Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11760
Checks for new stories every ~15 minutes
| Published | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2024-01-17 04:18:42 | thehackernews | MALWARE | Patches Released for Critical Vulnerabilities in Citrix, VMware, and Atlassian | Citrix has issued warnings and patches for two zero-day vulnerabilities affecting NetScaler ADC and NetScaler Gateway: CVE-2023-6548, an authenticated remote code execution flaw in the management interface, and CVE-2023-6549, a denial-of-service flaw, both of which Citrix reports are being exploited in the wild.
Users of affected versions are urged to upgrade to a supported version with patches and advised not to expose the management interface to the internet to mitigate risk.
VMware disclosed a critical security vulnerability (CVE-2023-34063) in Aria Automation, allowing authenticated attackers to gain unauthorized access. The flaw is characterized by a "missing access control" issue.
VMware customers must apply a specific patch and follow a supported upgrade path to version 8.16, as certain intermediate versions may reintroduce the vulnerability.
Atlassian released patches for a critical RCE flaw (CVE-2023-22527) in Confluence Data Center and Server, with a maximum severity CVSS score of 10.0. The vulnerability allows template injection leading to RCE by an unauthenticated attacker.
The RCE issue is resolved in Confluence versions 8.5.4, 8.5.5, 8.6.0, 8.7.1, and 8.7.2, and Atlassian urges users to update to the latest version immediately. | Details |
| 2024-01-17 03:02:17 | theregister | MISCELLANEOUS | Nokia Targets US Government Contracts Amid Chinese Tech Concerns | Finnish telecom giant Nokia has launched a new business unit in the USA, Nokia Federal Solutions, focused on selling to the U.S. government.
The move capitalizes on U.S. efforts to remove Chinese-made equipment from national networks due to security fears, specifically targeting telecom providers Huawei and ZTE.
The U.S. has not only restricted Huawei's and ZTE's access to U.S. technology but has also pressured allies to keep Chinese telecom equipment out of their networks.
Although Huawei has denied any wrongdoing, U.S. concerns are fueled by Chinese laws that could compel companies to share information with the government.
Nokia sees an opportunity in the American preference for non-Chinese technology in critical infrastructure, particularly given that the U.S. lacks major domestic players in RAN technology.
Nokia Federal Solutions will offer typical telecom technologies as well as "tactical private wireless" systems for military use, recently acquired from Fenix Group.
The establishment of this dedicated entity is a strategic move by Nokia to secure lucrative contracts with the U.S. government by addressing national security concerns. | Details |
| 2024-01-17 02:25:42 | thehackernews | MALWARE | Google Patches Actively Exploited Chrome Zero-Day Vulnerability | Google has released an update to fix a zero-day vulnerability in the Chrome browser that was actively being exploited by attackers.
The vulnerability is identified as CVE-2024-0519 and involves an out-of-bounds memory access in the V8 JavaScript engine that could lead to heap corruption.
Beyond crashing the browser, an out-of-bounds read in V8 can leak memory that helps bypass protections such as ASLR and, chained with a second bug, lead to code execution.
Detailed information about the attacks and the identities of threat actors have been withheld to prevent further exploitation.
The flaw was anonymously reported and Chrome users must update to the latest versions provided for Windows, macOS, and Linux to protect against the risk.
This is the first zero-day vulnerability in Chrome reported in 2024, following eight similar issues rectified by Google in the previous year.
Users of other Chromium-based browsers are encouraged to stay vigilant and apply relevant updates as they are made available. | Details |
| 2024-01-17 01:34:40 | theregister | MALWARE | FBI Warns of Androxgh0st Botnet Exploiting Old Vulnerabilities | The FBI and CISA have released a joint warning about Androxgh0st malware, which targets cloud service credentials.
Androxgh0st exploits old vulnerabilities in popular frameworks and servers, including PHPUnit, Laravel, and Apache HTTP Server.
The malware primarily targets .env files to obtain user credentials for services like AWS, Office 365, SendGrid, and Twilio.
Attackers have been observed using the stolen credentials to create new AWS users and instances for further malicious activities.
The agencies recommend keeping systems and software updated, configuring web servers to deny requests to URIs by default unless a specific need exists, and reviewing the platforms and services whose credentials appear in .env files for unauthorized access or use.
They also advise running Apache HTTP Server versions that are not affected by the exploited flaws and keeping operating systems, software, and firmware current.
The security alert provides indicators of compromise and suggests one-time and regular reviews of stored cloud credentials to identify potential unauthorized use. | Details |
| 2024-01-16 22:21:01 | bleepingcomputer | DATA BREACH | GitHub Responds to Vulnerability by Rotating Exposed Keys | GitHub addressed a vulnerability allowing attackers to access credentials in production containers via environment variables.
The issue, tracked as CVE-2024-0200, could lead to remote code execution on unpatched servers and was patched in various GitHub Enterprise Server versions.
Exploitation required an authenticated account with the organization owner role, which limits the flaw's potential for abuse.
GitHub rotated all potentially exposed credentials as a preventative measure, even though the vulnerability was believed to be unexploited previously.
Customers who rely on specific GitHub public keys, such as the commit signing key and the customer encryption keys used for GitHub Actions and Dependabot secrets, must import the new keys.
GitHub advises fetching these public keys from its API rather than hard-coding them, so that rotated keys are picked up automatically.
An additional high-severity command injection vulnerability, CVE-2024-0507, was also patched, which could allow privilege escalation.
GitHub has a history of key rotation and revocation due to previous incidents of exposed or stolen secrets. | Details |
| 2024-01-16 21:29:39 | bleepingcomputer | MALWARE | MacOS Malware Continuously Evolves to Circumvent XProtect Detection | MacOS information-stealers are rapidly evolving to escape detection by the built-in anti-malware system, XProtect, despite frequent malware database updates.
SentinelOne's report identified three significant examples of such malware: KeySteal, Atomic Stealer, and CherryPie, each employing methods to bypass XProtect and most antivirus engines.
KeySteal, an info-stealer that targets the macOS Keychain, has changed enough since Apple's last signature update to slip past XProtect; current builds use hard-coded command-and-control addresses.
Atomic Stealer now uses cleartext AppleScript rather than code obfuscation, includes checks to prevent execution on virtual machines, and disables the Terminal app to avoid analysis.
CherryPie, a cross-platform info-stealer, uses anti-analysis and VM-detection checks and admin privileges to disable Gatekeeper, although recent XProtect updates have improved its detection.
Overall, the rapid evolution of these information-stealers against static security measures like XProtect underscores the need for dynamic or heuristic antivirus solutions and a layered security approach.
Enhanced network monitoring, firewalls, and consistent application of security updates are recommended to bolster defenses against these adapting threats. | Details |
| 2024-01-16 20:38:10 | bleepingcomputer | CYBERCRIME | Citrix Patches Zero-Day Vulnerabilities Exploited in Recent Attacks | Citrix has warned customers to immediately patch two zero-day vulnerabilities in Netscaler ADC and Gateway appliances to prevent exploitation.
Identified as CVE-2023-6548 and CVE-2023-6549, the flaws allow remote code execution and denial of service respectively.
Exploiting CVE-2023-6548 for code execution requires an authenticated low-privilege user with network access to the management interface, which is why keeping that interface off the internet matters.
The zero-days only affect customer-managed Netscaler appliances, not Citrix-managed cloud services or adaptive authentication solutions.
Over 1,500 Netscaler management interfaces are currently exposed online, as per data from Shadowserver.
Citrix emphasizes the importance of installing updated versions immediately and advises customers using end-of-life software to upgrade to supported versions.
In the absence of immediate update capabilities, Citrix advises blocking network traffic to affected instances and avoiding exposure of the management interface to the internet.
Previous Netscaler vulnerabilities have been exploited by threat groups targeting government and large tech companies, highlighting the critical need for timely updates. | Details |
| 2024-01-16 20:17:35 | theregister | CYBERCRIME | Enhancing Edge Security with Zero Trust Solutions Webinar | The expanding attack surface presents new challenges in protecting the network edge as more processes migrate to distributed sites.
Traditional, centralized data centers with robust controls are more secure than distributed edge locations.
Long supply chains and the lack of dedicated IT security professionals at the edge increase risks, especially in sectors like healthcare, energy, and manufacturing.
Data breaches at the edge can have immediate and significant impacts on daily operations and regulatory compliance.
Dell Technologies' webinar, featuring Jeroen Mackenbach, highlights the need for a Zero Trust security approach at the edge, with continuous verification of devices.
The webinar explains that visibility and automation are critical components of a successful Zero Trust strategy to manage and mitigate cybersecurity threats.
Dell's NativeEdge platform offers a solution to address edge security challenges by reducing attack surfaces and enhancing visibility and control. | Details |
| 2024-01-16 19:16:18 | bleepingcomputer | MALWARE | Google Patches Actively Exploited Chrome Zero-Day Vulnerability | Google addressed a high-severity Chrome zero-day exploited in the wild, designated CVE-2024-0519.
The vulnerability resides in Chrome's V8 JavaScript engine, leading to out-of-bounds memory access.
Updated Chrome builds were released for Windows, Mac, and Linux less than a week after the bug was reported.
Google has yet to disclose specific details about the attacks exploiting the zero-day.
The update is rolling out worldwide and is available immediately via a manual check for updates, with automatic updates following.
The flaw could allow attackers to bypass protection mechanisms like ASLR and enable code execution via other weaknesses.
Alongside CVE-2024-0519, Google fixed two other high-severity V8 flaws in the same release, CVE-2024-0517 (an out-of-bounds write) and CVE-2024-0518 (a type confusion bug).
Last year Google fixed eight Chrome zero-days, some of which were used to deploy spyware on the devices of high-risk individuals. | Details |
| 2024-01-16 18:45:30 | bleepingcomputer | RANSOMWARE | Calvià City Council Hit by $11M Ransomware Demand | The Calvià City Council in Majorca was hit by a ransomware attack, impacting municipal services and demanding $11 million in ransom.
The town is a significant tourist destination, attracting over 1.6 million visits each year, thus making the impact of the attack more severe.
A crisis committee was formed to assess damage and recovery plans, with IT specialists engaged in a forensic analysis of the breach.
Administrative processes are suspended until January 31, 2024, but citizens can use the General State Administration portal for urgent submissions.
The police's cybercrime department was notified, and the city council filed complaints while maintaining services via phone and in-person contact.
No major ransomware group has claimed responsibility for the attack as of this writing; however, the ransom amount of approximately $11 million was reported by local media.
The mayor declared that the municipality would not be paying the ransom, highlighting the resolve against succumbing to such cyber extortion threats. | Details |
| 2024-01-16 18:14:43 | theregister | CYBERCRIME | Critical Security Flaws Demand Immediate Patching for VMware and Atlassian | Atlassian revealed a critical remote code execution flaw, CVE-2023-22527, affecting Confluence Data Center and Server, rated a perfect 10 on the CVSS scale.
An additional high-severity vulnerability, CVE-2020-25649, impacting Jira Software Data Center and Server, could allow XML external entity attacks.
Atlassian's advice for administrators is to promptly update to the latest versions of Confluence and Jira Software to mitigate the risks.
VMware disclosed a serious access control vulnerability, CVE-2023-34063, affecting all versions of Aria Automation before 8.16, with a CVSS score of 9.9.
VMware recommends upgrading to Aria Automation 8.16 and applying the patch to prevent unauthorized access to organizations and workflows.
Both companies are currently unaware of any exploitation of these vulnerabilities but stress the importance of immediate updating as attackers may already be searching for unpatched systems. | Details |
| 2024-01-16 17:38:50 | bleepingcomputer | MALWARE | Androxgh0st Malware Botnet Targets Cloud Services Credential Theft | The FBI and CISA have issued a warning about Androxgh0st malware that is building a botnet and stealing cloud service credentials.
Androxgh0st scans for websites and servers running PHPUnit, the Laravel PHP framework, and Apache HTTP Server with known remote code execution vulnerabilities, exploiting them to obtain sensitive information.
The malware targets .env files that contain credentials for AWS, Microsoft Office 365, SendGrid, and Twilio, aiming to use these for further malicious activities.
Stolen credentials are being used to conduct spam campaigns by checking email sending limits and impersonating legitimate companies.
Threat actors create fake pages and backdoors on compromised websites to access databases and deploy additional malicious payloads.
FBI and CISA have provided mitigation recommendations and request information on any suspicious activity linked to Androxgh0st.
CISA has included certain vulnerabilities exploited by Androxgh0st in its Known Exploited Vulnerabilities Catalog, mandating federal agencies secure their systems by specified dates. | Details |
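As an added example (not code from the advisory or from either Androxgh0st article above), the following Python scans web server access logs for the request patterns the FBI/CISA advisory associates with the botnet's initial access, covering both Androxgh0st items in this brief: requests for Laravel .env files, POSTs to PHPUnit's eval-stdin.php endpoint (CVE-2017-9841), and the percent-encoded path traversal used against Apache HTTP Server 2.4.49 (CVE-2021-41773). It goes slightly beyond the advisory by also decoding the double-encoded form used against 2.4.50 (CVE-2021-42013). The log lines and IP addresses are constructed for the example.

```python
"""Flag Androxgh0st-style initial-access probing in web server access logs."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHPUnit endpoint (CVE-2017-9841) that the botnet POSTs PHP code to.
PHPUNIT_EVAL = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

Hit = Tuple[str, str, str, str, int]   # ip, indicator, method, raw path, status


def normalize(raw_path: str) -> str:
    """Drop the query string and percent-decode twice.

    Two passes matter: the Apache 2.4.49 traversal (CVE-2021-41773) used '.%2e'
    and the 2.4.50 follow-up (CVE-2021-42013) used '%%32%65'; neither reads as
    '..' after a single decode.
    """
    return unquote(unquote(raw_path.split("?", 1)[0]))


def classify(method: str, raw_path: str) -> Optional[str]:
    """Name the indicator a request matches, or None if it looks ordinary."""
    path = normalize(raw_path)
    base = path.rsplit("/", 1)[-1]
    if base == ".env" or base.startswith(".env."):        # .env, .env.bak, .env.production
        return "env-file-read"
    if path.endswith(PHPUNIT_EVAL):
        return "phpunit-eval-stdin" if method == "POST" else "phpunit-eval-stdin-probe"
    if "/cgi-bin/" in path and "/../" in path:
        return "apache-cgi-traversal"
    return None


def scan(lines: List[str]) -> List[Hit]:
    """One tuple per suspicious request, in log order."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                      # malformed line: skip, never crash
        tag = classify(m["method"], m["path"])
        if tag:
            hits.append((m["ip"], tag, m["method"], m["path"], int(m["status"])))
    return hits


def noisy_sources(hits: List[Hit], threshold: int = 2) -> List[str]:
    """IPs behind at least `threshold` indicators: scanners, not one-off typos."""
    counts: dict = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def successful(hits: List[Hit]) -> List[Hit]:
    """Hits the server answered with 2xx: the probe got content, not a 404."""
    return [h for h in hits if 200 <= h[4] < 300]


# Constructed sample log (not captured traffic): one benign request, one scanner
# trying three different things, and a stray request from elsewhere that was
# actually served a backup copy of .env.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jan/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2024:09:12:03 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2024:09:12:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2024:09:12:04 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 226 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [16/Jan/2024:09:13:10 +0000] "GET /app/.env.bak?x=1 HTTP/1.1" 200 812 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("scanners:", noisy_sources(found))
    print("served content:", successful(found))
```

The status code is the part worth acting on: a 404 on /.env is a scanner doing its rounds, while a 200 on any .env variant means the credentials the advisory talks about have already left the server and should be rotated, not just blocked.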
| 2024-01-16 17:22:54 | bleepingcomputer | CYBERCRIME | PixieFail Vulnerabilities Expose Enterprise Systems to Network Threats | 'PixieFail' is the name given to nine vulnerabilities in the IPv6 network stack of TianoCore's EDK II reference UEFI implementation, reachable during PXE network boot in enterprise environments.
Discovered by researchers at Quarkslab, the flaws can lead to denial of service, information disclosure, remote code execution, DNS cache poisoning, and network session hijacking.
Disclosure was coordinated through CERT/CC and CERT-FR, with the publication date pushed back to give vendors time to patch.
Two substantial flaws, CVE-2023-45230 and CVE-2023-45235, have been highlighted for their potential to enable remote code execution, leading to possible full system compromise.
Major technology companies such as Arm Ltd., Insyde Software, American Megatrends Inc., Phoenix Technologies, and Microsoft, along with Intel, are among the impacted vendors.
Google's ChromeOS source tree includes the EDK2 package; however, it is not utilized in production Chromebooks and does not suffer from the PixieFail vulnerabilities.
Patching progress has been slow, with postponed disclosure dates and most patches currently still undergoing testing; Tianocore has addressed seven of the nine reported vulnerabilities. | Details |
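The two PixieFail RCE bugs named above are, per Quarkslab's write-up, buffer overflows in EDK II's DHCPv6 client when it copies a Server ID option whose length it has not validated. The following Python is an added illustration of that missing check, not EDK II code: it walks DHCPv6 options once trusting the wire length field and once validating it against both the bytes actually present and the fixed DUID capacity the option is copied into. The message bytes are constructed for the example.

```python
"""DHCPv6 option walking with and without length validation."""
import struct
from typing import List, Tuple

ADVERTISE = 2            # DHCPv6 message type a server sends in reply to Solicit
OPTION_CLIENTID = 1
OPTION_SERVERID = 2
DUID_MAX = 130           # RFC 8415 s.11.1: a DUID is at most 130 octets

Option = Tuple[int, bytes]


class MalformedMessage(ValueError):
    """Raised by the hardened parser; the caller should drop the packet."""


def build_message(msg_type: int, xid: bytes, options: List[Option]) -> bytes:
    """Serialise a DHCPv6 message: 1-byte type, 3-byte transaction id, TLV options."""
    if len(xid) != 3:
        raise ValueError("transaction id must be 3 bytes")
    out = bytes([msg_type]) + xid
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out


def parse_options_unchecked(msg: bytes) -> List[Option]:
    """Walk the options trusting the wire length field (the shape of the bug).

    Python slicing cannot overrun a buffer, so a lying length only yields a
    truncated option here; the equivalent C copies `length` bytes it never
    verified, past the end of the packet and past the end of the destination.
    """
    opts, off = [], 4
    while off + 4 <= len(msg):
        code, length = struct.unpack_from("!HH", msg, off)
        opts.append((code, msg[off + 4: off + 4 + length]))
        off += 4 + length
    return opts


def parse_options(msg: bytes) -> List[Option]:
    """Hardened walk: every length is checked against what is actually present
    and against the size of the buffer it will be copied into."""
    if len(msg) < 4:
        raise MalformedMessage("message shorter than the fixed header")
    opts, off = [], 4
    while off < len(msg):
        remaining = len(msg) - off
        if remaining < 4:
            raise MalformedMessage(f"{remaining} trailing byte(s), too short for an option header")
        code, length = struct.unpack_from("!HH", msg, off)
        if length > remaining - 4:
            raise MalformedMessage(f"option {code} claims {length} bytes but only {remaining - 4} remain")
        data = msg[off + 4: off + 4 + length]
        if code in (OPTION_CLIENTID, OPTION_SERVERID) and len(data) > DUID_MAX:
            # Destination-size check: a fixed DUID buffer must not receive more
            # than it can hold, however honest the wire length is.
            raise MalformedMessage(f"DUID option {code} is {len(data)} bytes, limit is {DUID_MAX}")
        opts.append((code, data))
        off += 4 + length
    return opts


def check_message(msg: bytes) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, reason)."""
    try:
        parse_options(msg)
    except MalformedMessage as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample messages (not captured traffic).
XID = b"\x10\x20\x30"
CLIENT_DUID = bytes.fromhex("000100012a3b4c5e112233445566")   # DUID-LLT, 14 bytes
SERVER_DUID = bytes.fromhex("000100012a3b4c5d0a0b0c0d0e0f")   # DUID-LLT, 14 bytes

BENIGN = build_message(ADVERTISE, XID, [(OPTION_CLIENTID, CLIENT_DUID), (OPTION_SERVERID, SERVER_DUID)])

# Server ID header claims 4000 bytes but only 14 follow: honest packet length, lying option length.
LYING_LENGTH = (bytes([ADVERTISE]) + XID
                + struct.pack("!HH", OPTION_CLIENTID, len(CLIENT_DUID)) + CLIENT_DUID
                + struct.pack("!HH", OPTION_SERVERID, 4000) + SERVER_DUID)

# Server ID really is 300 bytes: consistent with the packet, too big for any DUID buffer.
OVERSIZED = build_message(ADVERTISE, XID, [(OPTION_CLIENTID, CLIENT_DUID), (OPTION_SERVERID, b"\x41" * 300)])

if __name__ == "__main__":
    for name, msg in [("benign", BENIGN), ("lying length", LYING_LENGTH), ("oversized DUID", OVERSIZED)]:
        kept = dict(parse_options_unchecked(msg)).get(OPTION_SERVERID, b"")
        print(f"{name:15} unchecked parser kept a {len(kept)}-byte Server ID; hardened: {check_message(msg)}")
```

The second constructed message is the instructive one: the unchecked walker returns a perfectly plausible 14-byte Server ID and nothing looks wrong, yet C code with the same logic would have copied 4000 bytes. Validating the wire length is not enough on its own either; the third message has an honest length and still has to be rejected because the destination is fixed-size.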
| 2024-01-16 17:07:16 | theregister | DDOS | Over 178,000 SonicWall Firewalls Risk DoS Due to Unpatched Bugs | More than 178,000 SonicWall next-generation firewall devices remain unpatched against critical vulnerabilities dating back to 2022.
Security engineer Jon Williams from Bishop Fox highlights widespread patch negligence, with 76% of public-facing devices at risk.
The two most concerning vulnerabilities are CVE-2022-22274, an unauthenticated stack-based buffer overflow in the web management interface that could allow remote code execution, and CVE-2023-0656, a denial-of-service flaw in the same interface.
Bishop Fox found the bugs can be triggered with crafted HTTP requests that crash the device, and repeated crashes can force it into maintenance mode until an administrator intervenes.
Though no active exploitation of these vulnerabilities is reported, their existence and PoC availability increase the risk of future attacks, especially with historical targeting of unpatched SonicWall gear by Chinese cyberspies.
While the potential for RCE could be significant, cybercriminals have not widely exploited these flaws, likely due to monetization challenges and availability of easier targets.
Industry experts emphasize the importance of applying patches despite the challenges in resources and prioritization among the plethora of vulnerabilities organizations must manage.
SonicWall has not issued a public response to this study's findings. | Details |
| 2024-01-16 15:19:25 | bleepingcomputer | MALWARE | Critical Remote Code Execution Flaw Discovered in Atlassian Confluence | Atlassian alerts users of a critical remote code execution vulnerability in pre-December 2023 versions of Confluence Data Center and Server.
Assigned CVE-2023-22527, the flaw receives the highest severity score (CVSS v3: 10.0) and permits unauthenticated template injection attacks.
Latest supported versions of the platforms received mitigation measures during regular updates; older versions, including those out of support, remain vulnerable.
Affected versions include 8.0.x to 8.5.3, with fixes available in subsequent releases (8.5.4 LTS, 8.6.0, and 8.7.1).
Atlassian advises users to upgrade to actively supported releases due to the absence of security updates for older, out-of-support versions.
Atlassian offers no workaround or mitigation other than updating; where that is not immediately possible it recommends taking the instance offline.
Instances that are not internet-facing or that restrict anonymous access face reduced risk but remain vulnerable and still need the update, so monitoring is warranted.
Atlassian notes the challenge in providing indicators of compromise due to the varied nature of potential attacks using this vulnerability. | Details |
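To make the affected and fixed versions above actionable, here is an added Python triage helper (not Atlassian tooling) that encodes exactly the ranges given in this summary and ranks a constructed inventory so internet-facing vulnerable instances come first, reflecting the note that non-internet-facing instances are lower risk but still vulnerable. The parser also splits on '-', so it generalises to the 'major.minor-build.subbuild' strings appliances such as NetScaler report; the NetScaler fixed builds themselves are not on this page and are not encoded here. Hostnames and versions in the inventory are constructed.

```python
"""Triage Confluence Data Center/Server versions against CVE-2023-22527."""
import re
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.5.3' -> (8, 5, 3); '13.1-51.15' -> (13, 1, 51, 15). Rejects anything else."""
    parts = re.split(r"[.-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


# First fixed release on each branch that has one, per the advisory summary above.
# 8.0 through 8.4 have no fixed release of their own: those move to 8.5.4 LTS or newer.
CONFLUENCE_FIXED = {
    (8, 5): (8, 5, 4),
    (8, 6): (8, 6, 0),
    (8, 7): (8, 7, 1),
}
AFFECTED_FLOOR = (8, 0)          # 8.0.x is the oldest affected line named on the page


def triage_confluence(version_text: str) -> Tuple[str, str]:
    """Return (verdict, advice); verdict is 'vulnerable', 'fixed' or 'not-listed'.

    'not-listed' is deliberately not 'safe': it means the version falls outside
    the ranges this summary gives, so the advisory itself must be consulted.
    """
    v = parse_version(version_text)
    if len(v) < 3:
        raise ValueError("Confluence versions have three components, e.g. 8.5.3")
    branch = v[:2]
    if branch < AFFECTED_FLOOR:
        return "not-listed", "older than 8.0; outside the affected range given here, check the advisory"
    if branch in CONFLUENCE_FIXED:
        fixed = CONFLUENCE_FIXED[branch]
        if v >= fixed:
            return "fixed", f"{version_text} includes the fix (>= {fmt(fixed)})"
        return "vulnerable", f"upgrade to {fmt(fixed)} or later on the {fmt(branch)} line"
    if branch > max(CONFLUENCE_FIXED):
        return "not-listed", "newer than the releases named here; check the advisory"
    return "vulnerable", "no fixed release on this branch; upgrade to 8.5.4 LTS or later"


# Constructed inventory: (hostname, reported version, internet-facing?)
INVENTORY = [
    ("wiki-prod", "8.5.3", True),
    ("wiki-dr", "8.5.4", True),
    ("wiki-lab", "8.4.1", False),
    ("wiki-old", "7.19.17", False),
    ("wiki-new", "8.7.2", True),
]


def prioritize(inventory) -> List[Tuple[str, str, str, bool, str]]:
    """Vulnerable hosts first, internet-facing before internal, then by name."""
    rank = {"vulnerable": 0, "not-listed": 1, "fixed": 2}
    rows = []
    for host, version, exposed in inventory:
        verdict, advice = triage_confluence(version)
        rows.append((host, version, verdict, exposed, advice))
    rows.sort(key=lambda r: (rank[r[2]], not r[3], r[0]))
    return rows


if __name__ == "__main__":
    for host, version, verdict, exposed, advice in prioritize(INVENTORY):
        print(f"{host:10} {version:8} {verdict:11} {'internet' if exposed else 'internal':8} {advice}")
```

Note that 8.7.0 comes out as vulnerable: the fix on that line is 8.7.1, so a version check that only looks at the minor number would miss it. Likewise an instance below 8.0 is reported as not listed rather than safe, because this brief says nothing about those lines.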