Articles tagged with: sosintelligence flash alert

Flash Alert

Flash Alert – Exploitation of vulnerabilities in SharePoint – update now

In recent months, several vulnerabilities in SharePoint have been identified and documented, including CVE-2023-29357 and CVE-2023-24955.  Security researchers at STAR Labs in Singapore have demonstrated the use of these vulnerabilities to achieve pre-auth remote code execution on a SharePoint server.  You can review their research here.

Exploiting these vulnerabilities allows a potential threat actor to bypass authentication by impersonating a legitimate user.  They can then inject code into root directories which is then executed by SharePoint.

CVE-2023-29357

CVE-2023-29357 was published in June 2023.  It details a vulnerability in Microsoft SharePoint which allows for a threat actor to elevate their privilege on a vulnerable server to administrator level.

The vulnerability affects Microsoft SharePoint Server 2019.

A threat actor, with access to spoofed JWT authentication tokens, is able to undertake a network attack which can bypass authentication.  This allows them to gain access to a server, with the privileges of a legitimate, authenticated user.

Microsoft has issued several security updates to combat the vulnerability and these should be installed and implemented as soon as possible.  Those who have enabled AMSI integration and use Microsoft Defender are protected.

Python scripts have been identified within online repositories which seek to exploit this vulnerability, and further suggest combining it with CVE-2023-24955 to achieve Remote Code Execution.  An example can be found here.
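The authentication bypass described above comes down to a server trusting a token it never properly verified. The example below is added here to show the defensive side of that and is not code from SOS Intelligence, Microsoft or the STAR Labs research; the page does not describe SharePoint's own token-validation logic, so the verifier assumes a simple HS256 shared-secret scheme (the `DEMO_SECRET`, `make_hs256_token`, `verify_token` and `unsigned_token` names are all constructed for this illustration). It rejects unsigned tokens, tokens whose signature does not match the claims, tokens signed with another key and expired tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads its signing key from a key store.
DEMO_SECRET = b"demo-hmac-secret-not-for-production"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a correctly signed HS256 token; used here only to build known-good inputs."""
    signing_input = f"{_encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_part(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """Negative test input: a token carrying alg 'none' and an empty signature segment."""
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(claims)}."


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the token is genuinely signed with `secret`, else None.

    The algorithm is pinned to HS256 on the verifier side, so a token that names
    'none' (or any other algorithm) is refused before its signature is even looked at.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        presented_sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the full MAC; a mismatch means the claims were altered
    # or the token was minted with a different key.
    if not hmac.compare_digest(expected, presented_sig):
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if exp is not None and (now if now is not None else time.time()) >= exp:
        return None
    return claims


if __name__ == "__main__":
    good = make_hs256_token({"sub": "alice", "role": "user", "exp": 2_000_000_000}, DEMO_SECRET)
    print("valid token   ->", verify_token(good, DEMO_SECRET, now=1_700_000_000))
    print("unsigned token->", verify_token(unsigned_token({"sub": "admin"}), DEMO_SECRET, now=1_700_000_000))
```

The point for a reviewer of any token-consuming endpoint is the order of checks: decide the accepted algorithm yourself, verify the signature over exactly the bytes received, and only then read the claims. Anything that derives the algorithm, the key or the identity from the unverified token reproduces the class of flaw the alert describes.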

CVE-2023-24955

CVE-2023-24955 was published in May 2023.  It concerns a vulnerability in Microsoft SharePoint which allows for the remote execution of code on a SharePoint server by an authenticated threat actor.

Microsoft has issued several security updates to combat the vulnerability and these should be installed and implemented as soon as possible.

Flash Alert

Flash Alert – CVEs of note being exploited in the wild

We have identified several CVEs of note currently being exploited and representing significant risks to the security of computer networks and systems.

CVE-2023-34478, Apache Shiro

Apache Shiro is an open-source Java security framework that handles authentication, authorisation, cryptography and session management.

A vulnerability has been identified that makes affected versions susceptible to a path traversal attack, which could bypass authentication when Shiro is used with APIs or similar frameworks. Any data stored outside the web root folder would therefore be at risk of unauthorised access.

The vulnerability impacts versions of Apache Shiro before 1.12.0 or 2.0.0-alpha-3. Apache recommends upgrading to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ to resolve this.

CVE-2022-41352, Zimbra ZCS

A Remote Code Execution (RCE) vulnerability identified in Zimbra’s collaborative software suite in October 2022 continues to be exploited.

The exploit targets a vulnerability in Zimbra’s inbuilt antivirus engine, Amavis, as it scans inbound mail. By sending an email containing a .cpio file, attackers can extract the malicious payload while Amavis scans the email. By using cpio an attacker can write to any path on the filesystem that the victim user can access.

ZCS 9.0.0 Patch 27 was released to address this issue. It is recommended to ensure all patches of ZCS are installed to maintain device and network security.

CVE-2023-26360, Adobe ColdFusion

A vulnerability in Adobe ColdFusion (2018 Update 15 (and earlier) and 2021 Update 5 (and earlier)) could allow a threat actor to execute code, in the context of the user of the impacted device, and may also result in memory leak. Such an exploit does not require any user interaction from the victim user.

Adobe has pushed updates for these versions (Update 16 and Update 6 respectively) which address the issue. It is recommended that the ColdFusion JDK/JRE is also updated to the latest release in order to secure vulnerable servers. Finally, users should apply Adobe’s Lockdown guidance for ColdFusion.

CVE-2023-35078, Ivanti Endpoint Manager

A new vulnerability has been identified in Ivanti’s Endpoint Manager Mobile (EPMM), AKA MobileIron Core. The vulnerability impacts all current versions of the product, with older versions/releases also being at risk.

When exploited, the vulnerability allows any internet-facing threat actor unauthorised remote access to the victim’s Personally Identifiable Information (PII) and the ability to make limited changes to the targeted server.

A patch has been released and can be obtained from Ivanti’s Knowledge Base.

CVE-2023-38408, OpenSSH 9.3p2 and below

A vulnerability has been found in OpenSSH. The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.)

Remote exploitation requires that the agent was forwarded to an attacker-controlled system. The following could be applied, which may mitigate risks:

  • Exploitation can be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
  • Disabling agent forwarding or restricting ssh-agent options.
  • Adjusting the ssh-agent.service file ExecStart to disable PKCS11 modules.
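The three mitigations above are things an administrator can check for across a fleet. The example below is an added audit helper, not code from the alert or from the OpenSSH project: it parses an ssh_config-style file for hosts that still enable `ForwardAgent`, and checks a systemd `ssh-agent.service` unit for an `ExecStart` line that passes the empty allowlist `-P ''`. The sample config and unit texts are constructed for this illustration; the `ForwardAgent` keyword and the `-P` allowlist flag are real OpenSSH options, while the unit file layout is assumed to follow the usual `[Service]` / `ExecStart=` form.

```python
import re
from typing import List

# Constructed sample standing in for ~/.ssh/config: one host still forwards the agent.
SAMPLE_SSH_CONFIG = """\
# constructed example config
Host bastion
    ForwardAgent yes
    HostName bastion.example.invalid

Host *
    ForwardAgent=no
"""

# Constructed sample units standing in for a user-level ssh-agent.service.
SAMPLE_AGENT_UNIT_WEAK = """\
[Service]
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
"""

SAMPLE_AGENT_UNIT_HARDENED = """\
[Service]
ExecStart=/usr/bin/ssh-agent -P '' -D -a $SSH_AUTH_SOCK
"""

# ssh_config keywords are case-insensitive and may be separated from their
# argument by whitespace or by an optional '='.
_KV_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def hosts_with_agent_forwarding(config_text: str) -> List[str]:
    """Return the Host/Match sections (or '(global)') in which ForwardAgent is set to yes."""
    section = "(global)"
    flagged: List[str] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = _KV_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1), m.group(2).strip()
        if keyword.lower() in ("host", "match"):
            section = f"{keyword} {value}"
        elif keyword.lower() == "forwardagent" and value.lower() == "yes":
            flagged.append(section)
    return flagged


def agent_unit_has_empty_allowlist(unit_text: str) -> bool:
    """True if the unit starts ssh-agent with -P '' (or -P ""), i.e. no PKCS#11/FIDO providers allowed."""
    for line in unit_text.splitlines():
        if line.startswith("ExecStart=") and "ssh-agent" in line:
            return re.search(r"""(^|\s)-P\s+(''|"")(\s|$)""", line) is not None
    return False


def audit(config_text: str, unit_text: str) -> dict:
    """Summarise both checks so the result can be fed into an inventory or alerting job."""
    return {
        "forwarding_sections": hosts_with_agent_forwarding(config_text),
        "agent_allowlist_empty": agent_unit_has_empty_allowlist(unit_text),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SSH_CONFIG, SAMPLE_AGENT_UNIT_WEAK))
    print(audit(SAMPLE_SSH_CONFIG, SAMPLE_AGENT_UNIT_HARDENED))
```

Replace the sample texts with the contents of the real files (`~/.ssh/config`, `/etc/ssh/ssh_config` and the active unit under `systemctl --user cat ssh-agent.service`, where that unit exists). A section flagged by the first check is one where a forwarded agent could be reached from the remote host, which is the precondition the alert names; the second check confirms that even a forwarded agent would refuse to load provider libraries.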

Flash Alert

Flash Alert – Citrix vulnerability being exploited in the wild

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

Cloud-computing company Citrix has begun alerting customers to a critical vulnerability in its NetScaler ADC and NetScaler Gateway applications.  CVE-2023-3519 has been observed being exploited in the wild, and all users of the affected applications are being urged to ensure recent updates and patches are installed.

For a threat actor to utilise this vulnerability, a vulnerable appliance would need to be configured as a gateway (e.g. CVPN, ICA Proxy, RDP Proxy, VPN virtual server) or as an authentication virtual server (AAA server).

Identified through our OSINTSEARCH tool, exploits against Citrix ADC have been discussed on the cybercrime forum XSS, including the sale of a Remote Code Execution (RCE) exploit (forum screenshot and its translation not reproduced here).

Citrix strongly advises its customers to switch to the updated versions that fix this issue:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.

Citrix customers can begin researching any potential compromise by identifying web shells that are newer than the last installation date of Citrix software. HTTP error logs may also reveal anomalies indicative of initial exploitation. SysAdmins should also review shell logs for any unexpected commands, which may be indicative of the post-exploitation phase of an attack.
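The first hunting step above, finding web content newer than the last Citrix install, is simple to script. The example below is added here and is not code from SOS Intelligence or Citrix: it walks a directory tree and reports files whose modification time is later than a reference timestamp, optionally restricted to script-like extensions. The directory layout (`htdocs/...`), file names and timestamps in `build_demo_tree` are constructed for this illustration and are not real NetScaler paths; on a real appliance the root would be the web content directory and the reference time would be taken from the last upgrade.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Sequence, Tuple

# Extensions a responder would look at first; pass suffixes=None to list every file.
DEFAULT_SUFFIXES: Sequence[str] = (".php", ".pl", ".py", ".sh", ".jsp", ".cgi")


def files_newer_than(root: str, reference_epoch: float,
                     suffixes: Optional[Sequence[str]] = DEFAULT_SUFFIXES) -> List[str]:
    """Return root-relative paths whose mtime is strictly after `reference_epoch`.

    lstat is used deliberately so that symlinks are judged by their own timestamp
    rather than by whatever they point at.
    """
    hits: List[str] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if suffixes and not name.lower().endswith(tuple(suffixes)):
                continue
            full = os.path.join(dirpath, name)
            try:
                if os.lstat(full).st_mtime > reference_epoch:
                    hits.append(os.path.relpath(full, root))
            except OSError:
                continue   # file vanished or is unreadable; not this tool's problem
    return sorted(hits)


def build_demo_tree() -> Tuple[str, float]:
    """Create a constructed web-root lookalike: two files from 'install time', one added later."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    install_time = 1_690_000_000.0            # constructed 'last install' timestamp
    later = install_time + 3 * 86_400         # three days after install
    for rel, ts in (("htdocs/index.html", install_time),
                    ("htdocs/logon.html", install_time),
                    ("htdocs/themes/extra.php", later)):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<!-- constructed placeholder content -->\n")
        os.utime(path, (ts, ts))              # set atime and mtime explicitly
    return root, install_time


if __name__ == "__main__":
    demo_root, reference = build_demo_tree()
    for rel in files_newer_than(demo_root, reference):
        print("newer than last install:", rel)
```

Treat the output as a triage list rather than a verdict: modification times can be reset by an intruder, so a clean result does not clear a host, and the listed files still need to be inspected. That is why the alert pairs this check with a review of the HTTP error logs and shell history.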

Flash Alert

Flash Alert – Office zero-day being actively targeted in the wild

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

This was originally sent out to our Flash Alert Subscribers on July 12th. To sign up for this free service, please click here.

Microsoft is actively investigating CVE-2023-36884, an unpatched zero-day vulnerability in their Windows and Office products, amid concerns it is being utilised by nation-state and cybercriminal threat actors to gain remote code execution (RCE) via malicious Office documents.

The zero-day is exploited via specially crafted Office documents, designed to enable RCE.  The victim would be required to open the document for the malicious code to execute.  However, it is reported that the vulnerability could be exploited without user interaction.

Successful exploitation of this vulnerability could pose a significant risk to data, granting threat actors access to confidential and sensitive information, allowing them to bypass or shut down system protections, and/or deny access to compromised systems.

The exploit has been identified to have been utilised in a campaign by APT Storm-0978 (AKA DEV-0978, RomCom), aimed at European and North American government and defence entities.

Microsoft provided the following mitigations for the unpatched zero-day:

  • Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
  • In current attack chains, the use of the “Block all Office applications from creating child processes” Attack Surface Reduction rule will prevent the vulnerability from being exploited.
  • Organisations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe


The Twitter post below, from @UK_Daniel_Card, provides the GUID references for Attack Surface Reduction (ASR) rules which can be utilised to increase protection.
