Programmer’s Digest #26

03/30/2023-04/05/2023 Azure AD Vulnerability Fixed, Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities, “Super FabriXss” Vulnerability in Microsoft Azure SFX And More

1. Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps

Microsoft has patched a misconfiguration issue in the Azure Active Directory (AAD) identity and access management service that exposed several “high-impact” applications to unauthorized access. One of these apps is the content management system (CMS) that powers Bing.com; access to it allowed an attacker not only to modify search results but also to launch high-impact XSS attacks on Bing users. The vulnerability stems from what’s called “Shared Responsibility confusion”: an Azure app can be configured as multi-tenant, which lets users from any Microsoft tenant sign in, and if the app itself never checks which tenant the token came from, the result is unintended access. A malicious actor with that level of access could have hijacked the most popular search results with the same payload and leaked sensitive data from millions of users.
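The mitigation on the application side is to validate the tenant claim of every accepted token against an allowlist instead of trusting that Azure AD did it. The example below is an added illustration, not Microsoft's or Bing's code: the tenant ID, the allowlist and the sample tokens are constructed for this example, and the function assumes the token's signature has already been verified by whatever library validated it (this check is only the step that a multi-tenant app must add on top).

```python
"""Added example: reject Azure AD tokens whose tenant is not on an allowlist.
Tenant IDs and tokens below are constructed; signature verification is assumed
to have happened already and is deliberately out of scope here."""
import base64
import json

# Hypothetical allowlist: the one tenant this application is meant to serve.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def tenant_allowed(claims: dict, allowed=ALLOWED_TENANTS) -> bool:
    """True only if the token's tenant is allowlisted and the issuer names the
    same tenant (AAD v1 and v2 issuer formats), so a token from any other
    Microsoft tenant is rejected even though AAD signed it."""
    tid = claims.get("tid")
    if tid not in allowed:
        return False
    expected_issuers = {
        f"https://login.microsoftonline.com/{tid}/v2.0",  # v2.0 endpoint
        f"https://sts.windows.net/{tid}/",                # v1.0 endpoint
    }
    return claims.get("iss") in expected_issuers


def make_test_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real AAD token)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    own = "11111111-1111-1111-1111-111111111111"
    other = "22222222-2222-2222-2222-222222222222"
    for label, claims in [
        ("own tenant", {"tid": own, "iss": f"https://login.microsoftonline.com/{own}/v2.0"}),
        ("foreign tenant", {"tid": other, "iss": f"https://login.microsoftonline.com/{other}/v2.0"}),
        ("issuer mismatch", {"tid": own, "iss": f"https://sts.windows.net/{other}/"}),
    ]:
        print(label, "->", "allowed" if tenant_allowed(token_claims(make_test_token(claims))) else "rejected")
```

Registering the app as single-tenant in the portal removes the problem at the source; the claim check above is what protects an app that genuinely needs to be multi-tenant, or one whose registration someone later flips.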

2. Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation

Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in attacks targeting unpatched systems. This includes the abuse of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot). CVE-2022-46169 is a critical authentication bypass and command injection flaw in Cacti servers that allows an unauthenticated user to execute arbitrary code. CVE-2021-35394 is an arbitrary command injection vulnerability in the Realtek Jungle SDK that was patched in 2021. At least three different versions of ShellBot have been detected, namely PowerBots (C) GohacK, LiGhT’s Modded perlbot v2, and B0tchZ 0.2a. All three variants are capable of orchestrating distributed denial-of-service (DDoS) attacks. PowerBots (C) GohacK and B0tchZ 0.2a also feature backdoor capabilities to carry out file uploads/downloads and launch a reverse shell. Compromised hosts can be controlled and used as DDoS bots once they receive a command from a C2 server.

3. Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7, released on March 22. Successful exploitation of the high-severity flaw allows an authenticated attacker to take over a WordPress site that has WooCommerce enabled. It lets a malicious user turn on the registration page (if disabled) and set the default user role to administrator, so that any account they then create instantly has administrator privileges. After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site.
The flaw is currently being abused in the wild from several IP addresses, with requests that attempt to upload arbitrary PHP and ZIP archive files.

Recommendation
Users of the Elementor Pro plugin are recommended to update to 3.11.7 or to 3.12.0, the latest version at the time of writing, as soon as possible to mitigate potential threats.

4. Researchers Detail Severe “Super FabriXss” Vulnerability in Microsoft Azure SFX

Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Tracked as CVE-2023-23383 (CVSS score: 8.2), the issue has been dubbed “Super FabriXss” by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. The Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication. XSS is a kind of client-side code injection attack that makes it possible to inject malicious scripts into otherwise trusted websites. The scripts then get executed every time a victim visits the compromised website, leading to unintended consequences.
The attack takes advantage of the Cluster Type Toggle options under the Events Tab in the Service Fabric platform, which allow an attacker to overwrite an existing Compose deployment by triggering an upgrade via a specially crafted URL that exploits the XSS vulnerability.

5. AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services

A new “comprehensive toolset” called AlienFox is being distributed on Telegram as a way for threat actors to harvest API keys and secrets from popular cloud service providers. The spread of AlienFox represents a previously unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns. The primary use of AlienFox is to enumerate misconfigured hosts via scanning platforms like LeakIX and SecurityTrails, and then leverage various scripts in the toolkit to extract credentials from configuration files exposed on those servers. Specifically, it searches for susceptible servers running popular web frameworks, including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. Attacks involving AlienFox are said to be opportunistic, with the scripts capable of gathering sensitive data pertaining to AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, Sendgrid, Twilio, Zimbra, and Zoho.
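Because the toolkit works by fetching framework configuration files over HTTP, the defender's signal is in the web server's access log. The example below is added here and is not AlienFox code or anything from the original post: it parses combined-format access log lines (the log lines are constructed samples), flags source IPs that probe for several such files, and, more importantly, reports which sensitive files the server actually served with a 200, since those secrets should then be treated as leaked and rotated. The list of paths is an assumption drawn from the frameworks named above, not the toolkit's own list.

```python
"""Added example: spot config-file harvesting in a web access log and list the
files that were actually served. Paths are assumed from the frameworks named
in the post; log lines are constructed samples."""
import re
from collections import defaultdict

# Config files an opportunistic harvester asks for on the named frameworks
# (assumed list for this example, not taken from the toolkit).
SENSITIVE_PATHS = (
    "/.env",                        # Laravel and many PHP apps
    "/wp-config.php",               # WordPress
    "/configuration.php",           # Joomla
    "/app/etc/env.php",             # Magento 2
    "/config/settings.inc.php",     # PrestaShop 1.6
    "/sites/default/settings.php",  # Drupal
    "/.git/config",                 # repo metadata, often leads to more secrets
)

# Combined log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one host sweeping for config files and actually
# getting /.env, one ordinary visitor with a single stray probe.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2023:10:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2023:10:00:02 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2023:10:00:03 +0000] "GET /vendor/.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Apr/2023:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Apr/2023:10:00:06 +0000] "GET /.env?x=1 HTTP/1.1" 404 162 "-" "curl/7.88"
"""


def parse(log: str):
    """Yield (ip, path without query string, status) for each parsable line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"].split("?", 1)[0], int(m["status"])


def is_sensitive(path: str) -> bool:
    # Match the file at the web root or nested (e.g. /vendor/.env).
    return any(path == p or path.endswith(p) for p in SENSITIVE_PATHS)


def probes_by_ip(log: str) -> dict:
    """Map each source IP to the sensitive (path, status) pairs it requested."""
    hits = defaultdict(list)
    for ip, path, status in parse(log):
        if is_sensitive(path):
            hits[ip].append((path, status))
    return dict(hits)


def flag_scanners(log: str, threshold: int = 2) -> list:
    """IPs that requested at least `threshold` distinct sensitive paths."""
    flagged = []
    for ip, hits in probes_by_ip(log).items():
        distinct = len({p for p, _ in hits})
        if distinct >= threshold:
            flagged.append((ip, distinct))
    return sorted(flagged)


def exposed_files(log: str) -> set:
    """Sensitive paths answered with 200: the secrets inside are now leaked."""
    return {p for _, p, s in parse(log) if is_sensitive(p) and s == 200}


if __name__ == "__main__":
    print("scanners:", flag_scanners(SAMPLE_LOG))
    print("served config files:", exposed_files(SAMPLE_LOG))
```

A single 404 for /.env from an otherwise normal visitor is noise; several distinct config paths from one source is a sweep, and any 200 on this list is an incident regardless of who requested it. The durable fix is to keep these files out of the document root or deny them in the web server configuration, so that the response is never 200 in the first place.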

6. ALPHV Ransomware Exploits Veritas Backup Exec Bugs For Initial Access

An ALPHV/BlackCat ransomware affiliate was observed exploiting three vulnerabilities in the Veritas Backup Exec product for initial access to the target network. Mandiant tracks the ALPHV affiliate as ‘UNC4466’ and notes that the method is a deviation from the typical intrusion, which relies on stolen credentials.
The high-severity flaws targeted by UNC4466 are:

  • CVE-2021-27876: Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
  • CVE-2021-27877: Remote unauthorized access and privileged command execution on the BE Agent via SHA authentication. (CVSS score: 8.2)
  • CVE-2021-27878: Arbitrary command execution flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to execute commands on vulnerable endpoints. (CVSS score: 8.8)

All three flaws impact the Veritas Backup Exec software. The vendor disclosed them in March 2021 and released a fix in version 21.2. However, despite more than two years having passed since then, many endpoints remain vulnerable because they have not been updated to a safe version.

7. Microsoft Tightens OneNote Security by Auto-Blocking 120 Risky File Extensions

Microsoft has announced plans to automatically block embedded files with “dangerous extensions” in OneNote, following reports that the note-taking service is being increasingly abused for malware delivery. Until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files. That is going to change going forward. Microsoft said it intends to prevent users from directly opening an embedded file with a dangerous extension and to display the message: “Your administrator has blocked your ability to open this file type in OneNote.” The update is expected to start rolling out with Version 2304 later this month and only affects OneNote for Microsoft 365 on devices running Windows. Users who still want to open the embedded file can do so by first saving it locally to their device and then opening it from there.
