Programmer’s Digest #70
02/07/2024-02/14/2024 Ivanti Vulnerability, CISA and OpenSSF Release Framework, New Ivanti Auth Bypass Flaw And More.
1. Ivanti Vulnerability Exploited to Install ‘DSLog’ Backdoor on 670+ IT Infrastructures
Threat actors are exploiting a recent security flaw in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor named DSLog. Orange Cyberdefense observed exploitation of CVE-2024-21893 shortly after proof-of-concept code was released. This vulnerability, disclosed alongside CVE-2024-21888, is a server-side request forgery (SSRF) flaw that can grant unauthorized access to restricted resources. Ivanti confirmed limited targeted attacks, but the scale remains uncertain; the Shadowserver Foundation reported a surge in exploitation attempts from over 170 IP addresses. Compromises have been detected since February 3, with attackers injecting DSLog into a Perl file to obtain persistent remote access. DSLog uses a unique hash per appliance, which complicates detection; attackers supply that hash in HTTP requests to execute commands. They also erase the “.access” logs to evade detection. By analyzing artifacts left behind by exploitation of the SSRF vulnerability, Orange Cyberdefense initially identified 670 compromised assets, a figure that had fallen to 524 by February 7.
2. CISA and OpenSSF Release Framework for Package Repository Security
CISA is collaborating with the Open Source Security Foundation (OpenSSF) to release a framework named Principles for Package Repository Security. This framework, developed by OpenSSF’s Securing Software Repositories Working Group, aims to fortify package repositories and enhance security in open-source software ecosystems. It introduces four security maturity levels covering authentication, authorization, general capabilities, and command-line interface (CLI) tooling. The levels range from basic security measures like multi-factor authentication (MFA) to advanced protocols such as requiring MFA for all maintainers and supporting package build provenance. All package management ecosystems should strive for at least Level 1 security. The framework enables package repositories to assess their security maturity and implement necessary improvements over time to combat evolving security threats effectively.
3. Warning: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways
Ivanti warns of a critical security flaw (CVE-2024-22024) affecting Connect Secure, Policy Secure, and ZTA gateway devices that could enable authentication bypass. The vulnerability, rated 8.3 out of 10 on the CVSS scale, stems from an XML external entity (XXE) issue in the SAML component. Affected versions include Connect Secure 9.x and 22.x, Policy Secure 9.x and 22.x, and ZTA 22.x; patches are available for all of them. While there is no evidence of active exploitation, given the recent abuse of similar vulnerabilities, users are urged to apply the patches promptly. The flaw was reported to Ivanti by cybersecurity firm watchTowr, which highlighted potential impacts such as denial of service (DoS), local file read, and server-side request forgery (SSRF), depending on which protocols are available.
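The bug class in item 3 is XXE in a SAML parser. As an added illustration (not Ivanti's code, nor a description of its fix), the following Python shows the usual hardening for a SAML service provider: refuse any message carrying a DOCTYPE before the XML parser sees it, so no external entity can be resolved. The SAML responses, the entity name and the placeholder URL are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# A SAML message never legitimately carries a DOCTYPE, and every ENTITY
# declaration lives inside one, so rejecting it up front blocks XXE outright.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeSamlMessage(ValueError):
    """Raised when a SAML message carries markup that could trigger XXE."""


def parse_saml_subject(raw: bytes) -> str:
    """Return the assertion subject's NameID, refusing XXE-capable input.

    Because the DOCTYPE is rejected before parsing, no external entity can be
    fetched (no local file read, no outbound SSRF request, no expansion DoS),
    whichever XML backend handles the document afterwards.
    """
    if _DOCTYPE_RE.search(raw):
        raise UnsafeSamlMessage("DOCTYPE/entity declarations are not allowed")
    root = ET.fromstring(raw)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise UnsafeSamlMessage("assertion has no subject NameID")
    return name_id.text.strip()


# Constructed sample: a minimal, unsigned SAML response used only for the check.
BENIGN_RESPONSE = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same response with a DOCTYPE declaring an external
# entity (placeholder URL); a parser that resolved it would fetch that resource.
XXE_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [ <!ENTITY ext SYSTEM "http://idp.invalid/PLACEHOLDER"> ]>
""" + BENIGN_RESPONSE.split(b"\n", 1)[1].replace(b"alice@example.test", b"&ext;")


def is_rejected(raw: bytes) -> bool:
    """True when parse_saml_subject refuses the message as XXE-capable."""
    try:
        parse_saml_subject(raw)
    except UnsafeSamlMessage:
        return True
    return False
```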
4. Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products
Cisco, Fortinet, and VMware have issued security patches for various vulnerabilities, including critical ones enabling arbitrary actions on affected devices. Cisco disclosed three flaws (CVE-2024-20252, CVE-2024-20254, CVE-2024-20255) in Expressway Series, allowing CSRF attacks. Exploitation could lead to unauthorized actions, including modifying configurations. Fortinet addressed bypasses for a critical FortiSIEM supervisor flaw (CVE-2023-34992) with two new vulnerabilities (CVE-2024-23108, CVE-2024-23109), allowing remote code execution. VMware reported five moderate-to-important flaws in Aria Operations for Networks, involving local privilege escalation and cross-site scripting vulnerabilities. Upgrading to specified versions mitigates risks across all platforms.
5. DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability
A zero-day vulnerability in Microsoft Defender SmartScreen has been exploited by an advanced persistent threat group known as Water Hydra (aka DarkCasino) to target financial traders. Trend Micro discovered the campaign in December 2023; it relies on CVE-2024-21412, a security-feature bypass in Internet Shortcut Files (.URL) that evades SmartScreen to deliver the DarkMe malware. Microsoft patched the flaw in February. The attack requires convincing the victim to click a booby-trapped URL that downloads a malicious installer; the technique abuses the search: application protocol and chains nested internet shortcut files to slip past SmartScreen. The end goal is to deploy DarkMe, a Visual Basic trojan that allows remote control and data exfiltration. Cybercrime groups exploiting zero-days reflects their increasing sophistication: Water Hydra's ability to discover and exploit zero-days indicates a merging of cybercrime and nation-state hacking tactics.
6. Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days
Microsoft’s February Patch Tuesday addresses 73 security flaws, including two zero-days, one of which Water Hydra exploited against financial traders. Notably, CVE-2024-21351 allows code injection into SmartScreen and CVE-2024-21412 allows its security checks to be bypassed; successful exploitation of either requires convincing users to open malicious files. Water Hydra exploits CVE-2024-21412 in a zero-day attack chain. The update also covers five critical flaws, including remote code execution vulnerabilities in Microsoft Exchange Server and Outlook. Also patched is CVE-2023-50387, named KeyTrap, a 24-year-old design flaw in DNSSEC that can be abused to cause denial of service. Users are urged to apply the patches promptly to mitigate these risks.