
Programmer’s Digest #43

08/02/2023-08/09/2023 Citrix NetScaler ADC and Gateway Servers Hacked, Microsoft Releases Patches for 74 New Vulnerabilities, New SkidMap Linux Malware Variant And More.

1. Microsoft Releases Patches for 74 New Vulnerabilities in August Update

Microsoft has addressed 74 software flaws in its August 2023 Patch Tuesday, down from 132 last month. The update includes six Critical, 67 Important, and one Moderate severity vulnerabilities. Also released are defense-in-depth updates for Microsoft Office and the Memory Integrity System Readiness Scan Tool. Notably, the update addresses CVE-2023-36884, an actively exploited remote code execution flaw that the RomCom threat actor has used in attacks on Ukraine and pro-Ukraine targets. Additionally, Microsoft patched remote code execution and spoofing vulnerabilities in various services including Microsoft Message Queuing, Microsoft Teams, and Azure components. The update also covers denial-of-service and information disclosure flaws, alongside Exchange Server vulnerabilities that require an adjacent attack vector for exploitation.

2. Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining

Malicious actors are exploiting exposed Kubernetes (K8s) clusters for crypto mining and backdoor deployment. Cloud security firm Aqua’s report reveals these attacks, primarily targeting small to medium-sized organizations and some larger companies in finance, aerospace, and more. Over 350 Kubernetes clusters were found, with 60% hit by active crypto mining. Misconfigurations, such as granting high privileges to anonymous users and improper kubectl proxy settings, allow unauthorized access. These clusters can hold sensitive data, making them enticing targets. Security researchers identified ongoing campaigns, including Dero cryptojacking, RBAC Buster, and TeamTNT’s Silentbob. Despite the risk, these misconfigurations persist, underlining a broader gap in Kubernetes security understanding and management.
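One way to audit a cluster for the anonymous-access misconfiguration described above, written here as an added example rather than code from Aqua’s report: it walks the JSON that `kubectl get clusterrolebindings -o json` returns and flags any binding that grants a role beyond the default `system:public-info-viewer` to `system:anonymous` or `system:unauthenticated`. The sample binding list is constructed.

```python
import json

# Subjects that stand for callers who presented no credentials at all.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
# Kubernetes ships this binding for unauthenticated users by default; it only
# exposes read-only endpoints such as /version and /healthz, so treat it as baseline.
BASELINE_ROLES = {"system:public-info-viewer"}


def find_anonymous_bindings(binding_list):
    """Return (binding, role, subject) tuples for every ClusterRoleBinding that
    hands a non-baseline role to anonymous or unauthenticated callers."""
    findings = []
    for item in binding_list.get("items", []):
        binding = item["metadata"]["name"]
        role = item["roleRef"]["name"]
        for subject in item.get("subjects") or []:  # "subjects" may be null
            if subject.get("name") in ANONYMOUS_SUBJECTS and role not in BASELINE_ROLES:
                findings.append((binding, role, subject["name"]))
    return findings


# Constructed sample shaped like `kubectl get clusterrolebindings -o json` output.
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {   # the default, expected binding for unauthenticated users
            "metadata": {"name": "system:public-info-viewer"},
            "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"},
                         {"kind": "Group", "name": "system:unauthenticated"}],
        },
        {   # the misconfiguration: cluster-admin handed to anonymous callers
            "metadata": {"name": "anon-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "User", "name": "system:anonymous"}],
        },
        {   # an ordinary binding that must not be flagged
            "metadata": {"name": "dev-view"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "Group", "name": "developers"}],
        },
    ],
}

if __name__ == "__main__":
    # Replace SAMPLE_BINDINGS with json.load(sys.stdin) to audit a live cluster.
    for binding, role, subject in find_anonymous_bindings(SAMPLE_BINDINGS):
        print(f"{binding}: grants {role} to {subject}")
```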

3. New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers

Vulnerable Redis services are under attack by an evolved malware named SkidMap, targeting various Linux distributions including Alibaba, CentOS, RedHat, and more. The malware adapts to the system it infects, making detection difficult. Originally a crypto mining botnet, SkidMap deploys kernel modules to obscure its actions, conceals its C2 IP address in the Bitcoin blockchain, and fetches real-time data for rapid pivoting. Trustwave details the latest attack chain, beginning with breaching Redis servers to distribute an ELF binary posing as a GIF image. This binary adds SSH keys, establishes reverse shells, downloads distribution-specific packages, deploys rootkits, and launches a botnet for further attacks. The malware’s sophistication makes detection challenging, primarily noticeable through increased fan activity or case temperature.

4. Researchers Uncover New High-Severity Vulnerability in PaperCut Software

A significant security flaw (CVE-2023-39143, CVSS score: 8.4) has been found in PaperCut print management software for Windows. It can lead to remote code execution when combined with path traversal and file upload vulnerabilities. The flaw affects PaperCut NG/MF versions earlier than 22.1.3. Attackers, particularly when the external device integration setting is enabled, could upload files and execute code. This exploit is more intricate than previous vulnerabilities (CVE-2023-27350) and doesn’t demand prior privileges. Iranian state actors have been involved in exploiting related vulnerabilities. PaperCut version 22.1.3 also fixes another flaw allowing unauthorized file uploads and potential denial-of-service (CVE-2023-3486, CVSS score: 7.4).

5. Malicious npm Packages Found Exfiltrating Sensitive Data from Developers

Researchers have identified malicious npm packages aimed at extracting sensitive developer information. Software supply chain company Phylum discovered these “test” packages on the npm registry and noted they were quickly removed and re-uploaded under different names. Although the motive behind this campaign isn’t fully clear, the references to modules like “rocketrefer” and “binarium” suggest a possible focus on the cryptocurrency sector. Published by the npm user “malikrukd4732,” these modules execute JavaScript code to exfiltrate data to a remote server during installation. This approach allows for potential theft of credentials and intellectual property. This incident joins the growing trend of open-source repositories being used to propagate malicious code.

6. Hundreds of Citrix NetScaler ADC and Gateway Servers Hacked in Major Cyber Attack

Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation. The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. The flaw, patched by Citrix last month, carries a CVSS score of 9.8. The exploitation of CVE-2023-3519 to deploy web shells was previously disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which said the attack was directed against an unnamed critical infrastructure organization in June 2023. The disclosure comes as GreyNoise said it detected three IP addresses attempting to exploit CVE-2023-24489 (CVSS score: 9.1), another critical flaw in Citrix ShareFile software that allows for unauthenticated arbitrary file upload and remote code execution. The issue has been addressed in ShareFile storage zones controller version 5.11.24 and later. The Shadowserver Foundation, in an update, said it identified close to 7,000 vulnerable, unpatched NetScaler ADC and Gateway instances online and that CVE-2023-3519 is being exploited to drop PHP web shells on vulnerable servers for remote access.


Programmer’s Digest #42

07/26/2023-08/02/2023 Recently Patched Critical Ivanti EPMM Vulnerability, New P2PInfect Worm Targets Redis Servers, Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users And More.

1. Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability

Cybersecurity researchers have discovered a bypass for a recently fixed, actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM). Tracked as CVE-2023-35082 (CVSS score: 10.0) and discovered by Rapid7, the issue “allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below).” If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server. It also comes as cybersecurity agencies from Norway and the U.S. revealed that CVE-2023-35078 and CVE-2023-35081 have been exploited by unnamed nation-state groups at least since April 2023 to drop web shells and gain persistent remote access to compromised systems.

  • CVE-2023-35078 (CVSS score: 10.0) – An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.
  • (CVSS score: 7.2) – A path traversal vulnerability is discovered in Ivanti EPMM that allows an attacker to write arbitrary files onto the appliance.

While there is no evidence of active exploitation of CVE-2023-35082 in the wild, it’s recommended that users upgrade to the latest supported version to secure against potential threats.

2. Researchers Uncover AWS SSM Agent Misuse as a Covert Remote Access Trojan

Researchers have unveiled a new post-exploitation method within Amazon Web Services (AWS) that repurposes the AWS Systems Manager Agent (SSM Agent) as a remote access trojan for Windows and Linux systems. With high privilege access to an endpoint running SSM Agent, attackers can engage in sustained malicious activities. As a legitimate admin tool, SSM Agent can be exploited to perform nefarious actions, leveraging its trusted status to avoid security solution detection and the need for additional malware. The technique allows attackers to remotely control compromised SSM Agents and potentially infiltrate endpoints. While AWS states no immediate action is required, vigilance, removing SSM binaries from antivirus allow lists, and securing EC2 instances are recommended by experts.

3. New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods

The P2PInfect worm has expanded its tactics to compromise vulnerable Redis servers, using multiple initial access methods. Researchers discovered that the malware infiltrates exposed Redis instances by exploiting the replication feature. Another technique involves registering a malicious cron job on the Redis host to download the malware from a remote server upon execution. The worm is Rust-based and has been observed to alter iptables firewall rules, self-upgrade, and potentially deploy cryptocurrency miners. P2PInfect forms a peer-to-peer botnet, with each infected server as a node connecting to others, allowing it to communicate without a centralized command-and-control server. The identity of the threat actors and the malware’s purpose remain uncertain.

4. Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable

Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data.
The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites.
A brief description of each of the vulnerabilities is below:

  • CVE-2023-37979 (CVSS score: 7.1) – A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users to visit a specially crafted website.
  • CVE-2023-38386 and CVE-2023-38393 – Broken access control flaws in the form submissions export feature that could enable a bad actor with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site.

Users of the plugin are recommended to update to version 3.6.26 to mitigate potential threats.

5. Hackers Deploy “SUBMARINE” Backdoor in Barracuda Email Security Gateway Attacks

The U.S. CISA has revealed details about the SUBMARINE backdoor, linked to the Barracuda Email Security Gateway (ESG) appliance hack. This backdoor includes artifacts such as shell scripts, a loaded library for a Linux daemon, and a SQL trigger, enabling root privilege execution, persistence, command and control, and cleanup. The backdoor emerged from an analysis of malware samples acquired from a compromised organization that fell victim to threat actors exploiting the CVE-2023-2868 flaw in ESG devices. The attackers, suspected to have a China nexus, employed SUBMARINE as part of their persistent access strategy, leveraging it to evade remediation efforts and establish control over the compromised environment. Barracuda recommends discontinuing use of compromised ESG appliances and seeking replacements.

6. GameOver(lay): Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users

Cybersecurity researchers have disclosed two high-severity security flaws in the Ubuntu kernel that could pave the way for local privilege escalation attacks. Cloud security firm Wiz, in a report shared with The Hacker News, said the easy-to-exploit shortcomings have the potential to impact 40% of Ubuntu users. The vulnerabilities – tracked as CVE-2023-2640 and CVE-2023-32629 (CVSS scores: 7.8) and dubbed GameOver(lay) – are present in a module called OverlayFS and arise as a result of inadequate permissions checks in certain scenarios, enabling a local attacker to gain elevated privileges. Overlay Filesystem refers to a union mount file system that makes it possible to combine multiple directory trees or file systems into a single, unified file system. 

A brief description of the two flaws is below:

  • CVE-2023-2640 – On Ubuntu kernels carrying both c914c0e27eb0 and “UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs,” an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
  • CVE-2023-32629 – A local privilege escalation vulnerability in the overlayfs module of Ubuntu kernels: ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr.

In a nutshell, GameOver(lay) makes it possible to “craft an executable file with scoped file capabilities and trick the Ubuntu Kernel into copying it to a different location with unscoped capabilities, granting anyone who executes it root-like privileges.”

7. Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required

A critical vulnerability (CVE-2023-38646) in Metabase, a popular business intelligence software, could lead to pre-authenticated remote code execution. Users of versions prior to 0.46.6.1 for open-source editions and Metabase Enterprise versions before 1.46.6.1 are advised to update immediately. The flaw enables unauthenticated attackers to execute arbitrary commands with the same privileges as the Metabase server. Although no exploitation evidence exists, over 5,000 out of 6,936 instances were found vulnerable as of July 26, 2023. The issue arises from a JDBC connection problem in the API endpoint “/api/setup/validate,” allowing attackers to gain a reverse shell through an SQL injection flaw in the H2 database driver.


Programmer’s Digest #41

07/13/2023-07/19/2023 Vulnerabilities in SonicWall and Fortinet Network, Fake PoC for Linux Kernel Vulnerability on GitHub, Microsoft Word Vulnerabilities And More.

1. New Vulnerabilities Disclosed in SonicWall and Fortinet Network Security Products

SonicWall urged customers of Global Management System (GMS) firewall management and Analytics network reporting engine software to apply the latest fixes to secure against a set of 15 security flaws that could be exploited by a threat actor to circumvent authentication and access sensitive information. Of the 15 shortcomings (tracked from CVE-2023-34123 through CVE-2023-34137), four are rated Critical, four are rated High, and seven are rated Medium in severity. The flaws impact on-premise versions of GMS 9.3.2-SP1 and before and Analytics 2.5.0.4-R7 and before. Fixes are available in versions GMS 9.3.3 and Analytics 2.5.2. The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

The disclosure comes as Fortinet revealed a critical flaw affecting FortiOS and FortiProxy (CVE-2023-33308, CVSS score: 9.8) that could enable an adversary to achieve remote code execution under certain circumstances. It said the issue was resolved in a previous release, without an advisory.

Recommendation 

For customers who cannot apply the updates immediately, Fortinet is recommending that they disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.

2. Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware

Cybersecurity researchers have detected a proof-of-concept (PoC) on GitHub containing a concealed backdoor using a clever persistence method. The PoC pretends to be a harmless learning tool but actually operates as a downloader, surreptitiously executing a Linux bash script while disguising its activities as a kernel-level process. Disguised as a PoC for a high-severity flaw in the Linux kernel (CVE-2023-35829), the repository was taken down after being forked 25 times. Additionally, a second GitHub profile harbored a fake PoC for CVE-2023-35829, still available and forked 19 times. The backdoor has extensive capabilities, enabling data theft and remote access via the addition of malicious SSH keys to the .ssh/authorized_keys file.

Recommendation 

To mitigate risks, users who downloaded and executed these PoCs should remove unauthorized SSH keys, delete the kworker file, eliminate the kworker path from the bashrc file, and check /tmp/.iCE-unix.pid for potential threats.
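The cleanup steps above can be turned into a triage check; the following is an added example, not code from the researchers who reported the repository. It scans a home directory and a temp directory for the named artifacts: `authorized_keys` entries that are not on the user’s own allowlist, `.bashrc` lines that reference a `kworker` path, and the `.iCE-unix.pid` file. The file contents it demonstrates on are constructed, and the exact shape of the backdoor’s `.bashrc` entry is assumed.

```python
import tempfile
from pathlib import Path


def scan_fake_poc_artifacts(home, tmp, known_keys):
    """Report the artifacts the advisory tells affected users to remove.

    home       - the user's home directory (Path)
    tmp        - the system temp directory, normally Path("/tmp")
    known_keys - set of authorized_keys lines the user recognises as their own
    Returns a list of (category, detail) findings; empty means nothing was found.
    """
    findings = []

    auth_keys = home / ".ssh" / "authorized_keys"
    if auth_keys.exists():
        for line in auth_keys.read_text().splitlines():
            line = line.strip()
            if line and not line.startswith("#") and line not in known_keys:
                fields = line.split()
                # Report the key comment only, never the key material itself.
                label = fields[2] if len(fields) >= 3 else "(no comment)"
                findings.append(("unknown-ssh-key", label))

    bashrc = home / ".bashrc"
    if bashrc.exists():
        for n, line in enumerate(bashrc.read_text().splitlines(), 1):
            if "kworker" in line:  # the downloader masquerades as a kworker kernel thread
                findings.append(("bashrc-kworker", f"line {n}: {line.strip()}"))

    pid_file = tmp / ".iCE-unix.pid"
    if pid_file.exists():
        findings.append(("ice-unix-pid", str(pid_file)))

    return findings


def demo():
    """Build a constructed, infected-looking home/tmp layout and scan it."""
    with tempfile.TemporaryDirectory() as d:
        home, tmp = Path(d) / "home", Path(d) / "tmp"
        (home / ".ssh").mkdir(parents=True)
        tmp.mkdir()
        own_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOwnedByUser user@laptop"
        (home / ".ssh" / "authorized_keys").write_text(
            own_key + "\n"
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed attacker@evil\n")
        # Assumed shape of the persistence entry; the advisory does not quote the real one.
        (home / ".bashrc").write_text(
            "export PATH=$HOME/bin:$PATH\n"
            "$HOME/.local/kworker &\n")
        (tmp / ".iCE-unix.pid").write_text("4242\n")
        return scan_fake_poc_artifacts(home, tmp, {own_key})


if __name__ == "__main__":
    # Real use: scan_fake_poc_artifacts(Path.home(), Path("/tmp"), {your own key lines})
    for category, detail in demo():
        print(f"[{category}] {detail}")
```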

3. Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services

Multiple security vulnerabilities have been found in various services, including Honeywell Experion DCS and QuickBlox, that could lead to severe compromises. Dubbed Crit.IX, the nine flaws in Honeywell Experion DCS enable unauthorized remote code execution, allowing attackers to take over devices and alter DCS controller operations while concealing changes from the engineering workstation. The flaws stem from encryption and authentication issues in the Control Data Access (CDA) protocol. Similarly, QuickBlox, used in telemedicine and IoT, was found to have major vulnerabilities, allowing attackers to leak user databases and perform account takeover attacks.

Additional disclosed flaws affect Aerohive/Extreme Networks access points, the Ghostscript library, Owncast, EaseProbe, and Technicolor TG670 DSL gateway routers, exposing various attack vectors.

4. Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. The cybersecurity company said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot. The injector also features evasion techniques to check for the presence of debuggers and determine if it’s running in a virtualized environment. 

An alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the “Auto_Open” and “Document_Open” functions.
The macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.

5. Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway

Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild.
Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297, and
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

The company did not give further details on the flaw tied to CVE-2023-3519 other than to say that exploits for the flaw have been observed on “unmitigated appliances.” However, successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server.
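To turn the version list and the Gateway/AAA precondition above into an inventory check, here is an added example (not Citrix’s own tooling). It parses build strings in the advisory’s `13.1-49.13` notation, treats the end-of-life 12.1 branch as always affected, and combines the result with whether the appliance is configured as a Gateway or AAA virtual server. The inventory rows are constructed.

```python
import re

# Fixed builds from the advisory for CVE-2023-3519, keyed by release branch.
# None marks the 12.1 branch, which is end-of-life and receives no fix.
FIXED_BUILDS = {
    "13.1": "13.1-49.13",
    "13.0": "13.0-91.13",
    "12.1": None,
    "13.1-FIPS": "13.1-37.159",
    "12.1-FIPS": "12.1-55.297",
    "12.1-NDcPP": "12.1-55.297",
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build):
    """Turn '13.1-49.13' into the comparable tuple (13, 1, 49, 13)."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(branch, build):
    """True if an appliance on `branch` running `build` lacks the CVE-2023-3519 fix."""
    if branch not in FIXED_BUILDS:
        raise ValueError(f"unknown branch {branch!r}; expected one of {sorted(FIXED_BUILDS)}")
    fixed = FIXED_BUILDS[branch]
    if fixed is None:  # 12.1 is EOL: every build stays vulnerable
        return True
    return parse_build(build) < parse_build(fixed)


def assess(branch, build, gateway_or_aaa_configured):
    """Combine the version check with the advisory's exploitation precondition.

    Returns 'patched', 'vulnerable-exposed' or 'vulnerable-not-exposed'. The last
    still needs patching; the missing Gateway/AAA role only lowers the immediate urgency.
    """
    if not is_vulnerable(branch, build):
        return "patched"
    return "vulnerable-exposed" if gateway_or_aaa_configured else "vulnerable-not-exposed"


if __name__ == "__main__":
    # Constructed inventory: (hostname, branch, build, configured as Gateway/AAA vserver)
    inventory = [
        ("vpn-edge-1", "13.1", "13.1-48.47", True),
        ("vpn-edge-2", "13.1", "13.1-49.13", True),
        ("lb-internal", "13.0", "13.0-90.12", False),
        ("legacy-fips", "12.1-FIPS", "12.1-55.296", True),
        ("old-box", "12.1", "12.1-65.39", True),
    ]
    for host, branch, build, exposed in inventory:
        print(f"{host:12} {branch:10} {build:12} {assess(branch, build, exposed)}")
```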

The development comes amid active exploitation of security flaws discovered in Adobe ColdFusion (CVE-2023-29298 and CVE-2023-38203) and the WooCommerce Payments WordPress plugin (CVE-2023-28121).

6. Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation

A privilege escalation vulnerability, named Bad.Build, has been discovered in Google Cloud’s Build service, posing a supply chain attack risk. The flaw allows attackers to manipulate images in the Google Artifact Registry and inject malicious code, impacting applications built from those images. Google has released a partial fix but acknowledges that the privilege escalation vector remains, categorizing it as a low-severity issue. The vulnerability stems from excessive permissions granted to the default service account created by Cloud Build, which can facilitate lateral movement and privilege escalation. Attackers can impersonate the Cloud Build service account, exfiltrate and modify images, and execute code on Docker containers with root access. Users should monitor the service account’s behavior and apply the principle of least privilege to minimize potential risks.
