Programmer’s Digest #49

09/13/2023-09/20/2023 GitLab Releases Urgent Security Patches, Trend Micro Releases Urgent Fix, Nearly 12,000 Juniper Firewalls Found Vulnerable And More.

1. GitLab Releases Urgent Security Patches for Critical Vulnerability

GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user. The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4. It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. This was a bypass of CVE-2023-3932 showing additional impact. Successful exploitation of CVE-2023-5009 could allow a threat actor to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences.

2. Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability

Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks.
Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that’s bundled along with the software. The complete list of impacted products is as follows –

  • Apex One – version 2019 (on-premise), fixed in SP1 Patch 1 (B12380)
  • Apex One as a Service – fixed in SP1 Patch 1 (B12380) and Agent version 14.0.12637
  • Worry-Free Business Security – version 10.0 SP1, fixed in 10.0 SP1 Patch 2495
  • Worry-Free Business Security Services – fixed in July 31, 2023, Monthly Maintenance Release

Successful exploitation of the flaw could allow an attacker to manipulate the component to execute arbitrary commands on an affected installation. However, it requires that the adversary already has administrative console access on the target system. As a workaround, Trend Micro recommends that customers limit access to the product’s administration console to trusted networks.

3. Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability

Close to 12,000 Juniper firewalls exposed on the internet are vulnerable to a recently disclosed remote code execution flaw (CVE-2023-36845). Exploitable by an unauthenticated remote attacker, it allows arbitrary code execution without creating a file on the system. This medium-severity flaw in the J-Web component of Junos OS could be exploited to control vital environment variables. Juniper Networks released a patch last month in an out-of-cycle update that addressed this flaw along with several others. A proof-of-concept exploit combines CVE-2023-36846 and CVE-2023-36845 to achieve code execution. The new exploit also affects older systems and requires just a single cURL command. It manipulates the PHPRC environment variable through a crafted HTTP request, enabling the leak of sensitive information and arbitrary code execution via PHP’s configuration options.

4. Microsoft Uncovers Flaws in ncurses Library Affecting Linux and macOS Systems

Memory corruption flaws found in the ncurses programming library pose a threat to Linux and macOS systems. Threat actors could exploit these vulnerabilities, collectively known as CVE-2023-29491, with a CVSS score of 7.8, to execute malicious code and elevate privileges through environment variable poisoning. Microsoft Threat Intelligence researchers identified and remedied these issues in April 2023, collaborating with Apple to address macOS-specific concerns. Environment variables can influence how programs behave, and manipulating them can lead to unauthorized actions. By poisoning variables like TERMINFO, the ncurses library could be leveraged for privilege escalation. The vulnerabilities involve stack information leaks, parameterized string type confusion, off-by-one errors, heap out-of-bounds issues during terminfo database parsing, and denial-of-service with canceled strings. While these flaws had the potential for privilege escalation and code execution, a multi-stage attack would be required to gain control over a program.

5. Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints

Three high-severity security flaws (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955) discovered in Kubernetes pose a risk of remote code execution with elevated privileges on Windows endpoints in Kubernetes clusters. These vulnerabilities affect all Kubernetes environments with Windows nodes and were responsibly disclosed by Akamai on July 13, 2023, with fixes released on August 23, 2023. Attackers can achieve remote code execution with SYSTEM privileges by applying a malicious YAML file to the cluster, targeting kubelet versions below v1.28.1, v1.27.5, v1.26.8, v1.25.13, and v1.24.17. CVE-2023-3676 requires low privileges, making it accessible to attackers with node access and apply privileges. CVE-2023-3955 results from input sanitization issues, enabling command execution via a specially crafted path string. CVE-2023-3893 involves privilege escalation in the Container Storage Interface (CSI) proxy, granting malicious actors administrator access on the node. These vulnerabilities highlight input sanitization lapses in Windows-specific porting of Kubelet.

Programmer’s Digest #48

09/06/2023-09/13/2023 Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws, Critical GitHub Vulnerability, Apache Superset Vulnerabilities And More.

1. Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month’s Patch Tuesday edition, which also encompasses a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format.
The two Microsoft vulnerabilities that have come under active exploitation in real-world attacks are listed below:

  • CVE-2023-36761 (CVSS score: 6.2) – Microsoft Word Information Disclosure Vulnerability;
  • CVE-2023-36802 (CVSS score: 7.8) – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability.

Exploiting the Word vulnerability (CVE-2023-36761) could allow the disclosure of NTLM hashes. Exact details surrounding the nature of the exploitation or the identity of the threat actors behind the attacks are currently unknown.

2. Update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability

Adobe’s September 2023 Patch Tuesday addresses a critical security flaw, CVE-2023-26369, in Acrobat and Reader. This vulnerability, with a severity rating of 7.8, affects Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020. It enables attackers to execute malicious code via specially crafted PDF documents. Adobe confirmed limited real-world exploitation and released updates to fix the issue:

  • Acrobat DC (v23.003.20284 and earlier): Fixed in v23.006.20320;
  • Acrobat Reader DC (v23.003.20284 and earlier): Fixed in v23.006.20320;
  • Acrobat 2020 (Windows and macOS): Fixed in v20.005.30524;
  • Acrobat Reader 2020 (Windows and macOS): Fixed in v20.005.30524.

Additionally, Adobe patched two cross-site scripting flaws in Adobe Connect (CVE-2023-29305 and CVE-2023-29306) and Adobe Experience Manager (CVE-2023-38214 and CVE-2023-38215), both of which could lead to arbitrary code execution.

3. Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack

A newly disclosed vulnerability in GitHub could have put thousands of repositories at risk of repojacking attacks. The flaw could allow an attacker to exploit a race condition between GitHub’s repository creation and username renaming operations. Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub Actions.

Repojacking, or repository hijacking, bypasses a security measure known as namespace retirement, gaining control of a repository. This defense prevents duplicate repository names after a user’s account is renamed, making the combination “retired” if over 100 clones exist. Exploiting this could let threat actors create new accounts with the same name, potentially leading to supply chain attacks. Checkmarx’s method exploits a race condition:

  • Victim owns “victim_user/repo”;
  • Victim changes to “renamed_user”;
  • “victim_user/repo” is retired;
  • Attacker creates “repo” and renames to “victim_user”.

The method involves intercepting the API requests for repository creation and username renaming so that they are processed together. This flaw echoes an issue GitHub had previously patched.
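Since a retired namespace can be re-registered only by an attacker who cannot reproduce the original commit history, pinning every GitHub Actions reference to a full commit SHA (rather than a tag or branch) removes the repojacking risk for workflows. The following is an added example, not Checkmarx’s or GitHub’s code: it scans a constructed workflow file (the organisation names and the SHA in it are made up) and reports every GitHub-hosted action that is not SHA-pinned, together with the owner namespace that a rename would expose.

```python
import re

# Constructed sample workflow (not from any real project): mixes a SHA-pinned
# reference, tag- and branch-pinned references, a local action and an image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: "example-org/setup-tool@v2"
      - uses: other-org/monorepo/actions/lint@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
"""

# A `uses:` value may be bare or quoted; stop at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.MULTILINE)
# A full 40-hex-character commit SHA is the only reference that cannot be
# re-created by whoever re-registers a retired owner/repo namespace.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return every `uses:` reference in the workflow, in document order."""
    return USES_RE.findall(workflow_text)


def classify(ref):
    """Classify one reference.

    Returns ('skip', reason) for local actions and container images, which do
    not go through GitHub namespaces, otherwise ('pinned' | 'unpinned', owner)
    where owner is the GitHub account whose rename/retirement would matter.
    """
    if ref.startswith("./"):
        return "skip", "local action"
    if ref.startswith("docker://"):
        return "skip", "container image"
    path, _, version = ref.partition("@")   # owner/repo[/subpath]@version
    owner = path.split("/")[0]
    if SHA_RE.match(version):
        return "pinned", owner
    return "unpinned", owner


def unpinned_references(workflow_text):
    """Return (reference, owner) for every GitHub action not pinned to a SHA."""
    findings = []
    for ref in parse_uses(workflow_text):
        status, owner = classify(ref)
        if status == "unpinned":
            findings.append((ref, owner))
    return findings


if __name__ == "__main__":
    for ref, owner in unpinned_references(SAMPLE_WORKFLOW):
        print(f"not SHA-pinned: {ref} (namespace at risk: {owner})")
```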

4. Navigating the Dark Corners of the Internet with a Beacon of Hope

At #CivoNavigate, Oliver Pinson-Roxburgh emphasized internet security risks, including unsecured systems and compromised Kubernetes clusters. Third-party software patches were flagged as a major vulnerability source. The open-source community, however, holds potential for timely, secure patches. Platforms like Mintycode offer hope, enabling businesses to sponsor dedicated patches promptly. This collaborative approach not only reduces third-party patch risks but also fosters a secure ecosystem. The conference highlighted both risks and the open-source community’s potential for positive impact. In this journey, platforms like Mintycode and collective efforts in open source can guide us towards a safer digital future. 

5. Alert: Apache Superset Vulnerabilities Expose Servers to Remote Code Execution Attacks

Apache Superset released version 2.1.1 to address two critical security vulnerabilities: CVE-2023-39265 and CVE-2023-37941. These flaws can lead to remote code execution when an attacker gains control of Superset’s metadata database. Additionally, CVE-2023-36388, an improper REST API permission issue, enables SSRF attacks for low-privilege users.
CVE-2023-39265 involves URI bypass when connecting to the SQLite database, allowing data manipulation commands. The same CVE includes a lack of validation for importing SQLite database connection information from a file.
CVE-2023-37941 allows attackers to insert malicious payloads into the metadata database, leading to remote code execution.
Other fixed issues include MySQL arbitrary file read, abuse of Superset load_examples, default credentials access, and database credential leaks.
This disclosure follows a previous high-severity vulnerability (CVE-2023-27524) that allowed unauthorized admin access due to a default SECRET_KEY. Many installations still use weak or default keys, highlighting the need for automatic key generation.

6. CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities

CISA has issued a warning about nation-state actors exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. They exploited CVE-2022-47966 to access Zoho ManageEngine ServiceDesk Plus, gaining persistence and moving laterally through the network. The threat groups’ identities remain undisclosed, but U.S. Cyber Command hinted at Iranian involvement. CISA discovered this during an incident response engagement at an aeronautical sector organization between February and April 2023. The attackers also leveraged CVE-2022-42475 to access Fortinet FortiOS SSL-VPN. To protect against such threats, organizations should apply updates, monitor remote access software, and eliminate unnecessary accounts and groups.

7. Cisco Issues Urgent Fix for Authentication Bypass Bug Affecting BroadWorks Platform

Cisco has issued security fixes for various vulnerabilities, including a critical authentication bypass flaw, CVE-2023-20238, in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. The flaw could enable an attacker to forge credentials, potentially leading to toll fraud or executing commands at the forged account’s privilege level. Cisco has also resolved a high-severity issue in the RADIUS message processing feature of Cisco Identity Services Engine (CVE-2023-20243), and an unpatched medium-severity flaw in Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software (CVE-2023-20269), which could allow unauthorized remote access. Additionally, Juniper Networks addressed a severe BGP flaw (CVE-2023-4481) in Junos OS, and an authentication bypass vulnerability (CVE-2023-4498) was reported in Tenda’s N300 Wireless N VDSL2 Modem Router. Organizations should apply updates and remain vigilant.

Programmer’s Digest #47

08/29/2023-09/06/2023 Hackers Exploit MinIO Storage System Vulnerabilities, GitLab Outage vs. Continuous Code Development, Threat Actors Targeting Microsoft SQL Servers And More.

1. New Python Variant of Chaes Malware Targets Banking and Logistics Industries

The banking and logistics sectors face a renewed malware threat known as Chaes, which has undergone significant updates. Originally written in Python to evade detection, Chaes now features enhanced communication protocols. Lucifer, the group behind Chaes, breached over 800 WordPress websites in early 2022. The latest variant, Chae$ 4, exhibits substantial improvements, including broader service targeting for credential theft. Despite these changes, the malware’s delivery method remains consistent. Victims visiting compromised websites are prompted to download software, initiating the ChaesCore module, responsible for connecting to a command-and-control server. Chaes maintains persistence through scheduled tasks and communicates via WebSockets. The malware’s emphasis on cryptocurrency theft underscores its financial motivation, using tactics like Module Packer to modify browser shortcuts. It leverages Google’s DevTools Protocol for extensive control over web browsers.

2. Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers

An unknown threat actor has targeted the MinIO high-performance object storage system, exploiting critical vulnerabilities (CVE-2023-28432 and CVE-2023-28434) to gain unauthorized access and execute code on affected servers. The attacker used a publicly available exploit chain to backdoor the MinIO instance. These vulnerabilities, with CVSS scores of 7.5 and 8.8, can expose sensitive data and enable remote code execution on the compromised system. The attacker leveraged the flaws to obtain admin credentials, replace the MinIO client with a trojanized version, and create a deceptive update. This trojanized binary establishes a backdoor, receiving and executing commands via HTTP requests. A downloader script, compatible with both Windows and Linux, profiles compromised hosts to determine subsequent actions, reflecting the attacker’s advanced capabilities. 

3. PoC Exploit Released for Critical VMware Aria’s SSH Auth Bypass Vulnerability

Proof-of-concept (PoC) exploit code has emerged for a recently patched critical vulnerability (CVE-2023-34039) in VMware Aria Operations for Networks. This flaw, rated 9.8 in severity, allows an attacker to bypass SSH authentication. It stems from a lack of unique cryptographic key generation, with hardcoded keys present in versions 6.0 to 6.10.

Additionally, VMware addressed CVE-2023-20890, an arbitrary file write vulnerability that could allow an attacker with administrative access to write files to arbitrary locations, enabling remote code execution. This PoC release coincides with VMware fixing a high-severity SAML token signature bypass flaw (CVE-2023-20900), impacting Windows and Linux versions of VMware Tools. It allows attackers with man-in-the-middle network access to bypass SAML token signature verification for VMware Tools Guest Operations.
Simultaneously, Fortinet FortiGuard Labs warned of ongoing exploitation of Adobe ColdFusion vulnerabilities by threat actors to deploy cryptocurrency miners and hybrid bots like Satan DDoS and RudeMiner, capable of cryptojacking and DDoS attacks. Users are urged to apply updates promptly for security.

4. GitLab Outage vs. Continuous Code Development

GitLab as a hosting service has proven to be a very solid option, but it is not without flaws. It is widely recommended to use third-party backup software. Please keep in mind that your source code, projects, intellectual property, hours of labor, and thousands of dollars are on the line. Every company’s disaster recovery and business continuity strategy should include a backup strategy suited to its needs. One of the biggest GitLab outages occurred in 2017 and lasted for six hours. It happened because of human error – the unintentional deletion of data from major database servers. Unfortunately, GitLab erased some production data and was unable to retrieve it in the end. Database and data modifications, including projects, comments, user accounts, issues, and snippets, were lost.

To prepare for gaps in continuous code development, the company needs to come up with a sufficient backup strategy. First, you must specify the two most crucial parameters: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO is the maximum amount of data, measured as a span of time, that a business can afford to lose when recovering from a disaster, failure, or similar event before the loss exceeds what is acceptable. RTO is the amount of time (and the service level) within which a business process must be restored after a disaster to prevent the unacceptable consequences of a loss of continuity.

GitProtect for GitLab provides a comprehensive set of data recovery tools. It’s adaptable, with point-in-time recovery to any location – whether a local device or a remote repository is preferred.

5. Five Open-Source Projects to Secure Access to Your Applications

If you are like most devs, then securing your applications is one of those things that you do not want to (and should not) handle yourself.

  • Authentication. Authentication is your app’s first line of defense. The process focuses on securing access to your application by verifying that the user is who they claim to be prior to logging them in.
  • Keycloak is a Java-based open-source application authentication project. It provides SSO, user management, and user federation capabilities.
  • Dex is a Go-based open-source service that uses OpenID Connect to authenticate users for other applications. It is a CNCF sandbox project that works with any application that supports OIDC. It adds an array of protocols for querying the authentication platforms and identity providers it is connected to.
  • Open Policy Agent (OPA) provides a general purpose decision engine for enforcing authorization logic, along with a domain specific language for writing that logic as authorization policies (Rego). These policies are stored and versioned in their own repos and treated like any other code.
  • OpenFGA is a CNCF sandbox project that provides a relationship-based access control (ReBAC) system. In ReBAC systems, permissions are based on relationships between subjects (users/groups) and application resources. They are also graph-based systems, built for scale and speed.

6. Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges

Okta, an identity services provider, has issued a warning about a recent surge in social engineering attacks targeting IT service desk personnel. The attackers aim to convince service desk staff to reset all multi-factor authentication (MFA) factors for highly privileged users. Once successful, they exploit Okta Super Administrator accounts to impersonate individuals within the compromised organization. These attacks occurred between July 29 and August 19, 2023.

The threat actor responsible remains unidentified, but the tactics resemble those associated with Muddled Libra, which shares some similarities with Scattered Spider and Scatter Swine. The attacks center around a commercial phishing kit called 0ktapus, which enables the creation of fake authentication portals to harvest credentials and MFA codes.

To counter these threats, Okta recommends implementing phishing-resistant authentication, enhancing help desk identity verification procedures, enabling end-user notifications for new devices and suspicious activities, and reviewing and limiting Super Administrator role usage.

7. Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Threat actors are exploiting vulnerable Microsoft SQL (MS SQL) servers to distribute Cobalt Strike and the ransomware strain FreeWorld in a campaign named DB#JAMMER. The attackers use enumeration, RAT payloads, exploitation tools, credential stealers, and ransomware payloads, primarily FreeWorld. They gain initial access through MS SQL server brute-forcing, proceed to enumerate the database, and leverage xp_cmdshell for further reconnaissance. The attackers then establish persistence, disable the system firewall, and transfer malicious tools, including Cobalt Strike, using remote SMB shares. The campaign also involves lateral movement and attempts at RDP persistence through Ngrok. Strong passwords for publicly exposed services are crucial to prevent such attacks.
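The DB#JAMMER chain described above leaves a recognisable trace in the SQL Server error log: a burst of failed logins from one client, a success from the same client, and then the `xp_cmdshell` option being switched on. The detection logic below is an added example, not code from the campaign write-up; it runs over constructed log lines modelled on the SQL Server ERRORLOG message format (the timestamps, user names and client addresses are made up) and correlates the three stages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the SQL Server ERRORLOG format
# (timestamp, source column, message). Not taken from a real incident.
SAMPLE_LOG = """\
2023-09-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.05 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:03.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:03.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 10:01:15.00 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 11:30:00.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(\S+)\s+(.*)$")
CLIENT_RE = re.compile(r"\[CLIENT: ([^\]]+)\]")


def parse(log_text):
    """Yield (timestamp, message, client_ip_or_None) for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        client = CLIENT_RE.search(msg)
        events.append((ts, msg, client.group(1) if client else None))
    return events


def detect(log_text, threshold=5, window=timedelta(minutes=1),
           follow=timedelta(minutes=10)):
    """Return alert strings for brute force, success-after-brute-force and
    xp_cmdshell enablement; the last is tied to a brute-forcing client when it
    happens within `follow` of the burst."""
    failures = defaultdict(list)   # client -> timestamps of recent failures
    brute_clients = {}             # client -> time the burst was flagged
    alerts = []
    for ts, msg, client in parse(log_text):
        if msg.startswith("Login failed") and client:
            recent = [t for t in failures[client] if ts - t <= window] + [ts]
            failures[client] = recent
            if len(recent) >= threshold and client not in brute_clients:
                brute_clients[client] = ts
                alerts.append(f"brute-force: {len(recent)} failed logins from "
                              f"{client} within {window}")
        elif msg.startswith("Login succeeded") and client in brute_clients:
            alerts.append(f"success-after-brute-force: {client} logged in at {ts}")
        elif "'xp_cmdshell' changed from 0 to 1" in msg:
            linked = [c for c, t in brute_clients.items() if ts - t <= follow]
            ctx = f" after brute force from {', '.join(linked)}" if linked else ""
            alerts.append(f"xp_cmdshell enabled at {ts}{ctx}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failed login from 10.0.0.8 stays below the threshold and produces no alert, which is the behaviour wanted for ordinary mistyped passwords.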

8. North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Three more malicious Python packages have been discovered on the PyPI repository as part of the VMConnect supply chain attack, which is believed to involve North Korean state-sponsored threat actors. These packages, named tablediter, request-plus, and requestspro, mimic popular Python tools and download an unknown second-stage malware.

The packages are designed to appear trustworthy, using typosquatting to impersonate legitimate packages like prettytable and requests. Tablediter runs a remote server to retrieve and execute a Base64-encoded payload. It now waits until the compromised application imports the package and calls its functions to avoid detection.

Request-plus and requestspro collect information from infected machines and transmit it to a command-and-control (C2) server. The server responds with a token, which the infected host sends back to a different URL on the same C2 server to receive a double-encoded Python module and a download URL. This token-based approach mirrors a previous npm campaign associated with North Korean actors, suggesting a common tactic for delivering second-stage malware.
