
Threat Pulse – November 2023

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

Hackers Start Exploiting Critical ownCloud Flaw 

Hackers are actively exploiting a critical vulnerability, CVE-2023-49103, in ownCloud, an open-source file synchronisation and sharing solution.

The flaw, rated 10.0 on the CVSS scale, sits in the graphapi app, which ships a third-party library file that prints the output of PHP's phpinfo() to anyone who requests it. In containerised deployments that output includes the container's environment variables, which carry the ownCloud admin password, mail server and database credentials, object-store access keys and the license key.

ownCloud administrators are urged to act promptly, because exploiting this vulnerability for data theft is straightforward: a single unauthenticated HTTP request is enough. The vendor's recommended fix is to delete the file named in its advisory from the graphapi app, disable the phpinfo function in Docker containers, and rotate every secret that may have been exposed, including the admin password, mail server and database credentials and any access keys.

Immediate action is crucial to mitigate the risk posed by this vulnerability.  
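Once the exposed endpoint is gone, the remaining work is deciding which secrets to rotate. The following script is an added example (not ownCloud's code or part of the original advisory) that parses the Environment section of a phpinfo() page and lists the variables whose names suggest credentials. The sample HTML and every variable name and value in it are constructed for the example; only the `<td class="e">` / `<td class="v">` row layout mirrors what phpinfo() really emits.

```python
import html
import re

# Constructed sample of the HTML that PHP's phpinfo() emits. The variable
# names and values are invented to resemble a containerised ownCloud
# deployment; nothing here was captured from a real host.
SAMPLE_PHPINFO = """
<h2>Core</h2>
<table>
<tr><td class="e">display_errors </td><td class="v">Off </td></tr>
</table>
<h2>Environment</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">HOSTNAME </td><td class="v">owncloud-1 </td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_USERNAME </td><td class="v">admin </td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_PASSWORD </td><td class="v">Wint3r-Sun!2023 </td></tr>
<tr><td class="e">OWNCLOUD_MAIL_SMTP_PASSWORD </td><td class="v">smtp-app-pw </td></tr>
<tr><td class="e">OWNCLOUD_LICENSE_KEY </td><td class="v">OC-ENT-0000-DEMO </td></tr>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
</table>
"""

# Only the Environment table matters: that is where container secrets land.
SECTION_RE = re.compile(r"<h2>Environment</h2>\s*<table>(.*?)</table>", re.S)
ROW_RE = re.compile(
    r'<td class="e">\s*(.*?)\s*</td>\s*<td class="v">\s*(.*?)\s*</td>', re.S
)
# Variable names that conventionally hold credentials or licence material
# (assumed naming convention, broadened on purpose to avoid missing a secret).
SENSITIVE_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|KEY|CREDENTIAL", re.I)


def parse_phpinfo_env(page):
    """Return {name: value} for the Environment section of a phpinfo page.
    Falls back to scanning the whole page if that heading is missing."""
    m = SECTION_RE.search(page)
    section = m.group(1) if m else page
    return {html.unescape(n): html.unescape(v) for n, v in ROW_RE.findall(section)}


def redact(value, keep=2):
    """Mask a secret for the incident report, keeping only a short prefix."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def leaked_secrets(page):
    """Exposed variables that must be rotated, mapped to redacted values."""
    env = parse_phpinfo_env(page)
    return {n: redact(v) for n, v in sorted(env.items()) if SENSITIVE_RE.search(n)}


if __name__ == "__main__":
    for name, masked in leaked_secrets(SAMPLE_PHPINFO).items():
        print(f"ROTATE {name} = {masked}")
```

Run it against a saved copy of the page the endpoint returned before it was removed; the output is the rotation checklist, with values masked so the report itself does not become a second leak. Treat the name filter as a starting point and review the full variable list by eye, since a secret stored under an unconventional name will not match.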

SysAid On-Prem Software CVE-2023-47246 

This path traversal vulnerability was exploited as a zero day by a known threat actor (CL0P) to gain unauthorised access to SysAid on-premises servers, move through the environment and achieve code execution. The attacker uploaded a WAR archive containing a web shell into the webroot of SysAid's Tomcat web service, and used that foothold to deploy trojan malware on the system.

Using the user.exe malware loader, the attacker ran PowerShell scripts to inject the GraceWire trojan into one of three legitimate Windows processes: spoolsv.exe (the Print Spooler service), msiexec.exe (Windows Installer) or svchost.exe (the generic service host).

Because these are trusted system processes that run on every Windows host, code injected into them blends in with normal activity. Process-injection alerts and unexpected network connections originating from these three processes are the signals to hunt for.

Recommendations for organisations that use SysAid: 

  • Ensure that your SysAid systems are updated to version 23.3.36, which includes the patches for the identified vulnerability. 
  • Review any credentials or other information that would have been available to someone with full access to your SysAid server and check any relevant activity logs for suspicious behaviour. 
  • Conduct a thorough compromise assessment of your SysAid server, checking for the indicators of compromise published by SysAid and for any web application archive or shell that was not deployed by your own team.
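The traversal itself leaves a trace in the web server's access log, and a file written outside the intended upload directory is the pattern to hunt for regardless of which endpoint was abused. The script below is an added example, not SysAid's code or its published indicators: it decodes nested percent-encoding (the usual way traversal sequences are hidden) and flags any request whose decoded target contains a `..` path segment, marking POSTs that plant a `.war` as the web-shell deployment pattern. The log lines, IP addresses, paths and file names are constructed for the example; the `/sysaid/upload` and `/sysaid/files` endpoints are invented and are not the real vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Combined Log Format. The IPs, paths and file
# names are invented for the example; they are not SysAid's real endpoints and
# not the vendor's published indicators of compromise.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2023:10:01:12 +0000] "GET /sysaid/Login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Nov/2023:10:02:40 +0000] "POST /sysaid/upload?name=..%2F..%2Fwebapps%2FROOT%2Fshell.war HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.7 - - [08/Nov/2023:10:02:55 +0000] "GET /sysaid/files?path=%252e%252e%252f%252e%252e%252fconf%252fserver.xml HTTP/1.1" 200 3330 "-" "python-requests/2.31"
10.0.0.9 - - [08/Nov/2023:10:03:01 +0000] "GET /sysaid/Report.jsp?id=42 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Nov/2023:10:03:20 +0000] "GET /sysaid/docs/a..b.pdf HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment followed by a separator (either slash style) or end of string.
# "a..b.pdf" must not match; "....//" must, since it is a known filter bypass.
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|$)")


def fully_decode(s, max_rounds=3):
    """Strip nested percent-encoding so %252e%252e%252f becomes '../'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_traversal(log_text):
    """One finding per request whose decoded target contains a '..' segment."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        target = fully_decode(m["target"])
        if not TRAVERSAL_RE.search(target):
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "target": target,
            "status": int(m["status"]),
            # A traversal that writes a .war is the web-shell deployment pattern.
            "war_upload": m["method"] == "POST" and target.lower().endswith(".war"),
        })
    return findings


if __name__ == "__main__":
    for f in find_traversal(SAMPLE_LOG):
        tag = "WEBSHELL-DEPLOY" if f["war_upload"] else "TRAVERSAL"
        print(f'{tag} {f["ip"]} {f["method"]} {f["target"]} -> {f["status"]}')
```

A 200 response to a traversal request is the worrying case; a 4xx means the application rejected it. Pivot from any hit on the client IP to find the follow-on requests to the dropped web shell, and check Tomcat's `webapps` directory for archives your team did not deploy.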

Gamaredon’s LitterDrifter USB Malware Spreads Beyond Ukraine 

A recently identified USB worm dubbed ‘LitterDrifter’, attributed to the Russia-linked threat group Gamaredon, appears to have spread beyond Ukraine, its likely intended target.  

As well as targeting companies in Ukraine, LitterDrifter infections have been observed throughout Europe and the US and in parts of Asia. 

Written in VBScript, the malware has two main components: a spreader that copies it to any other USB drive connected to the infected host, and a communicator that contacts a flexible set of command-and-control (C&C) servers. It can also fetch and execute further payloads from the C&C, so an infection is a foothold rather than just a nuisance.  

Thousands of servers exposed as LockBit ransomware exploits Citrix Bleed in attacks 

Ransomware gangs are using a publicly available exploit against Internet-exposed Citrix NetScaler ADC and Gateway devices to breach large organisations, steal data and encrypt files. 

The vulnerability, Citrix Bleed (CVE-2023-4966), was disclosed last month and continues to be abused in attacks. 

Mandiant reported that threat actors began exploiting Citrix Bleed in late August, when the flaw was still a zero day. In these attacks a crafted HTTP GET request makes the appliance leak memory containing NetScaler AAA session cookies. Because those cookies are issued after the multi-factor authentication (MFA) stage, replaying one grants the attacker an authenticated session with no password or MFA challenge, which is why patching alone is not enough: existing sessions must be terminated as well.  
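A replayed session cookie looks, to the appliance, like the legitimate user, so the detection has to come from context: the same session token seen from a client address other than the one that authenticated, or a token that is used without any authentication event at all. The following is an added example, not Citrix or Mandiant code, that applies both checks to a simplified event model. The event records, session identifiers, user names and IP addresses are constructed for the example and do not follow real NetScaler log syntax; mapping your own AAA logs into that shape is left to you.

```python
from collections import defaultdict

# Constructed, simplified AAA session events (not real NetScaler log syntax):
# one record per authentication or per proxied request, with the session token
# the appliance issued, the client IP it was seen from and the user it maps to.
SAMPLE_EVENTS = [
    {"ts": "2023-11-06T08:00:05Z", "kind": "login",   "session": "S1", "user": "alice", "ip": "198.51.100.10"},
    {"ts": "2023-11-06T08:00:30Z", "kind": "request", "session": "S1", "user": "alice", "ip": "198.51.100.10"},
    {"ts": "2023-11-06T08:04:10Z", "kind": "request", "session": "S1", "user": "alice", "ip": "203.0.113.77"},
    {"ts": "2023-11-06T08:05:00Z", "kind": "login",   "session": "S2", "user": "bob",   "ip": "192.0.2.20"},
    {"ts": "2023-11-06T08:06:00Z", "kind": "request", "session": "S2", "user": "bob",   "ip": "192.0.2.20"},
    {"ts": "2023-11-06T08:09:45Z", "kind": "request", "session": "S3", "user": "carol", "ip": "203.0.113.77"},
]


def detect_session_reuse(events):
    """Flag session tokens used from an IP other than the one that authenticated,
    and tokens that appear in requests without any authentication event at all.
    Both are the footprint of a replayed (leaked) post-MFA session cookie."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    findings = []
    for sid, evs in sorted(by_session.items()):
        logins = [e for e in evs if e["kind"] == "login"]
        auth_ip = logins[0]["ip"] if logins else None
        foreign = sorted({e["ip"] for e in evs if e["ip"] != auth_ip})
        if auth_ip is None:
            reason = "token used without any authentication event"
        elif foreign:
            reason = "token used from an IP other than the authenticating client"
        else:
            continue  # every use came from the IP that logged in: nothing to flag
        findings.append({"session": sid, "user": evs[0]["user"], "auth_ip": auth_ip,
                         "foreign_ips": foreign, "reason": reason})
    return findings


def shared_foreign_ips(findings):
    """IPs that appear as foreign in more than one flagged session: a pivot for
    blocking and for scoping how many accounts the same actor touched."""
    count = defaultdict(int)
    for f in findings:
        for ip in f["foreign_ips"]:
            count[ip] += 1
    return sorted(ip for ip, n in count.items() if n > 1)


if __name__ == "__main__":
    hits = detect_session_reuse(SAMPLE_EVENTS)
    for f in hits:
        print(f'{f["session"]} ({f["user"]}): {f["reason"]} {f["foreign_ips"]}')
    print("shared attacker IPs:", shared_foreign_ips(hits))
```

Expect false positives from mobile clients and VPN egress changes; a corporate NAT pool or a short allow-list of known egress ranges reduces them. The second check (a token with no login) is the stronger one, because a stolen cookie is replayed by a client that never passed through the AAA login at all.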

Threat Actors Leverage File-Sharing Service and Reverse Proxies for Credential Harvesting 

A phishing campaign has been observed in which malicious emails carry a link to a legitimate file-sharing service. The hosted file is a PDF containing a secondary link to a credential-harvesting page, which is served through a reverse proxy in front of the real login service. Because the victim is interacting with the genuine sign-in flow via the proxy, the attacker captures not only the username and password but also the session cookie issued after authentication, bypassing MFA. 

StripedFly Malware Operated Unnoticed for 5 Years, Infecting 1 Million Devices 

An advanced strain of malware masquerading as a cryptocurrency miner has managed to fly under the radar for over five years, infecting no less than one million devices around the world in the process.  

The threat, codenamed StripedFly, has been described as an “intricate modular framework that supports both Linux and Windows.”  

A Russian cybersecurity vendor, which first detected samples in 2017, said the miner is only one component of a much larger framework that uses a custom version of the EternalBlue SMBv1 exploit, attributed to the Equation Group, to infiltrate publicly accessible systems. 

Atlassian Warns of Exploit for Confluence Data Wiping Bug 

A public exploit is now available for CVE-2023-22518, a critical Confluence security flaw that can be used to wipe data on Internet-exposed instances.  

Atlassian describes it as an “improper authorization vulnerability in Confluence Data Center and Server”. All versions released before the fixed releases (7.19.16, 8.3.4, 8.4.4, 8.5.3 and 8.6.1) are affected, and the bug is rated 9.1 on the Common Vulnerability Scoring System (CVSS). Atlassian Cloud sites are not affected. 

The vendor has not explained the bug in detail, so as not to tip off attackers. This is common practice for security flaws. 

Admins are urged to patch immediately to avoid critical data being destroyed; if that is not possible, Atlassian's interim advice is to back up the instance and take it off the Internet. The exploit can be used to wipe data on affected servers but, according to Atlassian, not to steal it.  
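Deciding whether a given deployment is affected is a branch-aware version comparison, since Atlassian fixed several release lines in parallel and some lines (8.0.x through 8.2.x) received no fix at all. The script below is an added example, not Atlassian's tooling, that encodes the fixed versions named in the advisory and reports the upgrade target for an affected instance; the example version strings are constructed.

```python
import re

# Fixed releases named in Atlassian's advisory for CVE-2023-22518. Every
# release below its branch's fix, and every branch without a fix, is affected.
FIXED_VERSIONS = [(7, 19, 16), (8, 3, 4), (8, 4, 4), (8, 5, 3), (8, 6, 1)]


def parse_version(text):
    """'8.5.3', '8.5.3-rc1' or 'v7.19' -> (8, 5, 3) / (7, 19, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    """True if the version predates the fix on its branch (or has no fixed branch)."""
    v = parse_version(version)
    if v >= max(FIXED_VERSIONS):
        return False  # at or beyond the newest fixed release
    return not any(v[:2] == f[:2] and v >= f for f in FIXED_VERSIONS)


def upgrade_target(version):
    """Smallest fixed release on the same branch, else the newest fixed release;
    None when the version is not affected."""
    if not is_vulnerable(version):
        return None
    v = parse_version(version)
    same_branch = [f for f in FIXED_VERSIONS if f[:2] == v[:2]]
    target = min(same_branch) if same_branch else max(FIXED_VERSIONS)
    return ".".join(map(str, target))


if __name__ == "__main__":
    # Constructed example versions, not an inventory of real hosts.
    for ver in ["7.19.15", "7.19.16", "8.0.4", "8.5.2", "8.5.3", "8.7.0"]:
        if is_vulnerable(ver):
            print(f"{ver}: VULNERABLE, upgrade to {upgrade_target(ver)}")
        else:
            print(f"{ver}: fixed")
```

Feed it the version string from each instance's admin console or `confluence.version` file and schedule the upgrades the output names; an instance on an 8.0 to 8.2 line has no in-branch fix and must move to a later line.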

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
