Atlassian Confluence Data Center and Server Remote Code Execution Vulnerability (CVE-2023-22527)

Summary: Atlassian Confluence Data Center and Server is vulnerable to a critical severity vulnerability, tracked as CVE-2023-22527. Successful exploitation of the vulnerability may lead to remote code execution. The vulnerability originates from a template injection flaw on out-of-date Confluence Data Center and Server versions. The vulnerability may allow an unauthenticated attacker to perform remote code execution on an affected version. The issues were included in Atlassian’s January 2024 security bulletin, which details 23 other security defects in third-party dependencies in Jira, Crowd, Bitbucket, and Bamboo Data Center and Server instances, some of them more than five years old.

The security defect impacts all out-of-date Confluence 8 versions released before December 5, 2023, and Confluence version 8.4.5, which no longer receives backported fixes. Atlassian notes that there are no workarounds available for this bug and that even Confluence instances that are not directly accessible from the internet might be at risk. The company urges customers to update to the latest Confluence versions (namely 8.5.5 LTS and 8.7.2) but notes that the patches will also be backported to all LTS versions that have not reached end-of-life.

Confluence 7.19.x Long Term Support (LTS) versions and Atlassian Cloud instances are not affected, nor does this vulnerability impact Atlassian Cloud sites.

Why it matters: Atlassian has not stated that any of these vulnerabilities are currently being exploited in the wild, but Confluence flaws are often the target of threat actors. Customers using an affected version are urged to take immediate action to prevent the likelihood of these flaws being exploited, especially following widespread details of these vulnerabilities existing. It is also not recommended to continue using instances that cannot be patched due to reaching their end-of-life.

Major Companies Targeted by Midnight Blizzard Hackers

Summary: Newly disclosed breaches of Microsoft and Hewlett-Packard Enterprise highlight the persistent threat posed by Midnight Blizzard, a notorious Russian cyber-espionage group. The group is tied to the Foreign Intelligence Service of the Russian Federation (SVR RF) APT 29 (Cozy Bear or NOBELIUM), formerly the KGB, and was also behind the SolarWinds attack of 2021. While both HP’s and Microsoft’s breaches came to light within days of each other, the situation mainly illustrates the ongoing reality of Midnight Blizzard’s international espionage activities and the lengths it will go to find weaknesses in organizations’ digital defenses.

HP Enterprises stated on January 24, 2024, the attack was detected on December 12, 2023, targeting their cloud-based email environment, but the attack began as early as May 2023. Hackers “accessed and exfiltrated data… from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” HP stated in their SEC filing. HP Enterprise said the breach likely came about as the result of another incident, discovered in June 2023, in which Midnight Blizzard also accessed and exfiltrated company “SharePoint” files. An HP spokesperson stated: “The accessed data is limited to information contained in the HPE users’ email boxes.”

A few days prior to HP’s announcement of their breach, Microsoft stated on January 19, 2024, that they detected a system intrusion on January 12th, which they attributed to a breach that occurred in November 2023. The attackers targeted and compromised some historic Microsoft system test accounts that then allowed them to access “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” As per Microsoft, the attackers appeared to be seeking information about Microsoft’s investigations and knowledge of Midnight Blizzard itself. “The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company wrote in its disclosure. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

Why it matters: As these organizations are two of the largest technology companies in the world, it stands to reason they would be the targets of state-backed hacking groups. However, these events highlight the need for constant awareness that attacks can arise from anywhere at any time, and that cyber espionage groups are highly trained and determined to breach an ever-growing list of targets. Researchers point out that it’s always productive to have renewed attention on the issue of persistent state-backed espionage.

Ivanti Patches and CVEs

Summary: Ivanti released new patches for CVE-2023-46805 and CVE-2024-21887 . The two CVEs were recently announced on January 10, 2024. The CVEs target the VPN components of Ivanti products:

• CVE-2023-46805 – An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
• CVE-2024-21887 –  A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

Partial patches are also now available for the recently released CVE-2024-21893 and CVE-2024-21888 which have had patches released but not for all versions of the affected systems.

• CVE-2024-21888 – A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.
• CVE-2024-21893 – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Ivanti states that patches are available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3. The remaining supported versions are to be patched in a staggered schedule.

Why it matters: VPNs were created to ensure the security of the user. The presence of vulnerabilities in the products compromises the very purpose of their creation. The concerning part of all this is that the number of recent vulnerabilities not only compromises their products and but also the security of the customers. It is important for those affected to update all their products to the latest version or patch and to ensure that their usage remains secure.

Security Tip of the Month – “I Can’t Believe He is Gone” Facebook Phishing Scam

Summary: Scammers continue to use hacked accounts to phish users’ credentials. One such message spreading in January 2024 appears to mourn someone’s death. While the exact text varies, the post typically says something to the extent of “I can’t believe he’s gone. I’ll miss him so much” followed by crying emojis and a link to another Facebook post. Usually, multiple people are tagged in the post, making the post appear legitimate, however they lead unsuspecting users to a website that steals your Facebook credentials. This phishing attack is ongoing and widespread on Facebook through friend’s hacked accounts, as the threat actors build a massive army of stolen accounts for use in further scams on the social media platform. As the posts come from friends’ hacked accounts, they appear convincing and trustworthy, which makes this a highly successful phishing campaign.

Many of the links redirect users to fake news videos that use branding for major news outlets, such as CNN or the BBC. Clicking the play button takes you through several redirects, very likely to perform fingerprinting, where sites gather information about your browser, your location, and other sites you’ve visited. The scammers do this to make sure you are redirected to a site that is likely to generate the most profit from people fitting your profile.

Why it matters: Facebook strongly recommends turning on two-factor authentication to prevent unauthorized access to user accounts as well as reporting the activity to phish@fb.com or through the report links that appear throughout the site. Although this phishing tactic is targeting Facebook users, many people still use the same password for multiple sites which could include corporate network accounts. Users are highly recommended to use different passwords for each login to prevent hackers from recycling credentials to other sites, as this poses a security risk when users unwittingly use the same password repeatedly. This becomes an even greater risk on Facebook when a large amount of personal information is freely provided by users which could include where they work and potential colleagues who could also be targeted by scammers.