WEEKLY TOP TEN | SEPTEMBER 25, 2023 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available:
- Critical Vulnerabilities in WS_FTP Server
Progress Software, the developers of the now-infamous MOVEit, disclosed several vulnerabilities in their WS_FTP Server software, including two critical vulnerabilities with a CVSS score of 10 (CVE-2023-40044 and CVE-2023-42657). The headline issue is a .NET deserialization vulnerability that can lead to remote code execution. These vulnerabilities do appear to have been exploited in the wild.
- Zero-day in Exim Mail Server
Exim is a flexible, open-source (GPL v2) mail server for Unix operating systems. The maintainers recently announced several vulnerabilities via the OSS-security mailing list, most notably CVE-2023-42115, which allows unauthenticated remote code execution. Three of these vulnerabilities, including CVE-2023-42115, have been patched, while fixes for the other three are still underway.
- Maximum Severity Vulnerabilities in Confluence
According to information released by Atlassian, a previously unknown vulnerability let threat actors access a number of Confluence user accounts without authorization. This vulnerability, now tracked as CVE-2023-22515, is rated "low complexity" and permits remote code execution without user interaction. Notably, Confluence instances running on Atlassian Cloud are unaffected by this vulnerability.
- Looney Tunables Vulnerability in glibc Allows for Privilege Escalation on Linux Machines
Qualys researchers discovered a vulnerability in the GNU C Library (glibc), a core package present in the most popular Linux distributions. This vulnerability (CVE-2023-4911) allows a local attacker to gain root privileges on an affected system via a bug in the handling of the GLIBC_TUNABLES environment variable. Patches are available for Ubuntu, Debian, Red Hat, and others.
- Threat Actors Abuse Open Redirect Vulnerability on Indeed.com
Threat actors have used an open redirect vulnerability on indeed.com to launch a phishing campaign targeting C-suite executives across various industries. The vulnerability allows actors to send seemingly legitimate emails containing indeed.com URLs that then redirect to an attacker-controlled website. The campaign leverages the EvilProxy phishing toolkit, which lets threat actors hijack session tokens and thereby bypass MFA. Ensure users know to avoid clicking links within emails whenever possible, and to double-check the destination URL after clicking a link to confirm no redirection to a malicious website has occurred.
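As an added example (not from the digest, and not Indeed's own code), a small Python checker for mail-gateway or triage use that flags links where a trusted domain's query string carries an embedded URL pointing off-site, the pattern an open-redirect phish relies on. The redirect parameter name `next`, the trusted-domain list, and all sample URLs are constructed placeholders, not values taken from the real campaign.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed list of domains whose links users are trained to trust.
# Subdomains of each entry are also treated as trusted.
TRUSTED_DOMAINS = {"indeed.com"}


def is_trusted_host(host: str) -> bool:
    """True when host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def fully_unquote(value: str) -> str:
    """Undo repeated percent-encoding so double-encoded URLs are not missed."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded


def extract_redirect_targets(url: str) -> list:
    """Return every absolute or protocol-relative URL found in the query string."""
    targets = []
    for values in parse_qs(urlparse(url).query).values():
        for raw in values:
            candidate = fully_unquote(raw)
            inner = urlparse(candidate)
            # Absolute http(s) URLs and '//host/path' forms both carry a netloc.
            if inner.netloc and inner.scheme in ("", "http", "https"):
                targets.append(candidate)
    return targets


def is_suspicious_redirect(url: str) -> bool:
    """Flag a trusted-domain link whose embedded target leaves the trusted site."""
    host = urlparse(url).hostname or ""
    if not is_trusted_host(host):
        return False  # not a trusted-looking link; outside this check's scope
    for target in extract_redirect_targets(url):
        target_host = urlparse(target).hostname or ""
        if not is_trusted_host(target_host):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a trusted host carrying an off-site redirect target.
    sample = "https://www.indeed.com/r?next=https%3A%2F%2Flogin.example-phish.test%2Fsso"
    print(sample, "->", "SUSPICIOUS" if is_suspicious_redirect(sample) else "ok")
```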
- Zombie Zoom Links Allow for Unauthorized Access to Meetings
KrebsOnSecurity has reported on the use of persistent Zoom links. These links use Zoom Personal Meeting IDs (PMI) and in-URL encrypted passwords to give legitimate employees one-click entry into meetings. However, because these identifiers are permanent, a threat actor who obtains them can join or even start Zoom meetings under the identity of a legitimate employee. Avoid these one-click links and rotate meeting passwords frequently.
- Bing AI Convinced to Solve CAPTCHA
A user on X (formerly Twitter) documented a workaround for getting Bing AI to solve CAPTCHA tests. When asked to read the text in a provided CAPTCHA image, Bing AI responds with an explanation of why it cannot, citing the rules its creators implemented. However, when the user changed the context by placing the CAPTCHA text inside an image of a locket and asking the LLM to read the message under the guise of his "recently deceased grandmother's secret love code", the AI complied, along with condolences for the user's loss. This type of filter evasion has been seen frequently of late as a way to manipulate generative AI and LLMs into producing prohibited content.
- CISA Adds Windows and JetBrains Vulnerabilities to its Known Exploited Vulnerabilities Catalogue
CISA recently added a JetBrains authentication bypass and a Windows privilege escalation vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue. The JetBrains vulnerability (CVE-2023-42793, CVSS score 9.8) allows threat actors to gain remote code execution without authentication. The Windows vulnerability, CVE-2023-28229 (CVSS score 7.0), lies in the Cryptographic Next Generation (CNG) Key Isolation service and allows attackers to gain limited access to the SYSTEM user, which has ultimate authority over the computer.
- Google Patches Two Android Vulnerabilities Exploited in the Wild
In Google's October security bulletin, the company brought attention to two (now patched) vulnerabilities showing signs of exploitation in the wild, notably by mercenary (or commercial) spyware groups. The first is CVE-2023-4863 (CVSS score 8.8), a heap overflow in libwebp that allows an attacker to write out of bounds. The second is CVE-2023-4211 (CVSS score 5.5), which allows non-privileged users to make GPU processing requests on already-freed memory.
- iOS 17 Kernel Zero-Day Patched After Discovery of Exploitation
Apple released a security update for the brand-new iOS 17. There is not much information on this vulnerability (CVE-2023-42824); Apple simply stated that it allows privilege elevation and was observed being exploited in the wild against iOS 16.6 and earlier.