CyberSecurity.PH #012
United Nations names Philippines in cyber fraud networks; a collection of AI exploits; Microsoft SharePoint actively exploited; Ivanti actively exploited; GitLab zero-click account hijack; Juniper pre-auth RCE
Philippines
Latest United Nations report names Philippines as part of rapidly growing South East Asian cyber fraud networks
The United Nations Office on Drugs and Crime (UNODC) this week released a lengthy report titled “Casinos, Money Laundering, Underground Banking, and Transnational Organized Crime in East and Southeast Asia: A Hidden and Accelerating Threat” - UNODC
The report highlights cyber crime activity occurring within the Philippines centred on casinos, Philippine Offshore Gaming Operators (POGOs) and cryptocurrency platforms.
From the report “…Clark Freeport Zone in Pampanga, rescuing 1,090 individuals including 919 foreign nationals and 171 Filipinos at the Colorful and Leap Group Company in the Clark Sun Valley Hub. The syndicate, concealing its criminal activities using its POGO license, was found to be forcing victims to carry out cyberfraud and cryptocurrency investment fraud…”
Additional reading - The Register, The Record
Cybersecurity Threat Landscape
This week brings an overload of critical vulnerabilities (CVSS 9+), several of which are already being exploited by multiple threat actors. If you operate any of the impacted products (SharePoint, GitLab, Confluence, Ivanti, Juniper, SonicWall, Chrome) and are running late on the patching cycle (i.e. more than a week), or the product is internet facing, then you should work on the assumption that it may already have been compromised - please focus and address with urgency.
Microsoft SharePoint critical bug now actively exploited
CISA has added Microsoft SharePoint vulnerability CVE-2023-29357 to its Known Exploited Vulnerabilities (KEV) Catalog.
Microsoft's advisory states: “… An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user…” and “An attacker who successfully exploited this vulnerability could gain administrator privileges. The attacker needs no privileges nor does the user need to perform any action.”
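As an added illustration (not from this newsletter, not SharePoint's code, and not the CVE-2023-29357 exploit, whose specifics the advisory quote above does not give), the Python below shows the check a JWT consumer must make before trusting token claims: a naive consumer that reads claims without verifying the signature accepts a forged token claiming the admin role, while a consumer that pins the expected algorithm and recomputes the HMAC rejects both an unsigned (`alg: none`) token and one signed with the wrong key. The secret, claim names and tokens are all constructed for the example.

```python
"""Added illustration of the JWT-consumer check: claims are only as trustworthy
as the signature verification that precedes them. Constructed example, not
SharePoint code and not the CVE-2023-29357 exploit; secret and claims are made up."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # made up for the example; real keys come from a key store


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_token(payload: dict, secret: Optional[bytes], alg: str = "HS256") -> str:
    """Build a compact JWT. alg='none' yields an unsigned token with an empty
    signature segment, which is what a forger presents hoping the consumer
    trusts the header instead of checking the MAC."""
    signing_input = f"{_json_segment({'alg': alg, 'typ': 'JWT'})}.{_json_segment(payload)}"
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def naive_decode(token: str) -> dict:
    """Broken consumer: reads the claims and never checks who signed them."""
    _header, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_token(token: str, secret: bytes) -> Optional[dict]:
    """Hardened consumer: pin the algorithm, recompute the MAC over the exact
    header.payload bytes received, compare in constant time. Returns the claims
    on success and None on any failure; callers must treat None as
    unauthenticated and never fall back to reading the claims anyway."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # rejects alg=none and any algorithm we did not issue
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def demo() -> dict:
    legit = make_token({"sub": "alice", "role": "user"}, SECRET)
    forged_none = make_token({"sub": "alice", "role": "admin"}, None, alg="none")
    forged_key = make_token({"sub": "alice", "role": "admin"}, b"attacker-guess")
    return {
        "naive_role_from_forged": naive_decode(forged_none)["role"],  # 'admin': the spoof succeeds
        "strict_forged_none": verify_token(forged_none, SECRET),      # None: rejected
        "strict_forged_key": verify_token(forged_key, SECRET),        # None: rejected
        "strict_legit_role": verify_token(legit, SECRET)["role"],     # 'user'
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the verifier decides the algorithm, not the token: reading `alg` from the header and dispatching on it is what lets an unsigned or differently-signed token through. Real deployments use a vetted JWT library with the accepted algorithm list fixed in code; the hand-rolled HMAC here only exists to make the failure mode visible.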
Additional reading - Bleeping Computer, The Hacker News
Ivanti Connect Secure (formerly Pulse Secure) VPN now actively exploited, at least 1,700 VPN endpoints already compromised
We highlighted the Ivanti issue last week; it is now reported that “… thousands of Ivanti VPN instances have been compromised across the globe in the last five days thanks to two serious, as yet unpatched zero-day vulnerabilities disclosed last week.” - Dark Reading
Ivanti has published mitigation steps for customers but has not yet released patches that resolve the issues - ivanti.com
Volexity, which originally reported these vulnerabilities, has published a follow-up report describing at least 1,700 compromised VPN endpoints and noting that threat actors now appear to have automated their exploit tool chains - volexity.com
Additional reading - Dark Reading, The Record, The Register
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting; check out our engineering section online at CyberSecurity.PH too!
- Authentik - an open-source Identity Provider (IdP) that can be integrated into existing environments to support new protocols, and is an awesome solution for implementing sign-up and account recovery flows in your application - https://github.com/goauthentik/authentik
- Fresh Resolvers - if you are working on sub-domain takeover reviews for your organization you may need up-to-date lists of reliable DNS resolvers - https://github.com/threatpatrols/fresh-resolvers
- ssh-audit - SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc) - https://github.com/jtesta/ssh-audit
- AI Exploits - a collection of real-world AI/ML exploits for responsibly disclosed vulnerabilities; the team at Protect AI has done a good job building a collection that helps cybersecurity practitioners understand and prevent these classes of issue - https://github.com/protectai/ai-exploits
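An added example (not the fresh-resolvers project's code, and not from the newsletter) of how a sub-domain takeover review uses a list of resolvers such as the one above: every CNAME target in a constructed zone is queried through each resolver, and a target is reported as dangling only when all resolvers agree the name does not exist; disagreement or a timeout yields "inconclusive", so a single stale or broken resolver cannot manufacture a finding. The resolvers are stubbed with in-memory tables (a real run would wrap a DNS client and the resolver IPs from the list); NXDOMAIN on the target is one takeover indicator only, and the service-specific "unclaimed" fingerprints a full review also checks are out of scope here. Zone and target names use the reserved `.test` TLD.

```python
"""Added illustration for sub-domain takeover review: flag CNAME records whose
target no longer resolves, cross-checking several resolvers so that one stale
resolver cannot produce a false positive. Constructed data throughout; this is
not the fresh-resolvers project's code."""
from typing import Callable, Dict, Iterable, List, Optional


class NXDomain(Exception):
    """Raised by a resolver callable when the queried name does not exist."""


# A resolver maps a name to its A records, or raises NXDomain / a transport error.
Resolver = Callable[[str], List[str]]


def classify_cname_target(target: str, resolvers: Iterable[Resolver]) -> str:
    """'alive' if any resolver returns addresses, 'dangling' only if every
    resolver reports NXDOMAIN, otherwise 'inconclusive' (disagreement, empty
    answers, timeouts or SERVFAIL-style errors)."""
    verdicts: List[str] = []
    for resolve in resolvers:
        try:
            verdicts.append("alive" if resolve(target) else "empty")
        except NXDomain:
            verdicts.append("nxdomain")
        except Exception:  # timeout, refused, malformed answer from a bad resolver
            verdicts.append("error")
    if "alive" in verdicts:
        return "alive"
    if verdicts and all(v == "nxdomain" for v in verdicts):
        return "dangling"
    return "inconclusive"


def find_dangling_cnames(zone: Dict[str, str], resolvers: Iterable[Resolver]) -> Dict[str, str]:
    """zone maps owner name -> CNAME target; returns owner -> verdict for every
    record that is not clearly alive, so the reviewer sees what needs follow-up."""
    resolver_list = list(resolvers)
    findings: Dict[str, str] = {}
    for owner, target in zone.items():
        verdict = classify_cname_target(target, resolver_list)
        if verdict != "alive":
            findings[owner] = verdict
    return findings


# --- constructed sample data (reserved .test TLD, RFC 5737 documentation addresses) ---
SAMPLE_ZONE = {
    "www.example.test": "cdn-live.provider.test",
    "old-shop.example.test": "retired-tenant.provider.test",  # provider tenant deleted, CNAME left behind
    "blog.example.test": "flaky.provider.test",               # resolvers disagree about this one
}


def make_resolver(table: Dict[str, Optional[List[str]]]) -> Resolver:
    """Build a fake resolver from a name -> addresses table; None means NXDOMAIN,
    a missing key simulates a timeout."""
    def resolve(name: str) -> List[str]:
        if name not in table:
            raise TimeoutError(name)
        answer = table[name]
        if answer is None:
            raise NXDomain(name)
        return answer
    return resolve


RESOLVER_A = make_resolver({
    "cdn-live.provider.test": ["203.0.113.10"],
    "retired-tenant.provider.test": None,
    "flaky.provider.test": None,
})
RESOLVER_B = make_resolver({
    "cdn-live.provider.test": ["203.0.113.11"],
    "retired-tenant.provider.test": None,
    # no entry for flaky.provider.test: this resolver times out on it
})


def demo() -> Dict[str, str]:
    return find_dangling_cnames(SAMPLE_ZONE, [RESOLVER_A, RESOLVER_B])


if __name__ == "__main__":
    print(demo())
```

Only `old-shop.example.test` comes back as dangling; `blog.example.test` is inconclusive because one resolver timed out, which is exactly the case where a fresh, reliable resolver list matters: with stale resolvers in the set, "inconclusive" results pile up and the real dangling records are lost in the noise.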
Cybersecurity Vulnerabilities
GitLab zero-click account hijacking vulnerability (CVSS 10)
GitLab has released security updates for customers who self-host the Community Edition and the Enterprise Edition to address two critical vulnerabilities, one of which allows account hijacking with no user interaction (CVE-2023-7028, CVSS 10) - gitlab.com
GitLab remains awesome, we love GitLab, but this issue is as serious as it gets. If your instance is in scope for this vulnerability you need to act now.
Additional reading and advice on addressing this issue - Bleeping Computer, Cyber.gov.au, The Register
Atlassian Confluence CVSS 10 with an RCE (yes, again!)
Confluence, the corporate knowledge management platform from Atlassian has shown up with yet another CVSS 10 vulnerability CVE-2023-22527 that is easily exploited by anyone that can reach the web endpoint - atlassian.com
Atlassian states that the patches for the last CVSS 10 issue in November also mitigate this new issue; however, the latest patches address additional problems beyond those, so it is time to get patching again.
Additional reading - Dark Reading, Bleeping Computer, The Register
Juniper warns of critical pre-auth RCE vulnerability affecting firewalls and switches
Juniper has released patches for CVE-2024-21591, which unauthenticated threat actors can exploit on unpatched devices to achieve remote command execution with root privileges.
Additional reading - Bleeping Computer, The Register
Google Chrome patches latest zero-day vulnerability being actively exploited
Google states that “Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild” - googleblog.com
The Google Chrome “stable” channel has been updated to 120.0.6099.234 for Mac, 120.0.6099.224 for Linux and 120.0.6099.224/225 for Windows to address this issue.
Additional reading - Bleeping Computer
170k+ SonicWall appliances still unpatched and vulnerable
Reported by The Hacker News this week “Over 178,000 SonicWall firewalls exposed over the internet are exploitable to at least one of the two security flaws that could be potentially exploited to cause a denial-of-service (DoS) condition and remote code execution (RCE).”
The issues described in the article (CVE-2022-22274, CVE-2023-0656) date back to 2022 and 2023. According to the report, thousands of appliances have still not been updated and are likely sitting ducks waiting to be taken over.
A check using the public service, Shodan, shows that at least 1,900 SonicWall appliances are operating in the Philippines.
Additional reading - The Hacker News
Got news or something you’d like us to mention, feel free to get in contact - [email protected]