Weekly Top 10 – 11.06.2023- Threat Actors Use Credentials Scraped from GitHub for Crypto Mining, Infamous Mozi IOT Botnet Goes Dark, HelloKitty Ransomware Gang Leverages Vulnerabilities in Apache, Boeing Confirms Cyberattack and Lockbit Claims Responsibility

WEEKLY TOP TEN | November 06, 2023 15:00 GMT

1. Unpatched Vulnerabilities Discovered in NGINX Ingress Controller
   On June 22nd, Trend Micro’s Zero Day Initiative (ZDI) disclosed three critical vulnerabilities in SolarWinds Access Rights Manager, which have now been patched. Each of these vulnerabilities occur pre-authentication and allows attackers to gain remote code execution as the SYSTEM user. According to the advisory details from ZDI, these vulnerabilities were all caused by a lack of proper sanitization and validation of user input.
2. F5 Discloses Critical Remote Code Execution Vulnerability in BIG-IP
   
   F5, the company behind BIG-IP, a suite of networking hardware and software tools, has disclosed a critical vulnerability currently being tracked as CVE-2023-46747, with a CVSS score of 9.8. This flaw allows for attackers to completely bypass authentication, and execute commands as the root user, allowing for complete takeover of the victim device. Patches have been released for all vulnerable versions.
3. Threat Actors Use Credentials Scraped from GitHub for Crypto Mining
   DevOps engineers and Developers often hard-code credentials and API keys into scripts to perform automated tasks. However, sometimes these scripts are uploaded publicly to GitHub without removing the sensitive information. Recently, attackers have been observed exploiting this fact, they search for exposed secrets and use them to authenticate to the corresponding devices. They then leverage this access install cryptocurrency miners. GitHub does have a feature to scan for and remove secrets from repositories, but it must be enabled in settings to take effect.
4. Malicious NuGet Packages Delivered via Typosquatting
   
   NuGet is a package manager for .NET packages similar to Python PIP or JavaScript NPM. A typosquatting campaign has been discovered by ReversingLabs in which attackers upload malicious packages to NuGet with names such as MinecraftPocket.Server or DiscordsRPC, which take advantage of spelling mistakes or names similar to those of legitimate packages. When a developer mistakenly downloads one of these packages, malware is installed. The most commonly observed in this campaign is SeroXen RAT.
5. Atlassian Discloses a Second Critical Vulnerability in Confluence This Month
   
   A new critical vulnerability in Confluence has been disclosed by Atlassian. This vulnerability, (CVE-2023-22518 CVSS Score 9.1) is an issue with improper authorization in Confluence Data Center. Atlassian urges the administrators of all publicly available Confluence Data Center instances to update to the latest version and has warned that if exploited, significant data loss could occur. Atlassian once again states that Atlassian Cloud deployments are not impacted by this vulnerability.
6. Cybercriminals’ URL Shortening Service Uncovered
   
   The DNS security firm Infoblox has discovered a URL shortening service run by a threat-actor dubbed Prolific Puma. The URLs created with this service were used for phishing and malware distribution. Infoblox estimates that over 75,000 URLs using the .US TLD (top level domain) have been registered by Prolific Puma since April 2022. The .US TLD made up over half of the URLs registered, however .link, .info, .com, .cc, and .me were also observed.
7. Boeing Confirms Cyberattack and Lockbit Claims Responsibility
   
   On October 30^th, the LockBit ransomware gang claimed they had breached the aerospace company Boeing and exfiltrated sensitive data. Now as of November 2^nd, Boeing has confirmed a cyberattack against their services department, however they have not explicitly attributed the attack to LockBit. Boeing made clear that this attack made no impact on passenger or flight safety.
8. HelloKitty Ransomware Gang Leverages Vulnerabilities in Apache
   
   November 1^st security firm Rapid 7 disclosed a critical vulnerability in Apache ActiveMQ which is being tracked as CVE-2023-46604 and has a 10.0 CVSS score. This vulnerability is a deserialization issue that allows attackers to run arbitrary code remotely on ActiveMQ instances. Several deployments of the HelloKitty ransomware strain have been observed using this flaw in Apache to gain initial access into victim networks.
9. Infamous Mozi IOT Botnet Goes Dark
   
   The Mozi botnet was a collection of devices infected with a customized malware which meshed features from the Marai and Gafgyt malware families. Many of the devices in this botnet were poorly configured IOT (Internet of Things) devices such as cheap smart home appliances. It was speculated that over 1.5 million devices were part of this botnet in mid-2021. Recently, the Mozi botnet went offline, researchers from several organizations have speculated that this botnet was intentionally shut down by its creators due to pressure from Chinese law enforcement.
10. SketchUp Microsoft O365 Library Introduces Over 100 Vulnerabilities
    
    In June 2023 Microsoft decided to add integration support for SketchUp modeling software in Office 365, since then, researchers at ZScaler’s ThreatLabz have discovered over one-hundred vulnerabilities related to this change. Microsoft has now temporarily paused the ability to interact with .skp (sketchup) files in MS Office applications.