Weekly Cyber Reports

This Week in Cyber 06th October 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

5th October, 2023


Multiple Critical Security Vulnerabilities Discovered in Exim Mail Transfer Agent: Risk of Information Disclosure and Remote Code Execution

Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent. These vulnerabilities, reported anonymously in June 2022, could lead to information disclosure and remote code execution. The CVEs are as follows:

CVE-2023-42114 (CVSS score: 3.7): Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability.

CVE-2023-42115 (CVSS score: 9.8): Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability.

CVE-2023-42116 (CVSS score: 8.1): Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability.

CVE-2023-42117 (CVSS score: 8.1): Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability.

CVE-2023-42118 (CVSS score: 7.5): Exim libspf2 Integer Underflow Remote Code Execution Vulnerability.

CVE-2023-42119 (CVSS score: 3.1): Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability.

The most severe of these vulnerabilities is CVE-2023-42115, which allows remote, unauthenticated attackers to execute arbitrary code on affected Exim installations. This vulnerability exists within the SMTP service.

Exim maintainers have indicated that fixes for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116 are available in a protected repository and ready to be applied by distribution maintainers. However, the status of the remaining issues is unclear.

The Zero Day Initiative (ZDI) raised concerns about the handling of these vulnerabilities and noted that the disclosure timeline was exceeded by several months. ZDI recommends restricting interaction with Exim as a mitigation strategy until patches are available.


Cloudflare's Vulnerabilities: Certitude's Insightful Revelation

Certitude's recent research has shed light on critical vulnerabilities within Cloudflare's Firewall and DDoS protection mechanisms, raising concerns about potential exploits in the platform. These vulnerabilities emerge from shared infrastructure accessible to all Cloudflare tenants, regardless of their credibility.

Exploiting Cloudflare's implicit trust in connections from its own network, attackers can bypass security measures using their own Cloudflare accounts. One issue arises from the shared Cloudflare certificate used in Authenticated Origin Pulls, enabling attackers to route malicious payloads through Cloudflare and so sidestep the protections a tenant has configured on the platform. Additionally, abusers can take advantage of Cloudflare IP address allowlisting on origin servers, opening the door to rogue inputs and threats against other platform users.

In response, Cloudflare has updated its documentation, urging users to enhance their security by configuring Authenticated Origin Pulls with custom certificates rather than relying solely on Cloudflare's default settings. Certitude's findings emphasize the evolving nature of cyber threats, underscoring the importance for organizations to adopt robust security practices that extend beyond standard protocols to safeguard their digital infrastructure effectively.


FBI Raises Concerns of Dual Ransomware Attacks

A recent alert from the FBI has illuminated a concerning trend in cyberattacks: the emergence of dual ransomware assaults hitting the same victims, a tactic that has been on the rise since July 2023. In these attacks, cybercriminals deploy two distinct ransomware variants within an alarmingly short timeframe, ranging from 48 hours to just 10 days apart. These variants include notorious strains like AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.

What makes these attacks even more alarming is the added pressure tactics employed by hackers. Alongside data encryption, they are increasingly resorting to custom data theft, wiper tools, and malware to coerce victims into paying the ransom. This dual attack approach significantly amplifies the financial and operational impact on compromised entities. While dual ransomware attacks aren't entirely new, their recent escalation underscores a growing sophistication among cybercriminals, necessitating a proactive response from organizations.


GitHub Faces Impersonation Crisis

GitHub, the popular platform for developers to manage their project code, is under siege from a sophisticated impersonation scam. Cybercriminals are breaching accounts, installing malware, and stealing passwords under the guise of GitHub’s trusted feature, Dependabot. This deceitful tactic involves attackers obtaining access tokens belonging to their targets, then manipulating compromised accounts to resemble “Dependabot[bot].” The attackers infiltrate projects, inserting malicious code and tampering with existing JavaScript files to incorporate malware. This malicious software attempts to steal passwords from form submissions, sending them to a command and control server operated by the attackers. Notably, these stolen tokens provided access to both public and private repositories, impacting a wide range of projects.

The attackers’ crafty move lies in mimicking Dependabot, GitHub’s legitimate tool that automates dependency updates for developers. By disguising their bogus updates as Dependabot notifications, the attackers deceive users into thinking everything is normal. While the imitation isn’t flawless, unsuspecting users might be fooled. The key indicator of fake activity is the profile avatar: Dependabot features a square profile image and a “bot” tag, whereas regular accounts have a circular avatar and cannot replicate the bot tag. GitHub users are urged to stay vigilant and verify the authenticity of Dependabot notifications to prevent falling victim to this ongoing cyber threat.
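The avatar and bot tag are what a human sees; the same distinction is visible in GitHub's commit API, where the display name is committer-controlled text but the top-level author object is resolved by GitHub itself. The check below is an added example (not code from the original post or from GitHub); the commit records are constructed to mimic the REST "list commits" response shape, and the SHAs and logins are placeholders.

```python
# Added example (not from the post): records mimic GitHub's "list commits" REST
# response, where `commit.author.name` is committer-controlled free text while the
# top-level `author` object is resolved by GitHub (type "Bot" for GitHub Apps such as
# dependabot[bot]; null when no account matches the commit email). Samples are constructed.
GENUINE_LOGIN = "dependabot[bot]"

SAMPLE_COMMITS = [
    {  # genuine: GitHub resolves the author to the Bot account and signs the commit
        "sha": "aaa111",
        "commit": {"author": {"name": "dependabot[bot]"}, "verification": {"verified": True}},
        "author": {"login": "dependabot[bot]", "type": "Bot"},
    },
    {  # impersonation: display name copied, but the account is an ordinary user
        "sha": "bbb222",
        "commit": {"author": {"name": "dependabot[bot]"}, "verification": {"verified": False}},
        "author": {"login": "someone-else", "type": "User"},
    },
    {  # impersonation via an unlinked email: GitHub returns no author object at all
        "sha": "ccc333",
        "commit": {"author": {"name": "dependabot[bot]"}, "verification": {"verified": False}},
        "author": None,
    },
    {  # ordinary human commit: makes no Dependabot claim, so it is not examined
        "sha": "ddd444",
        "commit": {"author": {"name": "alice"}, "verification": {"verified": False}},
        "author": {"login": "alice", "type": "User"},
    },
]


def claims_dependabot(commit: dict) -> bool:
    """True when the committer-controlled display name invokes Dependabot."""
    return "dependabot" in commit["commit"]["author"]["name"].lower()

def is_genuine_dependabot(commit: dict) -> bool:
    """True only when GitHub itself resolved the author to the Bot account."""
    author = commit.get("author") or {}
    return author.get("type") == "Bot" and author.get("login") == GENUINE_LOGIN

def find_impersonations(commits: list) -> list:
    """SHAs whose display name says Dependabot but whose GitHub identity does not."""
    return [c["sha"] for c in commits
            if claims_dependabot(c) and not is_genuine_dependabot(c)]

def unverified_dependabot_claims(commits: list) -> list:
    """Secondary signal: real Dependabot commits are signed by GitHub (verified=true)."""
    return [c["sha"] for c in commits
            if claims_dependabot(c) and not c["commit"]["verification"]["verified"]]
```

Run against a real repository, the same two functions would be fed the JSON from GET /repos/{owner}/{repo}/commits; a hit from either list is worth a manual look at the diff before it is merged.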


Microsoft Uncovers Advanced Cyber Attack Attempt Targeting Cloud Servers

In a recent report, Microsoft has revealed a sophisticated cyber attack campaign in which malicious actors attempted to breach cloud environments through a SQL Server instance. The attackers initially exploited a SQL injection vulnerability within an application, gaining access and elevated permissions on a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM). Leveraging these permissions, they aimed to move laterally to additional cloud resources by abusing the server's cloud identity.

The attackers' strategy involved exploiting the xp_cmdshell option, enabling them to run operating system commands, conduct reconnaissance, download executables, and establish persistence through scheduled tasks. Notably, they attempted data exfiltration using a publicly accessible tool called webhook[.]site, aiming to evade detection by disguising outgoing traffic as legitimate. While the attackers tried to utilize the cloud identity of the SQL Server instance, the operation ultimately failed due to an unspecified error, highlighting the increasing sophistication of cloud-based attack techniques.
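Two of the steps above leave traces a defender can alert on: enabling xp_cmdshell writes a configuration-change line to the SQL Server ERRORLOG, and the exfiltration attempt needs an outbound connection from the database host to webhook.site. The scanner below is an added example (not from Microsoft's report or the original post); the ERRORLOG lines follow SQL Server's real message format, while the egress-proxy log format and the host names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in SQL Server ERRORLOG layout (timestamp, spid, message).
ERRORLOG = """\
2023-09-28 03:14:07.12 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-28 03:14:07.33 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-28 03:20:41.90 spid17      Log was backed up. Database: appdb, number of dump devices: 1, device type: DISK.
2023-09-28 04:02:15.08 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Constructed egress-proxy lines (format assumed): timestamp, source host, CONNECT destination.
PROXY_LOG = """\
2023-09-28T03:16:02Z sqlvm-prod-01 CONNECT update.microsoft.com:443
2023-09-28T03:18:44Z sqlvm-prod-01 CONNECT webhook.site:443
2023-09-28T03:19:10Z web-fe-02 CONNECT webhook.site:443
"""

CONFIG_RE = re.compile(
    r"^(\S+ \S+) (spid\d+)\s+Configuration option '([^']+)' changed from (\d+) to (\d+)\.")
PROXY_RE = re.compile(r"^(\S+) (\S+) CONNECT ([^:\s]+):\d+")

@dataclass(frozen=True)
class Alert:
    when: str
    source: str
    rule: str
    detail: str

def scan_errorlog(text: str) -> list:
    """Alert when xp_cmdshell is switched on (0 -> 1); switching it off is not flagged."""
    alerts = []
    for line in text.splitlines():
        m = CONFIG_RE.match(line)
        if m and m.group(3) == "xp_cmdshell" and m.group(5) == "1":
            alerts.append(Alert(m.group(1), m.group(2), "xp_cmdshell_enabled", "0 -> 1"))
    return alerts

def scan_proxy(text: str, db_hosts: set, dead_drops=("webhook.site",)) -> list:
    """Alert when a database host (and only a database host) reaches a request-catcher site."""
    alerts = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m and m.group(2) in db_hosts and m.group(3) in dead_drops:
            alerts.append(Alert(m.group(1), m.group(2), "db_host_to_dead_drop", m.group(3)))
    return alerts
```

The 'show advanced options' change that precedes the xp_cmdshell line is deliberately not alerted on its own, since it is a routine administrative step; correlating the two by spid is the useful signal.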


Lu0Bot, the Node.js Malware Threat

In a recent analysis, cybersecurity experts delved deep into the complexities of Lu0Bot, a malware strain making waves in the cyber threat landscape. What sets Lu0Bot apart is its unconventional choice of platform, Node.js, which helps it sidestep advanced detection systems. This sophisticated malware is platform-agnostic, targets modern web apps, and employs multi-layer obfuscation techniques, making it a significant threat to organizations and individuals alike.

The malware's low activity level currently masks its potential danger. However, a recent technical analysis revealed a modus operandi that combines a self-extracting (SFX) packer with a Node interpreter carried under the name fjlpexyjauf.exe. This interpreter, once activated, executes encrypted JavaScript code. The malware creators demonstrate a high level of sophistication, encoding strings with non-standard Base64 variants and encrypting them with RC4, creating a convoluted web of evasion.


Critical Vulnerability Exploited in Atlassian's Confluence Software Allowing Unauthorized Admin Access

A critical vulnerability in Atlassian's Confluence Server and Confluence Data Center has been exploited by attackers to create and misuse admin accounts, potentially impacting public-facing instances. The vulnerability, identified as CVE-2023-22515, affects versions 8.0.0 through 8.5.1.

Instances on the public internet are particularly at risk, as the flaw is exploitable anonymously. Some customers have already fallen victim to this zero-day vulnerability, and updates are available to address the issue. Atlassian recommends mitigation measures, including restricting external network access and securing certain endpoints. Users are urged to take steps to determine if a compromise has occurred, remove unauthorized admins, and assess any potential damage or data access.


Ransomware Hackers Exploit Critical Vulnerabilities in WS_FTP Server, Posing Global Threat

Ransomware attackers have begun exploiting recently patched vulnerabilities in WS_FTP Server, a file-sharing application developed by Progress Software. These vulnerabilities, including CVE-2023-40044 and CVE-2023-42657, are rated with high severity scores, with one reaching a rating of 10/10. The flaws allow attackers to execute malicious code with elevated system privileges, posing a significant risk to enterprise networks.

Researchers have observed active exploitation of these vulnerabilities, with multiple organizations affected. Admins are urged to prioritize patching and take preventive measures to safeguard their systems.

