Schedule a Demo

BLOG

Threat Bulletin | September 22

In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.

Threat 1: Vulnerabilities in Apache SuperSet Expose Servers to Remote Code Execution Attacks

Sources:

 

Affected Entities: Apache SuperSet

 

Attack Vector: Remote code execution through Superset’s metadata database

 

Risk Impact: These vulnerabilities could lead to unauthorized control of Apache SuperSet systems, potentially resulting in data breaches or malicious code execution.

 

Detailed Description: 

  • Apache SuperSet has released patches to address critical vulnerabilities (CVE-2023-39265 and CVE-2023-37941) that could allow attackers to achieve remote code execution by exploiting the metadata database.
  • In addition, another issue (CVE-2023-36388) allowing low-privilege users to carry out server-side request forgery (SSRF) attacks has been remediated in the latest version. 
  • CVE-2023-39265 involves a URI bypass when connecting to the SQLite database used for the metastore, enabling attackers to execute data manipulation commands. It also includes a lack of validation when importing SQLite database connection information from a file, which could be abused to import a maliciously crafted ZIP archive file. 
  • CVE-2023-37941 involves an attacker gaining write access to the Apache Superset metadata database. They could then introduce a specifically crafted Python object that may lead to remote code execution on Superset’s web backend. 
  • These vulnerabilities could lead to significant security risks if not promptly addressed. 

 

Recommendations:

  • Organizations using Apache SuperSet should update to version 2.1.1 or later to mitigate these vulnerabilities. 
  • Additionally, users should review and secure their configuration settings, ensuring that default or weak credentials are not in use. 
Threat 2: Mac Users Cautioned: Malvertising Campaign Spreads Atomic Stealer macOS Malware

Sources:

 

Affected Entities: Mac Users, Atomic Stealer Malware, Malvertising Campaign

 

Attack Vectors: Malvertising via Google Ads, Fake TradingView website

 

Risk Impact: Mac users risk falling victim to malvertising campaigns, potentially leading to the theft of sensitive data and the compromise of macOS systems.

 

Detailed Description: 

  • A malvertising campaign actively distributes an updated version of the macOS stealer malware, Atomic Stealer (AMOS).  
  • Mac users are at risk as they may be exposed to fake ads when searching for popular software, potentially compromising their systems and data theft. 
  • Users are redirected to rogue websites hosting malicious installers. 
  • For example, a fraudulent TradingView website features download buttons for Windows, macOS, and Linux software versions. While the Windows and Linux buttons lead to an MSIX installer dropping NetSupport RAT, the macOS button leads to the macOS payload (“TradingView.dmg”), a new version of Atomic Stealer.

 

Recommendations:

  • Mac users should exercise caution when encountering ads for software downloads and ensure they only download software from official sources.  
  • Keeping macOS and security software up to date is essential for protection against such threats. 

 

SOC Response: The SOC has created a custom ATH rule for all customers based on the currently known IoC’s related to this threat.

Threat 3: Apple Zero-Click iMessage Exploit Deploys Spyware on iPhones

Sources:

 

Affected Entities: iPhone users 

 

Attack Vector: Zero-click exploit chain via iMessage with malicious images.

 

Risk Impact: iPhone users compromised with spyware.

 

Detailed Description: 

  • Apple’s emergency security updates were prompted by discovering two zero-day vulnerabilities, CVE-2023-41064 and CVE-2023-41061, found in the Image I/O and Wallet frameworks.  
  • These vulnerabilities allowed attackers to execute arbitrary code on fully-patched iPhones running iOS 16.6 when victims received PassKit attachments containing malicious images via iMessage.  
  • This zero-click attack posed a significant threat to the security and privacy of iPhone users. 

 

 Recommendations:

  • Update Immediately: Apple users are strongly advised to update their devices promptly to the latest available versions of iOS, iPadOS, macOS, and watchOS to patch these vulnerabilities. 
  • https://support.apple.com/en-us/HT201222 
  • Enable Lockdown Mode: Individuals at risk of targeted attacks, especially those based on their identity or profession, should consider enabling Lockdown Mode for added security. 
Threat 4: Cisco Issues Patch for Authentication Bypass Bug Affecting BroadWorks Platform

Sources:

 

Affected Entities: Cisco, BroadWorks Application Delivery Platform

 

Attack Vectors: Remote authentication bypass.

 

Risk Impact: Unauthorized system access, Denial of Service (DoS), Information exposure.

 

Detailed Description: 

  • Cisco has urgently addressed multiple security flaws, including a critical authentication bypass (CVE-2023-20238) in BroadWorks platforms, enabling unauthorized access.  
  • It’s described as an authentication bypass flaw in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. 
  • Successful exploitation of the vulnerability — a weakness in the single sign-on (SSO) implementation discovered during internal testing — could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system.

 

Recommendations:

Threat 5: Google Releases Patch for Chrome Zero-Day Bug Exploited in the Wild

Sources:

 

Affected Entities: Google, Chrome Browsers, Zero-day

 

Risk Impact: Impact ranges from browser Crashes to arbitrary code execution.

 

Detailed Description: 

  • Google has released an emergency security update to address a critical zero-day vulnerability, CVE-2023-4863, in the Chrome web browser.  
  • The vulnerability, caused by a WebP heap buffer overflow, can result in various consequences, including browser crashes and the potential execution of arbitrary code.  
  • Although actively exploited in the wild, specific details about the attacks remain undisclosed by Google. 

 

Recommendations:

  • Update Chrome: Users are strongly advised to update their Google Chrome web browsers to version 116.0.5845.187 (Mac and Linux) and 116.0.5845.187/.188 (Windows) immediately to patch the CVE-2023-4863 vulnerability. 
Threat 6: Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws Severity: Critical

Sources:

 

Affected Entities: Microsoft Patch

 

Attack Vectors: Exploitation of Microsoft Word and Streaming Service Proxy vulnerabilities. 

 

Risk Impact: Disclosure of NTLM hashes, Disclosure of sensitive information, Elevation of Privilege to SYSTEM.

 

Detailed Description: 

  • Microsoft’s latest software update addresses 59 vulnerabilities across its product portfolio, with five rated as Critical, 55 as Important, and one as Moderate in severity.  
  • Notably, two zero-day vulnerabilities are actively being exploited by unknown threat actors: 
    • CVE-2023-36761 (CVSS score: 6.2) – Microsoft Word Information Disclosure Vulnerability: This vulnerability could allow the disclosure of NTLM hashes, even by merely previewing a malicious Word document. 
    • CVE-2023-36802 (CVSS score: 7.8) – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability: Exploiting this vulnerability could grant an attacker SYSTEM privileges. 
  • In addition to these zero-days, other noteworthy vulnerabilities include remote code execution flaws in Internet Connection Sharing, Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML, and Microsoft Exchange Server. Elevation of privilege issues affects Windows Kernel, Windows GDI, Windows Common Log File System Driver, and Office, among others. 

 

Recommendations:

Threat 7: Users urged to update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability

Sources:

 

Affected Entities: Adobe Acrobat and Reader

 

Attack Vector: Exploitation of critical vulnerabilities in Adobe Acrobat and Reader and cross-site scripting flaws in Adobe Connect and Adobe Experience Manager.

 

Risk Impact: Execution of malicious code on susceptible systems

 

Detailed Description: 

  • Adobe’s September 2023 update includes critical patches to address actively exploited vulnerabilities in its Acrobat and Reader software.
  • The main concern is CVE-2023-26369, a critical vulnerability rated at 7.8 in severity, affecting various versions of Acrobat and Reader on both Windows and macOS.  
  • Successful exploitation of this flaw could enable attackers to execute malicious code through specially crafted PDF documents. 
  • Adobe has confirmed limited attacks exploiting this vulnerability. 
  • Additionally, Adobe has patched two cross-site scripting vulnerabilities in Adobe Connect and Adobe Experience Manager, which could potentially lead to arbitrary code execution. 

 

Recommendations:

Threat 8: Mozilla Rushes to Fix Critical Zero-Day Exploit in Firefox and Thunderbird's WebP Vulnerability

Sources:

 

Affected Entities: Mozilla, Firefox and Thunderbird

 

Attack Vector: Exploitation of a critical heap buffer overflow flaw in the WebP image format in Firefox and Thunderbird Risk

 

Risk Impact: Arbitrary code execution

 

Detailed Description: 

  • Mozilla has urgently patched a critical zero-day vulnerability (CVE-2023-4863) in Firefox and Thunderbird, which was actively exploited in the wild.  
  • The flaw is a heap buffer overflow issue in the WebP image format, potentially leading to arbitrary code execution when processing maliciously crafted images.  
  • This poses a significant security threat, allowing remote attackers to perform out-of-bounds memory writes through crafted HTML pages.  
  • The vulnerability has been addressed in various Mozilla products. 

 

Recommendations:

Threat 9: Numerous Juniper Devices Susceptible to an Unauthenticated RCE Bug

Sources:

 

Affected Entities: Juniper devices

 

Attack Vector: Exploitation of unauthenticated RCE vulnerability.

 

Risk Impact: Remote code execution, exposure of sensitive data, network compromise.

 

Detailed Description: 

  • An estimated 12,000 Juniper SRX firewalls and EX switches are exposed to a critical remote code execution (RCE) vulnerability.  
  • Initially categorized as medium severity when disclosed by Juniper, this vulnerability (CVE-2023-36845) has now been demonstrated to allow attackers to achieve RCE without uploading files.  
  • Chained with other vulnerabilities (‘PHP environment variant manipulation’ (CVE-2023-36844/CVE-2023-36845) and ‘Missing Authentication for Critical Function’ (CVE-2023-36846/CVE-2023-36847)), it can have a significant impact, with a CVSS rating of 9.8. 
  • Security researcher Jacob Baines recently released a proof of concept (PoC) that exploits CVE-2023-36845, highlighting its potential severity.  
  • A free scanner on GitHub has identified thousands of vulnerable devices on the internet, indicating the widespread risk. 
  • The impact of this security issue is more severe than initially assessed, and immediate remediation is essential to prevent unauthorized remote code execution. 

 

Recommendations:

21 Goodway Drive, Suite L4
Rochester, NY 14623
P: 877.729.3527
E: [email protected]

Facebook-f Linkedin Youtube

Channel Futures MSP 501 Winner| MSSP Alert Top 250 MSSP Winner| Inc. Regionals Northeast Winner| Inc. 5000 Winner

© 2024 CyFlare
| All Rights Reserved | Legal | Accessibility

Website Developed by Mason Digital