerabilities that ransomware actors are exploiting.