
Programmer’s Digest #61

12/06/2023-12/13/2023 New Critical RCE Vulnerability, SLAM Attack, Atlassian Releases Critical Software Fixes And More.

1. New Critical RCE Vulnerability Discovered in Apache Struts 2 – Patch Now

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in flawed file upload logic that could enable unauthorized path traversal and, under certain circumstances, be exploited to upload a malicious file and achieve execution of arbitrary code. Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software:

  • Struts 2.3.37 (EOL)
  • Struts 2.5.0 – Struts 2.5.32, and
  • Struts 6.0.0 – Struts 6.3.0

Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.
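The advisory above describes a file upload path that trusts a client-supplied name enough to let it walk out of the upload directory. The following is an added illustration in Python, not Apache Struts code and not the patched Struts logic: it places the weak pattern (joining the client name straight onto the upload root) next to a hardened handler that accepts only a single safe path component and then re-checks containment. The upload directory is an assumed path.

```python
"""Added example: hardening an upload handler against path traversal.

Illustrative Python, not Apache Struts code. It shows the class of check the
advisory's "file upload logic" needed. UPLOAD_ROOT is an assumed path.
"""
import re
from pathlib import Path

UPLOAD_ROOT = Path("/srv/app/uploads")  # assumed upload directory

# One path component only: no separators, no NUL, no leading dot (blocks "..").
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def naive_target(client_name: str, root: Path = UPLOAD_ROOT) -> Path:
    """The weak pattern: the client-supplied name is trusted as a path.

    pathlib joins an absolute right-hand side by discarding the root, and
    '../' segments walk out of it, so this function exists only for contrast.
    """
    return root / client_name


def is_contained(path: Path, root: Path = UPLOAD_ROOT) -> bool:
    """True if `path` resolves to `root` itself or to something beneath it."""
    root = root.resolve(strict=False)
    resolved = path.resolve(strict=False)
    return resolved == root or root in resolved.parents


def sanitize_upload_name(client_name: str) -> str:
    """Reduce a client-supplied filename to one safe path component.

    Rejects (rather than silently rewrites) anything that could escape the
    upload directory, so attempts stay visible in application logs.
    """
    if "\x00" in client_name or "/" in client_name or "\\" in client_name:
        raise ValueError("separator or NUL in filename")
    if not SAFE_NAME.fullmatch(client_name):
        raise ValueError("filename contains disallowed characters")
    return client_name


def rejects(client_name: str) -> bool:
    """Helper: does the sanitizer refuse this name?"""
    try:
        sanitize_upload_name(client_name)
    except ValueError:
        return True
    return False


def resolve_upload_target(client_name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Hardened pattern: validate the name, then re-check containment."""
    target = root / sanitize_upload_name(client_name)
    # Defence in depth: SAFE_NAME should make this impossible, but the
    # containment check stays so a future relaxation of the regex is caught.
    if not is_contained(target, root):
        raise ValueError("resolved path escapes upload root")
    return target


if __name__ == "__main__":
    for name in ["report.pdf", "../../etc/passwd", "/etc/passwd", "a\\b.txt"]:
        print(f"{name!r:22} naive contained={is_contained(naive_target(name))!s:5} "
              f"hardened rejects={rejects(name)}")
```

The containment check is deliberately kept even though the allowlist regex already makes traversal impossible: it is the control that survives when someone later loosens the regex to admit spaces or Unicode names.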

2. SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs

A new side-channel attack called SLAM has been disclosed. It could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm. SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data. The attack builds on LAM (Intel's Linear Address Masking, which lets software store metadata in the upper bits of a pointer). While LAM is presented as a security feature, the study found that it ironically degrades security and “dramatically” increases the Spectre attack surface, resulting in a transient execution attack that exploits speculative execution to extract sensitive data via a cache covert channel. Described as the first transient execution attack targeting future CPUs, SLAM takes advantage of a new covert channel based on non-canonical address translation that facilitates the practical exploitation of generic Spectre gadgets to leak valuable information.

It impacts the following CPUs:

  • Existing AMD CPUs vulnerable to CVE-2020-12965;
  • Future Intel CPUs supporting LAM (both 4- and 5-level paging);
  • Future AMD CPUs supporting UAI (Upper Address Ignore) and 5-level paging;
  • Future Arm CPUs supporting TBI (Top Byte Ignore) and 5-level paging.

3. WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability

WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites. According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor. A threat actor able to exploit a PHP object injection vulnerability present in any other plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site. If a POP (property-oriented programming) chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. In a similar advisory released by Patchstack, the company said an exploitation chain has been made available on GitHub as of November 17 and added to the PHP Generic Gadget Chains (PHPGGC) project. Users are recommended to manually check their sites to ensure they are updated to the latest version.

4. Sierra:21 – Flaws in Sierra Wireless Routers Expose Critical Sectors to Cyber Attacks

A total of 21 security flaws, collectively named Sierra:21, have been identified in Sierra Wireless AirLink cellular routers and open-source software like TinyXML and OpenNDS. These vulnerabilities impact more than 86,000 devices in critical sectors worldwide, posing a significant cyber threat. Forescout Vedere Labs reveals that devices in the U.S., Canada, Australia, France, and Thailand are predominantly affected. The vulnerabilities could enable attackers to steal credentials, inject malicious code to take control of routers, persist on devices for unauthorized access, and serve as entry points to critical networks. The vulnerabilities have been addressed in ALEOS 4.17.0 (or ALEOS 4.9.9) and OpenNDS 10.1.3, but the outdated TinyXML requires downstream action by affected vendors. Exploitation of these flaws could lead to network disruption, espionage, lateral movement, and deployment of further malware, emphasizing the critical need for prompt mitigation.

5. Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution

Atlassian has issued software patches to address four critical vulnerabilities, each posing a risk of remote code execution:

  • CVE-2022-1471 (CVSS score: 9.8): Deserialization flaw in SnakeYAML library affecting multiple products.
  • CVE-2023-22522 (CVSS score: 9.0): Remote code execution vulnerability in Confluence Data Center and Server (versions 4.0.0 and later).
  • CVE-2023-22523 (CVSS score: 9.8): Remote code execution flaw in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (versions up to 3.2.0-cloud / 6.2.0).
  • CVE-2023-22524 (CVSS score: 9.6): Remote code execution vulnerability in Atlassian Companion app for macOS (versions up to 2.0.0).

Notably, CVE-2023-22522 allows authenticated attackers, even those with anonymous access, to inject unsafe input into Confluence pages for code execution. Additionally, CVE-2023-22524 could enable attackers to execute code by using WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper protections. Users are strongly advised to apply the provided fixes promptly.


Programmer’s Digest #60

11/29/2023-12/06/2023 Repositories on GitHub Vulnerable, UEFI Vulnerabilities, Cloud Pentest 101 And More.

1. 15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack

Recent research identified over 15,000 vulnerable Go module repositories on GitHub at risk of “repojacking.” Jacob Baines, CTO at VulnCheck, highlighted 9,000 repositories vulnerable due to username changes and 6,000 due to account deletion. These repositories encompass at least 800,000 Go module versions. Unlike npm or PyPI, Go modules on GitHub or Bitbucket lack centralized control, making them prone to abuse.
GitHub employs protective measures, like repository namespace retirement, but VulnCheck notes that they are ineffective for Go modules, because modules are cached, which allows the protection to be bypassed.
It’s important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from.
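As an added illustration of the last point, and not VulnCheck's tooling or anything from the research above: the following Python script parses a go.mod, inventories the GitHub accounts the project depends on, flags accounts that have not been reviewed, and checks that every requirement is pinned in go.sum (a recorded hash means a repository whose ownership changed cannot silently serve different bytes for that version). The go.mod and go.sum contents, the hash values and the reviewed-accounts list are all constructed.

```python
"""Added example: auditing go.mod for repojacking exposure.

Not VulnCheck's tooling. The go.mod/go.sum text, the h1: values and the
reviewed-accounts list are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

GO_MOD = """\
module example.com/app

go 1.21

require (
\tgithub.com/alice/logkit v1.4.2
\tgithub.com/bob-old/cli v0.9.1 // indirect
\tgolang.org/x/text v0.14.0
)

require github.com/carol/queue v1.0.0
"""

# Constructed go.sum: bob-old/cli is deliberately missing.
GO_SUM = """\
github.com/alice/logkit v1.4.2 h1:PLACEHOLDER_HASH_A=
github.com/alice/logkit v1.4.2/go.mod h1:PLACEHOLDER_HASH_B=
golang.org/x/text v0.14.0 h1:PLACEHOLDER_HASH_C=
golang.org/x/text v0.14.0/go.mod h1:PLACEHOLDER_HASH_D=
github.com/carol/queue v1.0.0 h1:PLACEHOLDER_HASH_E=
"""

REVIEWED_GITHUB_ACCOUNTS = {"alice", "carol"}  # assumed: accounts the team has vetted

REQ_LINE = re.compile(r"^\s*(\S+)\s+(v\S+)(\s*//.*)?$")


@dataclass
class Requirement:
    path: str
    version: str
    indirect: bool = False


def parse_go_mod(text: str) -> list[Requirement]:
    """Collect require directives, both single-line and block form."""
    reqs, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require ") and not in_block:
            line = line[len("require "):]
        elif not in_block:
            continue
        m = REQ_LINE.match(line)
        if m:
            reqs.append(Requirement(m.group(1), m.group(2), "indirect" in (m.group(3) or "")))
    return reqs


def pinned_versions(go_sum: str) -> set[tuple[str, str]]:
    """(module, version) pairs whose content hash go.sum records."""
    pins = set()
    for line in go_sum.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].startswith("h1:") and not parts[1].endswith("/go.mod"):
            pins.add((parts[0], parts[1]))
    return pins


def audit(go_mod: str, go_sum: str) -> dict[str, list[str]]:
    report = {"github_accounts": [], "unreviewed": [], "unpinned": []}
    pins = pinned_versions(go_sum)
    for req in parse_go_mod(go_mod):
        if (req.path, req.version) not in pins:
            report["unpinned"].append(f"{req.path}@{req.version}")
        parts = req.path.split("/")
        # The second path segment of a github.com module is the account that
        # controls the code; that is what a username change or deletion affects.
        if parts[0] == "github.com" and len(parts) >= 3:
            account = parts[1]
            if account not in report["github_accounts"]:
                report["github_accounts"].append(account)
            if account not in REVIEWED_GITHUB_ACCOUNTS:
                tag = " (indirect)" if req.indirect else ""
                report["unreviewed"].append(f"{req.path}@{req.version}{tag}")
    return report


if __name__ == "__main__":
    for key, items in audit(GO_MOD, GO_SUM).items():
        print(f"{key}: {items}")
```

The reviewed-accounts list is the part a team has to maintain: a module whose GitHub account has been renamed or deleted looks exactly like any other require line, so the import path alone cannot tell you whether the account behind it is still the one you vetted.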

2. CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks

A CACTUS ransomware campaign is leveraging recently disclosed vulnerabilities in the Qlik Sense cloud analytics platform for initial access, marking the first documented instance of such an attack. Arctic Wolf researchers have noted exploitation of three disclosed flaws in the past three months:

  • CVE-2023-41265 (CVSS score: 9.9): An HTTP Request Tunneling vulnerability enabling remote privilege escalation.
  • CVE-2023-41266 (CVSS score: 6.5): A path traversal flaw allowing unauthorized transmission of HTTP requests.
  • CVE-2023-48365 (CVSS score: 9.9): An unauthenticated remote code execution vulnerability stemming from improper validation of HTTP headers.

Arctic Wolf observed attackers exploiting these vulnerabilities to abuse the Qlik Sense Scheduler service, downloading tools for persistence and remote control, including ManageEngine UEMS and AnyDesk. The campaign concludes with CACTUS ransomware deployment and data exfiltration using rclone.

3. LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks

The Unified Extensible Firmware Interface (UEFI) code from multiple independent firmware vendors is susceptible to high-impact vulnerabilities collectively known as LogoFAIL, as identified by Binarly. By exploiting flaws in the embedded image parsing libraries, threat actors can deliver a malicious payload that bypasses security technologies like Secure Boot and Intel Boot Guard. The vulnerabilities, affecting both x86 and ARM devices, allow attackers to inject a malicious logo image into the EFI system partition during the boot phase, delivering persistent malware. Unlike previous exploits, LogoFAIL doesn’t compromise runtime integrity, but it poses a significant risk, impacting major firmware vendors and numerous devices from Intel, Acer, Lenovo, and others.

4. Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under “limited, targeted exploitation” back in October 2023.

The vulnerabilities are as follows –

  • CVE-2023-33063 (CVSS score: 7.8) – Memory corruption in DSP Services during a remote call from HLOS to DSP.
  • CVE-2023-33106 (CVSS score: 8.4) – Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
  • CVE-2023-33107 (CVSS score: 8.4) – Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.

Google’s Threat Analysis Group and Google Project Zero revealed back in October 2023 that the three flaws, along with CVE-2022-22071 (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks. It’s currently not known how these shortcomings have been weaponized, or who is behind the attacks.

5. DJVU Ransomware’s Latest Variant ‘Xaro’ Disguised as Cracked Software

A new variant of the DJVU ransomware, dubbed Xaro by cybersecurity firm Cybereason, is spreading through cracked software. Unlike previous DJVU attacks, Xaro appends the .xaro extension to files, demanding a ransom for decryption. It is distributed as an archive file from dubious sources posing as legitimate freeware sites. Upon opening, it executes a fake installer for CutePDF, actually a pay-per-install malware downloader called PrivateLoader. PrivateLoader contacts a command-and-control server, downloading various malware families like RedLine Stealer and Vidar, in addition to dropping Xaro. This approach aims to ensure attack success, even if security software blocks some payloads. Xaro encrypts files, deploys Vidar infostealer, and demands a $980 ransom, reducing to $490 within 72 hours. The incident highlights the risks of downloading from untrusted sources, emphasizing the use of caution for defending against covertly deployed malware.


Programmer’s Digest #59

11/23/2023-11/29/2023 Google Chrome Under Active Attack, Exploiting New Vulnerability, Critical OwnCloud Flaw, Bugs in Routers and NVRs for Massive DDoS Attacks And More.

1. Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability

Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild. Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library. 
Google confirmed the existence of a dangerous exploit (CVE-2023-6345) but didn’t disclose much. Earlier, a similar flaw (CVE-2023-2136) was actively exploited. This new exploit might be linked. Six zero-days in Chrome have been patched this year, including critical vulnerabilities like type confusion and buffer overflows. To stay safe, update to Chrome version 119.0.6045.199/.200 on Windows and 119.0.6045.199 on macOS and Linux.

2. Hackers Can Exploit ‘Forced Authentication’ to Steal Windows NTLM Tokens

Security researchers identified a severe case of “forced authentication,” exploiting Microsoft Access files to leak a user’s NTLM tokens on Windows systems. By tricking victims into opening manipulated .accdb or .mdb files, attackers can automatically expose NTLM tokens to their servers via any TCP port, like port 80. This attack capitalizes on a legitimate feature allowing data source linking in Access to relay these tokens to a malicious server, potentially enabling relay attacks within an organization.
Attackers embed a remote SQL Server link within an .accdb file inside an MS Word document using Object Linking and Embedding (OLE). When victims open this file and interact with the linked table, their client communicates with the attacker’s server, facilitating a relay attack on the organization’s NTLM server. NTLM, the user authentication protocol involved, is itself susceptible to brute-force and relay attacks, which makes such exploits a real concern for system security.
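From the defender's side, the behaviour described above has a recognisable shape on the endpoint: an Office process opening an outbound TCP connection, on an arbitrary port, to a host that is not part of the corporate network, or to an internal SQL Server nobody sanctioned. The following added example (not code from the researchers, and not tied to any product's event schema) runs that rule over a few constructed network-connection events; the field layout, hostnames, addresses and the list of known SQL Servers are all assumed.

```python
"""Added example: detecting forced-authentication beacons from Office apps.

Not code from the research described above. The event format, hostnames,
addresses and sanctioned-server list are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed corporate address space (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_SQL_SERVERS = {"10.20.5.7"}  # assumed inventory of sanctioned SQL Server hosts
OFFICE_PROCESSES = {"msaccess.exe", "winword.exe", "excel.exe", "outlook.exe"}
SQL_PORTS = {1433, 1434}

# Constructed events: time|host|process|dst_ip|dst_port|proto.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the internet.
SAMPLE_EVENTS = """\
2023-11-27T09:12:03Z|WS-0142|MSACCESS.EXE|203.0.113.9|80|tcp
2023-11-27T09:12:05Z|WS-0142|WINWORD.EXE|10.20.1.15|445|tcp
2023-11-27T09:13:10Z|WS-0142|chrome.exe|203.0.113.9|443|tcp
2023-11-27T09:14:44Z|WS-0077|EXCEL.EXE|198.51.100.23|1433|tcp
2023-11-27T09:15:00Z|WS-0077|MSACCESS.EXE|10.20.5.8|1433|tcp
"""


@dataclass
class Finding:
    severity: str
    host: str
    process: str
    dst: str
    reason: str


def is_internal(ip: str) -> bool:
    """Membership test against the assumed corporate ranges, not is_private()."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events: str) -> list[Finding]:
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        _ts, host, proc, dst_ip, dst_port, proto = line.split("|")
        if proc.lower() not in OFFICE_PROCESSES or proto != "tcp":
            continue
        port = int(dst_port)
        dst = f"{dst_ip}:{port}"
        if not is_internal(dst_ip):
            # An Office client has no business authenticating to the internet
            # directly; a linked table pointing at an attacker host looks like this,
            # whatever port the attacker chose.
            findings.append(Finding("high", host, proc, dst,
                                    "office process connected to external host"))
        elif port in SQL_PORTS and dst_ip not in KNOWN_SQL_SERVERS:
            # Inside the network, the same lure would point at a rogue SQL listener.
            findings.append(Finding("medium", host, proc, dst,
                                    "office process connected to unsanctioned internal SQL server"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.host} {f.process} -> {f.dst}: {f.reason}")
```

Two design points: the rule keys on the originating process rather than on port 445, because the write-up stresses that the authentication can be pushed over any TCP port; and internal ranges are matched explicitly rather than with `is_private()`, which would also classify the documentation ranges used in the sample as private and hide the external hits.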

3. Hackers Start Exploiting Critical OwnCloud Flaw, Patch Now

Hackers are exploiting a critical ownCloud vulnerability tracked as CVE-2023-49103 that exposes admin passwords, mail server credentials, and license keys in containerized deployments. Of the three flaws, CVE-2023-49103 received a maximum CVSS severity score of 10.0, as it allows a remote threat actor to execute phpinfo() through the ownCloud ‘graphapi’ app, which reveals the server’s environment variables, including credentials stored within them. A brief description of the other two vulnerabilities is as follows:

  • CVE-2023-49105 (CVSS score: 9.8) – WebDAV Api Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0.
  • CVE-2023-49104 (CVSS score: 9.0) – Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1.

4. Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks

An ongoing malware campaign exploits two undisclosed vulnerabilities, enabling remote code execution, to enlist routers and video recorders in a Mirai-based DDoS botnet. Akamai, which detected the campaign, says it targets devices with default credentials to install Mirai variants. Details are being withheld until patches are available. The attacks surfaced in late October 2023, when Akamai spotted them against its honeypots. Named “InfectedSlurs,” the botnet employs racially charged language in its control servers. Akamai linked it to Mirai variants like hailBot and JenX. Additionally, the researchers highlighted a web shell called wso-ng, an advanced tool used for data theft, lateral movement, and persistence, posing significant risks to affected organizations. Off-the-shelf web shells complicate attribution and serve cyber espionage motives.

5. GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

A critical vulnerability (CVE-2023-46604) in Apache ActiveMQ is actively exploited by threat actors, including the Lazarus Group, to deploy the GoTitan botnet and PrCtrl Rat. The flaw allows remote code execution, scoring 10.0 on CVSS. Once breached, attackers drop payloads, with GoTitan orchestrating DDoS attacks using various protocols. Notably, it’s designed for x64 architectures, creating a debug log (‘c.log’) indicating early development stages. Fortinet also observed attacks deploying the Ddostf DDoS botnet, Kinsing cryptojacking malware, and the Sliver command-and-control framework on susceptible Apache ActiveMQ servers. Users are urged to address the Apache ActiveMQ vulnerability promptly to mitigate these threats.
