Threat and Vulnerability October 29 to November 4

Hey there, welcome to Cyber Writes’ weekly publication – the Threat and Vulnerability Roundup! Get ready to dive into the latest and greatest in cybersecurity, as we bring you the most up-to-date information each week.

We have highlighted recent attack tactics, exploits, and critical vulnerabilities. We also provide the latest software updates to ensure the security of your devices.

This provides a roadmap for improving security strategy and understanding the specific technology-related threats faced by your organization. Stay informed with our comprehensive coverage.

Cyber Attack

Boeing Cyberattack

Boeing, the aerospace industry leader, has recently reported a cyberattack on its systems. The attack primarily targeted the company’s parts and distribution business.

While this breach has not affected flight safety, it has raised concerns about the security of the company’s supply chain and the potential for further attacks.

“We are aware of a cyber incident impacting elements of our parts and distribution business,” Boeing told The Cyber Security News.

IIS-based Backdoors to Compromise Windows servers

A new threat actor associated with Iran’s Ministry of Intelligence and Security (MOIS) has been discovered conducting cyberespionage campaigns using backdoors planted on Microsoft IIS web servers. Its targets are government, military, financial, and telecommunication organizations in the Middle East.

This threat actor is tracked as Scarred Manticore and overlaps closely with two other tracked groups, Storm-0861 and OilRig. Its victims have been reported in several countries, including Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.

Knight Ransomware Attacking Windows Computer

Knight ransomware, a relatively new ransomware gang that first appeared in August 2023, targets Windows computers to steal sensitive data.

Several industries have been attacked by the Knight ransomware operation, including retail and healthcare organizations such as dental offices, physicians’ clinics, and hospitals.

According to Fortinet’s classification of victim organizations by nation, the United States leads by a wide margin.

EleKtra-Leak

Recent reports indicate that a new campaign under the name EleKtra-Leak has been identified to target AWS IAM (Identity and Access Management) credentials within minutes of their public exposure on GitHub.

This is done to perform cryptojacking activities through compromised AWS accounts.

To scale the operation and maintain persistence, the threat actors ran multiple Amazon EC2 instances for mining. The campaign has reportedly been active since 2020 and specifically mines Monero.
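The race the paragraph describes is won by whoever sees the leaked key first, so the defensive counterpart is to catch AWS credentials before they are ever pushed. The scanner below is an added example (not code from the original roundup or from the EleKtra-Leak research) that flags access key IDs and labelled secret keys in text such as a diff, using an entropy floor to skip placeholders. The regexes, the 4.0-bit threshold and the sample hunk are this example’s own assumptions; the key pair in the sample is the example pair from AWS documentation, not a live credential.

```python
import math
import re
from collections import Counter

# Long-lived access key IDs begin with "AKIA", temporary (STS) ones with "ASIA";
# both are 20 upper-case alphanumerics. The patterns and thresholds here are this
# example's own heuristics, not a published rule set.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret keys are 40 base64-like characters and almost always sit next to a label
# such as aws_secret_access_key / AWS_SECRET_ACCESS_KEY.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-\s]*secret[_\-\s]*(?:access[_\-\s]*)?key[^\S\n]*[:=][^\S\n]*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets score around 4.5-5, placeholders far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_aws_credentials(text: str, min_secret_entropy: float = 4.0) -> list:
    """Return suspected AWS credentials found in text, with the line each appears on."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            # Drop obvious placeholders ("xxxx...", "REPLACE_ME...") by entropy.
            if shannon_entropy(secret) >= min_secret_entropy:
                findings.append({"line": lineno, "kind": "secret_access_key", "value": secret})
    return findings


# Constructed diff hunk for the demo. The key pair is the documented AWS example
# pair, not a live credential.
SAMPLE_DIFF = """\
+# constructed sample, not from any real repository
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+AWS_REGION=us-east-1
"""

if __name__ == "__main__":
    for f in find_aws_credentials(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['kind']} starting {f['value'][:4]}...")
```

Run as a pre-commit hook over `git diff --cached`, a hit should block the commit; a key that has already reached a public repository must be treated as compromised and rotated, since the paragraph above shows that revoking it later is too late.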

Vulnerability

CitrixBleed Flaw Widely Exploited

At the end of October, Assetnote released a proof-of-concept for CVE-2023-4966, a sensitive information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway devices with a severity rating of 9.4 (Critical).

Since the PoC was published, the vulnerability has been mass-exploited. Exploitation did not begin with the PoC, however: threat actors had already worked out the technical details and were abusing the flaw in the wild before its release.

Active BIG-IP SQL Injection Attacks 

F5 Networks has issued a security alert about a severe vulnerability in its BIG-IP Configuration utility, identified as CVE-2023-46748. 

This vulnerability is an authenticated SQL injection flaw that allows attackers with network access to execute arbitrary system commands. 

F5 Networks has categorized this issue under CWE-89, indicating an ‘Improper Neutralization of Special Elements used in an SQL Command’ (SQL Injection) problem.
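To make the CWE-89 classification concrete, here is an added example (not F5’s code and not the BIG-IP flaw itself, whose details the roundup does not give) showing the injectable pattern beside its parameterized fix against a constructed SQLite table. The table, user names and payloads are this example’s own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for an appliance's account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "Administrator"), ("alice", "Guest"), ("bob", "Operator")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89: the caller-supplied name is spliced into the SQL text, so quotes and
    keywords inside it become part of the statement."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the name travels as a bound parameter; the SQL text never changes."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Two classic payloads: a tautology that defeats the WHERE filter, and a UNION that
# reads the schema out of sqlite_master ("--" comments out the trailing quote).
TAUTOLOGY = "' OR '1'='1"
UNION_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", find_user_vulnerable(db, TAUTOLOGY))
    print("safe, tautology:      ", find_user_safe(db, TAUTOLOGY))
    print("vulnerable, union:    ", find_user_vulnerable(db, UNION_SCHEMA))
    print("safe, union:          ", find_user_safe(db, UNION_SCHEMA))
```

The vulnerable function returns every row for the tautology and leaks the table definition for the UNION payload; the parameterized version returns nothing for either, because the whole payload is compared as a literal user name. Whether an injection like this escalates to command execution, as F5 describes for BIG-IP, depends on what the application does with the query result, which is why an “authenticated” SQL injection in a management plane still rates as severe.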

Atlassian 

A critical vulnerability has been reported in Atlassian Confluence, software that many organizations have widely adopted.

The CVE for this vulnerability has been assigned as CVE-2023-22518, and the severity has been given as 9.1 (Critical).

Atlassian has addressed this vulnerability in a security advisory and fixed it in the latest versions of Confluence Data Center and Server; the advisory also lists the affected versions.

Hackers Abusing OAuth Tokens 

A new class of OAuth implementation flaw has been discovered in three major online services: Grammarly, Vidio, and Bukalapak. These applications use OAuth for social sign-in, and their implementations were vulnerable to an authentication token-stealing attack.

OAuth is an authorization protocol, first developed in 2006, that underpins passwordless sign-in to many applications through social media accounts such as Facebook, Twitter, or Google.

The flaw could have affected millions of users, as the affected vendors combined have more than 100 million users. All of them acted swiftly on the reported issues and fixed them.

3,000+ Apache ActiveMQ Open to Attack

More than 3,000 Apache ActiveMQ servers exposed to the internet are at risk due to a critical remote code execution (RCE) vulnerability identified as CVE-2023-46604.

Apache ActiveMQ is the most widely used open-source, multi-protocol, Java-based message broker. It supports industry-standard protocols, so clients written in JavaScript, C, C++, Python, .NET, and other languages can connect over STOMP, AMQP, MQTT, OpenWire, and more, which makes it a common choice for a broad range of messaging use cases.

Remote Desktop Manager Flaw

Recent reports indicate that the Remote Desktop Manager and Devolutions Server have been affected by improper access control and Remote code execution vulnerabilities.

The CVEs of these vulnerabilities have been assigned as CVE-2023-5766, CVE-2023-5765, and CVE-2023-5358. The severity of these vulnerabilities ranges between 4.3 (Medium) and 8.8 (High).

Remote Desktop Manager is used by sysadmins to remotely access a host of systems using a variety of software, services, and applications.

Microsoft Edge Vulnerability

Three new vulnerabilities have been discovered in Microsoft Edge (Chromium-based) associated with Remote Code execution and Spoofing. The CVEs of these vulnerabilities have been assigned as CVE-2023-36022, CVE-2023-36029, and CVE-2023-36034.

The severity of these vulnerabilities ranges between 4.3 (Medium) and 6.6 (Medium). Microsoft has released patches and recommends that users update accordingly.

Cisco Meeting Server Flaw

Cisco has warned about a serious security issue in the Web Bridge feature of Cisco Meeting Server. The flaw (CVE-2023-20255) could let an unauthenticated remote attacker cause a denial-of-service (DoS) condition.

The issue stems from insufficient validation of incoming web requests.

Sending malicious requests to the system could cause it to crash, which has the potential to impact the video calls that utilize the Web Bridge functionality.

Google Chrome 119 Released

Google has released Chrome 119 to the stable channel for Windows, Mac, and Linux, along with 15 security patches.

The most recent versions are 119.0.6045.105 for Linux and macOS and 119.0.6045.105/.106 for Windows; according to Google, the update will roll out over the coming days and weeks.

CVSS Common Vulnerability Scoring System

FIRST, the Forum of Incident Response and Security Teams has recently unveiled the latest version of their Common Vulnerability Scoring System (CVSS).

CVSS 4.0 succeeds CVSS 3.1 and gives security teams a more expressive way to assess the severity of vulnerabilities, accounting for both the technical characteristics of a flaw and its potential impact on business operations.

With enhanced metrics and a wider range of possible scores, CVSS 4.0 offers a more granular and accurate approach to vulnerability assessment, enabling organizations to prioritize their security efforts more effectively.

VMware Workspace Flaw

An open redirect vulnerability in the VMware Workspace ONE UEM console has been identified as CVE-2023-20886, which has a CVSS score of 8.8 and is classified as ‘Important’ in severity.

Using this vulnerability, an attacker could redirect a victim to a malicious website designed to capture the victim’s SAML response.

With that response, the attacker could then log in to the victim’s Workspace ONE UEM console as that user.
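An open redirect of this kind exists whenever a login flow sends the browser wherever a request parameter says. The validator below is an added example (not VMware’s code and not the Workspace ONE fix, whose details the roundup does not give) of the check a login endpoint should apply to a post-login destination, covering the bypasses that defeat naive string checks: protocol-relative `//host`, userinfo tricks like `https://good@evil`, backslashes that browsers treat as slashes, and non-HTTP schemes. The allow-listed hostname is an assumption.

```python
from urllib.parse import urlsplit

# Assumed console hostname for this example.
ALLOWED_HOSTS = {"uem.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a root-relative path or an absolute URL on an allow-listed host."""
    if not target:
        return False
    # Browsers treat backslashes as forward slashes; normalise before parsing so that
    # "/\evil.example" is seen as the protocol-relative "//evil.example".
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, vbscript: ...
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a root-relative path, never "//host".
        return normalised.startswith("/") and not normalised.startswith("//")
    # Absolute or protocol-relative URL: the parsed host, not a substring of the
    # raw string, must be on the allow list. urlsplit().hostname strips userinfo
    # and port, so "https://uem.example.com@evil.example/" yields "evil.example".
    return parts.hostname is not None and parts.hostname in allowed_hosts


def choose_redirect(target: str, default: str = "/") -> str:
    """Where to send the browser after login: the requested target if safe, else the default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    for candidate in ["/dashboard", "https://uem.example.com/console",
                      "//evil.example/steal", "https://uem.example.com@evil.example/",
                      "/\\evil.example", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {choose_redirect(candidate)}")
```

Matching on the parsed hostname rather than on `target.startswith("https://uem.example.com")` is the whole point: the substring check passes `https://uem.example.com.evil.example/` and `https://uem.example.com@evil.example/`, both of which land on the attacker’s host.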

Kubernetes Privilege Escalation Flaw

A new privilege escalation vulnerability has been discovered in Kubernetes: a user who can create pods on Windows nodes may be able to escalate to administrative privileges on those nodes. The CVE for this vulnerability has been assigned as CVE-2023-3676, and the severity has been given as 8.8 (High).

However, Kubernetes has addressed this vulnerability and fixed this issue on their latest version of Kubelet. Moreover, affected products have also been published.

Exploit Released for Cisco IOS XE Zero-day

A critical vulnerability in Cisco IOS XE was reported last week and has been actively exploited by threat actors in the wild. It was assigned CVE-2023-20198 and a severity rating of 10.0 (Critical).

The vulnerability affects the Cisco IOS XE software running on thousands of Cisco routers, switches, and other networking devices. Cisco has patched it and released a security advisory.

NGINX ingress Security Flaw

Three vulnerabilities have been discovered in NGINX ingress controllers, which were associated with arbitrary command execution, code injection, and sanitization bypass. The severity of these vulnerabilities ranges between 7.6 (High) and 10.0 (Critical).

NGINX Ingress Controller implements Kubernetes Ingress routing on top of the widely used NGINX reverse proxy. An Ingress is a Kubernetes API object that routes HTTP and HTTPS traffic to services according to a set of rules, such as hostnames or URL paths.

Malware

Hackers Attacking Blockchain Engineers

The frequency of hackers exploiting macOS flaws varies over time, but Apple continuously releases security updates to patch vulnerabilities. 

While macOS is generally considered more secure than some other operating systems, it is not immune to exploitation, and hackers may target it, especially when they discover new vulnerabilities.

Recently, cybersecurity researchers at Elastic Security Labs identified that hackers are actively attacking blockchain engineers of a crypto exchange platform with a new macOS malware.

Hackers Weaponize HWP Docs for National Defense & Press Attacks

HWP documents are primarily associated with the Hangul Word Processor software used in South Korea. 

Hackers may opt for HWP documents to target the national defense and press sectors because exploits for this specific file format and software may not be as widely monitored or protected against as more common document formats like PDF or Microsoft Word.

Hackers use Google Ads To Deploy Bonanza Malware 

Cybercriminals are resorting to unscrupulous tactics to deploy Bonanza malware by exploiting Google Search Ads.

The hackers are taking advantage of the search engine’s advertising mechanism to spread the malicious software, putting unsuspecting users at risk of cyber attacks.

This underhanded technique highlights the need for increased vigilance and caution when browsing the internet, particularly when clicking on ads.

SeroXen RAT Via NuGet Package

The NuGet package manager, which .NET developers widely use, has been under attack by a series of malicious activities, according to a report by cybersecurity firm ReversingLabs. 

The intrusion, which follows previous investigations on npm, PyPI, and RubyGems ecosystems, shows that NuGet is also vulnerable to software supply chain attacks by threat actors.

The coordinated campaign that started in August involved attackers exploiting NuGet’s MSBuild integrations feature, demonstrating a more sophisticated and stealthy method of compromising the open-source ecosystem.

XWorm Maas

XWorm is a Remote Access Trojan (RAT) sold as malware-as-a-service. It was first discovered in July 2022 and is believed to originate from the former USSR.

The malware is capable of multiple things, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and ransomware deployment.

The malware has gone through several updates since its emergence in 2022; the latest known version is 5.0 as of August 2023.

Kill Switch Disrupts Mozi IoT Botnet 

As of August 2023, one of the most notorious IoT botnets, Mozi, has ceased activity. The Mozi botnet had exploited hundreds of thousands of IoT devices.

The bots’ activity dropped off abruptly and without explanation: the decline began in India on August 8 and spread to China on August 16, leaving researchers puzzled about the cause.

Further analysis uncovered a kill switch delivered as a user datagram protocol (UDP) message. Whoever carried out the takedown used the kill switch eight times, instructing the bots to download and install an update via HTTP.

Hackers Weaponized MSIX to Infect Windows Users 

MSIX helps developers package Windows apps for easy installation. While it’s user-friendly, it demands access to code signing certificates, making it an attractive target for resourceful threat actors.

Additionally, MSIX packages can be distributed and installed without administrative privileges, potentially allowing malicious software to evade traditional security controls.

Cybersecurity researchers at Elastic Security Labs recently discovered a campaign using signed MSIX apps for initial access with a stealthy loader called GHOSTPULSE.

Acquisition

Proofpoint To Acquire  Tessian

Proofpoint, an enterprise security company, has entered into a definitive agreement to acquire Tessian, a leading provider of email security solutions.

The acquisition is aimed at enhancing the existing email security offerings of Proofpoint and preventing misdirected emails and data exfiltration, which are major concerns for businesses in today’s digital age.

Proofpoint, Inc. is a leading cybersecurity company that provides comprehensive cloud-based solutions to businesses worldwide.

Security Tools

Raven Vulnerability Scanner Tool

Cycode is excited to introduce Raven, a state-of-the-art security scanner for CI/CD pipelines. 

Raven stands for Risk Analysis and Vulnerability Enumeration for CI/CD Pipeline Security, and it is now available as an open-source tool on GitHub. 

This innovative solution will be presented at the upcoming Black Hat Arsenal – SecTor Toronto event.

Russian Hacking Tool

The Kopeechka service, whose name means “penny” in Russian, is a tool criminals use to quickly and easily generate hundreds of fake social media accounts.

Operational since the start of 2019, the service offers simple account registration for several well-known social media networks, such as Facebook, Instagram, Telegram, and X (formerly Twitter). Specifically, Kopeechka allowed access to minors’ chat site registrations.

Data Breach

Massive Aadhaar Data Leak

A massive data breach has occurred, resulting in the leak of personal information belonging to 815 million Indian citizens on the dark web. 

The compromised data includes personally identifiable information, which can pose a serious threat to the privacy and security of the affected individuals. 

Millions of Indians have had their personal information compromised, including their Aadhaar and passport details, names, phone numbers, and temporary and permanent addresses.

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]