Threat Bulletin | October 6

In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.

Threat 1: Google Corrects Disclosure for Critical WebP 0-Day Vulnerability

Sources:

Affected Entities: Google, libwebp

Attack Vectors: Code execution via specially crafted WebP images.

Impact: Attackers can execute malicious code when users view a manipulated WebP image.

Detailed Description:

  • Google has taken corrective action regarding a critical code-execution vulnerability related to the libwebp code library.  
  • Initially, Google’s disclosure, identified as CVE-2023-4863, inaccurately indicated that only the Chrome browser was affected, while in reality, any software utilizing libwebp was potentially at risk.  
  • This incomplete disclosure led to concerns about delays in addressing the vulnerability, which could be exploited by attackers when users viewed manipulated WebP images. 
  • In response to this incomplete disclosure, Google has resubmitted a new disclosure, CVE-2023-5129, which accurately identifies libwebp as the affected vendor and software.  
  • The severity rating of the vulnerability has been raised to 10, highlighting its critical nature.  
  • The vulnerability allows attackers to execute malicious code through manipulated WebP images.

Recommendation:

  • Users and organizations should verify the versions of Electron they are using and ensure they are on v22.3.24, v24.8.3, or v25.8.1 to mitigate the risk associated with this vulnerability.
  • Additionally, promptly apply patches and updates provided by software vendors to address this critical issue.

Threat 2: Urgent Update Required for GitLab Users Due to Critical Flaw

Sources:

Affected Entities: GitLab Patch, Threat Actors

Attack Vectors: Bypass of scheduled security scan policies

Impact: Unauthorized users can compromise private repositories.

Detailed Description:

  • GitLab users are advised to take immediate action to update their servers due to a critical flaw, CVE-2023-5009, which can enable unauthorized users to manipulate pipelines and compromise private repositories.  
  • This vulnerability is associated with scheduled security scan policies and represents a bypass of a previously patched bug from July (CVE-2023-3932).  
  • Users are strongly advised to promptly upgrade their installations to the latest version to mitigate this security risk.

Recommendation:

  • GitLab users should update their servers to version 16.3.4 or 16.2.7 as soon as possible.
  • For versions before 16.2, which are no longer supported, users can reduce exposure by disabling one or both of the direct file transfer and security policy features.

Threat 3: Apple Emergency Updates Fix 3 New Zero-Days Exploited in Attacks

Sources:

Affected Entities: iPhone and Mac Users

Attack Vectors: Exploitation via malicious apps, crafted webpages, and local privilege escalation

Impact: Significant – Potential for arbitrary code execution and privilege escalation, active exploitation observed

Detailed Description:

  • Apple has issued emergency security updates to mitigate three zero-day vulnerabilities exploited in attacks targeting its iPhone and Mac users.  
  • These vulnerabilities, reported by reputable security researchers, have raised concerns due to their potential for malicious activities. 
  • The identified vulnerabilities include one in the WebKit browser engine (CVE-2023-41993) and one in the Security framework (CVE-2023-41991), allowing attackers to bypass signature validation and execute arbitrary code.
  • The third vulnerability (CVE-2023-41992) resides in the Kernel Framework, enabling local attackers to escalate privileges.

Recommendation:

  • Immediately apply the security updates provided by Apple to all affected devices to address these vulnerabilities.
  • Encourage users to exercise caution when downloading and installing apps or visiting websites, especially from untrusted sources.

Threat 4: Critical Vulnerability in JetBrains TeamCity Could Expose Source Code and Build Pipelines to Potential Attacks

Sources:

Affected Entities: JetBrains TeamCity Flaw, CVE-2023-42793

Attack Vectors: Remote code execution vulnerability in JetBrains TeamCity

Impact: Exploiting this vulnerability could lead to unauthorized access to source code, service secrets, private keys, control over build agents, and potential integrity breaches in build pipelines.

Detailed Description:

  • The critical vulnerability in JetBrains TeamCity, CVE-2023-42793, has been discovered and responsibly disclosed. This flaw carries a high CVSS score of 9.8.  
  • Exploiting the vulnerability could grant attackers unauthorized access to sensitive information, such as source code and private keys. It also allows attackers to take control of build agents and inject arbitrary code into build pipelines, potentially leading to integrity breaches and supply chain compromises. 
  • The severity of the vulnerability is highlighted by the fact that it is considered trivial to exploit, raising concerns that threat actors may attempt to exploit it in the wild. 
  • JetBrains has promptly addressed this issue in TeamCity version 2023.05.4 and recommends users upgrade to this version as soon as possible.  
  • A security patch plugin has been released for TeamCity versions 8.0 and above to address this vulnerability specifically.

Recommendation:

Threat 5: Google Addresses Fifth Actively Exploited Chrome Zero-Day of 2023

Sources:

Affected Entities: Google Chrome

Attack Vectors: Exploited vulnerability in Google Chrome

Impact: Potential compromise of user systems through arbitrary code execution, particularly targeting high-risk individuals

Detailed Description:

  • Google has taken swift action to patch the CVE-2023-5217 zero-day vulnerability in Google Chrome, which has been exploited in real-world attacks.  
  • The vulnerability is characterized by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library.  
  • This flaw can result in various impacts, including application crashes and arbitrary code execution. 
  • Google's Threat Analysis Group (TAG) has confirmed that this particular zero-day was used to install spyware. However, Google has not disclosed specific details about the incidents or the threat actors behind them.
  • This is the fifth actively exploited Chrome zero-day vulnerability patched by Google in 2023, emphasizing the importance of prompt updates to ensure user security.

Recommendation:

Threat 6: Security Vulnerabilities in Cisco Catalyst SD-WAN Manager Enable Remote Server Access

Sources:

Affected Entities: Cisco Catalyst SD-WAN Manager

Attack Vectors: Specially crafted requests to the SAML APIs of Catalyst SD-WAN Manager (CVE-2023-20252); further flaws in configuration rollback, Elasticsearch access control, session management, and the SSH service

Impact: Unauthorized access, user impersonation, data access/modification/deletion, service disruption (CVE-2023-20252); Configuration rollback, information disclosure, authorization bypass, Denial of Service (DoS) attacks (Other CVEs)

Detailed Description:

  • Cisco has disclosed five vulnerabilities in its Catalyst SD-WAN Manager product.  
  • The most severe of these is CVE-2023-20252, which allows unauthenticated, remote access to the server through specially crafted requests targeting SAML APIs.  
  • Exploiting this vulnerability can result in unauthorized access to the application and pose significant risks, including user impersonation, unauthorized data manipulation, and service disruption. 
  • Additionally, there are four other vulnerabilities, CVE-2023-20253, CVE-2023-20034, CVE-2023-20254, and CVE-2023-20262, with varying degrees of severity.  
  • These vulnerabilities relate to unauthorized configuration rollback, information disclosure in Elasticsearch access control, authorization bypass in the session management system, and a Denial of Service (DoS) vulnerability in the SSH service.

Recommendation:

  • Urgent Action Required: Immediately upgrade to the patched release versions provided by Cisco to mitigate the risks associated with these vulnerabilities.

Threat 7: Cisco Alerts About Vulnerability in IOS and IOS XE Software Following Exploitation Attempts

Sources:

Affected Entities: Cisco, IOS Software, IOS XE Software

Attack Vectors: Authenticated remote attacker, Group Domain of Interpretation (GDOI), G-IKEv2 protocols

Impact: Remote code execution, device crash.

Detailed Description:

  • Cisco has identified a medium-severity vulnerability, CVE-2023-20109, affecting all versions of its IOS Software and IOS XE Software that have the GDOI or G-IKEv2 protocol enabled.  
  • This vulnerability permits an authenticated remote attacker with administrative control to potentially achieve remote code execution on the affected systems.  
  • Alternatively, it could lead to a complete device crash. 
  • The root cause of this vulnerability lies in the insufficient validation of attributes within the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols, specifically within the GET VPN feature.  
  • Threat actors can exploit this weakness by compromising an installed key server or modifying the configuration of a group member to point to a key server under their control. 
  • Cisco discovered this vulnerability during an internal investigation prompted by an attempted exploitation of the GET VPN feature.

Recommendation:

  • Immediate Patching: Organizations using affected versions of IOS Software and IOS XE Software with the GDOI or G-IKEv2 protocol enabled should promptly apply the provided patches to mitigate the risk of exploitation.
  • Customers should determine their exposure to these vulnerabilities by using the provided Cisco Software Checker.

Threat 8: Microsoft Edge, Teams, and Skype Receive Emergency Security Updates for Zero-Day Vulnerabilities in Open-Source Libraries

Sources:

Affected Entities: Microsoft Edge, Teams, Skype, WebP, libwebp

Attack Vector: Heap buffer overflow weaknesses in WebP and VP8 encoding libraries, exploited in the wild

Risk Impact: The vulnerabilities could lead to crashes and arbitrary code execution, impacting Microsoft Edge, Teams, Skype, and associated extensions and apps. Potential for espionage and data breaches.

Detailed Description:

  • Microsoft has released emergency security updates to fix two critical zero-day vulnerabilities in open-source libraries utilized by Microsoft Edge, Teams, Skype, and associated extensions.  
  • These vulnerabilities, CVE-2023-4863 and CVE-2023-5217, both involve heap buffer overflow weaknesses in the libwebp and libvpx libraries, respectively. 
  • These flaws have already been exploited in the wild, highlighting the urgency of patching affected products.

Recommendations:

Threat 9: Actively Exploited Zero-Day Vulnerability in Atlassian Confluence - Urgent Patch Required

Sources:

Affected Entities: Atlassian Confluence Zero-Day Vulnerability

IOCs:

  • unexpected members of the confluence-administrator group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

Attack Vector: Remote exploitation leading to unauthorized Confluence administrator account creation and server access.

Risk Impact: The vulnerability affects publicly accessible Confluence Data Center and Server instances, allowing external attackers to compromise systems. It does not impact versions before 8.0.0 or Confluence sites accessed via an atlassian.net domain.

Detailed Description:

  • Atlassian has urgently addressed a zero-day vulnerability impacting Confluence Data Center and Server instances, allowing remote attackers to create unauthorized administrator accounts and access servers.
  • The affected versions are 8.0.0 and later.
  • Confluence sites accessed via atlassian.net domains are not vulnerable.
  • Atlassian has provided patches for affected versions 8.3.3 or later, 8.4.3 or later, and 8.5.2 (Long Term Support release) or later.

Recommendations:

  • Immediately apply the provided security patches if using affected versions of Confluence. 
  • If unable to apply patches, restrict external network access to affected instances. 
  • Mitigate known attack vectors by blocking access to /setup/* endpoints on Confluence instances, either at the network layer or by adjusting Confluence configuration files. 
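
One way to hunt for the IOCs listed above in web access logs and in atlassian-confluence-security.log, as an added example that is not part of the bulletin or of Atlassian's own tooling; the log lines are constructed, and the security-log message format is an assumption (only the endpoint path in the exception message matters):

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.12 - - [04/Oct/2023:10:14:50 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Oct/2023:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Oct/2023:10:15:11 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Oct/2023:10:16:30 +0000] "GET /setup/finishsetup.action HTTP/1.1" 200 1200 "-" "curl/8.0"',
    '10.0.0.12 - - [04/Oct/2023:10:17:00 +0000] "GET /setup/static/logo.png HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

# Constructed lines standing in for atlassian-confluence-security.log; the
# exact message format is an assumption, only the path in the exception matters.
SAMPLE_SECURITY_LOG = [
    "2023-10-04 10:15:11,301 WARN [http-nio-8090-exec-3] SetupCheck - Exception: request to /setup/setupadministrator.action rejected",
    "2023-10-04 10:20:00,000 INFO [http-nio-8090-exec-1] Login - user jdoe logged in",
]

# Combined-log-format fields we need: client IP, timestamp, method, path, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any request to /setup/<something>.action, ignoring a trailing query string.
SETUP_ACTION_RE = re.compile(r"^/setup/[^?\s]*\.action")

def find_setup_requests(lines):
    """Return (ip, ts, method, path, status) for every /setup/*.action request."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and SETUP_ACTION_RE.match(m.group("path")):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         m.group("path"), int(m.group("status"))))
    return hits

def find_setupadministrator_exceptions(lines):
    """Return security-log lines whose exception message names the setup endpoint."""
    return [l for l in lines
            if "Exception" in l and "/setup/setupadministrator.action" in l]

def group_by_source(hits):
    """Group matched paths by client IP so each source can be triaged as a unit."""
    by_ip = defaultdict(list)
    for ip, _ts, _method, path, _status in hits:
        by_ip[ip].append(path)
    return dict(by_ip)
```

Any hit from an external address, and any 302 on setupadministrator.action, should be cross-checked against the confluence-administrator group membership and recently created accounts named in the IOCs above.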

Threat 10: Cisco Emergency Responder (CER) Vulnerability – Hard-Coded Root Credentials Fixed

Sources:

Affected Entities: Cisco Emergency Responder (CER) Vulnerability

Attack Vector: Unauthenticated attackers exploit hard-coded root credentials to gain unauthorized access.

Risk Impact: The vulnerability allows attackers to log into unpatched CER systems with root privileges, potentially executing arbitrary commands. It affects CER version 12.5(1)SU4.

Detailed Description:

  • The CVE-2023-20101 vulnerability in Cisco Emergency Responder (CER) impacts version 12.5(1)SU4.  
  • It allows unauthenticated attackers to log in with hard-coded root credentials, potentially executing arbitrary commands.  
  • Cisco’s internal security testing identified this flaw, and there is no evidence of public disclosures or malicious exploitation at this time.  
  • No temporary workarounds are available, making immediate patching crucial.

Recommendations:

Threat 11: SSH Key Theft via Malicious npm and PyPI Packages

Sources:

Affected Entities: Malicious PyPI and npm packages

IOCs: Malicious npm and PyPI packages mentioned in Phylum's report

Attack Vectors: Malicious packages published to npm and PyPI that imitate legitimate packages and steal developer data, including SSH keys and Kubernetes configurations

Risk Impact: Developers using npm and PyPI are at risk of having sensitive information stolen, including SSH keys, machine details, and Kubernetes configurations. This information could lead to unauthorized access, data breaches, or even ransomware attacks.

Detailed Description:

  • A continuous stream of malicious npm and PyPI packages has been identified, posing a significant threat to software developers.  
  • These packages initially imitated legitimate ones and have evolved rapidly, with code modifications to enhance stealth.  
  • The attackers have conducted multiple waves of attacks, each with specific enhancements. 
  • The stolen information comprises machine and user details, SSH keys, and Kubernetes configurations.  
  • This data could potentially provide unauthorized access to systems and infrastructure, enabling attackers to launch further attacks or data breaches.

Recommendations:

  • Exercise Caution: Developers should exercise caution when downloading and installing packages from npm and PyPI. Verify the authenticity and legitimacy of packages, especially those that resemble popular ones. 
  • Update Packages: Regularly update packages to ensure you use the latest, secure versions. Check for any unusual behavior or unexpected data collection by packages.