Programmer’s Digest #59

11/23/2023-11/29/2023: Google Chrome Under Active Attack Exploiting a New Vulnerability, a Critical ownCloud Flaw, Bugs in Routers and NVRs Used for Massive DDoS Attacks, and More.

1. Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability

Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild. Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library.
Google confirmed that an exploit for CVE-2023-6345 exists but disclosed few details. A similar Skia flaw (CVE-2023-2136) was actively exploited earlier this year, and the new bug may be related to it. Six zero-days in Chrome have been patched this year, including critical type confusion and buffer overflow vulnerabilities. To stay protected, update to Chrome version 119.0.6045.199/.200 on Windows and 119.0.6045.199 on macOS and Linux.

2. Hackers Can Exploit ‘Forced Authentication’ to Steal Windows NTLM Tokens

Security researchers identified a severe case of “forced authentication” that abuses Microsoft Access files to leak a user’s NTLM tokens on Windows systems. By tricking victims into opening manipulated .accdb or .mdb files, attackers can cause the victim’s machine to send NTLM tokens to their servers automatically, over any TCP port, such as port 80. The attack abuses a legitimate Access feature, linking to external data sources, to deliver these tokens to a malicious server, potentially enabling relay attacks within an organization.
Attackers embed a link to a remote SQL Server inside an .accdb file, which is in turn embedded in an MS Word document using Object Linking and Embedding (OLE). When victims open the document and interact with the linked table, their client authenticates to the attacker’s server, enabling a relay attack against the organization’s NTLM-based services. NTLM, a legacy user-authentication protocol, is known to be susceptible to brute-force and relay attacks, which makes exploits of this kind a serious concern for system security.
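A defender-side check in the spirit of this item, added here and not taken from the original digest or from the researchers: it decodes the NTLMSSP header from HTTP Authorization values in constructed proxy log lines and flags any NTLM message sent to a host outside an assumed internal allowlist, including on port 80 as described above. The log format, allowlist, and sample lines are assumptions made for the example.

```python
import base64
import ipaddress
import re

# Where NTLM authentication is legitimately expected (constructed allowlist for this example).
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
NTLM_MAGIC = b"NTLMSSP\x00"  # fixed 8-byte signature of every NTLMSSP message
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Constructed proxy-log shape: <src> <dst>:<port> "Authorization: <value>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) "Authorization: (?P<auth>[^"]*)"$')
def is_internal(host):
    """True for an internal IP address or a host under an internal DNS suffix."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)

def ntlm_message_type(auth_value):
    """NTLMSSP MessageType (1/2/3) carried by an 'NTLM <b64>' or 'Negotiate <b64>' value, else None."""
    m = re.match(r"^(NTLM|Negotiate)\s+([A-Za-z0-9+/=]+)$", auth_value.strip())
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return None
    if len(blob) < 12 or not blob.startswith(NTLM_MAGIC):
        return None  # SPNEGO-wrapped Kerberos or anything else that is not raw NTLMSSP
    return int.from_bytes(blob[8:12], "little")

def find_external_ntlm(log_lines):
    """Return (src, dst, port, type_name) for every NTLM message sent to a non-internal host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        mtype = ntlm_message_type(m.group("auth")) if m else None
        if mtype is not None and not is_internal(m.group("dst")):
            hits.append((m.group("src"), m.group("dst"), int(m.group("port")), NTLM_TYPES.get(mtype, str(mtype))))
    return hits

def ntlm_b64(msg_type):
    """Minimal NTLMSSP header (signature + type + zero padding), used only for the constructed sample."""
    return base64.b64encode(NTLM_MAGIC + msg_type.to_bytes(4, "little") + bytes(24)).decode()
SAMPLE_LOG = [  # constructed log lines, not captured traffic
    f'10.1.2.3 fileserver.corp.example:445 "Authorization: NTLM {ntlm_b64(3)}"',  # expected internally
    f'10.1.2.3 203.0.113.7:80 "Authorization: NTLM {ntlm_b64(1)}"',  # client starts NTLM with an outside host
    f'10.1.2.3 203.0.113.7:80 "Authorization: NTLM {ntlm_b64(3)}"',  # credentials sent out on port 80
    '10.1.2.3 203.0.113.7:80 "Authorization: Bearer not-an-ntlm-token"',  # ignored, not NTLM
]
```

Running `find_external_ntlm(SAMPLE_LOG)` returns the two messages to 203.0.113.7 and nothing for the internal file server or the Bearer token.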

3. Hackers Start Exploiting Critical OwnCloud Flaw, Patch Now

Hackers are exploiting a critical ownCloud vulnerability, tracked as CVE-2023-49103, that exposes admin passwords, mail server credentials, and license keys in containerized deployments. It is one of three recently disclosed flaws and received the maximum CVSS severity score of 10.0, because it allows a remote threat actor to execute phpinfo() through the ownCloud ‘graphapi’ app, which reveals the server’s environment variables, including any credentials stored in them. The other two vulnerabilities are:

  • CVE-2023-49105 (CVSS score: 9.8) – WebDAV API authentication bypass using pre-signed URLs, impacting core versions from 10.6.0 to 10.13.0.
  • CVE-2023-49104 (CVSS score: 9.0) – Subdomain validation bypass impacting oauth2 prior to version 0.6.1.

4. Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks

An ongoing malware campaign exploits two undisclosed vulnerabilities that enable remote code execution to enlist routers and video recorders in a Mirai-based DDoS botnet. Akamai detected the campaign, which targets devices with default credentials to install Mirai variants; details are being withheld while patches are prepared. Akamai first spotted the attacks against its honeypots in late October 2023. Named “InfectedSlurs,” the botnet employs racially charged language in its control servers, and Akamai linked it to Mirai variants such as hailBot and JenX. Additionally, Akamai highlighted a web shell called wso-ng, an advanced tool used for data theft, lateral movement, and persistence that poses significant risk to affected organizations. Off-the-shelf web shells of this kind complicate attribution and are also used for cyber espionage.

5. GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

A critical vulnerability (CVE-2023-46604) in Apache ActiveMQ is being actively exploited by threat actors, including the Lazarus Group, to deploy the GoTitan botnet and the PrCtrl RAT. The flaw allows remote code execution and scores 10.0 on CVSS. Once a server is breached, attackers drop their payloads, with GoTitan orchestrating DDoS attacks over various protocols. Notably, GoTitan is built for x64 architectures and writes a debug log (‘c.log’), suggesting it is still in an early stage of development. Fortinet also observed attacks deploying the Ddostf DDoS botnet, Kinsing cryptojacking malware, and the Sliver command-and-control framework on susceptible Apache ActiveMQ servers. Users are urged to patch the Apache ActiveMQ vulnerability promptly to mitigate these threats.