In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.
Affected Entities: Apache SuperSet
Attack Vector: Remote code execution through Superset’s metadata database
Risk Impact: These vulnerabilities could lead to unauthorized control of Apache SuperSet systems, potentially resulting in data breaches or malicious code execution.
- Apache SuperSet has released patches to address critical vulnerabilities (CVE-2023-39265 and CVE-2023-37941) that could allow attackers to achieve remote code execution by exploiting the metadata database.
- In addition, another issue (CVE-2023-36388) allowing low-privilege users to carry out server-side request forgery (SSRF) attacks has been remediated in the latest version.
- CVE-2023-39265 involves a URI bypass when connecting to the SQLite database used for the metastore, enabling attackers to execute data manipulation commands. It also includes a lack of validation when importing SQLite database connection information from a file, which could be abused to import a maliciously crafted ZIP archive file.
- CVE-2023-37941 involves an attacker gaining write access to the Apache Superset metadata database. They could then introduce a specifically crafted Python object that may lead to remote code execution on Superset’s web backend.
- These vulnerabilities could lead to significant security risks if not promptly addressed.
- Organizations using Apache SuperSet should update to version 2.1.1 or later to mitigate these vulnerabilities.
- Additionally, users should review and secure their configuration settings, ensuring that default or weak credentials are not in use.
Affected Entities: Mac Users, Atomic Stealer Malware, Malvertising Campaign
Attack Vectors: Malvertising via Google Ads, Fake TradingView website
Risk Impact: Mac users risk falling victim to malvertising campaigns, potentially leading to the theft of sensitive data and the compromise of macOS systems.
- A malvertising campaign actively distributes an updated version of the macOS stealer malware, Atomic Stealer (AMOS).
- Mac users are at risk as they may be exposed to fake ads when searching for popular software, potentially compromising their systems and data theft.
- Users are redirected to rogue websites hosting malicious installers.
- For example, a fraudulent TradingView website features download buttons for Windows, macOS, and Linux software versions. While the Windows and Linux buttons lead to an MSIX installer dropping NetSupport RAT, the macOS button leads to the macOS payload (“TradingView.dmg”), a new version of Atomic Stealer.
- Mac users should exercise caution when encountering ads for software downloads and ensure they only download software from official sources.
- Keeping macOS and security software up to date is essential for protection against such threats.
SOC Response: The SOC has created a custom ATH rule for all customers based on the currently known IoC’s related to this threat.
Affected Entities: iPhone users
Attack Vector: Zero-click exploit chain via iMessage with malicious images.
Risk Impact: iPhone users compromised with spyware.
- Apple’s emergency security updates were prompted by discovering two zero-day vulnerabilities, CVE-2023-41064 and CVE-2023-41061, found in the Image I/O and Wallet frameworks.
- These vulnerabilities allowed attackers to execute arbitrary code on fully-patched iPhones running iOS 16.6 when victims received PassKit attachments containing malicious images via iMessage.
- This zero-click attack posed a significant threat to the security and privacy of iPhone users.
- Update Immediately: Apple users are strongly advised to update their devices promptly to the latest available versions of iOS, iPadOS, macOS, and watchOS to patch these vulnerabilities.
- Enable Lockdown Mode: Individuals at risk of targeted attacks, especially those based on their identity or profession, should consider enabling Lockdown Mode for added security.
Affected Entities: Cisco, BroadWorks Application Delivery Platform
Attack Vectors: Remote authentication bypass.
Risk Impact: Unauthorized system access, Denial of Service (DoS), Information exposure.
- Cisco has urgently addressed multiple security flaws, including a critical authentication bypass (CVE-2023-20238) in BroadWorks platforms, enabling unauthorized access.
- It’s described as an authentication bypass flaw in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform.
- Successful exploitation of the vulnerability — a weakness in the single sign-on (SSO) implementation discovered during internal testing — could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system.
- Apply the available security fixes listed in the following security advisory immediately:
Affected Entities: Google, Chrome Browsers, Zero-day
Risk Impact: Impact ranges from browser Crashes to arbitrary code execution.
- Google has released an emergency security update to address a critical zero-day vulnerability, CVE-2023-4863, in the Chrome web browser.
- The vulnerability, caused by a WebP heap buffer overflow, can result in various consequences, including browser crashes and the potential execution of arbitrary code.
- Although actively exploited in the wild, specific details about the attacks remain undisclosed by Google.
- Update Chrome: Users are strongly advised to update their Google Chrome web browsers to version 116.0.5845.187 (Mac and Linux) and 116.0.5845.187/.188 (Windows) immediately to patch the CVE-2023-4863 vulnerability.
Affected Entities: Microsoft Patch
Attack Vectors: Exploitation of Microsoft Word and Streaming Service Proxy vulnerabilities.
Risk Impact: Disclosure of NTLM hashes, Disclosure of sensitive information, Elevation of Privilege to SYSTEM.
- Microsoft’s latest software update addresses 59 vulnerabilities across its product portfolio, with five rated as Critical, 55 as Important, and one as Moderate in severity.
- Notably, two zero-day vulnerabilities are actively being exploited by unknown threat actors:
- CVE-2023-36761 (CVSS score: 6.2) – Microsoft Word Information Disclosure Vulnerability: This vulnerability could allow the disclosure of NTLM hashes, even by merely previewing a malicious Word document.
- CVE-2023-36802 (CVSS score: 7.8) – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability: Exploiting this vulnerability could grant an attacker SYSTEM privileges.
- In addition to these zero-days, other noteworthy vulnerabilities include remote code execution flaws in Internet Connection Sharing, Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML, and Microsoft Exchange Server. Elevation of privilege issues affects Windows Kernel, Windows GDI, Windows Common Log File System Driver, and Office, among others.
- Microsoft users should immediately apply the latest software update provided by Microsoft to mitigate these vulnerabilities. A release of these security updates can be found at the link below:
Affected Entities: Adobe Acrobat and Reader
Attack Vector: Exploitation of critical vulnerabilities in Adobe Acrobat and Reader and cross-site scripting flaws in Adobe Connect and Adobe Experience Manager.
Risk Impact: Execution of malicious code on susceptible systems
- Adobe’s September 2023 update includes critical patches to address actively exploited vulnerabilities in its Acrobat and Reader software.
- The main concern is CVE-2023-26369, a critical vulnerability rated at 7.8 in severity, affecting various versions of Acrobat and Reader on both Windows and macOS.
- Successful exploitation of this flaw could enable attackers to execute malicious code through specially crafted PDF documents.
- Adobe has confirmed limited attacks exploiting this vulnerability.
- Additionally, Adobe has patched two cross-site scripting vulnerabilities in Adobe Connect and Adobe Experience Manager, which could potentially lead to arbitrary code execution.
- Adobe Acrobat and Reader users should immediately update their software to the patched versions mentioned in the advisory to mitigate the risk of exploitation.
Affected Entities: Mozilla, Firefox and Thunderbird
Attack Vector: Exploitation of a critical heap buffer overflow flaw in the WebP image format in Firefox and Thunderbird Risk
Risk Impact: Arbitrary code execution
- Mozilla has urgently patched a critical zero-day vulnerability (CVE-2023-4863) in Firefox and Thunderbird, which was actively exploited in the wild.
- The flaw is a heap buffer overflow issue in the WebP image format, potentially leading to arbitrary code execution when processing maliciously crafted images.
- This poses a significant security threat, allowing remote attackers to perform out-of-bounds memory writes through crafted HTML pages.
- The vulnerability has been addressed in various Mozilla products.
- Users of Firefox and Thunderbird should immediately update their software to the latest versions to mitigate the risk of exploitation.
Affected Entities: Juniper devices
Attack Vector: Exploitation of unauthenticated RCE vulnerability.
Risk Impact: Remote code execution, exposure of sensitive data, network compromise.
- An estimated 12,000 Juniper SRX firewalls and EX switches are exposed to a critical remote code execution (RCE) vulnerability.
- Initially categorized as medium severity when disclosed by Juniper, this vulnerability (CVE-2023-36845) has now been demonstrated to allow attackers to achieve RCE without uploading files.
- Chained with other vulnerabilities (‘PHP environment variant manipulation’ (CVE-2023-36844/CVE-2023-36845) and ‘Missing Authentication for Critical Function’ (CVE-2023-36846/CVE-2023-36847)), it can have a significant impact, with a CVSS rating of 9.8.
- Security researcher Jacob Baines recently released a proof of concept (PoC) that exploits CVE-2023-36845, highlighting its potential severity.
- A free scanner on GitHub has identified thousands of vulnerable devices on the internet, indicating the widespread risk.
- The impact of this security issue is more severe than initially assessed, and immediate remediation is essential to prevent unauthorized remote code execution.
- Juniper administrators should apply the security updates released by the vendor to address CVE-2023-36845.