Cyber Threat Weekly – #10
This week’s newsletter is a bit lighter than earlier this month, although news volumes continue to increase. Let’s start with exploit attempts on the critical Atlassian Confluence bug disclosed last week. First zero-day flaw of the year for Apple. Digging deeper into a pair of malicious traffic direction systems.
SEC X account hacked via SIM-swapping. Bring Your Own Vulnerable Driver (BYOVD) is a growing trend. Threat researchers share observations of BianLian ransomware group. New GoAnywhere MFT critical bug. Exposed API leaks private email addresses.
Google Kubernetes loophole could allow threat actors with a Google account to take control of a Kubernetes cluster. Researchers observe a new Go-based loader called CherryLoader. Critical Jenkins bug could lead to remote code execution.
Threat actors targeting WordPress database plugin. Researchers share analysis of SystemBC C2 Server. Cisco communications software critical remote code execution bug. Microsoft shares details of an APT29 attack against Microsoft executives’ email accounts that went undetected for roughly two months.
Broken Record Alert: Patch management prioritization is a must!!!
Known exploited vulnerabilities continue to be abused by threat actors. We continue to share actively exploited vulnerabilities for which patches are available. You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close second priority is vulnerabilities with weaponized proof of concept (PoC) code available, since the chance of exploitation rises once such code exists. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
Let’s remove some of the low-hanging fruit threat actors continue to target.
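As an added example (not part of the newsletter or of any CISA tooling), here is the prioritization described above as a small script: findings are tiered KEV-first, weaponized-PoC second, everything else third, and the emergency deadline is attached to the first two tiers. The KEV feed excerpt is constructed in the shape of the real CISA JSON feed, the hostnames are made up, and the 24h/48h split between tier 1 and tier 2 is an assumed SLA.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the CISA KEV JSON feed (the real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the fields this example reads are included.
KEV_FEED_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-34048", "vendorProject": "VMware", "product": "vCenter Server"},
        {"cveID": "CVE-2024-23222", "vendorProject": "Apple", "product": "Multiple Products"},
        {"cveID": "CVE-2023-22527", "vendorProject": "Atlassian", "product": "Confluence Data Center and Server"},
    ]
})

# Constructed inventory of open findings (hostnames are made up). The weaponized_poc flag mirrors
# what the newsletter reports: exploit code public for GoAnywhere MFT and Jenkins, none reported
# for the Cisco bug or the WordPress plugin.
INVENTORY = [
    {"host": "vcenter01",    "cve": "CVE-2023-34048", "weaponized_poc": False},
    {"host": "confluence01", "cve": "CVE-2023-22527", "weaponized_poc": True},
    {"host": "goanywhere01", "cve": "CVE-2024-0204",  "weaponized_poc": True},
    {"host": "jenkins01",    "cve": "CVE-2024-23897", "weaponized_poc": True},
    {"host": "wordpress01",  "cve": "CVE-2023-6933",  "weaponized_poc": False},
    {"host": "cucm01",       "cve": "CVE-2024-20253", "weaponized_poc": False},
]

# Assumed emergency SLA: KEV entries within 24 hours, weaponized-PoC bugs within 48 hours.
EMERGENCY_HOURS = {1: 24, 2: 48}

# Fixed "as of" time so the output is reproducible.
EXAMPLE_NOW = datetime(2024, 1, 29, tzinfo=timezone.utc)


def load_kev_ids(feed_json):
    """Return the set of CVE IDs listed in a KEV-format feed."""
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}


def tier_for(finding, kev_ids):
    """Tier 1: actively exploited (in KEV). Tier 2: weaponized PoC public. Tier 3: everything else."""
    if finding["cve"] in kev_ids:
        return 1
    if finding["weaponized_poc"]:
        return 2
    return 3


def prioritize(inventory, kev_ids, now=EXAMPLE_NOW):
    """Annotate each finding with its tier and patch deadline, most urgent first.
    A deadline of None means the finding goes through the regular patch cycle."""
    result = []
    for finding in inventory:
        tier = tier_for(finding, kev_ids)
        hours = EMERGENCY_HOURS.get(tier)
        deadline = (now + timedelta(hours=hours)).isoformat() if hours else None
        result.append({**finding, "tier": tier, "deadline": deadline})
    result.sort(key=lambda f: (f["tier"], f["host"]))
    return result


if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev_ids(KEV_FEED_SAMPLE)):
        print(f"tier {f['tier']}  {f['host']:<13} {f['cve']:<15} deadline={f['deadline']}")
```

In practice you would replace KEV_FEED_SAMPLE with the downloaded feed and INVENTORY with your scanner export; the tiering logic stays the same.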
CISA Known Exploited Vulnerabilities for January 22nd to January 28th:
CVE-2023-34048 – VMware vCenter Server Out-of-Bounds Write Vulnerability
An out-of-bounds write in the DCERPC protocol implementation that allows an attacker to achieve remote code execution on VMware vCenter Server.
CVE-2024-23222 – Apple Multiple Products Type Confusion Vulnerability
A type confusion vulnerability that leads to code execution when processing maliciously crafted web content affecting Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit.
CVE-2023-22527 – Atlassian Confluence Data Center and Server Template Injection Vulnerability
An unauthenticated OGNL template injection vulnerability that can lead to remote code execution.
Atlassian Confluence Bug: 10,000s of Exploit Attempts
Researchers are observing callback attempts that execute ‘whoami’ against CVE-2023-22527, disclosed last week. The trend continues: rapid exploit attempts against newly disclosed vulnerabilities.
Apple Zero-Day Bug Fixed
CVE-2024-23222 could be exploited to gain code execution. This bug impacts iOS, macOS, iPadOS, and tvOS.
Parrot and VexTrio Traffic Direction Systems (TDS)
An interesting breakdown of two different TDSs, how they work, and how they stay stealthy. Parrot TDS is the newer of the two, having been active since October 2021. VexTrio is believed to have been active since at least 2017.
https://thehackernews.com/2024/01/vextrio-uber-of-cybercrime-brokering.html
https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/
SIM-Swapping Responsible for SEC X Account Hack
The industry seems to be taking the easy way out, turning to MFA that is easily socially engineered, such as SMS-based MFA. While SMS-based MFA is better than nothing, it won’t stop a determined threat actor.
https://thecyberexpress.com/sec-x-account-hacked/
Kasseika Ransomware, Latest to Abuse BYOVD
Trend Micro shares the attack chain and finds similarities with the BlackMatter ransomware operation attack chains. In addition, there are source code similarities between Kasseika and BlackMatter.
BianLian Threat Assessment
Threat researchers share observations and analysis of the BianLian threat group. The group recently moved from the double extortion scheme to extortion without encryption. They simply exfiltrate data and threaten to publish it if victims don’t pay the ransom.
https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/
Critical Authentication Bypass Flaw: Fortra’s GoAnywhere Managed File Transfer (MFT)
Recently disclosed bug CVE-2024-0204, rated a CVSS 3.1 score of 9.8, was quietly patched on December 7th, 2023. Security researchers have released a technical analysis and exploit code.
https://www.fortra.com/security/advisory/fi-2024-001
https://cybersecuritynews.com/goanywhere-mft-bypass/
https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/
Trello API Abused Allowing Links to Account Information
An exposed API allowed a threat actor to query for account information using an email address. A list of 500 million emails was fed into the API to ascertain whether each had an associated account. Trello offers this API so developers can query public information about a profile; the threat actor found a way to abuse it.
This incident underscores the criticality of API security.
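The pattern in the Trello incident, one client feeding a long list of addresses into a lookup endpoint, is detectable from ordinary access logs. As an added example (not Trello’s code or the newsletter’s), the script below runs a sliding-window count of distinct email parameters per client IP over constructed log lines for a hypothetical /api/members endpoint; the log format, the endpoint path and the threshold of five distinct addresses per minute are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines for a hypothetical "find account by email" endpoint.
# Format per line: <ISO timestamp> <client ip> <method> <path> <status>
# 203.0.113.5 sweeps eight different addresses in a few seconds (mostly misses);
# 198.51.100.7 is a normal client looking up the same address twice.
ATTACKER_LINES = [
    f"2024-01-22T10:00:0{i}Z 203.0.113.5 GET /api/members?email=user{i}%40example.com {404 if i % 4 else 200}"
    for i in range(8)
]
SAMPLE_LOG = "\n".join(ATTACKER_LINES + [
    "2024-01-22T10:00:03Z 198.51.100.7 GET /api/members?email=alice%40example.com 200",
    "2024-01-22T10:05:00Z 198.51.100.7 GET /api/members?email=alice%40example.com 200",
    "2024-01-22T10:05:01Z 198.51.100.7 GET /api/boards/123 200",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    email = parse_qs(urlparse(path).query).get("email", [None])[0]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "email": email,
        "status": int(status),
    }


def detect_enumeration(log_text, max_distinct=5, window_seconds=60):
    """Flag client IPs that look up more than max_distinct different email addresses
    within any window_seconds span. Returns {ip: {"distinct_emails": peak, "not_found": n}}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["email"]:
            per_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda r: r["ts"])
        in_window = Counter()   # email -> number of lookups inside the sliding window
        start = 0
        peak = 0
        for rec in events:
            in_window[rec["email"]] += 1
            # Slide the window's left edge forward until it spans at most window_seconds.
            while rec["ts"] - events[start]["ts"] > timedelta(seconds=window_seconds):
                old = events[start]["email"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            alerts[ip] = {
                "distinct_emails": peak,
                "not_found": sum(1 for r in events if r["status"] == 404),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}: {info}")
```

The high not-found count is the second tell: a scripted sweep of a purchased list mostly hits addresses with no account. The usual mitigations are authenticating and rate-limiting lookup endpoints and returning the same response shape whether or not an account exists.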
Any Gmail Account Could Control Your Google Kubernetes Cluster
Security researchers discovered a misconfiguration allowing anyone with a Google account to take over Google Kubernetes clusters. The loophole is a permissions issue: the default configuration granted excessive rights. This showcases the need to audit permissions and authorization in all systems.
https://thehackernews.com/2024/01/google-kubernetes-misconfig-lets-any.html
https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk/
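The permissions audit this item calls for can be scripted. As an added example (not the newsletter’s, Orca’s or Google’s code), the script below walks the JSON output of kubectl and reports any binding that grants one of the catch-all groups, system:authenticated or system:unauthenticated, anything beyond the discovery-level ClusterRoles Kubernetes binds to them by default; the linked Orca research describes the problem as these groups covering any Google-authenticated identity on GKE. The binding sample is constructed, and the severity mapping is an assumption.

```python
import json
import sys

# Groups every authenticated (or anonymous) caller belongs to. On GKE, per the linked Orca
# research, system:authenticated covers any Google account, not just your own users.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# ClusterRoles that Kubernetes itself binds to the broad groups by default (discovery-level access).
# Any other role bound to these groups deserves review.
EXPECTED_DEFAULT_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`, trimmed to the
# fields the audit reads. Binding names other than the Kubernetes defaults are made up.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "everyone-can-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "oops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"},
                  {"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "no-subjects"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"}},
]})


def audit_bindings(json_text):
    """Return one finding per (binding, broad group) pair that grants more than the default roles."""
    findings = []
    for binding in json.loads(json_text).get("items", []):
        role = binding["roleRef"]["name"]
        name = binding["metadata"]["name"]
        # namespace is present for RoleBindings and absent for ClusterRoleBindings
        namespace = binding["metadata"].get("namespace")
        for subject in binding.get("subjects") or []:
            if subject.get("kind") != "Group" or subject.get("name") not in BROAD_GROUPS:
                continue
            if role in EXPECTED_DEFAULT_ROLES:
                continue
            findings.append({
                "binding": name,
                "namespace": namespace,
                "group": subject["name"],
                "role": role,
                # assumed mapping: write-capable built-in roles are critical, anything else high
                "severity": "critical" if role in {"cluster-admin", "admin", "edit"} else "high",
            })
    return findings


if __name__ == "__main__":
    # Usage: kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit_bindings.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BINDINGS
    for f in audit_bindings(text):
        where = f"{f['namespace']}/" if f["namespace"] else ""
        print(f"[{f['severity']}] {where}{f['binding']}: {f['group']} -> {f['role']}")
```

Run with no input and it audits the constructed sample; piped kubectl output is audited instead. Namespaced RoleBindings pass through the same check, since a broad group bound to edit in one namespace is still every Google account editing that namespace.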
CherryLoader, a New Go-based Loader
Researchers discovered the tool in two recent intrusions. It is a multi-stage loader that uses different encryption methods and anti-analysis techniques.
https://thehackernews.com/2024/01/new-cherryloader-malware-mimics.html
Jenkins Bug Leads to Remote Code Execution, Exploit Code Released
This bug, CVE-2024-23897, affects the command line interface (CLI). A short-term mitigation is to turn off access to the CLI. Exploit code is now available, so we may see active exploitation soon.
https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html
https://www.jenkins.io/security/advisory/2024-01-24/
WordPress Database Plugin Actively Targeted
Wordfence is blocking active exploitation of the ‘Better Search Replace’ plugin. The vendor, WP Engine, released a fix for a critical bug tracked as CVE-2023-6933, rated 9.8 out of 10. There are over 1 million active installations, although it is unknown how many are vulnerable.
SystemBC C2 Server Exposed by Researchers
Researchers have seen increased activity in Q2 and Q3 2023. SystemBC includes an implant, a command and control server, and a web administration portal. Designed for post-exploitation activities, it can deliver additional payloads and uses SOCKS5 proxies to hide network traffic to and from its C2 infrastructure.
https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server
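Because SystemBC tunnels its C2 traffic over SOCKS5, the SOCKS5 handshake itself is something network defenders can look for, especially on ports where no proxy should be listening. As an added example (not from the newsletter or the Kroll analysis), here is a parser for the SOCKS5 client greeting and request (RFC 1928 framing) applied to a few constructed flows; it flags a handshake on any port other than the conventional 1080 and assumes the no-auth method so the request immediately follows the greeting in the client direction.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
METHOD_NAMES = {0: "no-auth", 1: "gssapi", 2: "username/password"}
CONVENTIONAL_PORT = 1080


def parse_greeting(data):
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]. Returns (methods, bytes_consumed) or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return list(data[2:2 + n]), 2 + n


def parse_request(data):
    """Client request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT. Returns dict or None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0 or data[1] not in CMD_NAMES:
        return None
    atyp, pos = data[3], 4
    if atyp == 1:    # IPv4, 4 bytes
        if len(data) < pos + 4:
            return None
        host, pos = str(ipaddress.IPv4Address(bytes(data[pos:pos + 4]))), pos + 4
    elif atyp == 3:  # domain name, one length byte then the name
        if len(data) < pos + 1 or len(data) < pos + 1 + data[pos]:
            return None
        length = data[pos]
        host, pos = data[pos + 1:pos + 1 + length].decode("ascii", "replace"), pos + 1 + length
    elif atyp == 4:  # IPv6, 16 bytes
        if len(data) < pos + 16:
            return None
        host, pos = str(ipaddress.IPv6Address(bytes(data[pos:pos + 16]))), pos + 16
    else:
        return None
    if len(data) < pos + 2:
        return None
    port = struct.unpack("!H", data[pos:pos + 2])[0]
    return {"command": CMD_NAMES[data[1]], "host": host, "port": port}


def classify_flow(client_bytes, proxy_port):
    """Inspect the client-to-server bytes of a TCP flow. Returns None if it does not start with a
    SOCKS5 greeting, otherwise a summary. Assumes the no-auth method, so the request directly
    follows the greeting (with username/password auth a sub-negotiation would sit in between)."""
    greeting = parse_greeting(client_bytes)
    if greeting is None:
        return None
    methods, consumed = greeting
    request = parse_request(client_bytes[consumed:])
    return {
        "protocol": "socks5",
        "auth_methods": [METHOD_NAMES.get(m, f"unknown({m})") for m in methods],
        "request": request,
        "suspicious": proxy_port != CONVENTIONAL_PORT,  # heuristic: SOCKS5 where no proxy belongs
    }


# Constructed flows: a SOCKS5 CONNECT to 203.0.113.10:443 sent to a proxy on port 4444, a CONNECT
# by hostname to a proxy on 1080, and an ordinary HTTP request for contrast.
FLOWS = [
    (b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x01\xbb", 4444),
    (b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x00\x50", 1080),
    (b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", 80),
]

if __name__ == "__main__":
    for payload, port in FLOWS:
        print(port, classify_flow(payload, port))
```

The port heuristic is deliberately simple; in a real deployment you would combine it with an allowlist of sanctioned proxies and alert on hosts that start speaking SOCKS5 to unknown destinations.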
Cisco Communications Products Vulnerable to CVE-2024-20253
The bug, which received a 9.9 out of 10 base score, affects Unified Communications Manager and Contact Center Solutions products. Exploitation could lead to remote code execution. So far, there is no evidence of available exploit code or of targeting of the flaw.
APT29 Attack Against Microsoft Executives Email Accounts
Microsoft discovered, on January 12th, 2024, that Russian threat actors had breached their systems in late November 2023. Using a tactic previously shared in depth by Microsoft, the adversary gained access to a non-production test account, which in turn had access to an OAuth application with elevated access to Microsoft’s corporate environment.
This underscores the necessity for asset inventory, identity and access management, and thorough knowledge of our environments.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter