November 13, 2023

Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability

Description

Recent findings from Microsoft reveal that the notorious threat actor known as Lace Tempest has once again struck, exploiting a zero-day vulnerability in SysAid IT support software. Upon successful exploitation, Lace Tempest utilized the compromised SysAid software to deliver a malware loader for the Gracewire malware. Subsequent actions involved human-operated activities, including lateral movement, data theft, and the deployment of ransomware. SysAid has since released a patch (version 23.3.36) to address the vulnerability.

The attack methodology involves uploading a WAR archive containing a web shell and other payloads into the webroot of the SysAid Tomcat web service. This web shell provides backdoor access to the compromised host and delivers a PowerShell script, executing a loader that loads Gracewire. Another PowerShell script erases evidence of exploitation post-deployment.

Infected Technology

SysAid IT Support Software (On-Premise Installations)

Source

https://thehackernews.com/2023/11/zero-day-alert-lace-tempest-exploits.html

Recommendation

Organizations using SysAid should urgently apply the provided patch (version 23.3.36) to address CVE-2023-47246 and fortify their defenses against potential ransomware attacks.

CVE ID

CVE-2023-47246

Threat Actors Use HelloKitty Ransomware To Further Exploit Apache ActiveMQ

Description

The recently discovered Apache ActiveMQ remote code execution (RCE) vulnerability, CVE-2023-46604, is being actively exploited by threat actors to distribute ransomware, specifically associated with the HelloKitty ransomware family. The flaw, rated critical with a CVSS v3 score of 10.0, exploits serialized class types in the OpenWire protocol, allowing attackers to execute arbitrary shell commands. HelloKitty ransomware, known since 2020, is leveraging the Windows Installer to load remote binaries post-exploitation, initiating encryption processes with a distinctive “.locked” extension. A fix for this vulnerability has been released in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3.

Infected Technology

• Apache ActiveMQ servers

Source

https://cybersecuritynews.com/hellokitty-ransomware-apache-activemq/

Recommendation

• Upgrade to latest versions of Apache ActiveMQ: 5.15.16, 5.16.7, 5.17.6, or 5.18.3

CVE ID

CVE-2023-36022, CVE-2023-36029, and CVE-2023-36034

Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss

Description

Veeam has recently released security updates addressing four vulnerabilities in its ONE IT monitoring and analytics platform, two of which are deemed critical. The first critical flaw, CVE-2023-38547, poses a risk of remote code execution on the SQL server by enabling an unauthenticated user to access information about Veeam ONE’s SQL server connection. The second critical vulnerability, CVE-2023-38548, allows an unprivileged user with Veeam ONE Web Client access to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. Additionally, a cross-site scripting vulnerability (CVE-2023-38549) and a vulnerability allowing unauthorized viewing of the Dashboard Schedule (CVE-2023-41723) have also been identified. While the first three affect Veeam ONE versions 11, 11a, and 12, the fourth impacts only version 12. Fixes for these issues are available in updated versions. Given the recent exploitation of critical flaws in Veeam backup software by threat actors like FIN7 and BlackCat ransomware, users are strongly advised to apply the fixes promptly by stopping monitoring and reporting services, replacing files with those provided in the hotfix, and restarting the services.

Infected Technology

ONE IT monitoring and analytics platform

Source

https://thehackernews.com/2023/11/critical-flaws-discovered-in-veeam-one.html

Recommendation

Fixes for the issues are available in the below versions:

• Veeam ONE 11 (11.0.0.1379)
• Veeam ONE 11a (11.0.1.1880)
• Veeam ONE 12 P20230314 (12.0.1.2591)

CVE ID

CVE-2023-38547, CVE-2023-38548, CVE-2023-38549, CVE-2023-41723

CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation

Description

CISA recently included a significant vulnerability in the Service Location Protocol (SLP) among its Known Exploited Vulnerabilities. This move comes after the agency found evidence of active exploitation of the flaw, indicating a high level of risk in the protocol’s security.CISA reported that a vulnerability in the Service Location Protocol (SLP) enables an unauthenticated remote attacker to register services and employ falsified UDP traffic, potentially causing a significant denial-of-service (DoS) attack due to its amplification factor.The specific details regarding how the flaw is being exploited are not yet clear. However, previous alerts from Bitsight highlighted the potential for this weakness to be exploited for launching DoS attacks with a notable amplification effect.

Infected Technology

• IBM Integrated Management Module (IMM), HP printers, Konica Minolta printers, Planex routers, VMware ESXi servers.

Source

CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation (thehackernews.com)

Recommendation

• Disabling the SLP service on systems running on untrusted networks. • Network operators are advised to conduct reconnaissance to locate and aid in fixing exploitable SLP reflectors or amplifiers present on their networks or those of their clients.

CVE ID

CVE-2023-29552