Featured Story

Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss
Atlassian has warned of a critical security flaw in Confluence Data Center and Server that could result in “significant data loss if exploited by an unauthenticated attacker.”
Tracked as CVE-2023-22518, the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an instance of “improper authorization vulnerability.”
All versions of Confluence Data Center and Server are susceptible to the bug, and it has been addressed in the following versions:
- 7.19.16 or later
- 8.3.4 or later
- 8.4.4 or later
- 8.5.3 or later, and
- 8.6.1 or later
Atlassian is also urging customers to take immediate action to secure their instances, recommending those that are accessible to the public internet be disconnected until a patch can be applied.
What’s more, users who are running versions that are outside of the support window are advised to upgrade to a fixed version. Atlassian Cloud sites are not affected by the issue.
While there is no evidence of active exploitation in the wild, previously discovered shortcomings in the software, including the recently publicized CVE-2023-22515, have been weaponized by threat actors.
Although no active exploitation is ongoing, public information about the critical vulnerability was published yesterday. This plays into the hands of threat actors seeking to use the vulnerability in the short term.
Analysis from our SOC team
While there is currently no evidence of active exploitation by threat actors, we want to emphasise the message Atlassian is giving: either patch the system or disconnect it from the public internet until the patch is applied.
Threat actors have shown many times in the past that they are capable of weaponizing vulnerabilities in a very short time span. Especially when public information about the exploit is available, as it is in this case, it is usually days, not weeks, before mass exploitation starts.
Make sure to check the advisory linked below for the most up-to-date information from Atlassian.
Atlassian advisory: https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-confluence-server-1311473907.html
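To turn the fix list above into something an operations team can act on, here is a small triage script. It is an added example, not code from Atlassian or from this newsletter; the only inputs it takes from the advisory are the five fixed versions, and it treats any release at or above the newest of them (8.6.1, listed as "8.6.1 or later") as fixed. The host names, versions and exposure flags in the sample inventory are constructed.

```python
"""Triage Confluence Data Center/Server hosts against the CVE-2023-22518 fix list.

The fixed versions are the ones Atlassian lists in its advisory. The host
inventory at the bottom is constructed sample data, not real systems.
"""
from typing import List, NamedTuple, Optional, Tuple

# Fixed versions from the advisory ("X or later" for each).
FIXED_VERSIONS = ("7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.5.3' into (8, 5, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def fix_for(version: str) -> Optional[str]:
    """Return the fixed version a host should move to, or None if it is already fixed.

    Rules derived from the advisory's list:
      * at or above the newest fixed release (8.6.1): fixed;
      * within a listed branch (7.19, 8.3, 8.4, 8.5, 8.6) at or above its fix: fixed;
      * within a listed branch but below its fix: upgrade to that branch's fix;
      * any other branch (for example 8.0-8.2, out of support): upgrade to the newest fix.
    """
    v = parse_version(version)
    fixes = [parse_version(f) for f in FIXED_VERSIONS]
    newest = max(fixes)
    if v >= newest:
        return None
    for f in fixes:
        if v[:2] == f[:2]:  # same major.minor branch as a listed fix
            return None if v >= f else ".".join(map(str, f))
    return ".".join(map(str, newest))


def is_fixed(version: str) -> bool:
    return fix_for(version) is None


class Host(NamedTuple):
    name: str
    version: str
    internet_facing: bool


def triage(inventory: List[Host]) -> List[Tuple[str, str]]:
    """Return (host, action) for every host that still needs work.

    Following the advisory: vulnerable hosts reachable from the public internet
    should be disconnected until patched; the rest just need the upgrade.
    """
    actions = []
    for host in inventory:
        target = fix_for(host.version)
        if target is None:
            continue
        if host.internet_facing:
            actions.append((host.name, f"disconnect from the public internet, then upgrade to {target}"))
        else:
            actions.append((host.name, f"upgrade to {target}"))
    return actions


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    Host("wiki-prod", "8.5.1", True),
    Host("wiki-dev", "8.2.0", False),
    Host("wiki-legacy", "7.19.16", True),
    Host("wiki-new", "8.7.0", False),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY):
        print(f"{name}: {action}")
```

Versions are compared as integer tuples rather than strings on purpose: a string comparison would rank "8.5.3" below "8.5.10" incorrectly. Unlisted branches such as 8.2 are deliberately routed to the newest fix, matching the advice that out-of-support versions should be upgraded rather than assumed safe.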
Other news
F5 this week warned customers about a critical security vulnerability, tracked as CVE-2023-46747 (CVSS 9.8), that impacts BIG-IP and could result in unauthenticated remote code execution.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by F5.
On October 30, F5 updated its original advisory warning that threat actors are actively exploiting the vulnerability. The attackers chain the vulnerability with another flaw in BIG-IP’s configuration utility tracked as CVE-2023-46748 (CVSS score of 8.8).
“F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748.” For indicators of compromise, refer to the F5 advisory for CVE-2023-46748 linked below.
Analysis from our SOC team
Mass exploitation of devices sitting on the edge of your network, such as F5 BIG-IP, poses a significant threat once those devices are compromised.
Sufficient logging allows your organisation to threat hunt for the IoCs provided by F5 and for other suspicious or unwanted behaviour. If needed, Approach SOC can assist with the necessary steps to keep your environment safe.
F5 advisory for CVE-2023-46747: https://my.f5.com/manage/s/article/K000137353
F5 advisory for CVE-2023-46748: https://my.f5.com/manage/s/article/K000137365
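As an illustration of the hunting step mentioned above, here is a small matcher that checks log lines against a vendor-style IoC list. This is an added example, not code from F5 or from this newsletter. The indicator values and log lines in it are constructed placeholders; the real indicators for CVE-2023-46748 are in the F5 advisory linked above and would be loaded in place of the sample list.

```python
"""Match vendor-published indicators of compromise (IoCs) against log lines.

Added example with constructed data: the IoC values and log lines below are
placeholders, not the indicators from F5's CVE-2023-46748 advisory.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

# Whole-token IPv4 match: the lookarounds stop 198.51.100.23 from matching
# inside 198.51.100.230 or inside a longer dotted string.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass
class IocSet:
    ips: Set[str] = field(default_factory=set)
    sha256: Set[str] = field(default_factory=set)
    paths: Set[str] = field(default_factory=set)


def load_iocs(text: str) -> IocSet:
    """Parse a simple 'type,value' list (one indicator per line, '#' comments)."""
    iocs = IocSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip()
        if kind == "ip":
            iocs.ips.add(value)
        elif kind == "sha256":
            iocs.sha256.add(value.lower())  # normalise case once, at load time
        elif kind == "path":
            iocs.paths.add(value)
    return iocs


def hunt(log_lines: Iterable[str], iocs: IocSet) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, value) for every indicator found.

    IPs and hashes are matched as whole tokens so that a shorter IP does not
    match inside a longer one; file paths are matched as substrings.
    """
    hits = []
    for number, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs.ips:
                hits.append((number, "ip", ip))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs.sha256:
                hits.append((number, "sha256", digest.lower()))
        for path in iocs.paths:
            if path in line:
                hits.append((number, "path", path))
    return hits


# Constructed placeholder indicators (documentation-range IP, dummy hash, dummy path).
PLACEHOLDER_HASH = "a" * 64
SAMPLE_IOCS = f"""
# type,value
ip,198.51.100.23
sha256,{PLACEHOLDER_HASH}
path,/tmp/placeholder-dropper.sh
"""

# Constructed sample log lines; line 2 carries a near-miss IP that must not match.
SAMPLE_LOGS = [
    "Oct 30 10:01:02 bigip1 httpd[1234]: client 198.51.100.23 POST /placeholder/login 200",
    "Oct 30 10:01:03 bigip1 httpd[1234]: client 198.51.100.230 GET /placeholder/status 200",
    "Oct 30 10:02:10 bigip1 audit[77]: new file /tmp/placeholder-dropper.sh sha256=" + "A" * 64,
    "Oct 30 10:03:00 bigip1 httpd[1234]: client 203.0.113.9 GET /placeholder/status 200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, load_iocs(SAMPLE_IOCS)):
        print(hit)
```

The point of the token-boundary regexes is to avoid the classic false positive of a naive substring search, where an indicator such as 198.51.100.23 "matches" every address that merely starts with those digits; hashes are lower-cased on both sides so that case differences between the advisory and your log source do not hide a hit.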
Researchers from Kaspersky discovered a sophisticated malware, dubbed StripedFly, that remained under the radar for five years masquerading as a cryptocurrency miner.
In 2022, the researchers detected within the WININIT.EXE process older code associated with the NSA-linked Equation malware. Further analysis revealed that the malware has been in use since at least 2017. Kaspersky discovered that the detections between 2017 and 2022 had previously been misclassified as a cryptocurrency miner.
The malicious code has a complex modular structure that supports both Linux and Windows. It relies on a built-in Tor network tunnel for C2 communications and supports update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket.
Kaspersky researchers discovered that over one million updates have been downloaded from the C2 infrastructure since 2017.
“What was the real purpose? That remains a mystery. While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for the potentially more lucrative path instead. The prevailing narrative often centers around ransomware actors collecting anonymous ransoms, but this case seems to defy the norm.” concludes the report. The question remains, but only those who crafted this enigmatic malware hold the answer.
Analysis from our SOC team
It’s important to monitor assets such as laptops provided to employees with advanced security software such as an Endpoint Detection & Response (EDR) tool. An EDR gives far more in-depth visibility into what is being executed on a system than an anti-virus solution does.
Although company laptops are not meant for personal use, it happens quite frequently, and it increases the chance of software such as a cryptominer being installed by an end user who has local admin rights.
Contact our SOC for more information on how we can assist you with this.
A new malvertising campaign has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads.
“Victims who clicked on the ad were taken to a hacked web page with a link to download the application, which turned out to install over a dozen different pieces of malware instead.”
The infected website in question is an unnamed online portal that specializes in wedding planning, which had been injected with malware to serve bogus links to the PyCharm software.
The execution of the PyCharm installer results in the deployment of several stealer and loader families, such as Amadey, PrivateLoader, RedLine, Stealc, and Vidar, a deluge that renders the infected system completely unusable.
Analysis from our SOC team
In 2023 we have seen, and are still seeing, frequent malicious advertisements on Google that lure people into installing malware instead of the program they are looking for.
It’s important to raise awareness among users about threats like this, as most users click the first link on Google without thinking. Since the first link is often an advertisement, it is an easy trap for unsuspecting employees to fall into.
Don’t hesitate to contact us to make use of the expertise from our awareness team to educate and inform your end users.
Okta is back on the record with another cybersecurity incident, this time via a breach of its third-party vendor, Rightway Healthcare, which has exposed the personal and healthcare data of nearly 5,000 Okta employees.
Okta, in a statement, emphasized that only its employees, not its customers, were impacted by the incident.
Certainly, in comparison to recent compromises tied to Okta, this specific data leak by Rightway isn’t a standout event. From threat actors gaming the company’s software platform to breach MGM Resorts to catastrophic effect in September, to October’s incident when attackers compromised Okta’s own systems to steal customer data, including session tokens and cookies (followed days later by a supply chain attack on its customer 1Password), it’s been a rough few weeks for the identity and access management (IAM) vendor.
However, disclosure of another cybersecurity incident anywhere in its software supply chain could raise questions about Okta’s overall security posture, particularly among its cybersecurity-conscious clientele.
Asked about how Okta would reassure its customers it is taking proactive steps to shore up its overall cybersecurity posture, the company spokesperson said they are sticking to the statement, for now.
Analysis from our SOC team
Okta has been in the news quite frequently this year, particularly in the second half. The IAM vendor is having a rough time retaining confidence in its product and brand after these back-to-back security incidents.
From what our SOC team sees on X (previously known as Twitter), Okta made some dubious internal security decisions such as getting rid of their entire internal red team and completely re-forming their internal blue team while also getting rid of a lot of the people that helped build their internal SOC throughout the years.
It’s important to layer your security and to invest in detection and response tools and processes, as well as sufficient logging, so that misuse of IAM platforms such as Okta can be identified, whether or not it is related to a breach at Okta or at any other third party.