Daily Brief

2023-10-25 15:27:29 bleepingcomputer CYBERCRIME Publicly Available Exploit for 'Citrix Bleed' Vulnerability May Attract More Hackers
A Proof-of-Concept (PoC) exploit has been released for the 'Citrix Bleed' vulnerability, which allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. Exploitation of CVE-2023-4966, a critical-severity, remotely exploitable information disclosure flaw, has started to accelerate following Citrix's warning to administrators. Researchers at Assetnote worked out the specifics of exploiting CVE-2023-4966 and released a PoC exploit on GitHub to illustrate how the vulnerability works and to assist testing efforts. By examining the differences between unpatched and patched versions of NetScaler, Assetnote found that the vulnerability could lead to a buffer over-read: the return value of the JSON payload generation function could be abused, and the pre-patch version sent the response size without checks. During testing, the researchers found an exploitable default setting that allowed access to the hostname value used for payload generation. Exploiting the vulnerability allowed the session cookie to be retrieved, giving the attacker full access to vulnerable appliances. Now that the CVE-2023-4966 exploit is publicly available, further attacks are expected to target Citrix NetScaler devices to infiltrate corporate networks. Immediate patching is advised because the flaw is already being used in ransomware and data theft attacks.
2023-10-25 14:05:06 bleepingcomputer MALWARE Ransomware Attacks Continue to Rise Globally and Target Diverse Businesses
Cyberattacks are steadily evolving, with ransomware becoming a major concern because of its capacity both to damage systems and to extort money from victims. A recent report by Malwarebytes revealed a significant rise in global ransomware attacks in 2023, with 1,900 recorded against the US, Germany, France, and the UK combined. Cyber Security Ventures estimates that a ransomware attack will occur every two seconds by 2031, resulting in annual losses of approximately $265 billion worldwide. Although originally aimed mostly at larger organizations, ransomware attackers are broadening their scope to include small and medium enterprises as well as individuals. The Ransomware as a Service (RaaS) business model has facilitated the spread of these attacks by providing the infrastructure and payment systems that let less technically skilled criminals run ransomware operations. Poor password practices remain a common vector for ransomware attacks, as underscored by the widespread use of the LockBit ransomware, highlighting the need for stronger password policies to mitigate such threats. To defend against ransomware, organizations are encouraged to adopt robust cybersecurity solutions, including ones that block compromised passwords, which are often the point of initial compromise.
2023-10-25 13:39:00 bleepingcomputer NATION STATE ACTIVITY Winter Vivern Russian Hackers Exploit Roundcube Email Server Vulnerability to Target European Governments
Winter Vivern, a Russian hacking group, has been exploiting a vulnerability in Roundcube webmail servers to target European government entities and think tanks since 11 October. The Roundcube development team released security updates to address the vulnerability five days after its detection by the Slovak cybersecurity company ESET. The threat actors embedded carefully crafted SVG documents in HTML email messages to inject arbitrary JavaScript code remotely. The phishing messages were designed to impersonate the Outlook Team, and the malicious emails triggered a first-stage payload that exploited the Roundcube vulnerability. The JavaScript payload ultimately enabled the hackers to harvest and steal emails from the compromised servers. The group, first spotted in April 2021, has a history of strategically targeting government entities globally, including in India, Italy, Lithuania, Ukraine, and the Vatican. Its interests roughly align with those of the Belarusian and Russian governments. Winter Vivern has been actively targeting Zimbra and Roundcube email servers used by governmental organizations since at least 2022.
2023-10-25 13:23:12 thehackernews NATION STATE ACTIVITY Nation State Hackers Winter Vivern Target and Exploit Zero-Day in Roundcube Webmail Software
The threat actor group known as Winter Vivern, linked with Belarus and Russia, has been exploiting a zero-day flaw in the Roundcube webmail software to harvest email messages from victims' accounts. The vulnerability (CVE-2023-5631) is a stored cross-site scripting flaw that can be used to load arbitrary JavaScript code; a fix was released on October 14, 2023. Winter Vivern, also known as TA473 and UAC-0114, has been involved in attacks against Ukraine and Poland, alongside governmental entities across Europe and India. The group uses a phishing message carrying a Base64-encoded payload concealed in the HTML source code, which in turn leads to a JavaScript injection loaded from a remote server. The final JavaScript payload allows the threat actor to exfiltrate email messages to a command-and-control server. ESET security researcher Matthieu Faou notes that the low sophistication of Winter Vivern's toolset should not lead anyone to underestimate the threat, given the group's persistence, the regularity of its phishing campaigns, and the high number of unpatched internet-facing applications.
2023-10-25 13:07:25 thehackernews CYBERCRIME Critical Security Flaws Found in Grammarly, Vidio, and Bukalapak's OAuth Implementation
Critical security flaws in the Open Authorization (OAuth) implementations of Grammarly, Vidio, and Bukalapak were disclosed, potentially allowing attackers to obtain access tokens and hijack user accounts. OAuth is a mechanism for cross-application access, permitting websites or apps to access users' information on other sites, such as Facebook, without needing their passwords. Vidio's issue originated from a lack of token verification, which could allow an attacker to use an access token created for a different App ID, enabling full account takeover. A similar token verification problem in the Facebook login flow was found on Bukalapak.com, potentially leading to unauthorized account access. In the case of Grammarly, a flaw was discovered that allowed the HTTP POST request used during Facebook login to be altered to carry an access token obtained from a malicious website, enabling unauthorized account access. These flaws have been addressed by the respective companies following responsible disclosure between February and April 2023.
2023-10-25 12:56:53 theregister MISCELLANEOUS Webinar: Comprehensive Data Protection with Zerto and HPE
On October 26, the Register's James Hayes will discuss comprehensive data protection methods in a webinar with Zerto Senior Technology Expert Christopher Rogers. They will explore the integrated data protection tools developed by Zerto and HPE, including disaster recovery, backup, and ransomware resilience. These tools aim to safeguard a company's data landscape, covering on-premises, cloud-based, and SaaS data. The webinar will also discuss methods for ensuring business continuity amid disruptions such as ransomware attacks and ways to adapt solutions to diverse environments. They will also touch on the Zerto Cyber Resilience Vault, a fortified data vault that uses air gaps and immutability to provide high levels of data resilience and protection.
2023-10-25 12:20:52 thehackernews CYBERCRIME Safeguarding Amazon S3 Against Rising Ransomware Threats
Around 60% of corporate data is now stored in the cloud, with Amazon S3 serving as a major data storage platform. Although S3 itself is a secure and reputable platform, it is a target for ransomware attacks because it holds vast amounts of sensitive data. Such attacks are often initiated using leaked access keys, which give threat actors access to the organization's data. Organizations can leverage Amazon S3's existing activity logging – CloudTrail Data Events and Server Access Logs – as part of their strategy for detecting suspicious activity. It is crucial for organizations to understand the possible attack scenarios in order to mitigate the risks effectively. Implementing proactive measures, maintaining visibility of data through efficient use of logs, and prioritizing threats are some of the steps organizations can take to reduce risk and safeguard their S3 data against ransomware. Team Axon, the threat hunting team at Hunters, provides a deep-dive video on common attack scenarios and best practices for protecting against ransomware attacks.
2023-10-25 11:03:10 bleepingcomputer NATION STATE ACTIVITY Russian Hackers Exploit Roundcube Zero-day to Steal Government Emails
The cyberespionage group Winter Vivern, also known as TA473, has exploited an XSS vulnerability in Roundcube Webmail to target European government entities and think tanks since 11 October. The flaw was promptly patched by Roundcube on 16 October. The group deployed HTML email messages impersonating the Outlook Team, with crafted SVG documents that could remotely inject JavaScript code. Opening the malicious email automatically triggered a first-stage payload that exploited the server vulnerability. The final JavaScript payload gave the hackers the capability to harvest and steal emails from compromised webmail servers without any manual interaction by the recipient. Winter Vivern has previously targeted government entities globally, aligning its activities with the interests of Belarus and Russia. This year its focus has been on Zimbra and Roundcube email servers operated by governmental organizations. Russian APT28 military intelligence hackers have previously exploited a similar vulnerability to compromise Roundcube email servers of the Ukrainian government and NATO officials. This time, Winter Vivern has escalated its activities by using a zero-day vulnerability in Roundcube. ESET warns that the group presents a persistent threat to European governments because of the regularity of its phishing campaigns, and notes that a significant number of internet-facing applications remain exposed because updates have not been installed.
2023-10-25 10:16:57 thehackernews CYBERCRIME VMware Patches Critical Remote Code Execution Vulnerability in vCenter Server
VMware has issued security updates in response to a critical flaw in vCenter Server that could enable remote code execution on affected systems. The vulnerability, tracked as CVE-2023-34048, is described as an out-of-bounds write in the implementation of the DCE/RPC protocol. The risk is that a malicious actor with network access to vCenter Server could trigger the out-of-bounds write, potentially resulting in remote code execution. VMware also addressed a separate vulnerability, CVE-2023-34056, a partial information disclosure issue affecting vCenter Server that could permit a malicious actor with non-administrator privileges to gain unauthorized access to data. Although no in-the-wild exploitation of these vulnerabilities has been reported, VMware has advised customers to install the patches promptly to limit future threats.
2023-10-25 09:15:22 thehackernews MALWARE Brazilian PIX Payment System Attacked by GoPIX Malware in Malvertising Campaign
Cybercriminals have been running a malvertising campaign against Brazil's PIX instant payment system, employing new malware known as GoPIX. User searches for "WhatsApp web" are abused, with malicious ads shown first and leading to the infected landing page. The fraud prevention service IPQualityScore is used to determine whether site visitors are bots, so that only genuine users are redirected to a fake WhatsApp page where they download a malicious installer. The malware is downloaded from one of two URLs, chosen depending on whether port 27275, used by Avast safe banking software, is open on the user's machine. GoPIX functions as clipboard-stealing malware, hijacking PIX payment requests and replacing them with an attacker-controlled PIX string acquired from a command-and-control server. The malware also supports Bitcoin and Ethereum address substitution, but those addresses are hardcoded into the software rather than retrieved from the server. Other campaigns have targeted users downloading messaging apps such as WhatsApp and Telegram, often by placing bogus ads in search results. Fake adverts redirect users to counterfeit pages where they are encouraged to scan a QR code, which links the threat actors to the victims' accounts. Aspiring threat actors are also capitalising on Malware-as-a-Service offerings that lower the entry barrier and provide an easy way to conduct attacks, filling the cybercrime market with a plethora of information stealer options.
2023-10-25 09:04:35 bleepingcomputer CYBERCRIME VMware Patches Critical vCenter Server Vulnerability Allowing Remote Code Execution Attacks
VMware has issued security updates to fix a critical vulnerability (CVE-2023-34048) in vCenter Server that could be exploited for remote code execution attacks on servers. The bug was reported by Trend Micro's Zero Day Initiative and is attributed to an out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation. The firm states that there is no evidence of the bug currently being used in attacks. The fixes are available via the standard vCenter Server update mechanisms. Because of the severity of the bug, VMware also issued patches for multiple end-of-life products no longer under active support, which is uncommon for VMware Security Advisories. In the absence of a workaround, administrators are urged to tightly control network perimeter access to vSphere management components and interfaces. The vulnerability can potentially be exploited via network ports 2012/tcp, 2014/tcp, and 2020/tcp. VMware also patched an information disclosure vulnerability (CVE-2023-34056) that could allow threat actors with non-administrative privileges on vCenter servers to access sensitive data.
2023-10-25 08:33:30 theregister CYBERCRIME New Ransomware Group, Hunters International, Leaks Plastic Surgery Patients' Images
A ransomware gang calling itself Hunters International claims it gained access to the systems of a US plastic surgeon's clinic and has leaked patients' pre-operation images in an attempt to pressure the clinic into paying a ransom. The new group has claimed just two victims so far, including a UK primary school earlier this month. Security experts have linked Hunters International to the Hive group, which was dismantled in an international law enforcement operation in January. Hunters International posted four images of what it claims are patients of Dr Jaime Schwartz, a plastic surgeon with offices in Beverly Hills and Dubai. The group says this is "proof" of the 248,245 files it alleges to have stolen from the clinic. Following the release, the group published the names, addresses, photos, and in some cases videos of alleged patients in what it says will be the first of three disclosures. Independent cybersecurity researchers have identified early links between Hunters International and the former Hive group based on similarities in their code. Code similarities alone, however, do not definitively establish a connection between groups, because ransomware payloads often leak and can then be modified and reused by entirely different groups.
2023-10-25 04:49:18 thehackernews CYBERCRIME Proof-of-Concept Exploits Released for Vulnerabilities in VMware and Citrix Products
VMware customers have been alerted to a proof-of-concept (PoC) exploit for a high-severity vulnerability, CVE-2023-34051, in Aria Operations for Logs. The flaw could allow authentication bypass and remote code execution. James Horseman of Horizon3.ai and the Randori Attack Team were credited with finding and reporting the vulnerability. Horizon3.ai has released a PoC for the vulnerability, leading VMware to update its advisory. The vulnerability is a patch bypass for several critical flaws VMware addressed earlier this year, highlighting the need for layered, rigorous defense strategies. At the same time, Citrix released an advisory encouraging customers to apply patches for the critical security vulnerability CVE-2023-4966, which affects NetScaler ADC and NetScaler Gateway and is currently under active exploitation. The existence of a PoC for the flaw, dubbed 'Citrix Bleed', is likely to escalate exploitation attempts in the coming days. Because of the active exploitation of CVE-2023-4966, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog and ordered federal agencies to apply the latest patches by November 8, 2023. This follows recent updates for three critical remote code execution vulnerabilities in SolarWinds Access Rights Manager that could enable remote attackers to run code with SYSTEM privileges.
2023-10-25 04:33:40 theregister DATA BREACH VMware Discloses Critical vCenter Server Vulnerability; Issues Patches Including for Unsupported Versions
VMware has disclosed a critical vulnerability, CVE-2023-34048, in its vCenter Server that scores 9.8 out of 10 on the CVSSv3 scale; an update was issued weeks ago, including patches for unsupported versions of the software. The vulnerability, which enables a malicious actor with network access to vCenter Server to trigger an out-of-bounds write, has not yet been observed being exploited. Oddly, the archived release notes for vCenter Server 8.0U2, released on September 21, made no mention of this security fix, leading to some confusion about whether that version initially addressed the vulnerability. VMware also took the unusual step of issuing patches for end-of-life versions of vCenter, including versions 6.5, 6.7, and 7.0. A second, lesser vulnerability, CVE-2023-34056, was also disclosed; it could allow a malicious actor with non-administrative privileges to access unauthorized data. The company continues normal operations despite its imminent acquisition by Broadcom and complaints from some staff about their future employment.
2023-10-24 23:49:19 bleepingcomputer CYBERCRIME Samsung Galaxy S23 Device Hacked Twice During Pwn2Own Toronto 2023 Hacking Contest
The Samsung Galaxy S23 was hacked twice on the first day of the Pwn2Own 2023 hacking contest in Toronto. Pentest Limited and the STAR Labs SG team each successfully exploited vulnerabilities in the Galaxy S23. Pentest Limited claimed a $50,000 prize, while STAR Labs took home $25,000. The hacked devices were all running the latest operating system versions with all security updates installed. Pwn2Own awarded $438,750 on the contest's first day for successful demonstrations of 23 zero-day vulnerabilities. The competition, which is organized by Trend Micro's Zero Day Initiative (ZDI), offers cash prizes of up to $350,000 for successfully exploiting devices, with more than $1,000,000 in cash available overall. Other devices targeted included Xiaomi's 13 Pro smartphone and various devices from Western Digital, QNAP, Synology, Canon, Lexmark, and Sonos.