InfoSec Weekly

August 07, 2023

Table Of Contents

High-Severity Flaw in PaperCut Print Management Software Enables Remote Code Execution

Description

Cybersecurity researchers have recently identified a significant security flaw in the PaperCut print management software for Windows, tracked as CVE-2023-39143. This vulnerability is rated as high severity, with a CVSS score of 8.4, indicating its potential impact.The flaw affects versions of PaperCut NG/MF prior to version 22.1.3. It has been classified as a combination of a path traversal and file upload vulnerability. This means that attackers can manipulate file paths to gain unauthorized access to files and directories and upload arbitrary files to the PaperCut MF/NG application server.The most concerning aspect of CVE-2023-39143 is that unauthenticated attackers can exploit it. They do not need any prior privileges or user interaction to potentially read, delete, and upload files to the server. In certain configurations, this vulnerability could lead to remote code execution, enabling attackers to run their malicious code on the affected server. The severity of this flaw is heightened by the fact that the “external device integration” setting, which is enabled by default in some PaperCut installations, can exacerbate the attack surface.It’s essential to note that this vulnerability is distinct from a previous one (CVE-2023-27350) discovered in the same software. Unlike its predecessor, CVE-2023-39143 does not require attackers to have any prior privileges and is more complex to exploit. Attackers need to chain multiple issues together to compromise a server successfully.

Infected Technology

PaperCut

Source

https://thehackernews.com/2023/08/researchers-uncover-new-high-severity.html

Recommendation

• Keep the papercut upto date

CVE ID

CVE-2023-39143


API Access Flaw Found in Ivanti MobileIron Core Version 11.2

Description

A critical vulnerability (CVE-2023-35082):(bypass vulnerability) previously a zero-day vulnerability, has been identified in Ivanti’s MobileIron Core 11.2 version, potentially allowing unauthorized access to restricted functions. MobileIron Core, a product by Ivanti, enables secure management of mobile devices, applications, and content, combining MDM, MAM, and MCM capabilities. MobileIron Core 11.2 is no longer supported as of March 15, 2022 so no new patches were released for the vulnerability but a recommendation to upgrade to the latest version was issued.

Infected Technology

Ivanti’s MobileIron Core 11.2 version. Source https://cybersecuritynews.com/ivanti-mobileiron-api-access-flaw/ Recommendation • Upgrade to the latest version of Ivanti Endpoint Manager Mobile (EPMM). • Practice regular software version tracking, make timely upgrades, remain vigilant and take precautions against potential threats.

CVE_ID

CVE-2023-35082


New Rilide Malware Attacking Enterprise Employees to Steal Credentials

Description

A new variant of the Rilide stealer, a malicious browser extension identified in April 2023 by Trustwave SpiderLabs, is reported to be targeting enterprise employees and crypto wallets. This version effectively evades the restrictions imposed by Google Chrome’s Extensions manifest V3, enabling it to execute in-line JavaScript code. The malware primarily focuses on pilfering credentials from bank accounts in Australia and the UK, while also capturing screenshots and transmitting the stolen data through a Telegram channel. The enhanced Rilide variant boasts capabilities such as disabling browser extensions, gathering browsing history and cookies, conducting on-demand screenshots, injecting malicious scripts for cryptocurrency theft, and masquerading as a Palo Alto GlobalProtect VPN extension on the Chrome Web Store. It also integrates CursedChrome for authenticated web browsing as the victim. Perpetrators have leveraged Twitter campaigns related to NFTs to entice users into sharing their information, employing dedicated Discord servers and websites to distribute the malware. Trustwave SpiderLabs has published a comprehensive report detailing the attack vector and methods, along with a list of compromise indicators for security personnel’s reference.

Source

https://cybersecuritynews.com/rilide-stealer-malware/

Infected Technology

Different browsers

Recommendation

• Browser extension management • Multifactor Authentication MFA and least privilege.


Phishers Exploit Salesforce’s Email Services Zero-Day in Targeted Facebook Campaign

Description

A sophisticated Facebook phishing campaign exploits a zero-day flaw in Salesforce’s email services, enabling targeted attacks with the company’s domain. Emails appear as Meta notifications from “@salesforce.com” addresses, urging recipients to click on a link due to “investigation” claims. The link directs to a rogue page aiming to steal account credentials and 2FA codes. The phishing kit is hosted on the deprecated Facebook apps platform, making it hard to detect. The attackers manipulate Salesforce’s email validation by configuring an Email-to-Case routing, allowing verification via a controlled address link. Salesforce patched the flaw on July 28, 2023. Such attacks highlight the trend of using legitimate services for malicious purposes.

Infected Technology

Salesforce Email Services

Source

https://thehackernews.com/2023/08/phishers-exploit-salesforces-email.html

#####Recommendation · Use advanced detection tools. · Strengthen cloud security practices.


Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability

Description

Cybersecurity researchers discovered an actively exploited vulnerability, CVE-2023-35082, in some versions of Ivanti Endpoint Manager Mobile (EPMM). This flaw allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below). If exploited, it could potentially give unauthorized remote access to users’ personally identifiable information and allow limited changes to the server. The vulnerability was fixed in MobileIron Core 11.3 but had not been flagged previously as a security flaw. Rapid7 found that CVE-2023-35082 and CVE-2023-35078 share the same origin, and they can be combined to allow an attacker to write malicious web shell files and execute them on the appliance. It’s recommended for users to update to the latest supported version to secure against potential threats. Two other security flaws, CVE-2023-35078 and CVE-2023-35081, impacting Ivanti EPMM were also recently patched.

Source

https://thehackernews.com/2023/08/researchers-discover-bypass-for.html

Infected Technology

Systems running of Ivanti EPMM and MobileIron Core.

Recommendation

• Regularly perform security audits and vulnerability assessments to identify potential weaknesses in the software. • Apply Patches: Ensure that all available security patches and updates for Ivanti EPMM are applied promptly. This includes fixing the other two recently patched vulnerabilities (CVE-2023-35078 and CVE-2023-35081) to prevent unauthorized access and path traversal attacks

CVE

CVE-2023-35082



call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us