For the last 2 weeks, Firecompass Research Team focused on 9 brand-new vulnerabilities which are Critical in severity, published by the global security research community. Ransomwares are targeting many of these vulnerabilities to get initial Access. All the vulnerabilities have Proof of Concepts (PoC) exploit code publicly available on Github making it is easy for attackers to target organizations that have exposed assets that these vulnerabilities target.
Key Vulnerabilities Tracked by FireCompass:
| CVE | Severity | Description |
|---|---|---|
| CVE-2023-23397 | High | Elevation of privilege vulnerability in Windows |
| CVE-2023-24880 | High | Zero-day vulnerability in Windows SmartScreen that was exploited in the wild by the Magniber ransomware operation |
| CVE-2023-21716 | High | The vulnerability allows adversaries to execute arbitrary commands with the victim’s privileges via malicious RTF files. Remember, Humans are the weakest link again. |
| CVE-2023-25136 | Critical | OpenSSH version 9.1 RCE and DOS attack |
| CVE-2023-23752 | High | An improper access check vulnerability that all unauthorized access to web service endpoints leading to sensitive information leakage. |
| CVE-2022-47966 | High | This vulnerability affects multiple Zoho ManageEngine products that allow Remote Code execution. |
Similar critical vulnerabilities were published in Oracle WebLogic Server (CVE-2023-21835), Adobe ColdFusion (CVE-2023-26360), Fortinet appliance (CVE-2022-39952). There are more but we focussed on these for now, given that these platforms are widely popular.
To remain safe against these critical vulnerabilities, it is imperative that organizations find and fix them at the earliest. The Firecompass Research Team urges organizations to identify their exposed assets, test for vulnerabilities, and fix any issues that are discovered. The Firecompass platform for Continuous Automated Red Teaming & External Attack Surface Management can find and test all those vulnerabilities, as well as other critical vulnerabilities on our customers’ network, as soon as they are discovered.
Technical Details:
Last two weeks, we have seen Microsoft patching some of its critical vulnerabilities which were being exploited by Russian actors and other ransomware actors:
CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability
The most critical among them is an elevation of privilege vulnerability in Windows. The CVE-2023-23397 vulnerability allows attackers to execute code with elevated privileges on targeted systems. It was used by Strontium (aka APT28), Sednit, Sofacy and Fancy Bear in attacks against government, transportation, and energy sectors in Europe.
CVE-2023-24880: Windows SmartScreen Security Feature Bypass Vulnerability
Next is a zero-day vulnerability that was exploited in the wild by the Magniber ransomware operation. CVE-2023-24880 is a SmartScreen security feature bypass, and it was used in the Magniber attacks to trick users into downloading malicious MSI files. Windows SmartScreen filter checks the downloads against malicious sites and software and blocks the download of such packages or software if it finds a match. This vulnerability bypasses this feature thereby allowing users to download any kind of malware or other malicious software.
CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability
Another critical vulnerability recently being used by hackers and other threat actors is CVE-2023-21716. It is a heap corruption vulnerability found in MS Office Word’s RTF parser. On successful exploit, the vulnerability allows adversaries to execute arbitrary commands with the victim’s privileges via malicious RTF files. Even loading the malicious RTF document in the Preview Pane is enough for exploitation, and the victims do not have to open the payload. Due to the low complexity and high impact of potential exploitation, the CVE-2023-21716 vulnerability has a CVSS score of 9.8 (Critical).
Other than the critical Microsoft vulnerabilities there are a few other major vulnerabilities that are seen in the wild. Let’s discuss this in the next few paragraphs:
CVE-2023-26360: Adobe ColdFusion Improper Access Control vulnerability
It has been classified as a Critical flaw in Adobe ColdFusion 2021 version 5 and earlier, as well as ColdFusion 2018 version 15 and earlier since it enables threat actors to allow remote code execution (RCE). It is an improper access control issue which can be exploited by an unauthenticated attacker to allow running arbitrary code on a remote machine.
CVE-2023-23752: Joomla 4.0.0 through 4.2.7.
The next vulnerability affects Joomla – 4.0.0 through 4.2.7, which is directly not an RCE but can become a stepping stone for achieving RCE. CVE-2023-23752 is an improper access check vulnerability that allows unauthorized access to web service endpoints which can lead to sensitive information leakage. Hackers and malware actors are using this vulnerability to achieve RCE in the following two ways:
- There are endpoints which leak MySQL(publicly exposed) credentials. Using these credentials the attacker can change the Joomla Super User’s password. The attacker then logs into the administrative web interface and modifies the template to include a webshell or installs malicious plugins.
- There are endpoints which leak Joomla user databases (usernames, emails, assigned groups). The attacker can target a Super User and try brute force or credential stuffing and follow the previously showcased path for code execution.
CVE-2022-47966: Remote Code Execution Apache xmlsec:
Here, the security defect exists in a dependent Open Source software (Apache xmlsec, also known as XML Security for Java, version 1.4.1 and earlier), allowing attackers to execute arbitrary code remotely without authentication. Rapid7 has confirmed that some of the impacted Zoho ManageEngine products (including ADSelfService Plus, Application Control Plus and ServiceDesk Plus), are very popular among organizations and have been targeted in the recent attacks. Other impacted products include Access Manager Plus, Active Directory 360, ADAudit Plus, ADManager Plus, Application Control Plus, Device Control Plus, Endpoint Central, Endpoint Central MSP, PAM 360, Password Manager Pro, Remote Monitoring and Management (RMM), SupportCenter Plus, and Vulnerability Manager Plus.
CVE-2022-39952: FortiNAC
Threat actors are targeting Internet-exposed Fortinet appliances with exploits targeting CVE-2022-39952, an unauthenticated file path manipulation vulnerability in the FortiNAC web server that can be abused for remote command execution. The affected versions include 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4 and 8.3.7.
CVE-2023-21835: Oracle WebLogic Server
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) is another vulnerability being exploited in the wild. Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. CVE-2023-21835 is an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.
CVE-2023-25136: OpenSSH
OpenSSH version 9.1 has been exploited in the wild in recent times. CVE-2023-25136 with a CVSS score of 9.1 is a double-free vulnerability introduced in OpenSSH 9.1 during options.kex_algorithms handling. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. This exploit has no prerequisite. Although primarily it was released that this vulnerability leads to Denial of Service attacks, in recent reports it has been published that it can also lead to Remote Code Execution when no memory exploitation mitigations are applied (like ASLR or NX).
By: Firecompass Research Team – Debdipta Halder, Soumyanil Biswas, Faran Siddiqui
References
- Firecompass Threat Intel Team
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NVD CVE Feed
About FireCompass:
FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed out by conventional tools.
Feel free to get in touch with us to get a better view of your attack surface.
