April 03, 2023

Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution

Description

A high-severity vulnerability has been discovered in Microsoft’s Azure Service Fabric Explorer. This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code on containers hosted on a Service Fabric node. This flaw is tracked as CVE-2023-23383, and it has a CVSS score of 8.2, indicating its high severity. The vulnerability is a cross-site scripting (XSS) issue that could lead to the execution of code on containers hosted on a Service Fabric node.The vulnerability is referred to as ‘Super FabriXss,’ and it resides in a ‘Node Name’ parameter. This parameter allows an attacker to embed an iframe to retrieve files from a remote server controlled by the attacker. By exploiting this vulnerability, an attacker could execute a malicious PowerShell reverse shell, allowing them to run code on the container deployed to the cluster. This could potentially lead to system takeover. Both Linux and Windows clusters were found to be vulnerable to the attack.The researchers who discovered the vulnerability observed that modifying a Node name in the user interface is reflected in the Node’s independent dashboard. They then crafted a URL and enabled the Cluster Event Type under the Events tab, which allowed them to trigger a JavaScript payload, eventually achieving remote code execution (RCE). Orca Security’s proof-of-concept (PoC) uses a URL with an embedded iframe that triggers an upgrade of an Internet Information Services (IIS) application that includes an instruction to download a .bat file containing an encoded reverse shell. The attacker can then use the reverse shell to gain remote access to the application and use it to launch further attacks, access sensitive information, or potentially take over the cluster node hosting the container.To carry out the attack, an attacker could create a custom URL that, when accessed by an authenticated user with appropriate permissions, could instruct the user to enable the Cluster Event Type, triggering the code execution chain. However, Microsoft believes that exploitation of this vulnerability is ’less likely’ due to the required user interaction and the complexity of the attack.

Infected Technology

Infected Technology Microsoft’s Azure Service Fabric Explorer

Source

https://www.securityweek.com/severe-azure-vulnerability-led-to-unauthenticated-remote-code-execution/

Recommendation

• Keep software and operating systems up to date. • Use strong and unique passwords and enable two-factor authentication. • Limit access to sensitive data and systems • Use reliable antivirus and endpoint protection software. • Regularly back up data and store backups offline

CVE

CVE-2023-23383

3CX Supply Chain Attack

Description

3CX, a software provider for business communications, was hit by a supply chain attack where attackers compromised its software build pipeline or poisoned an upstream dependency to distribute a malicious version of its app package for Windows and macOS. The attackers utilized DLL side-loading in the Windows version to load a rogue library that could steal sensitive data stored in web browsers, while the macOS version bypassed Apple’s notarization checks to download an unknown payload from a command-and-control server. The attack is attributed to Labyrinth Chollima, a North Korea-aligned state-sponsored actor affiliated with the Lazarus Group. 3CX is urging customers to update to version 18.12.422 and use the web app (PWA) version. Google is blocking downloads of the old MSI installer files through its Chrome web browser.

Infected Technology

3CX VOIP

Source

https://thehackernews.com/2023/03/3cx-supply-chain-attack-heres-what-we.html

Recommendation

• Keep software and systems up to date. • Implement multi-factor authentication (MFA). • Conduct regular security assessments.

Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation

Description

The security breaches associated with Cacti, Realtek, and IBM Aspera Faspex vulnerabilities continue to cause concern in the cybersecurity industry. Cyber attackers are exploiting these security flaws to hack into unpatched systems, and the consequences of these hacks can be severe. The CVE-2022-46169 and CVE-2021-35394 vulnerabilities allow for the delivery of botnets such as MooBot and ShellBot. CVE-2022-46169 is an authentication bypass and command injection flaw in Cacti servers that enables unauthenticated users to execute arbitrary code. This flaw has also been observed to serve ShellBot payloads since January 2023. CVE-2021-35394 is an arbitrary command injection vulnerability in the Realtek Jungle SDK that has been previously used to distribute botnets like Mirai, Gafgyt, Mozi, and RedGoBot. However, the recent development marks the first time it has been used to deploy MooBot, a Mirai variant that has been active since 2019.Furthermore, cyber attackers have been exploiting CVE-2022-47986, a critical YAML deserialization issue in IBM’s Aspera Faspex file exchange application, since February 2023. The vulnerability has been co-opted by cybercriminals in ransomware campaigns associated with Buhti and IceFire, shortly after the release of the proof-of-concept (PoC) exploit.

Infected Technology

Cacti, Realtek, IBM Aspera Faspex

Source

https://thehackernews.com/2023/04/cacti-realtek-and-ibm-aspera-faspex.html

Recommendation

Apply patches as soon as possible or take the service offline if a patch cannot be installed and use strong passwords and change them periodically.

CVE ID

CVE-2021-35394 CVE-2022-46169 CVE-2022-47986

Russian hacking group Winter Vivern has been actively exploiting Zimbra flaws to steal the emails of NATO and diplomats.

Description

A group of hackers known as Winter Vivern (also referred to as TA473) and suspected to be aligned with Russian and/or Belarussian geopolitical goals, has been actively exploiting a vulnerability in unpatched Zimbra instances (CVE-2022-27926) to gain access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia-Ukrainian War. The CVE-2022-27926 vulnerability affects Zimbra Collaboration versions 9.0.0 and is used to host publicly facing webmail portals. TA473 has been targeting US elected officials and staffers since February 2023 using bespoke JavaScript payloads designed for each government target’s webmail portal. The group also carries out lateral phishing attacks to infiltrate target organizations. The payloads are designed to conduct Cross Site Request Forgery attacks, steal usernames and passwords, and store active session and CSRF tokens from cookies that allow login to publicly facing vulnerable webmail portals. TA473 uses scanning tools like Acunetix to identify unpatched webmail platforms used by target organizations and sends phishing emails containing malicious URLs that exploit known vulnerabilities to execute JavaScript payloads within the victim’s webmail portals

Infected Technology

Zimbra

Source

https://securityaffairs.com/144263/intelligence/winter-vivern-email-portals-nato.html

Recommendation

• Patch your Zimbra Collaboration software: Ensure the Zimbra Collaboration software is updated and patched to the latest version to prevent exploitation of vulnerabilities like CVE2022-27926.
• Implement multi-factor authentication (MFA): Enforce MFA for all user accounts to add an extra layer of security and prevent unauthorized access even if an attacker has stolen the user’s login credentials

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

Description

The Elementor Pro plugin is a popular premium plugin used by over 12 million websites, and its exploitation can have serious consequences. The flaw is caused by a broken access control issue, and it is being abused in the wild from several IP addresses that attempt to upload arbitrary PHP and ZIP archive files. This vulnerability is the latest in a string of security issues affecting WordPress plugins. The advisory comes a year after a critical vulnerability was found in the Essential Addons for Elementor plugin. WordPress has also recently issued auto-updates to fix another critical bug in the WooCommerce Payments plugin, which allowed attackers to gain administrator access to vulnerable sites. It is important for website owners to regularly update their plugins and themes to stay protected against known vulnerabilities.

Infected Technology

WordPress Elementor Pro

Source

https://thehackernews.com/2023/04/hackers-exploiting-wordpress-elementor.html

Recommendation

• Update Elementor Pro plugin to the latest version. • Monitor the website for any suspicious activity. • Implement security measures such as firewalls and intrusion detection systems. • Keep all plugins, themes, and WordPress core up to date.

Spyware Vendors Exploit Zero and N-Day Vulnerabilities Against Mobile Device

Description

Google’s Threat Analysis Group (TAG) recently released a report revealing that two distinct, highly targeted campaigns exploited zero-day vulnerabilities on Android and iOS devices last year. These campaigns were used by commercial spyware vendors, who took advantage of the patch gap between the release of a fix and when it was deployed on the targeted devices. The scale of these two campaigns and the nature of their targets are still unknown. The first campaign, which occurred in November 2022, utilized shortened links over SMS messages to target users in Italy, Malaysia, and Kazakhstan. Clicking on the links would redirect recipients to web pages hosting exploits for Android or iOS, before they were redirected again to legitimate news or shipment-tracking websites. The iOS exploit chain leveraged multiple bugs, including a then-zero-day vulnerability and a pointer authentication code (PAC) bypass, to install an .IPA file onto the susceptible device. The Android exploit chain comprised three exploits to deliver an unspecified payload. While one of these vulnerabilities was patched by Arm in August 2022, it’s unknown if the adversary was already in possession of an exploit for the flaw prior to the release of the patch. The second campaign was observed in December 2022, consisting of several zero-day and n-day exploits targeting the latest version of Samsung Internet Browser, with the exploits delivered as one-time links via SMS to devices located in the UAE. The exploits ultimately implanted a C++-based malicious toolkit capable of harvesting data from chat and browser applications. These campaigns highlight the proliferation of dangerous hacking tools in the commercial spyware industry, which poses severe risks to the internet.

Infected Technology

Android, IOS Devices

Source

https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/

Recommendation

• Keep software up to date and be cautious of shortened links in SMS messages. • Regularly review app permissions on mobile devices to prevent them from accessing unnecessary information or functionality.

CVE

CVE-2022-42856 CVE-2021-30900 CVE-2022-3723 CVE-2022-4135