
Programmer’s Digest #55

10/25/2023-11/01/2023 F5 Issues Warning, Malicious NuGet Packages, Critical Confluence Vulnerability And More.

1. F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution

F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution. This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747 and carries a CVSS score of 9.8 out of a maximum of 10. As a mitigation, F5 has also made available a shell script for users of BIG-IP versions 14.1.0 and later. The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that can lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system, noting it’s “closely related to CVE-2022-26377.”

2. Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. These packages, which span several versions, imitate popular packages and exploit NuGet’s MSBuild integrations feature, specifically a feature called inline tasks, in order to implant malicious code on their victims and achieve code execution.
This is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware. The now-removed packages exhibit similar characteristics in that the threat actors behind the operation attempted to conceal the malicious code by making use of spaces and tabs to move it out of view of the default screen width. As previously disclosed by Phylum, the packages also have artificially inflated downloaded counts to make them appear more legitimate. The ultimate goal of the decoy packages is to act as a conduit for retrieving a second-stage .NET payload hosted on a throwaway GitHub repository.

3. Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss

Atlassian has warned of a critical security flaw in Confluence Data Center and Server that could result in “significant data loss if exploited by an unauthenticated attacker.” Tracked as CVE-2023-22518, the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an instance of “improper authorization vulnerability.” All versions of Confluence Data Center and Server are susceptible to the bug, and it has been addressed in the following versions: 7.19.16 or later; 8.3.4 or later; 8.4.4 or later; 8.5.3 or later, and 8.6.1 or later. Atlassian is also urging customers to take immediate action to secure their instances, recommending those that are accessible to the public internet be disconnected until a patch can be applied. What’s more, users who are running versions that are outside of the support window are advised to upgrade to a fixed version. Atlassian Cloud sites are not affected by the issue.

4. Alert: PoC Exploits Released for Citrix and VMware Vulnerabilities

Virtualization services provider VMware has alerted customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs. Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability relates to a case of authentication bypass that could lead to remote code execution. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution. It’s worth noting that CVE-2023-34051 is a patch bypass for a set of critical flaws that were addressed by VMware earlier this January that could expose users to remote code execution attacks. The disclosure comes as Citrix released an advisory of its own, urging customers to apply fixes for CVE-2023-4966 (CVSS score: 9.4), a critical security vulnerability affecting NetScaler ADC and NetScaler Gateway that has come under active exploitation in the wild. 

5. Exploit Released For Critical Cisco IOS XE Flaw, Many Hosts Still Hacked

Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198 that was leveraged as a zero-day to hack tens of thousands of devices. Cisco released patches for most releases of its IOS XE software, but thousands of systems continue to be compromised, internet scans show. The creation of the exploit was possible using information captured from a honeypot set up by SECUINFRA’s team for digital forensics and incident response engagements. Horizon3.ai explains that an attacker can encode an HTTP request to the Web Services Management Agent (WSMA) service in iosd – a powerful binary in Cisco’s IOS XE that can generate the configuration file for OpenResty (an Nginx-based server with support for Lua scripting) used by the webui service vulnerable to CVE-2023-20198. The WSMA allows executing commands through SOAP requests, including ones that give access to the configuration feature that enables creating a user with full privileges on the system. The researchers note that from this point an attacker has full control over the device and could write malicious implants to disk without needing to exploit another vulnerability. Cisco updated its security bulletin for CVE-2023-20198 on October 30, announcing updates for IOS XE that address the vulnerability.

6. EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Services (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. As a result, the threat actor associated with the campaign was able to create multiple Amazon Elastic Compute Cloud (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations. The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023. A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are programmatically cloning and scanning the repositories to capture the exposed keys. The adversary has also been observed blocklisting AWS accounts that publicize IAM credentials, likely in an effort to prevent further analysis.
To mitigate the attacks, organizations that accidentally expose AWS IAM credentials are recommended to immediately revoke any API connections using the keys, remove them from the GitHub repository, and audit GitHub repository cloning events for any suspicious operations.


Programmer’s Digest #54

10/18/2023-10/25/2023 Critical Citrix NetScaler Flaw, Vulnerability in Synology’s DiskStation Manager, vRealize RCE flaw And More.

1. Critical Citrix NetScaler Flaw Exploited to Target Government, Tech Firms

Citrix is warning of a critical security flaw (CVE-2023-4966, CVSS 9.4) in NetScaler ADC and Gateway appliances. Exploitation has been observed, and Google-owned Mandiant detected zero-day exploitation starting in late August 2023. The flaw impacts specific versions and requires the device to be configured as a Gateway or as an AAA (authentication, authorization, and accounting) virtual server. While patches were released on October 10, 2023, Citrix reports active abuse of unmitigated appliances. Successful exploitation can hijack authenticated sessions, bypassing multi-factor authentication and potentially leading to further access. The threat actor responsible remains unidentified but has targeted professional services, technology, and government organizations. To mitigate these threats, users must promptly update their instances and terminate all active sessions, even though this isn’t a remote code execution vulnerability.

2. New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager

A medium-severity flaw (CVE-2023-2729) in Synology’s DiskStation Manager (DSM) could potentially reveal an administrator’s password, leading to a remote account hijack. The issue was addressed in June 2023. The vulnerability stems from the use of a weak random number generator that relies on the JavaScript Math.random() method to construct the admin password. This “insecure randomness” can allow an attacker to predict the password. However, successful exploitation depends on the attacker extracting certain GUIDs generated during the setup process to reconstruct the seed for the pseudorandom number generator. While the attack requires multiple steps, users should promptly apply the update to mitigate the risk, especially considering the potential account takeover.

3. Backdoor Implanted on Hacked Cisco Devices Modified to Evade Detection

A backdoor on Cisco devices, created through two zero-day flaws in IOS XE software, has been altered by the threat actor to evade detection. The modified backdoor only responds if the correct Authorization HTTP header is set, making it harder to detect. The attacker uses CVE-2023-20198 and CVE-2023-20273 to compromise devices, create privileged accounts, and install a Lua-based implant. Cisco is releasing security updates to address the vulnerabilities. The threat actor remains unidentified, but the attack has affected thousands of devices. Although the number of compromised devices decreased significantly, hidden changes to the implant explain this drop, as more than 37,000 devices still contain the backdoor. Cisco confirmed the change in behavior and provided a method to check for the implant’s presence.

4. Cross-site Scripting and how to fix it

Cross-site scripting (XSS) is a severe vulnerability enabling attackers to inject malicious code into web applications. It’s a major security concern, affecting websites that lack control over user input. Various XSS exploits, such as injecting scripts via HTML forms or email, can compromise websites and servers. To prevent XSS, you should sanitize input and never output data directly to the browser without checking for malicious code. Filtering for XSS is a security feature that blocks malicious content, preventing server-side code execution and thwarting remote attacks. It eliminates risky elements like the <script> tag, JavaScript commands, CSS styles, and hazardous HTML markup, and is typically done via server-side code or by using a safer library. If you are using Java, a good place to go is the OWASP Java Encoder Project. For PHP, there is a comprehensive library called HTML Purifier, which boasts strict standards compliance and better features than other filters. Restrict the type of input a user can submit in your form through validation. For instance, if you have an input field for an email, only allow input in the email format. This way, you minimize the chances of attackers submitting bad data. You can also use the validator package for this, and the same check can be done on the backend using the validator package:

const { check } = require('express-validator'); // check() comes from the express-validator package
check('username', 'Username must be an email address').isEmail()

The above code requires that the username the user submits is an email address; otherwise it displays the error message (“Username must be an email address”). Secure your cookies by setting the httpOnly and secure flags. These settings are crucial for preventing session hijacking and unauthorized access.
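The three defenses this section names (output encoding, input validation and cookie flags) in one dependency-free Node.js example. This is an added illustration, not code from the digest; the function names are hypothetical and the sample comment is constructed.

```javascript
// Output encoding: escape the five characters that let data break out of HTML text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable "before": user data is concatenated straight into the page,
// so a comment containing <script> is executed by every visitor's browser.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened "after": the same template, with the data encoded on output.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Input validation: a field that must be an e-mail address accepts only
// something shaped like one (the same idea as check(...).isEmail() above).
const EMAIL_RE = /^[^\s@<>"']+@[^\s@<>"']+\.[^\s@<>"']+$/;
function validateUsername(username) {
  if (typeof username !== 'string' || !EMAIL_RE.test(username)) {
    return { ok: false, error: 'Username must be an email address' };
  }
  return { ok: true, value: username.toLowerCase() };
}

// Cookie flags: HttpOnly keeps the session id away from injected script,
// Secure restricts it to HTTPS; SameSite is added as a CSRF baseline.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: a comment carrying a script tag.
const SAMPLE_COMMENT = '<script>alert(document.cookie)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCommentUnsafe(SAMPLE_COMMENT)); // script tag survives intact
  console.log(renderCommentSafe(SAMPLE_COMMENT));   // rendered as inert text
  console.log(validateUsername('not-an-email'));    // { ok: false, error: ... }
  console.log(sessionCookieHeader('abc123'));
}
```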

5. VMware warns admins of public exploit for vRealize RCE flaw

VMware has issued a warning regarding a PoC exploit for an authentication bypass vulnerability (CVE-2023-34051) in vRealize Log Insight, now known as VMware Aria Operations for Logs. This flaw enables unauthenticated attackers to remotely execute code with root permissions if specific conditions are met. To exploit it, the attacker must compromise a host in the targeted environment and have permissions to add an extra interface or static IP address. Horizon3 security researchers, who discovered the bug, released a PoC exploit and indicators of compromise (IOCs) to detect exploitation attempts. This vulnerability also acts as a bypass for a chain of critical flaws patched by VMware in January, allowing attackers to gain remote code execution. While it requires some infrastructure setup, it poses a significant threat to previously compromised networks.


Programmer’s Digest #53

10/11/2023-10/18/2023 New Admin Takeover Vulnerability, Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software, Malicious NuGet Package And More.

1. New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager

A medium-severity flaw has been discovered in Synology’s DiskStation Manager (DSM) that could be exploited to decipher an administrator’s password and remotely hijack the account. The flaw, assigned the identifier CVE-2023-2729, is rated 5.9 for severity on the CVSS scoring scale. The problem is rooted in the fact that the software uses a weak random number generator that relies on the JavaScript Math.random() method to programmatically construct the admin password for the network-attached storage (NAS) device. Referred to as insecure randomness, it arises when a function that can produce predictable values, or doesn’t have enough entropy, is used as a source of randomness in a security context, enabling an attacker to crack the encryption and defeat the integrity of sensitive information and systems. Successful exploitation of such flaws, therefore, could allow the threat actor to predict the generated password and gain access to otherwise restricted functionality.

2. Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software

Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems. A brief description of the two flaws is as follows –

  • CVE-2023-37265 – Incorrect identification of the source IP address, allowing unauthenticated attackers to execute arbitrary commands as root on CasaOS instances
  • CVE-2023-37266 – Unauthenticated attackers can craft arbitrary JSON Web Tokens (JWTs), access features that require authentication, and execute arbitrary commands as root on CasaOS instances.

A consequence of successful exploitation of the aforementioned flaws could allow attackers to get around authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.

3. Experts Warn of Severe Flaws Affecting Milesight Routers and Titan SFTP Servers

A severe flaw in Milesight industrial cellular routers, tracked as CVE-2023-43261 with a CVSS score of 7.5, has been discovered and may have been exploited in real-world attacks. This vulnerability, affecting several router models, allows unauthorized access to sensitive information and could let an attacker configure VPN servers and remove firewall protection. Evidence suggests that the flaw has been used on a small scale in the wild, with the attacker successfully authenticating on some systems using credentials extracted from httpd.log. Around 5% of internet-exposed Milesight routers are vulnerable to this issue; the advice is to assume all credentials have been compromised and generate new ones, while ensuring no interfaces are accessible from the internet, to mitigate the risk.

4. Malicious NuGet Package Targeting .NET Developers with SeroXen RAT

A malicious NuGet package, mimicking a legitimate one, has been discovered delivering the SeroXen RAT. While the genuine package had nearly 79,000 downloads, the malicious version artificially inflated its download count to over 100,000. The threat actor published six other packages, with four posing as crypto service libraries for Kraken, KuCoin, Solana, and Monero but actually deploying SeroXen RAT. The attack occurs during installation through a PowerShell script that exploits deprecated behavior, allowing arbitrary commands. SeroXen RAT, available for $60, is a fileless RAT combining the functions of Quasar RAT, r77 rootkit, and NirCmd. The discovery highlights the exploitation of open-source ecosystems by attackers.

5. Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

In its October 2023 Patch Tuesday updates, Microsoft addressed 103 software vulnerabilities, including 13 Critical and 90 Important flaws, along with 18 in its Chromium-based Edge browser since September. Two zero-day vulnerabilities are of particular concern:

  • CVE-2023-36563 (CVSS score: 6.5) – An information disclosure flaw in Microsoft WordPad, potentially leaking NTLM hashes.
  • CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could expose sensitive data, such as IP addresses and port numbers, granting access to internal networks.

Additionally, multiple vulnerabilities affecting Microsoft Message Queuing and Layer 2 Tunneling Protocol were fixed, which could lead to remote code execution and denial-of-service. A privilege escalation bug in Windows IIS Server (CVE-2023-36434) was addressed. An update for CVE-2023-44487 was released to mitigate HTTP/2 Rapid Reset attacks. Microsoft also deprecated Visual Basic Script, which has been exploited for malware distribution, and it will be removed from future Windows releases.


6. ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers

Threat actors behind ShellBot are infiltrating poorly managed Linux SSH servers using hexadecimal IP addresses. They have altered their method of deploying ShellBot from a regular IP address to a hexadecimal value, aiming to avoid URL-based detection. ShellBot, also known as PerlBot, exploits servers with weak SSH credentials through dictionary attacks, serving as a conduit for DDoS attacks and cryptocurrency miners. The malware communicates with a command-and-control (C2) server via the IRC protocol. This change indicates ShellBot’s continued use for Linux system attacks. To counter this, users are advised to employ strong, regularly changed passwords to resist brute-force and dictionary attacks. Additionally, attackers are using abnormal certificates with exceptionally long strings in an attempt to distribute information-stealing malware. These malicious pages, often linked to illegal software, pose a threat to a wide range of users.
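The evasion described above works because a URL filter looking for dotted-decimal addresses never sees one. The following added example (not from the digest or the ShellBot analysis) normalizes the host forms inet_aton accepts, including a single hex or decimal integer and hex or octal octets, back to dotted-decimal so the real address can be matched; function names are hypothetical and the sample log lines are constructed.

```javascript
// Parse one address component the way inet_aton does: 0x.. hex, 0.. octal, else decimal.
function parseIpPart(s) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(s))) return { v: parseInt(m[1], 16), base: 16 };
  if ((m = /^0([0-7]+)$/.exec(s))) return { v: parseInt(m[1], 8), base: 8 };
  if (/^(0|[1-9][0-9]*)$/.test(s)) return { v: parseInt(s, 10), base: 10 };
  return null;
}

// Returns { dotted, obfuscated } for any host inet_aton would accept, else null.
function normalizeIpv4Host(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const parsed = parts.map(parseIpPart);
  if (parsed.some((p) => p === null)) return null;
  const values = parsed.map((p) => p.v);
  const last = values.length - 1;
  // Leading parts are single bytes; the last part fills all remaining bytes.
  if (values.slice(0, last).some((v) => v > 0xff)) return null;
  if (values[last] > 256 ** (4 - last) - 1) return null;
  let n = 0;
  for (let i = 0; i < last; i++) n = n * 256 + values[i];
  n = n * 256 ** (4 - last) + values[last];
  const dotted = [24, 16, 8, 0].map((sh) => Math.floor(n / 2 ** sh) % 256).join('.');
  // Only four plain decimal octets count as the canonical spelling.
  const canonical = parts.length === 4 && parsed.every((p) => p.base === 10);
  return { dotted, obfuscated: !canonical };
}

// Scan log lines for URLs whose host is an IPv4 address in a non-canonical form.
function findObfuscatedIpUrls(lines) {
  const hits = [];
  const urlRe = /https?:\/\/([^\/\s:?#]+)/gi;
  lines.forEach((line, index) => {
    for (const m of line.matchAll(urlRe)) {
      const ip = normalizeIpv4Host(m[1]);
      if (ip && ip.obfuscated) hits.push({ index, host: m[1], dotted: ip.dotted });
    }
  });
  return hits;
}

// Constructed sample lines (203.0.113.7 is a documentation address).
const SAMPLE_LOG = [
  'GET http://0xcb007107/update.pl',      // single hex integer host
  'GET http://3405803783/update.pl',      // single decimal integer host
  'GET http://0xcb.0.0x71.07/update.pl',  // mixed hex, decimal and octal octets
  'GET http://203.0.113.7/update.pl',     // canonical form, not flagged
  'GET http://example.com/index.html',    // hostname, not an address
];
```

Running findObfuscatedIpUrls(SAMPLE_LOG) flags the first three lines, each resolving to 203.0.113.7, which is the value a block list or proxy rule should be written against.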
