Programmer’s Digest #18
02/02/2023-02/08/2023. Vulnerabilities in Sunlogin, Atlassian’s Jira Service Management Found Vulnerable, OpenSSH Releases Patch And More
1. Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework
Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities. Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells.
The mechanism of the attack
Attack chains commence with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), followed by delivering Sliver or other malware such as Gh0st RAT and XMRig crypto coin miner. In one instance, the threat actor is said to have weaponized the Sunlogin flaws to install a PowerShell script that, in turn, employs the BYOVD technique to incapacitate security software installed in the system and drop a reverse shell using Powercat.
The BYOVD method abuses a legitimate but vulnerable Windows driver, mhyprot2.sys, that’s signed with a valid certificate to gain elevated permissions and terminate antivirus processes.
2. OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability
The maintainers of OpenSSH have released OpenSSH 9.2 to address a number of security bugs, including a memory safety vulnerability in the OpenSSH server (sshd). Tracked as CVE-2023-25136, the shortcoming has been classified as a pre-authentication double free vulnerability that was introduced in version 9.1. It is not believed to be exploitable, and it occurs in the unprivileged pre-auth process, which is subject to chroot(2) and is further sandboxed on most major platforms. The chunk of memory that gets freed twice is the one holding ‘options.kex_algorithms’. Double free flaws arise when a vulnerable piece of code calls the free() function – which is used to deallocate memory blocks – twice on the same pointer, leading to memory corruption, which, in turn, could lead to a crash or execution of arbitrary code. Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.
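The double free pattern described above, reduced to a few lines as an added example (this is not OpenSSH code, and the struct and field names are assumptions chosen to echo the ‘options.kex_algorithms’ mention in the text). The unsafe function shows two cleanup paths both releasing the same buffer; the hardened form frees through a helper that clears the pointer, so a repeated call becomes a harmless no-op instead of corrupting the allocator.

```c
/* Added example, not OpenSSH's code: a double free in miniature beside
 * a hardened form.  "struct options" / "kex_algorithms" are assumed
 * names for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct options {
    char *kex_algorithms;   /* heap string owned by this struct */
};

/* Vulnerable pattern: two cleanup paths each believe they own the
 * buffer.  After the first free() the pointer is dangling; the second
 * free() hands an already-released chunk back to the allocator and
 * corrupts its bookkeeping (the crash / write-what-where scenario in
 * the text).  Never call this on a live struct; it is here to be read. */
void release_kex_unsafe(struct options *o)
{
    free(o->kex_algorithms);
    /* ... later, a second cleanup path runs ... */
    free(o->kex_algorithms);   /* double free: same pointer freed again */
}

/* Hardened form: release through a helper that nulls the pointer.
 * Returns 1 if memory was released on this call, 0 if there was
 * nothing left to release. */
int free_once(char **pp)
{
    if (pp == NULL || *pp == NULL)
        return 0;
    free(*pp);
    *pp = NULL;            /* drop the dangling reference */
    return 1;
}

void release_kex_safe(struct options *o)
{
    free_once(&o->kex_algorithms);
    /* a second cleanup path may run again: now a no-op */
    free_once(&o->kex_algorithms);
}

/* Install a fresh kex list, replacing any previous value without
 * leaking it.  Returns 0 on success, -1 on allocation failure. */
int set_kex_algorithms(struct options *o, const char *list)
{
    size_t n = strlen(list) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return -1;
    memcpy(copy, list, n);
    free_once(&o->kex_algorithms);   /* release the old value exactly once */
    o->kex_algorithms = copy;
    return 0;
}

/* Drives the safe path twice and reports how many free_once calls
 * actually released memory: exactly 1, even though it is called twice. */
int demo_safe_release(void)
{
    struct options o = { NULL };
    if (set_kex_algorithms(&o, "curve25519-sha256,diffie-hellman-group14-sha256") != 0)
        return -1;
    int released = free_once(&o.kex_algorithms);
    released += free_once(&o.kex_algorithms);
    return released;
}

int main(void)
{
    printf("frees that released memory: %d\n", demo_safe_release());
    return 0;
}
```

Building with AddressSanitizer (-fsanitize=address) and calling release_kex_unsafe on an allocated struct reports "attempting double-free" at the second free(), which is the quickest way to confirm a suspected double free in your own code during review.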
3. Atlassian’s Jira Service Management Found Vulnerable to Critical Vulnerability
An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. The vulnerability is tracked as CVE-2023-22501 (CVSS score: 9.4) and has been described as a case of broken authentication with low attack complexity. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into.
The tokens, Atlassian noted, can be obtained in either of two scenarios:
- If the attacker is included on Jira issues or requests with these users, or
- If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users
4. CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack
The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product. Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022. Not much is known about the nature of the attacks exploiting the vulnerability, but the development follows the publication of a proof-of-concept (PoC) by cybersecurity firm Viettel on January 16, 2023.
The second security flaw to be added to the KEV catalog is CVE-2023-22952 (CVSS score: 8.8), which relates to a case of missing input validation in SugarCRM that could result in the injection of arbitrary PHP code. The bug has been fixed in SugarCRM versions 11.0.5 and 12.0.2.
5. Actively Exploited GoAnywhere MFT Zero-Day Gets Emergency Patch
Fortra has released an emergency patch to address an actively exploited zero-day vulnerability in the GoAnywhere MFT secure file transfer tool. The vulnerability allows attackers to gain remote code execution on vulnerable GoAnywhere MFT instances whose administrative console is exposed online. The flaw is being exploited in attacks, and Fortra has provided indicators of compromise for potentially affected customers, including a specific stack trace that would show up in the logs on compromised systems. If this stack trace is present in the logs, it is very likely the system has been targeted. Fortra has since added an update to its customer dashboard tagged as “time sensitive”, urging customers to patch their instances “as soon as possible.”
6. New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers
VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021. VMware described the issue as an OpenSLP heap-overflow vulnerability that could lead to the execution of arbitrary code. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
Recommendation
Users are recommended to upgrade to the latest version of ESXi to mitigate potential threats as well as restrict access to the OpenSLP service to trusted IP addresses.