State actors actively attack Ivanti, Ubiquity, and Microsoft’s Windows AppLocker, and ransomware attackers probe for unpatched ScreenConnect servers in this week’s vulnerability recap. Apply patches as fast as possible to avoid attacks and the subsequent possible expenses and liabilities associated with breaches and remediation.
February 26, 2024
FCKeditor Used for SEO Poisoning on Government, University Sites
Type of vulnerability: Malicious URL redirect.
The problem: A Spanish researcher detected malicious URL redirects on a number of commercial and university websites, including Yellow Pages Canada, MIT, and Purdue, as well as government sites for Texas, Virginia, and Spain. All sites incorporated the archaic FCKeditor plug-in, which stopped receiving support in 2010.
Attackers abuse the plug-in to add malicious links and HTML pages to legitimate sites so that the legitimate URLs bypass malicious URL screening in most browsers. Instead of malicious URLs, some pages insert web pages designed to poison SEO results by manipulating Google and other search algorithms to bump malicious web pages up the search results.
The fix: Examine websites and remove all FCKeditor plug-in instances. Replace it with the regularly updated and maintained CKEditor or an equivalent tool.
Read more about how websites and application vulnerability scanners can proactively help development teams catch issues.
February 27, 2024
Ransomware Gangs Target Unpatched ScreenConnect Servers
Type of vulnerability: Authentication bypass and path traversal.
The problem: As detailed last week, ConnectWise’s ScreenConnect vulnerabilities allow attackers to compromise sensitive data and gain access to outside directories and possibly even key system files. The Shadowserver researchers detect over 600 IPs attacking more than 8,000 vulnerable instances worldwide and Trend Micro announced their detection of attacks from the notorious Black Basta and Bl00dy ransomware gangs.
These ransomware attackers represent two of many attackers exploiting vulnerable servers for reconnaissance, network discovery, and privilege escalation. Successful attackers drop Cobalt Strike beacons and other payloads such as remote access trojans (RATs) to maintain and expand access.
The fix: Urgently update on-premise servers to version 23.9.8.
Having trouble patching quickly? Patch management-as-a-service can help accelerate patching processes.
Ubiquiti SOHO Routers Compromised to Form Stealthy Russian Botnets
Type of vulnerability: Various arbitrary code execution (ACE) and remote code execution (RCE) attack vulnerabilities.
The problem: The FBI warns that during the dismantling of the Moobot botnet, agents detected code from other Russian attackers, including the notorious Fancy Bear (AKA: APT28 or Military Unit 26165) also responsible for the attack on the US Democratic National Committee (DNC) before the 2016 election. The code detected includes backdoors that permit arbitrary code execute (ACE) for device takeover, credentials theft, data stealing, and more.
The targeted Ubiquity edge routers often will be installed in small or home office (SOHO) environments for remote workers, small satellite offices, or small businesses. Since these devices ship with automatic updates disabled, many organizations remain potentially exposed and actively exploited.
The fix: To eliminate malware infections, perform a factory reset, upgrade to the latest firmware, change all default usernames and passwords, and adjust firewall rules to block exposure to unwanted remote management services.
Azure-Connected IoT Vulnerable to Remote Code Execution
Type of vulnerability: Internet of things (IoT) RCE vulnerability.
The problem: The C library for “uAMQP,” a lightweight Advanced Message Queuing Protocol (AMQP), contains vulnerability CVE-2024-27099 with a CVSS score of 9.8. Microsoft incorporates AMQP into several Azure Cloud Services including Azure IoT Hubs, Azure Event Hubs, and Azure Service Bus. Attackers can use low complexity attacks to trigger “double-free” weaknesses to access heap memory and execute code.
The fix: Update libraries and instances to versions patched after February 8, 2024.
February 28, 2024
Internet Exposed 3D-Printers Hacked to Broadcast Vulnerability Exposure
Type of vulnerability: Missing valid credential check in printer service APIs.
The problem: Nearly 3 million owners of internet connected Anycubic 3D-printers suddenly found hacked_machine_readme.gcode files added to their devices. The files warned owners that the MQTT software allowed “any valid credential to connect and control your printer.” The hacker didn’t harm systems, but expect any open systems to be targeted by more malicious hackers in the near future.
The fix: Disconnect printers from internet access until a patch becomes available.
Lazarus Already Exploited the Just-Patched Windows AppLocker Driver
Type of vulnerability: Windows Kernel elevation of privilege vulnerability.
The problem: The Windows AppLocker Driver vulnerability, CVE-2024021338, enables attackers with system access to gain SYSTEM privileges. Although patched two weeks ago along with 72 other vulnerabilities, Microsoft hadn’t classified the flaw as an actively-exploited zero-day vulnerability.
However, Avast disclosed that their researchers discovered and reported the vulnerability in August 2023 after reverse-engineering a rootkit deployed by the infamous North Korean hacking group dubbed Lazarus. The attack bypasses security checks in the whitelisting tool and allows the attackers to disable security products such as Microsoft Defender or Crowdstrike Falcon, hide activities, and maintain system persistence.
The fix: Apply Windows patches ASAP.
Consider how managed detection and response (MDR) can help locate potential compromises, stop attacks, and help remediate systems.
February 29, 2024
Factory Resets of Ivanti VPN Appliances Don’t Remove Hacker Presence
Type of vulnerability: Persistent unauthenticated user resource access.
The problem: The US Cybersecurity & Infrastructure Security Agency (CISA) announced that Ivanti’s vulnerability updates and tools to check for compromise might not detect and remove all attacker presence on affected Connect Secure and Policy Secure gateways. Chinese APT attackers could potentially maintain root access and system persistence even after updates.
The fix: CISA warns federal agencies to assume credentials are compromised, hunt for indicators of compromise, run Ivanit’s revised detection tool, and apply all available patches. CISA also contains strong language with bolded text that cautions against continued use of the products.
“The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.”
CISA Warns of Active Exploitation of June 2023–Patched Windows Streaming Vulnerability
Type of vulnerability: Untrusted pointer dereference weakness.
The problem: Unpatched Windows systems become vulnerable to low-complexity, no-user-interaction-required attacks against a Microsoft Streaming Service Proxy vulnerability, CVE-2023-29360. Patched in June 2023, the vulnerability wasn’t noteworthy at the time, although attacks can gain SYSTEM level access.
However, CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog and requires Federal Agencies to patch by March 21, 2024. Check Point’s research team notes that CVE-2023-29360 is one of several vulnerabilities added to the Rasberry Robin worm after patch release, but before exploits become publicly disclosed.
The fix: Patch or isolated vulnerable Windows systems.
Leap Year Bugs Exposed In Citrix, Sophos & More
Type of vulnerability: Software invalid date processing errors for February 29, 2024.
The problem: Although leap years occur every four years, sometimes programmers use 365 days for a year and fail to account for the extra day. In some cases the issue will go unnoticed, but this year users experienced prominent failures including:
- Citrix HDX: The video redirection service terminated unexpectedly unless users reset system clocks to a different date.
- Sophos Endpoint, Server, and Home: Security certificate validation warnings for systems rebooted on the 29th blocked browsing sessions.
- New Zealand self-service gas stations: Pump payment transactions couldn’t be performed at stations owned by Allied Petroleum, Gull, and Z Energy.
- Japanese driver management system: Driver’s license machines in the prefectures of Ehime, Kanagawa, Niigata, and Okayama failed to send personal data properly.
The fix: Affected tools publicized workarounds, but as a rare exception, this vulnerability doesn’t require patching or remediation.
March 1, 2024
HikVision Warns of Security Management System Vulnerability
Type of vulnerability: Insufficient server-side validation.
The problem: HikVision’s HikCentral Professional security management system controls related surveillance equipment and contains both a high (CVSS 7.5) and a medium (CVSS 4.3) level vulnerability. HikVision remains vague about the consequences of the exploit other than to caution of improper URL and system access; however, attackers widely exploited these systems in the past, so they remain likely targets.
The fix: Update to patched versions of HikCentral Professional.
Read next:
- VulnRecap 2/26/24 – VMWare, Apple, ScreenConnect Face Risks
- Patch Management Best Practices & Steps
- 6 Best Threat Intelligence Feeds to Use
