Blog article

Weekly Digest Week 49 – 2023

Publication date

11.12.2023

Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution

Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution.

The list of vulnerabilities is below:

  • CVE-2022-1471 (CVSS score: 9.8) – Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products
  • CVE-2023-22522 (CVSS score: 9.0) – Remote code execution vulnerability in Confluence Data Center and Confluence Server (affects all versions including and after 4.0.0)
  • CVE-2023-22523 (CVSS score: 9.8) – Remote code execution vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (affects all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server)
  • CVE-2023-22524 (CVSS score: 9.6) – Remote code execution vulnerability in Atlassian Companion app for macOS (affects all versions up to but not including 2.0.0)

With Atlassian products becoming lucrative attack vectors in recent years, it’s highly recommended that users move quickly to update affected installations to a patched version.

Analysis from our SOC team
Atlassian tools are usually business critical and should be treated as such. A correct and swift patching procedure is crucial to remediate high-impact vulnerabilities such as these quickly. Also, limit accessibility from external networks where possible and set up MFA to thwart attacks that use phished credentials.

CERT.BE also released an advisory containing all necessary information in a compact format: https://www.cert.be/en/warning-critical-vulnerabilities-multiple-atlassian-product-versions-rce-possible-patch-immediately


Microsoft Threat Intelligence is warning that the Russia-linked cyber-espionage group APT28 (aka “Forest Blizzard”, “Fancy Bear” or “Strontium”) is actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.

In March 2023, Microsoft published guidance for investigating attacks exploiting the patched Outlook vulnerability tracked as CVE-2023-23397. The vulnerability is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.

In recent attacks spotted by Microsoft Threat Intelligence, the nation-state actors primarily targeted government, energy, transportation, and non-governmental organizations in the US, Europe, and the Middle East.

Microsoft recommends that organizations patch their systems and keep them updated to mitigate this threat.

In October, the French National Agency for the Security of Information Systems, ANSSI (Agence Nationale de la sécurité des systèmes d’information), warned that the Russia-linked APT28 group has been targeting multiple French organizations, including government entities, businesses, universities, research institutes and think tanks.


Analysis from our SOC team
CVE-2023-23397 kicked up quite some dust when it first became known. Now, more than 6 months later, many Exchange servers are still not patched, and the vulnerability is no longer abused only by cyber criminals but also by nation-state actors.

Patching of servers and services that are reachable from the internet should be prioritized and dealt with ASAP.

Reach out to us by replying to this mail if you need assistance with patching, threat hunting for signs of compromise or incident response related to this CVE.

Google fixed a critical zero-click RCE vulnerability (CVE-2023-40088) with the release of the December 2023 Android security updates.

Google’s December 2023 Android security updates addressed 85 vulnerabilities, including a critical zero-click remote code execution (RCE) flaw tracked as CVE-2023-40088.

The vulnerability resides in Android’s System component and does not require additional privileges to be triggered. An attacker can exploit it to execute arbitrary code on vulnerable devices without user interaction.

“The most severe vulnerability in this section could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” reads the security advisory.


Analysis from our SOC team
Mobile phones are a huge part of our professional and personal lives. Therefore, it is just as important to keep those devices updated to the newest version, even when the device is personal and not managed by an organisation.


Black Hat researchers show that top password managers on Android mobiles are prone to leaking passwords when the WebView autofill function is used.

At this week’s Black Hat Europe conference, Ankit Gangwal of the International Institute of Information Technology (IIIT) showed how mobile apps using WebView controls can leak credentials from many password managers.

Gangwal and his students, Shubham Singh and Abhijeet Srivastava, revealed the credential-leaking vulnerability they call “AutoSpill”.

Gangwal explains that he and the students discovered that the top 10 password managers are prone to AutoSpill, in which an app can obtain username and password credentials when it invokes WebView. According to Gangwal, it becomes a problem when a user unintentionally installs a malicious app.

“If it is a malicious application, it will receive the credentials for free,” Gangwal says. “No phishing required, no tricking needed, nothing is required. The worst part is that such applications can stay in the official stores [i.e., Google Play], where they can be distributed to a larger user base, which makes this problem even more serious, in my opinion.”

Password managers can mitigate the risk by associating a web domain with the input field that includes a username and password, Gangwal notes. “This way, they can develop a more secure coupling.”

Analysis from our SOC team
All affected password managers that were tested have already been notified about the issue. All except one, which has not been disclosed, have responded and are looking into fixing it.

Currently there are no signs of exploitation, but now that this research is public, malicious apps will be created to steal credentials without user interaction.

Make sure to only download verified and trusted apps from the official store of your device to greatly reduce the risk of being impacted until the vulnerability has been fixed.


Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector.

The DanaBot infections led to “hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).

“The current Danabot campaign, first observed in November, appears to be using a private version of the info-stealing malware instead of the malware-as-a-service offering,” Redmond further noted.

The credentials harvested by the malware are transmitted to an actor-controlled server. This is followed by lateral movement via RDP sign-in attempts and, ultimately, the handoff of access to Storm-0216.

Analysis from our SOC team
Malvertising, where malicious code is injected into advertisements, is a successful technique to potentially infect many victims.

Even if the initial infostealing attack succeeds, there are plenty of opportunities to stop further damage, because a ransomware operator takes many of the usual steps (credential theft, lateral movement, handoff of access) before finally encrypting data.

A reliable and trusted antivirus solution combined with an EDR (endpoint detection and response) tool provides many of these opportunities: it can automatically block the activity or at least raise alerts before the ransomware is deployed. An important factor here is that security alerts need to be monitored and acted upon quickly, as attackers are becoming faster across their entire attack chain.
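As an added example (not code from Microsoft’s posts or from Approach), the following Python script applies the kind of detection this analysis calls for: it scans Windows logon events for one account opening RDP sessions to several hosts within a short window, the pattern the DanaBot-to-Storm-0216 lateral movement described above would produce. Event ID 4624 and logon type 10 are real Windows values; the sample log lines, host names, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (ID 4624, LogonType 10 = RemoteInteractive/RDP),
# flattened to one key=value line each. These are made-up entries, not real telemetry.
SAMPLE_EVENTS = """\
2023-12-05T09:14:02Z EventID=4624 LogonType=10 TargetUser=CORP\\jdoe Workstation=WS-041 Source=10.0.5.23
2023-12-05T09:14:40Z EventID=4624 LogonType=10 TargetUser=CORP\\jdoe Workstation=FS-01 Source=10.0.5.23
2023-12-05T09:15:11Z EventID=4624 LogonType=10 TargetUser=CORP\\jdoe Workstation=SQL-02 Source=10.0.5.23
2023-12-05T09:15:55Z EventID=4624 LogonType=10 TargetUser=CORP\\jdoe Workstation=DC-01 Source=10.0.5.23
2023-12-05T09:30:00Z EventID=4624 LogonType=2 TargetUser=CORP\\asmith Workstation=WS-102 Source=-
2023-12-05T11:02:13Z EventID=4624 LogonType=10 TargetUser=CORP\\helpdesk Workstation=WS-077 Source=10.0.9.9
"""

def parse_events(text):
    """Parse the flattened key=value lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def rdp_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag (user, source IP) pairs that RDP into at least `min_hosts` distinct hosts
    within `window`. Returns {(user, source): sorted list of hosts}."""
    rdp = [e for e in events if e["EventID"] == "4624" and e["LogonType"] == "10"]
    rdp.sort(key=lambda e: e["ts"])
    by_actor = defaultdict(list)
    for e in rdp:
        by_actor[(e["TargetUser"], e["Source"])].append(e)
    hits = {}
    for actor, evs in by_actor.items():
        # sliding window over this actor's RDP logons, earliest first
        for i, start in enumerate(evs):
            hosts = {e["Workstation"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[actor] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    for (user, src), hosts in rdp_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT possible RDP lateral movement: {user} from {src} -> {', '.join(hosts)}")
```

In a SIEM the same logic would run over the real 4624 feed; the thresholds should be tuned against known administrative jump hosts to keep the alert actionable.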

If you don’t have the resources to do the monitoring and triage, Approach Cyber SOC can help lift the weight and do the monitoring for you.

Contact us if you’d like to know more about the SOC services that we provide to help you gain or keep your cyber serenity.
