CyberWatch

CyberWatch - July 26, 2023

By Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports
  2. Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware
  3. Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks
  4. Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities
  5. Banking Sector Targeted in Open-Source Software Supply Chain Attacks
  6. Local Governments Targeted for Ransomware – How to Prevent Falling Victim
  7. Estee Lauder beauty giant breached by two ransomware groups
  8. Over 400,000 corporate credentials stolen by info-stealing malware

Vulnerabilities

  1. Over 20,000 Citrix Appliances Vulnerable to New Exploit
  2. Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks
  3. Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo
  4. Apple fixes new zero-day used in attacks against iPhones, Macs
  5. VMware fixes bug exposing CF API admin credentials in audit logs

Ransomware, Malware & Phishing

Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports

Analysis: The recent cyber-attack against Microsoft's email infrastructure by a Chinese nation-state actor known as Storm-0558 may have had a wider impact than initially reported.

Cloud security company Wiz revealed that the inactive Microsoft account (MSA) consumer signing key, used by the attacker to forge Azure Active Directory (Azure AD) tokens for unauthorized access to Outlook Web Access (OWA) and Outlook.com, could also be exploited to forge access tokens for various Azure AD applications. This includes personal account authentication applications like OneDrive, SharePoint, and Teams, as well as customer applications supporting "Login with Microsoft" functionality, and certain multi-tenant applications.

Microsoft is still investigating the scope of the cyber espionage campaign and is cautioning that the claims made are speculative and lack evidence to support them. Wiz researchers were surprised by Microsoft’s response, as analysis suggests that the compromised key had significant privileges, allowing attackers to impersonate users and access sensitive data across multiple applications.

To mitigate such attacks, organizations should implement strong identity and access management (IAM) practices, including regular audits of access privileges and the use of multi-factor authentication (MFA) to protect sensitive accounts. Additionally, continuous monitoring of security logs and threat intelligence feeds can help detect suspicious activities and potential signs of unauthorized access. Regularly reviewing and updating public keys and certificates used in identity providers can also bolster security against identity-based attacks.
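Added example, not part of the newsletter and not Microsoft's or Wiz's code: a model of the key-scoping check a token consumer needs so that a key published for one issuer cannot validate tokens for another. It shows the merged-keyset pattern beside the issuer-scoped one; issuer URLs, key ids and keys are constructed, and HMAC-SHA256 stands in for RS256 so the code runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key material: each issuer publishes its own key set, indexed by kid.
# Real tokens are RS256-signed against the issuer's JWKS document; HMAC stands in
# here so the example runs on the standard library alone.
TRUSTED_KEYS = {
    "https://login.example-tenant.test/v2.0": {
        "tenant-kid-01": b"constructed-tenant-signing-secret",
    },
    "https://login.consumer.test/v2.0": {
        "consumer-kid-01": b"constructed-consumer-signing-secret",
    },
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(issuer: str, kid: str, key: bytes, claims: dict) -> str:
    """Mint an HS256 token whose payload names `issuer` (builds the test input)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(dict(claims, iss=issuer)).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _split(token: str):
    """Return (header, payload, signing_input, signature) without trusting any of it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    payload = json.loads(_unb64url(payload_b64))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("JOSE parts are not objects")
    return header, payload, f"{header_b64}.{payload_b64}".encode(), _unb64url(sig_b64)


def _signature_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _check_claims(payload: dict, audience: str, now: Optional[float]) -> Tuple[bool, str]:
    now = time.time() if now is None else now
    if payload.get("aud") != audience:
        return False, "audience mismatch"
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    return True, "accepted"


def validate_flat_keyset(token: str, audience: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Weak pattern: look the kid up in one merged list of every published key.

    A key trusted for some issuer then validates a token for any issuer, which is
    how a key meant for consumer accounts can end up accepted by applications
    serving other tenants.
    """
    merged = {kid: key for keys in TRUSTED_KEYS.values() for kid, key in keys.items()}
    try:
        header, payload, signing_input, sig = _split(token)
    except (ValueError, TypeError):
        return False, "malformed token"
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return False, "signature invalid"
    return _check_claims(payload, audience, now)


def validate_token(token: str, expected_issuer: str, audience: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Hardened pattern: the payload must name the issuer this application was
    configured for, and the kid must come from that issuer's own key set."""
    try:
        header, payload, signing_input, sig = _split(token)
    except (ValueError, TypeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if payload.get("iss") != expected_issuer:
        return False, "issuer not accepted by this application"
    key = TRUSTED_KEYS.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        # A kid from another issuer's key set presented here is worth an alert,
        # not only a rejection.
        return False, "kid not in the expected issuer's key set"
    if not _signature_ok(key, signing_input, sig):
        return False, "signature invalid"
    return _check_claims(payload, audience, now)
```

The forged case in the test is a token that names the tenant issuer but is signed with the consumer key: the merged-keyset validator accepts it, the issuer-scoped one rejects it and names the reason.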

Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware

Analysis: The Chinese nation-state actor APT41 — also known as Axiom, Blackfly, and other aliases — has been linked to two Android spyware strains, named WyrmSpy and DragonEgg. Cybersecurity company Lookout reported that APT41 — known for targeting various industries for intellectual property theft — has expanded its capabilities to include mobile devices. The spyware campaign's initial intrusion vector is suspected to involve social engineering.

WyrmSpy was first detected in 2017, while DragonEgg was discovered in early 2021, with new samples found as recently as April 2023. The rogue apps impersonate legitimate services, and once installed, they collect sensitive data such as photos, locations, SMS messages, and audio recordings. Both strains have connections to APT41 through their use of a common command-and-control server, previously linked to the threat actor's infrastructure.

The findings highlight the increasing threat of advanced Android malware and the need for robust mobile security measures. To protect against Android spyware like WyrmSpy and DragonEgg, Access Point recommends the following:

  1. Only download apps from official app stores and avoid third-party app sources.
  2. Regularly update mobile operating systems and applications to patch known vulnerabilities.
  3. Implement mobile security solutions and run regular malware scans to detect and prevent spyware infections.
  4. Be cautious of suspicious links, attachments, and unexpected app requests for intrusive permissions.

Organizations should educate employees about the risks of social engineering and implement mobile device management (MDM) solutions to enforce security policies on company-owned devices. Mobile security should be an integral part of the overall cybersecurity strategy to safeguard against sophisticated mobile threats.

Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks

Analysis: Palo Alto Networks Unit 42 reveals that Mallox ransomware activities in 2023 have increased by 174% compared to the previous year.

Mallox follows the double extortion trend, stealing data before encrypting an organization's files and threatening to publish the data on a leak site to pressure victims into paying the ransom fee. The ransomware is linked to a threat actor associated with other strains like TargetCompany, Tohnichi, Fargo, and Xollam. Mallox targets a variety of sectors, including manufacturing, professional and legal services, and wholesale/retail.

The group primarily exploits poorly secured MS-SQL servers through dictionary attacks to gain network access. Recently, it has used malicious OneNote file attachments for initial access. After gaining a foothold on the target host, a PowerShell command retrieves the ransomware payload, which carries out various activities to avoid detection before starting the encryption process. TargetCompany has been recruiting affiliates for the Mallox ransomware-as-a-service (RaaS) program on the RAMP cybercrime forum.

The surge in Mallox infections is part of a broader trend of a 221% year-over-year increase in ransomware attacks as of June 2023, with 434 attacks reported in June 2023 alone. This is largely driven by Cl0p's exploitation of the MOVEit file transfer software vulnerability.

To protect against Mallox ransomware and similar threats, Access Point recommends the following:

  1. Prioritize securing MS-SQL servers and implement strong access controls, including two-factor authentication and least privilege principles, to prevent unauthorized access.
  2. Regularly back up critical data to offline or isolated storage to aid in recovery without paying ransom demands.
  3. Employ robust endpoint protection solutions and keep software up to date with the latest security patches to prevent initial compromise and the spread of ransomware across the network.
  4. Educate employees about phishing and social engineering tactics to avoid falling victim to initial attack vectors.
  5. Monitor network traffic for suspicious activities and employ behavior-based threat detection to aid in identifying ransomware activities early in the attack chain.
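Added example, not from the newsletter or Unit 42: a detector for the dictionary-attack pattern described above, run over constructed SQL Server ERRORLOG lines in the layout the engine writes for error 18456. The window and threshold are assumptions to tune per environment; the same failures also land in the Windows Application log as event ID 18456.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed ERRORLOG excerpt in the layout SQL Server uses for a failed login
# (error 18456). Client addresses are taken from documentation ranges.
SAMPLE_ERRORLOG = """\
2023-07-20 10:15:30.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-07-20 10:15:30.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:31.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:31.88 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:32.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:33.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:15:33.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-07-20 10:42:07.33 Logon       Login failed for user 'reporting_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]
2023-07-20 13:05:19.01 Logon       Login failed for user 'reporting_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) "
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_failed_logins(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, user, client, reason) for each 'Login failed' line;
    the separate 'Error: 18456' lines carry no client and are skipped."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["user"], m["client"], m["reason"]


def detect_failed_login_bursts(lines: Iterable[str], threshold: int = 5,
                               window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert when one client address accumulates `threshold` failed logins inside
    `window`. Keying on the client rather than the login catches both a dictionary
    attack on 'sa' and a spray across several logins from the same source."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: List[Dict] = []
    for ts, user, client, _reason in parse_failed_logins(lines):
        q = recent[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) == threshold:              # fires once, as the threshold is crossed
            alerts.append({
                "client": client,
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "first_seen": q[0][0].isoformat(sep=" ", timespec="seconds"),
                "last_seen": ts.isoformat(sep=" ", timespec="seconds"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_ERRORLOG.splitlines()):
        print(alert)
```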

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Exploit Public-Facing Application – T1190
  • Command-Line Interface – T1059
  • Indicator Removal on Host – T1070
  • File Deletion – T1107
  • Process Injection – T1055
  • Credential Dumping – T1003
  • System Information Discovery – T1082
  • File and Directory Discovery – T1083
  • Email Collection – T1114
  • Data Encrypted for Impact – T1486

Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities

Analysis: A new stealthy malware strain known as BundleBot has been utilizing .NET single-file deployment techniques to discreetly collect sensitive information from compromised systems.

The malware is commonly distributed via Facebook Ads and compromised accounts, masquerading as legitimate program utilities, AI tools, or games. The attack starts with a fake Google Bard AI chatbot lure, prompting victims to download a bogus RAR archive which contains an executable file. This file unpacks into a .NET single-file application that fetches a password-protected ZIP archive from Google Drive. Inside this ZIP archive is another .NET single-file application acting as the BundleBot payload along with a command-and-control (C2) data serializer. The malware employs custom obfuscation to evade detection and has the ability to steal data from web browsers, capture screenshots, and gather account details from various platforms like Discord, Telegram, and Facebook.

To protect against BundleBot malware and similar threats, Access Point recommends the following:

  1. Exercise caution when downloading files from unfamiliar sources, especially when prompted by social media ads or compromised accounts.
  2. Employ multi-factor authentication to strengthen account security and help prevent unauthorized access.
  3. Regularly update and patch software to mitigate known vulnerabilities.
  4. Deploy robust security solutions that include anti-malware tools capable of detecting and blocking these types of malware.

Additionally, companies should promote awareness and education about phishing attacks and the risks associated with downloading files from untrusted sources, as they are essential to maintain a strong security posture.

Banking Sector Targeted in Open-Source Software Supply Chain Attacks

Analysis: Cybersecurity researchers have detected the emergence of BundleBot, a new malware strain targeting the banking sector through stealthy, open-source software supply chain attacks.

The attackers employ sophisticated techniques by attaching malicious functionalities to specific components in web assets, creating fake LinkedIn profiles to appear credible, and setting up customized command-and-control (C2) centers for each target. The malware was distributed through npm packages, and the attackers cleverly used Azure's CDN subdomains to deliver the second-stage payload, evading traditional deny list methods. The second-stage payload, Havoc, is an open-source C2 framework increasingly favored by malicious actors to avoid detection.

To defend against such supply chain attacks, organizations in the banking sector must enhance their supply chain security. Access Point recommends the following:

  1. Establish robust verification procedures for open-source packages and publishers before deployment.
  2. Implement multi-factor authentication (MFA) for all employees to add an extra layer of protection against unauthorized access.
  3. Conduct regular cybersecurity awareness trainings to educate employees about potential threats and phishing techniques used by attackers.
  4. Develop a comprehensive incident response plan to help contain and mitigate the impact of any potential breach.
  5. Watch for defense evasion techniques, such as indicator removal, and counter exfiltration methods to make it more challenging for attackers to persist within the network.
  6. Be vigilant against data collection and data destruction tactics to protect sensitive information from being compromised and misused.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Initial Access - T1566.001: Phishing: Spearphishing Link
  • Defense Evasion - T1066.002: Indicator Removal on Host: Clear Windows Event Logs
  • Exfiltration - T1041.001: Exfiltration Over C2 Channel: Exfiltration to Cloud Storage
  • Collection - T1005.002: Data from Local System: Command and Scripting Interpreter
  • Collection - T1039.004: Data from Network Shared Drive: Data Staged
  • Impact - T1485.001: Data Destruction: File Deletion

Local Governments Targeted for Ransomware – How to Prevent Falling Victim

Analysis: Oakland, California experienced a ransomware attack in early 2023, which caused city officials to take most backend servers offline to contain the breach. Experts suspect a phishing email was the likely attack vector, given the security gaps a small IT staff can leave.

The Play ransomware group claimed responsibility for the attack and exposed up to 600GB of data, impacting both city services and personal information of city employees and residents. The breach raised concerns about identity theft and posed challenges for IT services and city administration.

To strengthen cybersecurity defenses against ransomware attacks like the one experienced by Oakland, California, Access Point urges organizations to prioritize the following security measures:

  1. Enhance email security through filtering and user training to prevent phishing attacks.
  2. Enforce strong password policies and implement multi-factor authentication to bolster account security.
  3. Regularly update and patch software to protect against known vulnerabilities.
  4. Adhere to security compliance standards like NIST 800-63B, ISO 27001/27002, and SOC 2 to help establish best practices and ensure a secure environment.
  5. Employ tools such as Specops Password Policy and Breached Password Protection to enforce stronger password policies, block compromised passwords, and enhance your overall security posture.

By taking these proactive steps, local governments can limit the scope of attacks and better protect themselves against ransomware threats.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Initial Access: Spearphishing Attachment – T1193
  • Credential Access: Credential Dumping – T1003
  • Defense Evasion: Indicator Removal on Host – T1070
  • Impact: Data Encrypted for Impact – T1486
  • Impact: Disk Content Wipe – T1488
  • Impact: Data Destruction – T1485
  • Impact: Inhibit System Recovery - T1490

Estee Lauder beauty giant breached by two ransomware groups

Analysis: Beauty company Estée Lauder has fallen victim to two separate ransomware attacks carried out by the ALPHV/BlackCat and Clop ransomware groups.

The BlackCat gang expressed their dissatisfaction with the company's security measures and claimed they still had access to the network. The Clop ransomware gang exploited a vulnerability in the MOVEit Transfer platform to gain access to Estée Lauder's systems and steal data.

The company confirmed the attacks in an SEC filing and stated that it took down some systems proactively to prevent further expansion by the attackers. Both ransomware groups have listed Estée Lauder on their data leak sites, threatening to reveal stolen data if negotiations are not initiated.

To strengthen cybersecurity defenses, organizations should implement the following proactive measures to detect and prevent ransomware attacks:

  1. Perform regular security assessments and vulnerability scans to help identify and patch potential entry points for threat actors.
  2. Ensure all software and systems are up to date with the latest patches and security updates to help mitigate the risk of exploitation.
  3. Regularly back up critical data and store it offline so that data can be restored in case of a ransomware incident.
  4. Maintain a tried and tested incident response plan so that attackers can be cut off from your network with the least business impact.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Initial Access - T1566.001: Phishing: Spearphishing Attachment
  • Initial Access - T1195: Supply Chain Compromise
  • Execution - T1059.001: Command and Scripting Interpreter: PowerShell
  • Credential Access - T1552.001: Unsecured Credentials: Credentials in Files
  • Credential Access - T1555.003: Credentials from Password Stores: Credentials from Web Browsers
  • Credential Access - T1555.004: Credentials from Password Stores: Credentials from Mail Clients
  • Collection - T1119: Automated Collection
  • Collection - T1005.001: Data from Local System: Clipboard Data
  • Collection - T1030: Data Transfer Size Limits
  • Impact - T1489: Service Stop
  • Impact - T1490: Inhibit System Recovery
  • Impact - T1486: Data Encrypted for Impact
  • Impact - T1565.001: Data Manipulation: System Information Discovery
  • Impact - T1565.002: Data Manipulation: System Time Discovery
  • Impact - T1565.003: Data Manipulation: Time Modification
  • Impact - T1565.004: Data Manipulation: File and Directory Discovery
  • Impact - T1565.005: Data Manipulation: File and Directory Permissions Modification
  • Impact - T1565.006: Data Manipulation: File Deletion
  • Impact - T1486.001: Data Encrypted for Impact: Application Layer Encryption

Over 400,000 corporate credentials stolen by info-stealing malware

Analysis: An analysis of nearly 20 million information-stealing malware logs sold on the dark web and Telegram channels has revealed a significant infiltration into business environments.

Information stealers target careless internet users, but they also pose a massive threat to corporate environments. Many info-stealer infections stem from employees using personal devices for work or accessing personal content on work computers; the malware then harvests business credentials and authentication cookies. The most prominent information-stealing families, including Redline, Raccoon, Titan, Aurora, and Vidar, are offered to cybercriminals on a subscription-based model, enabling them to conduct malware campaigns that steal data from infected devices.

Cybersecurity firm Flare discovered a large number of logs containing access to business applications like AWS, Google Cloud, DocuSign, QuickBooks, Salesforce, and CRM platforms. Corporate credentials are considered high-value in the cybercrime underground, as they can be used to deploy backdoors, ransomware, and other payloads.

To minimize the risk of info-stealer malware infections, businesses should implement the following security measures:

  1. Enforce the use of password managers to enhance password security.
  2. Enable mandatory multi-factor authentication (MFA) for all accounts to provide an extra layer of protection.
  3. Set strict controls on personal device use in corporate environments to prevent the potential spread of info-stealers.
  4. Conduct thorough employee training on how to identify and avoid common infection channels such as malicious Google Ads, YouTube videos, and Facebook posts.
  5. Educate employees on the danger of using their business credentials for personal use.
  6. Implement a strong password hygiene policy that forces a password reset every 90 days with complexity including length, numbers and characters, and disallows the re-using of previous passwords.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Initial Access: T1566.002 - Phishing: Spearphishing Attachment
  • Credential Access: T1056.001 - Input Capture: Keylogging
  • Collection: T1113 - Screen Capture
  • Defense Evasion: T1564.004 - Hide Artifacts: Hidden Window
  • Defense Evasion: T1564.005 - Hide Artifacts: Hidden Files and Directories
  • Defense Evasion: T1564.006 - Hide Artifacts: Hidden Users
  • Exfiltration: T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol: File Transfer Protocol
  • Exfiltration: T1048.004 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol: Web Protocols
  • Impact: T1489.001 - Service Stop: Windows Service
  • Impact: T1485.001 - Data Destruction: File Deletion
  • Impact: T1486 - Data Encrypted for Impact
  • Impact: T1490 - Inhibit System Recovery
  • Impact: T1492 - System Shutdown/Reboot
  • Impact: T1565.001 - Data Manipulation: System Information Discovery
  • Impact: T1565.002 - Data Manipulation: System Time Discovery
  • Impact: T1565.003 - Data Manipulation: Time Modification
  • Impact: T1565.004 - Data Manipulation: File and Directory Discovery
  • Impact: T1565.005 - Data Manipulation: File and Directory Permissions Modification
  • Impact: T1565.006 - Data Manipulation: File Deletion

Vulnerabilities

Over 20,000 Citrix Appliances Vulnerable to New Exploit

Analysis: Cybersecurity firm Bishop Fox warns about a newly discovered exploit technique that targets a critical vulnerability in Citrix Application Delivery Controller (ADC) and Gateway devices. Tracked as CVE-2023-3519 and recently patched, this high-severity bug allows attackers to execute arbitrary code remotely without requiring authentication on vulnerable appliances configured as gateways or AAA virtual servers.

The United States' Cybersecurity and Infrastructure Security Agency (CISA) has reported attacks exploiting this vulnerability since June 2023, with at least one case targeting a critical infrastructure organization. Now, Bishop Fox has identified a new method of exploiting the vulnerability, which can affect any appliance functioning as a gateway or AAA virtual server. This technique targets a specific route that is enabled by default on certain installations and does not rely on SAML to be enabled.

Bishop Fox describes the vulnerability as a simple unauthenticated stack overflow, made worse by the fact that some versions lack proper exploit mitigations. The exploit has been found to work easily without crashing the vulnerable process. Disturbingly, the analysis also reveals that a significant number of Citrix Gateway login pages accessible from the internet (approximately 61,000) remain unpatched, with approximately half of these devices (around 32,000) still vulnerable to CVE-2023-3519. Furthermore, roughly 21,000 unpatched appliances also expose the vulnerable route, leaving them susceptible to the new exploitation technique.

It is crucial to be aware of this cybersecurity threat and take the necessary measures to ensure the safety and integrity of your systems. Applying the latest patches and following recommended remediation strategies will help protect against potential exploits, safeguarding both your organization and your clients' data.

To safeguard organizations utilizing Citrix Application Delivery Controller (ADC) and Gateway devices, users should take immediate action on the following recommendations:

  1. Apply the latest patches and updates to address the CVE-2023-3519 vulnerability
  2. Review security configurations on gateways and AAA virtual servers
  3. Enforce robust monitoring and detection mechanisms
  4. Strengthen access controls with multi-factor authentication
  5. Educate employees on cybersecurity risks
  6. Consider engaging a cybersecurity consulting firm for vulnerability management expertise
  7. Conduct regular security audits
  8. Stay informed about emerging threats from trusted sources like CISA and Bishop Fox and promptly address any weaknesses found

By taking these comprehensive measures, users can ensure the utmost security for their systems and sensitive data, fostering reliability and peace of mind for both their team and clients.

Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks

Analysis: Cybersecurity researchers from Mandiant identified two zero-day vulnerabilities affecting the Windows Installers in the Atera remote monitoring and management software. These vulnerabilities, assigned the CVE identifiers CVE-2023-26077 and CVE-2023-26078, have the potential to facilitate privilege escalation attacks. If left unaddressed, attackers could exploit misconfigured Custom Actions running as NT AUTHORITY\SYSTEM, allowing them to execute local privilege escalation attacks. The flaws were discovered on February 28, 2023, and subsequently fixed in Atera versions 1.8.3.7 and 1.8.4.9, released on April 17, 2023, and June 26, 2023, respectively.

The vulnerabilities specifically target the MSI installer's repair functionality, creating a situation where operations can be triggered from an NT AUTHORITY\SYSTEM context even if initiated by a standard user. The first vulnerability, CVE-2023-26077, enables a local privilege escalation attack through DLL hijacking, which could provide attackers with unauthorized access to the NT AUTHORITY\SYSTEM user's Command Prompt. The second vulnerability, CVE-2023-26078, involves the execution of system commands that trigger the Windows Console Host (conhost.exe) as a child process. This can open a command window with elevated privileges, potentially exploited by malicious actors for a local privilege escalation attack.

In addition to the Atera software vulnerabilities, Kaspersky recently highlighted another critical privilege escalation flaw in Windows, identified as CVE-2023-23397, with a CVSS score of 9.8. This vulnerability was actively exploited by threat actors using specially crafted Outlook tasks, messages, or calendar events. The flaw was fixed after Microsoft disclosed its exploitation by Russian nation-state groups since April 2022. However, Kaspersky's findings revealed that an unknown attacker had already targeted government and critical infrastructure entities in Jordan, Poland, Romania, Turkey, and Ukraine a month before the public disclosure.

Vulnerability analysts here at Access Point Technology stress that it is crucial for administrators and users to remain vigilant about cybersecurity threats like these and promptly update their software to the latest versions to mitigate potential risks. Taking proactive measures to review and secure Custom Actions can significantly enhance an organization's security posture and prevent potential attacks that exploit NT AUTHORITY\SYSTEM operations triggered by MSI repairs.

Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo

Analysis: Atlassian, an Australian software provider for project managers and developers, has released patches for security flaws in several of its products: Confluence Server and Data Center, and Bamboo Data Center. All of them are affected by Remote Code Execution (RCE) vulnerabilities which, if exploited, allow an attacker to run code on vulnerable systems:

  • CVE-2023-22505 (CVSS: 8.0) – RCE in Confluence Data Center and Server was introduced in version 8.0.0. Allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, integrity, and availability. Requires no user interaction.
  • CVE-2023-22508 (CVSS: 8.5) – RCE in Confluence Data Center and Server was introduced in version 7.4.0. Allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, integrity, and availability. Requires no user interaction.
  • CVE-2023-22506 (CVSS: 7.5) – Injection, RCE in Bamboo was introduced in version 8.0.0 of Bamboo Data Center. Allows an authenticated attacker to modify actions taken by a system call and execute arbitrary code with high impact to confidentiality, integrity, and availability. Requires no user interaction.

Atlassian recommends applying these updates as soon as possible. Upgrade to version 9.2.3 or 9.3.1 of Bamboo, and to at least version 8.2.0 of Confluence Data Center and Server, to remediate.

If you or your company use either of these Atlassian products (Confluence Data Center and Server, or Bamboo), Access Point Technology recommends updating to the latest version. Atlassian has become a target for threat actors as of late, so watch for security bulletins and news updates and apply the appropriate patches as soon as possible.

Apple fixes new zero-day used in attacks against iPhones, Macs

Analysis: Apple has recently released security updates to address several zero-day vulnerabilities that have been exploited in attacks targeting iPhones, iPads, and Macs. The first vulnerability, tracked as CVE-2023-37450, affects the WebKit component and was actively exploited. The second vulnerability, CVE-2023-38606, impacts devices running older iOS releases and was also exploited in attacks. This particular vulnerability is part of a zero-click exploit chain used to deploy Triangulation spyware on iPhones via iMessage exploits.

In addition to these two zero-days, Apple also addressed a third one, CVE-2023-32409, which was patched in May but has now been backported to devices running tvOS 16.6 and watchOS 9.6. The security updates were implemented in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5. The fixes involve improved checks, state management, bounds checks, input validation, and memory management to bolster the devices' defenses against potential cyber threats.

Throughout this year, Apple has diligently patched a total of 11 zero-day vulnerabilities that were exploited by attackers on devices running iOS, macOS, and iPadOS. They have been committed to swiftly addressing these security issues to protect their users from potential risks. It is crucial for users to promptly apply these updates to ensure their devices are secure and safeguarded against cyber threats.

As a crucial step in maintaining a strong cybersecurity posture, Access Point Technology recommends that users and administrators develop and implement a robust data backup strategy. Regularly and securely backing up critical information on all devices, including iPhones, iPads, and Macs, helps safeguard against potential data loss resulting from successful cyberattacks or unforeseen incidents. By having reliable backups, organizations can mitigate the impact of security breaches, ensure business continuity, and protect sensitive patient information, providing peace of mind to both their teams and clients.

VMware fixes bug exposing CF API admin credentials in audit logs

Analysis: VMware has taken measures to address an information disclosure vulnerability in their Tanzu Application Service for VMs (TAS for VMs) and Isolation Segment. This particular flaw, identified as CVE-2023-20891, is the result of credentials being exposed through system audit logs, leaving unpatched systems vulnerable to remote attacks by individuals with low privileges. Such attacks are of low complexity and do not necessitate user interaction.

The vulnerability arises from unpatched instances of TAS for VMs, where hex-encoded Cloud Foundry API admin credentials are logged in platform system audit logs. This puts organizations at risk, as threat actors exploiting this loophole can gain access to these credentials and use them to push malicious versions of applications. However, VMware reassures users that in standard deployment configurations, non-administrative users do not have access to system audit logs, offering some protection against potential attacks.

To mitigate the risk further, VMware strongly advises all TAS for VMs users affected by CVE-2023-20891 to rotate their Cloud Foundry API admin credentials promptly. By doing so, organizations can prevent attackers from leveraging any leaked passwords. The company provides comprehensive instructions on changing the credentials in a support document, though it emphasizes that the process is not officially tested as part of the Operations Manager test suite and should be approached with caution.
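Added example, not VMware's tooling: a scan that checks whether audit logs already retained in your environment contain hex-encoded credential strings, so the exposure can be scoped and the affected logs purged alongside the credential rotation. The log line layout, component names and credential are constructed; only the property the advisory describes, a hex-encoded credential sitting in a log line, is modelled.

```python
import re
import string
from typing import Dict, List

# Runs of at least 16 hex characters (8 bytes) that are not part of a longer
# run; shorter hex such as request ids is ignored.
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}){8,}(?![0-9a-fA-F])")
CREDENTIAL_MARKERS = ("admin:", "password", "passwd", "client_secret", "secret")

# Constructed audit-log lines. The real TAS for VMs layout is not reproduced;
# the credential and component names are made up for the example.
SAMPLE_AUDIT_LOG = [
    "2023-07-20T10:15:30Z cloud_controller_ng audit request_id=a3f9e1 path=/v3/apps status=200",
    "2023-07-20T10:15:31Z uaa audit event=token_issued digest="
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2023-07-20T10:15:32Z cloud_controller_ng audit args="
    + "admin:Constructed-Pa55w0rd".encode().hex(),
    "2023-07-20T10:15:33Z cloud_controller_ng audit payload="
    + "GET /v3/apps".encode().hex(),
]


def decode_printable_hex(hex_run: str):
    """Return the decoded text if the hex run is printable UTF-8, else None."""
    try:
        text = bytes.fromhex(hex_run).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(ch in string.printable for ch in text) else None


def redact(decoded: str, marker: str) -> str:
    """Keep only the text up to and including the marker (and a following ':' or '=')."""
    keep = decoded.lower().index(marker) + len(marker)
    if keep < len(decoded) and decoded[keep] in ":=":
        keep += 1
    return decoded[:keep] + "***"


def scan_log_for_hex_credentials(lines: List[str]) -> List[Dict]:
    """Report hex runs that decode to readable text. 'high' confidence means a
    credential marker was found; 'low' means readable text worth an analyst's
    glance. Secrets never leave the function unredacted."""
    findings: List[Dict] = []
    for lineno, line in enumerate(lines, start=1):
        for m in HEX_RUN.finditer(line):
            decoded = decode_printable_hex(m.group(0))
            if decoded is None:
                continue                       # hashes, ids, binary: not readable text
            lowered = decoded.lower()
            marker = next((k for k in CREDENTIAL_MARKERS if k in lowered), None)
            if marker:
                findings.append({"line": lineno, "confidence": "high",
                                 "marker": marker, "redacted": redact(decoded, marker)})
            else:
                findings.append({"line": lineno, "confidence": "low",
                                 "preview": decoded[:12] + ("..." if len(decoded) > 12 else "")})
    return findings


if __name__ == "__main__":
    for finding in scan_log_for_hex_credentials(SAMPLE_AUDIT_LOG):
        print(finding)
```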

Access Point Technology recommends that individuals utilizing their services remain vigilant about potential vulnerabilities. Taking appropriate measures to ensure the security and integrity of their systems will safeguard against cyber threats.

Sources

https://thehackernews.com/2023/07/azure-ad-token-forging-technique-in.html

https://thehackernews.com/2023/07/chinese-apt41-hackers-target-mobile.html

https://thehackernews.com/2023/07/mallox-ransomware-exploits-weak-ms-sql.html

https://thehackernews.com/2023/07/sophisticated-bundlebot-malware.html

https://thehackernews.com/2023/07/banking-sector-targeted-in-open-source.html

https://thehackernews.com/2023/07/local-governments-targeted-for.html

https://www.bleepingcomputer.com/news/security/est-e-lauder-beauty-giant-breached-by-two-ransomware-gangs/

https://www.bleepingcomputer.com/news/security/over-400-000-corporate-credentials-stolen-by-info-stealing-malware/

https://www.securityweek.com/over-20000-citrix-appliances-vulnerable-to-new-exploit/

https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html


https://thehackernews.com/2023/07/atlassian-releases-patches-for-critical.html

https://www.bleepingcomputer.com/news/apple/apple-fixes-new-zero-day-used-in-attacks-against-iphones-macs/

https://www.bleepingcomputer.com/news/security/vmware-fixes-bug-exposing-cf-api-admin-credentials-in-audit-logs/
