Major cybersecurity events in the last week make clear that hackers just keep getting savvier — and security teams need to be vigilant to keep up.
Ransomware groups continue to exploit unpatched vulnerabilities. Remote code execution (RCE) vulnerabilities, such as the two now being exploited by a pair of botnets, highlight the hazards of unpatched devices and the need for patch management. And a rather ingenious abuse of the Windows Container Isolation Framework shows how endpoint security products can be blinded to file operations. Citrix, Juniper, VMware and Cisco are just a few of the IT vendors whose products made news for security vulnerabilities in the last week.
Collectively, these episodes highlight the need for comprehensive cybersecurity defenses and timely patch management for risk mitigation.
August 28, 2023
Ransomware Group Exploits Citrix NetScaler Vulnerability
In July, Citrix released a patch for CVE-2023-3519, a critical unauthenticated remote code execution vulnerability in its NetScaler ADC and NetScaler Gateway products with a CVSS score of 9.8 out of 10.
Now ransomware attackers, possibly affiliated with FIN8, are exploiting unpatched Citrix appliances. The flaw is exploitable on appliances configured as a gateway (VPN virtual server, ICA proxy or RDP proxy) or as an AAA virtual server, and a successful exploit gives the attacker code execution on a device that sits at the network edge with privileged access to the internal network. The observed intrusions used obfuscated PowerShell scripts, malware payloads injected into legitimate processes, and PHP web shells for persistent remote control. Despite the availability of the patch, more than 1,900 NetScaler devices were found to be backdoored, including many that had already been patched after the web shell was planted.
Organizations should deploy Citrix’s patch immediately, but patching alone does not remove an existing web shell: hunt for indicators of compromise (IoCs) and monitor NetScaler devices closely for signs of intrusion. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published guidance for detecting exploit activity linked to this vulnerability.
August 29, 2023
Juniper Vulnerabilities Expose Network Devices to Remote Attacks
Juniper EX switches and SRX firewalls are affected by four vulnerabilities, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846 and CVE-2023-36847, that are only medium severity on their own but can be chained into an unauthenticated remote code execution attack that Juniper rates as critical (CVSS 9.8).
The chain lets unauthenticated attackers execute code on vulnerable devices through the J-Web configuration interface when that interface is exposed to the Internet. The threat escalated when watchTowr Labs published a proof-of-concept (PoC) exploit, and the Shadowserver Foundation subsequently observed exploitation attempts. Despite swift patches from Juniper, more than 8,200 devices with Internet-exposed J-Web interfaces remain, a large share of them in South Korea.
Admins should apply Juniper’s security updates or upgrade Junos OS to a fixed release and, as defense in depth, disable J-Web or restrict it to a trusted management network so the interface is not reachable from the Internet at all.
August 30, 2023
Kinsing Botnet Targets Openfire Admin Console Vulnerability
CVE-2023-32315, a high-severity path traversal bug in Openfire’s admin console, is being exploited for remote code execution, with the Kinsing cryptomining botnet among the actors abusing it. The traversal lets an unauthenticated attacker reach pages of the Openfire setup environment that should be inaccessible once installation is complete. Attackers have used it to create new admin accounts and then upload malicious plugin JAR files containing web shells, giving them full control of the server.
Organizations are advised to patch promptly (Openfire 4.6.8 and 4.7.5 fixed the issue), to review the admin user list for accounts they did not create, and to keep the admin console off the public Internet.
DreamBus Botnet Exploits Critical RocketMQ Vulnerability
The DreamBus botnet is aggressively targeting CVE-2023-33246, a critical remote code execution vulnerability in Apache RocketMQ. RocketMQ 5.0.0 through 5.1.0 (fixed in 5.1.1) and 4.x releases before 4.9.6 are affected. The flaw is particularly severe because an unauthenticated attacker can use the broker’s update-configuration function to run commands with the privileges of the system user that the RocketMQ process runs as.
Juniper Threat Labs has observed attacks exploiting CVE-2023-33246 since June 19, 2023. The exploit drops a bash script named “reketed”, which downloads the DreamBus payload from a Tor hidden service, making the infrastructure hard to track and take down.
To protect RocketMQ servers against CVE-2023-33246 exploitation:
- Update RocketMQ to a fixed release (5.1.1, or 4.9.6 for the 4.x line) as soon as possible.
- Run the broker as a dedicated low-privilege account, require authentication, and segment the network so that broker and NameServer ports are reachable only from trusted clients.
- Consider an intrusion detection and prevention system (IDPS) to identify and block malicious traffic before it reaches the RocketMQ server.
August 31, 2023
VMware Updates Address Multiple Critical Vulnerabilities
VMware Aria Operations for Networks, formerly known as vRealize Network Insight, has a critical SSH authentication bypass flaw, CVE-2023-34039, with a CVSS score of 9.8. According to VMware’s advisory, the flaw stems from a lack of unique cryptographic key generation, so a remote attacker who holds the non-unique key can bypass SSH authentication and reach the appliance’s command line, from which they could alter configuration, install malware and move laterally within the network. VMware has issued an advisory and recommends upgrading to version 6.11 or applying the KB94152 patch to earlier 6.x releases.
The same update also addresses CVE-2023-20890, a high-severity arbitrary file write flaw in Aria Operations for Networks that lets an attacker who already has administrative access achieve remote code execution. Because the product is typically deployed in large enterprises and has visibility into their network traffic, any critical flaw in it carries significant weight.
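One check a practitioner can run today, as an added example that is not VMware’s code or tooling: given VMware’s statement that the bypass arose because the appliance shipped without uniquely generated SSH keys, collect the SSH public keys from each appliance (authorized_keys entries or host keys) and look for any key that is trusted on more than one host. The script below computes OpenSSH-style SHA256 fingerprints and reports keys shared across hosts. It is general enough to audit any fleet where keys were supposed to be unique per installation. The hostnames and key material are constructed placeholders, not real keys.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(pubkey_line):
    """Return the OpenSSH-style SHA256 fingerprint ("SHA256:<base64 without padding>")
    of one public key line in the "<type> <base64 blob> [comment]" format used by
    authorized_keys and host key files."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError(f"not a public key line: {pubkey_line!r}")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(keys_by_host):
    """Given {hostname: [public key lines]}, return {fingerprint: [hosts]} for every
    key that appears on more than one host. A key trusted by several appliances that
    nobody deliberately distributed most likely came with the appliance image."""
    hosts_by_fp = defaultdict(set)
    for host, lines in keys_by_host.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            hosts_by_fp[fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def _fake_key(label):
    """Constructed placeholder key line (not a real key): the base64 blob is just the
    label's bytes, which is enough to exercise fingerprinting and comparison."""
    return "ssh-ed25519 " + base64.b64encode(label.encode()).decode() + " " + label


# Constructed sample: three appliances; "image-baked-key" is trusted on all of them.
SAMPLE_KEYS = {
    "aria-01": [_fake_key("image-baked-key"), _fake_key("admin-laptop-01")],
    "aria-02": ["# comment lines are ignored", _fake_key("image-baked-key")],
    "aria-03": [_fake_key("image-baked-key"), _fake_key("admin-laptop-03")],
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_KEYS).items():
        print(f"{fp} is trusted on {len(hosts)} hosts: {', '.join(hosts)}")
```

Feed it real key lines pulled from each appliance over an out-of-band channel; any fingerprint reported for multiple hosts should be removed and replaced with keys generated on that host, and the same comparison against a freshly deployed appliance of the same version tells you whether the key shipped in the image.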
Cisco VPN Attacks: Credential Stuffing, Brute Force, Ransomware
Rapid7 researchers report that attackers have been targeting Cisco ASA SSL VPNs with credential stuffing and brute-force attacks. Some researchers suspect that the Akira ransomware group may also be using an undisclosed weakness in Cisco’s VPN software to bypass authentication, although this has not been confirmed. Insufficient logging on the compromised ASA devices has made investigation harder. Whether or not such a flaw exists, the intrusions Rapid7 investigated were against VPNs that lacked multi-factor authentication (MFA), where a valid password alone is enough to get in.
Once inside the VPN, the attackers have remote access to the victim network. They typically install remote access tools such as AnyDesk for persistence, then dump domain credentials from the NTDS.DIT Active Directory database and use them to compromise other systems. In several cases, these intrusions ended in ransomware deployment.
Admins and security teams must act quickly to protect their VPN networks from these persistent and evolving threats:
- Disable or rename default accounts and change default passwords on VPN systems to blunt brute-force attacks.
- Enable MFA for all VPN users; credential stuffing and password guessing only succeed where a password alone grants access.
- Verify that logging is enabled on your VPN systems and that logs are forwarded off the device. Logs provide crucial evidence of intrusion attempts and support forensic investigation, and logs that live only on a compromised appliance may not survive.
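Enabling logging only pays off if someone looks at the result. As an added example that is not Rapid7’s or Cisco’s code, the Python below runs over ASA syslog text and flags the three patterns described above: one source failing against many usernames (credential stuffing or password spraying), one source hammering a single account (brute force), and a successful VPN session from a source that had just been failing. The sample lines are constructed, and the 113005 (AAA rejected) and 722022 (SVC session established) message formats are approximations that may differ by ASA release, so adjust the regexes to your own devices’ output.

```python
import re
from collections import defaultdict

# Approximate ASA message formats (constructed; verify against your own syslog).
REJECT_RE = re.compile(
    r"%ASA-\d-113005: .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SUCCESS_RE = re.compile(
    r"%ASA-\d-722022: Group <[^>]*> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>")


def analyze_asa_vpn_auth(log_text, spray_users=5, brute_attempts=5, success_after=3):
    """Scan ASA syslog text in order and return three kinds of findings:
    - spray: source IPs that failed for >= spray_users distinct usernames
    - brute: (ip, user) pairs with >= brute_attempts failures
    - success_after_failures: sessions established from a source that had
      >= success_after failures earlier in the log (a possibly guessed password)
    """
    failures_by_ip_user = defaultdict(int)
    failures_by_ip = defaultdict(int)
    users_by_ip = defaultdict(set)
    success_after_failures = []

    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            ip, user = m["ip"], m["user"]
            failures_by_ip_user[(ip, user)] += 1
            failures_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            continue
        m = SUCCESS_RE.search(line)
        if m:
            ip, user = m["ip"], m["user"]
            prior = failures_by_ip[ip]  # failures seen before this success
            if prior >= success_after:
                success_after_failures.append((ip, user, prior))

    spray = {ip: sorted(users) for ip, users in users_by_ip.items()
             if len(users) >= spray_users}
    brute = {key: n for key, n in failures_by_ip_user.items()
             if n >= brute_attempts}
    return {"spray": spray, "brute": brute,
            "success_after_failures": success_after_failures}


# Constructed sample log (not a real capture), built from the two templates above.
_REJECT = ("%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password"
           " : server = 10.0.0.5 : user = {user} : user IP = {ip}")
_SUCCESS = ("%ASA-6-722022: Group <RemoteAccess> User <{user}> IP <{ip}>"
            " TCP SVC connection established without compression")

SAMPLE_LOG = "\n".join(
    [_REJECT.format(user=u, ip="203.0.113.10")
     for u in ("alice", "bob", "carol", "dave", "erin")]          # spraying five accounts
    + [_SUCCESS.format(user="erin", ip="203.0.113.10")]           # then one of them works
    + [_REJECT.format(user="admin", ip="198.51.100.7")] * 6        # brute force on one account
    + [_REJECT.format(user="frank", ip="192.0.2.44"),
       _SUCCESS.format(user="frank", ip="192.0.2.44")]             # a typo, then a normal login
)

if __name__ == "__main__":
    for kind, hits in analyze_asa_vpn_auth(SAMPLE_LOG).items():
        print(kind, hits)
```

The thresholds are deliberately low for the constructed sample; in production tune them to your user population and run the analysis over a sliding time window, since a real campaign spreads attempts across hours and source addresses.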
September 1, 2023
Endpoint Security Bypassed Using Windows Container Isolation
Deep Instinct researchers have demonstrated a novel endpoint security bypass, publishing a blog post based on their recent DEF CON presentation, that uses the Windows Container Isolation Framework to perform file operations without detection.
Windows containers isolate a container’s file system from the host using dynamically created images. To keep those images small, files that would duplicate host system files are replaced with “ghost files” that are redirected to the host’s system volume when accessed. The researchers abused this redirection to hide file system operations from security products, which end up inspecting a different target than the one actually being written.
The key component is wcifs.sys, the Windows Container Isolation Framework’s minifilter driver, which implements the file system isolation between containers and their host. Because it redirects I/O requests (create, read, write and delete) and runs at a lower altitude than antivirus minifilters, operations it reroutes can complete without the security software above it seeing where they really land. The technique requires administrator privileges, however, and cannot override files on the host system volume.
Organizations should use a multi-layered approach to limit the impact of this Windows Container Isolation Framework technique. This includes the following:
- Keeping systems patched and up to date to address known vulnerabilities.
- Enforcing least privilege, which matters here because the technique requires administrator rights on the endpoint.
- Maintaining endpoint security controls, including antivirus and intrusion detection, which remain critical for detecting and blocking the rest of the attack chain even if a single file write is hidden.
September 4, 2023
MinIO Under Attack by Malicious Updates
The Security Joes Incident Response team reported exploitation of two MinIO vulnerabilities disclosed in March 2023, CVE-2023-28432 (an information disclosure flaw that leaks sensitive environment variables, including the administrative credentials) and CVE-2023-28434 (a privilege escalation flaw), against the high-performance distributed object storage system. In the attack chain Security Joes investigated, the attackers used MinIO’s own update mechanism to replace the legitimate MinIO binary with a backdoored version, compromising the deployment.
Security Joes advises updating to a patched release with the “mc admin update” command documented by MinIO, which updates every server in the deployment in one step. Because that same command accepts an arbitrary binary URL, make sure updates are pulled only from MinIO’s official release source, rotate credentials that may have leaked through CVE-2023-28432, and verify the running binary afterwards.