Customer portal
Category

Flash Alert

"Connectwise_vulnerability"/
Flash Alert

Flash Alert – Critical vulnerabilities in ConnectWise

by Daniel Collyer
February 21, 2024

CVE: TBD

CVSS: 10.00 CRITICAL

CVE: TBD

CVSS: 8.4 HIGH

In the last week, ConnectWise has disclosed vulnerabilities affecting versions 23.9.7 (and older) of its ScreenConnect product.

Two vulnerabilities have been identified and published via a security bulletin on the ConnectWise website.  Few details have been published, but the bulletin does indicate the following:

  • The first vulnerability allows for authentication bypass by utilisation of an alternate path or channel
  • The second vulnerability concerns the improper limitation of a pathname to a restricted directory (AKA “path traversal”)

Utilised together, these vulnerabilities would allow a threat actor to remotely execute code, or directly impact confidential data of critical systems.

ConnectWise is urging all users of ScreenConnect to update to version 23.9.8 to patch these vulnerabilities, but does insist that they have seen no evidence of exploitation in the wild.

"Significant
Flash Alert

Flash Alert – Significant vulnerability in FortiOS

by Daniel Collyer
February 9, 2024

CVE-2024-21762
CVSS: 9.8 CRITICAL

Fortinet has disclosed a significant vulnerability in FortiOS, their network operating system. 

An out-of-bounds write issue is present in multiple versions of the product, potentially allowing any threat actor to remotely execute code and commands without authorisation, by utilising specifically crafted HTTP requests.

The vulnerability impacts the following:

Fortinet FortiOS versions
7.4.0 through 7.4.2
7.2.0 through 7.2.6
7.0.0 through 7.0.13
6.4.0 through 6.4.14
6.2.0 through 6.2.15
6.0.0 through 6.0.17
FortiProxy versions
7.4.0 through 7.4.2
7.2.0 through 7.2.8
7.0.0 through 7.0.14
2.0.0 through 2.0.13
1.2.0 through 1.2.13
1.1.0 through 1.1.6
1.0.0 through 1.0.7

Fortinet has detailed a workaround; disabling SSL VPN, and has provided guidance on ensuring that any affected products are updated. They have further disclosed their belief that this vulnerability is being exploited in the wild. 

This comes soon after the discovery of Chinese APT VOLT TYPHOON actively targeting FortiOS to deploy their custom malware COATHANGER, including against the Dutch Ministry of Defence.

"ivanti"/
Flash Alert

Flash Alert – Further vulnerabilities reported in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA

by Daniel Collyer
February 1, 2024

Two new vulnerabilities have been disclosed by Ivanti, relating to their Connect Secure, Policy Secure and Neurons for ZTA products and services.

Ivanti Connect Secure & Ivanti Policy Secure

CVE-2024-21888

CVSS: 8.8 HIGH

Ivanti has disclosed a further vulnerability affecting their Connect Secure and Policy Secure solutions.  Impacting all currently supported versions (9.x and 22.x), the vulnerability allows a user (malicious or otherwise) to elevate their current privileges to that of an administrator.

Ivanti Connect Secure, Ivanti Policy Secure & Ivanti Neurons for ZTA

CVE-2024-21893

CVSS: 8.2 HIGH

A server-side vulnerability exists in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure & Ivanti Neurons for ZTA.  When exploited, a threat actor could access certain restricted resources without needing to authenticate.

While no threat actor use of CVE-2024-21888 has yet been discovered, there has been limited, targeted use of CVE-2024-21893. Following the disclosure of these vulnerabilities, exploitation of impacted services is suspected to increase.  Therefore, it is vital that the affected services are fully patched and updated to mitigate any risks.

The release of these vulnerabilities follows Ivanti’s research into vulnerabilities disclosed earlier in the month, CVE-2023-46805 and CVE-2024-21887 (previously reported here).  Given the volume of vulnerabilities coming from Ivanti at this time, it is expected that threat actors will put an increased focus on identifying more in order to exploit vulnerable users.

"Ivanti"/
Flash Alert

Flash Alert – Vulnerabilities reported in Ivanti ICS, Ivanti Policy Secure and Citrix NetScaler

by Daniel Collyer
January 18, 2024

In the past week, the following vulnerabilities have been disclosed, affecting:

  • Ivanti ICS
  • Ivanti Policy Secure
  • Citrix NetScaler ADC
  • Citrix NetScaler Gateway

Ivanti ICS & Ivanti Policy Secure

CVE-2023-46805

CVSS: 8.2 HIGH

CVE-2024-21887

CVSS: 9.1 CRITICAL

Ivanti has disclosed the existence of two significant vulnerabilities affecting their Connect Secure and Policy Secure gateways, specifically versions 9.x and 22.x.

CVE-2023-46805 is an authentication bypass vulnerability, which allows a threat actor to remotely access restricted resources by bypassing control checks.  CVE-2024-21887 is a command injection vulnerability, granting an authenticated user the ability to send specially crafted requests and execute arbitrary commands on the vulnerable device.

When utilised together, a threat actor can compromise a vulnerable device and execute code with admin rights, leaving the victim company open to a significant risk of network intrusion and further criminal activity.

Palo Alto’s Unit 42 has observed over 30,000 vulnerable devices spread across 141 countries. It is actively responding to incidents involving these vulnerabilities, highlighting their use by threat actors in the wild.

Ivanti is currently working on patches to fix these vulnerabilities.  In the meantime, it is recommended that the mitigations they have suggested are implemented to avoid unnecessary risk.  These can be found here.

Citrix NetScaler ADC & Citrix NetScaler Gateway

CVE-2023-6548

CVSS: 5.5 MEDIUM

CVE-2023-6549

CVSS: 8.2 HIGH

Citrix has identified and disclosed further vulnerabilities in its NetScaler ADC and NetScaler Gateway products.  The following supported versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302*
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302*

*NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable

CVE-2023-6548 allows a threat actor authenticated, low-privileged access to remotely execute code on the management interface of a compromised device.  This requires them to have access to the NSIP, CLIP or SNIP which itself has management interface access.

CVE-2023-6549 applies to appliances configured as one of the following:

  • VPN virtual servers
  • ICA proxies
  • CVPNs
  • RDP proxies
  • AAA virtual servers

Exploitation of this vulnerability involves a threat actor restricting operations within the memory buffer, thereby causing an unauthenticated Denial of Service attack.

A patch will follow in due course, but in the meantime, Citrix recommends the following:

  • Ensure network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic
  • Ensure the management interface is not exposed to the internet
  • Ensure all previous patches are installed and software is up-to-date

Citrix has noted that these vulnerabilities have been observed in the wild and targeted by threat actors.

"managed
Flash Alert

Flash Alert – CitrixBleed victim with impacts on UK legal sector

by Daniel Collyer
November 27, 2023

CVE-2023-4966

CVSS: 9.4

In October 2023 we reported on an observation of a threat actor exploiting CVE-2023-4966, a vulnerability in Citrix NetScaler since dubbed CitrixBleed.  Further information on that report can be found here.

This vulnerability allows threat actors to hijack existing, authenticated sessions and bypass multi-factor authentication. As a result, they could fully control NetScaler environments, and therefore manage and control application delivery.

We’d previously stated an expectation that this vulnerability would continue to be exploited, banking on a slow patch rate, and this prediction appears to have been correct. In the last week, it has been reported that managed service provider (MSP) CTS has suffered a significant cyberattack as a result of CitrixBleed.

CTS provides IT services for the UK legal sector.  As a result of the attack, it is estimated that up to 200 UK firms and offices have been significantly impacted, resulting in a loss of access to systems and databases crucial for them to function. The incident was first noted on Wednesday (22nd November 2023) and continued into the weekend. This has had a significant impact on property buyers, with Fridays being the busiest days for purchase completions.

There is limited information available regarding the overall scope of the attack against CTS, but it has been suggested that ransomware had been deployed, which we will continue to monitor for. It is unknown whether any sensitive or confidential information has been impacted, but the incident has been reported to the ICO.

The targeting of an MSP at this time is significant. The UK Government has decided to not include an update to the NIS Regulations within the most recent King’s Speech, meaning that these will likely not be considered until after the next general election in 2024. Updating these regulations would treat MSPs as critical infrastructure, and encourage them to focus on and improve their own cybersecurity and defences in order to prevent supply chain attacks.  In the foreword to the UK Government’s “Proposal for legislation to improve the UK’s cyber resilience”,  Julia Lopez MP, Minister of State for Media, Data, and Digital Infrastructure stated:

“an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services,”

This is not the first such attack against an MSP in the UK.  In August 2022, IT supplier Advanced was targeted with ransomware, which had a serious impact on the NHS’s ability to deliver care.  In January 2023 the UK National Cyber Security Centre (NCSC) issued a warning regarding the use of MSP’s, and that use of their services would increase an organisation’s attack surface.  An MSP with access to multiple clients makes them a “juicy target” for threat actors wanting to cause as much disruption as possible.

Photo by Tingey Injury Law Firm on Unsplash.

"SysAid
Flash Alert

Flash Alert – Zero-day vulnerability in SysAid IT support software

by Daniel Collyer
November 9, 2023

CVE-2023-47246

CVSS: TBD

Research by Microsoft Threat Intelligence has identified a vulnerability in SysAid IT On-Premise software, documented as CVE-2023-47246. The vulnerability allows a threat actor to leverage path traversal in order to execute their own code within the target system.

It has been identified that the threat actor Lace Tempest has exploited the vulnerability by uploading a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The full directory path was:

C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\

The deployed WebShell granted the threat actor unauthorised access and control. Once established, they utilised PowerShell scripts to run a malware loader (with filename user.exe). This was in turn used to deploy the GraceWire Trojan, which was injected into one of the following running processes:

  • spoolsv.exe
  • msiexec.exe
  • svchost.exe

Once GraceWire was deployed, a second PowerShell script was executed to erase evidence of the threat actor’s presence from the disk and associated web logs.

Lace Tempest has previously been observed utilising the MOVEit vulnerability in June 2023, and deploying Cl0p ransomware.

Given the severity of the vulnerability, it is recommended that steps are taken immediately to deploy patches issued by SysAid.  Vulnerable users of the software should also review systems for evidence of prior exploitation.  Further details can be found on the SysAid blog here.

For further information on CL0P’s recent activities and other ransomware blogs check out my latest Ransomware statistics article here.

"Flash
Flash Alert

Flash Alert – Further exploitation of Citrix NetScaler

by Daniel Collyer
October 19, 2023

CVE-2023-4966

CVSS: 9.4

Last week, Citrix released a patch for CVE-2023-4966. This vulnerability allows threat actors to hijack existing, authenticated sessions and bypass multi-factor authentication. As a result, they could fully control NetScaler environments, and therefore manage and control application delivery.

The vulnerability impacts the following versions of Citrix NetScaler:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50  and later releases
  • NetScaler ADC and NetScaler Gateway  13.1-49.15  and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Cybersecurity firm Mandiant has been tracking exploitation of the vulnerability and has seen evidence of use since August 2023 by an as-yet-unknown threat actor. This threat actor appears most concerned with cyberespionage, with targets including professional services, technology and government organisations. Over time, it is anticipated that further threat actors will begin exploiting this vulnerability across wider sectors for financial gain.

Despite the patch being issued, it is anticipated that exploitation of this vulnerability will increase. This is down to a slow uptake of patching undertaken by users of Citrix NetScaler. For example, we previously reported on CVE-2023-3519 which was patched in July 2023 after being exploited as early as June 2023. Research by the Shadowserver Foundation indicates at least 1,300 NetScaler instances are still vulnerable to this exploit.

Citrix recommends updating and patching all instances of NetScaler to the most recently available versions in order to limit the impact of the vulnerability. Further details can be found here.

"Cisco
Flash Alert

Flash Alert – Critical Vulnerability in Cisco IOS XE Software

by Daniel Collyer
October 18, 2023

On 16 October 2023, Cisco reported on a vulnerability affecting Cisco IOS XE.  CVE-2023-20198 is a critical vulnerability apparent in the Web UI of Cisco IOS XE software.  It applies when the IOS is exposed to the internet or other untrusted networks, and impacts both physical and virtual devices with HTTP or HTTPS Server features enabled.

A threat actor can leverage this vulnerability to create an account on an affected device.  This account would benefit from privilege level 15 access, which would grant the malicious user full control of the compromised device.  From here they could freely engage in further unauthorised activity, such as data theft or malware deployment.  They would also be able to monitor network traffic, pivot into protected networks, and perform man-in-the-middle attacks

Research conducted by VulnCheck has identified thousands of hosts already impacted by this vulnerability.  They recommend disabling the web interface and removing all management interfaces from the internet.

At the time of posting, a patch for this vulnerability has yet to be released.  Cisco has recommended disabling the HTTP Server feature.  A compromise of the system can be detected by:

  • Monitoring access logs for any new or unknown users
  • Monitoring system logs for the following message (where filename is an unknown filename that does not correlate with an expected file installation action)
    • %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename
  • Running the following on a suspect device, where systemip is the IP address of the system to check.  An impacted system will return a hexadecimal string:
    • curl -k -X POST “https://systemip/webui/logoutconfirm.html?logon_hash=1″

Further details on their recommendations and IoCs can be found here.

GitHub user ZephrFish https://twitter.com/ZephrFish has produced and shared a simple tool to scan if a host has been impacted by a threat actor using the vulnerability.  This can be found here.

The following Snort rule IDs are also available to detect exploitation:

  • 3:50118:2 – can alert for initial implant injection
  • 3:62527:1 – can alert for implant interaction
  • 3:62528:1 – can alert for implant interaction
  • 3:62529:1 – can alert for implant interaction

Additional ongoing discussions on this vulnerability can be followed on this twitter thread by Daniel Card https://twitter.com/UK_Daniel_Card/thread/1714536315834798314

"Flash
Flash Alert

Flash Alert – Exploitation of vulnerabilities in SharePoint – update now

by Daniel Collyer
September 27, 2023

In recent months, several vulnerabilities in SharePoint have been identified and documented, including CVE-2023-29357 and CVE-2023-24955.  Security researchers at STAR Labs in Singapore have demonstrated the use of these vulnerabilities to achieve pre-auth remote code execution on a SharePoint server.  You can review their research here.

Exploiting these vulnerabilities allows a potential threat actor to bypass authentication by impersonating a legitimate user.  They can then inject code into root directories which is then executed by SharePoint.

CVE-2023-29357

CVE-2023-29357 was published in June 2023.  It details a vulnerability in Microsoft SharePoint which allows for a threat actor to elevate their privilege on a vulnerable server to administrator level.

The vulnerability affects Microsoft SharePoint Server 2019.

A threat actor, with access to spoofed JWT authentication tokens, is able to undertake a network attack which can bypass authentication.  This allows them to gain access to a server, with the privileges of a legitimate, authenticated user.

Microsoft has issued several security updates to combat the vulnerability and these should be installed and implemented as soon as possible.  Those who have enabled AMSI integration and use Microsoft Defender are protected.

Python scripts have been identified within online repositories which seek to exploit this vulnerability, and further suggest combining it with CVE-2023-24955 to achieve Remote Code Execution.  An example can be found here.

CVE-2023-24955

CVE-2023-24955 was published in May 2023.  It concerns a vulnerability in Microsoft SharePoint which allows for the remote execution of code on a SharePoint server by an authenticated threat actor.

Microsoft has issued several security updates to combat the vulnerability and these should be installed and implemented as soon as possible.

"SOS
Flash Alert

Flash Alert – CVEs of note being exploited in the wild

by Daniel Collyer
July 26, 2023

We have identified several CVEs of note currently being exploited and representing significant risks to the security of computer networks and systems.

CVE-2023-34478, Apache Shiro

Apache Shiro is an open-source software security structure, that conducts authentication, authorisation, cryptography and session management.

A vulnerability has been identified that increases susceptibility to a path traversal attack. This could result in the bypassing of authentication when used with APIs or similar frameworks. This would therefore put any data stored outside the web root folder at risk of unauthorised access

The vulnerability impacts versions of Apache Shiro before 1.12.0 or 2.0.0-alpha-3. Apache recommends upgrading to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ to resolve this.

CVE-2022-41352, Zimbra ZCS

A Remote Code Execution (RCE) vulnerability identified in Zimbra’s collaborative software suite in October 2022 continues to be exploited.

The exploit targets a vulnerability in Zimbra’s inbuilt antivirus engine, Amavis, as it scans inbound mail. By sending an email containing a .cpio file, attackers can extract the malicious payload while Amavis scans the email. By using cpio an attacker can write to any path on the filesystem that the victim user can access.

ZCS 9.0.0 Patch 27 was released to address this issue. It is recommended to ensure all patches of ZCS are installed to maintain device and network security.

CVE-2023-26360, Adobe ColdFusion

A vulnerability in Adobe ColdFusion (2018 Update 15 (and earlier) and 2021 Update 5 (and earlier)) could allow a threat actor to execute code, in the context of the user of the impacted device, and may also result in memory leak. Such an exploit does not require any user interaction from the victim user.

Adobe has pushed updates for these versions (Update 16 and Update 6 respectively) which address the issue. It is recommended that Coldfusion JDK/JRE is also updated to the latest release in order to secure vulnerable servers. Finally, users should apply Adobe’s Lockdown guidance for Coldfusion.

CVE-2023-35078, Ivanti Endpoint Manager

A new vulnerability has been identified in Ivanti’s Endpoint Manager Mobile (EPMM), AKA MobileIron Core. The vulnerability impacts all current versions of the product, with older versions/releases also being at risk.

When exploited, the vulnerability allows any internet-facing threat actor unauthorised remote access to the victim’s Personally Identifiable Information (PII), and make limited changes to the targeted server.

A patch has been released and can be obtained from Ivanti’s Knowledge Base.

CVE-2023-38408, OpenSSH 9.3p2 and below

A vulnerability has been found in Open SSH. The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.)

Remote exploitation requires that the agent was forwarded to an attacker-controlled system. The following could be applied, which may mitigate risks:

Exploitation can be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P ”) or by configuring an allowlist that contains only specific provider libraries.
Disabling agent forwarding or restricting ssh-agent options.
Adjusting the ssh-agent.service file ExecStart to disable PKCS11 modules

1 2
Recent Posts
Recent Comments
    Privacy Settings
    We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
    Youtube
    Consent to display content from - Youtube
    Vimeo
    Consent to display content from - Vimeo
    Google Maps
    Consent to display content from - Google
    Spotify
    Consent to display content from - Spotify
    Sound Cloud
    Consent to display content from - Sound
    Save