SANS NewsBites

Recent Atlassian Confluence and VMware Vulnerabilities being Exploited; Updated Ivanti Guidance; Microsoft Breach

January 23, 2024  |  Volume XXVI - Issue #06

Top of the News


2024-01-22

Critical Atlassian Vulnerability is Being Actively Exploited

Threat actors are actively exploiting a vulnerability in Atlassian Confluence Data Center and Server that the company disclosed on January 16. The flaw (CVE-2023-22527) is a critical template injection vulnerability affecting out-of-date versions of Atlassian Confluence Data Center and Server. The Shadowserver Foundation has observed nearly 40,000 attempts to exploit the vulnerability.

Editor's Note

We have been seeing these attacks starting this weekend and quickly escalating since then. Luckily, I do not believe too many Confluence instances are still on-premise and active. Most customers have moved to Atlassian's cloud-based solution.

Johannes Ullrich

Attackers, seeing yet another Atlassian vulnerability, are actively hunting for vulnerable Internet-exposed servers. There are no workarounds on this one; you have to apply the update. Don't stop with the fixed version; go to the latest versions: Confluence Data Center and Server 8.5.5 (LTS) or Confluence Data Center 8.7.2 (Data Center Only). CVE-2023-22527 should be considered critical/CVSS Score 10.0; don't wait for the addition to the KEV catalog.

Lee Neely

2024-01-19

Known VMware Vulnerability is Under Active Exploitation

Researchers at Mandiant and VMware Product Security have observed state-sponsored threat actors exploiting a known vulnerability in VMware vCenter Server. The out-of-bounds write issue was disclosed and patched in October 2023. VMware determined that the vulnerability was severe enough to merit releasing fixes for products that had reached end-of-life.

Editor's Note

CVE-2023-34048, an out-of-bounds write vulnerability with a CVSS score of 9.8, has been exploited as far back as 2021. The detected threat actors target vulnerabilities on systems/services that don't typically have EDR. Aside from updating vCenter Server immediately, make sure that you're isolating access to only come from trusted systems and don't enable direct access from the Internet. You may want to do a check to make sure you don't have any vCenter Servers exposed. Services like Shodan, which are already scanning, make it easy to check.

Lee Neely

We now know the vulnerability has been lurking around since 2021. VMware did the responsible thing by including patches for affected end-of-life products. That said, organizations should go ahead and update to the latest version of vCenter.

Curtis Dukes

2024-01-19

CISA Emergency Directive to FCEB Agencies: Mitigate Ivanti Vulnerabilities Now

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive to Federal Civilian Executive Branch (FCEB) agencies to mitigate a pair of vulnerabilities affecting Ivanti Connect Secure and Policy Secure. The vulnerabilities can be “exploited in tandem … [to] allow a malicious threat actor to execute arbitrary commands on a vulnerable product.” Ivanti has published a temporary mitigation to protect systems until patches are available. The document directs FCEB agencies to implement the mitigation by midnight EST on Monday, January 22. In a separate story, CISA has added a third Ivanti vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Editor's Note

Patches should be available this week for the more recent versions of Ivanti Connect "Secure" VPN. Be careful if you rely on the mitigation provided by Ivanti. It works but is overwritten/disabled once you push a new configuration.

Johannes Ullrich

CISA is asking agencies to report compromised services, requiring them to be removed from agency networks, initiating incident forensics, and providing guidance for restoration of those services: reset the device, import the mitigation, then follow Ivanti's guidance for all compromised products. Leverage that process if you have a compromised device, regardless of whether you are in the public or private sector.

Lee Neely

Consider terminating encryption on the application, not on the perimeter, not on an operating system. Once set up, it is more convenient. Limits risk to one application rather than the enterprise. Hardware is cheap.

William Hugh Murray

2024-01-22

Microsoft Officials’ eMail Breached by State-Sponsored Threat Actors

In a January 19 blog post, Microsoft disclosed that some of their corporate email accounts were compromised by a state-sponsored threat actor. Starting late last year, “the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts.” Microsoft became aware of the attack on January 12.

Editor's Note

Last November Brad Smith, President of Microsoft, announced Microsoft’s Secure Future Initiative. A “Secure Future” can *not* include paths to corporate office email that relies only on reusable passwords for security. In the SFI announcement, Smith promised that “…over the next year we will enable customers with more secure default settings for multifactor authentication (MFA) out-of-the-box.” Replacing passwords with strong authentication has been done by many (though in this case, apparently not Microsoft) but needs the major IT platforms to make it easier to do and harder NOT to do.

John Pescatore

This is similar to the attack on INL's Oracle HCM system. The lesson here is to make sure that you've got equivalent security on your non-production cloud services/tenants so information/access to them cannot be used to access your production services. Consider raising the bar higher by severely restricting access to those systems to only systems and users who are actively needed to perform that testing. Protect those environments as if they have production data, regardless of efforts to use de-identified/dummy or otherwise fake data; at some point developers will need to perform tests with live data.

Lee Neely

We should remember that Microsoft are the victim of a crime here but it is disappointing that Microsoft fell victim to a password spray attack and the affected account did not have MFA enabled. This seems like a case of "Do as I say, not as I do."

Brian Honan

What’s troubling about this report is that Microsoft appears to have failed in its most basic security practices. First, connecting non-production tenants to live services. Second, not addressing legacy accounts. It certainly looks like their new initiative, “Secure our Future,” is timely.

Curtis Dukes

One more instance of an enterprise that offers strong authentication to its customers and users but fails to use it internally. Do not be one of those.

William Hugh Murray
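The Microsoft item above turns on a password spray, which stays under per-account lockout thresholds by trying a few passwords against many accounts from one source. The following detection logic is an added example (not the newsletter's or Microsoft's code); the sign-in log lines, tenant names and IP addresses are constructed, and the 10-minute window and five-account threshold are assumed tuning values.

```python
"""Password-spray detection over sign-in events (added example, not from the
newsletter). The signal is not the failure count per account, which a spray
keeps low, but the number of DISTINCT accounts failing from one source in a
short window, followed by a success from that same source (the foothold)."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in log lines: "timestamp,source_ip,user,result"
SAMPLE_LOG = """\
2024-01-11T02:00:01Z,203.0.113.7,alice@test.example,FAIL
2024-01-11T02:00:03Z,203.0.113.7,bob@test.example,FAIL
2024-01-11T02:00:05Z,203.0.113.7,carol@test.example,FAIL
2024-01-11T02:00:08Z,203.0.113.7,dave@test.example,FAIL
2024-01-11T02:00:11Z,203.0.113.7,erin@test.example,FAIL
2024-01-11T02:00:14Z,203.0.113.7,legacy-svc@test.example,SUCCESS
2024-01-11T02:00:20Z,198.51.100.9,frank@test.example,FAIL
2024-01-11T02:00:21Z,198.51.100.9,frank@test.example,FAIL
2024-01-11T02:00:22Z,198.51.100.9,frank@test.example,FAIL
2024-01-11T09:30:00Z,192.0.2.44,alice@test.example,SUCCESS
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {"accounts": n, "success_after_spray": [users]}} for
    sources that failed against >= min_accounts distinct users within `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "FAIL"]
        # sliding window over failures: most distinct users seen in any window
        best = start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            best = max(best, len({e[2] for e in fails[start:end + 1]}))
        if best >= min_accounts:
            first_fail = fails[0][0]
            hits = sorted({e[2] for e in evs if e[3] == "SUCCESS" and e[0] > first_fail})
            findings[ip] = {"accounts": best, "success_after_spray": hits}
    return findings
```

The repeated failures for a single user from 198.51.100.9 are deliberately not flagged: that is a brute-force pattern that per-account lockout already handles, whereas the spray source is only visible when failures are grouped by origin.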

The Rest of the Week's News


2024-01-19

Three UK Councils in Kent Say IT Systems Disrupted by Cyberattack

Three councils in the county of Kent, UK, have reported their IT systems were affected by a cyberattack that prompted them to take down online services. All three municipalities – Canterbury, Dover, and Thanet – outsource their HR and IT operations to Civica through the East Kent Services (EKS). A Civica spokesperson told TechCrunch that the incident is not related to any of their systems.

Editor's Note

This is a tough one as the common denominator between the three councils is the use of Civica services for their IT and HR services through an East Kent Services partnership, whose website is currently down, and who claim the incident is not related to their systems. Consider how you'd resolve a similar situation. Do you have services identified to investigate outsourced services to run these sorts of claims to ground while still having sufficient resources to put your house back in order?

Lee Neely

Managed Service Providers (MSPs) are being targeted as part of supply chain attacks. As such, MSPs have increased their awareness of cybersecurity as part of IT services offerings. While Civica claims it's unrelated, it ultimately comes down to the SLA established for outsourced services.

Curtis Dukes

2024-01-22

Data Center Ransomware Attack Causing IT Outages in Sweden

A ransomware attack affecting a Tietoevry cloud hosting services data center in Sweden has caused IT outages across the country. The attack occurred overnight between January 19-20. Outages have affected government agencies, colleges and universities, as well as Tietoevry’s own Primula managed HR and payroll system.

Editor's Note

While Tietoevry immediately isolated the affected system and has prevented the spread of the Akira ransomware to other parts of their infrastructure, this still leaves many customers impacted until services are restored. Tietoevry is communicating to affected customers, and leveraging a well-defined recovery process. Even so, some customers, such as the Grannagården grocery stores, were forced to close their doors, at least temporarily. This begs the question of having an operational plan for when critical outsourced services are offline, including how long you can continue with business as usual versus shutting the doors and hunkering down.

Lee Neely

Both of the stories relating to the three UK councils in Kent and this attack in Finland show how dependent many organisations are now on third-party providers. While this dependency may provide many business benefits it also introduces significant business risk. The days of managing security risk using supplier questionnaires are over and we need to look at more proactive ways to manage our reliance on third parties, how to better respond to incidents that impact them, and how to ensure our business can continue in the event a third-party provider is the victim of an attack.

Brian Honan

2024-01-22

Researcher Fined for Disclosing e-Commerce Database Vulnerability

A German court has fined a security researcher €3,000 (US$3,300) for gaining unauthorized access to a computer system and snooping on data after he discovered and reported a vulnerability in an e-commerce database. According to a news story by German media company Heise, the researcher “was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made a MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.”

Editor's Note

Modern Solution claims the researcher worked for a competitor and was not doing independent research. Initially, the German courts upheld the researcher's claims, but ultimately agreed with the company. Two lessons here. First, read the fine print when doing vulnerability disclosure to make sure you're not going to have issues when you report. Second, don't store connection credentials in plain text. The 1990s are calling and want their code back. There are many frameworks for managing connections securely; there is no need to write your own.

Lee Neely

In this case, two wrongs don’t make a right. First, it’s never a good security practice to store secrets (a password in this case) in program files. Second, the researcher claimed to have insider information in the legal complaint. The IT services company should do the right thing, own the vulnerability, and praise the researcher for responsibly reporting it.

Curtis Dukes
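Both editors' lesson above is that a database password must never ship inside a program file. The check below is an added example (not the newsletter's code and not Modern Solution's): a release-gate scan of a build artifact for the exact failure in the story, a printable connection string carrying a password. The artifact bytes, host names and credentials are constructed; the eight-character run length and the credential patterns are assumptions.

```python
"""Release-gate check for plaintext database credentials inside a build
artifact (added example). It looks at the same thing a text editor or
`strings` would show: printable runs that carry a DB password."""
import re

# Printable ASCII runs of 8+ chars, roughly what `strings` would print
_PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")
# Key=value connection strings and URL-style DSNs; group 2 is the secret
_PATTERNS = [
    re.compile(rb"(?i)\b(pwd|password|passwd)\s*=\s*([^;\s\"']+)"),
    re.compile(rb"(?i)\b(mysql|mariadb|postgres(?:ql)?|mssql)://[^:/\s]+:([^@\s]+)@"),
]

def find_plaintext_db_credentials(blob: bytes):
    """Return [(offset, matched_string)] for each printable run in `blob` that
    looks like a database credential; an empty list means the gate passes."""
    findings = []
    for run in _PRINTABLE.finditer(blob):
        text = run.group(0)
        if any(p.search(text) for p in _PATTERNS):
            findings.append((run.start(), text.decode("ascii")))
    return findings

def redact(finding_text: str) -> str:
    """Mask the secret so the CI log reporting the finding does not leak it."""
    for p in _PATTERNS:
        m = p.search(finding_text.encode("ascii"))
        if m:
            secret = m.group(2).decode("ascii")
            return finding_text.replace(secret, "*" * len(secret))
    return finding_text

# Constructed stand-in for a compiled program file: code-like bytes around an
# embedded connection string (no real product, host or credential involved).
SAMPLE_ARTIFACT = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) * 2
    + b"Server=db.vendor.example;Port=3306;Uid=shopsync;Pwd=Winter2023!;"
    + b"\x00\x00\x90\x90"
    + b"Copyright 2019 Example Vendor GmbH\x00"
    + b"mysql://reporter:Tr0ub4dor@replica.vendor.example/sales\x00"
)

if __name__ == "__main__":
    for offset, text in find_plaintext_db_credentials(SAMPLE_ARTIFACT):
        print(f"plaintext DB credential at offset {offset}: {redact(text)}")
```

Wire the function into the build so a non-empty result fails the release; the fix is to move the password to a secrets manager or environment injected at deploy time, not to obfuscate the string.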

2024-01-22

Apple Updates

Apple has released updates for iOS, iPadOS, macOS, Safari, watchOS, and tvOS. The updates for iOS, iPadOS, and macOS include fixes for at least 16 security issues, including several WebKit vulnerabilities that are being actively exploited. Apple has also published an advisory regarding WebKit vulnerabilities that may have been exploited in older versions of iOS.

Editor's Note

In addition to patching a number of vulnerabilities, Apple introduced a new "stolen device protection" feature with this update. The feature is not enabled by default. If enabled, additional authentication will be required when using security-relevant features while the device is not in one of the usual locations. This prevents thieves from taking over devices after observing the victim entering the PIN/password. Recently, many victims reported having their devices stolen in public places like bars after the thief observed them entering the passcode.

Johannes Ullrich

I get these messages and envision gathering all the devices from around the house, hitting update and grabbing a cup of coffee; then I remember the enterprise. You're going to want to push these updates as soon as your MDM has the updated content. iOS/iPadOS 17.3 addresses 16 CVEs, iOS/iPadOS 16.7.5 addresses 12, and iOS/iPadOS 15.8.1 addresses only 2 CVEs. If you're not already, subscribe to Apple's Security-announce mailing list to get all the details in your inbox.

Lee Neely

Apple users should enable automatic updates.

William Hugh Murray

2024-01-23

SEC’s Twitter/X Account was Hijacked With a SIM Swap

In a January 22 statement to the media, the US Securities and Exchange Commission (SEC) confirmed that its Twitter/X account was taken over earlier this month through a SIM-swapping attack. The statement discloses that the account had previously been protected with multi-factor authentication, but that it was disabled in July 2023 because staffers were having trouble accessing the account.

Editor's Note

MFA disabled “…because staffers were having trouble accessing the account” indicates an enormous failure in Risk Assessment and Risk Management at the SEC. Any meaningful analysis would have prioritized fixing the implementation problems that were causing the trouble. See the Microsoft item above; attackers are now surely spraying compromised passwords across SEC email accounts.

John Pescatore

MFA using SMS is often argued as being better than no MFA. But if your organisation is a high profile one and therefore likely to be a target, then you need to move your MFA to more secure means such as using an authenticator app on a phone or using a hardware token.

Brian Honan

Make sure you have policies about disablement/bypass of MFA. While troubleshooting is sometimes required, make sure it's understood that MFA must be operating as soon as possible, doubly so with VIP and company accounts.

Lee Neely

Internet Storm Center Tech Corner

Apple Updates Everything

https://isc.sans.edu/diary/Apple+Updates+Everything+New+0+Day+in+WebKit/30578

Atlassian Confluence RCE Vulnerability Exploits CVE-2023-22527

https://isc.sans.edu/diary/ScansExploit+Attempts+for+Atlassian+Confluence+RCE+Vulnerability+CVE202322527/30576

macOS Python Script Replacing Wallet Applications with Rogue Apps

https://isc.sans.edu/diary/macOS+Python+Script+Replacing+Wallet+Applications+with+Rogue+Apps/30572

Updated Ivanti Mitigation Advice

https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

Czech Republic Sets IPv6 Shutdown date

https://konecipv4.cz/en/

Microsoft Breach

https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

Juniper Vulnerabilities

https://labs.watchtowr.com/the-second-wednesday-of-the-first-month-of-every-quarter-juniper-0day-revisited/

Brave Removing Strict Fingerprint Mode

https://brave.com/privacy-updates/28-sunsetting-strict-fingerprinting-mode/