Cyber Threat Intelligence Briefing - January 15, 2024
The PacketWatch Intelligence Team : Jan 15, 2024 2:31:43 PM
Welcome back for another bi-weekly threat intelligence report from PacketWatch. This week, we cover recent Twitter/X account compromises and a vulnerability rundown.
We've also enriched our original threat intelligence report to include resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.
LESSONS LEARNED
Mandiant and SEC Twitter/X Account Compromises
Since the new year, there have been a string of account takeovers on the social media platform X, formerly known as Twitter. These account takeovers have been used to push cryptocurrency scams and cryptocurrency 'wallet drainers.'
Threat actors target high-profile accounts, using various methods to accomplish the account takeover.
On January 3, Google-owned cybersecurity firm Mandiant had its X account hijacked and used to distribute phishing links to the CLINKSINK drainer.
On January 9, the U.S. Securities and Exchange Commission X account was hijacked and used to issue a fake announcement of the approval of Bitcoin ETFs.
How Is It Happening?
While the SEC account takeover is still under investigation, Mandiant disclosed that its own account takeover was likely the result of a brute-force password attack, and that, due to certain circumstances, multi-factor authentication (MFA) was not properly enabled on the account, which allowed the brute-force attack to succeed.
Another recent account takeover occurred on the X account of blockchain security firm CertiK. It was later revealed that an employee at the company was phished by a threat actor posing as a journalist using yet another hacked X account.
Beyond Network Security
In the modern era of social media, information security goes well beyond the corporate network. Almost every company has social media accounts across various platforms like X, Facebook, Instagram, etc. These accounts represent the company brand and are a great way for organizations to communicate with their customers. However, losing control of these accounts to threat actors is a major threat to brand reputation and could be abused for further exploitation.
How To Protect Your Organization
- Review which employees have access to these corporate social media accounts. Access should be restricted to only necessary personnel.
- Additionally, passwords used on these accounts should follow the same strict password policies used within the corporate environment.
- Strong MFA should be enabled on these accounts. Avoid SMS and push-based MFA, as these can be easily bypassed and abused.
- Like all social engineering risks, users should be trained to identify phishing attacks and avoid clicking dangerous links.
- Many organizations leverage third-party social media platforms like Hootsuite, SproutSocial, Later, and HubSpot. They often require access to an account's APIs for automation or data gathering. Each social media account will have its own set of API keys. Access and ownership of these keys should also be audited. Avoid embedding plaintext API keys directly in code as they may lead to accidental disclosure in code repositories.
Additional Resources
- https://www.mandiant.com/resources/blog/solana-cryptocurrency-stolen-clinksink-drainer-campaigns
- https://www.bleepingcomputer.com/news/security/us-secs-x-account-hacked-to-announce-fake-bitcoin-etf-approval/
- https://www.bleepingcomputer.com/news/security/web3-security-firm-certiks-x-account-hacked-to-push-crypto-drainer/
- https://twitter.com/zachxbt/status/1743260567060787424
- https://www.strac.io/blog/sharing-and-storing-api-keys-securely
Vulnerability Roundup
CVE-2023-29357: Microsoft SharePoint Vulnerability Under Active Exploitation
CISA recently added CVE-2023-29357, a Microsoft SharePoint privilege escalation vulnerability, to the Known Exploited Vulnerabilities (KEV) catalog.
This vulnerability was patched by Microsoft in June 2023's Patch Tuesday updates.
While this is 'only' a privilege escalation flaw, the CVE received a CVSS score of 9.8 since the attacker can complete the exploit remotely without user interaction.
The attacker simply needs to send a spoofed JSON Web Token (JWT) to the vulnerable server, and it will give them access as an authenticated user.
Administrators are urged to patch immediately if they have not already done so.
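The failure mode above is a server accepting a token it never actually verified. As an added example (not SharePoint's or Microsoft's code, and not a model of the specific flaw), here is a minimal JWT verifier that pins the algorithm server-side, recomputes the HMAC signature, and checks issuer and expiry before trusting any claim; the signing key and issuer are constructed values:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not a real deployment's configuration).
SIGNING_KEY = b"constructed-demo-signing-key-do-not-reuse"
EXPECTED_ISSUER = "https://idp.example.test"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(claims: dict) -> str:
    """Mint a genuine HS256 token with the server key (so the example runs offline)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, now=None):
    """Return the claims only for a token the server really signed; otherwise None.
    A spoofed token must fail one of these: the algorithm is pinned here rather than
    taken from the token (so "alg": "none" or a swapped algorithm is refused), the
    signature is recomputed and compared in constant time, and issuer/expiry are
    checked before any claim is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented_sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return None
    exp = claims.get("exp")
    if claims.get("iss") != EXPECTED_ISSUER or not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims
```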
SOCRadar Resources
Find available PoCs and exploits at CVE-2023-29357 (SOCRadar)
Additional Resources
- https://www.tenable.com/blog/cve-2023-29357-cve-2023-24955-exploit-chain-released-for-microsoft-sharepoint-server
- https://thehackernews.com/2024/01/act-now-cisa-flags-active-exploitation.html
CVE-2024-21591: New RCE Vulnerability in Juniper Networks Junos OS
Juniper Networks recently disclosed a new vulnerability, CVE-2024-21591, for their J-Web configuration interfaces across various Junos OS versions in SRX Series firewalls and EX Series switches.
The flaw allows for unauthenticated network-based denial of service or remote code execution that can lead to root privileges on the device.
Juniper is not aware of this vulnerability being exploited in the wild, but administrators are urged to patch as soon as possible, or restrict J-Web access to only trusted networks.
The vulnerable versions are listed below:
- Junos OS versions earlier than 20.4R3-S9;
- Junos OS 21.2 versions earlier than 21.2R3-S7;
- Junos OS 21.3 versions earlier than 21.3R3-S5;
- Junos OS 21.4 versions earlier than 21.4R3-S5;
- Junos OS 22.1 versions earlier than 22.1R3-S4;
- Junos OS 22.2 versions earlier than 22.2R3-S3;
- Junos OS 22.3 versions earlier than 22.3R3-S2;
- Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3
SOCRadar Resources
Read related Tweets and news stories on SOCRadar here.
Additional Resources
- https://www.bleepingcomputer.com/news/security/juniper-warns-of-critical-rce-bug-in-its-firewalls-and-switches/
- https://www.tenable.com/cve/CVE-2024-21591
CVE-2023-7028: Maximum Severity Vulnerability Disclosed by GitLab
GitLab issued a security bulletin highlighting a critical vulnerability in both GitLab Community Edition and Enterprise Edition, CVE-2023-7028.
Vulnerable versions of GitLab lack proper email verification, and it is possible for an attacker to issue a password reset email to a secondary, unverified email address, leading to a full account takeover.
Per GitLab, users with multi-factor authentication enabled on their accounts are still susceptible to password resets, but MFA prevents a full account takeover. Administrators are urged to patch as soon as possible.
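As an added illustration (example code, not GitLab's own), here is the flawed versus corrected decision in a toy password-reset flow using constructed accounts: the reset link may only go to an address the owner has confirmed, and the login helper models the bulletin's note that a second factor stops a reset from becoming a full takeover:

```python
from dataclasses import dataclass
from typing import List

@dataclass
class EmailAddress:
    address: str
    verified: bool  # True only after the owner clicked the confirmation link

@dataclass
class Account:
    username: str
    emails: List[EmailAddress]  # primary address first, then any secondary addresses
    mfa_enabled: bool = False

def find_account(accounts, email):
    """Look up the account that lists `email` (verified or not), as a reset form would."""
    for acct in accounts:
        if any(e.address.lower() == email.lower() for e in acct.emails):
            return acct
    return None

def reset_link_recipient(acct, requested_email, require_verified=True):
    """Decide which address, if any, may receive the reset link.
    require_verified=False reproduces the flawed pattern the bulletin describes: an
    unverified secondary address attached to the account receives the link, so whoever
    controls that mailbox can set a new password. With require_verified=True (the fix)
    the link goes only to an address the owner has confirmed."""
    for e in acct.emails:
        if e.address.lower() == requested_email.lower():
            return e.address if (e.verified or not require_verified) else None
    return None

def login_completes(acct, new_password_accepted, second_factor_passed):
    """A reset alone yields a full takeover only when no second factor stands in the way."""
    if not new_password_accepted:
        return False
    return second_factor_passed if acct.mfa_enabled else True
```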
The vulnerable versions are listed below:
- 16.1 to 16.1.5
- 16.2 to 16.2.8
- 16.3 to 16.3.6
- 16.4 to 16.4.4
- 16.5 to 16.5.5
- 16.6 to 16.6.3
- 16.7 to 16.7.1
SOCRadar Resources
View available PoCs and exploits, repositories, and Tweets on SOCRadar here.
CVE-2024-20272: Cisco Discloses High Severity Flaw in Unity Connection
Cisco recently disclosed details of a new vulnerability in the web-based management system for their Unity Connection software, CVE-2024-20272.
Due to a lack of authentication in a specific API, an unauthorized remote attacker can upload a malicious file, execute arbitrary commands, and escalate privileges to root on the system. The vulnerability affects versions 12.5 and earlier as well as version 14. Version 15 is unaffected.
According to Cisco, there is no evidence of PoC exploits or exploitation of this vulnerability in the wild. However, administrators are urged to update as soon as possible.
SOCRadar Resources
View SOCRadar's Vulnerability Intelligence here.
Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Disclaimer
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.