InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Operation Zero, a prominent zero-day broker, has announced a substantial bounty of up to $4 million for exploits targeting Telegram. This initiative underscores the escalating demand for vulnerabilities in widely used communication platforms.
Zero-day brokers like Operation Zero specialize in acquiring undisclosed software vulnerabilities, often to sell them to government agencies or other entities. The significant reward offered for Telegram exploits highlights the platform’s critical role in global communications and the potential impact of such vulnerabilities.
This development raises concerns about the security of messaging applications and the lengths to which organizations will go to uncover potential weaknesses. Users are reminded of the importance of staying updated on security practices and being cautious about the information shared over these platforms.
As the cybersecurity landscape evolves, the focus on securing communication channels like Telegram becomes increasingly vital. Both users and developers must remain vigilant against emerging threats to ensure the integrity and confidentiality of their communications.
The exploitation of the Citrix NetScaler ADC zero-day vulnerability (CVE-2023-3519) was first spotted by a critical infrastructure organization, which reported it to the Cybersecurity and Infrastructure Security Agency (CISA).
“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement,” the agency shared in an advisory published on Thursday.
IoCs, IR and mitigation advice
The attack was reported to CISA and Citrix in July 2023, and Citrix announced fixes for it on July 18.
The security bulletin mentioned that “exploits of CVE-2023-3519 on unmitigated appliances have been observed,” but no additional details about the attacks, or about how to check whether an organization had been targeted, had been publicly shared.
A list of indicators of compromise (IoCs) had been shared with select organizations, on the understanding that the information would not be widely distributed (i.e., that its contents would be restricted to those organizations and shared with their clients “on a need-to-know basis”).
“As we hear from the Citrix community, more and more attacked systems are being found. The first exploits have also been available for purchase on the dark web for some time,” German IT consultant Manuel Winkel said on July 19.
He shared advice on how to check whether one’s organization has been hit, and advised on what to do if the result is positive.
CISA’s advisory offers more details about the threat actor activity in the attack detected at the critical infrastructure organization, delineates attack detection methods, and offers advice on incident response if compromise is detected.
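The checks an operator would run after reading such an advisory come down to two questions: have any PHP files appeared under the appliance web roots since the last legitimate install, and does the HTTP access log show someone talking to one of them? The script below is an added example (not code from CISA, Citrix, Winkel or this blog) that turns both questions into code. The directory layout, the URL prefixes `/vpn/` and `/logon/`, the Apache common-log format, and every sample path, IP and log line are assumptions or constructed data, not indicators taken from the advisory; the empty allowlist must be filled from a known-clean appliance of the same build before the output means anything.

```python
"""Webshell triage helper for a NetScaler ADC / Gateway appliance (added example).

Check 1: PHP files below a web root modified after the last legitimate install
         (the idea behind `find /netscaler/ns_gui/ -type f -name '*.php' -newermt <date>`).
Check 2: access-log lines that POST to a .php under the web UI paths and get a 2xx,
         which is how an operator would drive a dropped shell.
All paths, prefixes and sample data below are assumptions / constructed input.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Apache common-log layout: client ident authuser [time] "METHOD path proto" status size
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Assumed URL prefixes under which the appliance serves its web UI.
WATCHED_PREFIXES = ("/vpn/", "/logon/")

# Assumed date of the last legitimate install/upgrade on the appliance.
ASSUMED_INSTALL_DATE = datetime(2023, 7, 1, tzinfo=timezone.utc)


def find_new_php(root, since):
    """Return PHP files below `root` (relative paths) whose mtime is later than `since`."""
    since_ts = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) > since_ts:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def suspicious_php_posts(lines, allowlist=frozenset()):
    """Return (client_ip, path) for POSTs to a .php under a watched prefix answered with 2xx.

    `allowlist` holds PHP endpoints that are legitimate on this build; it is empty here
    because the example does not know the appliance baseline.
    """
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparsable line: worth a manual look, but outside this check
        path = m.group("path").split("?", 1)[0]  # drop the query string (?cmd=...)
        if m.group("method") != "POST" or not path.lower().endswith(".php"):
            continue
        if not path.startswith(WATCHED_PREFIXES) or path in allowlist:
            continue
        if not m.group("status").startswith("2"):
            continue  # failed probe: nothing answered at that path
        hits.append((m.group("ip"), path))
    return hits


# Constructed sample log: the PHP file name and the client IPs are invented.
SAMPLE_LOG = """\
198.51.100.20 - - [20/Jul/2023:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
203.0.113.5 - - [20/Jul/2023:10:02:15 +0000] "POST /vpn/themes/default.php?cmd=id HTTP/1.1" 200 77
203.0.113.5 - - [20/Jul/2023:10:02:16 +0000] "POST /vpn/themes/missing.php HTTP/1.1" 404 196
198.51.100.21 - - [20/Jul/2023:10:05:00 +0000] "POST /cgi/login HTTP/1.1" 302 0
"""


def build_sample_tree():
    """Create a throwaway directory standing in for /netscaler/ns_gui/vpn (assumed layout).

    One PHP file is backdated to before the assumed install date, one is fresh.
    """
    root = tempfile.mkdtemp(prefix="ns_gui_")
    old = os.path.join(root, "index.php")
    new = os.path.join(root, "themes", "default.php")
    os.makedirs(os.path.dirname(new))
    for p in (old, new):
        with open(p, "w") as fh:
            fh.write("<?php ?>\n")
    june = datetime(2023, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(old, (june, june))  # backdate so it looks like a shipped file
    return root


def new_php_in_sample_tree():
    """Run check 1 against the constructed tree with the assumed install date."""
    return find_new_php(build_sample_tree(), ASSUMED_INSTALL_DATE)


if __name__ == "__main__":
    print("new PHP since install:", new_php_in_sample_tree())
    print("suspicious POSTs:", suspicious_php_posts(SAMPLE_LOG.splitlines()))
```

Both checks are deliberately conservative: a POST that got a 404 is dropped (nothing answered), and query strings are stripped before matching so that `?cmd=id` does not hide the path. On a real appliance the second check should also be run against `GET` requests, since a shell can just as well take its command from a query parameter.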
In-the-wild exploitation of CVE-2023-3519
GreyNoise has created a tag to track in-the-wild probing of internet-facing NetScaler ADC and Gateway appliances for CVE-2023-3519, but so far it has recorded no detections.
Standalone and Nmap scripts for identifying vulnerable installations have been published on GitHub.
If what Winkel says is true, namely that the first exploits for CVE-2023-3519 have been available for purchase on the dark web for a while, it’s possible that there are many compromised organizations out there that didn’t manage to block the attackers’ lateral movement.
It’s currently impossible to say what the attackers’ ultimate goal is, but affected organizations may discover it soon if they don’t react quickly.
UPDATE (July 22, 2023, 10:55 a.m. ET):
Technical analyses of the flaw are now public and threat actors could use them to create a reliable exploit soon. Patch quickly!
Microsoft confirms “DogWalk” zero-day vulnerability has been exploited
Microsoft has published a fix for a zero-day bug discovered in 2019 that it originally did not consider a vulnerability.
The tech giant patched CVE-2022-34713, informally known as “DogWalk,” on Tuesday, noting in its advisory that it has already been exploited.
According to Microsoft, exploitation of the vulnerability requires that a user open a specially-crafted file delivered through a phishing email or web-based attack.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability,” Microsoft explained. “An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
Later in the advisory, Microsoft said the type of exploit needed is called an “Arbitrary Code Execution,” or ACE, noting that the attacker would need to convince a victim through social engineering to download and open a specially-crafted file from a website, which leads to a local attack on their computer.
A three-year wait
The bug was originally reported to Microsoft by security researcher Imre Rad on December 22, 2019. Even though a case was opened one day later, Rad said in a blog post that Microsoft eventually declined to fix the issue six months later.
Microsoft initially told Rad that to make use of the attack he described, an attacker would need “to create what amounts to a virus, convince a user to download the virus, and then run it.” The company added that “as written this wouldn’t be considered a vulnerability.”
“No security boundaries are being bypassed, the PoC doesn’t escalate permissions in any way, or do anything the user couldn’t do already,” Microsoft told Rad.
But in June, as security researchers dug into the “Follina” vulnerability, cybersecurity expert j00sean took to Twitter to resurface the issue and spotlight it again:
“Bonuses: 1) It's not needed to use a remote location for "ms-search". We can use folder Downloads. 2) As the downloaded file is diagcab, there's no prompt to open an executable in a remote location. And MOTW prompt bypass.”
Rad noted that on August 4, Microsoft contacted him and said they “reassessed the issue” and “determined that this issue meets our criteria for servicing with a security update,” tagging it as CVE-2022-34713.
Microsoft said in its advisory that, like Follina, this is yet another vulnerability centered on the Microsoft Support Diagnostic Tool (MSDT).
“Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk,” Microsoft said this week.
Microsoft acknowledged but did not respond to requests for comment about why their assessment of the issue changed after three years, but Microsoft security research and engineering lead Johnathan Norman took to Twitter to thank Rad and j00sean for highlighting the issue.
“We finally fixed the #DogWalk vulnerability. Sadly this remained an issue for far too long. thanks to everyone who yelled at us to fix it,” he said, adding: “if there is a way to bypass the fix it is probably my fault.”
Coalfire vice president Andrew Barratt said he has not seen the vulnerability exploited in the wild yet but said it would “be easily delivered using a phishing/rogue link campaign.”
When exploited, the vulnerability places malware that automatically starts the next time the user reboots or logs into their Windows PC, Barratt explained, noting that while it is not a trivial point-and-click exploit and requires an attachment to be used in an email, it can also be delivered via other file servers, making it an interesting tactic for an insider to leverage.
“The vast majority of these attachments are blocked by Outlook, but various researchers point out that other email clients could see the attachment and launch the Windows troubleshooting tool (which it leverages as part of the exploit),” Barratt said. “The challenge for a lot of anti-malware is that the file leveraged doesn’t look like a traditional piece of malware, but could be leveraged to pull more sophisticated malware on to a target system. It’s an interesting technique but not one that is going to affect the masses. I’d expect this to be leveraged more by someone meeting the profile of an insider threat.”
Bharat Jogi, director of vulnerability and threat research at Qualys, added that Microsoft likely changed its tune on CVE-2022-34713 because today’s bad actors are growing more sophisticated and creative in their exploits.
Jogi noted that Follina has recently been used by threat actors, such as the China-linked APT TA413, in phishing campaigns targeting local U.S. and European government personnel, as well as a major Australian telecommunications provider.
Google has fixed a high-severity, actively exploited zero-day flaw, tracked as CVE-2022-0609, with an emergency Chrome update for Windows, Mac, and Linux. This is the first Chrome zero-day fixed by Google this year.
The emergency patches will be rolled out over the coming weeks. Users can update their browser manually by going to the Chrome menu > Help > About Google Chrome.
Google did not disclose technical details of CVE-2022-0609 to avoid mass exploitation of the bug, and likewise withheld information about the in-the-wild attacks exploiting the flaw.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.