Cyber Security Briefing, 22-28 July

July 28, 2023

Cl0p ransomware campaign exploiting vulnerability in MOVEit

On 31 May 2023, Progress Software released a patch for a critical SQL injection vulnerability in MOVEit Transfer that could allow an attacker to gain full control of an installation. The flaw, tracked as CVE-2023-34362 (CVSSv3 9.8), was a 0-day: in-the-wild exploitation was identified before the patch was available. Days later, Microsoft attributed a campaign exploiting the vulnerability to the Cl0p ransomware operators. Since then the victim count, according to Konbriefing, has risen to 522 organisations across many sectors worldwide, including consulting, technology and retail companies, with the US the most affected country. Against this background, Ryan McConechy, CTO of Barrier Networks, told Spiceworks that the authorities recommend affected organisations do not negotiate with the attackers.

More info: https://www.spiceworks.com/it-security/security-general/articles/moveit-vulnerability-impact-victims/

Critical vulnerability in MikroTik routers

Researchers at VulnCheck reported that a critical privilege escalation flaw in MikroTik RouterOS puts more than 900,000 Internet-exposed routers at risk. The vulnerability, tracked as CVE-2023-30799 (CVSS 9.1), lets a remote attacker who already holds an administrator account escalate to "super-admin" through the device's HTTP or Winbox interface. Although valid credentials are required, RouterOS ships with a well-known default "admin" user and offers no brute-force protection on these login interfaces, so obtaining them is often trivial. The bug was originally disclosed in June 2022 as an exploit named FOISted, without a CVE identifier, but was not fully patched until July 2023 with RouterOS 6.49.8. VulnCheck's PoC shows that super-admin access is enough to take control of the underlying RouterOS operating system and to hide the attacker's activity from the router's management interface. MikroTik recommends applying the latest update, removing administrative interfaces from the Internet, restricting the source addresses allowed to log in, disabling Winbox and using SSH with public/private keys only.

More info: https://vulncheck.com/blog/mikrotik-foisted-revisited

15,000 Citrix servers found vulnerable to RCE attacks

Researchers at the non-profit Shadowserver Foundation warn that at least 15,000 Internet-exposed Citrix NetScaler ADC and NetScaler Gateway appliances are vulnerable to CVE-2023-3519 (CVSSv3 9.8), which allows an unauthenticated remote attacker to execute code on the device. Exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server. Shadowserver identifies these devices by a last-update date earlier than the patch release and treats them as presumed unpatched; the count is therefore an estimate rather than a confirmed list of exploitable hosts. Separately, CISA warned that the vulnerability was recently exploited as a 0-day against a US critical infrastructure organisation.

More info: https://twitter.com/Shadowserver/status/1682355280317919233

Apple releases security update for new 0-day vulnerability

Apple has released security updates for iOS, iPadOS, macOS, tvOS, watchOS and Safari addressing a 0-day vulnerability that, according to Apple, may have been actively exploited against versions of iOS released before iOS 15.7.1. The kernel flaw, tracked as CVE-2023-38606 (no CVSS score assigned yet), allows an app to modify sensitive kernel state. It is the third vulnerability linked to Operation Triangulation, a zero-click attack chain against iOS devices delivered via iMessage, in which merely receiving the message triggers the infection with no user interaction. The other two 0-days in the chain, CVE-2023-32434 and CVE-2023-32435, were patched by Apple earlier.

More info: https://support.apple.com/en-us/HT213841

Vulnerability in AMD Zen2 CPUs allows the theft of sensitive data

Google security researcher Tavis Ormandy discovered a new vulnerability in AMD Zen2 CPUs, dubbed Zenbleed, that lets an attacker steal sensitive data such as passwords and encryption keys at a rate of about 30 KB/s per CPU core. Tracked as CVE-2023-20593, it stems from the processor's mishandling of the vzeroupper instruction under speculative execution, a performance technique used by all modern processors: a mispredicted vzeroupper can leave stale register-file contents readable by a different context running on the same core. Because the leak happens in hardware rather than at any software boundary, unprivileged code can read data from anything else running on the core, including virtual machines, sandboxes and containers. Ormandy has published a PoC exploit.
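As an added illustration, not code from the Zenbleed writeup or from AMD, the C program below does the two things an administrator needs before deciding how to respond: it decodes CPUID leaf 1 into the AMD display family/model and classifies the core as Zen2 using the model ranges the Linux kernel's Zenbleed fix checks, and it computes the value for the software workaround the writeup offers when a microcode update is not yet available, which is setting bit 9 of MSR 0xC0011029 (DE_CFG). The program only prints the wrmsr command; running it needs root and the msr kernel module, and the sample EAX value used in comments is a constructed Matisse encoding.

```c
/* zenbleed_check.c - added example, not part of the Zenbleed writeup or AMD's
 * guidance. Classifies an AMD CPU as Zen2 from CPUID leaf 1 and computes the
 * DE_CFG "chicken bit" value used by the writeup's software workaround.
 * Build: cc -O2 -o zenbleed_check zenbleed_check.c
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* MSR and bit from the writeup's workaround:
 *   wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))            */
#define MSR_AMD64_DE_CFG     0xC0011029u
#define DE_CFG_ZENBLEED_BIT  (UINT64_C(1) << 9)

/* AMD display family: Family = BaseFamily + ExtendedFamily when BaseFamily == 0xF.
 * Example (constructed): EAX 0x00870F10 -> family 0x17. */
unsigned cpuid_family(uint32_t eax)
{
    unsigned base = (eax >> 8) & 0xF;
    return base == 0xF ? base + ((eax >> 20) & 0xFF) : base;
}

/* AMD display model: Model = (ExtendedModel << 4) | BaseModel when BaseFamily == 0xF.
 * Example (constructed): EAX 0x00870F10 -> model 0x71 (Matisse). */
unsigned cpuid_model(uint32_t eax)
{
    unsigned base = (eax >> 4) & 0xF;
    return ((eax >> 8) & 0xF) == 0xF ? (((eax >> 16) & 0xF) << 4) | base : base;
}

/* Zen2 is family 0x17; the model ranges are those the Linux kernel's Zenbleed
 * fix checks (Rome, Renoir/Lucienne, Matisse, Van Gogh, Mendocino, ...). */
int is_zen2(unsigned family, unsigned model)
{
    if (family != 0x17)
        return 0;
    return (model >= 0x30 && model <= 0x4F) ||
           (model >= 0x60 && model <= 0x7F) ||
           (model >= 0x90 && model <= 0x91) ||
           (model >= 0xA0 && model <= 0xAF);
}

int is_zen2_eax(uint32_t eax)
{
    return is_zen2(cpuid_family(eax), cpuid_model(eax));
}

/* Value to write back to DE_CFG: the current contents with bit 9 set. */
uint64_t de_cfg_mitigated(uint64_t current)
{
    return current | DE_CFG_ZENBLEED_BIT;
}

int de_cfg_is_mitigated(uint64_t current)
{
    return (current & DE_CFG_ZENBLEED_BIT) != 0;
}

/* Renders the msr-tools command for a DE_CFG value read with rdmsr.
 * Returns the length snprintf would write (so (NULL, 0) sizes the buffer). */
int wrmsr_command(uint64_t current, char *buf, size_t len)
{
    return snprintf(buf, len, "wrmsr -a 0x%x 0x%" PRIx64,
                    MSR_AMD64_DE_CFG, de_cfg_mitigated(current));
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    char vendor[13] = {0};
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx)) {
        puts("cpuid not supported");
        return 1;
    }
    memcpy(vendor, &ebx, 4); memcpy(vendor + 4, &edx, 4); memcpy(vendor + 8, &ecx, 4);
    __get_cpuid(1, &eax, &ebx, &ecx, &edx);
    unsigned family = cpuid_family(eax), model = cpuid_model(eax);
    printf("vendor=%s family=0x%x model=0x%x\n", vendor, family, model);
    if (strcmp(vendor, "AuthenticAMD") == 0 && is_zen2(family, model)) {
        puts("Zen2 core: apply AMD's microcode update, or as a workaround run (as root):");
        puts("  wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))");
    } else {
        puts("not a Zen2 core: CVE-2023-20593 does not apply");
    }
#else
    puts("non-x86 build: CPUID not available");
#endif
    return 0;
}
```

The family/model decode is the part that is easy to get wrong: Zen parts have a base family of 0xF, so the extended family and model fields must be folded in, otherwise every Zen generation looks like family 0xF model 0x1 and the check silently misclassifies. The workaround is a per-core MSR write, which is why the writeup's command uses `wrmsr -a`; it does not persist across reboot, so the microcode update remains the real fix.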

More info: https://lock.cmpxchg8b.com/zenbleed.html