The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
Welcome to Picus Security's weekly cyber threat intelligence roundup!
Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.
Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.
March 29: Latest Vulnerabilities, Exploits and Patches
Here are the top vulnerabilities and exploitations that were observed in the third and last week of March.
CVE-2023-48788: Fortinet FortiClient EMS Pre-auth SQL Injection Vulnerability Is Under Attack
A critical vulnerability identified in Fortinet FortiClient EMS, known as CVE-2023-48788, is being actively exploited, as confirmed by CISA [1].
The attack cycle of CVE-2023-48788 begins when an attacker sends a specially crafted request to the FmcDaemon.exe component. This component is designed to listen for requests on port 8013 and communicate with the FCTDas.exe data access server, which translates these requests into SQL queries for the Microsoft SQL Server database [2].
The critical flaw lies in how FmcDaemon.exe and FCTDas.exe process the FCTUID within the request. The attacker modifies the FCTUID to include malicious SQL commands. Since FCTDas.exe doesn't properly sanitize this input, the injected SQL commands are executed directly on the database.
One of the potent attack vectors exploited through this vulnerability is the activation and use of the xp_cmdshell command within Microsoft SQL Server. This command allows for the execution of arbitrary shell commands on the server, thereby granting the attacker the ability to execute remote code. Although the SQL Server might not have xp_cmdshell enabled by default, the attacker can use additional SQL injections to activate this feature.
As of writing this blog on 28th March, there were nearly 130 vulnerable FortiClient EMS instances reported by Shadow Server.
Proof-of-Concept exploit can be reached here.
Note that the PoC does not execute remote code but demonstrates the vulnerability's presence by showing how SQL injection can be achieved.
Source: Shadow Server
CVE-2024-23897: A Critical File Read Vulnerability in Jenkins’ args4j Library Exposes Over 45,000 Servers
Jenkins, a key player in the automation server domain, has encountered a critical vulnerability, CVE-2024-23897, primarily affecting its Command-Line Interface (CLI) due to a flaw in the args4j library [3].
This vulnerability enables an unauthenticated user to read files, potentially escalating to more severe compromises, especially in Jenkins instances integral to various operational infrastructures.
A staggering figure of over 45,000 unpatched Jenkins servers has been reported, highlighting a significant security oversight within the user community.
Source: Shadow Server
The attack lifecycle commences with an adversary exploiting the file read vulnerability to access sensitive files on the Jenkins server. This access could lead to further exploitation, where even more critical data or system functionalities could be compromised. Notably, the flaw allows reading the first few lines of any file for an unauthenticated user, while an authenticated user could exploit this to read entire files, increasing the attack's severity.
In response to this looming threat, Jenkins has introduced patches in versions 2.442 and LTS 2.426.3, effectively disabling the feature that led to the exploit. The urgency to apply these updates cannot be overstated, as the window of opportunity for attackers remains open until these patches are universally adopted across vulnerable instances.
CVE-2023-41724: Ivanti Released a Patch for Standalone Sentry Remote Code Execution Vulnerability
Ivanti has proactively issued patches for a critical vulnerability in Standalone Sentry [4], cataloged as CVE-2023-41724, a finding highlighted by NATO's Cyber Security Centre [5]. This vulnerability permeates all supported iterations of Standalone Sentry—versions 9.17.0 through 9.19.0—enabling unauthenticated network interlopers to perform arbitrary command executions.
In parallel, Ivanti has remedied CVE-2023-46808 in its Neurons for ITSM solution, where authenticated users could exploit elevated privileges to execute commands. This latter issue affects versions up to 2023.3 for on-premises deployments, which now necessitate immediate patch application to forestall exploitation risks.
Despite the absence of reported exploitations, Ivanti's swift response to these vulnerabilities underscores a robust commitment to security, especially in light of historical exploits against their systems by advanced threat actors.
CVE-2024-29943 & CVE-2024-29944: Mozilla Released Fixes for Two Critical Vulnerabilities
Mozilla swiftly addressed two critical vulnerabilities in Firefox version 124.0.1 [6], discovered during the Pwn2Own Vancouver 2024 hacking competition [7].
CVE-2024-29943 involved an out-of-bounds read/write flaw in JavaScript object handling, potentially allowing arbitrary code execution or information disclosure [8].
The second vulnerability, CVE-2024-29944, exclusive to desktop Firefox, enabled attackers to inject an event handler into a privileged object, escalating to arbitrary JavaScript execution within the parent process [8].
These patches are crucial for safeguarding against possible exploitation that could compromise user data and system integrity, underscoring the importance of updating to the latest Firefox version promptly.
Fixed Version: 124.0.1 or higher
Germany Warns for the 17.000 Exposed Exchange Server
In Germany, the national cybersecurity authority has highlighted a concerning situation where about 17,000 Microsoft Exchange servers are exposed online with significant vulnerabilities [9], affecting many schools and colleges, clinics, doctor's offices, nursing services and other medical institutions, lawyers and tax consultants, local governments, and medium-sized companies [10].They stress the importance of updating these servers to the latest security standards. Specifically, administrators should install the March 2024 security updates as follows:
- Exchange Server 2019 CU14 Mar24SU (Build number 15.2.1544.9)
- Exchange Server 2019 CU13 Mar24SU (build number 15.2.1258.32)
- Exchange Server 2016 CU23 Mar24SU (build number 15.1.2507.37)
These updates are critical to safeguarding the servers against potential cyber threats.
March 29: Top Threat Actors Observed In Wild
Here are the top threat actors that were active in the third and last week of March.
INC Ransom Extortion Gang Threatening National Health Service (NHS) of Scotland To Release 3 TB of Data
The INC Ransom extortion gang has issued a stark threat to the National Health Service (NHS) of Scotland, asserting that it will disclose three terabytes of sensitive data it claims to have pilfered from the organization [11]. This cybercriminal group, which surfaced in July 2023, specializes in data extortion and has a history of targeting entities across various sectors, including healthcare. Their latest exploit involves the NHS Scotland, particularly impacting the NHS Dumfries and Galloway, a regional health board.
The cyberattack, which reportedly took place on March 15, compromised a significant volume of patient and staff information, including medical assessments and psychological reports. Despite the ransom demand, NHS Dumfries and Galloway, in collaboration with law enforcement and cybersecurity agencies, is addressing the breach and ensuring that affected individuals are notified and guided on protective measures.
The incident underscores the growing threat of ransomware attacks on critical healthcare infrastructure, spotlighting the need for robust cybersecurity measures in safeguarding sensitive health data.
Sandworm-linked Threat Group UAC-0165 Took Down an Ukrainian ISP
Recent cyberattacks on Ukrainian internet service providers (ISPs), disrupting services for over a week, are likely orchestrated by a Russian state-backed group affiliated with Sandworm, specifically subgroup UAC-0165 [12].
Source: Twitter
Solntsepek, a group claiming responsibility, is under scrutiny for these attacks, which align with their previous operations, including a significant assault on Kyivstar in 2023. Ukrainian authorities are investigating, noting substantial evidence linking Solntsepek to these incidents, targeting ISPs like Triacom and KIM, essential for government and military communications.
The attacks, which involved data theft and service disruption, coincide with the discovery of AcidPour, a new malware variant. AcidPour, a more potent successor to AcidRain used in the Viasat attack, signifies an advanced threat capability, potentially indicating a focused effort to undermine Ukrainian critical infrastructure. The malware's design suggests a strategic intent to cause extensive operational damage.
March 29: Latest Malware Attacks
Here are the malware attacks and campaigns that were active in the third and last week of March.
Sign1 Malware Campaign Infects 39,000 WordPress Sites
The Sign1 malware campaign, identified by Sucuri, has compromised over 39,000 WordPress sites, injecting JavaScript to display unwanted pop-ups and redirects [13].
This malware cleverly employs time-based randomization and XOR encoding for obfuscation, creating URLs that change every 10 minutes to download additional malicious scripts. Intriguingly, the malware is selective, only activating for visitors referred by major sites like Google or Facebook, which helps it evade detection by site administrators.
Notably, the campaign utilizes legitimate plugins, such as Simple Custom CSS and JS, for injection, a tactic that avoids altering website files directly. A correlation was observed between the registration of malicious domains used by Sign1 and spikes in download rates for this plugin, suggesting a strategic approach to mass infection.
Source: Sucuri
With the campaign's increasing sophistication, website owners are urged to adopt robust security measures, regularly update plugins, and actively monitor for signs of compromise to safeguard their sites.
New Wiper-Malware Called AcidPour Targeting Linux x86 Network Devices
A newly identified malware, AcidPour, is raising alarms in the cybersecurity community with its data-wiping capabilities, primarily targeting Linux x86 IoT and network devices [14].
This malware is a variant of the previously known AcidRain wiper, which has been implicated in disruptive cyberattacks, notably against satellite communications provider Viasat. Unlike its predecessor that focused on the MIPS architecture, AcidPour expands its reach to devices with Linux-based embedded systems, indicating a potential for broader impact.
The malware demonstrates a significant codebase evolution from AcidRain, with about 30% overlap, suggesting either advancement or a distinct origin possibly mimicking AcidRain's methods. AcidPour's design to target a variety of devices, including those using Logical Volume Management, signals a strategic shift to affect a wider array of networked hardware. The discovery, uploaded from Ukraine, adds a layer of complexity in attributing the actors behind this variant.
References
[1] “Known Exploited Vulnerabilities Catalog,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. [Accessed: Mar. 28, 2024]
[2] L. French, “Fortinet FortiClient EMS SQL injection flaw exploited in the wild,” SC Media, Mar. 26, 2024. Available: https://www.scmagazine.com/news/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild. [Accessed: Mar. 28, 2024]
[3] “Jenkins Args4j CVE-2024-23897 Files Exposed Code at Risk,” Trend Micro, Mar. 19, 2024. Available: https://www.trendmicro.com/en_us/research/24/c/cve-2024-23897.html. [Accessed: Mar. 28, 2024]
[4] “Ivanti Community.” Available: https://forums.ivanti.com/s/article/CVE-2023-41724-Remote-Code-Execution-for-Ivanti-Standalone-Sentry?language=en_US. [Accessed: Mar. 28, 2024]
[5] S. Gatlan, “Ivanti fixes critical Standalone Sentry bug reported by NATO,” BleepingComputer, Mar. 20, 2024. Available: https://www.bleepingcomputer.com/news/security/ivanti-fixes-critical-standalone-sentry-bug-reported-by-nato/. [Accessed: Mar. 28, 2024]
[6] “Security Vulnerabilities fixed in Firefox 124.0.1,” Mozilla. Available: https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/. [Accessed: Mar. 28, 2024]
[7] D. Childs, “Pwn2Own Vancouver 2024: Bringing Cloud-Native/Container Security to Pwn2Own,” Zero Day Initiative, Jan. 16, 2024. Available: https://www.thezdi.com/blog/2024/1/16/pwn2own-vancouver-2024-bring-cloud-nativecontainer-security-to-pwn2own. [Accessed: Mar. 28, 2024]
[8] P. Arntz, “Patch now: Mozilla patches two critical vulnerabilities in Firefox,” Malwarebytes, Mar. 26, 2024. Available: https://www.malwarebytes.com/blog/news/2024/03/patch-now-mozilla-patches-two-critical-vulnerabilities-in-firefox. [Accessed: Mar. 28, 2024]
[9] S. Gatlan, “Germany warns of 17K vulnerable Microsoft Exchange servers exposed online,” BleepingComputer, Mar. 26, 2024. Available: https://www.bleepingcomputer.com/news/security/germany-warns-of-17k-vulnerable-microsoft-exchange-servers-exposed-online/. [Accessed: Mar. 28, 2024]
[10] “[No title].” Available: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-223466-1032.pdf?__blob=publicationFile&v=7. [Accessed: Mar. 28, 2024]
[11] B. Toulas, “INC Ransom threatens to leak 3TB of NHS Scotland stolen data,” BleepingComputer, Mar. 27, 2024. Available: https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/. [Accessed: Mar. 28, 2024]
[12] D. Antoniuk, “Sandworm-linked group likely knocked down Ukrainian internet providers.” Available: https://therecord.media/ukraine-isps-attacks-solntsepek-sandworm-gru. [Accessed: Mar. 28, 2024]
[13] B. Martin, “Sign1 Malware: Analysis, Campaign History & Indicators of Compromise,” Sucuri Blog, Mar. 20, 2024. Available: https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-of-compromise.html. [Accessed: Mar. 28, 2024]
[14] B. Toulas, “New AcidPour data wiper targets Linux x86 network devices,” BleepingComputer, Mar. 19, 2024. Available: https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targets-linux-x86-network-devices/. [Accessed: Mar. 28, 2024]