InfoSec Weekly
November 13, 2023
Table Of Contents
Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability
Description
Recent findings from Microsoft reveal that the notorious threat actor known as Lace Tempest has once again struck, exploiting a zero-day vulnerability in SysAid IT support software. Upon successful exploitation, Lace Tempest utilized the compromised SysAid software to deliver a malware loader for the Gracewire malware. Subsequent actions involved human-operated activities, including lateral movement, data theft, and the deployment of ransomware. SysAid has since released a patch (version 23.3.36) to address the vulnerability.
The attack methodology involves uploading a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service. This web shell provides backdoor access to the compromised host and delivers a PowerShell script, executing a loader that loads Gracewire. Another PowerShell script erases evidence of exploitation post-deployment.
Infected Technology
SysAid IT Support Software (On-Premise Installations)
Source
https://thehackernews.com/2023/11/zero-day-alert-lace-tempest-exploits.html
Recommendation
Organizations using SysAid should urgently apply the provided patch (version 23.3.36) to address CVE-2023-47246 and fortify their defenses against potential ransomware attacks.
CVE ID
CVE-2023-47246
Threat Actors Use HelloKitty Ransomware To Further Exploit Apache ActiveMQ
Description
The recently discovered Apache ActiveMQ remote code execution (RCE) vulnerability, CVE-2023-46604, is being actively exploited by threat actors to distribute ransomware, specifically associated with the HelloKitty ransomware family. The flaw, rated critical with a CVSS v3 score of 10.0, exploits serialized class types in the OpenWire protocol, allowing attackers to execute arbitrary shell commands. HelloKitty ransomware, known since 2020, is leveraging the Windows Installer to load remote binaries post-exploitation, initiating encryption processes with a distinctive “.locked” extension. A fix for this vulnerability has been released in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
Infected Technology
• Apache ActiveMQ servers
Source
https://cybersecuritynews.com/hellokitty-ransomware-apache-activemq/
Recommendation
• Upgrade to latest versions of Apache ActiveMQ: 5.15.16, 5.16.7, 5.17.6, or 5.18.3
CVE ID
CVE-2023-36022, CVE-2023-36029, and CVE-2023-36034
Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss
Description
Veeam has recently released security updates addressing four vulnerabilities in its ONE IT monitoring and analytics platform, two of which are deemed critical. The first critical flaw, CVE-2023-38547, poses a risk of remote code execution on the SQL server by enabling an unauthenticated user to access information about Veeam ONE’s SQL server connection. The second critical vulnerability, CVE-2023-38548, allows an unprivileged user with Veeam ONE Web Client access to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. Additionally, a cross-site scripting vulnerability (CVE-2023-38549) and a vulnerability allowing unauthorized viewing of the Dashboard Schedule (CVE-2023-41723) have also been identified. While the first three affect Veeam ONE versions 11, 11a, and 12, the fourth impacts only version 12. Fixes for these issues are available in updated versions. Given the recent exploitation of critical flaws in Veeam backup software by threat actors like FIN7 and BlackCat ransomware, users are strongly advised to apply the fixes promptly by stopping monitoring and reporting services, replacing files with those provided in the hotfix, and restarting the services.
Infected Technology
ONE IT monitoring and analytics platform
Source
https://thehackernews.com/2023/11/critical-flaws-discovered-in-veeam-one.html
Recommendation
Fixes for the issues are available in the below versions:
- Veeam ONE 11 (11.0.0.1379)
- Veeam ONE 11a (11.0.1.1880)
- Veeam ONE 12 P20230314 (12.0.1.2591)
CVE ID
CVE-2023-38547, CVE-2023-38548, CVE-2023-38549, CVE-2023-41723
CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation
Description
CISA recently included a significant vulnerability in the Service Location Protocol (SLP) among its Known Exploited Vulnerabilities. This move comes after the agency found evidence of active exploitation of the flaw, indicating a high level of risk in the protocol’s security.CISA reported that a vulnerability in the Service Location Protocol (SLP) enables an unauthenticated remote attacker to register services and employ falsified UDP traffic, potentially causing a significant denial-of-service (DoS) attack due to its amplification factor.The specific details regarding how the flaw is being exploited are not yet clear. However, previous alerts from Bitsight highlighted the potential for this weakness to be exploited for launching DoS attacks with a notable amplification effect.
Infected Technology
• IBM Integrated Management Module (IMM), HP printers, Konica Minolta printers, Planex routers, VMware ESXi servers.
Source
CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation (thehackernews.com)
Recommendation
• Disabling the SLP service on systems running on untrusted networks. • Network operators are advised to conduct reconnaissance to locate and aid in fixing exploitable SLP reflectors or amplifiers present on their networks or those of their clients.
CVE ID
CVE-2023-29552
Ready to get started?
Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.
Contact Us