Ivanti Connect Secure Zero-Days Now Under Mass Exploitation

Summary: Two zero-day vulnerabilities affecting Ivanti’s Connect Secure (ICS) VPN and Policy Secure network access control (NAC) appliances are now under mass exploitation. Volexity, a threat intelligence company, first spotted them being exploited in December 2023: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection flaw. Chained together, the two give an unauthenticated remote attacker command execution on the appliance. Ivanti publicly disclosed both on January 10, 2024. “Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals,” Volexity warned on January 15th.

The attackers backdoored their targets’ systems using a variant of the GIFTEDVISITOR webshell, which Volexity found on more than 1,700 ICS VPN appliances. These appliances appear to have been targeted indiscriminately, with victims all over the world, including government and military departments, telecoms, tech companies, banks and financial firms, and engineering companies. Volexity attributes the activity to a suspected Chinese state-backed actor it tracks as UTA0178, and CISA (the Cybersecurity and Infrastructure Security Agency) has issued Emergency Directive 24-01 with mitigation and hunting guidance for affected agencies and organizations.

Why it matters: At the time of Volexity’s disclosure, Ivanti had not released patches that fully fix these flaws. Admins are nonetheless strongly encouraged to apply the vendor-provided mitigation on every ICS and Policy Secure appliance on their network. They should also run Ivanti’s external Integrity Checker Tool (ICT) against each appliance and, if signs of a breach are found, treat all data on the appliance (including passwords, certificates and any other secrets) as compromised and rotate it, as detailed in the ‘Responding to Compromise’ section of Volexity’s earlier blog post.

Threat monitoring service Shadowserver currently tracks more than 16,800 ICS VPN appliances exposed online, almost 5,000 of them in the United States (Shodan likewise sees over 15,000 Internet-exposed Ivanti ICS VPNs).

Atlassian Confluence Data Center and Server Remote Code Execution Vulnerability (CVE-2023-22527)

Summary: Atlassian Confluence Data Center and Server is affected by a critical vulnerability, tracked as CVE-2023-22527, that stems from a template injection flaw in out-of-date versions and allows an unauthenticated attacker to execute arbitrary code on an affected instance. The issue was included in Atlassian’s January 2024 security bulletin, which also details 23 other security defects in third-party dependencies of Jira, Crowd, Bitbucket, and Bamboo Data Center and Server, some of them more than five years old.

The flaw affects all out-of-date Confluence 8 versions released before December 5, 2023, as well as Confluence 8.4.5, which no longer receives backported fixes. Atlassian notes that there are no workarounds for this bug and that even Confluence instances that are not directly reachable from the internet may be at risk. The company urges customers to update to the latest versions (8.5.5 LTS or 8.7.2) and notes that the fix is also being backported to all supported LTS versions that have not reached end of life.

Confluence 7.19.x Long Term Support (LTS) versions are not affected, and neither are Atlassian Cloud sites.

Why it matters: Atlassian has not stated that the vulnerability is being exploited in the wild, but Confluence flaws are a frequent target for threat actors, and exploitation usually follows quickly once details of a bug are public. Customers running an affected version should patch immediately. Instances that cannot be patched because they have reached end of life should not be left running.

New Outlook Flaw Let Attackers Access Hashed Passwords

Summary: The flaw, tracked as CVE-2023-35636, was reported to Microsoft in July 2023 by researchers at Varonis and patched on December 12, 2023; unpatched systems remain exposed. It lies in Microsoft Outlook’s calendar-sharing feature: a crafted calendar-sharing email makes Outlook fetch a file from an attacker-controlled server once the recipient opens the shared calendar, and the resulting SMB connection leaks the user’s NTLMv2 authentication response (a challenge-response value derived from the password hash, often loosely called an “NTLM hash”). A captured NTLMv2 response can be abused in one of two ways:

  1. Offline brute-force attack: the attacker takes the captured NTLMv2 response and, on their own hardware, computes the expected response for candidate passwords until one matches. Because nothing further touches the victim’s network, this is effectively undetectable.
  2. Authentication relay attack: the attacker intercepts the NTLMv2 authentication and relays it in real time to a different server that still accepts NTLM, authenticating to that server as the victim.

Apart from Outlook, the same researchers showed that the Windows Performance Analyzer (WPA) and Windows File Explorer can be abused in the same way: by crafting URI handler links with specific parameters, an attacker can make these applications authenticate to an attacker-controlled host and reveal the NTLMv2 response.

Why it matters: Although Microsoft has patched this vulnerability, many systems remain exposed because organizations have not yet deployed the update. Microsoft’s guidance for protecting credentials against these attacks is:

  1. SMB signing: Enable, and require, SMB signing to protect SMB traffic from tampering and man-in-the-middle relay. Every SMB message is digitally signed, so a recipient can detect and reject relayed or altered messages.
  2. Block outgoing NTLM: The long-standing “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy can deny NTLM to remote servers, and starting with Windows 11 Insider build 25951 the SMB client can additionally block NTLM on SMB connections outright.
  3. Force Kerberos authentication: Wherever possible, enforce Kerberos and block NTLMv2 at both the network and application levels, so that NTLM is only used where it is genuinely required.

By taking these precautions, you can significantly reduce the risk of NTLMv2 capture and relay attacks against your systems and data.
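As an added example (not from Microsoft or the original article), the following script checks whether the first two controls above are actually enforced on a host by parsing the output of `reg export` for the relevant keys. The registry keys and value names are the real Windows locations behind the “Microsoft network client/server: Digitally sign communications (always)” and “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policies; the sample export is constructed. Kerberos enforcement is a domain-wide design choice and is not audited here.

```python
import re

# Registry locations behind the controls above (real Windows values, per Microsoft
# documentation): (key, value name, required DWORD, what the setting enforces)
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
     "RequireSecuritySignature", 1, "SMB client: always sign outbound SMB traffic"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "RequireSecuritySignature", 1, "SMB server: reject unsigned inbound SMB traffic"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
     "RestrictSendingNTLMTraffic", 2, "deny all outgoing NTLM to remote servers (1 = audit only)"),
]

KEY_RE = re.compile(r"\[(.+)\]")
DWORD_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})')


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax that `reg export` emits: [key] headers
    followed by "name"=dword:xxxxxxxx lines. Returns {(key, name): int}."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.fullmatch(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.fullmatch(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def audit(values: dict) -> list:
    """Return one finding per control that is absent or weaker than required.
    An absent value means the Windows default applies, which on most member
    systems is 'not enforced'."""
    findings = []
    for key, name, required, meaning in CHECKS:
        actual = values.get((key, name))
        if actual != required:
            state = "not set" if actual is None else f"set to {actual}"
            findings.append(f"{name} ({meaning}) is {state}, expected {required}")
    return findings


def load_reg_file(path: str) -> dict:
    # `reg export <key> <file>` writes UTF-16 with a BOM by default.
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


# Constructed sample export: client-side signing on, server-side signing value
# absent, and NTLM restriction left in audit-only mode.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RequireSecuritySignature"=dword:00000001
"EnableSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictSendingNTLMTraffic"=dword:00000001
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print("FAIL:", finding)
```

Run it against a real host by exporting the three keys with `reg export` and passing the files to `load_reg_file`. Treating audit-only mode (1) as a failure is deliberate: audit mode logs NTLM use but still sends the response, so it does nothing to stop the capture described above.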


Major Companies Targeted by Midnight Blizzard Hackers

Summary: Newly disclosed breaches of Microsoft and Hewlett Packard Enterprise (HPE) highlight the persistent threat posed by Midnight Blizzard, a notorious Russian cyber-espionage group. Also tracked as APT29, Cozy Bear and NOBELIUM, the group is attributed to Russia’s Foreign Intelligence Service (SVR), a successor to the KGB, and was behind the SolarWinds supply-chain compromise disclosed in 2020. Although the HPE and Microsoft breaches came to light within days of each other, the situation mainly illustrates the ongoing reality of Midnight Blizzard’s international espionage activities and the lengths it will go to in order to find weaknesses in organizations’ digital defenses.

HPE stated in a January 24, 2024 SEC filing that it was notified on December 12, 2023 of an intrusion into its cloud-based email environment, and that the activity likely began as early as May 2023. The attackers “accessed and exfiltrated data… from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the filing says. HPE believes the intrusion is related to an earlier incident, discovered in June 2023, in which Midnight Blizzard accessed and exfiltrated a limited number of the company’s SharePoint files. An HPE spokesperson stated: “The accessed data is limited to information contained in the HPE users’ email boxes.”

A few days earlier, on January 19, 2024, Microsoft disclosed that it had detected an intrusion on January 12 and traced it back to late November 2023. The attackers used a password-spray attack to compromise a legacy, non-production test tenant account that lacked multifactor authentication, then used that account’s permissions to access “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” According to Microsoft, the attackers appeared to be seeking information about Microsoft’s own investigations into Midnight Blizzard. “The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company wrote in its disclosure. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

Why it matters: As two of the largest technology companies in the world, these organizations are natural targets for state-backed hacking groups. But the events are a reminder that such attacks can arise from anywhere at any time, that cyber-espionage groups are well trained and determined, and that their target list keeps growing. In Microsoft’s case the initial foothold was not an exotic zero-day but a password spray against a forgotten test account without multifactor authentication, which shows that basic hygiene (MFA everywhere, retiring unused accounts, reviewing what legacy accounts can reach) still decides outcomes against top-tier adversaries. Researchers point out that renewed attention on persistent state-backed espionage is always productive.

FBI Director Warns of China Hacking Threat

Summary: On January 31, 2024, FBI Director Christopher Wray told a House committee that the FBI had disrupted a botnet of hundreds of compromised small-office/home-office routers used by the China-backed hacking group known as “Volt Typhoon” to target US critical infrastructure. The routers had been chosen because they were outdated, end-of-life devices no longer receiving security updates, making them “easy targets.” The group had been targeting U.S. water treatment plants, the power grid, oil and natural gas pipelines, and transportation systems. “Today, and literally every day, they’re actively attacking our economic security, engaging in wholesale theft of our innovation, and our personal and corporate data,” Wray said. Microsoft first publicly reported Volt Typhoon in May 2023 and said the group had been active since at least mid-2021.

The FBI warns that these attacks are growing in both frequency and technical sophistication. With the 2024 presidential race under way and US-China tensions strained by the dispute over Taiwan, officials expect them to increase further. The hackers are believed to be using the compromised routers as a springboard to burrow deeper into sensitive critical infrastructure, such as ports and transportation networks. General Paul Nakasone, the head of the National Security Agency, stated: “We need to have a vigilance that continues onward. This is not an episodic threat that we’re going to face. This is persistent.”

Why it matters: Though cyber officials have long sounded the alarm about China’s offensive cyber capabilities, Wray’s dramatic public warning underlines the level of concern at the top of the US government about the threat Chinese hackers pose to critical infrastructure nationwide. The Chinese hackers are working “to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous,” Wray said. “Unfortunately, the technology underpinning our critical infrastructure is inherently insecure because of decades of software developers not being held liable for defective technology. That has led to incentives where features and speed to market have been prioritized against security, leaving our nation vulnerable to cyber invasion,” said Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA).

It is therefore more important than ever that network devices, above all internet-facing routers and other edge equipment, are kept up to date and replaced once they reach end of life, so that they present a harder attack surface to actors like Volt Typhoon and other groups backed by governments with immense resources. Timely patching, retiring unsupported hardware and constant vigilance are the only practical defenses against adversaries intent on harming US persons, businesses and government.

Ivanti Patches and CVEs

Summary: Ivanti has released patches for CVE-2023-46805 and CVE-2024-21887, the two CVEs disclosed on January 10, 2024. Both affect the web component of Ivanti’s VPN and NAC products:

  • CVE-2023-46805 – An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
  • CVE-2024-21887 – A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator (or, when chained with the authentication bypass above, an unauthenticated remote attacker) to send specially crafted requests and execute arbitrary commands on the appliance.

Patches are also available for CVE-2024-21888 and CVE-2024-21893, which Ivanti disclosed on January 31, 2024, though not yet for every affected version:

  • CVE-2024-21888 – A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
  • CVE-2024-21893 – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Ivanti says patches are available for Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2, Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3. The remaining supported versions will be patched on a staggered schedule; until a patch exists for a given version, the vendor mitigation should stay in place.
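Because fixes are issued per release line rather than as one version number, checking an appliance fleet against this list is easy to get wrong by hand. The following added example (written for this page; not Ivanti code) parses Ivanti’s <major>.<minor>R<release>.<patch> build strings, matches each appliance to the patched build for its own release line, and reports whether it is patched, needs an upgrade, or is on a line with no fix listed yet. The patched builds are exactly those in the bulletin above; the inventory hostnames and running versions are constructed.

```python
import re
from typing import NamedTuple


class Build(NamedTuple):
    major: int
    minor: int
    release: int
    patch: int

    @property
    def line(self) -> tuple:
        """Release line, e.g. 9.1R17: Ivanti issues fixes per line, not globally."""
        return (self.major, self.minor, self.release)


BUILD_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_build(text: str) -> Build:
    """Parse Ivanti's <major>.<minor>R<release>[.<patch>] build strings."""
    m = BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti build string: {text!r}")
    major, minor, release, patch = m.groups()
    return Build(int(major), int(minor), int(release), int(patch or 0))


# Patched builds exactly as listed in the bulletin; extend as Ivanti ships more.
PATCHED = {
    "Connect Secure": ["9.1R14.4", "9.1R17.2", "9.1R18.3", "22.4R2.2", "22.5R1.1", "22.5R2.2"],
    "Policy Secure": ["22.5R1.1"],
    "Neurons for ZTA": ["22.6R1.3"],
}


def patch_status(product: str, running: str) -> str:
    """Compare a running build only against the fixed build of its own release line."""
    build = parse_build(running)
    for fixed_text in PATCHED.get(product, []):
        fixed = parse_build(fixed_text)
        if fixed.line == build.line:
            if build.patch >= fixed.patch:
                return "patched"
            return f"unpatched: upgrade to {fixed_text}"
    return "unpatched: no fix listed for this release line yet, keep the mitigation applied"


def triage(inventory: dict) -> dict:
    """inventory maps hostname -> (product, running build string)."""
    return {host: patch_status(product, build) for host, (product, build) in inventory.items()}


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = {
    "vpn-east": ("Connect Secure", "9.1R17.2"),
    "vpn-west": ("Connect Secure", "9.1R17.1"),
    "vpn-lab": ("Connect Secure", "22.3R1"),
    "nac-01": ("Policy Secure", "22.5R1.1"),
    "zta-01": ("Neurons for ZTA", "22.6R1.2"),
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

A “patched” result only means the build contains the fixes for these CVEs; it says nothing about whether the appliance was already compromised before the upgrade, so the Integrity Checker Tool and credential rotation still apply to every device that was exposed while unpatched.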

Why it matters: VPN and NAC appliances exist to protect access to the network, so vulnerabilities in the appliance itself undermine the very purpose for which it was deployed. Worse, these devices sit at the network edge with access to internal resources and credentials, so a compromised appliance can become a foothold into everything behind it. The number of recent flaws in these products puts customers’ networks, not just the products, at risk. Affected organizations should apply the available patches (or the vendor mitigation where no patch exists yet for their version), run the Integrity Checker Tool, and rotate any credentials and secrets stored on the appliance.

Security Tip of the Month – “I Can’t Believe He is Gone” Facebook Phishing Scam

Summary: Scammers continue to use hijacked Facebook accounts to phish for users’ credentials. One such message spreading in January 2024 appears to mourn someone’s death. While the exact text varies, the post typically says something like “I can’t believe he’s gone. I’ll miss him so much,” followed by crying emojis and a link to another Facebook post. Several people are usually tagged, which makes the post look legitimate, but the link leads to a site that steals the visitor’s Facebook credentials. The campaign is ongoing and widespread: each stolen account is used to post the same lure to its friends, so the threat actors build an ever-growing pool of hijacked accounts for further scams on the platform. Because the posts come from friends’ accounts, they look trustworthy, which makes this a highly successful phishing campaign.

Many of the links redirect to fake news videos that borrow the branding of major outlets such as CNN or the BBC. Clicking the play button sends the visitor through several redirects, very likely to fingerprint them, that is, to collect information about the browser, location and previously visited sites, so that the scammers can forward each victim to whichever final site is likely to be most profitable for someone of that profile.

Why it matters: Facebook strongly recommends turning on two-factor authentication to prevent unauthorized access to accounts, and reporting such posts through the report links that appear throughout the site. Although this campaign targets Facebook users, many people reuse the same password across sites, including corporate network accounts. Users should use a different password for each login (a password manager makes this practical) so that a credential stolen from Facebook cannot be replayed against other services. The risk is amplified on Facebook because users freely share personal details, including where they work and who their colleagues are, which gives scammers everything they need to pick the next target.