Programmer’s Digest #16

01/19/2023-01/25/2023. New Microsoft Azure Vulnerability, Git Users Urged to Update Software, Fortinet Flaw, 75k WordPress Sites Impacted By Critical Online Course Plugin Flaws, And More

1. Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks

The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that’s designed to be used by security professionals in their red team operations. Its myriad features for adversary simulation – including dynamic code generation, in-memory payload execution, and process injection – have also made it an appealing tool for threat actors looking to gain elevated access to the target system upon gaining an initial foothold. A hypothetical attack sequence detailed by the Israeli cybersecurity company shows that Sliver could be leveraged for privilege escalation, following it up by credential theft and lateral movement to ultimately take over the domain controller for exfiltration of sensitive data. Sliver has been weaponized in recent years by the Russia-linked APT29 group (aka Cozy Bear) as well as cybercrime operators like Shathak (aka TA551) and Exotic Lily (aka Projector Libra), the latter of which is attributed to the Bumblebee malware loader.

2. New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks

A newly discovered critical remote code execution (RCE) flaw affecting multiple Microsoft Azure services could be exploited by a malicious actor to take complete control of a targeted application. The vulnerability is exploited through cross-site request forgery (CSRF) against Kudu, the ubiquitous source control management (SCM) service. By abusing it, attackers can deploy malicious ZIP files containing a payload to the victim’s Azure application, which could further enable the theft of sensitive data and lateral movement to other Azure services. Microsoft fixed the vulnerability on December 6, 2022, following responsible disclosure on October 26, 2022, and awarded a bug bounty of $30,000. In a hypothetical attack chain devised by Ermetic, an adversary could exploit the CSRF vulnerability in the Kudu SCM panel to defeat the safeguards put in place to thwart cross-origin attacks, issuing a specially crafted request to the “/api/zipdeploy” endpoint to deliver a malicious archive (e.g., a web shell) and gain remote access.

3. Git Users Urged to Update Software to Prevent Remote Code Execution Attacks

The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution. The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, impact the following versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0. Patched versions are v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, and v2.39.1. The more severe of the two, CVE-2022-23521, allows an attacker to trigger heap-based memory corruption during clone or pull operations, which might result in code execution. CVE-2022-41903, also rated critical, is triggered during an archive operation and leads to code execution by way of an integer overflow that arises when formatting the commit logs.
Recommendation
While there are no workarounds for CVE-2022-23521, Git recommends that users disable “git archive” in untrusted repositories as a mitigation for CVE-2022-41903 in scenarios where updating to the latest version is not an option.
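As an added check, not code from the digest or from the Git project, the following shell function compares a “git --version” string against the patched releases listed above, so an inventory script can flag hosts still running an affected 2.x line. How it treats lines outside 2.30 through 2.39 is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the digest or of Git's own tooling: decide whether a
# Git version string is at or above the patched release for its 2.x line, using
# the patched versions listed in item 3 (2.30.7, 2.31.6, 2.32.5, 2.33.6, 2.34.6,
# 2.35.6, 2.36.4, 2.37.5, 2.38.3, 2.39.1). Assumption: lines newer than 2.39
# were cut after the fix and are treated as patched; lines older than 2.30 have
# no patched release in the list and are treated as unpatched.

# Usage: git_is_patched "git version 2.38.2"  -> exit 0 if patched, 1 if not,
#        2 if no version number could be found in the argument.
git_is_patched() {
    ver=$(printf '%s' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0      # "2.40" carries no patch component
    [ "$major" -eq 2 ] || { [ "$major" -gt 2 ]; return; }
    case "$minor" in
        30) need=7 ;; 31) need=6 ;; 32) need=5 ;; 33) need=6 ;; 34) need=6 ;;
        35) need=6 ;; 36) need=4 ;; 37) need=5 ;; 38) need=3 ;; 39) need=1 ;;
        *)  [ "$minor" -ge 40 ]; return ;;  # outside the listed lines, see above
    esac
    [ "$patch" -ge "$need" ]
}

# Report on the locally installed git, if there is one.
check_installed_git() {
    command -v git >/dev/null 2>&1 || { echo "git is not installed"; return 2; }
    v=$(git --version)
    if git_is_patched "$v"; then
        echo "OK: $v"
    else
        echo "UPDATE NEEDED: $v (CVE-2022-23521 / CVE-2022-41903)"
    fi
}
```

Call check_installed_git from a fleet script and treat any non-zero exit as a host that still needs the update.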

4. GoTo Says Hackers Stole Customers’ Backups And Encryption Key

GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data. At the time, the impact on the client data had yet to become known as the company’s investigation into the incident with the help of cybersecurity firm Mandiant had just begun. The attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility.
The information present in the exfiltrated backups includes the following:

  • Central and Pro account usernames
  • Central and Pro account passwords (salted and hashed)
  • Deployment and provisioning information
  • One-to-Many scripts (Central only)
  • Multi-factor authentication information
  • Licensing and purchasing data like emails, phone numbers, billing address, and last four digits of credit card numbers.

In response to the situation, GoTo is resetting Central and Pro passwords for impacted customers and automatically migrating accounts to GoTo’s enhanced Identity Management Platform.

5. VMware Fixes Critical Security Bugs In vRealize Log Analysis Tool

VMware released security patches to address vRealize Log Insight vulnerabilities that could enable attackers to gain remote execution on unpatched appliances. The first critical bug patched today is tracked as CVE-2022-31703 and is described as a directory traversal vulnerability that malicious actors can exploit to inject files into the operating system of impacted appliances to achieve remote code execution. The second one (tracked as CVE-2022-31704) is a broken access control flaw that can also be abused to gain remote code execution on vulnerable appliances by injecting maliciously crafted files. Both vulnerabilities are tagged as critical severity with CVSS base scores of 9.8/10 and can be exploited by unauthenticated threat actors in low-complexity attacks that don’t require user interaction. The company said the vulnerabilities were addressed with VMware vRealize Log Insight 8.10.2. None of the security bugs addressed today were tagged as being exploited in the wild.

6. 75k WordPress Sites Impacted By Critical Online Course Plugin Flaws

The WordPress online course plugin ‘LearnPress’ was vulnerable to multiple critical-severity flaws, including pre-auth SQL injection and local file inclusion. The vulnerabilities in the plugin, used on over 100,000 active sites, were discovered by PatchStack between November 30 and December 2, 2022, and reported to the software vendor. The issues were fixed on December 20, 2022, with the release of LearnPress version 4.2.0. However, according to WordPress.org stats, only about 25% of those sites have applied the update. This means that roughly 75,000 websites could still be running a vulnerable version of LearnPress, exposing themselves to severe security flaws whose exploitation can have serious repercussions.
