CISA Warns of Active Exploitation and the questions from the podcast.

Notable security news for the week of April 28th, brought to you by Lior Rotkovitch from the F5 SIRT.

Every week I listen to a podcast while driving. As I was listening to Security Conversations, Ryan asked an interesting question: why is it that the bad guys are still winning in 2024? I tried to remember what the situation was 10 years ago, or even in my early days at F5, 17 years ago.

Back then, the internet was the Wild Wild West: SQL injection was everywhere, XSS came by the kilo on any given web site, and every week RSnake published a new article on a new attack vector. So, in this aspect of applying security, understanding the risks, and fixing them, we have made huge progress and we are in a much better place.

However, security has inherent challenges that can't be ignored. It will always be easier to find one open window than to block all possible entry points, or even to know about them. Also, keeping security best practices enforced all the time is a massive task if you don't follow a robust process.

Those kinds of things still happen, and the past week was a reminder: GitLab's vulnerability allowing a password reset via an unverified email address, disclosed in January, found its way a few months later into the CISA Known Exploited Vulnerabilities (KEV) catalog, with its mandatory 60-day patch policy enforced under "BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities". This brings us to the human factor, where patching critical CVEs is delayed and the cost of being exploited is a major loss for something that is relatively easy to prevent.

So the bad guys will have wins, but not all the time, thanks to security people. This is the fundamental concept of security: reducing the number of incidents to as low a level as possible. Until next time, keep it safe.


CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild.

Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address.

GitLab, which disclosed details of the shortcoming earlier this January, said it was introduced as part of a code change in version 16.1.0 on May 1, 2023.

"Within these versions, all authentication mechanisms are impacted," the company noted at the time. "Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login."
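An added example, not GitLab's or F5's code: a small triage check that classifies self-managed GitLab version strings against the fixed releases named above. It assumes the flaw was introduced in 16.1.0 and fixed in 16.5.6, 16.6.4 and 16.7.2 (the only versions this page lists); 16.1 to 16.4 branches are treated as affected because no fix for them appears here, so confirm those against GitLab's advisory before acting.

```python
# Added example (not GitLab's or F5's code): classify a GitLab version against
# the CVE-2023-7028 fix releases named on this page.
# Assumptions: introduced in 16.1.0; fixed in 16.5.6, 16.6.4, 16.7.2; the
# 16.1-16.4 branches are reported as affected because the page lists no fix
# for them (conservative; check GitLab's advisory for those backports).
import re

INTRODUCED = (16, 1, 0)
FIXED_BY_BRANCH = {(16, 5): 6, (16, 6): 4, (16, 7): 2}   # patch level that fixes each branch
LATEST_FIX = (16, 7, 2)                                   # anything at or above this is fixed


def parse_version(text):
    """Turn '16.7.2' or 'GitLab 16.6.4-ee' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version_text):
    """Return 'not_affected', 'fixed' or 'affected' for one GitLab version string."""
    v = parse_version(version_text)
    if v < INTRODUCED:
        return "not_affected"          # the vulnerable code change shipped in 16.1.0
    fix_patch = FIXED_BY_BRANCH.get(v[:2])
    if fix_patch is not None:
        return "fixed" if v[2] >= fix_patch else "affected"
    if v >= LATEST_FIX:
        return "fixed"                 # 16.8 and later already carry the fix
    return "affected"                  # 16.1-16.4: no fix listed on this page


def triage(inventory):
    """inventory: {hostname: version string}; returns hosts still needing the patch."""
    return sorted(host for host, ver in inventory.items() if assess(ver) == "affected")


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    fleet = {"git-prod": "16.7.1-ee", "git-dev": "16.6.4",
             "git-old": "16.0.8", "git-lab": "16.3.2"}
    for host in triage(fleet):
        print(f"{host}: {fleet[host]} -> patch before the KEV due date")
```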

Timeline:

  • Jan 11, 2024: GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6 (Account Takeover via Password Reset without user interactions); NVD Published Date: CVE-2023-7028
  • May 01, 2024: CISA Adds One Known Exploited Vulnerability to Catalog
  • May 02, 2024: CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability
  • BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities


Millions of Malicious 'Imageless' Containers Planted on Docker Hub Over 5 Years

“Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks.

Of the 4.6 million imageless Docker Hub repositories uncovered, 2.81 million of them are said to have been used as landing pages to redirect unsuspecting users to fraudulent sites as part of three broad campaigns –

  • Downloader (repositories created in the first half of 2021 and September 2023), which advertises links to purported pirated content or cheats for video games but either directly links to malicious sources or a legitimate one that, in turn, contains JavaScript code that redirects to the malicious payload after 500 milliseconds.
  • E-book phishing (repositories created in mid-2021), which redirects users searching for e-books to a website ("rd.lesac. ru") that, in turn, urges them to enter their financial information to download the e-book.
  • Website (thousands of repositories created daily from April 2021 to October 2023), which contains a link to an online diary-hosting service called Penzu in some cases, or a harmless piece of text, suggesting that it could have been used during early testing phases.

The payload delivered as part of the downloader campaign is designed to contact a command-and-control (C2) server and transmit system metadata, following which the server responds with a link to cracked software.”


New Latrodectus malware attacks use Microsoft, Cloudflare themes

“Latrodectus is currently being distributed through reply-chain phishing emails, which is when threat actors use stolen email exchanges and then reply to them with links to malware or malicious attachments. The PDFs will use generic names like '04-25-Inv-Doc-339.pdf' and pretend to be a document hosted in Microsoft Azure cloud, which must first be downloaded to be viewed.

Clicking on the 'Download Document' button will bring users to a fake 'Cloudflare security check' that asks you to answer an easy math question. This captcha is likely to prevent email security scanners and sandboxes from easily following the attack chain and only delivering the payload to a legitimate user. When the correct answer is entered into the field, the fake Cloudflare captcha will automatically download a JavaScript file pretending to be a document named similar to "Document_i79_13b364058-83054409r0449-8089z4.js".

The downloaded JavaScript script is heavily obfuscated with comments that include a hidden function that extracts text from comments that start with '////' and then executes the script to download an MSI from a hardcoded URL. When the MSI file is installed, it drops a DLL in the %AppData%\Custom_update folder named Update_b419643a.dll, which is then launched by rundll32.exe. The file names are likely random per installation. This DLL is the Latrodectus malware, which will now quietly run in the background while waiting for payloads to install or commands to execute. As Latrodectus malware infections are used to drop other malware and for initial access to corporate networks, they can lead to devastating attacks.”
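As an added example (not code from the article or its sources), a triage heuristic for JavaScript attachments that carry hidden text in '////' comment lines, the pattern the loader above is described as using. The two samples and the thresholds are constructed assumptions, not real Latrodectus content.

```python
# Added example (not from the article or its sources): flag JavaScript files
# whose real content is hidden in '////' comment lines and surfaced for an
# analyst. Samples and thresholds below are constructed assumptions.
import re

CARRIER_RE = re.compile(r"^\s*////")                  # comment lines used as a carrier
COMMENT_RE = re.compile(r"^\s*//")                    # any line comment
DYNAMIC_EXEC_RE = re.compile(r"\b(eval|new\s+Function)\s*\(")

# Constructed, harmless sample: filler comments, three carrier lines, and a
# stub that ends in a dynamic-execution call.
SAMPLE_JS = """// build tools configuration
// generated file, do not edit
//// var hiddenA = "carried in a comment";
// copyright notice
//// var hiddenB = "joined back together at runtime";
//// run(hiddenA + hiddenB);
var stub = "nothing interesting here";
new Function(stub)();
"""

# Constructed benign sample: ordinary comments, no carriers, no dynamic execution.
BENIGN_JS = """// utility helpers
function add(a, b) { return a + b; }
// exported for tests
module.exports = { add: add };
"""


def analyze_js(text, min_carriers=3, min_comment_ratio=0.5):
    """Return counts, the text hidden in carrier comments, and a suspicious verdict."""
    lines = text.splitlines()
    carriers = [l for l in lines if CARRIER_RE.match(l)]
    comments = [l for l in lines if COMMENT_RE.match(l)]
    code = "\n".join(l for l in lines if l.strip() and not COMMENT_RE.match(l))
    ratio = len(comments) / max(len(lines), 1)
    dynamic_exec = DYNAMIC_EXEC_RE.search(code) is not None
    # Many carrier lines plus either a dynamic-exec call or a comment-heavy
    # file is the combination worth pulling out of the mail flow for review.
    suspicious = len(carriers) >= min_carriers and (dynamic_exec or ratio >= min_comment_ratio)
    return {
        "carrier_lines": len(carriers),
        "comment_ratio": ratio,
        "dynamic_exec": dynamic_exec,
        "hidden_text": "\n".join(CARRIER_RE.sub("", l).strip() for l in carriers),
        "suspicious": suspicious,
    }
```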



New Cuttlefish malware infects routers to monitor traffic for credentials

“A new malware named 'Cuttlefish' has been spotted infecting enterprise-grade and small office/home office (SOHO) routers to monitor data that passes through them and steal authentication information.

Lumen Technologies' Black Lotus Labs examined the new malware and reports that Cuttlefish creates a proxy or VPN tunnel on the compromised router to exfiltrate data discreetly while bypassing security measures that detect unusual sign-ins. The malware can also perform DNS and HTTP hijacking within private IP spaces, interfering with internal communications and possibly introducing more payloads. The method for the initial infection of the routers has yet to be determined, but it could involve exploiting known vulnerabilities or brute-forcing credentials. Once access is gained to a router, a bash script ("") is deployed and begins collecting host-based data, including details on directory listings, running processes, and active connections.”


Updated May 17, 2024
Version 2.0
