Cyber Threat Intelligence Briefing - July 31, 2023

Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights new CISA Risk Advisories, a new Nitrogen Malvertising Campaign, and Vulnerability Roundup.

New CISA Risk Advisories

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published two advisories highlighting common techniques and vulnerabilities being leveraged by threat actors.  Here are the key takeaways: 

FY22 Risk and Vulnerability Assessments Results

When threat actors are trying to gain initial access, the 'Valid Accounts' technique was used over 54% of the time.  This can be from threat actors purchasing valid account credentials from initial access brokers, finding compromised accounts in 3rd party data breaches and using credential stuffing (using the same password across different sites) to gain access, or even brute-forcing weak passwords.

• This highlights the importance of having a strong password policy in the organization.  All passwords should be long, random, and unique.  
• Multi-factor authentication (MFA) should be deployed wherever possible to mitigate brute-force attacks.
• Users should be educated on the importance of not re-using passwords across multiple accounts (will mitigate credential stuffing attacks).
• All applications and devices should be reviewed for default accounts.  These accounts should be removed immediately.
• Again, multi-factor authentication (MFA) is the best deterrent against this technique. 'Legitimate Accounts' was the top technique threat actors used for establishing persistence, accounting for over 56% of all cases.  

Additional details from CISA can be found here: 

• https://www.cisa.gov/sites/default/files/2023-07/FY22%20RVA%20Infographic_508c.pdf
  
• https://www.cisa.gov/sites/default/files/2023-07/FY22-RVA-Analysis%20-%20Final_508c.pdf

Preventing Web Application Access Control Abuse

This report focused on a specific type of access control vulnerability known as insecure direct object reference (IDOR).  This vulnerability allows the threat actor to modify or delete data and access sensitive data they should not have rights to.  According to CISA, these vulnerabilities are frequently exploited because "they are common, hard to prevent outside the development process, and can be abused at scale."

What does IDOR Look Like?

A simple example would be where a parameter is exposed in the URL, and simply changing the parameter displays the unauthorized data:

https://example[.]com/data.php?id=12345  -->  https://example[.]com/data.php?id=56789

How To Protect Your Organization

While much of the remediation for this vulnerability is on the development side of the web application, CISA does list recommendations for all end users:

• Ensure diligence when selecting web applications

  • Follow best practices for supply chain risk management, found here and here.

  • If it is provided, review the Software Bill of Materials (SBOM) for outdated, vulnerable, or unauthorized applications before usage of the software.

• Apply software patches for web applications as soon as possible.

• Configure the web application to log and alert on tamper attempts.

• Run vulnerability scans against web applications.

• Run web application penetration tests, especially against internet facing web applications.

• Use a web application firewall (WAF).

• Depending on the sensitivity of the data, consider using a data loss prevention (DLP) tool to prevent unauthorized data from leaving the application.

• Create and maintain an incident response plan.

Additional details from CISA and Varonis can be found here: 

• https://www.cisa.gov/sites/default/files/2023-07/aa23-208a_joint_csa_preventing_web_application_access_control_abuse.pdf
  
• https://www.varonis.com/blog/what-is-idor-insecure-direct-object-reference

Nitrogen Malvertising Campaign

Security firm Sophos recently published research on a new malicious advertising (malvertising) campaign known as 'Nitrogen.'

With this campaign, threat actors abuse Google and Bing search ads to trick IT users into downloading fake tools masquerading as AnyDesk, Cisco AnyConnect VPN, and WinSCP. 

These malicious downloads include legitimate versions of the tool to avoid suspicion from the user but include an additional malicious Python package which is used to connect back to the attacker's command and control (C2), open a Meterpreter shell, and eventually deploy Cobalt Strike for persistent access to the host. In some cases, this infection chain has led to the deployment of BlackCat (ALPHV) ransomware.

How to Protect Your Organization

These types of campaigns highlight the importance of application control within an organization.  All new software installs throughout the enterprise should be downloaded from a central repository of pre-approved applications.

If this is not possible, ensuring all endpoints have an up-to-date EDR solution deployed will help mitigate accidental attempts at installing these malicious packages.

Many EDR solutions also allow for application whitelisting.  These policies can be configured to only allow pre-approved applications to be installed on the host.

Additional details from Sophos and The Hacker News can be found here: 

• https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/
  
• https://thehackernews.com/2023/07/new-malvertising-campaign-distributing.html

Vulnerability Roundup

Over the last two weeks, multiple high-profile vulnerabilities were disclosed for multiple software and hardware vendors.  If your organization uses any of these technologies, it is recommended to patch them as soon as possible.

Citrix ADC and Gateway RCE (CVE-2023-3519)

• A critical vulnerability (CVE-2023-3519) in Citrix NetScaler ADC and Netscaler Gateway was disclosed.  For the device to be vulnerable, it must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an authentication virtual server.  It is believed that the exploit for this vulnerability was initially sold on as a 0-day.  Organizations are urged to patch immediately.  

• A full list of vulnerable versions and patching information can be found in the Citrix advisory here.

• CISA published an advisory containing technical details of the vulnerability, as well as detection methods to hunt for webshells on potentially compromised devices.  The advisory can be found here.

Ivanti Endpoint Manager Mobile 0-day (CVE-2023-35078/CVE-2023-35081)

• A zero-day vulnerability tracked as CVE-2023-35078 was disclosed by the Norwegian National Security Authority for the Ivanti Endpoint Manager Mobile (EPMM).  This vulnerability is an authentication bypass vulnerability that allows the threat actor to access certain API paths without authentication, allowing them to access PII data as well as make configuration changes.  A patch has since been made available, and it is recommended to upgrade to the latest version to mitigate exploitation.
• An additional vulnerability was discovered that can be used in conjunction with the previous vulnerability.  This new vulnerability, tracked as CVE-2023-35081, allows an authenticated administrator to write arbitrary files to the EPMM server, effectively allowing the threat actor to run OS commands on the server.

GameOver(lay) Ubuntu Privilege Escalation (CVE-2023-2640 / CVD-2023-32629)

• Two easy-to-exploit privilege escalation vulnerabilities were discovered in Ubuntu systems utilizing the OverlayFS file system, which is common in cloud computing instances of the popular Linux distribution.  These vulnerabilities are tracked as CVE-2023-2640 and CVD-2023-32629.  Both vulnerabilities can be patched by updating the Linux kernel to the latest version.  A detailed chart showing which specific versions of Ubuntu are vulnerable can be found here.

Critical Vulnerability in Metabase B.I. Software (CVE-2023-38646)

• Metabase, a business intelligence and data visualization software, published an advisory urging customers to patch it immediately.  The advisory disclosed a severe unauthenticated, remote code execution vulnerability, tracked as CVE-2023-38646, allowing for the attacker to run commands with the same privileges as the Metabase server.  So far, there is no evidence that this vulnerability has been exploited in the wild.

AmD Zen-2 ‘ZenBleed’ bug (CVE-2023-20593)

• Travis Ormandy from Google's Project Zero security team recently disclosed a new vulnerability in AMD's Zen 2 CPUs known as 'Zenbleed' (CVE-2023-20593).  Successful exploitation of this vulnerability could allow threat actors to read encryption keys and passwords along with other sensitive data. So far, there is no evidence of this vulnerability being exploited in the wild.
• A firmware update for servers running EPYC 7002 chips can be found here.
• Firmware updates for desktop and laptop CPUs will be released later in 2023.  A table showing the patch timelines for the various CPUs can be found here.

Atlassian Confluence / Bamboo RCE (CVE-2023-22505 and CVE-2023-22508 / CVE-2023-22506)

• Three remote code execution (RCE) vulnerabilities were disclosed by Atlassian.  To exploit these vulnerabilities, the threat actor needs to be authenticated with a valid account; however, no user interaction is required for the exploit.
• CVE-2023-22505 and CVE-2023-22508 both affect Confluence.  The patch for these vulnerabilities are in versions 8.3.2 and 8.4.0.
• CVE-2023-22506 affects Bamboo Data Center and was patched in versions 9.2.3 and 9.3.1.

Resources

• https://nsm.no/aktuelt/nulldagssarbarhet-i-ivanti-endpoint-manager-mobileiron-core
  
• https://www.bleepingcomputer.com/news/security/norway-says-ivanti-zero-day-was-used-to-hack-govt-it-systems/
  
• https://thehackernews.com/2023/07/ivanti-warns-of-another-endpoint.html
  
• https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US
  
• https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability
  
• https://thehackernews.com/2023/07/gameoverlay-two-severe-linux.html
  
• https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
  
• https://www.metabase.com/blog/security-advisory
  
• https://thehackernews.com/2023/07/major-security-flaw-discovered-in.html
  
• https://lock.cmpxchg8b.com/zenbleed.html
  
• https://blog.cloudflare.com/zenbleed-vulnerability/
  
• https://www.bleepingcomputer.com/news/security/zenbleed-attack-leaks-sensitive-data-from-amd-zen2-processors/
  
• https://www.darkreading.com/cloud/atlassian-rce-bugs-plague-confluence-bamboo
  
• https://jira.atlassian.com/browse/CONFSERVER-88265
  
• https://jira.atlassian.com/browse/CONFSERVER-88221
  
• https://jira.atlassian.com/browse/BAM-22400

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.