InfoSec Weekly

November 5, 2023

Table Of Contents

Iran’s MuddyWater Espionage Group Adopts Advanced Tactics to Target Israeli Entities

Description

In a recent development in the ever-evolving landscape of state-sponsored cyber espionage, Iran’s MuddyWater, a known nation-state actor, has launched a spear-phishing campaign with a twist, targeting two Israeli entities. What sets this campaign apart is the use of a new infection vector that deploys a legitimate remote administration tool known as Advanced Monitoring Agent, provided by N-able. Cybersecurity firm Deep Instinct recently disclosed the details of this campaign, shedding light on the group’s updated Tactics, Techniques, and Procedures (TTPs).

MuddyWater is no stranger to the cybersecurity community. This cyber espionage crew, believed to operate under the auspices of Iran’s Ministry of Intelligence and Security (MOIS), has been active since at least 2017. Over the years, it has been responsible for various campaigns, often utilizing spear-phishing emails with direct links or attachments that lead to the deployment of remote access tools. Previous tools utilized by MuddyWater include ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.

Infected Technology

The spear-phishing campaign targeted Israeli entities, exploiting a multi-stage infection vector that involved the use of a new file-sharing service, Storyblok, to deliver the Advanced Monitoring Agent remote administration tool.

Source

https://thehackernews.com/2023/11/irans-muddywater-targets-israel-in-new.html

Recommendation

Implement robust email security solutions to detect and block spear-phishing attempts.


Microsoft Edge Vulnerability Let Attackers Execute Malicious Code

Description

Recent security flaws in Microsoft Edge (Chromium-based) have been identified, posing risks of remote code execution and spoofing attacks.An unauthenticated, remote attacker can potentially exploit this vulnerability to remotely execute commands on Microsoft Edge versions that are affected. However, Microsoft clarifies that to exploit this vulnerability, user interaction is necessary beforehand.

In the case of the Microsoft Edge spoofing vulnerability, it can be exploited by an unauthenticated attacker with network access, but specific user interactions are needed for it to work. However, there is no additional information available about this vulnerability at this time.

Infected Technology

• Microsoft Edge (Chromium-based)

• Microsoft Edge (Chromium-based) Extended Stable.

• Microsoft Edge for Android

Source

https://cybersecuritynews-com.cdn.ampproject.org/c/s/cybersecuritynews.com/microsoft-edge-vulnerability/?amp

Recommendation

• Users of these products are recommended to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited.

CVE ID

CVE-2023-36022, CVE-2023-36029, and CVE-2023-36034.


Apache ActiveMQ Servers Exposed to Critical CVE-2023-46604 RCE Vulnerability

Description

More than 3,000 Apache ActiveMQ servers exposed to the internet are at risk due to a critical remote code execution (RCE) vulnerability identified as CVE-2023-46604. Apache ActiveMQ is an open-source, multi-protocol, Java-based message broker. The vulnerability is a critical severity RCE with a CVSS v3 score of 10.0, allowing attackers to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. Approximately 7,249 servers with ActiveMQ services are exposed, with 3,329 using vulnerable ActiveMQ versions. Vulnerable versions include Apache ActiveMQ 5.18.0 before 5.18.3, Apache ActiveMQ 5.17.0 before 5.17.6, Apache ActiveMQ 5.16.0 before 5.16.7, and Apache ActiveMQ before 5.15.16.

Infected Technology

Apache ActiveMQ servers

Source

https://cybersecuritynews.com/3000-apache-activemq-servers/

Recommendation

Upgrade to versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3

CVE ID

CVE-2023-46604


Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss

Description

Atlassian has issued a warning about a critical security vulnerability in Confluence Data Center and Server, identified as CVE-2023-22518, with a high CVSS score of 9.1, which could result in significant data loss when exploited by an unauthenticated attacker. This improper authorization vulnerability affects all versions of Confluence Data Center and Server and has been addressed in specific versions. Although it does not impact data confidentiality, Atlassian has urged immediate action to secure instances and recommends disconnecting publicly accessible instances until the patch is applied. Users outside of the support window are advised to upgrade, while Atlassian Cloud sites are unaffected. While there is no evidence of active exploitation, Atlassian has emphasized the importance of applying the patches to prevent potential exploitation, particularly following the release of critical information about the vulnerability.

Infected Technology

Confluence Data Center and Server

Source

https://thehackernews.com/2023/10/atlassian-warns-of-new-critical.html

Recommendation

Update to the lastest patched version.

CVE ID

CVE-2023-22518



call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us