
This Week in Cyber 17th November 2023

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 17th November, 2023


Analyst Insight

This week's threat landscape reveals a concerning array of vulnerabilities affecting industry giants such as Akamai, Docker, Atlassian, Apache, and VMware. These vulnerabilities expose critical weaknesses in their products, demanding swift action to secure digital infrastructures. Immediate patches or strategic workarounds are imperative, underscoring the crucial role of a vigilant IT team in safeguarding customer systems.

Telesoft’s Managed Detection Response (MDR) service functions as a vigilant digital watchtower, constantly monitoring for potential threats. With 24/7 monitoring and human-led threat hunting, the service can promptly identify attackers attempting to exploit these vulnerabilities. This week's threat report underscores the dynamic nature of cybersecurity, with new vulnerabilities discovered daily. An MDR service stands as a proactive shield, preventing these vulnerabilities from compromising your systems.


Exploring Vulnerabilities in Akamai and F5


In a recent investigation, a seasoned researcher brought to light a string of vulnerabilities affecting tech giants Akamai and F5. The narrative unfolds with the revelation of a smuggle gadget—an ingenious piece of code capable of manipulating content and exploiting weaknesses within the target system. Despite initial setbacks in attempting to breach front-end defenses with host header injections, the researcher persevered, ultimately discovering a method to circumvent these barriers. The breakthrough occurred when redirecting a major bank's Single Sign-On (SSO) portal through a meticulously crafted attack chain that utilised Akamai's edge to send malformed requests to F5's BIGIP, resulting in a global redirection to a domain controlled by the attacker. This groundbreaking development was aptly named "God Mode Pwnage."


As the research progressed, the investigator pinpointed over a thousand Akamai customers utilising F5's BIGIP, with a substantial percentage vulnerable to cache poisoning. Exploiting this vulnerability, the researcher redirected login portals of major financial corporations to a customised Burp Collaborator instance, successfully pilfering authorisation tokens and other sensitive data. The impact rippled across financial corporations, banks, tech companies, and beyond. Taking an unexpected turn, the researcher delved further into obtaining NTLM credentials by leveraging Akamai's vulnerabilities to compromise F5's BIGIP servers. This revelation underscores the intricate interconnections among major service providers, highlighting the potential for unprecedented security risks when one vulnerability leads to another.


The research, spanning an intensive three-month period, not only accentuates the gravity of the identified vulnerabilities but also prompts ethical considerations regarding responsible disclosure and compensation for independent researchers. The investigator's commitment to responsible disclosure, despite the potential for substantial financial gain through alternative channels, underscores the ethical nuances inherent in the domain of cybersecurity research. The narrative concludes with a resolute stance: the researcher, armed with additional techniques awaiting deployment, remains steadfast in their dedication to addressing security flaws responsibly, navigating the intricate landscape of corporate responses and ethical quandaries.


Docker API Instances Targeted in OracleIV DDoS Botnet Campaign


Threat actors are exploiting publicly-accessible Docker Engine API instances to launch a distributed denial-of-service (DDoS) botnet named OracleIV. Attackers deliver a malicious Docker container, disguised as a MySQL image, containing Python malware and an XMRig miner. The campaign involves retrieving a shell script from a command-and-control server to conduct DDoS attacks, including slowloris, SYN floods, and UDP floods. Exposed Docker instances have become lucrative targets, facilitating various malicious activities. The campaign, observed by Palo Alto Networks Unit 42, began in late July 2023 and peaked around August 12, 2023.
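For defenders checking their own hosts for the exposure this campaign relies on, the following added example (not part of the original report or of Docker's tooling) audits a daemon.json document for TCP listeners that accept unauthenticated clients. The two sample configurations are constructed for illustration; the keys used ("hosts", "tls", "tlsverify", "tlscacert") are standard Docker daemon options.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: plaintext API bound to every interface (the weak setting).
WEAK_CONFIG = """{"hosts": ["unix:///var/run/docker.sock",
                           "tcp://0.0.0.0:2375", "tcp://127.0.0.1:2375"],
                  "tls": false}"""

# Constructed sample: network listener that demands a CA-signed client certificate.
HARDENED_CONFIG = """{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
                      "tlsverify": true,
                      "tlscacert": "/etc/docker/ca.pem",
                      "tlscert": "/etc/docker/server-cert.pem",
                      "tlskey": "/etc/docker/server-key.pem"}"""


def audit_daemon_config(text):
    """Classify each TCP listener declared under "hosts" in a daemon.json document.

    Returns (host, verdict) tuples; verdict is "exposed", "loopback" or "mtls".
    Listeners passed as dockerd -H flags live outside this file and are not covered.
    """
    cfg = json.loads(text)
    # "tlsverify" makes the daemon require a client certificate signed by "tlscacert".
    # "tls" on its own encrypts the channel but does not authenticate the client.
    client_auth = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    results = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        # An empty bind address is treated as non-loopback, to err towards a finding.
        if parts.hostname in LOOPBACK:
            results.append((host, "loopback"))
        elif client_auth:
            results.append((host, "mtls"))
        else:
            results.append((host, "exposed"))
    return results


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for host, verdict in audit_daemon_config(doc):
            print(f"{label:9} {host:24} {verdict}")
```

Any listener reported as "exposed" should be removed, bound to loopback, or placed behind mutual TLS.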


C3RB3R Ransomware Unleashes Havoc: Exploiting Atlassian's Confluence Vulnerability


In a recent cybersecurity revelation, SentinelOne has uncovered a surge in the exploitation of CVE-2023-22518, a critical vulnerability within Atlassian’s Confluence Data Center and Server software. This vulnerability, disclosed on October 31, 2023, provides unauthenticated remote attackers with the ability to create a backdoor administrator account, setting the stage for the deployment of C3RB3R (Cerber) ransomware on both Windows and Linux hosts. The gravity of this threat is underscored by over 5,000 vulnerable environments identified through a Shodan search, prompting Atlassian to elevate the CVSS score from 9.1 to 10 on November 6. Urgent action is now imperative as organisations grapple with the necessity of promptly addressing this vulnerability.


C3RB3R ransomware, a notorious player since 2016, has resurfaced with heightened activity in this campaign, notably displaying the distinct "C3RB3R" branding in ransom notes and victim payment portals. The attack sequence involves leveraging CVE-2023-22518 to create a backdoor, followed by deploying PowerShell scripts to download ransomware payloads from remote servers.


Critical Apache ActiveMQ Flaw


A critical security flaw, CVE-2023-46604, with a CVSS score of 10.0, was recently discovered in Apache ActiveMQ, allowing threat actors to achieve arbitrary code execution in memory. Apache addressed this vulnerability in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month. Exploiting this flaw, ransomware outfits, including those deploying HelloKitty and a variant akin to TellYouThePass, along with the SparkRAT remote access trojan, have actively targeted systems. VulnCheck discovered that threat actors are utilising a public proof-of-concept exploit, employing the ClassPathXmlApplicationContext class within ActiveMQ to load a malicious XML bean configuration file via HTTP, achieving unauthenticated remote code execution. This is a noisy method that generates an abundance of network traffic, so MDR teams would be able to spot the anomalous activity and act on it accordingly. However, more obscure, quieter methods are being produced and discovered by researchers. Those who have not updated their ActiveMQ systems should do so at their earliest convenience.


Urgent VMware Critical Vulnerability


VMware has recently disclosed a critical and unpatched security flaw. CVE-2023-34060, affecting Cloud Director, has a vulnerability score of 9.8. It allows malicious actors to bypass authentication on port 22 and port 5480. The flaw affects instances that have been upgraded to version 10.5 from older versions, and VMware has provided a workaround in the form of a shell script: WA_CVE-2023-34060.sh enables users to mitigate the risk without causing downtime. This disclosure comes on the back of a recent patch release for another flaw in vCenter Server. Prompt action is required when addressing vulnerabilities in VMware's virtualisation services.

