Programmer’s Digest #69

01/31/2024-02/07/2024 Critical JetBrains Security Flaw, New Flaws in Azure, Cloudflare Breach And More.

1. Critical JetBrains TeamCity On-Premises Flaw Exposes Servers to Takeover – Patch Now

JetBrains has warned of a critical security flaw (CVE-2024-23917, CVSS 9.8) in its TeamCity On-Premises software that could allow attackers to seize control of vulnerable instances. An attacker with HTTP(S) access to a server could bypass authentication and gain administrative control. The vulnerability affects versions 2017.1 through 2023.11.2 and is fixed in 2023.11.3. It was reported by an external researcher on January 19, 2024. Users who cannot update can apply JetBrains' security patch plugin, and JetBrains suggests temporarily blocking public access to any server that cannot be patched immediately. There is no known exploitation so far, but a similar flaw disclosed last year (CVE-2023-42793) was actively exploited by ransomware gangs and state-sponsored groups soon after disclosure.

2. Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services

Three security vulnerabilities in Azure HDInsight’s Apache Hadoop, Kafka, and Spark services allow privilege escalation and a regular expression denial-of-service (ReDoS).

Orca Security researcher Lidor Ben Shitrit reported the flaws, which include:

  • CVE-2023-36419 (CVSS: 8.8) – Apache Oozie XXE Injection Elevation of Privilege;
  • CVE-2023-38156 (CVSS: 7.2) – Apache Ambari JDBC Injection Elevation of Privilege;
  • Apache Oozie ReDoS Vulnerability.

Attackers could exploit the two privilege escalation flaws to gain administrator privileges by crafting network requests. The XXE flaw permits reading files as root and escalating privileges, while the JDBC injection flaw can be used to obtain a reverse shell as root. The ReDoS vulnerability arises from inadequate input validation: a crafted input drives the regular-expression engine into an intensive backtracking loop, which attackers can use to trigger a denial of service that disrupts operations, degrades performance, and affects service availability and reliability. Microsoft released fixes on October 26, 2023, following responsible disclosure.

3. Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation

Ivanti Connect Secure and Policy Secure products are under mass exploitation of a recently disclosed SSRF vulnerability (CVE-2024-21893, CVSS 8.2) that allows unauthenticated access to restricted resources. The Shadowserver Foundation observed over 170 IP addresses attempting to exploit it to establish a reverse shell. The flaw, which also affects Ivanti Neurons for ZTA, lets attackers bypass authentication, and exploitation has surged since Rapid7 published a proof-of-concept (PoC) exploit. Chained with the previously patched command injection flaw CVE-2024-21887, it yields unauthenticated remote code execution. Notably, CVE-2024-21893 is effectively a duplicate of CVE-2023-36661, a bug in the Shibboleth XMLTooling library that was fixed upstream in June 2023, a reminder that Ivanti VPN appliances ship outdated open-source components that expose them to already-fixed vulnerabilities. Ivanti has released a second mitigation and begun shipping official patches. Separately, Mandiant reports that threat actors are exploiting CVE-2023-46805 and CVE-2024-21887 to deploy custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.

4. Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs

Cloudflare has disclosed a likely nation-state attack in which an intruder gained unauthorized access to its internal Atlassian server and exposed documents and source code between November 14 and 24, 2023. The sophisticated actor aimed to establish a persistent foothold in Cloudflare's network. In response, Cloudflare rotated over 5,000 production credentials, segmented its systems, and conducted forensic triage on 4,893 systems. During a four-day reconnaissance period the attacker browsed the Atlassian Confluence wiki and Jira bug tracker, then established persistent access and ultimately viewed 120 code repositories, of which 76 were exfiltrated. The repositories related to backups, network configuration, identity management, remote access, and infrastructure management tooling. The attacker also tried, unsuccessfully, to access a console server in São Paulo. The intrusion was enabled by credentials, including AWS and Atlassian credentials, that had been stolen in the October 2023 compromise of Okta's support system and that Cloudflare had failed to rotate promptly. Cloudflare terminated the attacker's connections on November 24, 2023, and engaged CrowdStrike for an independent assessment.

5. FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

The FritzFrog threat actor has reemerged with a new variant that uses the Log4Shell vulnerability to spread within compromised networks. According to Akamai, the malware sprays Log4Shell payloads at hosts in a brute-force manner, targeting any vulnerable Java application it can reach. FritzFrog originally relied on weak SSH credentials; it has since expanded its targets to the healthcare, education, and government sectors, deploying cryptocurrency miners. Unlike prior versions, the latest variant goes after internal hosts, betting that unpatched, neglected internal machines will still be exploitable long after the perimeter has been fixed. It also improves its SSH brute-force logic and uses CVE-2021-4034 (PwnKit) for local privilege escalation. To evade detection, it avoids writing files to disk, using /dev/shm and memfd_create to keep payloads memory-resident, a technique shared with other Linux-based malware.

6. Exposed Docker APIs Under Attack in ‘Commando Cat’ Cryptojacking Campaign

Exposed Docker API endpoints are the target of a cryptojacking campaign named Commando Cat, which gains its initial foothold by deploying a benign container generated with the open-source Commando project. Active since the start of 2024, it is the second such campaign within months, after one that deployed XMRig and the 9Hits Viewer on Docker hosts. Commando Cat breaks into Docker instances to execute payloads, including backdoors and miners, and checks for specific running services before proceeding. Payloads delivered from the C2 server add SSH keys, create rogue users, and exfiltrate credentials. They are fetched and executed with curl or wget, with /dev/shm used to stay off disk and complicate forensics. The attack concludes with a Base64-encoded script that eliminates competing miners and then deploys XMRig.
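Both FritzFrog and Commando Cat stage payloads in /dev/shm or memfd_create-backed file descriptors so that nothing touches a persistent filesystem. The script below is an added example for this digest, not code from Akamai, Cado, or either malware family. It flags Linux processes whose main executable, or any executable mapping, is backed by memfd, by a tmpfs shared-memory path, or by a file unlinked after exec. It operates on the text of /proc/<pid>/exe link targets and /proc/<pid>/maps, so it can run on a live host or, as here, on constructed sample records (the PIDs, paths and mapping addresses are made up for illustration).

```python
"""Flag Linux processes whose code is not backed by an ordinary on-disk file.

Added example, not part of the digest's sources or of any malware sample.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# memfd_create() executables appear in /proc/<pid>/exe as "/memfd:<name> (deleted)".
MEMFD_RE = re.compile(r"^/memfd:")
# A binary that was unlinked after exec keeps its old path plus " (deleted)".
DELETED_RE = re.compile(r" \(deleted\)$")
# tmpfs-backed shared-memory locations commonly used to stage fileless payloads.
TMPFS_PREFIXES = ("/dev/shm/", "/run/shm/")


@dataclass
class Finding:
    pid: int
    reason: str
    path: str


def classify_path(path: str) -> Optional[str]:
    """Return why `path` looks like a memory-only executable, or None if it is ordinary."""
    if MEMFD_RE.match(path):
        return "memfd_create-backed executable"
    if path.startswith(TMPFS_PREFIXES):
        return "executable under tmpfs path"
    if DELETED_RE.search(path):
        return "executable unlinked after exec"
    return None


def executable_maps(maps_text: str) -> List[str]:
    """Extract the backing paths of executable (x) mappings from /proc/<pid>/maps text."""
    paths = []
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname; pathname may hold spaces
        # such as " (deleted)", so split at most five times.
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no backing file
        perms, path = parts[1], parts[5]
        if "x" in perms and path.startswith("/"):
            paths.append(path)
    return paths


def scan_process(pid: int, exe_target: str, maps_text: str) -> List[Finding]:
    """Check one process's exe link target and its executable mappings."""
    findings = []
    seen = set()
    for path in [exe_target] + executable_maps(maps_text):
        if path in seen:
            continue
        seen.add(path)
        reason = classify_path(path)
        if reason:
            findings.append(Finding(pid, reason, path))
    return findings


def scan_live(proc_root: str = "/proc") -> List[Finding]:
    """Walk a live procfs; processes that exit or deny access mid-scan are skipped."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc_root}/{entry}/exe")
            with open(f"{proc_root}/{entry}/maps") as fh:
                maps = fh.read()
        except OSError:
            continue
        findings.extend(scan_process(int(entry), exe, maps))
    return findings


# Constructed sample records (not captured from a real infection): a normal sshd,
# a memfd-backed payload, and a miner run from /dev/shm and then unlinked.
SAMPLE_PROCS: Dict[int, Tuple[str, str]] = {
    1234: ("/usr/sbin/sshd",
           "55d3c0000000-55d3c0100000 r-xp 00000000 08:01 1310720 /usr/sbin/sshd\n"
           "7f2a00000000-7f2a00200000 r-xp 00000000 08:01 1049 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
           "7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]\n"),
    4242: ("/memfd:payload (deleted)",
           "7f8b10000000-7f8b10300000 r-xp 00000000 00:01 12345 /memfd:payload (deleted)\n"
           "7f8b20000000-7f8b20200000 r-xp 00000000 08:01 1049 /usr/lib/x86_64-linux-gnu/libc.so.6\n"),
    4243: ("/dev/shm/.x/xmrig (deleted)",
           "5600a0000000-5600a0400000 r-xp 00000000 00:1a 99 /dev/shm/.x/xmrig (deleted)\n"),
}


def scan_samples() -> List[Finding]:
    """Run the detector over the constructed records above."""
    findings = []
    for pid, (exe, maps) in SAMPLE_PROCS.items():
        findings.extend(scan_process(pid, exe, maps))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"pid {f.pid}: {f.reason}: {f.path}")
```

Run it as root on a suspect host with `scan_live()` to cover every process; unprivileged runs silently skip processes whose /proc entries they cannot read, so an empty result from a non-root shell proves nothing. Legitimate software occasionally trips the "unlinked after exec" rule (a daemon left running across a package upgrade), so treat that reason as a lead to triage, while memfd- and /dev/shm-backed executables on a server deserve immediate attention.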
