Welcome back for another bi-weekly threat intelligence report from PacketWatch. This week, we cover recent Twitter/X account compromises and a vulnerability rundown.
We've also enriched our original threat intelligence report to include resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.
LESSONS LEARNED
Since the new year, there have been a string of account takeovers on the social media platform X, formerly known as Twitter. These account takeovers have been used to push cryptocurrency scams and cryptocurrency 'wallet drainers.'
Threat actors target high-profile accounts, using various methods to accomplish the account takeover.
On January 3, Google-owned cybersecurity firm Mandiant had its X account hijacked and used to distribute phishing links to the CLINKSINK drainer.
On January 9, the U.S. Securities and Exchange Commission X account was hijacked and used to issue a fake announcement of the approval of Bitcoin ETFs.
While the SEC account takeover is still under investigation, Mandiant disclosed that its account takeover was likely due to a brute-force password attack and that, due to certain circumstances, multi-factor authentication (MFA) was not properly enabled on the account, which allowed the brute-force attack to succeed.
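The Mandiant case above is a pattern a defender can look for in login audit data: a burst of failed logins for one account from one source, followed by a success, against an account that has no second factor. The following is an added example, not PacketWatch's or Mandiant's code; the log line format, the MFA enrollment table and the threshold values are all constructed for illustration.

```python
"""Sliding-window failed-login detector (added example, not PacketWatch code).

Constructed sample log lines model a social-media style login audit trail.
An alert is raised when one source exceeds FAIL_THRESHOLD failures for one
account within WINDOW_SECONDS, and each alert records whether the targeted
account has MFA enrolled and whether a later success from the same source
suggests the account was actually taken over.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

FAIL_THRESHOLD = 5      # failures per (user, source) inside the window
WINDOW_SECONDS = 300    # 5-minute sliding window

# Constructed (hypothetical) MFA enrollment table for the sample accounts.
MFA_ENROLLED = {"press_office": True, "brand_account": False}

# Constructed sample audit lines: "<ISO timestamp> <result> user=<u> src=<ip>"
SAMPLE_LOG = """\
2024-01-03T10:00:01Z FAILED user=brand_account src=198.51.100.7
2024-01-03T10:00:03Z FAILED user=brand_account src=198.51.100.7
2024-01-03T10:00:05Z FAILED user=brand_account src=198.51.100.7
2024-01-03T10:00:08Z FAILED user=brand_account src=198.51.100.7
2024-01-03T10:00:10Z FAILED user=brand_account src=198.51.100.7
2024-01-03T10:00:12Z FAILED user=brand_account src=198.51.100.7
2024-01-03T10:00:15Z SUCCESS user=brand_account src=198.51.100.7
2024-01-03T10:01:00Z FAILED user=press_office src=203.0.113.9
2024-01-03T10:30:00Z FAILED user=press_office src=203.0.113.9
"""


def parse_line(line):
    """Split one audit line into (timestamp, result, user, source)."""
    ts_text, result, user_kv, src_kv = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def detect_brute_force(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert dict per (user, src) pair that crosses the threshold.

    Failures older than the window are dropped from the front of the deque,
    so two failures half an hour apart never accumulate into an alert.
    A SUCCESS from the same source after an alert marks it as a probable
    compromise rather than a mere attempt.
    """
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = {}
    for raw in log_text.strip().splitlines():
        ts, result, user, src = parse_line(raw)
        key = (user, src)
        if result == "FAILED":
            recent = failures[key]
            recent.append(ts)
            while recent and (ts - recent[0]).total_seconds() > window:
                recent.popleft()
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {
                    "user": user,
                    "src": src,
                    "failures": len(recent),
                    "mfa_enrolled": MFA_ENROLLED.get(user, False),
                    "compromised": False,
                }
        elif result == "SUCCESS" and key in alerts:
            alerts[key]["compromised"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The "mfa_enrolled" field is what turns a noisy brute-force alert into a priority one: an account without a second factor that sees a success right after a burst of failures is the exact situation Mandiant described, and it should page someone rather than wait for the daily review.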
Another recent account takeover occurred on the X account of blockchain security firm CertiK. It was later revealed that an employee at the company was phished by a threat actor posing as a journalist using yet another hacked X account.
In the modern era of social media, information security goes well beyond the corporate network. Almost every company has social media accounts across various platforms like X, Facebook, Instagram, etc. These accounts represent the company brand and are a great way for organizations to communicate with their customers. However, losing control of these accounts to threat actors is a major threat to brand reputation and could be abused for further exploitation.
Additional Resources
CISA recently added CVE-2023-29357, a Microsoft SharePoint privilege escalation vulnerability, to the Known Exploited Vulnerabilities (KEV) catalog.
This vulnerability was patched by Microsoft in June 2023's Patch Tuesday updates.
While this is 'only' a privilege escalation flaw, the CVE received a CVSS score of 9.8 since the attacker can complete the exploit remotely without user interaction.
The attacker simply needs to send a spoofed JSON Web Token (JWT) to the vulnerable server, and it will give them access as an authenticated user.
Administrators are urged to patch immediately if they have not already done so.
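The SharePoint flaw is described above only at the level of "a spoofed JWT is accepted as an authenticated user". The general mitigation for that class of bug is a verifier that pins the algorithm server-side, checks the signature before it reads a single claim, and treats a missing expiry as a failure. The code below is an added illustration of that strict verification; it is not SharePoint's code and says nothing about how CVE-2023-29357 itself is triggered. The HS256 shared-secret scheme, the secret value and the function names are assumptions made for the example.

```python
"""Strict HS256 JWT verification (added example, not Microsoft's or PacketWatch's code).

Assumptions (hypothetical): tokens are HS256 over a shared secret, and the
server trusts only the claims it reads after the signature has checked out.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a token. Any alg other than HS256 yields an unsigned token; that
    path exists only so the test fixture can show the verifier refusing it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if every check passes; otherwise None.

    Order matters: the algorithm is pinned before the signature is looked at,
    so a header that claims "none" (or any other alg) never reaches the HMAC
    path, and the payload is not even parsed until the signature is good.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                          # alg is pinned server-side, never trusted from the token
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, presented):
        return None                          # signature is checked before any claim is read
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        return None                          # a missing or past expiry is a failure, not a pass
    return claims
```

The point a practitioner should take from this is the ordering: a verifier that decodes the payload first and checks the signature "later" has already made a trust decision based on attacker-controlled bytes, which is exactly what lets a forged token pass as an authenticated user.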
SOCRadar Resources
Find available PoCs and exploits for CVE-2023-29357 on SOCRadar.
Additional Resources
Juniper Networks recently disclosed a new vulnerability, CVE-2024-21591, for their J-Web configuration interfaces across various Junos OS versions in SRX Series firewalls and EX Series switches.
The flaw allows for unauthenticated network-based denial of service or remote code execution that can lead to root privileges on the device.
Juniper is not aware of this vulnerability being exploited in the wild, but administrators are urged to patch as soon as possible, or restrict J-Web access to only trusted networks.
The vulnerable versions are listed below:
SOCRadar Resources
Read related Tweets and news stories on SOCRadar here.
Additional Resources
GitLab issued a security bulletin highlighting a critical vulnerability in both GitLab Community Edition and Enterprise Edition, CVE-2023-7028.
Vulnerable versions of GitLab lack proper email verification, and it is possible for an attacker to issue a password reset email to a secondary, unverified email address, leading to a full account takeover.
Per GitLab, users with multi-factor authentication enabled on their accounts are still susceptible to password resets, but MFA prevents a full account takeover. Administrators are urged to patch as soon as possible.
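To make the two GitLab points above concrete, the following added example (not GitLab's code; the data model, user records and function names are hypothetical) shows a password-reset handler that routes the reset link to any address attached to an account next to a hardened version that sends it only to verified addresses, plus a minimal login check showing why an enabled second factor still blocks a full takeover after a successful reset.

```python
"""Password-reset email routing: the unverified-address flaw beside its fix.

Added illustration, not GitLab's code. Users, addresses and function names
are constructed for the example.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class EmailAddress:
    address: str
    verified: bool


@dataclass
class User:
    username: str
    emails: list = field(default_factory=list)
    mfa_enabled: bool = False


# Constructed sample users: "victim" has a verified primary address and an
# unverified secondary one that an attacker managed to attach to the account.
USERS = [
    User("victim",
         [EmailAddress("victim@example.com", True),
          EmailAddress("attacker@example.net", False)],
         mfa_enabled=True),
    User("bob", [EmailAddress("bob@example.com", True)]),
]


def find_user_by_email(users, address):
    """Look up the account that has the given address attached, verified or not."""
    for user in users:
        if any(e.address.lower() == address.lower() for e in user.emails):
            return user
    return None


def reset_vulnerable(users, requested_address, outbox):
    """Flawed: every address attached to the account is treated as a valid
    destination, so a reset link can be delivered to an unverified address."""
    user = find_user_by_email(users, requested_address)
    if user is None:
        return False
    outbox.append((requested_address, secrets.token_urlsafe(32)))
    return True


def reset_hardened(users, requested_address, outbox):
    """Fixed: the link goes only to an address the account owner has verified.

    The return value is the same whether or not the address is on file, so the
    endpoint does not double as an account-enumeration oracle.
    """
    user = find_user_by_email(users, requested_address)
    if user is not None:
        for e in user.emails:
            if e.verified and e.address.lower() == requested_address.lower():
                outbox.append((e.address, secrets.token_urlsafe(32)))
    return True


def login(user, password_ok, mfa_ok):
    """Even after a successful reset, an account with MFA enabled still needs
    the second factor, which is why MFA limits the damage to a reset alone."""
    if not password_ok:
        return False
    return mfa_ok if user.mfa_enabled else True
```

The hardened handler only changes which addresses qualify as a destination; the reset itself still works for the legitimate owner. Note that "verified" has to mean verified by the owner completing a confirmation flow, not merely present on the profile, or the check is no stronger than the original.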
The vulnerable versions are listed below:
SOCRadar Resources
View available PoCs and exploits, repositories, and Tweets on SOCRadar here.
Additional Resources
Cisco recently disclosed details of a new vulnerability in the web-based management system for their Unity Connection software, CVE-2024-20272.
Due to a lack of authentication in a specific API, an unauthorized remote attacker can upload a malicious file, execute arbitrary commands, and escalate privileges to root on the system. The vulnerability affects versions 12.5 and earlier as well as version 14. Version 15 is unaffected.
According to Cisco, there is no evidence of PoC exploits or exploitation of this vulnerability in the wild. However, administrators are urged to update as soon as possible.
SOCRadar Resources
View SOCRadar's Vulnerability Intelligence here.
Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.