Threat Response
All threat responses
- 21-11-2024 - Threat Response - Critical Authentication Bypass in PAN-OS Management Web Interface
- 24-10-2024 - Threat Response - Critical vulnerability in FortiManager
- 27-09-2024 - Threat Response - RCE in Common Unix Printing System (CUPS - CVE-2024-47176)
- 18-09-2024 - Threat Response - Critical Vulnerability in VMware VCenter
- 6-08-2024 - Threat Response - Critical Veeam vulnerabilities
- 27-07-2024 - Threat Response - Vulnerability In SonicOS
- 01-07-2024 - Threat Response - Critical Vulnerability In OpenSSH (RegreSSHion - CVE-2024-6387)
- 28-06-2024 - Threat Response - Compromise Of TeamViewer
- 19-06-2024 - Threat Response - Critical Vulnerability in VMware VCenter
- 31-5-2024 - Threat Response - Check Point Security Gateway Information Disclosure vulnerability
- 24-4-2024 - Threat Response - Critical Vulnerabilities In Cisco ASA And Cisco Firepower Threat Defense - CVE-2024-20353 & CVE-2024-20359
- 12-4-2024 - Threat Response - Critical Vulnerability In PAN-OS GlobalProtect - CVE-2024-3400
- 30-3-2024 - Threat Response - Backdoor In Xz Utils
- 16-2-2024 - Threat Response - Microsoft Exchange Server Elevation of Privilege Vulnerability
- 15-2-2024 - Threat Response - Critical Vulnerability In Microsoft Outlook
- 8-2-2024 - Threat Response - FortiOS Unauthenticated Remote Code Execution
- 31-1-2024 - UPDATE: Threat Response - Critical Vulnerabilities in Ivanti Connect Secure
- 15-1-2024 - Threat Response - Critical vulnerability in GitLab (CVE-2023-7028)
- 11-1-2024 - Threat Response - High Risk Vulnerability In Ivanti Secure Access VPN (Previously Pulse Secure)
- 10-11-2023 - Threat Response - High Risk Vulnerability In Ivanti Secure Access VPN (Previously Pulse Secure)
- 31-10-2023 - Threat Response - Critical Vulnerability In Apache ActiveMQ
- 23-10-2023 - Threat Response - Critical Vulnerability In NetScaler ADC And NetScaler Gateway
- 16-10-2023 - Threat Response - Critical Vulnerabilities In Cisco IOS XE Software (CVE-2023-20198)
- 28-09-2023 - Threat Response - Critical vulnerability in libwebp (CVE-2023-4863)
- 24-07-2023 - Threat Response - Authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM)
- 24-07-2023 - UPDATE: Threat Response - Critical Vulnerabilities In NetScaler ADC And NetScaler Gateway
- 18-07-2023 - Threat Response - Critical Vulnerabilities in NetScaler ADC and NetScaler Gateway
- 12-07-2023 - Threat Response - Office and Windows HTML Remote Code Execution Vulnerability
- 13-06-2023 - Update: Threat Response - Remote Code Execution Vulnerability In Fortinet SSL-VPN
- 12-06-2023 - Remote Code Execution vulnerability in Fortinet SSL-VPN
- 30-03-2023 - Campaign Using 3CXDesktopApp Software
- 15-03-2023 - Critical Vulnerability in Microsoft Outlook
- 09-03-2023 - High risk vulnerability in Veeam Backup & Replication
- 06-02-2023 - VMware Remote Code Execution Vulnerabilities
- 24-12-2022 - Data Breach at LastPass
- 23-12-2022 - Update 3: Zero-day vulnerabilities in Microsoft Exchange
- 14-12-2022 - Critical vulnerability in Citrix Gateway and Citrix ADC
- 12-12-2022 - Critical vulnerability in Fortinet SSL VPN
- 09-11-2022 - Critical vulnerabilities in Citrix Gateway and Citrix ADC
- 01-10-2022 - Update: Critical vulnerability in OpenSSL 3
- 18-09-2022 - Vulnerability in Apache Commons Text library
- 31-10-2022 - Critical vulnerability in OpenSSL 3
- 06-10-2022 - Update 2: Zero-day vulnerabilities in Microsoft Exchange
- 04-10-2022 - Update: Zero-day vulnerabilities in Microsoft Exchange
- 30-09-2022 - Zero-day vulnerabilities in Microsoft Exchange
- 03-08-2022 - Multiple Critical Vulnerabilities in VMware
Date: 30-03-2023
Intrusion campaign using 3CXDesktopApp software
On Wednesday the 29th of March 2023, CrowdStrike reported malicious activity from a signed binary of the 3CXDesktopApp software[1]. We advise uninstalling the 3CXDesktopApp software completely from the endpoints until 3CX has released a newer version.
3CX Desktop App is a softphone application from 3CX which is used for Voice over IP (VoIP) and telephony services. Based on the information available at the time of writing, the compromised binary is the first stage of a multi-stage attack chain. The malicious activity observed includes connecting to an infrastructure controlled by a threat actor. This threat actor controlled infrastructure is then used to deliver the payloads for the subsequent stages. According to the sources[2], the final stage appears to be an info-stealer malware which is downloaded on the affected endpoint.
Impact
We assess the impact of this campaign as High, since the campaign involves deployment of an 'infostealer' through the 3CX software. Usage of the compromised software gives the adversary full access to the accounts and data on the system where the update is installed. This can lead to full compromise of the IT infrastructure. At the time of writing, the compromised binary of 3CXDesktopApp is being actively abused.
Risk
As the campaign uses a signed binary of the widely used 3CXDesktopApp, the risk of compromise of endpoints is High. Furthermore, the updates are installed automatically.
What should you do?
Based on the information available at the time of writing the 3CXDesktopApp client applications for both Windows and MacOS are impacted.
Northwave customers that are covered by Northwave's EDR service are already adequately protected at this point.
To other readers, we advise the following remediation steps:
- Search your software inventory for 3CX software. If Microsoft Defender for Endpoint is available, the following Hunting Query can be used to search for 3CX software:
  DeviceTvmSoftwareEvidenceBeta
  | where SoftwareName contains "3CX"
- Uninstall the 3CXDesktopApp software completely from the endpoints. If the software is critical for business functions, the web-based version of the application should be used.
- Secondly, we advise adding the hashes of the detected atomic indicators[3] to the Endpoint Detection and Response application and scanning the endpoints which had the 3CXDesktopApp software installed. A scan with the Thor-lite scanner with updated signatures can also be executed on the endpoints to detect malicious activity from the compromised 3CXDesktopApp software[4]. If Microsoft Defender for Endpoint is available, the following Hunting Query can be used to search for known malicious versions used in this campaign:
  DeviceFileEvents
  | where SHA256 == "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc"
      or SHA256 == "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405"
      or SHA256 == "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61"
      or SHA256 == "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb"
      or SHA256 == "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
      or SHA256 == "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983"
      or SHA256 == "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290"
      or SHA256 == "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec"
      or SHA256 == "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896"
- If the compromised executables were discovered on the endpoint, please reset all credentials used on that endpoint, reset all active sessions and enforce multi-factor authentication (MFA).
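The hunting query above only covers endpoints enrolled in Microsoft Defender for Endpoint. For hosts without an EDR agent, the same check can be done locally by hashing files on disk and comparing them against the listed indicators. The script below is an added example written for this page, not Northwave's or 3CX's own tooling; the nine SHA256 values are the ones from the hunting query above, and the temporary files in `self_check()` are constructed stand-ins so the scanner can be exercised offline without any malicious sample.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# SHA256 hashes of the known malicious 3CXDesktopApp binaries, copied from the
# Defender hunting query in the Threat Response above.
MALICIOUS_3CX_SHA256 = frozenset({
    "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc",
    "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405",
    "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61",
    "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb",
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868",
    "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983",
    "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290",
    "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec",
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896",
})


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ioc_matches(root, ioc_hashes=MALICIOUS_3CX_SHA256):
    """Walk `root` recursively and return [(path, sha256)] for every file whose
    SHA256 is in `ioc_hashes`. Unreadable or locked files are skipped rather
    than fatal, so one odd file does not abort a host-wide sweep."""
    wanted = {h.lower() for h in ioc_hashes}
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                matches.append((str(path), digest))
    return matches


def self_check():
    """Constructed demo, not a real scan: plants two harmless files in a temporary
    directory and treats the hash of one of them as if it were an IoC, to show the
    scanner reports exactly that file and nothing else."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_bytes(b"constructed benign content")
        planted = Path(tmp) / "3CXDesktopApp.exe"  # name only; harmless bytes
        planted.write_bytes(b"constructed stand-in for a flagged binary")
        hits = find_ioc_matches(tmp, {sha256_of_file(planted)})
        return {
            "planted_detected": [p for p, _ in hits] == [str(planted)],
            # none of the real listed hashes is present in the temp dir
            "real_ioc_hits": find_ioc_matches(tmp),
        }


if __name__ == "__main__":
    # Usage: python scan_3cx_iocs.py <directory>  (e.g. the 3CX install directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in find_ioc_matches(target):
        print(f"MATCH {digest}  {path}")
```

A hash-only check finds the known compromised builds, not a repacked or future variant; treat it as a triage step that decides which hosts get the credential reset described in the last bullet, not as proof that a host is clean.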
What will Northwave do?
Northwave has added the indicators of compromise to its detection platform and has already reached out to the customers where this threat was detected. We will continue to monitor this dynamic situation and will provide updates for significant developments. Clients of Northwave's Endpoint Detection & Response are currently adequately protected against this threat.
Sources:
[1]: https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
[4]: https://twitter.com/cyb3rops/status/1641339448053858304
Date: 15-03-2023
Critical Vulnerability in Microsoft Outlook
On Tuesday, March 14th 2023, Microsoft patched a high risk vulnerability in Microsoft Outlook (CVE-2023-23397) that can provide an attacker high privileges without authentication[1]. This vulnerability can be exploited by an attacker by sending a malicious email to a victim with a vulnerable version of Outlook in order to impersonate the victim and get access to the victim's device[2]. Microsoft also indicated that this exploitation can occur before the email is viewed in the preview pane. This means no interaction from the victim is needed for a successful attack. Subsequently, this may allow attackers to obtain the victim's NTLM hash and authenticate as the user. We recommend installing the update provided by Microsoft as soon as possible[4].
Impact:
We estimate the risk of this vulnerability as high, because successful exploitation could allow the attacker to access the device as a user. This vulnerability affects Microsoft Exchange server. This vulnerability is tracked under CVE-2023-27532 and has a CVSSv3.1 score of 9.8.
Risk:
As the vulnerability allows an attacker to gain privileged access, the risk of exploitation is high. At the time of writing there is no indication that this vulnerability is currently actively exploited in the wild[3].
What should you do?
This vulnerability is mitigated in the latest Microsoft updates and thus we advise installing the Outlook Security Update regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, other hosting platforms)[4]. Also, we advise adding users to the 'Protected Users' security group; however, this may impact applications that require NTLM authentication[4]. Finally, we recommend blocking outbound TCP traffic over port 445 from the network using a perimeter firewall, a local firewall and also via VPN settings[1].
What will Northwave do?
At the moment, the vulnerability is mitigated by Microsoft in the latest updates. Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. We will continue to monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Sources:
[2]: https://www.ncsc.nl/actueel/advisory?id=NCSC-2023-0128
[4]: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Date: 09-03-2023
High risk vulnerability in Veeam Backup & Replication
On the 7th of March 2023, Veeam fixed a high risk vulnerability (CVE-2023-27532) via an update in its Backup & Replication product in versions V11a/V12[1]. Northwave recommends to install the update as soon as possible. The vulnerability allows attackers to obtain encrypted credentials stored in the configuration database. This may lead to gaining access to the backup infrastructure hosts. Since this vulnerability could have a big impact, Northwave would like to warn you and advise you on actions to take in order to mitigate the risk of the vulnerability.
Impact
Northwave estimates the impact of this vulnerability as high. According to Veeam's advisory[1], the root cause of this vulnerability is the process Veeam.Backup.Service.exe (TCP 9401 by default), which allows an unauthenticated user to request encrypted credentials. This vulnerability is tracked under CVE-2023-27532 and has a CVSSv3.1 score of 7.5. It affects all Veeam Backup & Replication versions, making it possible for adversaries to request encrypted credentials which may then be used to access backup servers and thereby hamper or exfiltrate backup data.
Risk
Northwave estimates the risk of this vulnerability as high, because of the popularity and widespread usage of Veeam Backup & Replication. At the time of writing there is no indication that this vulnerability is currently actively exploited in the wild[2]. However, Northwave expects that the patch may be reverse engineered and exploited by threat actors in the near future.
What should you do?
This vulnerability is resolved by Veeam in the following Veeam Backup & Replication build numbers: 11a[3] and 12[4]. Northwave recommends to update all Veeam Backup & Replication installations as soon as possible.
Temporary Workaround: if you use an all-in-one Veeam appliance with no remote backup infrastructure components, you can alternatively block external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed.
What will Northwave do?
At the moment, there is not much information about the vulnerability available. Whenever more details become available, the Northwave SOC will investigate possible detection rules. Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. Northwave will continue to monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Sources
[1]: https://www.veeam.com/kb4424
[2]: https://thestack.technology/veeam-vulnerability-warning/
Date: 06-02-2023
VMWARE REMOTE CODE EXECUTION VULNERABILITIES
Two years back, on the 25th of February 2021, we sent a Threat Response[1] regarding multiple critical vulnerabilities in VMware products. One of these vulnerabilities (CVE-2021-21974) affects VMware ESXi and allows threat actors to execute arbitrary code on vulnerable ESXi systems when they are able to reach the system over the network on port 427.
Currently, threat actors actively target VMware ESXi[2] by deploying ransomware on systems that have not yet been patched for this vulnerability. Worldwide, more than 120 systems show signs of being encrypted by ransomware[3] and the Northwave CERT is already supporting some organisations that are victim of these attacks.
Impact
Vulnerability CVE-2021-21974 applies to ESXi and Cloud Foundation and makes it possible for a threat actor with access to port 427 (OpenSLP) to exploit a memory vulnerability, after which remote code can be executed[4]. The impact of this vulnerability is estimated as high. Currently, organisations are hit with ransomware, resulting in the encryption of all the virtual machines on the compromised VMware ESXi systems. However, threat actors can also choose other payloads, resulting in different types of attack.
Risk
As the vulnerability is under active attack, the risk of exploitation is high.
What should you do?
VMware provided patches to resolve the vulnerability. Northwave advises to apply these patches immediately on ESXi and Cloud Foundation instances where applicable. Also, Northwave recommends to prevent access to the management interfaces of VMware ESXi systems from the internet in general.
What will Northwave do?
Customers having a Northwave NIDS deployed in their network as part of their Northwave IDRS subscription are monitored for exploitation attempts for this vulnerability. Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. Northwave will continue to monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Disclaimer applies, see below.
Sources
[1]: https://northwave-security.com/threat-response-vmware–remote–code–execution–vulnerabilities/
[2]: https://www.ncsc.nl/actueel/advisory?id=NCSC%2D2021%2D0173
[4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974
Date: 24-12-2022
DATA BREACH AT LASTPASS
Recently, password management company LastPass suffered a data breach. Yesterday, they reported[1] new details about their investigation of the breach. These details indicate impact for customers of LastPass. We are sending this Threat Response to give LastPass customers some guidance on how to assess their risk and take appropriate steps. If your company does not use LastPass, you can skip the rest of this Threat Response.
Description
LastPass offers a password manager that is used by private individuals and companies. Passwords are stored in a so-called vault, that is encrypted using the master password of the user. The vault is stored on the systems of LastPass and on the user’s endpoint.
In August, LastPass suffered a data breach[1] where information about their internal systems was stolen. In November, the attacker presumably used this information to gain further access into a cloud storage provider used by LastPass. Yesterday, LastPass concluded that the attacker gained access to information about customers (including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses) and also copies of vaults that were made for backup purposes.
Impact
Customers of LastPass should consider their password vaults stolen, and information about their LastPass usage stolen as well. The direct impact of having vaults stolen is limited but significant: inside the vault, the URLs of the websites that the user stored credentials for, are not encrypted. So someone who has access to the vault, even an encrypted vault, can read all the URLs the user has stored inside. This may include URLs to internal systems and URLs that include access tokens or API keys.
To our best knowledge and own research, “notes” on login items and “secure notes” are encrypted inside the password vault.
If the attacker is able to guess the password to a vault, of course the impact is much bigger: the attacker gains access to all items in the vault, including all usernames and passwords.
Risk
Password vaults are encrypted with the user’s master password. The encryption key is derived from the password in such a way that brute-force guessing all possible passwords is not feasible. Therefore, an attacker who wants to gain access to a vault is likely to perform a smarter attack by using dictionaries of common passwords, common words and words specific to the season and the company. They will then generate variations on these passwords by applying prefixes and suffixes that people often use to make their password satisfy complexity requirements.
LastPass offers administrators the option to set password policies, but by default no restrictions on passwords are in place for Business accounts.
Because of a combination of these facts, Northwave believes the risk to consist of two things:
- Users inside your company having passwords that can be guessed using the above approach. Their vaults could be opened by an attacker that uses this approach.
- Targeted phishing based on the leaked company details and URLs inside vaults.
Northwave considers a password “guessable” in this context if it:
- Is shorter than 12 characters
- Is between 12 and 18 characters but contains dictionary words or words related to your company
- Is 18 characters or longer but is based on a single dictionary word
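The three criteria above are easy to state but tedious to apply by hand across a user base. The script below is an added example written for this page, not Northwave's or LastPass's own code; it encodes the three rules as a function so users (or a security team running an awareness exercise) can test candidate master passwords locally. The word lists, the leet-substitution table and the sample passwords are constructed for the demonstration: a real assessment would load a full dictionary wordlist plus your own company's name, products and sites, and would never transmit the passwords anywhere.

```python
import re

# Constructed, deliberately tiny word lists for the demonstration. A real
# assessment would load a full dictionary wordlist and your own company's name,
# products, sites and locations here.
DICTIONARY_WORDS = frozenset({
    "password", "welcome", "summer", "winter", "autumn", "spring", "dragon",
    "monkey", "sunshine", "football", "christmas", "holiday", "secure",
})
COMPANY_WORDS = frozenset({"northwave", "acmecorp"})  # placeholder company words

# Common substitutions people use to satisfy complexity rules; undone before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password):
    """Lower-case and undo leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET)


def contains_word(password, words):
    """True if any word of 4+ letters from `words` occurs inside the normalised password."""
    norm = normalise(password)
    return any(w in norm for w in words if len(w) >= 4)


def core_word(password):
    """Strip the digits/punctuation people bolt on as prefix or suffix and return
    the normalised remainder, e.g. '!!Sunshine1234567890' -> 'sunshine'."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", normalise(stripped))


def guessability(password, dictionary=DICTIONARY_WORDS, company=COMPANY_WORDS):
    """Apply the three criteria from the advisory. Returns (guessable, reason)."""
    n = len(password)
    words = set(dictionary) | set(company)
    if n < 12:
        return True, "shorter than 12 characters"
    if n <= 18 and contains_word(password, words):
        return True, "12-18 characters and contains a dictionary or company word"
    if n >= 18 and core_word(password) in words:
        return True, "18+ characters but based on a single dictionary word"
    return False, "not flagged by the guessability criteria"


# Constructed sample master passwords (none of these are real credentials).
SAMPLE_PASSWORDS = [
    "Summer2023!",                   # too short
    "Northwave2023!!",               # 12-18 chars, company word
    "Dr4g0nDr4g0n!!",                # 12-18 chars, leet-obscured dictionary word
    "!!Sunshine1234567890",          # 18+ chars but one dictionary word plus padding
    "Welcome-Everyone-2023",         # 18+ chars, more than one word: not flagged
    "correct horse battery staple",  # passphrase: not flagged
]


def assess_all(passwords=SAMPLE_PASSWORDS):
    """Return [(password, guessable, reason)] for a list of candidate master passwords."""
    return [(p, *guessability(p)) for p in passwords]


if __name__ == "__main__":
    for pw, flagged, why in assess_all():
        print(f"{'GUESSABLE' if flagged else 'ok       '} {pw!r}: {why}")
```

Note that rule 2 only applies up to 18 characters, so a long passphrase built from several dictionary words is, by the advisory's criteria, not considered guessable; rule 3 catches the case where length is reached by padding a single word with digits and symbols.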
Mitigation
To best mitigate the risk, all users should change all passwords that were stored in their vault at the time of the breach. However, for most companies this is not a feasible option. Instead, to decrease the mentioned risks, the following steps can be taken:
- Inform your users about the LastPass breach and warn them about phishing in the coming months. Even more than normally, they should be aware not to enter usernames/passwords on websites they arrived at from email links, but browse to those websites themselves.
- Have all users assess their LastPass passwords for guessability. If their password is guessable, have them change their master password immediately, and also passwords of the systems you deem critical.
What should you do?
Northwave recommends following the above steps to make sure that the risk of login items leaking is minimised.
What will Northwave do?
Northwave will monitor any developments regarding this breach. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Disclaimer applies, see below.
Sources
[1]: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
Date: 23-12-2022
Update 3: Zero-day vulnerabilities in Microsoft Exchange
On Friday, September 30th two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 were identified [1][3]. These vulnerabilities (CVE-2022-41040, CVE-2022-41082), collectively known as ProxyNotShell, were used by attackers to bypass authentication on Exchange servers and perform remote code execution. For unpatched on-premises Exchange servers, a workaround was proposed by blocking exposed Remote PowerShell ports and adding a URL-rewrite rule [1]. An official Exchange Server update was published on November 8th for both vulnerabilities.
On Tuesday, December 20th CrowdStrike identified a new exploit method called OWASSRF, consisting of CVE-2022-41080 (Privilege Elevation) and CVE-2022-41082 to achieve Remote Code Execution on an Exchange server through the OWA (Outlook Web Access) endpoint. This new method bypasses the aforementioned workarounds for unpatched Exchange servers. The OWASSRF method does not utilise the CVE-2022-41040 vulnerability for initial access. CrowdStrike assesses it is highly likely that the OWASSRF technique is tied to CVE-2022-41080 [4]. Furthermore, the OWASSRF method was discovered in attacker tooling and produced the same behaviour as observed in recent Play ransomware intrusions [4]. Because there is a high likelihood this new method is being actively exploited, we are sending you this update.
The official Exchange Server patch for CVE-2022-41082, released on November 8th, makes the OWASSRF technique unexploitable.
Impact
Successful exploitation of the vulnerability CVE-2022-41080 (Privilege Elevation) could allow an already authenticated attacker to remotely execute code by exploiting CVE-2022-41082 on on-premises Exchange servers that rely only on Microsoft's previously published workarounds. This vulnerability is likely being actively exploited by attackers. For this reason we estimate the impact as high.
Risk
On-premises Exchange servers that were not patched and rely on the workarounds that Microsoft published [1] are still vulnerable for the OWASSRF exploit technique. Since Exchange servers are exposed to the internet, vulnerable servers can become an easy target for attackers. Additionally, targeted attacks likely tied to this technique have been observed [4]. For this reason we estimate the risk as high.
Mitigation
An official Exchange Server patch was released on November 8th (KB5019758) to address these vulnerabilities [5]. Alternatively, blocking Remote PowerShell access prevents authenticated attackers from abusing the CVE-2022-41082 [1]. Please note that the URL-rewrite workaround proposed by Microsoft for ProxyNotShell is not effective against OWASSRF.
What should you do?
Make sure that all on-premises Exchange servers receive the November 8th (KB5019758) patch. If you are unable to apply this patch immediately, Northwave recommends disabling OWA until the patch can be applied. Furthermore, ensure that Remote PowerShell access is blocked to prevent authenticated attackers from abusing vulnerability CVE-2022-41082 [1].
What will Northwave do?
For customers with EDRS based on Defender on Endpoint, Northwave will closely monitor for activity related to Web Shells in IIS servers and Exploitation of Exchange server vulnerabilities. Moreover, we will use the Northwave SOC Defender Management application to actively detect any suspicious activity indicating the exploitation of this new technique. If access to our Defender Management application is not arranged, please contact your Security Operations Manager (SOM) for instructions. For customers with EDRS based on ESET, active post-exploitation will be detected. We are also looking into additional capabilities to detect these attacks with ESET.
Furthermore for non-EDRS customers, Northwave already implemented a Microsoft Sentinel use case based on Windows Security Events to detect WebShell activity on Exchange servers. Northwave will monitor developments around this attack technique. We will reach out to you again if there are important updates, including if the threat posed by this activity increases.
If you have any questions or require any additional information please reach out to us by phone or email.
Disclaimer applies, see below.
Sources
[3]: https://advisories.ncsc.nl/advisory?id=NCSC-2022-0610
[4]: https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
[5]: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082
Date: 14-12-2022
CRITICAL VULNERABILITY IN CITRIX GATEWAY AND CITRIX ADC
- Citrix Gateway and Citrix ADC 13.0 before 13.0-58.32
- Citrix Gateway and Citrix ADC 12.1 before 12.1-65.25
- Citrix ADC 12.1-FIPS before 12.1-55.291
- Citrix ADC 12.1-NDcPP before 12.1-55.291
Date: 12-12-2022
CRITICAL VULNERABILITY IN FORTINET SSL VPN
On the 12th of December, Fortinet resolved a vulnerability in the Fortinet SSL VPN[1]. Northwave recommends to install the update as soon as possible. The vulnerability is tracked under CVE-2022-42475 and has a CVSSv3.1 score of 9.3. The vulnerability allows unauthorized attackers to obtain remote code execution on the Fortinet SSL VPN systems via a specially crafted request due to a heap-based buffer overflow vulnerability in the FortiOS SSL VPN service.
Since this vulnerability could have a big impact, Northwave would like to warn you and advise you on actions to take to mitigate the risk of the vulnerability.
Description
The Fortinet SSL VPN is an on-premise solution to establish a secure, encrypted connection between the public internet and the corporate network. These systems are mostly publicly available on the internet allowing users to connect to the VPN from anywhere.
The following versions of the Fortinet FortiOS with the SSL VPN are vulnerable:
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Impact
Since this vulnerability makes it possible for an attacker to gain unauthorized access to Fortinet SSL VPN environments and possibly the applications running in these environments, Northwave assumes that exploitation of this vulnerability will have a high impact. At this time there are indications that the vulnerability is actively exploited, according to Fortinet[1]. Because the information regarding this vulnerability is now publicly available and active exploitation was confirmed by Fortinet, Northwave expects that Proof-of-Concept exploit code for this vulnerability will be published soon.
Risk
Northwave estimates the risk of these vulnerabilities as high, because of the popularity of these Fortinet SSL VPN solutions and the widespread usage of this software. The main risk is that an attacker could gain unauthorized access to the systems and the internal network through the VPN system.
Mitigation
Fortinet has released an update for the vulnerability on December 12th. Northwave advises users who run the vulnerable versions of the Fortinet SSL VPN to update to the following versions as soon as possible:
- FortiOS version 7.2.3 or higher
- FortiOS version 7.0.9 or higher
- FortiOS version 6.4.11 or higher
- FortiOS version 6.2.12 or higher
- FortiOS-6K7K version 7.0.8 or higher
- FortiOS-6K7K version 6.4.10 or higher
- FortiOS-6K7K version 6.2.12 or higher
- FortiOS-6K7K version 6.0.15 or higher
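Note that the FortiOS and FortiOS-6K7K branches have different fixed releases (for example 6.4.10 is still vulnerable on FortiOS but is the fixed release on FortiOS-6K7K), so a version check has to take the product line into account. The script below is an added example written for this page, not Fortinet's or Northwave's own tooling; it encodes the vulnerable and fixed ranges exactly as listed above and classifies devices from an inventory. The inventory rows, hostnames and version strings are constructed for the demonstration, and the `parse_version` format (`v7.0.8 build0412`) is an assumption about how a device reports its release.

```python
import re

# Vulnerable and fixed versions for CVE-2022-42475, per branch, as listed in the
# advisory above: (first vulnerable, last vulnerable, first fixed).
CVE_2022_42475 = {
    "FortiOS": {
        (7, 2): ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
        (7, 0): ((7, 0, 0), (7, 0, 8), (7, 0, 9)),
        (6, 4): ((6, 4, 0), (6, 4, 10), (6, 4, 11)),
        (6, 2): ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
    },
    "FortiOS-6K7K": {
        (7, 0): ((7, 0, 0), (7, 0, 7), (7, 0, 8)),
        (6, 4): ((6, 4, 0), (6, 4, 9), (6, 4, 10)),
        (6, 2): ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
        (6, 0): ((6, 0, 0), (6, 0, 14), (6, 0, 15)),
    },
}


def parse_version(text):
    """Pull the numeric release out of strings like 'v7.0.8 build0412' -> (7, 0, 8).
    The 'v…  buildNNNN' shape is an assumption about how devices report themselves."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def fmt(version):
    return ".".join(str(part) for part in version)


def assess(product, version_text):
    """Classify one device as 'vulnerable', 'fixed' or 'unknown-branch' for
    CVE-2022-42475 and return (status, advice). Branches the advisory does not
    list are reported as unknown rather than silently assumed safe."""
    version = parse_version(version_text)
    branches = CVE_2022_42475.get(product)
    if branches is None:
        raise ValueError(f"unknown product {product!r}; expected one of {sorted(CVE_2022_42475)}")
    branch = branches.get(version[:2])
    if branch is None:
        return ("unknown-branch",
                f"{product} {fmt(version)} is not in a branch the advisory lists; check the vendor PSIRT entry")
    first, last, fixed = branch
    if first <= version <= last:
        return "vulnerable", f"upgrade to {product} {fmt(fixed)} or higher"
    return "fixed", f"{fmt(version)} is at or above the fixed release {fmt(fixed)}"


# Constructed sample inventory: (hostname, product, version string as reported by the device).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.8 build0412"),
    ("fw-edge-02", "FortiOS", "7.2.3"),
    ("fw-dc-01", "FortiOS-6K7K", "6.4.10"),
    ("fw-lab-01", "FortiOS", "6.4.10"),
    ("fw-old-01", "FortiOS", "5.6.14"),
]


def triage(inventory=SAMPLE_INVENTORY):
    """Return [(hostname, status, advice)], vulnerable devices first, then unknown, then fixed."""
    rows = [(host, *assess(product, ver)) for host, product, ver in inventory]
    order = {"vulnerable": 0, "unknown-branch": 1, "fixed": 2}
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for host, status, advice in triage():
        print(f"{status:15} {host:12} {advice}")
```

The `unknown-branch` outcome is deliberate: a release train that the advisory does not mention (here 5.6.x) may be out of support rather than unaffected, and should be checked against the vendor PSIRT entry [1] instead of being marked fixed.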
What should you do?
Northwave recommends to update the Fortinet SSL VPN to one of the versions mentioned above as soon as possible if you use a vulnerable version of the software.
What will Northwave do?
For customers with IDRS, Northwave has included the known IOCs provided by Fortinet in the Northwave Detection Platform (NDP).
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Disclaimer applies, see below.
Sources
[1]: https://www.fortiguard.com/psirt/FG-IR-22-398
Date: 09-11-2022
Critical vulnerabilities in Citrix Gateway and Citrix ADC
On the 8th of November Citrix announced that three vulnerabilities in Citrix Gateway and ADC had been solved with an update [1]. Northwave advises to install the update as soon as possible. With these vulnerabilities malicious actors could bypass authentication, security measures or use brute-force methods to gain access to user environments. The vulnerability with ID CVE-2022-27510 makes it possible to bypass authentication remotely, which means that a malicious actor could get access to the Citrix environment and possibly also the applications running on it. A pre-condition for this vulnerability is that the appliance must be configured as a Gateway and the SSL VPN functionality is used or if the system is configured as ICA proxy with authentication.
Since these vulnerabilities could have a big impact Northwave would like to warn you and advise you on actions to take to mitigate the risk of these vulnerabilities.
Description
Citrix Gateway is an on-premise solution for remote access to applications and resources [2]. Citrix ADC is an Application Delivery Controller which can be used to monitor and manage application delivery. It gives insight into details of the ADC infrastructure such as application performance, health and security [3].
The following versions of Citrix Gateway and Citrix ADC are vulnerable:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
- Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
- Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21
- Citrix ADC 12.1-FIPS before 12.1-55.289
- Citrix ADC 12.1-NDcPP before 12.1-55.289
Impact
Since these vulnerabilities make it possible for a malicious actor to access Citrix environments and possibly the applications running in these environments unauthorized, Northwave assumes that (future) exploitation of these vulnerabilities will have a high impact. At this time there are no indications that the vulnerabilities are actively exploited according to the National Cyber Security Center of The Netherlands [4]. Because the information regarding these vulnerabilities is now publicly available Northwave expects that these vulnerabilities might be actively exploited in the future.
Risk
Northwave estimates the risk of these vulnerabilities as high, because of the popularity of these Citrix solutions and the widespread usage of this software. The main risk is that a malicious actor could gain unauthorized access to and leak sensitive information. There is also a possibility to gain local admin/root rights by using privilege escalation [4].
Mitigation
Citrix has released an update for the vulnerabilities on November 8th [1]. Northwave advises users who run the vulnerable versions of Citrix Gateway and Citrix ADC to update to the following versions as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-33.47 or newer
- Citrix ADC and Citrix Gateway 13.0-88.12 or newer versions of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.21 or newer versions of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.289 or newer versions of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.289 or newer versions of 12.1-NDcPP
What should you do?
If you use a vulnerable version of Citrix Gateway or Citrix ADC, Northwave advises updating to one of the versions mentioned above as soon as possible.
What will Northwave do?
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. We will also investigate whether any additional action can be taken based upon available information within our monitoring services.
You can call us by phone or send us an email if you would like additional information. (contact)
Disclaimer applies, see below.
Sources
[2]: Citrix – https://www.citrix.com/en-gb/products/citrix-gateway/
[3]: Citrix – https://www.citrix.com/en-gb/products/citrix-adc/
[4]: NCSC – https://advisories.ncsc.nl/advisory?id=NCSC-2022-0701
Date: 01-11-2022
UPDATE: CRITICAL VULNERABILITY IN OPENSSL 3
The developers of OpenSSL [1] released version 3.0.7 on November 1, 2022. This version fixes two vulnerabilities rated HIGH. Northwave recommends upgrading products that use OpenSSL 3 as soon as possible. The OpenSSL developers had originally announced a CRITICAL security update for OpenSSL version 3 [2], of which Northwave informed you in a previous Threat Response [3]. After further analysis the OpenSSL developers downgraded the severity to HIGH, because exploitation is unlikely in common configurations [4].
The vulnerabilities are tracked as CVE-2022-3786 and CVE-2022-3602. Both are buffer overflows in the X.509 certificate verification code that handles punycode-encoded email addresses in name constraints. They are triggered after the certificate chain signature has been checked, so an attacker needs a malicious certificate that is either signed by a CA the victim trusts, or presented to an application that continues verification despite failing to build a path to a trusted issuer [4]. A TLS client connecting to a malicious server, or a TLS server that requests client certificates, are the affected scenarios.
Mitigation
OpenSSL released version 3.0.7 on Tuesday 1 November, which fixes both vulnerabilities [2]. Vendors can now integrate the new version into their products and release updates for them.
What should you do?
Northwave recommends performing the following actions:
- Implement the security update (OpenSSL 3.0.7) as soon as your suppliers have shipped it in their products. Products built on OpenSSL 1.1.1 or older are not affected.
What will Northwave do?
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. We will also investigate whether any additional action can be taken based upon available information within our monitoring services.
You can call us by phone or send us an email if you would like additional information. (contact)
Disclaimer applies, see below.
Sources
[1]: OpenSSL organization – https://www.openssl.org/
[2]: OpenSSL version 3.0.7 published – https://mta.openssl.org/pipermail/openssl-announce/2022-November/000241.html
[3]: Threat Response: Critical Vulnerability in OpenSSL 3 – https://northwave-security.com/threat-response-critical-vulnerability-in-openssl-3/
[4]: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
Date: 18-10-2022
Vulnerability in Apache Commons Text library
On 13 October 2022 a vulnerability was disclosed in the Apache Commons Text library [1]. It allows attackers to remotely execute arbitrary code on servers running applications that pass untrusted input through this library's variable interpolation. Given the widespread use of the library, we inform you about it in this Threat Response. The vulnerability is registered as CVE-2022-42889 and is also known as "Text4Shell".
Today, 18 October 2022, the Dutch National Cyber Security Centre (NCSC) published a security advisory [2] assessing the impact and risk of this vulnerability. The situation is still evolving; the NCSC does not currently observe active exploitation. In this Threat Response we explain the nature of the vulnerability, the NCSC's current impact estimate and what you can do to prevent exploitation.
Description
On 13 October 2022 Apache disclosed the vulnerability, CVE-2022-42889, in Apache Commons Text, a generic text manipulation library. Versions 1.5 through 1.9 are affected. The vulnerability resembles Log4Shell in Apache Log4j, but exploitation is harder: an application is only exposed if it passes attacker-controlled input into the library's variable interpolation, which is a far less common code path than logging.
On 18 October 2022 the NCSC assessed the impact and risk of this vulnerability. The vulnerability resides in the text interpolation functionality, "StringSubstitutor", which replaces variables such as ${name} in a text by their values. The default interpolator also supports prefixed lookups, and three of these can be abused: "script" (evaluates a script expression through a JSR-223 scripting engine), "dns" (performs a DNS lookup) and "url" (fetches a URL). Proof-of-concept code that exploits this is publicly available.
Impact
Successful exploitation of CVE-2022-42889 can lead to execution of arbitrary code and a takeover of the server on which the application runs. The NCSC therefore estimates the impact of the vulnerability as high.
Risk
Versions 1.5 through 1.9 of Apache Commons Text are vulnerable regardless of the JDK version. The "script" lookup needs a JSR-223 scripting engine; JDK 15 and later no longer ship the Nashorn JavaScript engine, so script-based code execution fails there unless another engine is on the classpath. The "dns" and "url" lookups work on every JDK, so a vulnerable version remains abusable for DNS-based data exfiltration and server-side requests. The NCSC currently does not report exploitation in practice, but exploit code is publicly available. The NCSC therefore rates the risk as high.
Mitigation
Apache Commons Text 1.10.0 fixes the vulnerability: the "script", "dns" and "url" lookups are no longer enabled in the default interpolator and must be opted into explicitly. A newer JDK is not a fix by itself: JDK 15 and later only remove the bundled JavaScript engine used by the "script" lookup, the other abusable lookups remain available.
What should you do?
We recommend identifying whether any systems use the Apache Commons Text library (including copies bundled inside application archives such as WAR files) and updating it to 1.10.0 or later if the current version is among the vulnerable versions.
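As an added illustration of the inventory step above (this is not code from the advisory or from the Apache project), the following Python helper walks a directory tree, finds Apache Commons Text inside JAR/WAR archives by its Maven metadata, a nested commons-text-<version>.jar entry or the file name, and flags the CVE-2022-42889 range. It also includes a small hunting regex for the three abusable lookups in request logs. The archives created in demo() are constructed test data.

```python
"""Finds Apache Commons Text inside JAR/WAR archives and flags the CVE-2022-42889 range
(1.5 up to and including 1.9). Added example, not code from the advisory or the Apache
project. The archives built in demo() are constructed test data."""
import os
import re
import tempfile
import zipfile
from urllib.parse import unquote

POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
MARKER_CLASS = "org/apache/commons/text/StringSubstitutor.class"
NESTED_JAR_RE = re.compile(r"commons-text-(\d+(?:\.\d+)+)\.jar$")
LOWEST_AFFECTED, FIXED = (1, 5, 0), (1, 10, 0)


def parse_version(text: str) -> tuple:
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str) -> bool:
    return LOWEST_AFFECTED <= parse_version(version) < FIXED


def scan_archive(path: str) -> dict:
    """Version comes, in order of preference, from the Maven pom.properties the library ships,
    from a nested commons-text-<ver>.jar entry (WAR/EAR), or from the archive's own file name.
    A shaded/relocated copy carries none of these and is reported for manual review."""
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        version = None
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:
            for name in names:
                m = NESTED_JAR_RE.search(name)
                if m:
                    version = m.group(1)
                    break
        if version is None:
            m = NESTED_JAR_RE.search(os.path.basename(path))
            version = m.group(1) if m else None
        has_class = MARKER_CLASS in names
    if version is None and not has_class:
        status = "absent"
    elif version is None:
        status = "present_unknown_version"
    else:
        status = "vulnerable" if is_affected(version) else "fixed"
    return {"archive": os.path.basename(path), "version": version, "status": status}


def scan_tree(root: str) -> list:
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear", ".zip")):
                results.append(scan_archive(os.path.join(dirpath, f)))
    return sorted(results, key=lambda r: r["archive"])


# Hunting aid for request logs / WAF: the three lookups the advisory names, after URL-decoding.
# Nested interpolation can obfuscate payloads, so treat a miss as "no evidence", not "safe".
LOOKUP_RE = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)


def has_dangerous_lookup(text: str) -> bool:
    return LOOKUP_RE.search(unquote(text)) is not None


def make_archive(directory: str, filename: str, entries: dict) -> str:
    """Write a zip with the given {entry name: bytes/str} content (constructed test data)."""
    path = os.path.join(directory, filename)
    with zipfile.ZipFile(path, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return path


def commons_text_entries(version: str) -> dict:
    return {
        MARKER_CLASS: b"\xca\xfe\xba\xbe",   # fake class-file header, constructed
        POM_PROPS: f"version={version}\ngroupId=org.apache.commons\nartifactId=commons-text\n",
    }


def demo() -> dict:
    """Scan a constructed tree and return {archive: status}."""
    with tempfile.TemporaryDirectory() as d:
        make_archive(d, "commons-text-1.9.jar", commons_text_entries("1.9"))
        make_archive(d, "commons-text-1.10.0.jar", commons_text_entries("1.10.0"))
        make_archive(d, "shaded-app.jar", {MARKER_CLASS: b"\xca\xfe\xba\xbe"})
        make_archive(d, "webapp.war", {"WEB-INF/lib/commons-text-1.8.jar": b"PK\x05\x06" + b"\x00" * 18})
        make_archive(d, "other-lib.jar", {"com/example/Foo.class": b"\xca\xfe\xba\xbe"})
        return {r["archive"]: r["status"] for r in scan_tree(d)}


if __name__ == "__main__":
    for archive, status in demo().items():
        print(f"{archive:24} {status}")
    print(has_dangerous_lookup("name=%24%7Bscript%3Ajavascript%3A1%2B1%7D"))
```

Run scan_tree() against application directories, container image layers and build caches; a "present_unknown_version" result (a shaded copy without Maven metadata) needs manual confirmation of the version, and a fixed library version only helps once the application has been redeployed with it.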
What will Northwave do?
Northwave is investigating the possibility of detecting the vulnerability for customers with monitoring in place.
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information. (contact)
Disclaimer applies, see below.
Sources
[1]: https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
Date: 31-10-2022
Critical vulnerability in OpenSSL 3
On 25 October the developers of OpenSSL [1] announced that a critical security update for OpenSSL version 3 will be released on 1 November between 13:00 and 17:00 UTC [2]. At this point no details about the vulnerability are known, but OpenSSL assigns this classification only when a vulnerability affects common configurations and is likely to be exploitable [3]. Because many applications use the OpenSSL library, we want to inform you about the potential impact and the actions you can take beforehand. The vulnerability only affects version 3 of OpenSSL, first released in September 2021. Software that uses an older version (such as 1.1.1) is not vulnerable.
Description
OpenSSL is a widely used software library that implements TLS/SSL to encrypt digital communication and data. It is found in solutions on servers, endpoints, operational technology (OT), Internet of Things (IoT) devices, network equipment, etc.
Impact
There is no information about the vulnerability in the OpenSSL library other than that it specifically affects version 3. At the time of writing there are no indications that it is being exploited. Based on the 'critical' classification by OpenSSL, Northwave assumes that (future) exploitation will have a high impact. Additionally, we expect publications from the cyber-security community with examples of how to exploit the vulnerability soon after OpenSSL has released the update.
Risk
Because of the popularity of OpenSSL and the widespread use of software that relies on it [4][5], Northwave estimates the risk as high. Depending on the exact vulnerability, exploitation could allow remote code execution or the compromise of secured communication.
Mitigation
OpenSSL will release a security update on Tuesday 1 November between 13:00 and 17:00 UTC that mitigates the vulnerability [2]. Vendors can then integrate the new version into their products and release updates for them.
What should you do?
Northwave recommends performing the following actions:
- Proactively inventory the use of OpenSSL version 3 within the organisation. Consider all applications such as (TLS) proxies, VPN servers, load balancers and services provided by external vendors, and pay particular attention to systems reachable from the internet. Check the library version a service actually loads, not just the version of the openssl command-line tool.
- Implement the security update (OpenSSL 3.0.7) as soon as your suppliers have shipped it in their products.
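As an added illustration of the inventory step in this Threat Response and in the update above (this is not code from the advisory or from the OpenSSL project; the host names, version strings and ldd output are constructed samples), the following Python helper classifies `openssl version` output against the 3.0.7 fix and checks which binaries actually load the OpenSSL 3 libraries:

```python
"""Inventory helper for the OpenSSL 3.0.x fix (3.0.7). Added example, not code from
the advisory or the OpenSSL project. Host names, version strings and ldd output below
are constructed sample data."""
import re
from typing import Optional, Tuple

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")
FIXED_UPSTREAM = (3, 0, 7)


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `openssl version` output.

    When the tool reports a separate '(Library: OpenSSL x.y.z ...)' part, that is the
    version actually linked at runtime, which is the one that matters; prefer it."""
    lib = re.search(r"Library:\s*" + VERSION_RE.pattern, text)
    m = lib or VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def classify(version: Optional[Tuple[int, int, int]]) -> str:
    """Map a version to an action bucket.

    'in_affected_range' means 3.0.0 up to and including 3.0.6 by upstream numbering.
    Distributions often backport the fix without bumping that number, so treat this bucket
    as "check the vendor advisory", not as proof of exposure."""
    if version is None:
        return "unknown"
    if version[0] != 3:
        return "not_affected"      # 1.1.1, 1.0.2 and older never contained the punycode decoder
    if version < FIXED_UPSTREAM:
        return "in_affected_range"
    return "fixed"


SAMPLE_VERSION_OUTPUT = {  # constructed
    "web-01":   "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "vpn-01":   "OpenSSL 1.1.1q  5 Jul 2022",
    "build-01": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "app-02":   "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",  # new tool, old library
    "iot-gw":   "sh: openssl: not found",
}


def inventory(outputs=SAMPLE_VERSION_OUTPUT) -> dict:
    return {host: classify(parse_openssl_version(out)) for host, out in outputs.items()}


# `openssl version` only tells you about the CLI tool. Services link their own copy, so also
# look at what each binary resolves at load time.
SONAME_RE = re.compile(r"^\s*(libssl|libcrypto)\.so\.([\w.]+)\s*=>\s*(\S+)", re.MULTILINE)


def linked_openssl_libs(ldd_output: str) -> dict:
    """Return {soname: resolved path} for OpenSSL libraries in `ldd <binary>` output."""
    return {f"{m.group(1)}.so.{m.group(2)}": m.group(3) for m in SONAME_RE.finditer(ldd_output)}


def links_openssl3(ldd_output: str) -> bool:
    """libssl.so.3 / libcrypto.so.3 is the OpenSSL 3 ABI; libssl.so.1.1 is 1.1.1 (not affected)."""
    return any(name.split(".so.")[1].split(".")[0] == "3" for name in linked_openssl_libs(ldd_output))


def embedded_openssl_version(blob: bytes) -> Optional[Tuple[int, int, int]]:
    """Statically linked binaries show nothing in ldd; the version banner is usually still
    present as a string inside the file (equivalent of `strings binary | grep 'OpenSSL 3'`)."""
    m = re.search(rb"OpenSSL (\d+)\.(\d+)\.(\d+)", blob)
    return tuple(int(g) for g in m.groups()) if m else None


SAMPLE_LDD = {  # constructed
    "/usr/sbin/nginx":  "\tlibssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x7f00)\n"
                        "\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x7f01)\n",
    "/usr/sbin/sshd":   "\tlibcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x7f02)\n",
    "/opt/agent/agent": "\tstatically linked\n",
}

if __name__ == "__main__":
    for host, bucket in inventory().items():
        print(f"{host:10} {bucket}")
    for binary, ldd in SAMPLE_LDD.items():
        print(f"{binary:18} links OpenSSL 3: {links_openssl3(ldd)}")
```

Feed the functions the real output of `openssl version` and `ldd` collected from your hosts; the "in_affected_range" bucket is a work list for comparing against vendor advisories, and statically linked or vendor-bundled binaries (appliances, agents) need the string search or a confirmation from the supplier.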
What will Northwave do?
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. We will also investigate whether any additional action can be taken based upon available information within our monitoring services.
You can call us by phone or send us an email if you would like additional information. (contact)
Disclaimer applies, see below.
Sources
[1]: OpenSSL organisation – https://www.openssl.org/
[2]: Forthcoming OpenSSL Releases – https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
[3]: OpenSSL Security policy: Issue severity CRITICAL – https://www.openssl.org/policies/general/security-policy.html
[4]: Forks and stars on GitHub openssl/openssl – https://github.com/openssl/openssl
[5]: Public statistics of OpenSSL usage – https://trends.builtwith.com/Server/OpenSSL
Date: 06-10-2022
Update 2: Zero-day vulnerabilities in Microsoft Exchange
On Friday 30 September two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019 were identified [1][3]. Northwave informed you of this in two previous Threat Responses. In our last Threat Response we informed you about an improved mitigation, since the initial mitigation could be bypassed [2]. In the meantime more bypasses have been discovered, resulting in another update of the recommended mitigation.
Mitigation
Microsoft has updated its workaround, instructing to update both the blocking pattern and the condition input it is applied to. If you already applied the earlier blocking rule, remove the old rule and apply the new one. If you did not apply any workaround yet, apply the following:
- Add a blocking rule [1] in your Exchange Server (IIS URL Rewrite) that blocks the known attack pattern ".*autodiscover\.json.*Powershell.*" against the {UrlDecode:{REQUEST_URI}} condition input. The URL-decoded input matters: a pattern applied to the raw {REQUEST_URI} can be evaded by encoding characters of the request.
- Block Remote PowerShell access to prevent authenticated attackers from abusing the second Remote Code Execution vulnerability (CVE-2022-41082) [1].
What will Northwave do?
For EDRS customers with Defender for Endpoint, Northwave has already implemented monitoring use cases to detect web-shell activity on Exchange IIS servers. For EDRS customers with ESET, post-exploitation activities will be detected and blocked by ESET. For IDRS customers with Microsoft Sentinel, Northwave has implemented a use case based on Windows Security Events to detect the web shell activity. Furthermore, for customers with the Northwave NIDS setup, network traffic monitoring for possible exploitation signatures has been implemented.
We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information please reach out to us by phone or email. (contact)
Disclaimer applies, see below.
Sources
[3]: https://advisories.ncsc.nl/advisory?id=NCSC-2022-0610
Date: 04-10-2022
Update: Zero-day vulnerabilities in Microsoft Exchange
On Friday 30 September two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019 were identified [1][3]. Northwave informed you of this in a previous Threat Response. In the meantime researchers have discovered that the mitigation mentioned earlier is not sufficient [2].
These vulnerabilities are not seen to affect Microsoft Exchange Online users. However, if a hybrid setup with on-premise Exchange is used the setup is still vulnerable.
Mitigation
Microsoft advised a workaround earlier, but it can be bypassed. If you already applied the workaround from our previous Threat Response, update the attack pattern of the blocking rule. If you did not apply any workaround yet, apply the following:
- Add a blocking rule [2] in your Exchange Server (IIS URL Rewrite) to block the known attack pattern ".*autodiscover\.json.*Powershell.*" in the {REQUEST_URI} field.
- Block Remote PowerShell access to prevent authenticated attackers from abusing the second Remote Code Execution vulnerability (CVE-2022-41082) [1].
Be aware that the linked Microsoft documentation [2] still mentions the previous attack pattern. Note: the impact of this rule is not fully known at this moment; several Twitter messages [4][5] suggest the change stops the Outlook client from working properly, while others do not report this problem. Northwave recommends verifying that the Outlook client still works after applying the new rule.
What will Northwave do?
For EDRS customers with Defender for Endpoint, Northwave has already implemented monitoring use cases to detect web-shell activity on Exchange IIS servers. For EDRS customers with ESET, post-exploitation activities will be detected and blocked by ESET. For IDRS customers with Microsoft Sentinel, Northwave has implemented a use case based on Windows Security Events to detect the web shell activity. Furthermore, for customers with the Northwave NIDS setup, network traffic monitoring for possible exploitation signatures has been implemented.
We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information please reach out to us by phone or email. (contact)
Disclaimer applies, see below.
Sources
[3]: https://advisories.ncsc.nl/advisory?id=NCSC-2022-0610
[4]: https://twitter.com/wdormann/status/1577020025583841281
[5]: https://twitter.com/SysElement/status/1576930819901657089
Date: 30-09-2022
ZERO-DAY VULNERABILITIES IN MICROSOFT EXCHANGE
On Friday 30 September two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019 were identified [1][3]. They potentially allow authenticated attackers to perform remote code execution through PowerShell on the on-premises Exchange server. Microsoft confirmed the zero-days, which are tracked publicly as CVE-2022-41040 (Server-Side Request Forgery) and CVE-2022-41082 (Remote Code Execution). The attack chain closely resembles the ProxyShell vulnerability from 2021 [4]; ProxyShell (CVE-2021-34473) was used by attackers to bypass authentication on Exchange servers and perform remote code execution, whereas the new chain requires authentication.
These vulnerabilities do not affect Microsoft Exchange Online users. For on-premises Exchange servers Microsoft has published a workaround that blocks exposed Remote PowerShell ports [1].
At the moment the vulnerabilities are not yet widely exploited, but targeted attacks abusing them have already been observed, and this may change.
Risk
The vulnerabilities are currently not exploited on a large scale. However, since Exchange servers are exposed to the internet, vulnerable servers are an easy target for attackers, and targeted attacks have already been observed [5]. For this reason we estimate the risk as high.
Impact
Successful exploitation of CVE-2022-41040 (Server-Side Request Forgery) allows an authenticated attacker to reach the back-end PowerShell endpoint and use CVE-2022-41082 to execute code remotely on the on-premises Exchange server. These zero-days are being exploited in targeted attacks. For this reason we estimate the impact as high.
Mitigation
Microsoft is working on a fix for these vulnerabilities. Meanwhile, Microsoft advises on-premises Exchange users to apply the following workarounds:
- Add a blocking rule [1] in your Exchange Server (IIS URL Rewrite) to block the known attack pattern ".*autodiscover\.json.*\@.*Powershell.*" in the {REQUEST_URI} field.
- Block Remote PowerShell access to prevent authenticated attackers from abusing the second Remote Code Execution vulnerability (CVE-2022-41082) [1].
What should you do?
Make sure the mitigations listed above are applied to limit the attack surface for the zero-days. Administrators who wish to check their Exchange servers for signs of potential compromise can scan the Internet Information Services (IIS) log files with the following PowerShell commands [5]. Microsoft's original command leaves the log path to be filled in; the version below first resolves it from the IIS configuration:
Import-Module -Name WebAdministration
# Resolve the IIS log directory of the Default Web Site; the stored value may contain %SystemDrive%
$logDir = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path 'IIS:\Sites\Default Web Site' -Name logfile).directory)
# Search all IIS log files for the known exploitation pattern (Select-String is case-insensitive by default)
Get-ChildItem -Recurse -Path $logDir -Filter "*.log" |
    Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
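As an added example for the blocking rule and the log check above, and for the two updated rules in the later Threat Responses (this is not Northwave's or Microsoft's code), the following Python snippet emulates how the three generations of the IIS URL Rewrite pattern behave against request URIs, and applies the hunting pattern to IIS W3C log lines next to a column-aware check that also keeps failed attempts. The request URIs and log lines are constructed; the encoded variants illustrate in general why matching on the decoded URI matters and are not a claim about the specific bypasses that were found.

```python
"""Emulates the IIS URL Rewrite blocking rule from the Exchange advisories and hunts IIS
logs for the same request pattern. Added example, not Northwave's or Microsoft's code. The
request URIs and log lines are constructed sample data."""
import re
from urllib.parse import unquote

# Blocking patterns exactly as the advisories on this page give them.
PATTERN_ORIGINAL = r".*autodiscover\.json.*\@.*Powershell.*"   # 30-09: matched on {REQUEST_URI}
PATTERN_UPDATED = r".*autodiscover\.json.*Powershell.*"        # 04-10: on {REQUEST_URI};
                                                               # 06-10: on {UrlDecode:{REQUEST_URI}}


def rule_matches(request_uri: str, pattern: str, url_decode: bool = False) -> bool:
    """IIS rewrite conditions are case-insensitive by default; {UrlDecode:...} removes
    percent-encoding before the pattern is evaluated."""
    subject = unquote(request_uri) if url_decode else request_uri
    return re.search(pattern, subject, re.IGNORECASE) is not None


SAMPLE_REQUEST_URIS = [  # constructed
    "/autodiscover/autodiscover.json?a@evil.example/powershell?X-Rps-CAT=AAAA",    # plain
    "/autodiscover/autodiscover.json?a%40evil.example/powershell?X-Rps-CAT=AAAA",  # '@' encoded
    "/autodiscover/autodiscover.json?a@evil.example/%70owershell?X-Rps-CAT=AAAA",  # 'p' encoded
    "/owa/auth/logon.aspx?url=https://mail.example/owa/",                          # benign
]


def evaluate_rules(uris=SAMPLE_REQUEST_URIS) -> dict:
    """For each URI: (blocked by original rule, by updated rule on raw URI, by updated rule on decoded URI)."""
    return {
        uri: (
            rule_matches(uri, PATTERN_ORIGINAL),
            rule_matches(uri, PATTERN_UPDATED),
            rule_matches(uri, PATTERN_UPDATED, url_decode=True),
        )
        for uri in uris
    }


# The page's Select-String hunting pattern (PowerShell Select-String is case-insensitive).
HUNT_RE = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:15:02 10.0.0.10 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 341
2022-09-30 08:15:03 10.0.0.10 GET /owa/auth/logon.aspx url=https://mail.example/owa/ 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 12
2022-09-30 08:16:41 10.0.0.10 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=AAAA&Email=autodiscover/autodiscover.json%3f@evil.example 443 - 203.0.113.7 Mozilla/5.0 - 401 1 2148074254 15
"""


def hunt_iis_log(text: str = SAMPLE_IIS_LOG) -> list:
    """Return one record per log line: the regex verdict, plus a column-aware verdict that
    also keeps failed attempts (the '200' tail of the regex drops those)."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split())) if fields else {}
        stem = rec.get("cs-uri-stem", "").lower()
        query = unquote(rec.get("cs-uri-query", "")).lower()
        attempt = "autodiscover.json" in stem and "@" in query and "powershell" in query
        records.append({
            "c-ip": rec.get("c-ip"),
            "status": rec.get("sc-status"),
            "regex": HUNT_RE.search(line) is not None,
            "attempt": attempt,
        })
    return records


if __name__ == "__main__":
    for uri, verdict in evaluate_rules().items():
        print(f"{verdict}  {uri}")
    for r in hunt_iis_log():
        print(r)
```

The column-aware check is the one to keep in a detection rule: it decodes the query string before matching and reports attempts that received a 401 or 500, which are exactly the probes that precede a successful exploitation and that the status-200 regex silently ignores.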
What will Northwave do?
For customers with EDRS based on Defender for Endpoint, Northwave closely monitors for activity related to web shells on IIS servers and exploitation of Exchange server vulnerabilities [1]. Moreover, we use the Northwave SOC Defender Management application to actively detect any suspicious activity indicating exploitation of these zero-days. If access to our Defender Management application is not arranged, please contact your Security Operations Manager (SOM) for instructions. For customers with EDRS based on ESET, active post-exploitation will be detected. We are also looking into additional capabilities to detect these attacks with ESET.
Furthermore, for non-EDRS customers, Northwave is deploying a Microsoft Sentinel use case based on Windows Security Events to detect web shell activity on Exchange servers. Northwave will monitor developments around these vulnerabilities. We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require any additional information, please reach out to us by phone or email. (contact)
Sources
[3]: https://advisories.ncsc.nl/advisory?id=NCSC-2022-0610
Date: 03-08-2022
MULTIPLE CRITICAL VULNERABILITIES IN VMWARE
On Tuesday 2 August 2022 VMware released patches for multiple vulnerabilities in its products [1]. In total there are nine vulnerabilities, one of which is rated 'critical'. The vulnerabilities can be used to bypass authentication, execute code or escalate privileges. We recommend installing the patches VMware released as soon as possible to remediate these vulnerabilities.
In this Threat Response we explain the vulnerabilities, the potential impact and what action you should take to prevent exploitation.
Description
On 2 August VMware released security patches for a total of nine vulnerabilities, of which one is rated critical and five are rated high. They allow an attacker with network access to execute code or bypass authentication. We therefore recommend verifying whether the VMware products mentioned below are used in your organisation and, if so, applying the released patches as soon as possible.
The following products and versions are affected by this vulnerability:
- VMware Workspace ONE Access (Access) 21.0.8.x
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM) 3.3.x
- VMware Identity Manager Connector (vIDM Connector) 3.3.6, 3.3.5, 3.3.4, 19.03.0.1
- VMware vRealize Automation (vRA) 7.6
- VMware Cloud Foundation 3.x, 4.4.x, 4.3.x, 4.2.x
- vRealize Suite Lifecycle Manager 8.x
It is unclear which versions of the Access Connector are affected. A complete overview of the published advisories is available on the VMware advisories page [2].
Impact
An attacker who successfully exploits the critical vulnerability bypasses the authentication mechanism of the affected VMware product and obtains administrator rights. For that reason Northwave classifies the impact of successful exploitation as high.
Risk
At the time of writing there is no publicly available exploit code, so for now we classify the risk as medium. We expect the first exploits to appear shortly, and since these VMware products are regularly exposed to the internet, Northwave classifies the risk of exploitation as high once an exploit is published.
Mitigation
VMware has released patches for the affected components that remediate the vulnerabilities. For the critical vulnerability a workaround is available if patching is not an option. VMware's advisory describes the mitigating measures in more detail [2].
What should you do?
Verify whether one or more of the mentioned VMware products are used within your organisation. Install the published patches for the applicable products as soon as possible.
What will Northwave do?
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email. (contact)
Disclaimer applies, see below.
Sources
[1]: https://blogs.vmware.com/security/2022/08/vmsa-2022-0021-what-you-need-to-know.html
[2]: https://www.vmware.com/security/advisories/VMSA-2022-0021.html
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.