
Cyber Threat Intelligence Briefing - January 15, 2024


Welcome back for another bi-weekly threat intelligence report from PacketWatch. This week, we cover recent Twitter/X account compromises and a vulnerability rundown.

We've also enriched our original threat intelligence report to include resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

LESSONS LEARNED

Mandiant and SEC Twitter/X Account Compromises


Since the new year, there has been a string of account takeovers on the social media platform X, formerly known as Twitter. These account takeovers have been used to push cryptocurrency scams and cryptocurrency 'wallet drainers.'

Threat actors target high-profile accounts, using various methods to accomplish the account takeover.

On January 3, Google-owned cybersecurity firm Mandiant had its X account hijacked, and the account was used to distribute phishing links to the CLINKSINK drainer.

On January 9, the U.S. Securities and Exchange Commission X account was hijacked and used to issue a fake announcement of the approval of Bitcoin ETFs.

How Is It Happening?

While the SEC account takeover is still under investigation, Mandiant disclosed that its account takeover was likely the result of a brute-force password attack and that, due to certain circumstances, multi-factor authentication (MFA) was not properly enabled on the account, which allowed the brute-force attack to succeed.

Another recent account takeover occurred on the X account of blockchain security firm CertiK. It was later revealed that an employee at the company was phished by a threat actor posing as a journalist, who was using yet another hacked X account.

Beyond Network Security

In the modern era of social media, information security goes well beyond the corporate network. Almost every company has social media accounts across various platforms like X, Facebook, Instagram, etc. These accounts represent the company brand and are a great way for organizations to communicate with their customers. However, losing control of these accounts to threat actors is a major threat to brand reputation, and the accounts could be abused for further exploitation.

How To Protect Your Organization


Vulnerability Roundup


CVE-2023-29357: Microsoft SharePoint Vulnerability Under Active Exploitation

CISA recently added CVE-2023-29357, a Microsoft SharePoint privilege escalation vulnerability, to the Known Exploited Vulnerabilities (KEV) catalog.

This vulnerability was patched by Microsoft in June 2023's Patch Tuesday updates.

While this is 'only' a privilege escalation flaw, the CVE received a CVSS score of 9.8 since the attacker can complete the exploit remotely without user interaction.

An attacker only needs to send a spoofed JSON Web Token (JWT) to the vulnerable server, which then grants them access as an authenticated user.

Administrators are urged to patch immediately if they have not already done so.

SOCRadar Resources

Find available PoCs and exploits at CVE-2023-29357 (SOCRadar)

Additional Resources

CVE-2024-21591: New RCE Vulnerability in Juniper Networks Junos OS

Juniper Networks recently disclosed a new vulnerability, CVE-2024-21591, in the J-Web configuration interface of various Junos OS versions running on SRX Series firewalls and EX Series switches.

The flaw allows an unauthenticated, network-based attacker to cause a denial of service or achieve remote code execution that can lead to root privileges on the device.

Juniper is not aware of this vulnerability being exploited in the wild, but administrators are urged to patch as soon as possible or to restrict J-Web access to trusted networks only.

The vulnerable versions are listed below:

  • Junos OS versions earlier than 20.4R3-S9;
  • Junos OS 21.2 versions earlier than 21.2R3-S7;
  • Junos OS 21.3 versions earlier than 21.3R3-S5;
  • Junos OS 21.4 versions earlier than 21.4R3-S5;
  • Junos OS 22.1 versions earlier than 22.1R3-S4;
  • Junos OS 22.2 versions earlier than 22.2R3-S3;
  • Junos OS 22.3 versions earlier than 22.3R3-S2;
  • Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3
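The list above is easiest to act on as a version check across a device inventory. The following is an added example (not Juniper's or PacketWatch's code) that parses Junos version strings of the form MAJOR.MINOR R n [-S m], classifies each version against the fixed releases listed above, and flags branches the advisory does not mention; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed releases transcribed from the CVE-2024-21591 list in this briefing, keyed by
# Junos branch (major, minor). A version is affected if it is older than every fix
# listed for its branch; the first bullet applies to any version older than 20.4R3-S9.
FIRST_FIX = "20.4R3-S9"
JUNOS_FIXED = {
    (20, 4): ["20.4R3-S9"],
    (21, 2): ["21.2R3-S7"],
    (21, 3): ["21.3R3-S5"],
    (21, 4): ["21.4R3-S5"],
    (22, 1): ["22.1R3-S4"],
    (22, 2): ["22.2R3-S3"],
    (22, 3): ["22.3R3-S2"],
    (22, 4): ["22.4R2-S2", "22.4R3"],
}
_JUNOS_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")

def parse_junos(version: str) -> tuple:
    """'22.4R2-S2' -> (22, 4, 2, 2). A release without -S gets S=0, so 22.4R3 sorts
    after every 22.4R2-Sn and plain tuple comparison gives Junos release order."""
    m = _JUNOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service = m.groups()
    return (int(major), int(minor), int(release), int(service or 0))

def cve_2024_21591_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one Junos version string."""
    v = parse_junos(version)
    if v < parse_junos(FIRST_FIX):
        return "affected"            # older than 20.4R3-S9, whatever the branch
    fixes = JUNOS_FIXED.get(v[:2])
    if fixes is None:
        return "not listed"          # branch absent from the list; confirm with Juniper
    earliest_fix = min(parse_junos(f) for f in fixes)
    return "affected" if v < earliest_fix else "fixed"

def triage_inventory(inventory: str) -> dict:
    """Map each 'hostname,version' line of a device inventory to its status."""
    result = {}
    for line in inventory.strip().splitlines():
        host, ver = (part.strip() for part in line.split(",", 1))
        result[host] = cve_2024_21591_status(ver)
    return result

# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = "srx-edge-1,21.4R3-S4\nsrx-edge-2,22.4R2-S2\nex-core-1,19.4R3-S6\nex-access-7,23.2R1"
```

`triage_inventory(SAMPLE_INVENTORY)` marks srx-edge-1 and ex-core-1 as affected, srx-edge-2 as fixed, and ex-access-7 as not listed, since 23.2 does not appear in the advisory list and should be confirmed against Juniper's bulletin rather than assumed safe.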

SOCRadar Resources

Read related Tweets and news stories on SOCRadar here.

Additional Resources

CVE-2023-7028: Maximum Severity Vulnerability Disclosed by GitLab

GitLab issued a security bulletin highlighting a critical vulnerability in both GitLab Community Edition and Enterprise Edition, CVE-2023-7028.

Vulnerable versions of GitLab lack proper email verification, allowing an attacker to have a password reset email sent to a secondary, unverified email address, which leads to a full account takeover.

Per GitLab, users with multi-factor authentication enabled on their accounts are still susceptible to password resets, but MFA prevents a full account takeover. Administrators are urged to patch as soon as possible.

The vulnerable versions are listed below:

  • 16.1 to 16.1.5
  • 16.2 to 16.2.8
  • 16.3 to 16.3.6
  • 16.4 to 16.4.4
  • 16.5 to 16.5.5
  • 16.6 to 16.6.3
  • 16.7 to 16.7.1

SOCRadar Resources

View available PoCs and exploits, repositories, and Tweets on SOCRadar here.

Additional Resources

CVE-2024-20272: Cisco Discloses High Severity Flaw in Unity Connection

Cisco recently disclosed details of a new vulnerability in the web-based management system for their Unity Connection software, CVE-2024-20272.

Due to a lack of authentication in a specific API, an unauthenticated remote attacker can upload a malicious file, execute arbitrary commands, and escalate privileges to root on the system. The vulnerability affects versions 12.5 and earlier as well as version 14; version 15 is unaffected.

According to Cisco, there is no evidence of PoC exploits or exploitation of this vulnerability in the wild. However, administrators are urged to update as soon as possible.

SOCRadar Resources

View SOCRadar's Vulnerability Intelligence here.



Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.


Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.