Previous Issues of vulnerability Weekly
- Security Vulnerability of the Week 12/09/22 – Application Security – Cloud Security – Linux Malware, Windows patched 64 vulns with zero-day, Uber Hack Timeline, GTA 6/Rockstar Hack – This week we deep dive into Linux Malware, Windows patched 64 vuln with zero day, Uber Hack Timeline, GTA 6/Rockstar Hack
- Security Vulnerability of the Week 12/09/22 – Application Security – Uber Hack Timeline – Special Focus on Uber latest news on hack
- Security Vulnerability Weekly 22/08/22 – Apple Vulnerability, Android Bugdrop Vulnerability, WordPress, CISA, and recent Hacks to Mailchimp and Twilio – Apple Vulnerability, CISA new vulnerability for September, Bugdrop new android vulnerabilities, recent hacks to twilio exposing digital ocaean clients and Mailchimp hack
- Security Vulnerability of the Week 08/08/22 – Atlassian Hardcoded Credentials, Sonicwall GSM, Cisco Nexus, Microsoft Macro, Vmware Fix, Mac OS spotlight vulnerability and more
- Security Vulnerability of the Week 25/07/22– Atlassian Hardcoded Credentials, Sonicwall GSM, Cisco Nexus, Microsoft Macro, Vmware Fix, Mac OS spotlight vulnerability and more
- Security Vulnerability of the Week 10/07/22 – OPENSSL Hearbleed2, Apache Common, CuteBoi NPM exploit, Iconburst NPM exploit, Orbit attack, Follina Weaponization, Chrome’s latest vulnerabilities
- Security Vulnerability of the Week 04/07/22 – Jenkins massive plugins issue , zoho, Exchange backdoors, Edge high vuln
This week we deep dive into Exchange zero-day and large-scale exploit, cobalt strike, bitbucket.
INFRA/Network
Two new Microsoft Exchange zero-days exploited in the wild from Chinese ATP
On September 30th two vulnerabilities have been discovered in a large attack.
On September 29 a Vietnamese researcher warned the ATP was targeting exchange servers with RCE directly on the system.
As RCE is a category of devastating attacks as they allow an attacker to further deploy payloads and additional exploits.
GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.
“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” the researchers said.
The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue, requiring federal agencies to apply the patches by October 21, 2022.
Microsoft issued the statement:
Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
Microsoft has recently published.
Mitigation:
Alert as highly exploitable (especially 41040). The current Exchange Server mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns
On-premises exchange:
“The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.”
To apply the mitigation to vulnerable servers, you will need to go through the following steps:
- Open the IIS Manager.
- Expand the Default Web Site.
- Select Autodiscover.
- In the Feature View, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules.
- Select Request Blocking and click OK.
- Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
- Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}
Since the threat actors can also gain access to PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via CVE-2022-41082 exploitation, Microsoft also advises admins to block the following Remote PowerShell ports to hinder the attacks:
- HTTP: 5985
- HTTPS: 5986
On-premises exchange follow the recommendations: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Option 2: Microsoft created the following script for the URL Rewrite mitigation steps. https://aka.ms/EOMTv2
Currently, there are 318,382 server exposed with exchange running
At the time of attack USA, Japan, and UK/Germany were the targets of ATP coming from China
CVE-2022-41040, is a Server-Side Request Forgery (SSRF) –
A vulnerability has been found in Microsoft Exchange Server 2013/2016/2019 and classified as critical. This vulnerability affects an unknown part. The manipulation with an unknown input leads to a privilege escalation vulnerability. The CWE definition for vulnerability is CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. As an impact, it is known to affect confidentiality, integrity, and availability.
The weakness was published 09/30/2022. The advisory is available at msrc-blog.microsoft.com. This vulnerability was named CVE-2022-41040. Technical details are unknown but an exploit is available.
The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation from vulndb) even tough exploit was developed by
It is declared as highly functional.
It is possible to mitigate the problem by applying the configuration setting.
Why EPSS alone was not active – EPSS currently is scoring vulnerabilities at 0.0 (data still needs to be retrieved)
CTI information gives a range from 8 to now 5 after successful mitigation
CVE-2022-41082– Microsoft Advisory
Currently actively exploited in the wild with persistance – exploit is less active than CVE-2022-41040,
A vulnerability was found in Microsoft Exchange Server 2013/2016/2019 and classified as critical. This issue affects an unknown code of the component PowerShell Handler. Impacted are confidentiality, integrity, and availability.
The weakness was released on 09/30/2022. It is possible to read the advisory at msrc-blog.microsoft.com. The identification of this vulnerability is CVE-2022-41082. Technical details are unknown, but an exploit is available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation from vulndb).
BitBucket Server vulnerability hack CISA warns agencies.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed critical flaw impacting Atlassian’s Bitbucket Server and Data Center to the Known Exploited Vulnerabilities (KEV) catalogue, citing evidence of active exploitation.
CVE-2022-36804, the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary code execution on susceptible installations by sending a specially crafted HTTP request.
“All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected; this means that all instances running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability,” Atlassian noted in a late August 2022 advisory.
The shortcoming discovered and reported by security researcher @TheGrandPew impacts all versions of Bitbucket Server and Datacenter released after 6.10.17, inclusive of 7.0.0 and newer –
- Bitbucket Server and Datacenter 7.6
- Bitbucket Server and Datacenter 7.17
- Bitbucket Server and Datacenter 7.21
- Bitbucket Server and Datacenter 8.0
- Bitbucket Server and Datacenter 8.1
- Bitbucket Server and Datacenter 8.2, and
- Bitbucket Server and Datacenter 8.3
“An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian said in an advisory.
Currently, there are 166 Publicly exposed bitbuckets. Exposing Bitbucket is not recommended.
https://www.shodan.io/search?query=bitbucket
Cobalt Strike beacon disguised as job advert.
The renowned attack platform cobalt strike has been targeted by attackers with a malware campaign distributed by documents and disguised as job advertisements.
Several exploits in the wild with Remote Code Execution
“The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new Wednesday analysis.
Together with this attack Cobalt strike was found with a vulnerability.
Official Registration as medium CVSS score for CVE-2022-39197
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7, allowing a remote attacker to execute HTML on the Cobalt Strike team server. To exploit the vulnerability, one must first inspect a Cobalt Strike payload and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
The entry vector for the attack is a phishing email containing a Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Public Service Association, a trade union based in New Zealand.
“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” the researchers said.
“Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker’s attempts in the earlier stage of the attack’s infection chain.”
Official Statement from HelpSystem maintainer of Cobalt stike
An independent researcher identified as “Beichendream” contacted us about an XSS vulnerability they discovered in the team server. This would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely. We created a CVE for this issue which has been fixed.
Official advisory: https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/
As several exploit attempts of the platform, avoids using or exposing cobalt strike software.
Also be wary of any attachment or report
Currently, there are 1949 cobalt strike exposed system recorded in shodan
Previous Issues of vulnerability Weekly
- Security Vulnerability of the Week 12/09/22 – Application Security – Cloud Security – Linux Malware, Windows patched 64 vulns with zero-day, Uber Hack Timeline, GTA 6/Rockstar Hack – This week we deep dive into Linux Malware, Windows patched 64 vuln with zero-day, Uber Hack Timeline, GTA 6/Rockstar Hack
- Security Vulnerability of the Week 12/09/22 – Application Security – Uber Hack Timeline – Special Focus on Uber latest news on hack
- Security Vulnerability Weekly 22/08/22 – Apple Vulnerability, Android Bugdrop Vulnerability, WordPress, CISA, and recent Hacks to Mailchimp and Twilio – Apple Vulnerability, CISA new vulnerability for September, Bugdrop new android vulnerabilities, recent hacks to Twilio exposing digital ocaean clients and Mailchimp hack
- Security Vulnerability of the Week 08/08/22 – Atlassian Hardcoded Credentials, Sonicwall GSM, Cisco Nexus, Microsoft Macro, Vmware Fix, Mac OS spotlight vulnerability and more
- Security Vulnerability of the Week 25/07/22– Atlassian Hardcoded Credentials, Sonicwall GSM, Cisco Nexus, Microsoft Macro, Vmware Fix, Mac OS spotlight vulnerability and more
- Security Vulnerability of the Week 10/07/22 – OPENSSL Hearbleed2, Apache Common, CuteBoi NPM exploit, Iconburst NPM exploit, Orbit attack, Follina Weaponization, Chrome’s latest vulnerabilities
- Security Vulnerability of the Week 04/07/22 – Jenkins massive plugins issue , zoho, Exchange backdoors, Edge high vuln
