Hot off the press! CISA adds CVE-2023-43770 (6.1 medium) Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Why you should care about CVE-2023-43770:
ESET Research previously reported on 25 October 2023 that the Winter Vivern APT was exploiting a similar RoundCube cross-site scripting vulnerability CVE-2023-5631 as a zero-day against European overnmental entities and a think tank.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #06/2024 is out! It includes the following and much more:
➝ 🔓 #Juniper Support Portal Exposed Customer Device Info
➝ 🔓 🇹🇭 Major #DataBreach in #Thailand Exposes Personal Data of 20 Million Elderly Citizens
➝ 🔓 🇫🇷 Millions at risk of fraud after massive health data hack in #France
➝ 🔓 🇺🇸 #Verizon employee inadvertently leaks data of 63 thousand colleagues
➝ 🔓 🖥️ #AnyDesk Hacked: Revokes Passwords, Certificates in Response
➝ 🔓 🇺🇸 #Clorox says #cyberattack caused $49 million in expenses
➝ 💸 📈 #Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline
➝ 🇺🇸 💰 US offers $10 million for tips on #Hive ransomware leadership
➝ 🇨🇳 🇺🇸 #China-backed Volt Typhoon hackers have lurked inside US #criticalinfrastructure for ‘at least five years’
➝ 🇨🇳 🇳🇱 Chinese Hackers Exploited #FortiGate Flaw to Breach Dutch #Military Network
➝ 🇮🇷 🇮🇱 #Iran accelerates cyber ops against #Israel from chaotic start
➝ 🇧🇾 🇺🇸 Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion #Crypto Money Laundering
➝ 🇭🇰 💸 #Finance worker pays out $25 million after video call with #deepfake ‘chief financial officer’
➝ 🇺🇦 #ukraine is Creating a ‘Cyber Diplomat’ Post
➝ 🇩🇰 #Denmark orders schools to stop sending student data to #Google
➝ 🇪🇺 ⚖️ #EU proposes criminalizing AI-generated child sexual abuse and deepfakes
➝ 🇳🇱 💰 #Uber Fined 10 Million Euros by Dutch Data Regulator
➝ 🇺🇸 🛂 US to Roll Out Visa Restrictions on People Who Misuse #Spyware to Target Journalists, Activists
➝ 🦠 💬 Raspberry Robin #Malware Upgrades with #Discord Spread and New Exploits
➝ 🦠 🍎 New #macOS Backdoor Linked to Prominent Ransomware Groups
🦠 🪥 Surprising 3 Million Hacked #Toothbrushes Story Goes Viral—Is It True?
➝ 🇨🇦 🐬 #Canada declares #FlipperZero public enemy No. 1 in car-theft crackdown
➝ 🩹 #Ivanti: Patch new Connect Secure auth bypass bug immediately
➝ 🐛 📍 Security flaw in a popular smart helmet allowed silent location tracking
➝ 🩹 Critical Patches Released for New Flaws in #Cisco, #Fortinet, #VMware Products
➝ 🐛 🐧 Critical Boot Loader #Vulnerability in Shim Impacts Nearly All #Linux Distros
➝ 🐛 ✈️ #Airbus App Vulnerability Introduced Aircraft Safety Risk
➝ 🩹 #QNAP Patches High-Severity Bugs in QTS, Qsync Central
--
📚 This week's recommended reading is: "x86 Software Reverse-Engineering, Cracking, and Counter-Measure" by Stephanie Domas & Christopher Domas
--
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
"In theory, this shouldn't give an attacker the ability to compromise the firmware itself, but in reality, it gives them code execution before ExitBootServices (the handoff between the firmware still running the hardware and the OS taking over), and that means a much larger attack surface against the firmware -- the usual assumption is that only trusted code is running before ExitBootServices"
New Fortinet zero-day:
CVE-2024-21762 (9.6 critical) FortiOS - Out-of-bound Write in sslvpnd: A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.
Note: This is potentially being exploited in the wild.
Fortinet vulnerabilities have historically been targeted by People’s Republic of China (PRC) state-sponsored cyber actors. On 19 January 2023, Mandiant reported the exploitation of FortiOS SSL VPN vulnerability CVE-2022-42475 as a zero-day by suspected Chinese threat actors. Mandiant published a subsequent blog post on 16 March 2023 detailing the exploitation of another FortiOS zero-day CVE-2022-41328 by the Chinese threat actor UNC3886. CISA, FBI and NSA assess that PRC state-sponsored cyber actors are seeking to position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. CISA’s joint cybersecurity advisory on 07 February 2024 states that Chinese Advanced Persistent Threat (APT) Volt Typhoon likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched. Fortinet also provided case studies of Volt Typhoon targeting of manufacturing, consulting, local government, and internet service provider sectors, and post-exploitation activity described as Living Off the Land (LotL) techniques.
A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.
"Workaround : disable SSL VPN (disable webmode is NOT a valid workaround)"
⚠️ Patch Alert → Critical #vulnerability in #JetBrains' TeamCity On-Premises (CVE-2024-23917) allows unauthenticated remote attackers to gain administrative control and take over servers.
Wake up sheeple: Fortinet just tried to hide two maximum severity vulnerabilities in an older security advisory:
CVE-2024-23108 (10.0 critical)
CVE-2024-23109 (10.0 critical)
Both have the same description: "An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via via crafted API requests."
🔗(10 October 2023) https://www.fortiguard.com/psirt/FG-IR-23-130
The Register summarizes Fortinet's week of bungled official responses from a publication's perspective, leading up to the disclosure of an exploited zero-day CVE-2024-21762 in FortiOS SSL VPN.
🔗 https://www.theregister.com/2024/02/09/a_look_at_fortinet_week/
Yet another JetBrains TeamCity On-Prem vulnerability: CVE-2024-23917 (9.8 critical)
If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.
Why you should care about CVE-2024-23917:
Russian Foreign Intelligence Service (SVR) exploited a similar JetBrains TeamCity authentication bypass vulnerability CVE-2023-42793 (9.8 critical) worldwide, as reported in a CISA cybersecurity advisory dated 13 December 2023, less than 2 months ago.
Hot off the press! CISA adds CVE-2023-4762 (8.8 high Google Chrome Type Confusion in V8 JavaScript Engine) to the Known Exploited Vulnerabilities Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog