
Cyber Threat Weekly – #9

Derek Krein
6 min read

Another busy news cycle last week.  Let’s start with potential remote code execution in over 178,000 SonicWall firewalls.  This is not good: Ivanti Connect Secure VPN is now under mass exploitation.  CISA releases an advisory on Androxgh0st malware.

Critical flaw in older versions of Atlassian Confluence Datacenter and Server.  First actively exploited Google Chrome zero-day of 2024.  Citrix Netscaler zero-day vulnerabilities actively exploited.  Credential exposing flaw in GitHub.

Interesting Go-based stealer using Slack for data exfiltration.  macOS stealer malware is getting stealthier.  It appears Iran is stepping up its game.  A threat actor returned from a 9-month hiatus with a large email campaign.  Two payloads deployed on exploited Docker hosts.

Russia-backed threat actors using a new malware strain.  CISA adds Ivanti EPMM CVE-2023-35082 to the Known Exploited Vulnerabilities (KEV) catalog.  VMware critical vCenter bug exploited.  Fake iCloud storage alert email scam.

Remote code execution possible in Apache Struts 2 installations.  3AM ransomware linked to the Conti and Royal cybercrime gangs.  Notable increase in exploitation of the critical Apache ActiveMQ vulnerability.


Broken Record Alert:  Patch management prioritization is critical!!!

Known exploited vulnerabilities continue to be abused by threat actors.  Even this week we share vulnerabilities that have patches available yet are being actively exploited.  You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.

A close #2 priority is vulnerabilities with weaponized proof of concept (PoC) code available: the chance of exploitation rises sharply once working PoC code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are either actively exploited or have weaponized PoC code available.

Let’s remove some of the lower hanging fruit threat actors continue to target.
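The two-tier rule above (KEV first, weaponized PoC a close second, both on a 48-hour clock) is easy to automate.  The following is an added example, not code from this newsletter: it reads a slice of the KEV feed in the JSON shape CISA publishes (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the real ones; the records, dates and scanner findings are constructed for the demo), joins it with scanner findings, and emits an ordered work queue.  The WEAPONIZED_POC set stands in for a hypothetical exploit-intel source of your own, and the placeholder CVE-0000-0000 is not a real CVE.

```python
"""Turn the CISA KEV feed plus scanner findings into an ordered patch queue.

Added example, not code from the newsletter.  Field names match the public
KEV JSON feed; the records, dates and scan findings are constructed for the
demo, and WEAPONIZED_POC stands in for a hypothetical exploit-intel source.
"""
import json
from datetime import date, timedelta

# Constructed slice of a KEV feed in the shape CISA publishes.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.01.19",
    "vulnerabilities": [
        {"cveID": "CVE-2023-6548", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2024-01-17", "dueDate": "2024-01-24",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-6549", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "dateAdded": "2024-01-17", "dueDate": "2024-01-24",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-35082", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM) and MobileIron Core",
         "dateAdded": "2024-01-18", "dueDate": "2024-02-08",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-0519", "vendorProject": "Google",
         "product": "Chromium V8", "dateAdded": "2024-01-17",
         "dueDate": "2024-02-07", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed vulnerability-scanner findings: one row per (asset, CVE).
SCAN_FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-2023-6548"},
    {"asset": "vpn-gw-01", "cve": "CVE-2023-6549"},
    {"asset": "mdm-01", "cve": "CVE-2023-35082"},
    {"asset": "wiki-01", "cve": "CVE-2023-22527"},
    {"asset": "wiki-01", "cve": "CVE-0000-0000"},  # placeholder id, not a real CVE
]

# Hypothetical: CVEs your exploit-intel source reports as having weaponized PoC code.
WEAPONIZED_POC = {"CVE-2023-22527"}

# Internal SLAs in days: tier 1 (in KEV) and tier 2 (weaponized PoC) get the
# emergency 48-hour window; everything else rides the normal patch cycle.
SLA_DAYS = {1: 2, 2: 2, 3: 30}
REASON = {1: "in CISA KEV (actively exploited)",
          2: "weaponized PoC available",
          3: "no exploitation evidence"}


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE id."""
    catalog = json.loads(feed_json)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def classify(cve: str, kev: dict, weaponized: set) -> int:
    """Tier 1: in KEV.  Tier 2: weaponized PoC.  Tier 3: everything else."""
    if cve in kev:
        return 1
    if cve in weaponized:
        return 2
    return 3


def prioritize(findings: list, kev: dict, weaponized: set, today: date) -> list:
    """Return findings as an ordered work queue with a tier and a due date."""
    queue = []
    for f in findings:
        cve = f["cve"]
        tier = classify(cve, kev, weaponized)
        due = today + timedelta(days=SLA_DAYS[tier])
        ransomware = "Unknown"
        if tier == 1:
            entry = kev[cve]
            ransomware = entry.get("knownRansomwareCampaignUse", "Unknown")
            # Never let the internal SLA slip past CISA's own due date.
            due = min(due, date.fromisoformat(entry["dueDate"]))
        queue.append({"asset": f["asset"], "cve": cve, "tier": tier,
                      "due": due.isoformat(), "reason": REASON[tier],
                      "ransomware": ransomware})
    # Exploited first, ransomware-linked ahead of the rest, then earliest due date.
    queue.sort(key=lambda q: (q["tier"], q["ransomware"] != "Known",
                              q["due"], q["cve"], q["asset"]))
    return queue


def build_queue(today_iso: str = "2024-01-19") -> list:
    """Convenience wrapper over the constructed sample data."""
    return prioritize(SCAN_FINDINGS, load_kev(KEV_FEED_JSON),
                      WEAPONIZED_POC, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for item in build_queue():
        print(f"tier {item['tier']}  due {item['due']}  "
              f"{item['asset']:<10} {item['cve']:<16} {item['reason']}")
```

In production you would replace KEV_FEED_JSON with the live feed and SCAN_FINDINGS with your scanner export; the sort key is the point: anything CISA has confirmed exploited lands at the top regardless of CVSS, and the 48-hour clock is capped by CISA's own due date so a late discovery never pushes past it.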


CISA Known Exploited Vulnerabilities for January 15th to January 21st:

CVE-2018-15133 – Laravel Deserialization of Untrusted Data Vulnerability

This deserialization flaw allows remote command execution, but only if the attacker has already obtained the application encryption key (the APP_KEY environment variable), for example from an exposed .env file.

CVE-2024-0519 – Google Chromium V8 Out-of-Bounds Memory Access Vulnerability

CVE-2023-6549 – Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability

A buffer overflow vulnerability that allows for a denial-of-service when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
 

CVE-2023-6548 – Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability

Allows an authenticated, low-privileged user with access to the NSIP, CLIP, or SNIP (with management interface access) to execute code on the management interface.
 

CVE-2023-35082 – Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability

An authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.


SonicWall Firewalls Vulnerable to DoS, Possibly Remote Code Execution

Firewall and VPN appliances are a favorite target of nation states and cyber criminals.  With over 178,000 devices exposed to the two bugs (CVE-2022-22274 and CVE-2023-0656, both unauthenticated stack-based buffer overflows in the SonicOS management web interface), this is a big target.  Even if a threat actor can’t execute code, they can knock the edge firewall, and with it VPN access, offline.  These vulnerabilities affect the management interface; it’s a terrible idea to expose the management interface to the Internet.

https://www.bleepingcomputer.com/news/security/over-178k-sonicwall-firewalls-vulnerable-to-dos-potential-rce-attacks/

https://bishopfox.com/blog/its-2024-and-over-178-000-sonicwall-firewalls-are-publicly-exploitable


Mass Exploitation of Ivanti Connect Secure VPN

Multiple threat actors, now including cyber criminals, are involved in widespread exploitation of the authentication bypass (CVE-2023-46805) chained with the command injection (CVE-2024-21887).  Patches are still not available.  If you use Ivanti Connect Secure VPN, apply Ivanti’s mitigation (an XML file imported through the admin portal) immediately.  There were over 1,700 compromised devices on January 15th, 2024; scanning a day later, it’s now over 2,100.  And that is just the GIFTEDVISITOR webshell.

Cryptominers and malware are also being deployed on these devices.  At least one threat actor has been modifying the Integrity Checker Tool so that it reports no new or mismatched files, so a clean ICT result on a suspect device cannot be taken at face value.

https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/


CISA Cybersecurity Advisory - Androxgh0st Malware

Androxgh0st malware targets websites running the Laravel web application framework and other software with known bugs; the advisory lists CVE-2018-15133 (Laravel), CVE-2017-9841 (PHPUnit) and CVE-2021-41773 (Apache HTTP Server).  It scans for exposed .env files and harvests the secrets in them.  The threat actors are after credentials for high profile applications such as AWS, Microsoft Office 365, SendGrid, and Twilio.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

https://www.cisa.gov/sites/default/files/2024-01/aa24-016a-known-indicators-of-compromise-associated-with-adroxgh0st-malware_0.pdf
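Both the Laravel KEV entry above (which needs APP_KEY) and the Androxgh0st advisory come back to the same thing: a web server that serves its .env file.  The following is an added detection example, not code from the newsletter or the CISA advisory.  It parses combined-format access logs and flags two request patterns the advisory describes, fetches of .env files (a 200 response means the secrets, APP_KEY included, were actually handed over) and hits on the PHPUnit eval-stdin.php script (CVE-2017-9841).  The log lines are constructed and use RFC 5737 documentation addresses; the rule names are my own.

```python
"""Flag Androxgh0st-style probing in web server access logs.

Added example, not from the newsletter or the CISA advisory.  Log lines are
constructed; source addresses are RFC 5737 documentation ranges.
"""
import re
from collections import Counter

# Constructed combined-log-format lines (Apache/Nginx default shape).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2024:10:01:03 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2024:10:01:04 +0000] "POST /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jan/2024:10:05:00 +0000] "GET /api/.env HTTP/1.1" 200 812 "-" "curl/8.4.0"
192.0.2.44 - - [17/Jan/2024:10:06:00 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Jan/2024:10:06:01 +0000] "GET /assets/app.env.js HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path abused for CVE-2017-9841 (PHPUnit RCE), one of the bugs in the advisory.
PHPUNIT_RCE = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def parse(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def classify(rec: dict):
    """Return (rule, severity) for a parsed request, or None if it looks benign."""
    path = rec["path"].lower()
    if path == "/.env" or path.endswith("/.env"):
        # A 200 means the secrets file (APP_KEY, cloud and mail creds) was served.
        return ("ENV_FILE_REQUEST", "critical" if rec["status"] == 200 else "medium")
    if path.endswith(PHPUNIT_RCE.lower()):
        return ("PHPUNIT_EVAL_STDIN_CVE_2017_9841",
                "critical" if rec["status"] == 200 else "high")
    return None


def detect(log_text: str) -> list:
    """Run every line through the parser and the rules; return the alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            rule, severity = hit
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                           "path": rec["path"], "status": rec["status"],
                           "rule": rule, "severity": severity})
    return alerts


def offenders(alerts: list) -> Counter:
    """Count alerts per source address so scanners stand out."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:<8} {a['ip']:<14} {a['method']} {a['path']} "
              f"-> {a['status']}  [{a['rule']}]")
    print("per-source counts:", dict(offenders(found)))
```

The severity split matters for response: 404s on /.env are commodity scanning and mostly tell you which addresses to block, while a 200 on any .env path means you should treat the APP_KEY and every credential in that file as compromised and rotate them, since with APP_KEY in hand CVE-2018-15133 becomes a straightforward remote command execution.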


Atlassian Confluence Remote Code Execution Vulnerability

The critical (CVSS 10.0) CVE-2023-22527 template injection flaw affects out-of-date Confluence Data Center and Server versions released before December 5th, 2023, including out-of-support versions.  Confluence is targeted by nation states and cybercriminals alike.  The fix is to update to the latest versions (8.5.4 LTS or a later supported release).

https://www.bleepingcomputer.com/news/security/atlassian-warns-of-critical-rce-flaw-in-older-confluence-versions/

https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html

https://confluence.atlassian.com/security/security-bulletin-january-16-2024-1333335615.html


Google Chrome Zero-day Actively Exploited

CVE-2024-0519, an out-of-bounds memory access in the V8 JavaScript engine, is being actively exploited in the wild, and Google has released a fix.  Beyond reading memory it should not be able to reach, a bug like this can be used to defeat protection mechanisms such as ASLR.

https://www.bleepingcomputer.com/news/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2024/


Two Zero-day Vulnerabilities on Citrix Netscaler

Only customer-managed appliances are impacted.  One zero-day affects the management interface and can lead to remote code execution; the other affects gateway services and can lead to a DoS.

https://www.bleepingcomputer.com/news/security/citrix-warns-of-new-netscaler-zero-days-exploited-in-attacks/

https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549


GitHub Credential Exposing Flaw

GitHub.com fixed CVE-2024-0200 the same day it was reported through the bug bounty program, then rotated the keys that could have been exposed.  Patched GitHub Enterprise Server versions followed on January 16th, 2024, with customers urged to update ASAP.

https://www.bleepingcomputer.com/news/security/github-rotates-keys-to-mitigate-impact-of-credential-exposing-flaw/

https://github.blog/2024-01-16-rotating-credentials-for-github-com-and-new-ghes-patches/


Go-Based Stealer Abusing Slack for Covert Data Theft

The most interesting thing here: the stealer focuses on web browser credential theft, targeting Firefox, Google Chrome, Edge, and Brave.  While not novel, data exfiltration via Slack is rare.  We’ll keep an eye out for a larger campaign.

https://cyble.com/blog/cyber-espionage-attack-on-the-indian-air-force-go-based-infostealer-exploits-slack-for-data-theft/


Infostealers Bypass MacOS Malware Protection

Infostealers are evading XProtect, macOS’s built-in, signature-based malware detection.  Malware developers continue to evolve their malware targeting macOS.

https://www.darkreading.com/endpoint-security/sophisticated-macos-infostealers-apple-built-in-detection

https://www.sentinelone.com/blog/the-many-faces-of-undetected-macos-infostealers-keysteal-atomic-cherrypie-continue-to-adapt/


Iran’s APT35 Targeting Individuals Focused on Middle Eastern Affairs

Microsoft shared newly observed behavior from the threat actor it tracks as Mint Sandstorm: sophisticated social engineering (impersonating journalists and researchers in email lures) and a new backdoor, MediaPl.

https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/


Proofpoint Observes TA866 Email Campaign

This threat actor returned with an evolved multi-step attack chain and variants of its custom tools.  There are indicators TA866 has been using other delivery methods as well.

https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta866-returns-large-email-campaign


Docker Hosts Abused for Cryptomining and Web Traffic

Researchers observed an interesting campaign abusing exposed Docker hosts with two different payloads: an XMRig cryptominer and the 9Hits Viewer app, which burns the host’s bandwidth generating paid website traffic for the attacker.

https://www.bleepingcomputer.com/news/security/docker-hosts-hacked-in-ongoing-website-traffic-theft-scheme/

https://www.cadosecurity.com/containerised-clicks-malicious-use-of-9hits-on-vulnerable-docker-hosts/


Google Observes New Russia Threat Actor Campaign

The Russian threat actor Google tracks as COLDRIVER is pushing a new backdoor called SPICA.  The lure is a PDF that appears to be encrypted; once the target replies that they cannot read it, the attacker sends a “decryption” utility, which is the backdoor itself.

https://www.bleepingcomputer.com/news/security/google-russian-fsb-hackers-deploy-new-spica-backdoor-malware/

https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/


Ivanti EPMM Bug Added to CISA KEV Catalog

CVE-2023-35082, an older August 2023 vulnerability is now under active exploitation.

https://www.bleepingcomputer.com/news/security/cisa-critical-ivanti-auth-bypass-bug-now-actively-exploited/


VMware vCenter Vulnerability Actively Exploited

Patched in October 2023, CVE-2023-34048 (an out-of-bounds write in vCenter Server’s DCERPC implementation) is now confirmed exploited in the wild, and Mandiant reports a Chinese threat actor has been exploiting it as a zero-day since late 2021.

https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vcenter-flaw-now-exploited-in-attacks/

https://www.vmware.com/security/advisories/VMSA-2023-0023.html

https://www.bleepingcomputer.com/news/security/chinese-hackers-exploit-vmware-bug-as-zero-day-for-two-years/

https://www.mandiant.com/resources/blog/chinese-vmware-exploitation-since-2021


Email Phishing Campaign With iCloud Fake Storage Alert Lure

Threat actors are going after iCloud, hoping targets provide sensitive information and potentially login credentials.

https://cybersecuritynews.com/fake-icloud-storage-alert/


Apache Struts 2 Remote Code Execution Vulnerability

Researchers report more than 1.718 million systems vulnerable to CVE-2023-50164, a critical bug in Struts file upload handling: manipulated upload parameters allow path traversal and, under some circumstances, uploading a malicious file that can be used for remote code execution.  Apache Struts 2 is heavily targeted by threat actors, so chances are high this one will be actively exploited sooner rather than later.

https://cybersecuritynews.com/apache-struts-2-rce-attacks/

https://www.cyfirma.com/outofband/apache-struts-rce-cve-2023-50164-vulnerability-analysis-and-exploitation/


3AM Ransomware Group Tied to Conti

Researchers found 3AM tied to Royal ransomware and the Conti cybercrime clowns.  This sucks: Conti ran like a large business, was aggressive, and made a ton of money.  3AM is also trying a new extortion tactic, using automated bots on X (Twitter) to reply to victims’ posts and publicize the breach.

https://www.bleepingcomputer.com/news/security/researchers-link-3am-ransomware-to-conti-royal-cybercrime-gangs/

https://www.intrinsec.com/wp-content/uploads/2024/01/TLP-CLEAR-2024-01-09-ThreeAM-EN-Information-report.pdf


Apache ActiveMQ Bug Exploitation on the Rise

The Godzilla webshell is being deployed after exploitation of the now-patched Apache ActiveMQ flaw (CVE-2023-46604).  Researchers are seeing an increase in activity.

https://thehackernews.com/2024/01/apache-activemq-flaw-exploited-in-new.html

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/apache-activemq-vulnerability-leads-to-stealthy-godzilla-webshell/

