Flair Data Systems Cybersecurity Updates - 11/9/2023

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 11/9/2023...

I hope all are doing well and enjoying the Fall weather. We are finally seeing a little Fall in the Dallas Metroplex, even a little rain! Time to get out the sweaters. We also have a little bragging to do...the Texas Rangers won the World Series! It was a great way to celebrate last week as well!


For those of you who are just joining us, I send out a weekly update to my mailing list and hope to translate those same topics for a wider audience in a cybersecurity blog. I hope you enjoy the post!


Going into this week's cybersecurity update, there were a lot of pressing topics on my mind. So, let's jump into my highlights in cybersecurity news...


Critical Firepower Vulnerability 

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inj-29MP49hN 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd02925  (requires a CCO account) 

  • CVE-2023-20048 (CVSS 9.9): A vulnerability in the web services interface of the FMC could allow an authenticated, remote attacker to execute certain unauthorized configuration commands on an FTD device that is managed by the FMC 
  • Due to insufficient authorization of configuration commands that are sent through the web service interface 
  • For successful exploitation, an attacker would need valid credentials on the FMC software 
  • Currently there are no known exploitations of this in the wild 
  • Known affected releases: 6.2.3, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0 
  • Known fixed releases: 6.4.0.17, 7.0.6, 7.2.4 
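A quick triage check against the affected and fixed release lists above, as an added example (not Cisco's tooling or the advisory's own text). It assumes FMC release trains are identified by the first two version components (6.4, 7.0, 7.2, ...) and uses only the releases listed above; any affected train without a listed fix is reported as such so the reader knows to go to the advisory for guidance.

```python
"""Triage helper for CVE-2023-20048 using the release lists from the summary above.

Added example, not Cisco's code. Release data is constructed from the
advisory summary; anything not listed there is reported as unknown.
"""
from typing import Optional, Tuple

# Fixed releases listed in the summary above (constructed from the page).
FIXED_RELEASES = ["6.4.0.17", "7.0.6", "7.2.4"]
# Known affected releases listed in the summary above.
AFFECTED_RELEASES = ["6.2.3", "6.3.0", "6.4.0", "6.5.0", "6.6.0", "6.7.0",
                     "7.0.0", "7.1.0", "7.2.0", "7.3.0"]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.0.6' into (7, 0, 6); a trailing build suffix such as '-123' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def release_train(version: Version) -> str:
    """Assumption: a train is the first two components, e.g. '7.0' for 7.0.6."""
    padded = version + (0,) * (2 - len(version))
    return f"{padded[0]}.{padded[1]}"


def fixed_release_for_train(train: str) -> Optional[Version]:
    """The fixed release for a train, or None if the summary lists no fix for it."""
    for fixed in FIXED_RELEASES:
        parsed = parse_version(fixed)
        if release_train(parsed) == train:
            return parsed
    return None


def assess(version_text: str) -> str:
    """Classify an FMC version against the lists above.

    Returns one of: 'fixed', 'vulnerable',
    'vulnerable - no fixed release listed', 'not in listed affected trains'.
    """
    version = parse_version(version_text)
    train = release_train(version)
    affected_trains = {release_train(parse_version(v)) for v in AFFECTED_RELEASES}
    if train not in affected_trains:
        return "not in listed affected trains"
    fixed = fixed_release_for_train(train)
    if fixed is None:
        return "vulnerable - no fixed release listed"
    # Tuple comparison does the right thing: (6, 4, 0, 16) < (6, 4, 0, 17),
    # and a bare (6, 4, 0) sorts below (6, 4, 0, 17) as well.
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    for v in ["6.4.0.16", "6.4.0.17", "7.0.5", "7.0.6", "7.1.0", "7.4.0"]:
        print(f"{v:10} -> {assess(v)}")
```

Run it with the version string from the FMC "About" page; a result of "not in listed affected trains" only means the train is absent from the summary above, not that it is confirmed safe.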

 

CVSS 4.0 Now Official 

https://www.first.org/cvss/v4-0/index.html 

https://blog.qualys.com/product-tech/2023/11/02/cvss-v4-is-now-live-and-what-do-you-need-to-know 

  • Officially GA as of Nov 1st; the last major revision was over 8 years ago with the release of CVSS v3.0 (June 2015) 
  • Includes a more granular breakdown of the Base metrics, new nomenclature to denote which combination of Base, Threat, and Environmental metrics a score reflects, and new Base metric values for User Interaction (passive or active) 
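To make the two changes above concrete, here is an added example (not FIRST's reference calculator) that parses a CVSS v4.0 vector string, validates the metric names and values against the v4.0 specification, reports the new User Interaction values, and derives the nomenclature label. Under v4.0 a score is labelled CVSS-B when only Base metrics are supplied, CVSS-BT with Threat metrics, CVSS-BE with Environmental metrics, and CVSS-BTE with both; a metric set to X (Not Defined) counts as absent. The score computation itself (the MacroVector lookup) is out of scope here.

```python
"""Parse a CVSS v4.0 vector and report its nomenclature (CVSS-B / -BT / -BE / -BTE).

Added example; metric names and allowed values follow the CVSS v4.0
specification. This does not compute the numeric score.
"""
from typing import Dict

# Base metrics are mandatory in every v4.0 vector.
BASE = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {
    "CR": "XHML", "IR": "XHML", "AR": "XHML",
    "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
    "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
    "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN",
}
SUPPLEMENTAL = {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH"}
# Provider Urgency uses word values instead of single letters.
SUPPLEMENTAL_WORDS = {"U": {"X", "Clear", "Green", "Amber", "Red"}}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}

USER_INTERACTION = {"N": "None", "P": "Passive", "A": "Active"}


def parse_vector(vector: str) -> Dict[str, str]:
    """Validate a v4.0 vector string and return {metric: value}."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector (expected 'CVSS:4.0' prefix)")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if name in SUPPLEMENTAL_WORDS:
            valid = value in SUPPLEMENTAL_WORDS[name]
        elif name in ALL_METRICS:
            # Values are single letters; check length so 'NA' is not accepted as 'N'.
            valid = len(value) == 1 and value in ALL_METRICS[name]
        else:
            raise ValueError(f"unknown metric {name}")
        if not valid:
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    return metrics


def nomenclature(metrics: Dict[str, str]) -> str:
    """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE; 'X' (Not Defined) does not count as supplied."""
    has_threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


def user_interaction(metrics: Dict[str, str]) -> str:
    """Spell out the v4.0 User Interaction value (None / Passive / Active)."""
    return USER_INTERACTION[metrics["UI"]]


if __name__ == "__main__":
    base = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    for v in (base, base + "/E:A", base + "/E:X/CR:H", base + "/E:P/MAV:L"):
        m = parse_vector(v)
        print(nomenclature(m), user_interaction(m), v)
```

The practical point for vulnerability management: two advisories quoting "the same" v4.0 score may not be comparable unless they carry the same nomenclature label, since a CVSS-BT score already folds in the exploit maturity that a CVSS-B score leaves out.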

 

MOZI Botnet Killswitch 

https://www.welivesecurity.com/en/eset-research/who-killed-mozi-finally-putting-the-iot-zombie-botnet-in-its-grave/ 

https://www.theregister.com/2023/11/01/mozi_botnet_kill_switch/ 

  • Mozi, which emerged in late 2019, accounted for roughly 90% of all malicious IoT network traffic 
  • In August of 2023, ESET noticed a major slowdown in Mozi traffic, first in India (Aug 8) and then in China (Aug 16) 
  • ESET researchers found that the kill switch was a control payload inside a UDP message, which: 
  • Disabled some system services 
  • Replaced the original application file 
  • Reordered some router/device configuration commands 
  • Disabled access to various ports 
  • The “who” behind the kill order is unknown but the assumption is either Chinese law enforcement or the creator 

 

Power outage darkens Cloudflare dashboard and APIs 

https://www.bleepingcomputer.com/news/security/cloudflare-dashboard-and-apis-down-after-data-center-power-outage/ 

https://www.cloudflarestatus.com/incidents/hm7491k53ppg 

  • Cloudflare is stating that the root cause of the outage was a regional power issue, compounded by generator failures, that took down facilities. 
  • The regional outage affected multiple data center facilities in the state of Oregon that host Cloudflare’s control plane (dashboard, logging, etc.) 
  • Investigation of the regional power outage and failure of generators is ongoing with data center vendors. 
  • This outage impacted all services that rely on Cloudflare API infrastructure including Alerts, Dashboard functionality, Zero Trust, WARP, Cloudflared, Waiting Room, Gateway, Stream, Magic WAN, API Shield, Pages, and Workers 

 

Boeing says cyber incident affects parts and distribution 

https://www.cybersecuritydive.com/news/citrixbleed-patch-hunt-malicious/699164/#:~:text=%E2%80%9CWe%20are%20aware%20of%20a,law%20enforcement%20and%20regulatory%20authorities. 

https://nvd.nist.gov/vuln/detail/CVE-2023-4966 

  • CVE-2023-4966: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN RDP Proxy) or AAA virtual server 
  • Threat actors are targeting this vulnerability to expose users to session hijacking and other threat activity 
  • Exploitation of this vulnerability has been dubbed CitrixBleed; a patch was released on Oct 10, but attacks are still occurring. 
  • Rapid7 has seen activity targeting retail, healthcare, and manufacturing. 
  • Recommendation: Patch. 

 

Rightway Breach 

https://www.cybersecuritydive.com/news/okta-employees-third-party-attack/698662/ 

  • Rightway (a third-party vendor to Okta) suffered a data breach on Sept 23rd that exposed an eligibility census file covering roughly 5k current and former Okta employees, including names, SS#, and health insurance plan numbers 
  • This breach did not impact Okta services, but it does not help that Okta has experienced its own share of breaches in recent months 

 

Okta explains hack source and response timeline 

https://www.bleepingcomputer.com/news/security/okta-says-its-support-system-was-breached-using-stolen-credentials/ 

https://sec.okta.com/harfiles 

  • Threat actors gained access to systems containing HAR files used for troubleshooting, and through those files were able to access 5 customers’ Okta environments – 3 of which are publicly known: 1Password, Cloudflare, and BeyondTrust 
  • During the investigation Okta found that an employee was signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop, where the username and password of the service account had been saved into the employee’s personal Google account 
  • It was also discovered that depending on how someone viewed the HAR files, the log entries were generated differently (log entry and ID’s were different) 
  • Multiple remediations are being put in place 
  • Disable the compromised service account (completed) 
  • Blocking the use of personal Google profiles with Google Chrome (complete) 
  • Enhance monitoring for customer support systems (complete) 
  • Binding Okta administrator session tokens based on network location (complete) 
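The HAR files in this incident mattered because a HAR capture records every request and response header, so a file exported to troubleshoot a login problem usually carries the live session cookie and any bearer tokens. Below is an added example (not Okta's sanitizer or any vendor's tool) of the redaction step a customer should run before sending a HAR to support: it strips authorization and cookie headers, cookie values, and token-like query parameters (both in the `queryString` array and in the request URL itself), returns a clean copy, and counts what it replaced. The header and parameter name lists are a reasonable default, not a standard; the sample HAR is constructed for the example.

```python
"""Redact session material from a HAR file before sharing it for support.

Added example, not Okta's tooling. The sensitive header and parameter
names are a default list chosen for this example, not a standard.
"""
import copy
import json
from typing import Any, Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code", "session", "sessiontoken"}


def _redact_pairs(pairs: List[Dict[str, Any]], names: set, counter: List[int]) -> None:
    """Redact the value of every {name, value} pair whose name is in `names`."""
    for pair in pairs:
        if pair.get("name", "").lower() in names and pair.get("value") != REDACTED:
            pair["value"] = REDACTED
            counter[0] += 1


def _redact_cookies(cookies: List[Dict[str, Any]], counter: List[int]) -> None:
    """Cookie values are always redacted; names are kept so support can still see which cookies were set."""
    for cookie in cookies:
        if cookie.get("value") != REDACTED:
            cookie["value"] = REDACTED
            counter[0] += 1


def _redact_url(url: str) -> str:
    """Replace sensitive query parameter values inside the request URL."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def sanitize_har(har: Dict[str, Any]) -> Tuple[Dict[str, Any], int]:
    """Return a redacted deep copy of the HAR and the number of values replaced."""
    clean = copy.deepcopy(har)
    counter = [0]
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _redact_pairs(msg.get("headers", []), SENSITIVE_HEADERS, counter)
            _redact_cookies(msg.get("cookies", []), counter)
        request = entry.get("request", {})
        _redact_pairs(request.get("queryString", []), SENSITIVE_PARAMS, counter)
        if "url" in request:
            new_url = _redact_url(request["url"])
            if new_url != request["url"]:
                request["url"] = new_url
                counter[0] += 1
    return clean, counter[0]


def leaks(har: Dict[str, Any], secret: str) -> bool:
    """True if the secret string still appears anywhere in the serialized HAR."""
    return secret in json.dumps(har)


# Constructed sample capture, not a real HAR; hostnames use a reserved TLD.
SAMPLE_HAR: Dict[str, Any] = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET",
            "url": "https://tenant.example.invalid/api/v1/users/me?token=abc123&limit=5",
            "headers": [
                {"name": "Cookie", "value": "sid=SESSION-VALUE"},
                {"name": "Authorization", "value": "SSWS API-TOKEN-VALUE"},
                {"name": "Accept", "value": "application/json"},
            ],
            "queryString": [{"name": "token", "value": "abc123"}, {"name": "limit", "value": "5"}],
            "cookies": [{"name": "sid", "value": "SESSION-VALUE"}],
        },
        "response": {
            "status": 200,
            "headers": [
                {"name": "Set-Cookie", "value": "sid=NEW-SESSION-VALUE; HttpOnly"},
                {"name": "Content-Type", "value": "application/json"},
            ],
            "cookies": [{"name": "sid", "value": "NEW-SESSION-VALUE"}],
        },
    }]}
}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values")
    print(json.dumps(clean, indent=2))
```

Redaction is the customer-side control; it complements, rather than replaces, the server-side remediations listed above, since a sanitized file leaked from a support system carries nothing a session hijacker can use.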

  

Looney Tunables now being exploited 

https://www.helpnetsecurity.com/2023/11/07/kinsing-exploiting-looney-tunables/ 

https://www.helpnetsecurity.com/2023/10/05/cve-2023-4911/ 

  • Looney Tunables – the exploitation chain observed uses two vulnerabilities: 
  • CVE-2023-9841, a critical remote code execution vulnerability in the PHP testing framework PHPUnit, for initial access 
  • CVE-2023-4911, a buffer overflow vulnerability in the GNU C Library’s dynamic loader, to achieve root privileges on the underlying Linux distribution 
  • Kinsing (Money Libra) is a threat actor that has been active since late 2021 targeting cloud-native environments and applications to deploy cryptominers 
  • The actors have been manually probing the environment for system and user information and started a new interactive shell session 
  • They also downloaded and ran several scripts, including one that creates a webshell backdoor 

 

Lazarus Group uses KandyKorn against blockchain engineers 

https://securityaffairs.com/153622/hacking/lazarus-kandykorn-malware.html#:~:text=North%20Korea%2Dlinked%20Lazarus%20APT,interact%20with%2C%20and%20avoid%20detection. 

  • Lazarus APT group (North Korea-linked) has been seen using the new KandyKorn macOS malware in attacks against blockchain engineers 
  • KandyKorn is an advanced implant with a variety of capabilities, including monitoring, interaction, and detection avoidance; it uses reflective loading, a direct-memory form of execution that can bypass detections 
  • Lazarus is impersonating blockchain engineering community members on a public Discord server, tricking members into downloading and decompressing a Zip file containing malicious Python code masquerading as an arbitrage bot 
  • An arbitrage bot is a tool that allows users to profit from cryptocurrency rate differences between platforms 

 

Mr. Cooper has experienced an incident 

https://www.bleepingcomputer.com/news/security/mortgage-giant-mr-cooper-hit-by-cyberattack-impacting-it-systems/ 

  • Mr. Cooper, a U.S. mortgage lending company based out of the DFW area, shut down its IT systems on Oct 31st due to a cyberattack, including access to the online payment portal 
  • On November 2nd, the company notified its customers of the incident – the type of attack, and whether any data was exfiltrated, are unknown at this point in time. 

 

New Microsoft Exchange Zero Days 

https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-theft-attacks/ 

  • Trend Micro had reported the vulnerabilities to Microsoft on September 7th and 8th, 2023 – however, Microsoft decided the flaws were not severe enough to warrant immediate servicing and postponed the fixes 
  • Trend Micro’s Zero Day Initiative (ZDI) posted their tracking IDs to warn Exchange customers 
  • ZDI-23-1578: Remote Code Execution flaw in the ‘ChainedSerializationBinder’ class, where user data isn’t adequately validated, allowing attackers to deserialize untrusted data 
  • Successful exploitation enables an attacker to execute arbitrary code as ‘SYSTEM’ 
  • Microsoft Response: Customers who have applied the August Security Updates are already protected. 
  • ZDI-23-1579: located in the ‘DownloadDataFromUri’ method, this flaw is due to insufficient validation of the URI before resource access 
  • Attackers can exploit it to access sensitive information from Exchange servers 
  • Microsoft Response: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to gain elevation of privilege. 
  • ZDI-23-1580: In the ‘DownloadDataFromOfficeMarketPlace’ method, also stems from improper URI validation 
  • Potentially leading to unauthorized information disclosure 
  • Microsoft Response: The technique described requires an attacker to have prior access to email credentials. 
  • ZDI-23-1581: Present in the ‘CreateAttachmentFromUri’ method, this flaw resembles the previous bugs with inadequate URI validation 
  • Risking sensitive data exposure 
  • Microsoft Response: The technique described requires an attacker to have prior access to email credentials, and no evidence was presented that it can be leveraged to access sensitive customer information. 

All of the above vulnerabilities do require authentication to exploit – which made me think, why did Microsoft not prioritize fixing the bugs? 
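Three of the four ZDI findings above share one root cause: a server fetching a caller-supplied URI without adequately validating it first. As an added example (not Exchange code and not Microsoft's fix), here is the validation a defender expects in front of any such fetch: an HTTPS-only scheme allowlist, rejection of credentials embedded in the authority, rejection of literal addresses that are not publicly routable (loopback, private, link-local, and other reserved ranges, IPv4 and IPv6), rejection of dotless or `.localhost` names, and an optional host allowlist. DNS is deliberately not resolved here, because a name can be re-pointed between the check and the connect; the resolved address has to be checked again at connect time. Function names and the rejection reasons are this example's own.

```python
"""Allowlist validation for a URI a server will fetch on a user's behalf.

Added example, not Exchange's implementation. Function names and reason
strings are specific to this example.
"""
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}


def classify_uri(uri: str, allowed_hosts: Optional[Iterable[str]] = None) -> str:
    """Return 'ok', or a short reason the URI must not be fetched."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    # user:password@host is a classic way to smuggle a different host past a naive check.
    if parts.username is not None or parts.password is not None:
        return "credentials in authority"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # is_global is False for loopback, private, link-local, multicast and
        # documentation ranges, for both IPv4 and IPv6.
        if not addr.is_global:
            return "non-public address"
    elif host == "localhost" or host.endswith(".localhost") or "." not in host:
        # Dotless names resolve against the local search domain; reject them outright.
        return "local hostname"
    if allowed_hosts is not None:
        if host.lower() not in {h.lower() for h in allowed_hosts}:
            return "host not in allowlist"
    return "ok"


def is_safe_fetch_uri(uri: str, allowed_hosts: Optional[Iterable[str]] = None) -> bool:
    """Convenience wrapper: True only when every check passes."""
    return classify_uri(uri, allowed_hosts) == "ok"


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    for u in ["https://cdn.example.com/report.pdf", "http://cdn.example.com/report.pdf",
              "https://127.0.0.1/", "https://[::1]/", "https://user:pw@cdn.example.com/",
              "https://intranet/", "https://10.0.0.8/"]:
        print(f"{classify_uri(u):28} {u}")
```

Note that even with the resolved address re-checked at connect time, a fetch of this kind should run with a short timeout, no redirects (or redirect targets passed back through the same check), and a response size cap, since each of those is another way an authenticated user can turn the server into a proxy for data it should not reach.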

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 

Brent Forrest's Cybersecurity News Update

About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance on developing strategies to reduce risk with existing or new technology while enabling the business.  With over 20 years of experience in the IT industry, Brent has been a part of multiple groups within the IT field spanning Telecom, Network, Wireless, and Infrastructure, eventually finding his passion within Security.  Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives.  Specifically with EnLink Midstream, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up. 


Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development.  He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.   

