Weekly Cyber Reports

This Week in Cyber 15th December 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

15th December, 2023


Analyst Insight

This week's cybersecurity landscape has seen the emergence of critical vulnerabilities affecting a range of technologies, underscoring the ongoing challenge of maintaining digital security. Notable entities such as Microsoft, WordPress, Android and ActiveMQ have reported vulnerabilities that demand immediate attention and remediation. Prompt patch management is crucial to mitigate the risks these vulnerabilities pose. Failure to apply patches in a timely manner can leave systems exposed to exploitation, leading to unauthorised access, data breaches and service disruptions. Telesoft’s MDR service complements patch management efforts by offering:

  • Real-Time Detection: Analysts promptly detect attempts to exploit unpatched vulnerabilities, enabling immediate response.
  • Prioritisation: Analysts prioritise vulnerabilities based on the organisation's risk appetite and potential impact, ensuring efficient allocation of resources.
  • Continuous Improvement: By analysing incidents and threat patterns, Telesoft’s MDR service contributes to the continuous improvement of an organisation's security posture.

In conclusion, the recent vulnerabilities emphasise the need for a comprehensive cybersecurity strategy that goes beyond patch management. Telesoft’s MDR service acts as a proactive and adaptive defence mechanism, crucial in the dynamic landscape of cyber threats.


Microsoft's Final Patch Tuesday of 2023 Addresses 33 Flaws, Including Critical Vulnerabilities

Microsoft's last set of Patch Tuesday updates for 2023 resolves 33 flaws, with four rated critical and 29 rated important. While none of the issues are reported as publicly known or actively exploited, notable ones include a Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2023-35628), an Internet Connection Sharing (ICS) Remote Code Execution Vulnerability (CVE-2023-35630), and a Microsoft Power Platform Connector Spoofing Vulnerability (CVE-2023-36019), which allows the execution of malicious scripts. The update also addresses DHCP server vulnerabilities that Akamai highlighted for their potential use in DNS record spoofing attacks on Active Directory domains.


Rhysida, A Devastating Menace

Insomniac Games, the creative force behind hits such as the ‘Marvel’s Spider-Man’ series, fell victim to a recent Rhysida ransomware attack, with the attackers demanding a 50 BTC ransom within 7 days. This follows a November 15th alert from CISA.gov detailing Rhysida’s tactics. Our ongoing monitoring highlights Rhysida's persistent threat, as discussed in previous blog posts. The malware, featuring a substantial .data section and processor-count-based encryption, poses a sophisticated danger. Beyond encryption, Rhysida creates scheduled tasks, inhibits system recovery and clears shadow copies. Prior to encryption, it carefully enumerates files, skipping common extensions to keep the system stable. The aftermath involves strategic defacement: the malware alters the registry and updates the wallpaper with a ransom note and a victim-specific token.
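The behaviours listed above (shadow copy deletion, recovery inhibition, scheduled-task persistence and the wallpaper registry change) are the ones a detection team would want to correlate on a host. The following is an added example, not code from Telesoft or the CISA advisory: it runs simple command-line rules over constructed Sysmon-style process-creation lines and rates a host higher when several of the behaviours appear together.

```python
import re

# Constructed Sysmon-style process-creation events, not real telemetry.
# Format per line: "user|image|command line".
SAMPLE_EVENTS = [
    r"CORP\alice|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
    r"NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"NT AUTHORITY\SYSTEM|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"NT AUTHORITY\SYSTEM|C:\Windows\System32\schtasks.exe|schtasks /create /sc onlogon /tn Updater /tr C:\ProgramData\svc.exe",
    r'NT AUTHORITY\SYSTEM|C:\Windows\System32\reg.exe|reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\ProgramData\note.bmp /f',
    r"CORP\bob|C:\Windows\System32\schtasks.exe|schtasks /query /tn Backup",
]

# One rule per behaviour described in the write-up, matched on the command line.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_inhibited": re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "scheduled_task_persistence": re.compile(r"schtasks(\.exe)?\s+/create\b", re.I),
    "wallpaper_ransom_note": re.compile(r"control panel\\desktop.*\bwallpaper\b", re.I),
}


def detect(events):
    """Return {rule name: [matching command lines]} for the given events."""
    hits = {}
    for event in events:
        _user, _image, cmdline = event.split("|", 2)
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.setdefault(name, []).append(cmdline)
    return hits


def assess(hits):
    """Rate the host: two or more distinct behaviours look like the impact
    stage of a ransomware deployment; one alone may be legitimate admin work."""
    if not hits:
        return "none"
    return "high" if len(hits) >= 2 else "medium"


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    print(assess(found), sorted(found))
```

Only the `/create` form of schtasks fires; the `/query` line in the sample stays silent, which keeps routine administration out of the alert.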


Critical Android AutoSpill Vulnerability

A significant security lapse has been identified in the Android autofill function, affecting six prominent password managers. Termed the AutoSpill vulnerability, it was disclosed by security researchers from the International Institute of Information Technology Hyderabad, who demonstrated its exploitation potential at the Black Hat Europe conference. Triggered when an Android app uses WebView to load a login page, the flaw allows credentials filled in by a password manager to be shared with the host app, potentially compromising sensitive data. Vulnerable password managers include 1Password, LastPass, Enpass, Keeper and Keepass2Android, with Dashlane and Google Smart Lock susceptible when JavaScript injection is enabled.

Despite no evidence of real-world exploitation, the researchers emphasise the severe risks AutoSpill poses. Exploiting the flaw does not require malicious code within the app, so an exploiting app could potentially be distributed through official app stores. Password managers, including 1Password, are actively working on updates to address the vulnerability. The seriousness of the issue underscores the need for Android security teams to implement Google's recommended best practices for password manager interactions with WebViews.


APAC Companies Targeted with SQL Injection Assaults

An emergent hacking group, named GambleForce, has been carrying out a string of SQL injection attacks against businesses in the Asia-Pacific (APAC) region since September 2023. Despite using comparatively basic techniques, the group has been strikingly effective. SQL injections targeting vulnerabilities in website content management systems have allowed them to pilfer sensitive information, including user credentials. The group has targeted at least 24 organisations, including those within the gambling, government and retail sectors. Six of these attacks are known to have been successful, but there may be more.

GambleForce relies exclusively on open-source tools such as dirsearch, sqlmap, tinyproxy and redis-rogue-getshell throughout its attacks, aiming to exfiltrate sensitive data from compromised networks. Notably, the group also uses the legitimate post-exploitation framework Cobalt Strike, with commands found in Chinese, adding a layer of mystery to its origins. The attack methods involve exploiting SQL injection flaws in victims' public-facing applications and leveraging a medium-severity flaw in the Joomla CMS (CVE-2023-23752) to gain unauthorised access. Group-IB, the research group that discovered the threat, has taken down GambleForce's command-and-control (C2) server and alerted the identified victims.


ActiveMQ, CVE-2023-46604 Explained

ActiveMQ, a widely used messaging system, is currently facing a serious security issue tracked as CVE-2023-46604. This flaw enables threat actors to remotely execute commands on, and thereby take control of, systems running ActiveMQ, posing a significant threat to data security. The vulnerability stems from how ActiveMQ handles certain types of data, enabling attackers to make the system run unauthorised commands. The flaw has been actively exploited in real-world attacks, primarily by ransomware operators. To fix the issue, users are recommended to update ActiveMQ to the latest secure versions (5.15.16, 5.16.7, 5.17.6 or 5.18.3).
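Because the fix shipped on four separate branches, checking an asset inventory against "the latest version" gives wrong answers: 5.16.8 is patched even though it sorts below 5.18.3. The following added triage helper (not ActiveMQ project code) compares each reported version against the fixed release of its own branch, using only the four versions listed above; it assumes branches newer than 5.18 carry the fix and treats older branches, for which no fixed release is listed, as exposed.

```python
import re

# Earliest patched release of each ActiveMQ branch named in the advisory
# summary above: 5.15.16, 5.16.7, 5.17.6 and 5.18.3.
FIXED_RELEASES = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}


def parse_version(text):
    """Turn '5.16.7' or 'v5.18.2' into an integer (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True when the release already contains the CVE-2023-46604 fix.

    The comparison is per branch: 5.16.8 is patched although it is
    numerically below 5.18.3, which a flat version comparison gets wrong.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return patch >= FIXED_RELEASES[branch]
    # Assumption: branches newer than 5.18 ship with the fix; older branches
    # have no fixed release listed on this page, so they are treated as exposed.
    return branch > (5, 18)


def triage(inventory):
    """Return the hosts (in inventory order) still running an exposed build."""
    return [host for host, ver in inventory.items() if not is_patched(ver)]


# Constructed sample inventory of host name -> reported ActiveMQ version.
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy": "5.16.8",
    "mq-dev": "5.15.15",
    "mq-old": "5.14.5",
}

if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_INVENTORY))
```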

