WEEKLY TOP TEN | December 11, 2023, 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent cybersecurity risks. The following top ten stories were selected from the 40+ items we assessed during the week as the most significant, ranked by risk and corroborated with multiple sources where available:
- Critical Severity CVEs Impact Several Atlassian Products
Atlassian has disclosed four critical-severity vulnerabilities impacting its Confluence, Jira, and Bitbucket products. Atlassian products are very widely deployed and frequently host sensitive data, so threat actors tend to begin exploiting newly disclosed flaws in them within days. All four vulnerabilities carry a CVSS score of 9.0 or above; two of them, CVE-2023-22523 and CVE-2022-1471, are rated 9.8.
- Adobe ColdFusion Vulnerabilities Used in Attacks Targeting the US Government
A vulnerability in Adobe ColdFusion tracked as CVE-2023-26360 has been used to attack agencies of the FCEB (Federal Civilian Executive Branch) of the US government. According to CISA, the attackers used the vulnerability to “establish an initial foothold on two agency systems in two separate instances.” CISA also states that the threat actors were able to deliver malware to the compromised web servers via an HTTP POST request. However, CISA has clarified that, at this time, there are no signs of data exfiltration or lateral movement related to these incidents.
- Idaho National Laboratory Breached by SiegedSec
The Idaho National Laboratory (INL) was targeted in a cyberattack for which the hacktivist group SiegedSec claimed responsibility. The lab's HR systems were compromised, exposing the personal data of every current employee and potentially some former employees. SiegedSec did not sell the data; instead, it posted the leak publicly for free, which appears to be its standard practice following its last notable attack, on NATO's Communities of Interest (COI) Portal in July.
- Flaws in UEFI Leave Devices Open to Bootkit Infections
UEFI (Unified Extensible Firmware Interface) is the firmware that handles the boot process of a device before the operating system is loaded. Security researchers have discovered flaws in this process that allow an attacker to modify the boot process and bypass typical boot security controls such as Secure Boot. If exploited, threat actors could load their own EFI image onto the device, installing a bootkit. Bootkits are extremely difficult to detect with standard security tools and analysis methods, because they run before the operating system does and make little or no modification to the operating system itself.
- Fake iOS Lockdown Mode Used in Malware Infections
Lockdown Mode is an iOS feature designed for at-risk individuals, such as journalists and political activists; it significantly restricts some features of the phone to reduce attack surface and harden the device. Researchers at Jamf Threat Labs have demonstrated a post-exploitation technique that undermines trust in this mode: an attacker who has already compromised a device can fake the visual activation of Lockdown Mode while maintaining a persistent malware infection on that device. The technique does not defeat Lockdown Mode's protections on an uncompromised device; it deceives a user whose device is already infected into believing it has been hardened.
- New P2PInfect Variant Targets Routers and IoT Devices
Researchers have uncovered a new variant of the P2PInfect botnet malware that specifically targets insecure routers and IoT devices. To that end, the malware has been compiled for the MIPS CPU architecture, which is common in embedded systems. Initial access is gained via SSH brute-force attacks using a list of common credentials hard-coded into the malware. The malware also employs defense-evasion and anti-analysis techniques, such as terminating itself if it detects that it is being analyzed.
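The initial-access step described above, a spray of hard-coded credentials over SSH, leaves a distinctive trail in sshd logs: many failures from one source in a short window, across several usernames, sometimes followed by an accepted login. The detector below is an added example (not part of the original digest and not derived from the P2PInfect malware or its analysis); it runs over a constructed set of syslog-format sshd lines and flags sources that exceed a failure threshold inside a sliding window, reporting the usernames tried and any success that followed the failures. The sample lines, hostnames and addresses are made up.

```python
"""Flag SSH password-brute-force sources in sshd auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# syslog-format sshd lines; "invalid user" appears when the username does not exist
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2023):
    """syslog timestamps carry no year; assume one (constructed sample is from 2023)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: details} for sources with >= threshold failures inside window_s seconds."""
    failures = defaultdict(list)   # ip -> [(time, user)]
    accepts = defaultdict(list)    # ip -> [(time, user)]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepts[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        # sliding window: largest number of failures whose timestamps span <= window_s
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        # an accepted login after the failures began suggests the spray succeeded
        compromised = [u for t, u in accepts.get(ip, []) if t > times[0]]
        alerts[ip] = {
            "max_failures_in_window": best,
            "distinct_users": sorted({u for _, u in events}),
            "success_after_failures": compromised,
        }
    return alerts

# Constructed sample: one credential spray that ends in a successful root login,
# and one legitimate user mistyping a password once.
SAMPLE_LOG = [
    "Dec  9 03:14:01 gw sshd[2210]: Failed password for root from 192.0.2.10 port 51812 ssh2",
    "Dec  9 03:14:05 gw sshd[2212]: Failed password for root from 192.0.2.10 port 51820 ssh2",
    "Dec  9 03:14:09 gw sshd[2214]: Failed password for invalid user admin from 192.0.2.10 port 51830 ssh2",
    "Dec  9 03:14:13 gw sshd[2216]: Failed password for invalid user pi from 192.0.2.10 port 51838 ssh2",
    "Dec  9 03:14:17 gw sshd[2218]: Failed password for invalid user ubuntu from 192.0.2.10 port 51846 ssh2",
    "Dec  9 03:14:21 gw sshd[2220]: Failed password for root from 192.0.2.10 port 51854 ssh2",
    "Dec  9 03:14:25 gw sshd[2222]: Accepted password for root from 192.0.2.10 port 51862 ssh2",
    "Dec  9 03:20:40 gw sshd[2301]: Failed password for alice from 198.51.100.7 port 40022 ssh2",
    "Dec  9 03:20:47 gw sshd[2301]: Accepted password for alice from 198.51.100.7 port 40022 ssh2",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold and window are tunable; a device that accepts password authentication from the internet should treat a flagged source that also shows `success_after_failures` as a likely compromise rather than mere noise, and the distinct-username count is what separates a credential-list spray from a single user fumbling a password.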
- Fake WordPress Security Advisory Used to Deliver Malware
Threat actors have begun sending WordPress site administrators fake security-advisory emails claiming that a new CVE affecting WordPress installations has been discovered. The attackers label the fictitious vulnerability CVE-2023-45124. The emails describe it as a Remote Code Execution vulnerability and urge administrators to install a plugin that supposedly mitigates the problem. If the admin clicks the link, they are taken to a very realistic clone of the WordPress site, complete with faked download statistics and fake reviews praising the plugin. In reality, the plugin creates a backdoor that allows the attackers to take over the infected site. Administrators can check such a claim by looking the identifier up in the official CVE list and confirming that the recommended plugin actually exists on wordpress.org before installing anything.
- North Korean State Hackers Have Stolen More Than Three Billion Dollars of Cryptocurrency
Intelligence firm Recorded Future estimates that North Korean state hackers, most notably the Lazarus Group, have stolen more than three billion dollars' worth of cryptocurrency since 2017, continuing a multi-year pattern of large-scale theft. Recorded Future's estimates put 2022 alone at roughly 1.7 billion dollars, the largest annual total so far. It is also estimated that about half of the money stolen this way is directed to North Korea's ballistic missile and nuclear weapons programs.
- Twenty-One New Vulnerabilities Discovered in Sierra Routers
Sierra Wireless AirLink routers are a popular choice for high-performance industrial applications, as well as medical and government facilities. Forescout Vedere Labs has disclosed a set of twenty-one new vulnerabilities impacting these routers and several of their software components. The issues range from Remote Code Execution to Denial of Service, and at least five of them can be exploited without authentication. According to the researchers, the vulnerabilities could allow an attacker “to take full control of an OT/IoT router in critical infrastructure.”
- Details About Russian APT ColdRiver Published by Microsoft Threat Intelligence
ColdRiver (tracked by Microsoft as Star Blizzard) is a Russia-affiliated APT group that, according to Microsoft, targets “entities aligning with Russian state interests”. Microsoft reports that the group builds malicious websites on lookalike domains impersonating its targets. It has also begun to employ automated-scan evasion: server-side scripts on its infrastructure detect web crawlers and security scanners and redirect or block them, so the phishing pages stay out of scanner results and are harder to detect.
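The lookalike-domain tactic described above is one defenders can hunt for, because newly registered or newly certificated domains that resemble an organisation's own are observable before the phishing email arrives. The following is an added example (not from the original digest and not code from Microsoft or any ColdRiver report): it takes a list of protected domains and a constructed list of observed candidate domains, folds each candidate's second-level label through a small homoglyph and Cyrillic-confusable map (decoding punycode `xn--` labels first), and flags typosquats by edit distance, brand-in-subdomain abuse, and brand-embedded-in-label registrations. `example.org` and all candidates are made-up inputs, and the registrable-domain split is deliberately naive (it assumes a one-label public suffix; production code should consult the Public Suffix List).

```python
"""Flag domains that impersonate a protected domain: homoglyph/IDN variants, typosquats,
brand-in-subdomain and brand-in-label registrations (added example)."""

# Latin sequences that render like other letters; a small constructed subset.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
# Cyrillic letters visually identical to Latin ones (subset of Unicode confusables).
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

def normalize_label(label):
    """Fold a DNS label to the Latin string a human would read it as."""
    if label.startswith("xn--"):               # punycode-encoded IDN label
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = label.lower()
    label = "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in label)
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label.replace("-", "")              # "ex-ample" reads as "example"

def split_domain(fqdn):
    """Naive split into (subdomain labels, second-level label, TLD).
    Assumes a one-label public suffix; real code should use the Public Suffix List."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[:-2], labels[-2], labels[-1]

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, protected):
    """Return (protected_domain, reason) if candidate impersonates one, else None."""
    parts = split_domain(candidate)
    if parts is None:
        return None
    subs, sld, tld = parts
    norm = normalize_label(sld)
    for target in protected:
        _, t_sld, t_tld = split_domain(target)
        if (sld, tld) == (t_sld, t_tld):
            return None                        # the genuine domain or one of its own hosts
        t_norm = normalize_label(t_sld)
        if norm == t_norm:
            reason = ("same label, different TLD" if sld == t_sld
                      else "homoglyph/IDN/hyphen variant of label")
        elif len(t_norm) >= 5 and levenshtein(norm, t_norm) == 1:
            reason = "one edit away from protected label"
        elif len(t_norm) >= 5 and t_norm in norm:
            reason = "protected label embedded in second-level label"
        elif t_norm in (normalize_label(s) for s in subs):
            reason = "protected label used as a subdomain of another registrable domain"
        else:
            continue
        return target, reason
    return None

def find_lookalikes(candidates, protected):
    """List of (candidate, protected_domain, reason) for every flagged candidate."""
    hits = []
    for c in candidates:
        verdict = classify(c, protected)
        if verdict:
            hits.append((c, verdict[0], verdict[1]))
    return hits

PROTECTED = ["example.org"]                   # constructed
# Constructed stand-in for newly observed domains (e.g. from certificate transparency logs).
CANDIDATES = [
    "example.org", "mail.example.org",          # genuine, must not be flagged
    "examp1e.org", "exarnple.com", "example.net", "exampl.org",
    "example-org.com", "example.org.login-secure.com",
    "ex\u0430mple.org".encode("idna").decode("ascii"),   # Cyrillic 'а', as xn-- punycode
    "unrelated-site.com",
]

if __name__ == "__main__":
    for cand, target, reason in find_lookalikes(CANDIDATES, PROTECTED):
        print(f"{cand:40} -> {target}: {reason}")
```

Fed with real certificate-transparency or new-registration feeds, the same logic gives an early warning of the impersonation infrastructure before it is used; the edit-distance rule is the noisiest of the four and is worth restricting to labels of a reasonable length, as done here, to avoid flagging every short unrelated name.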