Threat Intelligence Blog
Black Arrow Cyber Advisory 25 April 2024 – Cisco ASA and FTD Zero-days Exploited by Nation-state Hackers, Patch Now
Executive summary
Cisco has published a security advisory warning regarding an active attack campaign labelled as “ArcaneDoor”. The campaign involves threat actors exploiting vulnerabilities in Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) to implant previously unknown malware, execute commands and exfiltrate data. Activity is thought to have begun in early January 2024.
What’s the risk to me or my business?
Organisations running vulnerable versions of Cisco ASA or FTD are at risk of an attacker implanting malware, executing commands and exfiltrating data, impacting the confidentiality, integrity and availability of data. There is no current workaround, and Cisco advises upgrading to a fixed software release immediately.
What can I do?
Black Arrow recommends following Cisco’s advice, and applying patches immediately. Additionally, organisations can also open a case with Cisco Technical Assistance Center, referencing the keyword “ArcaneDoor” to verify the integrity of their Cisco ASA or FTD devices. Further information on this can be found in the advisory provided by Cisco.
Technical Summary
CVE-2024-20353: A denial of service vulnerability impacting Cisco ASA and FTD software.
CVE-2024-20359: A privilege escalation vulnerability which could allow an authenticated local attacker to execute code with the highest level of privilege. Administrator-level privileges are required to exploit this vulnerability.
Further information can be found below.
The advisories provided by Cisco can be found here:
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity
Black Arrow Cyber Alert 17 April 2024 – Major Palo Alto Security Flaw Actively Exploited by Highly Capable Actors
Executive summary
Palo Alto has issued a critical alert for an actively exploited vulnerability in the GlobalProtect feature of the PAN-OS software used in its firewall products. Successful exploitation allows an attacker to execute code with root privileges, the highest available. Third parties have since disclosed a proof of concept for the exploit.
What’s the risk to me or my business?
The exploit applies only to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal. Organisations falling under this umbrella are leaving themselves at risk of allowing an attacker to execute code with root privileges, impacting the confidentiality, integrity and availability of data. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability. Cloud NGFW, Panorama appliances and Prisma Access are not impacted by this vulnerability.
Whether you have a GlobalProtect gateway or GlobalProtect portal configured can be verified by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals).
Palo Alto has listed the following versions as vulnerable:
PAN-OS 10.2: < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
PAN-OS 11.0: < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
PAN-OS 11.1: < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
The issue is fixed in hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3, and in all later PAN-OS versions. A full list of ETAs for hotfixes is available in the advisory by Palo Alto.
What can I do?
Black Arrow recommends following Palo Alto’s advice and applying the available fixes immediately, even if workarounds and mitigations have been applied, as the previous mitigations are no longer effective. If an update is not yet available, check the advisory to see when one will be released. The latest expected update is currently planned for 19 April 2024.
Technical Summary
CVE-2024-3400: A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software which can allow an unauthenticated attacker to execute code with root privileges.
Further information can be found here:
https://security.paloaltonetworks.com/CVE-2024-3400
Black Arrow Cyber Advisory 10 April 2024 – Microsoft Patch Tuesday, Adobe and SAP Updates
Executive Summary
In Microsoft’s April Patch Tuesday, updates were released to rectify 149 security issues across its product range. Notably, the update tackles two actively exploited zero-day vulnerabilities which are being exploited to deploy malware: one allows security feature prompts in SmartScreen to be bypassed, and the other involves malicious drivers used to deploy backdoors. Of the 149 issues, 67 addressed Remote Code Execution vulnerabilities, and 3 were rated critical.
In addition to the Microsoft updates, this week also saw Adobe and SAP provide updates for vulnerabilities in a variety of their products, with multiple rated as critical.
What’s the risk to me or my business?
Successful exploitation of these vulnerabilities allows an attacker to distribute malware to a vulnerable system, gain remote code execution, cause a denial of service and impact the confidentiality, integrity and availability of information.
What can I do?
All vulnerabilities with an available patch should be updated as soon as possible.
Technical Summary
Microsoft
CVE-2024-26234: This vulnerability is caused by a malicious driver that has been signed with a valid Microsoft Hardware Publisher Certificate. The driver is used to deploy a backdoor.
CVE-2024-29988: This vulnerability, if actively exploited, allows a malicious attachment to bypass Microsoft Defender SmartScreen prompts when a file is opened. It has been recorded as exploited by the financially motivated Water Hydra hacking group.
Adobe
This month, Adobe released fixes for 24 vulnerabilities: 5 rated critical across Adobe After Effects, 2 critical vulnerabilities each impacting Adobe Photoshop, Adobe Commerce and Adobe InDesign, a critical vulnerability each impacting Adobe Experience Manager, Adobe Media Encoder, Adobe Bridge and Adobe Illustrator, and 2 critical vulnerabilities impacting Adobe Animate. At present, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include Out-of-Bounds Read, Improper Input Validation, Cross-site Scripting (Stored XSS), Information Exposure and Arbitrary Code Execution.
SAP
This month, SAP has released 12 patches, which include 10 new releases and 2 updates from previous releases. The vulnerabilities encompass a range of issues, including Security misconfiguration, Information disclosure, Directory traversal, Denial of Service and Missing authorisation checks.
Further details on other specific updates within this Patch Tuesday can be found here:
https://www.ghacks.net/2024/04/09/microsoft-releases-the-april-2024-security-updates-for-windows/
Further details of the vulnerabilities addressed in Adobe After Effects can be found here: https://helpx.adobe.com/security/products/after_effects/apsb24-09.html
Further details of the vulnerabilities addressed in Adobe Photoshop can be found here:
https://helpx.adobe.com/security/products/photoshop/apsb24-16.html
Further details of the vulnerabilities addressed in Adobe Commerce can be found here: https://helpx.adobe.com/security/products/magento/apsb24-18.html
Further details of the vulnerabilities addressed in Adobe InDesign can be found here:
https://helpx.adobe.com/security/products/indesign/apsb24-20.html
Further details of the vulnerabilities addressed in Adobe Experience Manager can be found here:
https://helpx.adobe.com/security/products/experience-manager/apsb24-21.html
Further details of the vulnerabilities addressed in Adobe Media Encoder can be found here:
https://helpx.adobe.com/security/products/media-encoder/apsb24-23.html
Further details of the vulnerabilities addressed in Adobe Bridge can be found here:
https://helpx.adobe.com/security/products/bridge/apsb24-24.html
Further details of the vulnerabilities addressed in Adobe Illustrator can be found here:
https://helpx.adobe.com/security/products/illustrator/apsb24-25.html
Further details of the vulnerabilities addressed by SAP can be found here:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2024.html
Black Arrow Cyber Advisory 14 February 2024 – Microsoft Patch Tuesday (inc 2 exploited zero-days), Adobe, and SAP Security Updates
Executive summary
It is Valentine’s, and what better way to spend it than reading about Microsoft’s latest Patch Tuesday. In this month’s Patch Tuesday, Microsoft has provided updates to address 73 security issues across its product range, including two exploited zero-day vulnerabilities (CVE-2024-21351 and CVE-2024-21412). Microsoft classifies a zero-day as a flaw that is publicly disclosed or actively exploited with no official fix available. The two exploited vulnerabilities affect Windows SmartScreen and Internet Shortcut Files, allowing security bypasses. Both have been added to the ‘Known Exploited Vulnerabilities Catalog’ by the Cybersecurity and Infrastructure Security Agency (CISA).
In addition to the updates from Microsoft, this week also saw Adobe fix 38 vulnerabilities and SAP issue 13 new patches for its range of products, three of which were rated as critical.
What’s the risk to me or my business?
The vulnerabilities, if actively exploited, could allow an attacker to bypass security features and inject malicious code, impacting the confidentiality, integrity and availability of data.
Microsoft
There is no official fix for the exploited vulnerabilities; however, both require a user to interact with a malicious file. As such, it is important to make sure users remain vigilant when interacting with their emails. Organisations should follow the vulnerabilities closely so that they can apply any patches immediately. Other available updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating. Remaining patches should be applied in a reasonable time frame.
Technical Summary
CVE-2024-21351: This vulnerability, if actively exploited, allows an attacker to bypass Windows SmartScreen. It relies on an authorised attacker sending a malicious file and convincing a user to open it.
CVE-2024-21412: This vulnerability, if actively exploited, allows an attacker to bypass Windows security features and send malicious files to users. The attacker would still need the user to interact with the file.
Adobe
This month, Adobe has released fixes for vulnerabilities impacting Adobe Acrobat and Reader (13, of which 5 are critical), Commerce (9, of which 6 are critical), Substance 3D Painter (13, of which 5 are critical), FrameMaker Publishing Server (1 critical), Audition (1 critical) and Substance 3D Designer (1 critical). Currently, Adobe is not aware of any active exploitation of these vulnerabilities. The vulnerabilities include issues such as arbitrary code execution and memory leaks.
SAP
This month, SAP has released 13 patches, which include 10 new releases and 3 updates from previous releases. These patches address 8 critical vulnerabilities affecting a variety of SAP products. The vulnerabilities encompass a range of issues, including Privilege Escalation, Code Injection, Denial of Service, Information Disclosure, and Improper Authorisation.
Microsoft
Further details on other specific updates within this patch Tuesday can be found here:
https://www.ghacks.net/2024/02/13/the-windows-security-updates-for-february-2024-are-here/
Adobe
Further details of the vulnerabilities addressed in Adobe Acrobat and Reader can be found here:
https://helpx.adobe.com/security/products/acrobat/apsb24-07.html
Further details of the vulnerabilities addressed in Adobe Substance 3D Painter can be found here:
https://helpx.adobe.com/security/products/substance3d_painter/apsb24-04.html
Further details of the vulnerabilities addressed in Adobe FrameMaker can be found here:
https://helpx.adobe.com/security/products/acrobat/apsb24-07.html
Further details of the vulnerabilities addressed in Adobe Audition can be found here:
https://helpx.adobe.com/security/products/audition/apsb24-11.html
Further details of the vulnerabilities addressed in Adobe Substance 3D Designer can be found here:
https://helpx.adobe.com/security/products/substance3d_designer/apsb24-13.html
SAP
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2024.html
Black Arrow Cyber Advisory 12 February 2024 – Fortinet FortiOS Vulnerability in SSL VPN
Executive Summary
Fortinet has released a patch to fix a critical vulnerability in its FortiOS product, stating that it is potentially being exploited in the wild. Successful exploitation of the vulnerability could allow a remote unauthenticated attacker to execute code or commands.
What’s the risk to me or my business?
Organisations using vulnerable versions of FortiOS are at risk of allowing an unauthenticated remote attacker to perform arbitrary code execution. This means an attacker could potentially gain unauthorised access and perform actions that could impact the confidentiality, integrity and availability of the organisation’s data. This vulnerability only impacts organisations that have SSL VPN enabled.
The affected versions of FortiOS and FortiProxy are:
FortiOS
FortiOS 7.4 (7.4.0 through 7.4.2) – upgrade to 7.4.3 or above.
FortiOS 7.2 (7.2.0 through 7.2.6) – upgrade to 7.2.7 or above.
FortiOS 7.0 (7.0.0 through 7.0.13) – upgrade to 7.0.14 or above.
FortiOS 6.4 (6.4.0 through 6.4.14) – upgrade to 6.4.15 or above.
FortiOS 6.2 (6.2.0 through 6.2.15) – upgrade to 6.4.15 or above.
FortiOS 6.0 (all versions) - migrate to fixed release.
FortiProxy
FortiProxy 7.4 (7.4.0 through 7.4.2) - upgrade to 7.4.3 or above.
FortiProxy 7.2 (7.2.0 through 7.2.8) - upgrade to 7.2.9 or above.
FortiProxy 7.0 (7.0.0 through 7.0.14) - upgrade to 7.0.15 or above.
FortiProxy 2.0 (2.0.0 through 2.0.13) - upgrade to 2.0.14 or above.
FortiProxy 1.2 (all versions) - migrate to fixed release.
FortiProxy 1.1 (all versions) - migrate to fixed release.
FortiProxy 1.0 (all versions) - migrate to fixed release.
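As an added example (not Fortinet’s, Palo Alto’s or Black Arrow’s code), the following Python checker encodes the FortiOS and FortiProxy table just listed together with the PAN-OS table from the 17 April alert above, and reports whether a running release falls inside an affected range. It generalises both tables into one rule: a release counts as fixed only if it is at or past the fix named for its own maintenance release (so 10.2.9 is still vulnerable while 10.2.9-h1 is not), or is a later maintenance release than the newest fix in its branch. The function names, the status strings and the sample versions are the example’s own; the version data is transcribed from this page.

```python
"""Version-range check for the PAN-OS and FortiOS/FortiProxy tables on this page.

Added example, not vendor code. The tables below are transcribed from the
page's own advisories (CVE-2024-3400 and FG-IR-24-015); an empty fix list means
every release in that branch is affected and the vendor advice is to migrate.
"""
import re
from typing import Dict, List, Optional, Tuple

# A version is ((major, minor, patch), hotfix); hotfix is 0 when absent.
Version = Tuple[Tuple[int, int, int], int]

ADVISORIES: Dict[str, Dict[str, List[str]]] = {
    "PAN-OS": {
        "10.2": ["10.2.5-h6", "10.2.6-h3", "10.2.7-h8", "10.2.8-h3", "10.2.9-h1"],
        "11.0": ["11.0.2-h4", "11.0.3-h10", "11.0.4-h1"],
        "11.1": ["11.1.0-h3", "11.1.1-h1", "11.1.2-h3"],
    },
    "FortiOS": {
        "7.4": ["7.4.3"], "7.2": ["7.2.7"], "7.0": ["7.0.14"],
        "6.4": ["6.4.15"], "6.2": ["6.4.15"], "6.0": [],
    },
    "FortiProxy": {
        "7.4": ["7.4.3"], "7.2": ["7.2.9"], "7.0": ["7.0.15"],
        "2.0": ["2.0.14"], "1.2": [], "1.1": [], "1.0": [],
    },
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse '10.2.9-h1' or '7.4.2'; the -hN hotfix suffix sorts after the bare release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return ((int(major), int(minor), int(patch)), int(hotfix or 0))


def format_version(v: Version) -> str:
    base, hotfix = v
    return ".".join(map(str, base)) + (f"-h{hotfix}" if hotfix else "")


def assess(product: str, running: str) -> Tuple[str, Optional[str]]:
    """Return (status, advice); status is 'fixed', 'vulnerable' or 'not-listed'.

    A release is treated as fixed when it is at or past the fix issued for its
    own maintenance release (10.2.9-h1 fixes 10.2.9) or is a later maintenance
    release than the newest fix in the branch (10.2.10 and up). Anything else in
    a listed branch is vulnerable; a branch absent from the table is reported as
    not listed, which is not the same as safe.
    """
    branches = ADVISORIES[product]
    base, hotfix = parse_version(running)
    branch = f"{base[0]}.{base[1]}"
    if branch not in branches:
        return "not-listed", "branch not in the affected table; confirm against the vendor advisory"
    fixes = sorted(parse_version(f) for f in branches[branch])
    if not fixes:
        return "vulnerable", "all releases in this branch are affected; migrate to a fixed release"
    same_base = [f for f in fixes if f[0] == base]
    if same_base and (base, hotfix) >= same_base[-1]:
        return "fixed", None
    if base > fixes[-1][0]:
        return "fixed", None
    # Point the operator at the nearest fix at or above the running release.
    later = [f for f in fixes if f >= (base, hotfix)]
    target = later[0] if later else fixes[-1]
    return "vulnerable", f"upgrade to {format_version(target)} or later"


if __name__ == "__main__":
    for product, version in [("PAN-OS", "10.2.9"), ("PAN-OS", "11.0.3-h5"),
                             ("FortiOS", "7.4.2"), ("FortiOS", "6.0.12"),
                             ("FortiProxy", "7.0.15")]:
        status, advice = assess(product, version)
        print(f"{product} {version}: {status}" + (f" ({advice})" if advice else ""))
```

The "not-listed" outcome is deliberately distinct from "fixed": a branch missing from the table means the page did not list it, so the vendor advisory must be consulted before treating it as unaffected.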
What can I do?
Black Arrow recommends applying the available patches for the vulnerability immediately due to its severity. Further information can be found in the FortiGuard security update below. Organisations have also been advised to disable SSL VPN if they cannot apply patches immediately; however, this is not a long-term solution.
Technical Summary
CVE-2024-21762 – An out-of-bounds write vulnerability in sslvpnd which may allow a remote unauthenticated attacker to execute arbitrary code or commands using specifically crafted HTTP requests.
Further information on the FortiOS vulnerability can be found here:
https://www.fortiguard.com/psirt/FG-IR-24-015
Further information on upgrading can be found here:
https://docs.fortinet.com/upgrade-tool
Black Arrow Cyber Advisory 14 December 2023 – Microsoft Patch Tuesday, Adobe and SAP Security Updates
Executive summary
Microsoft’s December Patch Tuesday provides updates to address 36 security issues across its product range, including 4 critical vulnerabilities and 1 zero-day. The zero-day, which impacts AMD processors, was originally disclosed in August 2023 with no patches provided by AMD.
In addition to the Microsoft updates this week, Adobe and SAP fixed multiple vulnerabilities across their product range.
What’s the risk to me or my business?
The vulnerabilities, if actively exploited, can allow an attacker to escalate privileges, remotely execute code, cause sensitive data leaks and cause a denial of service. All of which can result in an impact to the confidentiality, integrity and availability of data in your organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the vulnerabilities that have a critical severity rating. Other patches should be applied in a reasonable time frame.
Technical Summary
Microsoft
CVE-2023-20588: A vulnerability in AMD processors that could return speculative and sensitive data if exploited.
CVE-2023-36019: A vulnerability in Microsoft Power Platform and Azure Logic Apps that allows spoofing.
CVE-2023-35630: A vulnerability in Internet Connection Sharing that, if exploited, allows remote code execution.
CVE-2023-35628: A vulnerability in Internet Connection Sharing that, if exploited, allows remote code execution.
CVE-2023-35641: A remote code execution vulnerability in Windows MSHTML, the engine used by Internet Explorer.
Adobe
This month, Adobe released fixes for 212 vulnerabilities, of which 13 were rated critical, across Adobe Illustrator (3), Substance3D Sampler (6), After Effects (3) and Designer (1). The critical vulnerabilities include arbitrary code execution and memory leak.
SAP
Enterprise software vendor SAP has addressed 17 vulnerabilities, including 4 critical, in several of its products.
Microsoft
Further details on other specific updates within this patch Tuesday can be found here:
Adobe
Further details of the vulnerabilities addressed in Adobe Illustrator can be found here:
https://helpx.adobe.com/security/products/illustrator/apsb23-68.html
Further details of the vulnerabilities addressed in Adobe Substance3D Sampler can be found here:
https://helpx.adobe.com/security/products/substance3d-sampler/apsb23-74.html
Further details of the vulnerabilities addressed in Adobe After Effects can be found here:
https://helpx.adobe.com/security/products/after_effects/apsb23-75.html
Further details of the vulnerabilities addressed in Adobe Substance3D Designer can be found here:
https://helpx.adobe.com/security/products/substance3d_designer/apsb23-76.html
SAP
Further information on the vulnerabilities addressed by SAP can be found here:
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Black Arrow Cyber Advisory 24 November 2023 – Windows SmartScreen Vulnerability Under Active Exploitation
Executive summary
Financially motivated threat actors are currently exploiting a critical vulnerability in unpatched versions of Windows SmartScreen. The vulnerability which is under exploitation was patched in Microsoft’s November patch Tuesday. Since its patch, a proof of concept exploiting the vulnerability in Windows SmartScreen has become publicly available.
What’s the risk to me or my business?
Windows SmartScreen is a security feature that prevents potentially harmful malware from running. It checks applications or files to ensure that they are safe; if they are not deemed safe, it gives the user the option to cancel running them. The now publicly available exploit allows an attacker to cause a victim to run malware automatically, bypassing SmartScreen checks and therefore impacting the confidentiality, integrity and availability of data. All an attacker would need to exploit this is for a user to click on a malicious URL.
What can I do?
Black Arrow recommends applying the patches made available by Microsoft immediately, which can be found in our blog post detailed below. Organisations running unpatched versions are leaving themselves at risk of exploitation.
Technical Summary
CVE-2023-36025: A security feature bypass vulnerability in Windows SmartScreen.
Further information can be found here:
Black Arrow Cyber Advisory 15 November 2023 – Microsoft Patch Tuesday fixes five zero days, three actively exploited; Adobe, FortiGuard, VMware and WordPress Updates Summary
Executive summary
Microsoft’s November Patch Tuesday provides updates to address 58 security issues across its product range, including three actively exploited zero-day vulnerabilities. The exploited zero-day vulnerabilities include two privilege escalation vulnerabilities and a security feature bypass. These have been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities Catalog”. Also among the updates provided by Microsoft were 3 critical vulnerabilities.
In addition to the Microsoft updates, this week Adobe, FortiGuard, VMware and WordPress also provided updates for vulnerabilities in their products. An already-addressed vulnerability in Citrix known as Citrix Bleed continues to be a threat, with the LockBit ransomware gang actively using publicly known exploits against unpatched versions.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker with access to bypass security features, gain SYSTEM privileges and compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.
Technical Summary
CVE-2023-36036: An actively exploited elevation of privilege vulnerability in Windows Cloud Files Mini Filter.
CVE-2023-36033: An actively exploited elevation of privilege vulnerability in Windows DWM Core Library that could allow an attacker to gain the highest privileges.
CVE-2023-36025: An actively exploited vulnerability in Windows SmartScreen which allows a malicious internet shortcut to bypass security.
CVE-2023-36413: A Microsoft Office security feature bypass.
CVE-2023-36038: A denial of service vulnerability in ASP.NET Core.
Adobe
This month, Adobe released fixes for 25 vulnerabilities, of which 13 were rated critical, across Adobe Acrobat and Reader (17), ColdFusion (6), InCopy (1) and Dimension (1). At present, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.
Citrix
The LockBit ransomware group is using the publicly available exploits for the Citrix Bleed vulnerability. There are currently thousands of publicly reachable endpoints that are still running vulnerable versions.
FortiGuard
This month, FortiGuard released three advisories for vulnerabilities, including one critical vulnerability, impacting FortiOS, FortiProxy-DOS and FortiProxyVM.
VMware
VMware has patched one critical authentication bypass vulnerability, tracked as CVE-2023-34060 which impacts Cloud Director Appliances. There are no available workarounds.
WordPress
A WordPress plugin, WP Fastest Cache, is vulnerable to an SQL injection vulnerability tracked as CVE-2023-6063, which could allow unauthenticated attackers to read the contents of the site’s database. At present, more than 600,000 websites run a vulnerable version of WP Fastest Cache. A software patch has been made available by the developer.
Further details on other specific updates within this month’s Microsoft Patch Tuesday can be found here: https://www.ghacks.net/2023/04/11/microsoft-windows-security-updates-april-2023-what-you-need-to-know-before-installation/
Adobe
Further details of the vulnerabilities addressed in Adobe Acrobat and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-54.html
Further details of the vulnerabilities addressed in Adobe ColdFusion can be found here:
https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-62.html
Further details of the vulnerabilities addressed in Adobe InCopy can be found here: https://helpx.adobe.com/security/products/incopy/apsb23-60.html
Citrix
Further details about the Citrix Bleed vulnerability can be found here:
https://www.blackarrowcyber.com/blog/advisory-26-october-2023-citrix-bleed-vulnerability
FortiGuard
Further details on the FortiGuard advisories can be found here:
https://www.fortiguard.com/psirt
VMware
Further information on the vulnerability addressed by VMware can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0026.html
WordPress
Further information on the WordPress vulnerability can be found here:
Black Arrow Cyber Advisory 09 November 2023 – Critical Atlassian Confluence Vulnerability Actively Exploited
Executive summary
Atlassian has published a security advisory warning users of an active exploitation of a critical vulnerability in all versions of Atlassian Confluence Data Center and Server, which could allow an unauthenticated attacker to perform actions with administrative functions. The vulnerability has been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
What’s the risk to me or my business?
Organisations operating a vulnerable version are at risk of allowing an unauthenticated attacker to reset Confluence and create an administrator account. Atlassian has stated that exploitation can lead to a full loss of confidentiality, integrity and availability. This vulnerability affects all versions of Atlassian Confluence Data Center and Server.
What can I do?
Black Arrow recommends following Atlassian’s advice and applying updates immediately, which can be found in their advisory linked below. Atlassian has stated that publicly accessible Confluence Data Center and Server instances in particular are at critical risk of exploitation.
In the event that you are unable to apply the updates, mitigations have been provided by Atlassian, however updates should be applied as soon as possible. The fixed versions of Confluence Data Center and Server are as follows:
7.19.16
8.3.4
8.4.4
8.5.3
8.6.1
Technical Summary
CVE-2023-22518: An improper authorisation vulnerability in Atlassian Confluence Data Center and Server.
Further information can be found here:
https://nvd.nist.gov/vuln/detail/CVE-2023-22518
Black Arrow Cyber Alert 17 October 2023 – Cisco IOS XE Software Web UI Zero-Day Under Active Exploitation - updated 20, 23, 24 & 25 October 2023
Update 25/10/2023:
Another actively exploited zero-day has been found and is being used in the wild (CVE-2023-20273). The two exploits are now being chained: the first to gain initial access and create a new local user, the second to elevate that user to admin privileges on the system.
Links to the new CVE can be found below.
Update 24/10/2023:
The method of identifying compromised devices was updated and the number of compromised devices jumped back up to 38,000.
Patches have been made available by Cisco and should be applied as soon as possible.
Update 23/10/2023:
The number of compromised devices dropped sharply from 50,000 to 100 after Cisco disclosed the existence of the vulnerability, as it appears that attackers modified the implant in an attempt to mask their activity.
Update 20/10/2023:
The number of Cisco devices hacked through exploitation of the zero-day has now reached approximately 40,000, according to multiple sources.
Executive summary
Cisco has published a security advisory warning users of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE software, which could allow an unauthenticated attacker to create an account with privileged exec mode enabled, giving them full control. According to Shodan, there are 40,000 devices with this vulnerability exposed online.
What’s the risk to me or my business?
Organisations with a vulnerable device whose web UI feature is exposed are leaving themselves open to an attacker gaining full access to their Cisco device, impacting the confidentiality, availability and integrity of their data.
This vulnerability affects all Cisco devices that have the web UI feature enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands. There is no patch currently available, but Cisco has stated it is working on a fix. In the meantime, as a mitigation, Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
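As an added example (not Cisco’s code or part of the advisory), the following Python snippet shows how an operator could scan an exported running-config for the two web UI toggles named above and list the matching mitigation commands for whichever server is still enabled. The sample configuration is constructed for illustration, and the function and key names are the example’s own; the commands it recognises and emits are exactly those quoted in the advisory.

```python
"""Check an IOS XE running-config excerpt for the web UI (HTTP/HTTPS server) feature.

Added example, not Cisco's code. The sample configuration is constructed for
illustration; the commands it looks for and the mitigation it prints are the
ones named in Cisco's advisory quoted above.
"""
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
!
hostname edge-router-1
!
ip http server
no ip http secure-server
ip http authentication local
ip http client source-interface GigabitEthernet0/0/0
!
line vty 0 4
 transport input ssh
!
"""

# Matches only the two server toggles, optionally negated; other 'ip http ...'
# options (authentication, client, ...) are deliberately ignored.
_TOGGLE_RE = re.compile(r"^\s*(no\s+)?ip\s+http\s+(secure-server|server)\s*$", re.IGNORECASE)


def web_ui_state(config: str) -> Dict[str, str]:
    """Return {'http': ..., 'https': ...} with values 'enabled', 'disabled' or 'not-seen'.

    'not-seen' is reported rather than assumed disabled: on platforms where a
    server is on by default the line may simply be absent, so confirm with
    'show ip http server status' on the device itself.
    """
    state = {"http": "not-seen", "https": "not-seen"}
    for line in config.splitlines():
        m = _TOGGLE_RE.match(line)
        if not m:
            continue
        key = "https" if m.group(2).lower() == "secure-server" else "http"
        # A later line for the same toggle overrides an earlier one.
        state[key] = "disabled" if m.group(1) else "enabled"
    return state


def mitigation_commands(state: Dict[str, str]) -> List[str]:
    """Global-configuration commands from the advisory for each server still enabled."""
    commands = []
    if state["http"] == "enabled":
        commands.append("no ip http server")
    if state["https"] == "enabled":
        commands.append("no ip http secure-server")
    return commands


if __name__ == "__main__":
    current = web_ui_state(SAMPLE_CONFIG)
    print(current)
    for cmd in mitigation_commands(current) or ["(no web UI toggle enabled in this excerpt)"]:
        print(cmd)
```

Treat "not-seen" as a prompt to verify on the device rather than as a clean result; a config export only proves what was explicitly configured, not what the platform defaults to.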
What can I do?
Black Arrow recommends following Cisco’s advice and disabling the HTTP server feature. The commands can be found in Cisco’s security advisory which is linked below.
Technical Summary (updated 23/10/2023)
CVE-2023-20273: This vulnerability allows an attacker to use an authenticated account, such as the one CVE-2023-20198 can create, to gain admin privileges on the system.
CVE-2023-20198: This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with the highest privilege. The CVE has been given the maximum severity rating.
Further information can be found here:
Further information on the number of exploited devices can be found here: https://www.securityweek.com/number-of-cisco-devices-hacked-via-unpatched-vulnerability-increases-to-40000/
Black Arrow Cyber Advisory 12 October 2023 – Microsoft Patch Tuesday, Adobe and Chrome Security Updates Summary
Executive summary
Microsoft’s October 2023 Patch Tuesday provides updates to address 103 security issues across its product range, including two actively exploited zero-day vulnerabilities (CVE-2023-36563 and CVE-2023-41763). One of the exploited zero-days is a privilege escalation vulnerability in Skype; the other is an information disclosure vulnerability in Microsoft WordPad that can result in the disclosure of NTLM hashes. Also among the updates provided by Microsoft were 13 critical vulnerabilities.
In addition to the Microsoft updates, this week also saw Adobe fix 13 vulnerabilities across various products, including a vulnerability in Adobe Reader under active exploitation, and Google address 20 vulnerabilities in Chrome.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker with access to elevate privileges, or to capture the hashes of user passwords in order to gain access to those users’ accounts. Both compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and for all other vulnerabilities that have a critical severity rating.
Technical Summary
CVE-2023-36563: An information disclosure vulnerability in Microsoft WordPad which, if exploited, could result in the leak of NTLM hashes.
CVE-2023-41763: If exploited, this vulnerability allows an attacker to escalate privileges in Skype, which could lead to the exposure of sensitive information such as IP addresses and port numbers, and enable an attacker to gain access to internal networks.
Adobe
This month, Adobe released fixes for 13 vulnerabilities across Adobe Bridge (2), Commerce (10) and Photoshop (1), of which 8 were rated critical. Adobe have stated that a vulnerability in Adobe Reader is under active exploitation. The vulnerabilities include remote code execution, memory leak, privilege escalation and security bypass.
Chrome
Google has released an update for Chrome which patches 20 vulnerabilities, the most severe of which could allow a malicious attacker to perform arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, delete or modify data; or create new accounts with full user rights. Users whose accounts have fewer user rights could be less impacted than those who operate with administrative user rights. While there are currently no reports of these vulnerabilities being exploited in the wild, it is advised to update to the latest version as soon as possible.
Further details on other specific updates within this Patch Tuesday can be found here:
https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct
Further details about CVE-2023-36563 can be found here:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36563
Further details about CVE-2023-41763 can be found here:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-41763
Further details of the vulnerabilities addressed in Adobe Bridge can be found here:
https://helpx.adobe.com/security/products/bridge/apsb23-49.html
Further details of the vulnerabilities addressed in Adobe Commerce can be found here:
https://helpx.adobe.com/security/products/magento/apsb23-50.html
Further details of the vulnerabilities addressed in Adobe Photoshop can be found here:
https://helpx.adobe.com/security/products/photoshop/apsb23-51.html
Further details of the vulnerabilities addressed in Chrome can be found here:
https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html
Black Arrow Cyber Advisory 28 September 2023 – Google Patches Actively Exploited Chrome Zero Day as Mozilla Fix High-Severity Vulnerabilities in Firefox and Thunderbird
Executive summary
A new actively exploited zero-day vulnerability in Google Chrome which can lead to remote code execution has been identified, with patches released. Also this week, Mozilla released updates for high-severity vulnerabilities in both Firefox and Thunderbird.
What’s the risk to me or my business?
The actively exploited vulnerability and high-severity vulnerabilities can allow an attacker to execute malicious code, compromising the confidentiality, integrity and availability of data.
What can I do?
Security updates are available for both browsers. The updates for Chrome are available in version 117.0.5938.132 and should be applied immediately. The updates for Firefox are available in version 118 and should be applied as soon as possible.
Technical Summary
CVE-2023-5217: an actively exploited zero-day heap-based buffer overflow which can lead to execution of arbitrary code.
The security advisory from Google Chrome can be found here:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
The security advisory from Firefox can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-41/
Black Arrow Cyber Advisory 15 September 2023 – Critical Vulnerability in Multiple Browsers and Applications Exploited, Update Now
Executive summary
A critical vulnerability in WebP has been identified as being actively exploited. The vulnerability impacts multiple browsers including Chrome, Edge, Firefox and Opera and any software using the libwebp library. Successful exploitation can lead to malicious code execution.
What’s the risk to me or my business?
The actively exploited vulnerability can allow an attacker to execute malicious code on vulnerable software, compromising the confidentiality, integrity and availability of data.
What can I do?
Security updates are available for browsers impacted; these should be applied immediately. It has been noted that other applications which use the libwebp library are also impacted and it is recommended that organisations check if the software they use is vulnerable.
Technical Summary
CVE-2023-4863: The actively exploited vulnerability is a heap buffer overflow in libwebp which can allow an attacker to execute malicious code.
Further details on the vulnerability can be found here:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
The security advisory from Google Chrome can be found here:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html
The security advisory from Firefox can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
The security advisory from Microsoft can be found here:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-4863
Black Arrow Cyber Advisory 13 September 2023 – Microsoft Patch Tuesday fixes 59 Vulnerabilities, including Two Actively Exploited, also Adobe, Chrome, Mozilla and SAP Updates
Executive summary
Microsoft’s September Patch Tuesday provides updates to address 59 security issues across its product range, including two actively exploited zero-day vulnerabilities. The exploited zero-days have both been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities Catalog”. Of the 59 security issues addressed by Microsoft, 5 were rated critical.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker to gain SYSTEM privileges, or to capture and relay hashes of user passwords to gain access to that user’s account. Both compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.
Technical Summary
CVE-2023-36802: This actively exploited vulnerability allows a local attacker to gain SYSTEM privileges.
CVE-2023-36761: This actively exploited vulnerability can allow an attacker to steal the NTLM password hashes of users who open a malicious document, even if it is only viewed in the preview pane.
Adobe
This month, Adobe released fixes for 5 vulnerabilities, including 1 critical vulnerability, across Adobe Acrobat & Reader (1), Adobe Connect (2) and Adobe Experience Manager (2). The critical vulnerability, tracked as CVE-2023-26369, impacts both Windows and macOS versions of Adobe Acrobat & Reader and if exploited, can allow an attacker to execute malicious code.
Chrome
A new update for Google Chrome is available for Windows, Linux and macOS. The update includes 16 security fixes, including one critical, actively exploited vulnerability which could cause a denial of service or allow code execution.
Mozilla
Mozilla released fixes for two critical vulnerabilities, impacting Firefox and Thunderbird. The vulnerabilities could allow an attacker to perform code execution.
SAP
Enterprise software vendor SAP has addressed 13 vulnerabilities in several of its products, including two critical-severity vulnerabilities that impact SAP BusinessObjects Business Intelligence Platform, covering remote code execution and authentication bypass. A total of 5 vulnerabilities were given the “Hot News” priority, which is the highest priority according to SAP.
Further details on other specific updates within this Patch Tuesday can be found here:
https://www.ghacks.net/2023/09/12/the-windows-september-2023-security-updates-are-now-available/
Further information on Adobe Acrobat and Reader can be found here:
https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
Further information on Adobe Connect can be found here:
https://helpx.adobe.com/security/products/connect/apsb23-33.html
Further information on Adobe Experience Manager can be found here:
https://helpx.adobe.com/security/products/experience-manager/apsb23-43.html
Further information on the patches by SAP can be found here:
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Further information on Google Chrome can be found here:
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html
Further information on Mozilla can be found here:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Black Arrow Cyber Advisory 18 August 2023 – Critical Citrix ADC Backdoor Campaign
This is an update following the 19 July Critical Citrix ADC and Gateway flaw actively exploited advisory by Black Arrow.
Executive Summary
Following the previous advisory on the Citrix NetScaler ADC vulnerability (CVE-2023-3519), NCC Group has identified that, as of 14 August, 1828 Citrix NetScaler servers remain compromised or ‘backdoored’ by attackers. Approximately 69% of the servers that contain a backdoor have been updated to remediate the vulnerability and are no longer vulnerable to CVE-2023-3519. This means that the affected systems were compromised by a malicious actor prior to the updates being applied, allowing the malicious actor to retain persistent access to the systems even after the vulnerability has been remediated.
What’s the risk to me or my business?
Successful exploitation of the vulnerability prior to updating would allow an attacker to perform arbitrary code execution with administrator privileges. The main attack campaign is believed to have taken place between late on 20 July and early on 21 July. If updates were not applied to affected and vulnerable systems prior to this date, exploitation may have already taken place.
Further information on the vulnerability can be found on our previous advisory linked below.
What can I do?
If you have not already updated to a Citrix version that resolves this vulnerability, Black Arrow recommends applying the updates urgently. All affected systems, both updated and still vulnerable, should be scanned for indicators of compromise (IoCs); Mandiant have released a tool that can help organisations scan their Citrix devices for evidence of post-exploitation activity. If IoCs are identified, forensic data should be secured by taking a copy of both the disk and the memory of the appliance before any remediation or investigative actions are carried out. If evidence of persistence, such as a webshell, is found, this should be investigated through threat hunting to establish the extent of the incident whilst conducting containment and remediation activities.
More information on the NetScaler vulnerability:
Information on the Mandiant Tool:
https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519
Further information on the study of the exploited devices:
Previous Advisory: https://www.blackarrowcyber.com/blog/advisory-19-july-2023-citrix-vulns-exploited
Black Arrow Cyber Advisory 10 August 2023 – Microsoft Patch Tuesday Fixes 86 Vulnerabilities, including Two Actively Exploited, and Adobe Updates Summary
Executive summary
Microsoft’s August Patch Tuesday provides updates to address 86 security issues across its product range, including two zero-day vulnerabilities (CVE-2023-36884 and CVE-2023-38180). The vulnerabilities allow remote code execution and denial of service respectively. Among the updates provided by Microsoft, 6 addressed critical vulnerabilities.
What’s the risk to me or my business?
The vulnerabilities allow an attacker to remotely execute code and cause a denial of service, impacting the confidentiality, integrity and availability of data held by an organisation. CVE-2023-38180, which is a denial-of-service vulnerability, has been recorded by the US Cybersecurity and Infrastructure Security Agency (CISA) in its “Known Exploited Vulnerabilities” Catalogue.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied immediately for the zero-day vulnerabilities and as soon as possible for all other vulnerabilities. Microsoft has also published a separate advisory for CVE-2023-36884.
Technical Summary
CVE-2023-36884: This vulnerability, if exploited, allows threat actors to create specially crafted documents which bypass Mark of the Web (MoTW) security features, causing files to be opened without warning and allowing the threat actor to perform remote code execution.
CVE-2023-38180: The actively exploited vulnerability allows an attacker to cause a denial-of-service attack on .NET applications and Visual Studio.
Adobe
In addition to Microsoft’s Patch Tuesday, Adobe released fixes for 36 vulnerabilities, of which 19 were rated critical. The critical vulnerabilities spanned Adobe Acrobat and Reader (16), Adobe Commerce and Adobe Dimension (2). At present, Adobe is not aware of any of these vulnerabilities being actively exploited. The vulnerabilities include remote code execution, memory leak and security bypass.
Further details on other specific updates within this Patch Tuesday can be found here:
Further details about CVE-2023-38180 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180
Further details about CVE-2023-36884 can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
The advisory from Microsoft can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/ADV230003
Further information on CISA’s Known Exploited Vulnerabilities Catalog can be found here:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Further details of the vulnerabilities addressed in Adobe Acrobat DC and Reader can be found here: https://helpx.adobe.com/security/products/acrobat/apsb23-30.html
Further details of the vulnerabilities addressed in Adobe Commerce can be found here: https://helpx.adobe.com/security/products/magento/apsb23-42.html
Further details of the vulnerabilities addressed in Adobe Dimension can be found here: https://helpx.adobe.com/security/products/dimension/apsb23-44.html
Black Arrow Cyber Advisory 19 July 2023 – Critical Citrix ADC and Gateway flaw actively exploited
Executive Summary
Citrix have released a patch for three vulnerabilities, including one critical vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). If exploited, the critical vulnerability allows an unauthenticated malicious actor to perform remote code execution. The other two vulnerabilities allow an attacker to gain root administrator permissions and deliver malicious files and links to a victim.
Technical Summary
CVE-2023-3519 – A critical vulnerability which allows an unauthenticated attacker to perform remote code execution. Exploitation requires the appliance to be configured as a gateway.
CVE-2023-3466 – A high-severity reflected cross-site scripting vulnerability which allows an attacker to deliver malicious files, links and emails. Exploitation requires the victim to open an attacker-controlled link in the browser while on the network.
CVE-2023-3467 – A high-severity privilege escalation vulnerability which allows an attacker to gain root privileges. Successful exploitation requires the attacker to have authenticated access to the management interface.
What’s the risk to me or my business?
The vulnerabilities allow for a range of attacks such as unauthenticated remote code execution, privilege escalation to root as well as enabling an attacker the ability to distribute malicious files, links, and emails to users. All of which compromise the confidentiality, integrity, and availability of the data in your organisation.
Impacted versions of the products include the following:
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297
NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Citrix advises customers to upgrade their appliances to one of the supported versions that address the vulnerabilities.
What can I do?
Citrix recommends applying the patches which they have made available in the following versions:
NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
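To turn the impacted and fixed version lists above into a repeatable check across an estate, the following added example (not Citrix's or Black Arrow's code) compares a NetScaler build against the first fixed build on each branch given in this advisory. The fixed builds are taken from the advisory text; the format of the show ns version output it also accepts ("NetScaler NS13.1: Build 49.13.nc, ...") is an assumption, and the sample build numbers in the usage are constructed. The variant argument exists because FIPS and NDcPP builds carry lower build numbers than the standard branch and would otherwise be judged against the wrong fixed build.

```python
"""Check a NetScaler ADC / Gateway build against the fixed builds in this advisory.

Added example, not Citrix's or Black Arrow's code. Fixed builds come from the
advisory text; the 'show ns version' output format is an assumption.
"""
import re

# First build on each branch that contains the fix (from the advisory).
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (55, 297),
    "12.1-NDcPP": (55, 297),
}

# Branches with no fixed build: the advisory states plain 12.1 is End Of Life.
EOL_BRANCHES = {"12.1"}

# "13.1-49.13" as written in the advisory.
_VERSION_RE = re.compile(r"^(?P<release>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)$")
# Assumed format of a 'show ns version' line: "NetScaler NS13.1: Build 49.13.nc, ..."
_SHOW_VERSION_RE = re.compile(
    r"NS(?P<release>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(text: str):
    """Return (release, (major, minor)) from '13.1-49.13' or a show ns version line."""
    m = _VERSION_RE.match(text.strip()) or _SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def assess(text: str, variant: str = "") -> str:
    """Classify a build as 'patched', 'vulnerable', 'eol' or 'unknown'.

    variant is 'FIPS' or 'NDcPP' for those builds; a FIPS build such as
    13.1-37.159 is numerically below the standard 13.1 fix (49.13), so the
    branch must be selected explicitly rather than inferred from the number.
    """
    release, build = parse_version(text)
    branch = f"{release}-{variant}" if variant else release
    if branch in EOL_BRANCHES:
        return "eol"          # no fix exists: upgrade to a supported release
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"      # branch not covered by this advisory
    # Tuple comparison orders (major, minor) the same way Citrix numbers builds.
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory entries, not real appliances.
    inventory = [
        ("gw-dmz-1", "13.1-48.47", ""),
        ("gw-dmz-2", "NetScaler NS13.1: Build 49.15.nc, Date: Jan 1 2024", ""),
        ("adc-fips-1", "13.1-37.159", "FIPS"),
        ("adc-legacy", "12.1-65.35", ""),
    ]
    for host, version, variant in inventory:
        print(f"{host}: {assess(version, variant)}")
```

Any result other than "patched" should be treated as an action item: "vulnerable" and "eol" appliances need the upgrade, and, per the 18 August update to this advisory, appliances that were exposed before patching should still be scanned for indicators of compromise even once they report "patched".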
More information on the Citrix ADC and Gateway flaw vulnerability can be found here:
Black Arrow Cyber Advisory - 22 June 2023 – Critical RCE flaw in VMware exploited in the wild
An update from an advisory published on the 8th June 2023 by Black Arrow: https://www.blackarrowcyber.com/blog/advisory-08062023-barracuda-cisco-vmware-vulns
Executive summary
VMware has confirmed that exploitation of the critical-rated CVE-2023-20887 has occurred in the wild. This vulnerability affects VMware Aria Operations for Networks (formerly known as vRealize Network Insight) and allows a malicious actor with network access to perform remote code execution (RCE).
What’s the risk to me or my business?
The vulnerability, if exploited through command injection, could give the attacker unrestricted root access, compromising the confidentiality, integrity and availability of data in your organisation.
Impacted versions include VMware Aria Operations for Networks version 6.x.
What can I do?
VMware have recommended applying patches which they have made available for the following versions: 6.2/6.3/6.4/6.5.1/6.6/6.7/6.8/6.9/6.10.
There are no workarounds for this vulnerability.
Further details on the VMware vulnerability can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0012.html
Further details on the VMware patch can be found here: https://kb.vmware.com/s/article/92684
Black Arrow Cyber Advisory 15 March 2023 – Microsoft Releases Patch for Critical Outlook/365 Vulnerability Under Active Exploitation
Executive Summary
This week Microsoft released a patch for a critical actively exploited privilege escalation vulnerability in Microsoft Outlook. The vulnerability is tracked as CVE-2023-23397.
What’s the risk to me or my business?
Successful exploitation of the vulnerability could allow an attacker to obtain authentication details from a targeted machine. These details can then be relayed to other systems or brute-forced offline, leading to compromise of the account.
Technical Summary:
The vulnerability allows an attacker to craft malicious emails which force a target device to connect to a remote UNC path of the attacker’s choice. A UNC path is used to access network resources. Upon connection, the Net-NTLMv2 hash, which is a hash of the victim’s password, is leaked to the attacker. The attacker can then relay this hash to authenticate as the victim on other services, or crack the hash offline. At no point does the email need to be previewed or opened; the vulnerability is triggered as soon as the email is received and processed by the email server.
What can I do?
It is recommended that organisations apply the latest patches as soon as possible as this vulnerability is recorded as actively exploited. In their analysis, Microsoft recorded that this vulnerability was exploited by Strontium, a state-sponsored Russian hacking group. Organisations using strictly off-premises solutions are not impacted.
Further information on CVE-2023-23397 can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Black Arrow Cyber Advisory 15/02/2023 – Microsoft Patch Tuesday – 75 patches and Three Actively Exploited Vulnerabilities
Executive summary
Microsoft’s February Patch Tuesday provides updates to address 75 security issues across its product range, including three actively exploited zero-days.
Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity; 37 of the 75 are classified as remote code execution (RCE) flaws.
The three exploited zero-day vulnerabilities comprise a security feature bypass, a remote code execution vulnerability and an elevation of privilege vulnerability.
What’s the risk to me or my business?
The actively exploited vulnerabilities could allow an attacker to bypass security features to upload malicious files, remotely execute code and gain SYSTEM privileges; all of which could compromise the confidentiality, integrity and availability of data stored by an organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerabilities and all other vulnerabilities that have a critical severity rating.
Technical Summary
The following is a breakdown of the actively exploited vulnerabilities which affected Microsoft Operating Systems:
CVE-2023-21715: A vulnerability which allows an authenticated local user to bypass the Microsoft Office macro policies used to block untrusted or malicious files.
CVE-2023-21823: A remote code execution vulnerability which allows an attacker to execute code with system privileges, effectively providing them with unlimited permission. Microsoft Store will automatically update affected customers, providing automatic updates are enabled in the Store.
CVE-2023-23376: A vulnerability which allows a successful attacker to gain SYSTEM privileges, effectively providing them with unlimited permission.
Further details on other specific updates within this patch Tuesday can be found here: https://www.ghacks.net/2023/02/14/microsoft-windows-security-updates-february-2023-overview/
Further details about CVE-2023-21715 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21715
Further details about CVE-2023-21823 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21823
Further details about CVE-2023-23376 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376