This week from November 13 to November 17, Firecompass research identified a huge number of CVEs that are high in severity and ransomware, botnets, and threat actors creating havoc. Some of the CVEs identified are of popular commercial products used by variants of industries and somenew & well known malwares targeting industries for this week. In this, we will list important CVEs discovered as well as list of malware, threat actors and botnets which were most active along with the CVEs that they were using in their campaigns.
Also this week there was Microsoft Patch Tuesday of the month as well
The Key Vulnerabilities That FireCompass Has Focused On Are:
- CVE-2023-26205 – FortiADC Automation Privilege Escalation
- CVE-2023-34991 – Fortinet FortiWLM SQL Command Injection
- Microsoft Exchange Vulnerabilities
- CVE-2023-36425 – Microsoft DFS RCE
- CVE-2023-34060 – VMWare Cloud Director Authentication Bypass
- CVE-2023-36437 – Azure DevOps Server RCE
- CVE-2023-5189 – Ansible Path Traversal
- CVE-2023-36402 – Microsoft WDAC OLE DB RCE
- CVE-2023-41699 – Payara Server URL Redirection
- CVE-2023-48365 – Qlik Sense Enterprise
The Key Malwares And Threat Actors That FireCompass Has Focused On Are:
- CVE-2023-4966 – NetScaler ADC and NetScaler Gateway
- CVE-2023-27350 – PaperCut NG
- CVE-2023-40044 and CVE-2023-42657 – WS_FTP Server
- CVE-2023-42115, CVE-2023-42116 and CVE-2023-42117, – Exim
- CVE-2023-44487 – HTTP/2
- CVE-2023-41763 – Skype
- CVE-2023-22515 – Atlassian -Confluence Data Center & Server
- CVE-2023-20101 – Cisco Emergency Responder
- CVE-2020-1472 – Netlogon secure channel connection
Know The Vulnerabilities Impacting Key Industries and Companies:
CVE-2023-26205 – FortiADC Automation Privilege EscalationFortiADC Automation version 7.1.0 through 7.1.2, 7.0 all versions, 6.2 all versions, 6.1 all versions may allow an authenticated low-privileged attacker to escalate their privileges to super_admin via a specific crafted configuration of fabric automation CLI script.
CVE-2023-34991 – Fortinet FortiWLM SQL Command InjectionA improper neutralization of special elements used in an sql command (‘sql injection’) in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 and 8.4.0 through 8.4.2 and 8.3.0 through 8.3.2 and 8.2.2 allows attacker to execute unauthorized code or commands via a crafted http request.
Microsoft Exchange Server VulnerabilitiesThis on 14th November, 2023 – Tuesday was the Microsoft Patch Tuesday where they disclosed several numbers of vulnerabilities. One of them being the popular Microsoft Exchange Server which is a prime target for threat actors. Four vulnerabilities were released, here is the list.
- CVE-2023-36035 – Microsoft Exchange Server Spoofing Vulnerability
- CVE-2023-36039 – Microsoft Exchange Server Spoofing Vulnerability
- CVE-2023-36050 – Microsoft Exchange Server Spoofing Vulnerability
- CVE-2023-36439 – Microsoft Exchange Server Remote Code Execution
CVE-2023-36425 – Microsoft DFS RCEFrom the patch Tuesday, a remote code execution vulnerability is present in Microsoft Distributed File System(DFS).
Shodan displays more than 70k endpoints. Countries like the USA, France and Taiwan have the highest number of endpoints
CVE-2023-34060 – VMWare Cloud Director Authentication BypassVMware Cloud Director Appliance contains an authentication bypass vulnerability in case of VMware Cloud Director Appliance on version 10.5. A malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console).
CVE-2023-36437 – Azure DevOps Server RCEFrom patch Tuesday, Azure DevOps Server is vulnerable to remote code execution.
CVE-2023-5189 – Ansible Path TraversalA path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.
CVE-2023-36402 – Microsoft WDAC OLE DB For SQL Server RCEMicrosoft WDAC OLE DB provider for SQL Server is vulnerable to remote code execution
CVE-2023-41699 – Payara Server URL RedirectionPayara Server is an open-source application server from GlassFish which has URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.
CVE-2023-48365 – Qlik Sense Enterprise RCEQlik Sense Enterprise is vulnerable to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application.
Know The Threat Actors Impacting Key Industries and Companies:
CVE-2023-4966 – LockBit Ransomware GangSensitive Information Disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This vulnerability is found to be exploited by the LockBit ransomware gang. POC of the above vulnerabilty: https://github.com/mlynchcogent/CVE-2023-4966-POC
CVE-2023-27350 – MuddWater Iranian APT
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. This vulnerability is found to be exploited by the MuddWater Iranian APT.
POC of the vulnerbility:
CVE-2023-40044 and CVE-2023-42657 – Dark Pink APT
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system and
a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system. These vulnerabilities are found to be exploited by Dark Pink APT group.
PoC for CVE-2023-40044:
CVE-2023-42115, CVE-2023-42116 and CVE-2023-42117 – Dark Pink APT
An out-of-bounds write flaw exists in Exim within the smtp service, which listens on TCP port 25 by default and another vulnerability was found in Exim within the handling of NTLM challenge requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account or current process. In all of these cases, authentication is not required to exploit this vulnerability. All these vulnerabilities are found to be again exploited by Dark Pink APT group.
CVE-2023-44487 – Dark Pink APT
This vulnerability allows HTTP/2 protocol to allow a denial of service (server resource consumption) because request cancellation can reset many streams quickly. This vulnerability has been found to be again exploited by Dark Pink APT group.
CVE-2023-41763 – Dark Pink APT
Skype for Business Elevation has suffered a serious vulnerability which allows it to perform Privilege Escalation Remotely. This vulnerability has been found to be again exploited by Dark Pink APT group.
CVE-2023-22515 – Dark Pink APT
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. This vulnerability has been found to be again exploited by Dark Pink APT group.
CVE-2023-20101 – Dark Pink APTA vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. This vulnerability has been found to be again exploited by Dark Pink APT group.
CVE-2020-1472 – Rhysida Ransomware Gang
An elevation of privilege vulnerability exists in Netlogon secure channel connection, when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’. This vulnerability was found to be exploited by the Rhysida ransomware gang.
The POC of the above vulnerability:
CVE-2023-4966 – Medusa Ransomware
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This vulnerability was found to be actively exploited by Medusa ransomware group.
The POC of the above vulnerability:
By: Firecompass Research Team – Debdipta Halder, Soumyanil Biswas, Faran Siddiqui, Anirban Bain
FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed out by conventional tools.
Feel free to get in touch with us to get a better view of your attack surface.