Welcome to XM Cyber’s new weekly news round-up, Exposures, Exposed!
This column takes a look at all the events regarding cyber exposures that caught our eye over the course of the week. With the ever-changing cyber ecosystem, there are always new exposures and vulnerabilities to be explored and understood, ideally before they have the chance to impact your organization. Our research team actively tracks new CVEs and exposures and will continue to update this spot as new information emerges.
Here’s a look at some of this week’s most impactful news items:
Ivanti Sentry Zero-day Vulnerability
Software provider Ivanti is warning users of its Ivanti Sentry platform of a new vulnerability, which is being tracked as CVE-2023-38035. This is an API authentication bypass flaw that impacts versions 9.18 and earlier and, according to Ivanti, “does not impact other Ivanti products, such as Ivanti EPMM or Ivanti Neurons for MDM.”
According to Ivanti, this vulnerability “may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.” The company stressed that although the severity level is considered to be “high”, the risk of exploitation is low for organizations that don’t expose port 8443 to the internet.
DreamBus Malware is Back
The DreamBus malware botnet has been around for ages and displays worm-like capabilities. Earlier this week, Juniper Networks reported that after a long hiatus the malware is back, exploiting a remote code execution vulnerability in the messaging and streaming platform Apache RocketMQ. The goal of the malware is to deliver cryptocurrency miners, and there are already reports of the vulnerability being exploited in the wild.
The vulnerability is being tracked as CVE-2023-33246 with a “critical” classification; under certain circumstances, it lets an unauthenticated user perform remote code execution. Because of the malware’s modular nature, it is entirely possible that it could be updated with additional capabilities in the future.
Four Juniper Vulnerabilities Create a Potent Attack Path
Speaking of Juniper, researchers from watchTowr Labs released a PoC earlier this week that demonstrated how attackers are taking advantage of a chain of four critical exploits in the company’s SRX firewalls and EX switches. These vulnerabilities, which are being tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846 and CVE-2023-36847, could enable unauthenticated attackers to perform remote code execution on devices that haven’t been patched.
According to Juniper’s own report, “By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices.” This is especially interesting to us here at XM Cyber, as we are focused on how exposures and vulnerabilities chain together to create powerful attack paths that lead to valuable assets – and this PoC serves as a perfect illustration of the concept.
CISA Warns of Barracuda Attacks (and not the fish type…)
A critical bug in Barracuda Email Security Gateways is being tracked as CVE-2023-2868 and has been found to allow Chinese spies to infiltrate certain government entities. A few months ago, researchers from Google-owned Mandiant reported they were following a complex months-long espionage campaign being carried out by APT Group UNC4841. The attack leveraged the aforementioned CVE and Barracuda released the necessary patch in May – but now, CISA is warning that new malicious tools are being used to achieve persistence on the devices.
According to Mandiant, “A limited number of previously impacted victims remain at risk due to this campaign. […] In this second wave, Mandiant discovered the actor attempting to maintain access to compromised environments via the deployment of new malware families.”
As this is clearly an ongoing situation, users of the gateway should scan their network and appliance logs for any IoCs published for this campaign.
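One way to run such an IoC sweep, as an added example that is not part of the original column and not code from XM Cyber, Barracuda, Mandiant or CISA: a small Python script that checks log lines against an indicator list of IPs, domains, SHA-256 hashes and file paths. Every indicator value and every log line below is a constructed placeholder (TEST-NET addresses, a reserved `.invalid` domain, an all-zero hash); the real UNC4841 / CVE-2023-2868 indicators must be taken from the CISA and Mandiant advisories and substituted into the `IOC_*` sets.

```python
"""
Added example: sweep gateway/proxy logs for a list of indicators of compromise.
All indicator values and log lines here are constructed placeholders, not the
real indicators from the Barracuda / UNC4841 advisories. Replace the IOC_* sets
with the published ones before use.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Placeholder indicator sets (constructed; substitute the advisory's real values).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}      # TEST-NET ranges, not real attacker IPs
IOC_DOMAINS = {"example-c2.invalid"}              # reserved TLD, not a real C2 domain
IOC_SHA256 = {"0" * 64}                           # placeholder hash
IOC_PATHS = {"/tmp/placeholder_malware"}          # placeholder file path

# Extract candidate values from free-form log text, then check them against the sets.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based line number in the log
    kind: str      # "ip", "domain", "sha256" or "path"
    value: str     # the matched indicator
    line: str      # the full log line, for the analyst's context


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every indicator match found on a single log line."""
    hits = []
    for ip in set(IPV4_RE.findall(line)):
        try:
            ipaddress.ip_address(ip)      # drop regex false positives such as 999.1.1.1
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(Hit(line_no, "ip", ip, line))
    for dom in {m.lower() for m in DOMAIN_RE.findall(line)}:
        if dom in IOC_DOMAINS:
            hits.append(Hit(line_no, "domain", dom, line))
    for digest in {m.lower() for m in SHA256_RE.findall(line)}:
        if digest in IOC_SHA256:
            hits.append(Hit(line_no, "sha256", digest, line))
    for path in IOC_PATHS:                # paths are matched as literal substrings
        if path in line:
            hits.append(Hit(line_no, "path", path, line))
    return hits


def scan_logs(lines) -> list[Hit]:
    """Scan an iterable of log lines (e.g. an open file) and collect all hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line.rstrip("\n")))
    return hits


def summarize(hits) -> dict[str, int]:
    """Count hits per indicator kind, which is what a triage report usually needs first."""
    return dict(Counter(h.kind for h in hits))


# Constructed sample log (not real appliance output); line 4 is benign.
SAMPLE_LOG = [
    '2023-08-21T10:14:02Z smtp inbound from=203.0.113.45 subject="Invoice" status=accepted',
    '2023-08-21T10:14:05Z http outbound host=example-c2.invalid path=/ status=200',
    '2023-08-21T10:15:11Z fs exec path=/tmp/placeholder_malware sha256=' + "0" * 64,
    '2023-08-21T10:16:00Z smtp inbound from=192.0.2.10 subject="Hello" status=accepted',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind}={hit.value}")
    print(summarize(scan_logs(SAMPLE_LOG)))
```

To run it against a real export, pass an open file object to `scan_logs` instead of `SAMPLE_LOG`. Matching IPs through `ipaddress` rather than the regex alone avoids false positives from version strings and similar digit runs, and matching domains case-insensitively matters because proxy logs often mix cases.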
That’s all for this week! Be sure to check back next week for the next installment.