This week’s Threat and Vulnerability Roundup is here! We at Cyber Writes pride ourselves on delivering a weekly roundup of the most up-to-date cybersecurity news.
Our goal is to bring attention to noteworthy vulnerabilities and exploits, innovative attack methodologies, and essential software patches.
By highlighting crucial behavioral features and sharing security insights, both individuals and organizations can make informed decisions about the most effective defense solutions.
Weekly Cyber Security Roundup
Ivanti Zero-day Flaw
The actively exploited zero-day vulnerability impacts Ivanti’s mobile device management software EPMM (Endpoint Manager Mobile), aka MobileIron Core, in versions lower than 220.127.116.11.
If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to access users’ personally identifiable information and make limited changes to the server.
The company recommends its users upgrade to EPMM 18.104.22.168, 22.214.171.124, and 126.96.36.199.
Analysis Of ChatGPT for Software Security
ChatGPT captivates researchers and users with its versatile domain expertise, but its evolving applications and potential risks deserve closer inspection.
ChatGPT’s limitations persist and are hard to address: it produces plausible but incorrect answers, and there was no definitive source of truth during its RL training.
It excels in source code analysis, enabling security experts to discover and fix vulnerabilities efficiently.
Large language models like ChatGPT are revolutionizing security source code analysis, efficiently learning high-level semantics from well-known source code.
OWASP ModSecurity Core Rule Set 3.3.5 Release
The CRS v3.3.5 release has been announced by the OWASP ModSecurity Core Rule Set (CRS) team.
This security release fixes the recently announced CVE-2023-38199, whereby it is possible to cause an impedance mismatch on some platforms running CRS v3.3.4 and earlier by submitting a request with multiple Content-Type headers.
SolarWinds Platform 2023.3 Release
SolarWinds announces the release of SolarWinds Platform 2023.3, which includes new features and platform upgrades. The company announced end-of-life plans for modules based on Orion Platform 2020.2.6 and earlier.
The buffer overflow vulnerability tracked as CVE-2022-37434, with a ‘Critical’ severity rating, and the cross-site scripting vulnerability tracked as CVE-2020-7656, with a ‘High’ severity rating, have been specifically addressed in this release.
Metabase Critical Flaw
A Critical Remote Code Execution (RCE) vulnerability has been discovered in Metabase which could allow hackers to infiltrate servers and execute unauthorized commands.
More than 20,000 instances of Metabase were exposed to the internet, which also exposes sensitive data sources that are connected to these Metabase instances.
The developers of Metabase have released patches to address this vulnerability.
Apache Tomcat Servers
Researchers found a new campaign exploiting misconfigured Apache Tomcat servers to deliver Mirai botnet malware and cryptocurrency miners.
Over two years, the researchers identified 800+ attacks on their Tomcat server honeypots, 96% of them linked to the Mirai botnet.
The threat actor launched a brute force attack against the scanned Tomcat servers to access the web application manager through various credential combinations.
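The brute-force pattern described above leaves a recognisable trail in Tomcat's access log: a burst of 401/403 responses on the manager application from one source, sometimes followed by a 200 once a credential pair works. The following is an added detection example written for this roundup, not code from the researchers or the Tomcat project; the log lines, IP addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in Tomcat's default access-log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jul/2023:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [25/Jul/2023:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [25/Jul/2023:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [25/Jul/2023:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [25/Jul/2023:10:00:05 +0000] "GET /manager/html HTTP/1.1" 200 19812
203.0.113.9 - - [25/Jul/2023:10:00:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - - [25/Jul/2023:10:40:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def find_manager_bruteforce(log_text, threshold=4, window=timedelta(minutes=10)):
    """Flag IPs with >= threshold 401/403s on /manager* inside any window; note a later 200."""
    failures = defaultdict(list)   # ip -> timestamps of failed manager requests
    successes = defaultdict(list)  # ip -> timestamps of successful manager requests
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith("/manager"):
            continue
        if rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200:
            successes[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(times),
                               "success_after_failures": any(t > times[-1] for t in successes[ip])}
                break
    return flagged
```

A flagged IP whose `success_after_failures` is true is the case to treat as a probable compromise of the manager credentials rather than mere scanning noise.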
AMD Zen2 CPU Vulnerability
A new AMD Zen2 CPU vulnerability has been found that enables data theft at 30 KB/sec per core, putting passwords and encryption keys at risk.
The Zen2 vulnerability is tracked as CVE-2023-20593 and results from mishandling of the ‘vzeroupper’ instruction, affecting speculative execution on modern processors.
The flaw allows efficient data leakage from various system operations, even from inside virtual machines, isolated sandboxes, and containers.
Zyxel Firewall Injection Flaw
Increased botnet activity targeting a vulnerability (CVE-2023-28771) in Zyxel devices has become a major concern for its users.
This vulnerability lets an unauthorized attacker execute arbitrary code by sending a specially crafted packet to the targeted device.
Threat actors specifically target the command injection vulnerability in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices.
ModSecurity WAF Flaw
Trustwave’s open-source Web Application Firewall (WAF) engine, ModSecurity, faces a DoS risk due to a vulnerability in four transformation actions.
The vulnerability is tracked as CVE-2023-38285. The ModSecurity team fixed this flaw in v3.0.10; ModSecurity v2 is not affected.
ModSecurity offers numerous transformation actions to alter value representation for improved processing convenience and reduced rule evasion risks.
Atlassian & Bamboo
Atlassian discovered critical and high vulnerabilities through bug bounty programs, third-party library scans, and penetration testing.
In their security bulletin, they addressed three high-severity vulnerabilities detected in Confluence Data Center, Confluence Server, and Bamboo Data Center.
Atlassian has confirmed that these vulnerabilities were fixed in their new version of products.
Encrypted Police and Military Radios
Radios worldwide rely on the TETRA (Terrestrial Trunked Radio) standard, but multiple vulnerabilities have been uncovered in it, impacting its use in Europe, the UK, and other nations and affecting government agencies, law enforcement, and much more.
All these vulnerabilities were identified in the cryptography and its implementation, and they enable traffic decryption.
Multiple flaws enable historical decryption and deanonymization, impacting users like national police, emergency services, military, and critical infrastructure providers globally.
Microsoft Message Queuing Service
Three critical flaws, including DDoS and remote code execution, have been discovered in the Microsoft Message Queuing Service (MSMQ).
These vulnerabilities existed in the message header parser, which accepted unsanitized crafted input in one of the message header fields.
Microsoft has released patches for these vulnerabilities.
Ubuntu OverlayFS Privilege Escalation
A privilege escalation vulnerability has been found in Ubuntu systems within the OverlayFS module.
The vulnerable versions of the Ubuntu operating system have been the default images provided by most Cloud Service Providers (CSPs).
Ubuntu has released a security notice which patches several vulnerabilities and credited the researchers.
FraudGPT
Exploiting ChatGPT’s popularity, threat actors have created a copycat hacker tool that facilitates malicious activities through deceptive chatbot services.
Researchers at the Netenrich threat research team recently uncovered “FraudGPT,” an AI bot exclusively designed for offensive activities, available on Dark Web markets and Telegram.
FraudGPT uses a chat box to craft SMS phishing messages, effectively impersonating banks. Moreover, the developer highlighted the 3,000+ confirmed sales and reviews for FraudGPT on the forum and Telegram to lure threat actors.
Exploit Windows Search Feature to Execute Malware
To easily locate all the available files, folders, and other items on your Windows system, Microsoft Windows offers a powerful tool known as the Windows Search feature.
Purple Fox Rootkit
Purple Fox rootkit is an active malware campaign that has been distributed using a fake, malicious Telegram installer since early 2022.
The threat actors target poorly managed MS SQL servers and execute PowerShell commands to install malicious MSI files and conceal themselves as a rootkit.
Hackers Deliver Weaponized IT Tools
It has been discovered that malvertising campaigns abuse Google and Bing ads to target users seeking certain IT tools and deploy ransomware.
This campaign targets several organizations in the technology and non-profit sectors in North America.
It exhibits features of the infection chain similar to those of BlackCat (aka ALPHV) ransomware infections.
Rust Infostealer Malware
Recently, it was uncovered that a type of malware capable of stealing crypto wallets, passwords, and browser data is affecting both Windows and macOS platforms.
This new malware variant is written in the Rust programming language and has been named “realst.” It is capable of targeting Apple’s upcoming macOS version, “Sonoma.”