Programmer’s Digest #42

07/26/2023-08/02/2023 Recently Patched Critical Ivanti EPMM Vulnerability, New P2PInfect Worm Targets Redis Servers, Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users And More.

1. Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability

Cybersecurity researchers have discovered a bypass for a recently fixed, actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM). Tracked as CVE-2023-35082 (CVSS score: 10.0) and discovered by Rapid7, the issue “allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below).” If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server. It also comes as cybersecurity agencies from Norway and the U.S. revealed that CVE-2023-35078 and CVE-2023-35081 have been exploited by unnamed nation-state groups at least since April 2023 to drop web shells and gain persistent remote access to compromised systems.

  • CVE-2023-35078 (CVSS score: 10.0) – An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.
  • (CVSS score: 7.2) – A path traversal vulnerability was discovered in Ivanti EPMM that allows an attacker to write arbitrary files onto the appliance.

While there is no evidence of active exploitation of CVE-2023-35082 in the wild, it is recommended that users upgrade to the latest supported version to secure against potential threats.

2. Researchers Uncover AWS SSM Agent Misuse as a Covert Remote Access Trojan

Researchers have unveiled a new post-exploitation method within Amazon Web Services (AWS) that repurposes the AWS Systems Manager Agent (SSM Agent) as a remote access trojan for Windows and Linux systems. With high privilege access to an endpoint running SSM Agent, attackers can engage in sustained malicious activities. As a legitimate admin tool, SSM Agent can be exploited to perform nefarious actions, leveraging its trusted status to avoid security solution detection and the need for additional malware. The technique allows attackers to remotely control compromised SSM Agents and potentially infiltrate endpoints. While AWS states no immediate action is required, vigilance, removing SSM binaries from antivirus allow lists, and securing EC2 instances are recommended by experts.

3. New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods

The P2PInfect worm has expanded its tactics to compromise vulnerable Redis servers, using multiple initial access methods. Researchers discovered that the malware infiltrates exposed Redis instances by exploiting the replication feature. Another technique involves registering a malicious cron job on the Redis host to download the malware from a remote server upon execution. The worm is Rust-based and has been observed to alter iptables firewall rules, self-upgrade, and potentially deploy cryptocurrency miners. P2PInfect forms a peer-to-peer botnet, with each infected server as a node connecting to others, allowing it to communicate without a centralized command-and-control server. The identity of the threat actors and the malware’s purpose remain uncertain.
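A defender's check for the exposure conditions an internet-facing Redis instance hands to a worm like this, as an added example (not from the digest or from any P2PInfect analysis): it parses a redis.conf and flags a public bind, protected-mode switched off, no password, and replication/CONFIG commands left reachable by any client. The set of commands to rename and the embedded weak and hardened configs are constructed assumptions for a standalone instance with no legitimate replica.

```python
# Added example: audit a redis.conf for settings that leave an instance open
# to unauthenticated abuse of replication and CONFIG. Not part of the digest.
SENSITIVE_COMMANDS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE", "DEBUG")  # assumption
PUBLIC_BIND = ("0.0.0.0", "::", "*")

# Constructed sample configs: the weak one mirrors an exposed deployment,
# the hardened one the corrected settings.
WEAK_CONF = """bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-placeholder
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""

def parse_conf(text):
    """Return {directive_lower: [args, ...]} for every active (non-comment) directive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit_redis_conf(text):
    """Return a list of finding strings; an empty list means no weak setting was found."""
    conf = parse_conf(text)
    findings = []
    # 1. Network exposure: an explicit public bind, or no bind at all (treated as weak).
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds:
        findings.append("bind: not set; restrict to loopback or a private interface")
    elif any(b in PUBLIC_BIND for b in binds):
        findings.append(f"bind: listens on a public address ({' '.join(binds)})")
    # 2. protected-mode off removes the guard that refuses unauthenticated remote clients.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode: no; set to yes unless bind and auth are both restricted")
    # 3. No password and no ACL users: every reachable client is an administrator.
    if "requirepass" not in conf and "user" not in conf:
        findings.append("requirepass: not set and no ACL users defined")
    # 4. Replication and CONFIG commands still reachable by ordinary clients.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable by any client")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "no findings")
```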

4. Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable

Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data.
The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites.
A brief description of each of the vulnerabilities is below:

  • CVE-2023-37979 (CVSS score: 7.1) – A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users into visiting a specially crafted website.
  • CVE-2023-38386 and CVE-2023-38393 – Broken access control flaws in the form submissions export feature that could enable a bad actor with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site.

Users of the plugin are recommended to update to version 3.6.26 to mitigate potential threats.

5. Hackers Deploy “SUBMARINE” Backdoor in Barracuda Email Security Gateway Attacks

The U.S. CISA has revealed details about the SUBMARINE backdoor, linked to the Barracuda Email Security Gateway (ESG) appliance hack. This backdoor includes artifacts such as shell scripts, a loaded library for a Linux daemon, and a SQL trigger, enabling root privilege execution, persistence, command and control, and cleanup. The backdoor emerged from an analysis of malware samples acquired from a compromised organization that fell victim to threat actors exploiting the CVE-2023-2868 flaw in ESG devices. The attackers, suspected to have a China nexus, employed SUBMARINE as part of their persistent access strategy, leveraging it to evade remediation efforts and establish control over the compromised environment. Barracuda recommends discontinuing use of compromised ESG appliances and seeking replacements.

6. GameOver(lay): Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users

Cybersecurity researchers have disclosed two high-severity security flaws in the Ubuntu kernel that could pave the way for local privilege escalation attacks. Cloud security firm Wiz, in a report shared with The Hacker News, said the easy-to-exploit shortcomings have the potential to impact 40% of Ubuntu users. The vulnerabilities – tracked as CVE-2023-2640 and CVE-2023-32629 (CVSS scores: 7.8) and dubbed GameOver(lay) – are present in a module called OverlayFS and arise as a result of inadequate permissions checks in certain scenarios, enabling a local attacker to gain elevated privileges. Overlay Filesystem refers to a union mount file system that makes it possible to combine multiple directory trees or file systems into a single, unified file system. 

A brief description of the two flaws is below:

  • CVE-2023-2640 – On Ubuntu kernels carrying both c914c0e27eb0 and “UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs,” an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
  • CVE-2023-32629 – A local privilege escalation vulnerability in the Ubuntu kernel’s OverlayFS: ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr on Ubuntu kernels.

In a nutshell, GameOver(lay) makes it possible to “craft an executable file with scoped file capabilities and trick the Ubuntu Kernel into copying it to a different location with unscoped capabilities, granting anyone who executes it root-like privileges.”

7. Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required

A critical vulnerability (CVE-2023-38646) in Metabase, a popular business intelligence software, could lead to pre-authenticated remote code execution. Users of versions prior to 0.46.6.1 for open-source editions and Metabase Enterprise versions before 1.46.6.1 are advised to update immediately. The flaw enables unauthenticated attackers to execute arbitrary commands with the same privileges as the Metabase server. Although no exploitation evidence exists, over 5,000 out of 6,936 instances were found vulnerable as of July 26, 2023. The issue arises from a JDBC connection problem in the API endpoint “/api/setup/validate,” allowing attackers to gain a reverse shell through an SQL injection flaw in the H2 database driver.


Programmer’s Digest #41

07/13/2023-07/19/2023 Vulnerabilities in SonicWall and Fortinet Network, Fake PoC for Linux Kernel Vulnerability on GitHub, Microsoft Word Vulnerabilities And More.

1. New Vulnerabilities Disclosed in SonicWall and Fortinet Network Security Products

SonicWall urged customers of Global Management System (GMS) firewall management and Analytics network reporting engine software to apply the latest fixes to secure against a set of 15 security flaws that could be exploited by a threat actor to circumvent authentication and access sensitive information. Of the 15 shortcomings (tracked from CVE-2023-34123 through CVE-2023-34137), four are rated Critical, four are rated High, and seven are rated Medium in severity. The flaws impact on-premise versions of GMS 9.3.2-SP1 and before and Analytics 2.5.0.4-R7 and before. Fixes are available in versions GMS 9.3.3 and Analytics 2.5.2. The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

The disclosure comes as Fortinet revealed a critical flaw affecting FortiOS and FortiProxy (CVE-2023-33308, CVSS score: 9.8) that could enable an adversary to achieve remote code execution under certain circumstances. It said the issue was resolved in a previous release, without an advisory.

Recommendation 

For customers who cannot apply the updates immediately, Fortinet is recommending that they disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.

2. Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware

Cybersecurity researchers have detected a proof-of-concept (PoC) on GitHub containing a concealed backdoor using a clever persistence method. The PoC pretends to be a harmless learning tool but actually operates as a downloader, surreptitiously executing a Linux bash script while disguising its activities as a kernel-level process. Disguised as a PoC for a high-severity flaw in the Linux kernel (CVE-2023-35829), the repository was taken down after being forked 25 times. Additionally, a second GitHub profile harbored a fake PoC for CVE-2023-35829, still available and forked 19 times. The backdoor has extensive capabilities, enabling data theft and remote access via the addition of malicious SSH keys to the .ssh/authorized_keys file.

Recommendation 

To mitigate risks, users who downloaded and executed these PoCs should remove unauthorized SSH keys, delete the kworker file, eliminate the kworker path from the bashrc file, and check /tmp/.iCE-unix.pid for potential threats.
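The recommendation above as a host audit, added here as an example (not from the digest or the researchers' report): it checks a Linux home directory for SSH keys you did not provision, a "kworker" reference written into the shell rc files, and the /tmp/.iCE-unix.pid file. The write-up does not give the dropped file's path, so any rc line mentioning "kworker" is flagged (an assumption); the known-keys set is something you fill from your own provisioning records.

```python
import re
from pathlib import Path

# Added example: audit one home directory for the indicators listed in the
# fake-PoC write-up. Not part of the digest.
KWORKER_RE = re.compile(r"kworker")              # assumption: match any reference
PID_MARKER = Path("/tmp/.iCE-unix.pid")          # path named in the write-up
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")    # OpenSSH key type prefixes

def unexpected_keys(authorized_keys_text, known_keys):
    """Return authorized_keys lines whose 'type blob' is not in known_keys.
    known_keys holds strings like 'ssh-ed25519 AAAA...' without the comment field."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Key options such as command="..." or from="..." may precede the key type.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            flagged.append(line)      # unparseable entry: review it by hand
            continue
        if f"{tokens[idx]} {tokens[idx + 1]}" not in known_keys:
            flagged.append(line)
    return flagged

def kworker_lines(rc_text):
    """Return (line_number, line) for every rc line that references kworker."""
    return [(n, l) for n, l in enumerate(rc_text.splitlines(), 1) if KWORKER_RE.search(l)]

def audit_home(home, known_keys, marker=PID_MARKER):
    """Collect findings for one home directory; an empty dict means nothing was found."""
    findings = {}
    ak = Path(home) / ".ssh" / "authorized_keys"
    if ak.is_file():
        bad = unexpected_keys(ak.read_text(), known_keys)
        if bad:
            findings["unexpected_keys"] = bad
    for rc in (".bashrc", ".bash_profile", ".profile"):
        p = Path(home) / rc
        if p.is_file():
            hits = kworker_lines(p.read_text())
            if hits:
                findings[rc] = hits
    if Path(marker).exists():
        findings["pid_marker"] = str(marker)
    return findings

if __name__ == "__main__":
    KNOWN_KEYS = set()   # fill from your provisioning records before a real run
    for name, value in audit_home(Path.home(), KNOWN_KEYS).items():
        print(name, value)
```

Any entry in the output is a lead to remove by hand; the script deliberately only reports.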

3. Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services

Multiple security vulnerabilities have been found in various services, including Honeywell Experion DCS and QuickBlox, that could lead to severe compromises. Dubbed Crit.IX, the nine flaws in Honeywell Experion DCS enable unauthorized remote code execution, allowing attackers to take over devices and alter DCS controller operations while concealing changes from the engineering workstation. The flaws stem from encryption and authentication issues in the Control Data Access (CDA) protocol. Similarly, QuickBlox, used in telemedicine and IoT, was found to have major vulnerabilities, allowing attackers to leak user databases and perform account takeover attacks.

Additional disclosed flaws affect Aerohive/Extreme Networks access points, the Ghostscript library, Owncast, EaseProbe, and Technicolor TG670 DSL gateway routers, exposing various attack vectors.

4. Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. The cybersecurity company said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot. The injector also features evasion techniques to check for the presence of debuggers and determine if it’s running in a virtualized environment. 

An alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the “Auto_Open” and “Document_Open” functions. The macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.

5. Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway

Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild. Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297, and
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

The company did not give further details on the flaw tied to CVE-2023-3519 other than to say that exploits for the flaw have been observed on “unmitigated appliances.” However, successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server.

The development comes amid active exploitation of security flaws discovered in Adobe ColdFusion (CVE-2023-29298 and CVE-2023-38203) and the WooCommerce Payments WordPress plugin (CVE-2023-28121).

6. Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation

A privilege escalation vulnerability, named Bad.Build, has been discovered in Google Cloud’s Build service, posing a supply chain attack risk. The flaw allows attackers to manipulate images in the Google Artifact Registry and inject malicious code, impacting applications built from those images. Google has released a partial fix but acknowledges that the privilege escalation vector remains, categorizing it as a low-severity issue. The vulnerability stems from excessive permissions granted to the default service account created by Cloud Build, which can facilitate lateral movement and privilege escalation. Attackers can impersonate the Cloud Build service account, exfiltrate and modify images, and execute code on Docker containers with root access. Users should monitor the service account’s behavior and apply the principle of least privilege to minimize potential risks.


Programmer’s Digest #40

07/06/2023-07/12/2023 Python-Based PyLoose Fileless Attack, New Linux Kernel ‘StackRot’ Privilege Escalation Vulnerability, Microsoft Releases Patches for 132 Vulnerabilities And More.

1. Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining

A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner. The attack consists of Python code that loads an XMRig miner directly into memory using memfd, a known Linux fileless technique. Cloud security firm Wiz said it found nearly 200 instances where the attack method was employed for cryptocurrency mining. No other details about the threat actor are currently known other than the fact that they possess sophisticated capabilities. In the infection chain documented by Wiz, initial access is achieved through the exploitation of a publicly accessible Jupyter Notebook service that allowed for the execution of system commands using Python modules.
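A host-side check for the memfd technique the item describes, added here as an example (not from the digest or from Wiz's write-up): a process started from a memfd has no file on disk, so its /proc/<pid>/exe link resolves to "/memfd:<name> (deleted)", and walking /proc for such links surfaces it. The fake /proc tree built by demo() is constructed sample data; the process names in it are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Added example: find processes whose executable image lives only in an
# anonymous memfd. Not part of the digest.
MEMFD_PREFIX = "/memfd:"

def is_memfd_exe(link_target):
    """True when an exe symlink target denotes an anonymous memfd image."""
    return link_target.startswith(MEMFD_PREFIX)

def read_text_safe(path):
    """Read a small text file, returning '' if it cannot be read."""
    try:
        return Path(path).read_text(errors="replace").strip()
    except OSError:
        return ""

def scan_proc(proc_root="/proc"):
    """Return [(pid, exe_target, comm)] for processes running from a memfd.
    Processes we cannot inspect (permissions, already exited) are skipped."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue
        if is_memfd_exe(target):
            comm = read_text_safe(os.path.join(pid_dir, "comm"))
            hits.append((int(entry), target, comm))
    return hits

def build_fake_proc(root, processes):
    """Create a constructed /proc-like tree for offline testing.
    processes maps pid -> (exe_target, comm)."""
    for pid, (exe, comm) in processes.items():
        d = Path(root) / str(pid)
        d.mkdir(parents=True, exist_ok=True)
        os.symlink(exe, d / "exe")          # dangling link is fine: only the target text matters
        (d / "comm").write_text(comm + "\n")
    return str(root)

def demo():
    """Constructed sample: one normal process and one memfd-backed process."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    build_fake_proc(root, {
        1234: ("/usr/bin/sleep", "sleep"),
        4242: ("/memfd:xmrig (deleted)", "python3"),   # assumed names
    })
    return scan_proc(root)

if __name__ == "__main__":
    for pid, exe, comm in scan_proc():
        print(f"pid={pid} comm={comm!r} exe={exe}")
```

Run as root to cover every process; a hit is a starting point for pulling the image out of /proc/<pid>/exe for analysis before the process is stopped.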

2. Researchers Uncover New Linux Kernel ‘StackRot’ Privilege Escalation Vulnerability

A new security flaw in the Linux kernel, called StackRot (CVE-2023-3269, CVSS score: 7.8), has been discovered. It affects Linux versions 6.1 to 6.4 but has not been exploited in the wild. The vulnerability exists in the memory management subsystem, making it widespread and requiring minimal capabilities to trigger. However, exploiting it is considered challenging due to delayed memory deallocation. The flaw was responsibly disclosed on June 15, 2023, and has been patched in stable versions 6.1.37, 6.3.11, and 6.4.1 as of July 1, 2023. A proof-of-concept (PoC) exploit and more technical details will be released soon. The vulnerability stems from a data structure called maple tree, introduced in Linux kernel 6.1 to manage virtual memory areas (VMAs). It is described as a use-after-free bug that can be exploited by a local user to gain elevated privileges.

3. Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack

Microsoft has released updates addressing 132 new security flaws, including six zero-day vulnerabilities actively exploited in the wild. Among the vulnerabilities, nine are rated Critical and 122 are rated Important. The list of issues that have come under active exploitation is as follows –

  • CVE-2023-32046 (CVSS score: 7.8) – Windows MSHTML Platform Elevation of Privilege Vulnerability
  • CVE-2023-32049 (CVSS score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2023-35311 (CVSS score: 8.8) – Microsoft Outlook Security Feature Bypass Vulnerability
  • CVE-2023-36874 (CVSS score: 7.8) – Windows Error Reporting Service Elevation of Privilege Vulnerability
  • CVE-2023-36884 (CVSS score: 8.3) – Office and Windows HTML Remote Code Execution Vulnerability (Also publicly known at the time of the release)
  • ADV230001 – Malicious use of Microsoft-signed drivers for post-exploitation activity (no CVE assigned).

One flaw, CVE-2023-36884, is being actively exploited through specially-crafted Microsoft Office documents related to the Ukrainian World Congress. Microsoft has identified the intrusion campaign as the work of the Russian cybercriminal group Storm-0978, also known as RomCom. The group is deploying Underground ransomware and a backdoor similar to RomCom RAT.

4. Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures

A Windows policy loophole is being exploited by threat actors, primarily native Chinese speakers, to forge signatures on kernel-mode drivers. By altering the signing date of drivers, malicious and unverified drivers can be loaded, bypassing Windows certificate policies. Cisco Talos discovered open-source tools like HookSignTool and FuckCertVerifyTimeValidity being used to forge signatures and bypass security measures. These tools manipulate the signing timestamp and remove the need for valid certificates, enabling the deployment of thousands of malicious signed drivers without Microsoft verification. Threat actors have gained administrative privileges on compromised systems prior to using these drivers. Microsoft has taken steps to block the certificates and suspend developer program accounts involved. The use of rogue kernel-mode drivers allows threat actors to establish persistence and interfere with security software.

5. Revolut Faces $20 Million Loss as Attackers Exploit Payment System Weakness

Malicious actors exploited an unknown flaw in Revolut’s payment systems to steal more than $20 million of the company’s funds in early 2022. The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly. The fault stemmed from discrepancies between Revolut’s U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined. The problem was first detected in late 2021. But before it could be closed, the report said organized criminal groups leveraged the loophole by “encouraging individuals to try to make expensive purchases that would go on to be declined.” The refunded amounts would then be withdrawn from ATMs. The exact technical details associated with the flaw are currently unclear.

6. Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software

Progress Software has patched a critical SQL injection vulnerability (CVE-2023-36934) in its popular MOVEit Transfer software, which enables secure file transfer. The flaw could allow unauthenticated attackers to gain unauthorized access to the software’s database. This vulnerability is particularly severe because it can be exploited without valid credentials. However, there have been no reports of active exploitation yet. Progress Software also addressed two other high-severity vulnerabilities: CVE-2023-36932, a SQL injection flaw allowing unauthorized access for logged-in attackers, and CVE-2023-36933, a vulnerability that allows unexpected shutdowns of MOVEit Transfer. These vulnerabilities affect multiple versions of MOVEit Transfer, including 12.1.10 and earlier.

7. JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident

JumpCloud, a cloud-based identity and access management provider, has taken swift action in response to a cybersecurity incident affecting some of its clients. As a precautionary measure, JumpCloud has reset the API keys of affected customers to protect their data. While this reset may cause disruptions to certain functionalities, such as AD import and HRIS integrations, the company emphasizes that it is for the benefit of its clients’ security. JumpCloud is offering support to those needing assistance with resetting or re-establishing their API keys. The incident underscores the importance of API security and the need for robust protective measures. The specifics and scale of the incident, as well as the cause, are currently unknown as JumpCloud actively investigates the matter.
