In an effort to prevent further exploitation, Google has refrained from disclosing specific details about the security flaw but has acknowledged the existence of an active exploit in the wild.
New by me at Forbes: Google has issued a patch for all Chrome users just 24 hours after TAG hackers revealed a high-severity zero-day. Kudos for the speedy response!
Cisco security advisory contains a zero-day: A vulnerability in the AnyConnect SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to send packets with another VPN user's source IP address. CVE-2023-20275 (4.1 medium severity). The Cisco Product Security Incident Response Team (PSIRT) is aware of public announcements about the vulnerability that is described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.
🔗 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-Y88QOm77
Via Rob Hansen on Facebook: "Amanda Spindel was the first to alert me to a new zero-day attack on Chrome that's now being seen in the wild. If you're running Chrome or a Chrome-derived browser like Edge or Opera, please update immediately."
(I use mostly the DuckDuckGo and Mozilla Firefox browsers.)
Akamai reports that two unidentified Zero-Day RCE vulnerabilities are actively being exploited in the wild to build a distributed denial-of-service (DDoS) InfectedSlurs botnet. The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful. Akamai implies that the two Zero-Days affect router and NVR models, and would reveal details after the vendor(s) release a patch in December. Note: the threat actors use racial slurs and offensive language in their filenames. IOC provided, as well as YARA and Snort rules. Link: https://www.akamai.com/blog/security-research/2023/nov/new-rce-botnet-spreads-mirai-via-zero-days
Google TAG: Zimbra 0-day used to target international government organizations
In June 2023, Google's Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, an email server many organizations use to host their email. Since discovering the 0-day, now patched as CVE-2023-37580, TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the initial fix became public on GitHub. To ensure protection against these types of exploits, TAG urges users and organizations to keep software fully up-to-date and apply security updates as soon as they become available. Link: https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/
"Hackers potentially linked to the Russian GRU Main Intelligence Directorate carried out a series of highly coordinated cyberattacks targeting Danish critical infrastructure in the nation's largest cyber incident on record, according to a new report.
SektorCERT, a nonprofit cybersecurity center for critical sectors in Denmark, reported that attackers gained access to the systems of 22 companies overseeing various components of Danish energy infrastructure in May. The report published Sunday says hackers exploited zero-day vulnerabilities in Zyxel firewalls, which many Danish critical infrastructure operators use to protect their networks."
@avoidthehack @AAKL Yep, I tooted about it yesterday morning while the news was fresh. There's a Microsoft Threat Intelligence tweet. The official SysAid security advisory describes post-compromise activity and includes PowerShell commands and Indicators of Compromise. The Huntress article contains technical analysis and additional IOC.
CISA and federal agencies are aware of the exploited Zero-Day, and are likely to add at least 2-3 to the Known Exploited Vulnerabilities Catalog soon.
Microsoft has discovered exploitation of a 0-day vulnerability in the SysAid IT support software in limited attacks by Lace Tempest, a threat actor that distributes Clop ransomware. Microsoft notified SysAid about the issue (CVE-2023-47246), which they immediately patched. Link: https://twitter.com/msftsecintel/status/1722444141081076219
Security Week: The Atlassian Confluence improper authorization vulnerability CVE-2023-22518 (9.1 critical severity, disclosed 31 October 2023 by Atlassian, significant data loss) is reported under active exploitation. CVE-2023-22518 has a now-public Proof of Concept, as well as technical details (released by Project Discovery). See GreyNoise observations of CVE-2023-22518 exploitation. Link: https://www.securityweek.com/exploitation-of-critical-confluence-vulnerability-begins/
Rapid7 is observing exploitation of Atlassian Confluence in multiple customer environments, with some of the exploits targeting CVE-2023-22518 and even CVE-2023-22515, potentially leading to ransomware deployment. Edit: Post-exploitation behavior and IOC included.
🔥 New Microsoft Exchange zero-days allow RCE, data theft attacks
➥ @BleepingComputer
「 Despite Microsoft acknowledging the reports, its security engineers decided the flaws weren't severe enough to guarantee immediate servicing, postponing the fixes for later.
ZDI disagreed with this response and decided to publish the flaws under its own tracking IDs to warn Exchange admins about the security risks 」