Customer portal
Category

Flash Alert

"Flash
Flash Alert

Flash Alert – Exploitation of vulnerabilities in SharePoint – update now

In recent months, several vulnerabilities in SharePoint have been identified and documented, including CVE-2023-29357 and CVE-2023-24955.  Security researchers at STAR Labs in Singapore have demonstrated the use of these vulnerabilities to achieve pre-auth remote code execution on a SharePoint server.  You can review their research here.

Exploiting these vulnerabilities allows a potential threat actor to bypass authentication by impersonating a legitimate user.  They can then inject code into root directories which is then executed by SharePoint.

CVE-2023-29357

CVE-2023-29357 was published in June 2023.  It details a vulnerability in Microsoft SharePoint which allows for a threat actor to elevate their privilege on a vulnerable server to administrator level.

The vulnerability affects Microsoft SharePoint Server 2019.

A threat actor, with access to spoofed JWT authentication tokens, is able to undertake a network attack which can bypass authentication.  This allows them to gain access to a server, with the privileges of a legitimate, authenticated user.

Microsoft has issued several security updates to combat the vulnerability and these should be installed and implemented as soon as possible.  Those who have enabled AMSI integration and use Microsoft Defender are protected.

Python scripts have been identified within online repositories which seek to exploit this vulnerability, and further suggest combining it with CVE-2023-24955 to achieve Remote Code Execution.  An example can be found here.

CVE-2023-24955

CVE-2023-24955 was published in May 2023.  It concerns a vulnerability in Microsoft SharePoint which allows for the remote execution of code on a SharePoint server by an authenticated threat actor.

Microsoft has issued several security updates to combat the vulnerability and these should be installed and implemented as soon as possible.

"SOS
Flash Alert

Flash Alert – CVEs of note being exploited in the wild

We have identified several CVEs of note currently being exploited and representing significant risks to the security of computer networks and systems.

CVE-2023-34478, Apache Shiro

Apache Shiro is an open-source software security structure, that conducts authentication, authorisation, cryptography and session management.

A vulnerability has been identified that increases susceptibility to a path traversal attack. This could result in the bypassing of authentication when used with APIs or similar frameworks. This would therefore put any data stored outside the web root folder at risk of unauthorised access

The vulnerability impacts versions of Apache Shiro before 1.12.0 or 2.0.0-alpha-3. Apache recommends upgrading to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ to resolve this.

CVE-2022-41352, Zimbra ZCS

A Remote Code Execution (RCE) vulnerability identified in Zimbra’s collaborative software suite in October 2022 continues to be exploited.

The exploit targets a vulnerability in Zimbra’s inbuilt antivirus engine, Amavis, as it scans inbound mail. By sending an email containing a .cpio file, attackers can extract the malicious payload while Amavis scans the email. By using cpio an attacker can write to any path on the filesystem that the victim user can access.

ZCS 9.0.0 Patch 27 was released to address this issue. It is recommended to ensure all patches of ZCS are installed to maintain device and network security.

CVE-2023-26360, Adobe ColdFusion

A vulnerability in Adobe ColdFusion (2018 Update 15 (and earlier) and 2021 Update 5 (and earlier)) could allow a threat actor to execute code, in the context of the user of the impacted device, and may also result in memory leak. Such an exploit does not require any user interaction from the victim user.

Adobe has pushed updates for these versions (Update 16 and Update 6 respectively) which address the issue. It is recommended that Coldfusion JDK/JRE is also updated to the latest release in order to secure vulnerable servers. Finally, users should apply Adobe’s Lockdown guidance for Coldfusion.

CVE-2023-35078, Ivanti Endpoint Manager

A new vulnerability has been identified in Ivanti’s Endpoint Manager Mobile (EPMM), AKA MobileIron Core. The vulnerability impacts all current versions of the product, with older versions/releases also being at risk.

When exploited, the vulnerability allows any internet-facing threat actor unauthorised remote access to the victim’s Personally Identifiable Information (PII), and make limited changes to the targeted server.

A patch has been released and can be obtained from Ivanti’s Knowledge Base.

CVE-2023-38408, OpenSSH 9.3p2 and below

A vulnerability has been found in Open SSH. The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.)

Remote exploitation requires that the agent was forwarded to an attacker-controlled system. The following could be applied, which may mitigate risks:

Exploitation can be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P ”) or by configuring an allowlist that contains only specific provider libraries.
Disabling agent forwarding or restricting ssh-agent options.
Adjusting the ssh-agent.service file ExecStart to disable PKCS11 modules

"Citrix
Flash Alert

Flash Alert – Citrix vulnerability being exploited in the wildFlash Alert –

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

Cloud-computing company Citrix has begun alerting customers as to a critical vulnerability in its Netscaler ADC and NetScaler gateway applications.  CVE-2023-3519 has been observed being exploited in the wild, and all users of the affected applications are being urged to ensure recent updates and patches are installed.

For a threat actor to utilise this vulnerability, a vulnerable appliance would need to be configured as a gateway (e.g. CVPN, ICA Proxy, RDP Proxy, VPN virtual server) or as an authentication virtual server (AAA server)

Identified through our OSINTSEARCH tool, exploits against Citrix ADC have been discussed, including the sale of a Remote Code Execution (RCE) exploit, on the cybercrime forum XSS:
 

And with translation…

Citrix strongly advises its customers to switch to updated versions that fixes this issue:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0 
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS 
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS 
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.

Citrix customers can begin researching any potential compromise by identifying web shells that are newer than the last installation date of Citrix software. HTTP error logs may also reveal anomalies indicative of initial exploitation. SysAdmins should also review shell logs for any unexpected commands, which may be indicative of the post-exploitation phase of an attack.

"Office
Flash Alert

Flash Alert – Office zero-day being actively targeted in the wild

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

This was originally sent out to our Flash Alert Subscribers on July 12th. To sign up for this free service, please click here.

Microsoft is actively investigating CVE-2023-36884, an unpatched zero-day vulnerability in their Windows and Office products, amid concerns it is being utilised by nation-state and cybercriminal threat actors to gain remote code execution (RCE) via malicious Office documents.

The zero-day is exploited via specially crafted Office documents, designed to enable RCE.  The victim would be required to open the document for the malicious code to execute.  However, it is reported that the vulnerability could be exploited without user interaction.

Successful exploitation of this vulnerability could pose a significant risk to data, granting threat actors access to confidential and sensitive information, allowing them to bypass or shut down system protections, and/or deny access to compromised systems

The exploit has been identified to have been utilised in a campaign by APT Storm-0978 (AKA DEV-0978, RomCom), aimed at European and North American government and defence entities.

Microsoft provided the following mitigations for the unpatched zero-day:

  • Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
  • In current attack chains, the use of the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
  • Organisations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1.:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe


The Twitter post below, from @UK_Daniel_Card, provides the GUID references for Attack Service Reduction (ASR) rules which can be utilised to increase protection.

Microsoft is actively investigating CVE-2023-36884, an unpatched zero-day vulnerability in their Windows and Office products
"Critical
Flash Alert

Flash Alert – Critical vulnerability in MOVEit Transfer

Flash Alert – Critical vulnerability in MOVEit Transfer

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

We have been made aware of a critical, zero-day vulnerability in MOVEit Transfer which is being actively targeted by threat actors to facilitate data theft.

MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch.  It allows the users to securely transfer files between consumers and partners using SFTP, SCP, and HTTP-based uploads.

The exploit, as yet unassigned a CVE, is being utilised by as-yet-unknown threat actors to facilitate mass downloads of victim company data.  

Ipswitch’s parent company Progress Software Corporation have released mitigation advice here, but as of writing, no patches have been released.  We recommend taking necessary precautions to safeguard data until suitable patches have been released.

Key recommendations have been to block traffic across HTTP ports (80 and 443).  This would have the effect of inhibiting certain functions of MOVEit, however, (S)FTP protocols can remain in use for file transfers.  This would seemingly indicate the vulnerability to be web-facing.  It is further recommended to monitor the “c:\MOVEit Transfer\wwwroot\” folder for indications of unexpected files, backups or downloads.

Rapid7 has identified the flaw as an SQL injection vulnerability, leading to remote code execution.  By querying the web shell within exposed MOVEit Transfer servers, and providing the necessary, password-like data within the headers, attackers can leverage access to the services MySQL servers.  This would allow access to perform various actions, such as:

  • Retrieve a list of stored files and relevant metadata
  • Create and remove randomly-named MOVEit Transfer users with the login name ‘Health Check Service’ and create new MySQL sessions.
  • Retrieve information about the configured Azure Blob Storage account, including various settings.  This can then be leveraged to steal data directly from Azure Blob Storage containers.  
  • Download files from the server

Industry reporting has suggested that this incident began on or around 27 May 2023, to coincide with lax monitoring over the US’s Memorial Day weekend.

IOCs

138.197.152[.]201

209.97.137[.]33

5.252.191[.]0/24

148.113.152[.]144 (reported by the community)

89.39.105[.]108

App_Web_<random>.dll (Normally, there will be one of these files.  Presence of more would indicate a breach)

"SOS
Flash Alert

Flash Alert – Brute-Force scanning of VPNs

SOS Intelligence has recently seen indications of brute-force login activity against VPN services associated with a customer.  

Our research has linked this activity to an Initial Access Broker (IAB), who has recently released access to a brute force scanning tool through their profile on a high-profile cyber-crime forum. 

Thanks to Daniel, our new Threat Intelligence Analyst who has been investigating this. Future flash alerts and intelligence reports will come from Daniel via email. If you would like to get these, you can sign up here.

The IAB has shared information with our Intelligence Team, showing statistics relating to successful logins they have found whilst scanning VPN networks.

This has highlighted a concerning amount of networks accessible using commonly known default login credentials.  However, the IAB has acknowledged that some of these may represent honeypots.

Source: SOS Intelligence discussion with Bassterlord

Initial Access Brokerage is a common feature of cyber-crime forums.  The individuals concerned involve themselves with the compromise of computer networks. 

Once persistence within the network has been maintained, they monetize that access by selling it within forums, often to actors with access to destructive malware.  Therefore, IAB activity can often be a precursor to Ransomware and/or Data-exfiltration attacks.

Other Discussions identified by the SOS Intelligence Platform related to VPN Provider Scanning

Recommendation

We recommend reviewing any VPN services in use to ensure all default account passwords have been changed, and any built-in accounts have been disabled, in accordance with the best practices of your provider.

At SOS Intelligence we can provide bespoke intelligence feeds to help monitor your data to help you identify when credentials have been leaked and are appearing online, helping you to stay ahead of the attackers and keep your networks safe.

Photo by Kevin Ku on Unsplash

1 2
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from - Youtube
Vimeo
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Spotify
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound