10/25/2023-11/01/2023 F5 Issues Warning, Malicious NuGet Packages, Critical Confluence Vulnerability And More.

1. F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution

F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.  This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10. As mitigations, F5 has also made available a shell script for users of BIG-IP versions 14.1.0 and later. The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that can lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system, noting it’s “closely related to CVE-2022-26377.”

2. Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. These packages, which span several versions, imitate popular packages and exploit NuGet’s MSBuild integrations feature in order to implant malicious code on their victims, a feature called inline tasks to achieve code execution.
This is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware. The now-removed packages exhibit similar characteristics in that the threat actors behind the operation attempted to conceal the malicious code by making use of spaces and tabs to move it out of view of the default screen width. As previously disclosed by Phylum, the packages also have artificially inflated downloaded counts to make them appear more legitimate. The ultimate goal of the decoy packages is to act as a conduit for retrieving a second-stage .NET payload hosted on a throwaway GitHub repository.

3. Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss

Atlassian has warned of a critical security flaw in Confluence Data Center and Server that could result in “significant data loss if exploited by an unauthenticated attacker.” Tracked as CVE-2023-22518, the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an instance of “improper authorization vulnerability.” All versions of Confluence Data Center and Server are susceptible to the bug, and it has been addressed in the following versions: 7.19.16 or later; 8.3.4 or later; 8.4.4 or later; 8.5.3 or later, and 8.6.1 or later. Atlassian is also urging customers to take immediate action to secure their instances, recommending those that are accessible to the public internet be disconnected until a patch can be applied. What’s more, users who are running versions that are outside of the support window are advised to upgrade to a fixed version. Atlassian Cloud sites are not affected by the issue.

4. Alert: PoC Exploits Released for Citrix and VMware Vulnerabilities

Virtualization services provider VMware has alerted customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs. Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability relates to a case of authentication bypass that could lead to remote code execution. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution. It’s worth noting that CVE-2023-34051 is a patch bypass for a set of critical flaws that were addressed by VMware earlier this January that could expose users to remote code execution attacks. The disclosure comes as Citrix released an advisory of its own, urging customers to apply fixes for CVE-2023-4966 (CVSS score: 9.4), a critical security vulnerability affecting NetScaler ADC and NetScaler Gateway that has come under active exploitation in the wild. 

5. Exploit Released For Critical Cisco IOS XE Flaw, Many Hosts Still Hacked

Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198 that was leveraged as a zero-day to hack tens of thousands of devices. Cisco released patches for most releases of its IOS XE software but thousands of systems continue to be compromised, internet scans show. The creation of the exploit was possible using information captured from a honeypot set up by SECUINFRA’s team for digital forensics and incident response engagements. Horizon3.ai explains that an attacker can encode an HTTP request to the Web Services Management Agent (WMSA) service in iosd – a powerful binary in Cisco’s IOS XE that can generate the configuration file for OpenResty (an Nginx-based server with support Lua scripting) used by the webui service vulnerable to CVE-2023-20198. The WSMA allows executing commands through SOAP requests, including ones that give access to the configuration feature that enables creating a user with full privileges on the system. The researchers note that from this point an attacker has full control over the device and could write malicious implants to disk without needing to exploit another vulnerability. Cisco has updated its security bulletin for CVE-2023-20198 on October 30, announcing updates for IOS XE that address the vulnerability.

6. EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations. The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023. A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are programmatically cloning and scanning the repositories to capture the exposed keys. The adversary has also been observed blocklisting AWS accounts that publicize IAM credentials in what’s likely seen as an effort to prevent further analysis. 
To mitigate the attacks, organizations that accidentally expose AWS IAM credentials are recommended to immediately revoke any API connections using the keys, remove them from the GitHub repository, and audit GitHub repository cloning events for any suspicious operations.