The Threat and Vulnerability Roundup for this week is out! With great pride, Cyber Writes presents a weekly overview of the most recent cybersecurity news.
We highlight notable vulnerabilities and exploits, new attack tactics, and critical software patches.
Both individuals and organizations can determine the criticality of an asset, its vulnerabilities, and the mitigation measures needed to safeguard it adequately.
Vulnerabilities Uncovered
Citrix Servers Compromised
A critical remote code execution (RCE) vulnerability identified as CVE-2023-3519 has been the subject of several attacks, which have already compromised and backdoored hundreds of Citrix Netscaler ADC and Gateway servers.
Attackers used web shells on at least 640 Citrix servers in these attacks, according to security experts from the Shadowserver Foundation, a nonprofit organization focused on advancing internet security.
Most of the servers affected are located in the United States and Germany.
Abusing AWS SSM Agent
A legitimate SSM Agent can be turned malicious when attackers with high-privilege access use it to carry out ongoing malicious activities on an endpoint.
Once a system is compromised, the threat actors retain access to it through the agent, allowing ongoing illicit activity on AWS or other hosts.
AWS Systems Manager Agent (SSM Agent) is widely used and comes pre-installed on many AMIs, which makes it a potential attack surface on a large pool of AWS instances.
New LOLBAS Binaries Uncovered
Hackers actively leverage LOLBAS (Living-Off-the-Land Binaries-And-Scripts), a popular methodology in which threat actors abuse legitimate tools to hide their illicit actions.
Since LOLBAS is gaining traction rapidly in cyber attacks, experts are also actively seeking new methods to detect previously unknown abusable binaries and build better defenses.
With over 3,000 Windows binaries to examine, discovering new LOLBAS candidates is a challenge, so the researchers opted for an automated approach and found 12 new files in 4 weeks, a 30% rise in the number of known downloaders and executors.
AD CTS Attack Vector
The threat group known as “Nobelium,” responsible for the SolarWinds attacks, has now been found targeting Microsoft tenants through the new Cross-Tenant Synchronisation (CTS) feature introduced by Microsoft.
Because this feature opens the gate from one tenant to multiple others, it must be configured and managed correctly.
Misconfiguration can let threat actors use this feature for lateral movement across multiple tenants and for performing malicious activities.
Microsoft Teams Phishing Attack
The attacker uses compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities.
Using new domains from compromised tenants, Midnight Blizzard leverages Microsoft Teams messages to steal credentials.
It targets organizations, engaging users and eliciting approval of multifactor authentication (MFA) prompts.
Salesforce Email Zero-day Flaw
Hackers exploited a zero-day vulnerability in Salesforce’s email services and SMTP servers.
Guardio Labs says attackers exploit Salesforce’s “Email-to-Case” feature, which organizations use to turn incoming customer emails into actionable tickets for their support teams.
The attackers abuse the “Email-To-Case” flow to gain full control of the username part of the generated Salesforce email address.
Ivanti MobileIron API Access Flaw
A critical vulnerability in Ivanti’s MobileIron Core 11.2 version could allow a malicious actor to gain unauthorized access to restricted functions.
To fix this vulnerability, users should upgrade to the latest version of Ivanti Endpoint Manager Mobile (EPMM).
QNAP Operating Systems Flaw
An uncontrolled resource consumption vulnerability has been reported to affect multiple QNAP operating systems. The vulnerability allows remote users to launch a denial-of-service (DoS) attack if exploited.
QNAP has fixed the vulnerability and urges users to immediately update their outdated systems and devices to mitigate this vulnerability.
Canon Printers Wi-Fi Connection settings Flaw
Recent reports from Canon indicate that around 200 models of Canon Inkjet printers store sensitive Wi-Fi connection information which third parties can extract.
Because printers sit on the network and hold a range of information, including the SSID, network configuration, and IP addresses of connected systems, they are a valuable asset for threat actors who attempt to steal information from them.
Splunk SOAR Unauthenticated Log Injection
Splunk has disclosed a vulnerability that allows unauthenticated log injection, which could enable malicious actors to run harmful code on the system.
The vulnerability exists in Splunk SOAR, and exploiting it requires a terminal application capable of interpreting ANSI escape codes; the terminal must also have the necessary permissions for the injected content to take effect.
IBM Security Verify Access Flaw
An open-redirect vulnerability was discovered by IBM, which could allow threat actors to spoof the original URL of IBM Security Verify Access to lure victims to a malicious website and steal sensitive information.
This vulnerability is present because of the default configuration of the AAC (Advanced Access Control) module.
IBM mentioned that a patch for this vulnerability already exists, and users should apply it to prevent exploitation.
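Open redirects arise when an application forwards the browser to a URL taken from the request without checking it. The following is an added illustration of how a redirect target can be validated on the server side; it is not IBM's code and is unrelated to the AAC module's internals. The allowlisted hosts and the hypothetical `safe_redirect_target` helper are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the application may redirect to
ALLOWED_HOSTS = {"sso.example.com", "app.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return the target if it is a same-site path or an https URL to an
    allowlisted host; otherwise fall back to DEFAULT_TARGET."""
    if not target:
        return DEFAULT_TARGET
    # Control characters and whitespace are tolerated by some parsers; refuse them outright
    if any(ord(c) < 0x21 or c == "\x7f" for c in target):
        return DEFAULT_TARGET
    # Browsers treat backslashes as slashes, so normalise before parsing
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative) URL: only https to an allowlisted host,
        # with no userinfo that could disguise the real destination
        if (parts.scheme != "https" or parts.hostname not in allowed_hosts
                or parts.username or parts.password):
            return DEFAULT_TARGET
        return normalised
    # Relative reference: must be a single-slash path, never "//host" form
    if not normalised.startswith("/") or normalised.startswith("//"):
        return DEFAULT_TARGET
    return normalised


if __name__ == "__main__":
    # Constructed inputs showing the common bypass shapes being rejected
    for candidate in ["/dashboard", "//evil.example/x", "https://sso.example.com/login",
                      "https://evil.example/", "javascript:alert(1)", "/\\evil.example",
                      "https://sso.example.com@evil.example/", "https://sso.example.com.evil.example/"]:
        print(f"{candidate!r:48} -> {safe_redirect_target(candidate)!r}")
```

The check is deliberately strict: anything that is not clearly same-site or clearly on the allowlist collapses to the default landing page rather than being "cleaned up", which avoids the parser-disagreement tricks (userinfo, backslashes, protocol-relative paths) that usually defeat partial fixes.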
Trust Wallet Browser Extension Flaw
Trust Wallet made a significant announcement on November 14th, 2022, unveiling its newly launched browser extension for wide usage.
The browser extension grants direct access to digital assets on multiple blockchains, a highly anticipated complement to the existing iOS and Android apps in Trust Wallet’s ecosystem.
Recently, security analysts at Ledger Donjon found a major vulnerability in this browser extension. The newly discovered flaw enables asset theft from any wallet created with it, and for this, no user interaction is needed.
New Collide+Power Exploit
Collide+Power is a method that exploits shared components built into CPUs. This attack vector does not target specific programs but the hardware itself.
The finding of an advanced software-based power side channel echoes the discovery of the Meltdown and Spectre vulnerabilities, which leaked actual data values through the underlying hardware.
The root cause of this vulnerability is shared CPU components such as the internal memory system.
New Releases
Black Hat AI Tools
The rapid growth of generative AI is dramatically changing the overall threat landscape, since threat actors actively exploit this technology for several illicit purposes.
In addition, the deceptive chatbot services are now joined by two more copycat hacker tools that ride entirely on ChatGPT’s popularity.
FalconFeedsio recently identified two new black hat AI tools: XXXGPT and Wolf GPT.
Burp Suite 2023.8
The updated Burp Suite scanner has new features and bug fixes that enhance the overall performance of the scanning process.
On 27 July 2023, PortSwigger released the improved version of Burp Suite, including reuse of HTTP/1 connections, customizable SNI values, browser updates, and bug fixes.
They upgraded Burp’s built-in browser to 115.0.5790.110 for Windows and Linux and 115.0.5790.114 for Mac.
BloodHound
SpecterOps announced BloodHound Community Edition (CE), which will be available in early access on August 8, 2023!
BloodHound Enterprise is the company’s first defense solution for enterprise security and identity teams.
SpecterOps released version 5.0 of BloodHound Community Edition (CE), a free and open-source penetration testing solution that maps attack paths in Microsoft Active Directory (AD) and Azure environments.
AWS to Charge for the Public IPv4 Addresses
Amazon Web Services has been one of the most used cloud service providers worldwide due to its reliability and low downtime. In a recent announcement, AWS stated that, with effect from February 2024, there will be a charge of $0.005 per hour for every public IPv4 address.
This applies to public IPv4 addresses even if they are not attached to any Amazon service such as EC2, RDS, or EKS. Free Tier accounts will receive 750 hours of free public IPv4 usage per month for 12 months, which will not be charged.
Chrome Security Update
Google has published a security update for Chrome, updating the Stable channel for Mac and Linux to 115.0.5790.170 and 115.0.5790.170/.171 for Windows. The release of this upgrade will take place over the coming days/weeks.
This update offers 17 security fixes, including fixes discovered by external researchers.
Research
Researchers Jailbreak ChatGPT
ChatGPT and its AI siblings were fine-tuned to avoid producing undesirable output such as hate speech, personal information, or bomb-making instructions.
Security researchers from several universities recently showed how a simple addition to a prompt breaks the defenses of multiple popular chatbots.
Aligned LLMs fall victim to a single universal adversarial prompt, which also evades the safeguards of state-of-the-art commercial models.
Advisories
Top 42 Frequently Exploited Flaws of 2022
The Cybersecurity and Infrastructure Security Agency (CISA) has published a report co-authored by the NSA, the FBI, and FVEY (Five Eyes) partner agencies from different countries.
As per the report, threat actors have been relying on older software vulnerabilities for exploitation rather than recently disclosed ones. Systems that were exposed to the internet and left unpatched were the most targeted.
The most exploited vulnerability of 2022 was CVE-2018-13379, which affected Fortinet SSL VPNs. Moreover, this vulnerability was also one of the most exploited in 2020 and 2021.
CISA Guide to Harden Cisco Firewalls
The National Security Agency (NSA) has released best practices for configuring and hardening Cisco Firepower Threat Defense (FTD) which can help network and system administrators in configuring these Next Generation Firewalls (NGFW).
These Cisco FTD systems provide a combination of application and network security features like application visibility and controls (AVC), URL filtering, user identity and authentication, malware protection, and intrusion prevention.
Cyber Attacks
Spyware App Compromised Over 60,000 Android Devices
Spyware is software used as a surveillance application to collect sensitive information from victims and send it to the person who installed the application.
These apps stealthily hide on the victim’s device, making them difficult to detect.
As per reports, the backend database of Spyhide consisted of around 60,000 compromised devices, dating back to 2016. The database included records of call logs, text messages, and location history along with photos and image metadata.
Hackers Use Google AMP Pages to Bypass Detection
A new phishing tactic was discovered that takes advantage of Google Accelerated Mobile Pages (AMP), which is known to be successful in bypassing email security infrastructure.
Threat actors have begun using Google AMP URLs as links inside their phishing emails as part of a new strategy.
These links have a track record of successfully contacting enterprise-level workers since they are hosted on trusted domains.
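Because the visible link points at a trusted domain, email filters that only check the link's host will pass it. The following is an added example, not part of the original article and not any vendor's detection logic: a Python helper that recognises the Google AMP viewer URL form (`https://www.google.com/amp/s/<host>/<path>`), unwraps it to the real destination, and reports any link whose final host differs from the host the recipient sees. The email body, the AMP host list and the domain allowlist are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts that serve the AMP viewer path; constructed list for this example
AMP_VIEWER_HOSTS = {"www.google.com", "google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_amp_url(url):
    """Return the destination behind an AMP viewer URL, or None if not an AMP link.
    Layout assumed: /amp/s/<dest-host>/<dest-path> (https) or /amp/<dest-host>/... (http)."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in AMP_VIEWER_HOSTS:
        return None
    if not parts.path.startswith("/amp/"):
        return None
    inner = parts.path[len("/amp/"):]
    scheme = "http"
    if inner.startswith("s/"):
        scheme, inner = "https", inner[2:]
    dest_host, _, dest_path = inner.partition("/")
    if not dest_host:
        return None
    return urlunsplit((scheme, dest_host, "/" + dest_path, parts.query, ""))


def final_destination(url):
    """Follow one layer of AMP wrapping; plain URLs are returned unchanged."""
    return unwrap_amp_url(url) or url


def find_suspicious_links(body, trusted_hosts):
    """Return (visible_url, real_url) for links whose real host is outside the trusted set."""
    findings = []
    for url in URL_RE.findall(body):
        real = final_destination(url)
        real_host = (urlsplit(real).hostname or "").lower()
        if real_host not in trusted_hosts:
            findings.append((url, real))
    return findings


# Constructed sample email body; the second link hides its destination behind the AMP viewer
SAMPLE_BODY = """Your mailbox is almost full.
Review your account at https://www.google.com/amp/s/login-portal.example/verify?id=42
Help centre: https://help.example.com/quota
"""

TRUSTED_HOSTS = {"help.example.com", "www.google.com"}

if __name__ == "__main__":
    for visible, real in find_suspicious_links(SAMPLE_BODY, TRUSTED_HOSTS):
        print(f"visible: {visible}\n   real: {real}")
```

The important design point is that the reputation check is run on the unwrapped destination, not on the link as written; the trusted AMP host is never what decides the verdict.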
Cloud Host Accused of Aiding APT Hackers
Command-and-control providers (C2P) that operate as legitimate businesses, possibly without knowing how their services are used, can easily be exploited by threat actors for attack campaigns and other illicit purposes.
Researchers at the Halcyon Research and Engineering Team recently identified that Cloudzy, an Iranian VPS hosting provider with more than 15 data centers around the globe, had been leasing and reselling its server space to 17 different state-sponsored hacking groups.
Hackers Train AI-powered Cybercrime Tools
There have been several recent reports of cybercriminals using AI-powered tools for malicious purposes, giving them a wealth of information to draw on for nefarious ends.
Some of the recently popular malicious AIs include FraudGPT, WormGPT, XXXGPT, and WolfGPT. During an analysis, FraudGPT was found to be promoted by a person who goes by the name “CanadianKingpin12”.
Investigations revealed that the person tried to sell FraudGPT on open internet sites, but because of the prohibition of “hard fraud” discussions and policy violations, his account was banned on some forums.
BlueCharlie Credential Stealing Infrastructure
BlueCharlie is a Russia-linked threat group that has been active since 2017 and is tracked under several other names, including Callisto, ColdRiver, Star Blizzard, and TA446.
The group, also known as TAG-53, mainly focuses on espionage and hack-and-leak operations.
Recently, researchers at Recorded Future linked 94 new domains registered since March 2023 to BlueCharlie, indicating infrastructure changes made in response to public disclosures.
Android Malware Via WhatsApp
A new Android malware is circulating under the guise of a fake chat application distributed through WhatsApp.
The malware has been attributed to the Bahamut APT and shows some traces of tactics used by the DoNot APT.
The malicious Android application, initially named “Coverlm,” is installed under the name “SafeChat” on Android devices.
This Android malware appears to target individuals in the South Asian region.
New WikiLoader Malware
Italian organizations, including tax agencies, were targeted by a new malware downloader delivering a banking Trojan.
The new loader is presently under active development and employs diverse, sophisticated mechanisms to evade detection.
Proofpoint researchers identified the new loader and dubbed it “WikiLoader.” It has been linked to TA544, a group known for distributing Ursnif, and has targeted Italian organizations in multiple campaigns since December 2022.
macOS HVNC Tool
Threat actors targeting macOS have become more active lately: several macOS information-stealer malware families have surfaced in the past, and many are currently being used in the wild.
According to reports, a new macOS malware has been found that is capable of taking over the complete macOS system without requiring any permission from the user.
This malware was found for sale on a Russian hacking forum called “Exploit.”