Exploitation – INDIA NEWS (http://www.indiavpn.org)

CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products
http://www.indiavpn.org/2024/03/26/cisa-alerts-on-active-exploitation-of-flaws-in-fortinet-ivanti-and-nice-products/
Tue, 26 Mar 2024 06:44:47 +0000

Mar 26, 2024 | Newsroom | Cyber Attack / Vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities added are as follows –

  • CVE-2023-48788 (CVSS score: 9.3) – Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2021-44529 (CVSS score: 9.8) – Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  • CVE-2019-7256 (CVSS score: 10.0) – Nice Linear eMerge E3-Series OS Command Injection Vulnerability

The shortcoming impacting Fortinet FortiClient EMS came to light earlier this month, with the company describing it as a flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.


Fortinet has since revised its advisory to confirm that it has been exploited in the wild, although no other details regarding the nature of the attacks are currently available.

CVE-2021-44529, on the other hand, concerns a code injection vulnerability in Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) that allows an unauthenticated user to execute malicious code with limited permissions.

Recent research published by security researcher Ron Bowes indicates that the flaw may have been introduced as an intentional backdoor in a now-discontinued open-source project called csrf-magic that existed at least since 2014.

CVE-2019-7256, which permits an attacker to conduct remote code execution on Nice Linear eMerge E3-Series access controllers, has been exploited by threat actors as early as February 2020.

The flaw, alongside 11 other bugs, was addressed by Nice (formerly Nortek) earlier this month. That said, these vulnerabilities were originally disclosed by security researcher Gjoko Krstic in May 2019.

In light of the active exploitation of the three flaws, federal agencies are required to apply the vendor-provided mitigations by April 15, 2024.

The development comes as CISA and the Federal Bureau of Investigation (FBI) released a joint alert, urging software manufacturers to take steps to mitigate SQL injection flaws.


The advisory specifically highlighted the exploitation of CVE-2023-34362, a critical SQL injection vulnerability in Progress Software’s MOVEit Transfer, by the Cl0p ransomware gang (aka Lace Tempest) to breach thousands of organizations.

“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the agencies said.

Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities
http://www.indiavpn.org/2024/03/01/five-eyes-agencies-warn-of-active-exploitation-of-ivanti-gateway-vulnerabilities/
Fri, 01 Mar 2024 08:23:19 +0000

Mar 01, 2024 | Newsroom | Rootkit / Threat Intelligence


The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security.

“Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets,” the agencies said.

To date, Ivanti has disclosed five security vulnerabilities impacting its products since January 10, 2024, out of which four have come under active exploitation by multiple threat actors to deploy malware –

  • CVE-2023-46805 (CVSS score: 8.2) – Authentication bypass vulnerability in web component
  • CVE-2024-21887 (CVSS score: 9.1) – Command injection vulnerability in web component
  • CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component
  • CVE-2024-21893 (CVSS score: 8.2) – SSRF vulnerability in the SAML component
  • CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component

Mandiant, in an analysis published this week, described how an encrypted version of malware known as BUSHWALK is placed in a directory excluded by ICT in /data/runtime/cockpit/diskAnalysis.


The directory exclusions were also highlighted by Eclypsium earlier this month, which noted that the tool skips a dozen directories during its scan, allowing an attacker to leave backdoors in one of those paths and still pass the integrity check.

“The safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time,” agencies from Australia, Canada, New Zealand, the U.K., and the U.S. said.


They also urged organizations to “consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”

Ivanti, in response to the advisory, said it’s not aware of any instances of successful threat actor persistence following the implementation of security updates and factory resets. It’s also releasing a new version of ICT that it said “provides additional visibility into a customer’s appliance and all files that are present on the system.”

Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
http://www.indiavpn.org/2024/02/15/critical-exchange-server-flaw-cve-2024-21410-under-active-exploitation/
Thu, 15 Feb 2024 06:33:09 +0000

Feb 15, 2024 | Newsroom | Threat Intelligence / Vulnerability


Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates.

Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting the Exchange Server.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,” the company said in an advisory published this week.

“The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”


Successful exploitation of the flaw could permit an attacker to relay a user’s leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user, Redmond added.

The tech giant, in an update to its bulletin, revised its Exploitability Assessment to “Exploitation Detected,” noting that it has now enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14) update.

Details about the nature of the exploitation and the identity of the threat actors that may be abusing the flaw are currently unknown. However, Russian state-affiliated hacking crews such as APT28 (aka Forest Blizzard) have a history of exploiting flaws in Microsoft Outlook to stage NTLM relay attacks.

Earlier this month, Trend Micro linked the adversary to NTLM relay attacks targeting high-value entities since at least April 2022. The intrusions targeted organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.


CVE-2024-21410 adds to two other Windows flaws – CVE-2024-21351 (CVSS score: 7.6) and CVE-2024-21412 (CVSS score: 8.1) – that have been patched by Microsoft this week and actively weaponized in real-world attacks.

The exploitation of CVE-2024-21412, a bug that enables a bypass of Windows SmartScreen protections, has been attributed to an advanced persistent threat dubbed Water Hydra (aka DarkCasino), which has previously leveraged zero-days in WinRAR to deploy the DarkMe trojan.

“The group used internet shortcuts disguised as a JPEG image that, when selected by the user, allows the threat actor to exploit CVE-2024-21412,” Trend Micro said. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain.”


Microsoft’s Patch Tuesday update also addresses CVE-2024-21413, another critical shortcoming affecting the Outlook email software that could result in remote code execution by trivially circumventing security measures such as Protected View.

Codenamed MonikerLink by Check Point, the issue “allows for a wide and serious impact, varying from leaking of local NTLM credential information to arbitrary code execution.”

The vulnerability stems from Outlook's incorrect parsing of “file://” hyperlinks when an exclamation mark is appended to a URL pointing to a payload hosted on an attacker-controlled server (e.g., “file:///\\10.10.111.111\test\test.rtf!something”).

“The bug not only allows the leaking of the local NTLM information, but it may also allow remote code execution and more as an attack vector,” the cybersecurity firm said. “It could also bypass the Office Protected View when it’s used as an attack vector to target other Office applications.”

Fortinet Warns of Critical FortiOS SSL VPN Vulnerability Under Active Exploitation
http://www.indiavpn.org/2024/02/09/fortinet-warns-of-critical-fortios-ssl-vpn-vulnerability-under-active-exploitation/
Fri, 09 Feb 2024 05:53:36 +0000

Feb 09, 2024 | Newsroom | Zero Day Vulnerability / Network Security


Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it said is likely being exploited in the wild.

The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands.

“An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests,” the company said in a bulletin released Thursday.

It further acknowledged that the issue is “potentially being exploited in the wild,” without giving additional specifics about how it’s being weaponized and by whom.


The following versions are impacted by the vulnerability. It’s worth noting that FortiOS 7.6 is not affected.

  • FortiOS 7.4 (versions 7.4.0 through 7.4.2) – Upgrade to 7.4.3 or above
  • FortiOS 7.2 (versions 7.2.0 through 7.2.6) – Upgrade to 7.2.7 or above
  • FortiOS 7.0 (versions 7.0.0 through 7.0.13) – Upgrade to 7.0.14 or above
  • FortiOS 6.4 (versions 6.4.0 through 6.4.14) – Upgrade to 6.4.15 or above
  • FortiOS 6.2 (versions 6.2.0 through 6.2.15) – Upgrade to 6.2.16 or above
  • FortiOS 6.0 (all versions) – Migrate to a fixed release

The development comes as Fortinet issued patches for CVE-2024-23108 and CVE-2024-23109, impacting FortiSIEM supervisor, allowing a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.

Earlier this week, the Netherlands government revealed that a computer network used by its armed forces was infiltrated by Chinese state-sponsored actors who exploited known flaws in Fortinet FortiGate devices to deliver a backdoor called COATHANGER.

The company, in a report published this week, divulged that N-day security vulnerabilities in its software, such as CVE-2022-42475 and CVE-2023-27997, are being exploited by multiple activity clusters to target governments, service providers, consultancies, manufacturing, and large critical infrastructure organizations.

Previously, Chinese threat actors have been linked to the zero-day exploitation of security flaws in Fortinet appliances to deliver a wide range of implants, such as BOLDMOVE, THINCRUST, and CASTLETAP.

It also follows an advisory from the U.S. government about a Chinese nation-state group dubbed Volt Typhoon, which has targeted critical infrastructure in the country for long-term undiscovered persistence by taking advantage of known and zero-day flaws in networking appliances such as those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco for initial access.


China, which has denied the allegations, accused the U.S. of conducting its own cyber-attacks.

If anything, the campaigns waged by China and Russia underscore the growing threat faced by internet-facing edge devices in recent years, because such devices typically lack endpoint detection and response (EDR) support, making them ripe for abuse.

“These attacks demonstrate the use of already resolved N-day vulnerabilities and subsequent [living-off-the-land] techniques, which are highly indicative of the behavior employed by the cyber actor or group of actors known as Volt Typhoon, which has been using these methods to target critical infrastructure and potentially other adjacent actors,” Fortinet said.

Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation
http://www.indiavpn.org/2024/02/06/recent-ssrf-flaw-in-ivanti-vpn-products-undergoes-mass-exploitation/
Tue, 06 Feb 2024 09:24:13 +0000

Feb 06, 2024 | Newsroom | Cybersecurity / Vulnerability


A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation.

The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim, among other goals, to establish a reverse shell.

The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication.

Ivanti had previously divulged that the vulnerability had been exploited in targeted attacks aimed at a “limited number of customers,” but cautioned that the situation could change after public disclosure.


That’s exactly what appears to have happened, especially following the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week.

The PoC involves fashioning an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, to achieve unauthenticated remote code execution.

It’s worth noting here that CVE-2024-21893 is an alias for CVE-2023-36661 (CVSS score: 7.5), an SSRF vulnerability present in the open-source Shibboleth XMLTooling library. It was fixed by the maintainers in June 2023 with the release of version 3.2.4.

Security researcher Will Dormann further pointed out other out-of-date open-source components used by Ivanti VPN appliances, such as curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1, and unzip 6.00, thus opening the door for more attacks.

The development comes as threat actors have found a way to bypass Ivanti’s initial mitigation, prompting the Utah-based company to release a second mitigation file. As of February 1, 2024, it has begun releasing official patches to address all the vulnerabilities.


Last week, Google-owned Mandiant revealed that several threat actors are leveraging CVE-2023-46805 and CVE-2024-21887 to deploy an array of custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.

Palo Alto Networks Unit 42 said it observed 28,474 exposed instances of Ivanti Connect Secure and Policy Secure in 145 countries between January 26 and 30, 2024, with 610 compromised instances detected in 44 countries as of January 23, 2024.

CISA Warns of Active Exploitation of Critical Vulnerability in iOS, iPadOS, and macOS
http://www.indiavpn.org/2024/02/01/cisa-warns-of-active-exploitation-of-critical-vulnerability-in-ios-ipados-and-macos/
Thu, 01 Feb 2024 05:31:20 +0000

Feb 01, 2024 | Newsroom | Vulnerability / Software Update


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component.

“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” Apple said in an advisory, adding the issue “may have been exploited against versions of iOS released before iOS 15.7.1.”


The iPhone maker said the problem was addressed with improved checks. It’s currently not known how the vulnerability is being weaponized in real-world attacks.

Interestingly, patches for the flaw were released on December 13, 2022, with iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2, although it was only publicly disclosed more than a year later, on January 9, 2024.

It’s worth noting that Apple did resolve a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, which was shipped on July 20, 2022.

“An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication,” the company said at the time. “A logic issue was addressed with improved state management.”


In light of the active exploitation of CVE-2022-48618, CISA is recommending that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by February 21, 2024.

The development also comes as Apple expanded patches for an actively exploited security flaw in the WebKit browser engine (CVE-2024-23222, CVSS score: 8.8) to include its Apple Vision Pro headset. The fix is available in visionOS 1.0.2.

Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation
http://www.indiavpn.org/2024/01/31/ivanti-discloses-2-new-zero-day-flaws-one-under-active-exploitation/
Wed, 31 Jan 2024 14:55:17 +0000

Jan 31, 2024 | Newsroom | Vulnerability / Zero Day


Ivanti is warning of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild.

The list of vulnerabilities is as follows –

  • CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator
  • CVE-2024-21893 (CVSS score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication

The Utah-based software company said it found no evidence of customers being impacted by CVE-2024-21888 so far, but acknowledged “the exploitation of CVE-2024-21893 appears to be targeted.”


It further noted that it “expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public.”

In tandem with the public disclosure of the two new vulnerabilities, Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3.

“Out of an abundance of caution, we are recommending as a best practice that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment,” it said. “Customers should expect this process to take 3-4 hours.”

As a temporary workaround for CVE-2024-21888 and CVE-2024-21893, users are advised to import the “mitigation.release.20240126.5.xml” file.

The latest development comes as two other flaws in the same product – CVE-2023-46805 and CVE-2024-21887 – have come under broad exploitation by multiple threat actors to deploy backdoors, cryptocurrency miners, and a Rust-based loader called KrustyLoader.

Critical Confluence RCE Under Active Exploitation
http://www.indiavpn.org/2024/01/23/critical-confluence-rce-under-active-exploitation/
Tue, 23 Jan 2024 10:40:16 +0000

Jan 23, 2024 | Newsroom | Vulnerability / Cyber Attack


Malicious actors have begun to actively exploit a recently disclosed critical security flaw impacting Atlassian Confluence Data Center and Confluence Server, within three days of public disclosure.

Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution on susceptible installations.

The shortcoming affects Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5.

But merely days after the flaw became public knowledge, nearly 40,000 exploitation attempts targeting CVE-2023-22527 have been recorded in the wild as early as January 19 from more than 600 unique IP addresses, according to both the Shadowserver Foundation and the DFIR Report.

The activity is currently limited to “testing callback attempts and ‘whoami’ execution,” suggesting that threat actors are opportunistically scanning for vulnerable servers ahead of follow-on exploitation.

A majority of the attacker IP addresses are from Russia (22,674), followed by Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador.


Over 11,000 Atlassian instances have been found to be accessible over the internet as of January 21, 2024, although it’s currently not known how many of them are vulnerable to CVE-2023-22527.

“CVE-2023-22527 is a critical vulnerability within Atlassian’s Confluence Server and Data Center,” ProjectDiscovery researchers Rahul Maini and Harsh Jaiswal said in a technical analysis of the flaw.

“This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands.”

CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability
http://www.indiavpn.org/2024/01/12/cisa-flags-active-exploitation-of-microsoft-sharepoint-vulnerability/
Fri, 12 Jan 2024 09:15:47 +0000

Jan 12, 2024 | Newsroom | Cyber Attack / Vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The issue, tracked as CVE-2023-29357 (CVSS score: 9.8), is a privilege escalation flaw that could be exploited by an attacker to gain administrator privileges. Microsoft released patches for the bug as part of its June 2023 Patch Tuesday updates.

“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Redmond said. “The attacker needs no privileges nor does the user need to perform any action.”

Security researcher Nguyễn Tiến Giang (Jang) of StarLabs SG demonstrated an exploit for the flaw at the Pwn2Own Vancouver hacking contest, earning a $100,000 prize.


The pre-authenticated remote code execution chain combines the authentication bypass (CVE-2023-29357) with a code injection bug (CVE-2023-24955, CVSS score: 7.2), the latter of which was patched by Microsoft in May 2023.

“The process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and research to complete the full exploit chain,” Tiến Giang noted in a technical report published in September 2023.

Additional specifics of the real-world exploitation of CVE-2023-29357 and the identity of the threat actors that may be abusing it are presently unknown. That said, federal agencies are required to apply the patches by January 31, 2024, to secure against the active threat.
