Cyber Threat Intelligence Briefing - March 11, 2024
The PacketWatch Intelligence Team : Mar 11, 2024 11:51:56 AM
This week, we cover lessons learned from Microsoft's latest statement on the Midnight Blizzard intrusion, the privacy risk in X's new calling feature, and a vulnerability roundup.
KEY TAKEAWAYS
Microsoft & Midnight Blizzard
Last week, Microsoft published a security update stating that the Russian state-sponsored threat actor Midnight Blizzard (a.k.a. Nobelium, APT29) has continued its attacks on Microsoft systems following the initial compromise that began in November 2023.
While this attack was carried out by an "advanced" nation-state actor, key takeaways from the initial intrusion apply to most organizations. In the original disclosure, published on January 19, 2024, Microsoft stated:
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.
"The threat actor used a password spray attack"
By definition, a password spray attack is "a type of brute force attack that involves a malicious actor attempting to use the same password on multiple accounts before moving on to try another one."
Put simply, the threat actor picks a common password such as "password" or "Winter2023!" and tries it once against every account they can enumerate, then moves on to the next password. Spreading the guesses across accounts, typically one or two per account per hour, keeps every account under its lockout threshold, which is why a naive lockout policy does not stop it. The attack succeeds when three conditions hold: at least one targeted account uses a common or otherwise predictable password, that account is not protected by multi-factor authentication (MFA), and the identity provider does not detect or throttle many low-volume failures from one source spread across many accounts.
In Microsoft's case, the compromised test account therefore had a guessable password, and Microsoft confirmed in its follow-up guidance that the account did not have MFA enabled.
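The "wide and shallow" shape described above is also what makes a spray detectable: the same source fails once against many accounts in a short window, where a brute force fails many times against one account. The following added example (not from the briefing or from Microsoft's tooling) classifies sign-in events that way and, for a spray, lists the accounts the same source later signed into successfully, which are the ones to reset first. The event fields (ts, user, src_ip, result) are an assumed, simplified stand-in for an identity provider's sign-in log, and the events are constructed.

```python
"""Tell a password spray from a brute force in sign-in logs.

Added example, not part of the PacketWatch briefing or any Microsoft tooling.
The event shape (ts, user, src_ip, result) is an assumed, simplified stand-in
for an identity provider's sign-in log; the events themselves are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    # Spray: one source, one guess per account, spread across many accounts.
    *[{"ts": f"2023-11-20T02:{i:02d}:00Z", "user": f"user{i:02d}@corp.example",
       "src_ip": "203.0.113.7", "result": "failure"} for i in range(12)],
    # ...until a guess lands on an account with a weak password and no MFA.
    {"ts": "2023-11-20T02:12:00Z", "user": "legacy-test@corp.example",
     "src_ip": "203.0.113.7", "result": "success"},
    # Brute force: one account, many guesses in quick succession.
    *[{"ts": f"2023-11-20T03:00:{i:02d}Z", "user": "admin@corp.example",
       "src_ip": "198.51.100.9", "result": "failure"} for i in range(15)],
    # Benign: a user mistypes twice, then signs in.
    {"ts": "2023-11-20T04:00:00Z", "user": "alice@corp.example",
     "src_ip": "192.0.2.5", "result": "failure"},
    {"ts": "2023-11-20T04:00:20Z", "user": "alice@corp.example",
     "src_ip": "192.0.2.5", "result": "failure"},
    {"ts": "2023-11-20T04:00:40Z", "user": "alice@corp.example",
     "src_ip": "192.0.2.5", "result": "success"},
]


def parse_ts(s):
    """ISO 8601 'YYYY-MM-DDTHH:MM:SSZ' -> timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_sources(events, window=timedelta(hours=1),
                     min_accounts=10, max_per_account=2, brute_threshold=10):
    """Return {src_ip: finding}.

    A spray is wide and shallow: within `window`, failures from one IP hit at
    least `min_accounts` distinct accounts and no account is tried more than
    `max_per_account` times (that is exactly how it stays under per-account
    lockout thresholds). A brute force is narrow and deep: one account fails
    `brute_threshold` or more times. For a spray, the finding also lists the
    accounts the same IP signed into successfully after the spray began: the
    likely compromised accounts.
    """
    fails = defaultdict(list)      # src_ip -> [(ts, user)]
    successes = defaultdict(list)  # src_ip -> [(ts, user)]
    for e in events:
        bucket = fails if e["result"] == "failure" else successes
        bucket[e["src_ip"]].append((parse_ts(e["ts"]), e["user"]))

    findings = {}
    for ip, f in fails.items():
        f.sort()
        start = 0
        max_distinct, spray_start = 0, None
        deepest = (0, None)        # (failure count, user) for the worst-hit account
        for end in range(len(f)):
            # Slide the window start forward until f[start..end] fits in `window`.
            while f[end][0] - f[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in f[start:end + 1])
            if len(per_user) > max_distinct:
                max_distinct, spray_start = len(per_user), f[start][0]
            user, n = per_user.most_common(1)[0]
            if n > deepest[0]:
                deepest = (n, user)
        if max_distinct >= min_accounts and deepest[0] <= max_per_account:
            landed = sorted({u for ts, u in successes.get(ip, []) if ts >= spray_start})
            findings[ip] = {"type": "password_spray", "accounts": max_distinct,
                            "landed": landed}
        elif deepest[0] >= brute_threshold:
            findings[ip] = {"type": "brute_force", "account": deepest[1],
                            "failures": deepest[0]}
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The thresholds are deliberately parameters: a real spray against a large tenant may touch hundreds of accounts at one attempt each, while a lockout policy of five failures per account never fires. Correlating the successes from the spraying source against the spray window is what turns "someone is guessing" into "this account is compromised".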
"Legacy non-production test tenant"
"Legacy" implies that the operating systems, software, and protocols involved are old and outdated.
Legacy systems tend to drop out of the patching cadence and policy enforcement applied to current systems, leaving them with unmitigated vulnerabilities and weaker authentication controls.
In this case, this "non-production test tenant" was exposed to the entire internet without restrictions on who or even what country could access it.
So often, non-production test environments or "dev" environments are hastily put together with little regard for security policies. These environments rarely get the same protections as the rest of the "production" environment. If these poorly configured and poorly defended environments are left open to the internet, threat actors will take advantage as they did here.
Additionally, Microsoft's wording suggests that this test environment was never decommissioned after its original use. Once test/dev environments are no longer needed, they should be removed completely or, at the very least, blocked from the open internet.
"Used the account's permissions to access..."
This legacy test tenant account still had a path into production. Microsoft's follow-up guidance explains that the account had access to a legacy test OAuth application with elevated access to the Microsoft corporate environment; the threat actor used that application to create further OAuth applications and grant them the Office 365 Exchange Online full_access_as_app role, which is how corporate mailboxes were read. Test accounts, especially those deployed in non-secure environments, should never have access to production networks or tenants, and that includes the OAuth applications and service principals they can reach.
While test environments may not hold sensitive data, they often contain artifacts (credentials, tokens, app registrations, trust relationships) that can be leveraged for further intrusion into an organization's network. We must all be vigilant in applying rigid security around all assets, even those "just used for testing."
Additional Resources
- https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
- https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/
- https://arstechnica.com/security/2024/03/microsoft-says-kremlin-backed-hackers-accessed-its-source-and-internal-systems
New X (Twitter) Privacy Risk
Last week, X, formerly known as Twitter, launched a new feature for audio and video calling.
While at face value, this feature appears to have some utility, users should be aware of the privacy risks associated with it.
The feature is enabled by default in the X apps for mobile devices but is not yet available in the browser. Per X's documentation on the service, calls are routed peer-to-peer between users, and IP addresses may be visible to each other.
Because the call is peer-to-peer, the user's IP address is exposed to the other party, and to anyone who can observe that party's traffic. To hide it, the user must enable "Enhanced call privacy" in the X Messages settings, which relays the call through X's infrastructure instead.
It should also be noted that X's documentation does not state that the calls are encrypted, so X itself, or anyone with access to its relay path, could potentially listen in.
Users who are concerned about their privacy but still choose to use the X app on their mobile devices should disable audio and video calling entirely in the app's Messages settings.
Vulnerability Roundup
CVE-2024-22252 - CVE-2024-22255: VMware Sandbox Escape
VMware recently published security updates (VMSA-2024-0006) for critical sandbox escape vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation. Three of the four flaws sit in the virtual USB controllers: CVE-2024-22252 (use-after-free in the XHCI controller), CVE-2024-22253 (use-after-free in the UHCI controller), and CVE-2024-22255 (information disclosure in the UHCI controller); CVE-2024-22254 is an out-of-bounds write in the ESXi VMX process. A sandbox escape lets a threat actor who controls a guest run code as the VMX process on the host. On Workstation and Fusion that means code execution on the machine where the hypervisor is installed; on ESXi the USB issues are contained within the VMX sandbox, while CVE-2024-22254 can escape it.
These vulnerabilities require the threat actor to already hold local administrative privileges inside the virtual machine (CVE-2024-22254 requires privileges within the VMX process itself), so they matter most where untrusted tenants or compromised guests share a host.
There is no evidence of in-the-wild exploitation yet, but given the critical severity, administrators should apply the updates as soon as possible. Where patching must wait, the advisory's workaround is to remove all USB controllers from virtual machines; that covers the three USB issues but not CVE-2024-22254, and it disables USB passthrough and any USB input devices the guest relies on. A full listing of affected versions and their fixes is in the VMware advisory linked below.
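To find which VMs still carry the affected controllers, and to apply the workaround to a configuration, the following added example (not VMware's tooling and not from the briefing) parses the key = "value" lines of a .vmx file, reports the USB controllers that are switched on with the advisory CVEs that live in each, and writes a hardened copy with those controllers disabled. It assumes the three .vmx keys below are the ones VMware uses for the UHCI, EHCI, and XHCI controllers; the sample .vmx is constructed.

```python
"""Find virtual USB controllers that VMSA-2024-0006 concerns in .vmx files.

Added example, not VMware's tooling or code from the briefing. It parses the
key = "value" lines of a VMware .vmx file, reports which virtual USB
controllers are switched on, and produces a hardened copy with them removed
(the advisory's interim workaround). Assumptions: the three .vmx keys below
are the ones VMware uses for its UHCI, EHCI and XHCI controllers; the sample
.vmx is constructed.
"""
import re

# .vmx key -> (controller, CVEs from VMSA-2024-0006 that live in that controller).
# CVE-2024-22254 (ESXi out-of-bounds write) is not in a USB controller, so
# removing controllers does not address it; only the patch does.
USB_CONTROLLER_KEYS = {
    "usb.present": ("UHCI (USB 1.1)", ["CVE-2024-22253", "CVE-2024-22255"]),
    "ehci.present": ("EHCI (USB 2.0)", []),
    "usb_xhci.present": ("XHCI (USB 3.x)", ["CVE-2024-22252"]),
}

# A .vmx line is   key = "value"   ; keys may contain '.', ':' and '_'.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Constructed sample .vmx (not a real VM).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "21"
displayName = "build-agent-01"
usb.present = "TRUE"
ehci.present = "TRUE"
usb_xhci.present = "TRUE"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
ethernet0.present = "TRUE"
"""


def parse_vmx(text):
    """Return {key (lowercased): value} for every key = "value" line."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def usb_exposure(cfg):
    """List (key, controller, cves) for each USB controller that is present."""
    return [(key, name, cves)
            for key, (name, cves) in USB_CONTROLLER_KEYS.items()
            if cfg.get(key, "FALSE").strip().upper() == "TRUE"]


def harden(text):
    """Return the .vmx text with every USB controller switched off. Other
    lines are preserved as-is. Note this also removes USB passthrough and,
    for guests that rely on a USB keyboard/mouse, those input devices."""
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in USB_CONTROLLER_KEYS:
            out.append(f'{m.group(1)} = "FALSE"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, name, cves in usb_exposure(parse_vmx(SAMPLE_VMX)):
        print(f"{key}: {name} present; advisory CVEs: {', '.join(cves) or 'none'}")
    print(harden(SAMPLE_VMX))
```

Run it over every .vmx on a datastore to get an inventory of which guests are exposed and which CVEs apply; the hardened output is only an interim measure, since CVE-2024-22254 is untouched by it and the VM must be powered off before its .vmx is edited.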
Additional Resources
- https://platform.socradar.com/app/threatfeed/cve/CVE-2024-22252/details
- https://www.vmware.com/security/advisories/VMSA-2024-0006.html
- https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-sandbox-escape-flaws-in-esxi-workstation-and-fusion/
CVE-2024-27198: JetBrains Authentication Bypass Under Active Exploitation
A critical authentication bypass vulnerability in JetBrains TeamCity On-Premises servers, CVE-2024-27198 (CVSS 9.8), is currently under active exploitation. It was disclosed alongside a second, lower-severity bypass, CVE-2024-27199, fixed in the same release.
Successful exploitation gives an unauthenticated attacker full control of the TeamCity server with administrative privileges, and with it the build pipelines, credentials, and artifacts that flow through it. Proof-of-concept exploits and a Metasploit module have been published, and attackers have been observed using the flaw to create rogue administrator accounts.
Administrators are urged to update to TeamCity version 2023.11.4 immediately; JetBrains also provides a security patch plugin for servers that cannot be upgraded right away. After patching, review the server for unexpected user accounts and access tokens created since disclosure.
- Details on how to apply the update or the patch plugin are in the JetBrains blog post linked below.
- Full details of the vulnerability and exploit are in the Rapid7 write-up linked below.
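Because the bypass has a distinctive request shape in Rapid7's write-up (a request whose `jsp` query parameter names an internal TeamCity path such as `/app/rest/users` and ends in `;.jsp`), it can be hunted for in the access logs of the reverse proxy in front of the server. The following added example (not JetBrains' or Rapid7's code, and not from the briefing) scans Combined-Log-Format-style lines for that shape, decoding percent-encoding so `%3B.jsp` variants are not missed, and reports the internal path each request tried to reach. The log layout is an assumption, and the sample lines are constructed.

```python
"""Hunt for CVE-2024-27198 exploitation attempts in reverse-proxy access logs.

Added example, not JetBrains' or Rapid7's code and not from the briefing. It
looks for the request shape Rapid7 documented for the bypass: a request whose
`jsp` query parameter names an internal TeamCity path and ends in `;.jsp`.
Assumptions: logs are in a Combined-Log-Format-like layout (as from nginx or
Apache in front of TeamCity); the sample lines are constructed.
"""
import re
from urllib.parse import unquote

# Combined-log-style line: ip ident user [time] "METHOD URI PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)

SUFFIX = ";.jsp"

# Constructed sample log lines (not real traffic). The first three mimic the
# bypass shape; the rest are ordinary traffic.
SAMPLE_LOG = """\
198.51.100.23 - - [04/Mar/2024:10:15:01 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512
198.51.100.23 - - [04/Mar/2024:10:15:03 +0000] "POST /hax?jsp=/app/rest/users/id:1/tokens/RPC2;.jsp HTTP/1.1" 200 128
198.51.100.23 - - [04/Mar/2024:10:15:05 +0000] "GET /anything?jsp=%2Fapp%2Frest%2Fserver%3B.jsp HTTP/1.1" 200 2048
192.0.2.77 - - [04/Mar/2024:10:16:00 +0000] "GET /app/rest/builds HTTP/1.1" 200 4096
192.0.2.77 - - [04/Mar/2024:10:16:10 +0000] "GET /login.html HTTP/1.1" 200 3000
192.0.2.78 - - [04/Mar/2024:10:16:20 +0000] "GET /res/js/app.jsp?x=1 HTTP/1.1" 404 300
"""


def query_params(query):
    """Parse a raw query string into {name: [values]}, decoding each part
    separately so an encoded '&' or ';' inside a value stays in the value.
    (urllib.parse.parse_qs treated ';' as a separator in older Pythons,
    which would hide the ';.jsp' suffix this check depends on.)"""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote(name), []).append(unquote(value))
    return params


def bypass_target(uri):
    """Return the internal path a request tries to reach via the
    CVE-2024-27198 shape, or None if the URI does not fit it."""
    _, _, query = uri.partition("?")
    for value in query_params(query).get("jsp", []):
        if value.lower().endswith(SUFFIX):
            return value[:-len(SUFFIX)]
    return None


def scan_log(text):
    """Return one finding per log line matching the bypass shape."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = bypass_target(m.group("uri"))
        if target is not None:
            findings.append({"ip": m.group("ip"), "time": m.group("time"),
                             "method": m.group("method"), "target": target,
                             "status": int(m.group("status"))})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 on a POST to /app/rest/users means an account was likely created.
        print(f"{f['ip']} {f['method']} -> {f['target']} ({f['status']})")
```

A `jsp` query parameter that names a REST path and ends in `;.jsp` has no legitimate use, so any hit is worth triage; a 200 response on a POST to `/app/rest/users` or to a `/tokens/` path is the signal that an account or access token was actually created and needs to be found and removed on the server.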
Additional Resources
- https://platform.socradar.com/app/threatfeed/cve/CVE-2024-27198/details
- https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out/
- https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
- https://www.bleepingcomputer.com/news/security/critical-teamcity-flaw-now-widely-exploited-to-create-admin-accounts/
- https://www.splunk.com/en_us/blog/security/security-insights-jetbrains-teamcity-cve-2024-27198-and-cve-2024-27199.html
CVE-2024-21899, CVE-2024-21900, CVE-2024-21901: QNAP Vulnerabilities
QNAP recently published a security advisory (QSA-24-09) detailing three new vulnerabilities affecting a multitude of their products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud.
The most severe, CVE-2024-21899, is an improper authentication flaw that allows an unauthenticated network attacker to bypass authentication and compromise the system.
The advisory also includes CVE-2024-21900, a command injection vulnerability, and CVE-2024-21901, an SQL injection vulnerability. These are less severe because they require the threat actor to already be authenticated to the device.
The QNAP advisory linked below provides a full listing of affected systems and their fixed versions. Administrators are urged to patch as soon as possible and, since QNAP NAS devices are a recurring ransomware target, to keep the management interface off the open internet.
Additional Resources
- https://platform.socradar.com/app/threatfeed/cve/CVE-2024-21899/details
- https://www.qnap.com/en/security-advisory/qsa-24-09
- https://www.bleepingcomputer.com/news/security/qnap-warns-of-critical-auth-bypass-flaw-in-its-nas-devices/
Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.
If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.