InfoSec Weekly
June 19, 2023
Table Of Contents
Wordpress Stripe Payment Plugin Vulnerable to IDOR Exposes PII
Description
The Wordpress Stripe Payment Plugin developed by WooCommerce is a plugin which is used to integrate the Stripe payment gateway onto Wordpress websites by the developers for the means of online financial transactions. However, in the WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions, a vulnerability exposing the plugin to Unauthenticated Insecure Direct Object Reference (IDOR) attack was discovered. Due to improper handling of order objects and a lack of access control mechanisms within the ‘javascript_params’ and ‘payment_fields’ functions of the plugin, the vulnerability listed as CVE-2023-34000, exposed PII (personally identifiable information) of customers such as their full names, email ids and shipping addresses. Exposure of such sensitive information can be leveraged by malicious actors, through which the customers with leaked details can become victims to further scams, social engineering attacks, phishing attacks and many more threats.
Infected Technology
WooCommerce Stripe Gateway Plugin version 7.4.0
Source
Recommendation
• Implement secure coding practices and properly test the code along with each function for bugs and vulnerabilities regularly. (For this case, Implement proper access control and proper object handling.)
CVE ID
CVE-2023-34000
Cl0p Ransomware Exploits Vulnerability in MOVEit Transfer App
Description
A recent global cyberattack has targeted multiple US federal government agencies and numerous companies worldwide. The attack leveraged a vulnerability in MOVEit software, widely used for data transfer, and is allegedly orchestrated by a Russian cybercriminal group known as CLOP. While the impact is being assessed, there have been no ransom demands made to federal agencies thus far. The software vendor, Progress Software, is working on a patch to address the vulnerability, and the US Cybersecurity and Infrastructure Security Agency (CISA) is providing support to affected entities. This incident highlights the importance of proactive security measures such as patch management, vulnerability assessments, and incident response planning to mitigate risks in today’s evolving threat landscape. The attack has impacted multiple federal agencies, as well as several hundred companies and organizations in the US. The extent of data compromise is currently under investigation. The Department of Energy confirmed that records from two entities, including Oak Ridge Associated Universities, a research center, and a contractor affiliated with the Waste Isolation Pilot Plant, were compromised. While ransom demands have not been made to federal agencies, the CLOP ransomware group is known for demanding multimillion-dollar ransoms. The financial impact on affected companies and organizations is yet to be determined. Progress Software, the developer of MOVEit, has acknowledged the vulnerability and is working on a patch to address the issue. The affected software, MOVEit Cloud, has been taken offline to expedite the patching process. The US Cybersecurity and Infrastructure Security Agency (CISA) is providing support to federal agencies affected by the attack. CISA is working urgently to understand the impacts, ensure timely remediation, and collaborate with law enforcement and other relevant entities.
Infected Technology
MOVEit Transfer
Source
https://edition.cnn.com/2023/06/15/politics/us-government-hit-cybeattack/index.html
Recommendation
• Maintain up-to-date backups of critical data to mitigate the impact of a potential breach or data loss. • Disable all HTTP and HTTPS traffic on ports 80 and 443 for MOVEit Transfer until the vulnerability is addressed.
Chinese APT group UNC3886 seen exploiting unpatched VMware ESXi
Description
The Chinese APT group known as UNC3886 has been exploiting a zero-day vulnerability in VMware Tools to bypass authentication and gain privileged access to Windows, Linux, and PhotonOS (vCenter) guest virtual machines. VMware’s advisory regarding the CVE associated with this vulnerability categorizes it as a low risk because it can only be exploited by an attacker who has completely compromised an ESXi host. If an ESXi host is fully compromised, it can cause VMware Tools to fail in authenticating host-to-guest operations, thereby compromising the confidentiality and integrity of the guest VMs. By leveraging the zero-day vulnerability (CVE-2023-20867), the attacker can execute commands and transfer files to and from guest VMs using a compromised ESXi host without requiring guest credentials.
Infected Technology
VMware ESXi
Source
https://www.itnews.com.au/news/chinese-attackers-exploiting-unpatched-vmware-esxi-instances-596858
Recommendation
• Regularly monitor and review ESXi host logs for any suspicious activities or unauthorized access attempts. • Limit privileged access to ESXi hosts.
CVE ID
CVE-2023-20867
Critical FortiOS and FortiProxy Vulnerability Exploited
Description
The Fortigate vulnerability, assigned the CVE-2023-27997 identifier and having a CVSS score of 9.2, is a critical security flaw found in FortiOS and FortiProxy SSL-VPN. This vulnerability involves a heap-based buffer overflow, which can be exploited by a remote attacker. By sending specifically crafted requests, the attacker can trigger the overflow and potentially execute arbitrary code or commands on the affected system. This could lead to unauthorized access, control, and compromise of the targeted system. Given its severity, immediate attention and remediation are necessary to prevent potential exploitation.
Infected Technology
Fortinet Products
Source
https://thehackernews.com/2023/06/critical-fortiosand-fortiproxy.html
Recommendation
• Update to the latest firmware version to avert potential risks.
CVE ID
CVE-2023-27997
New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries
Description
Threat actors have launched a new type of software supply chain attack targeting open-source projects by exploiting expired Amazon S3 buckets. By seizing control of these buckets, attackers can serve rogue binaries without modifying the modules themselves. The attack was first observed in the case of an npm package called bignum, where a now-expired S3 bucket was claimed by a malicious third party. When users downloaded the package, they unknowingly received malware-containing binaries that exfiltrated data from their computers. The attacker rerouted the package’s source pointer toward the hijacked bucket. Reverse engineering of the malware revealed its ability to steal user credentials and transmit the data to the compromised bucket. Checkmarx found numerous packages using abandoned S3 buckets, highlighting the constant search for new ways to compromise the software supply chain. This incident serves as a reminder to developers and organizations about the risks posed by abandoned hosting buckets or obsolete subdomains.
Infected Technology
Amazon S3 buckets
Source
https://thehackernews.com/2023/06/new-supply-chain-attack-exploits.html
Recommendation
• Keep software dependencies up to date. • Use code scanning and vulnerability assessments. • Monitor and track the software supply chain. • Apply access controls and permissions to storage buckets
Ready to get started?
Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.
Contact Us