Q1 2023 Cyber Vulnerability Report and Impact

Fortinet Vulnerability Alert | March 2023

Background Information

Fortinet released an advisory detailing a critical security flaw (CVE-2023-25610) in their FortiOS and FortiProxy administrative interface. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities lead to ransomware incidents. Security patches have been released and should be applied as soon as possible.

Impact of the Vulnerability

The vulnerability affects the following Fortinet products and versions:

• FortiOS version 7.2.0 through 7.2.3

• FortiOS version 7.0.0 through 7.0.9

• FortiOS version 6.4.0 through 6.4.11

• FortiOS version 6.2.0 through 6.2.12

• FortiOS 6.0 all versions

• FortiProxy version 7.2.0 through 7.2.2

• FortiProxy version 7.0.0 through 7.0.8

• FortiProxy version 2.0.0 through 2.0.11

• FortiProxy 1.2 all versions

• FortiProxy 1.1 all versions 

Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network. Impacted organizations should apply a security patch immediately.

Next Steps

1. Download and install the latest version of the affected products:

   • FortiOS version 7.4.0 or above

   • FortiOS version 7.2.4 or above

   • FortiOS version 7.0.10 or above

   • FortiOS version 6.4.12 or above

   • FortiOS version 6.2.13 or above

   • FortiProxy version 7.2.3 or above

   • FortiProxy version 7.0.9 or above

   • FortiProxy version 2.0.12 or above

   • FortiOS-6K7K version 7.0.10 or above

   • FortiOS-6K7K version 6.4.12 or above

   • FortiOS-6K7K version 6.2.13 or above

2. If you aren't able to immediately upgrade, the following workaround can be applied for FortiOS:

a. Disable HTTP/HTTPS administrative interface

    OR

    Limit IP addresses that can reach the administrative interface:

config firewall address
edit "my_allowed_addresses"
set subnet <MY IP> <MY SUBNET>
end

b. Then create an Address Group:

config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end

c. Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end

d. If using non default ports, create appropriate service object for GUI administrative access:

config firewall service custom
edit GUI_HTTPS
set tcp-portrange <admin-sport>
next
edit GUI_HTTP
set tcp-portrange <admin-port>
end

Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below.

When using an HA reserved management interface, the local in policy needs to be configured slightly differently - please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005

Please contact Fortinet customer support for assistance.

_________________________________

Adobe ColdFusion Vulnerability Alert | March 2023

Background Information

Adobe released an advisory detailing critical security flaws (CVE-2023-26359 & CVE-2023-26360) in their ColdFusion product, often used for web application development and delivery. The vulnerabilities allow for an unauthenticated attacker to execute arbitrary code or commands. Adobe reports at least one of the flaws is being actively exploited. Security patches have been released and should be applied as soon as possible.

Impact of the Vulnerability

The vulnerabilities affect the following Adobe ColdFusion products and versions:

• ColdFusion 2018

  • Update Number: Update 15 and earlier versions

  • Platform: All

• ColdFusion 2021

  • Update Number: Update 5 and earlier versions

  • Platform: All

Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network.

Next Steps

Download and install the latest version of the affected products:

• ColdFusion 2018, Update 16

• ColdFusion 2021, Update 6

_________________________________

3CX Desktop App Security Alert | March 2023

Background Information

A threat actor compromised the 3CX VoIP DesktopApp resulting in malicious code being installed in the legitimate software. The app is now being used in supply chain attacks. Cyber security firms have attributed the attacks to state-sponsored threat actors, noting that the malicious activity affects both Windows and Mac environments.

Impact of the Vulnerability

The vulnerabilities affect the following 3CX products and versions:

• Electron Windows App (shipped in Update 7) versions 18.12.407 and 18.12.416

• Electron Mac App versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416

Next Steps

We encourage your organization to take the following steps to mitigate against potential attack:

1. Uninstall 3CXDesktopApp on all platforms and remove artifacts left behind.

2. 3CX recommends using the PWA client while they work on fixes for the desktop app.

3. Retroactively hunt for indicators of compromise and block known-malicious domains.

We always recommend advanced EDR solutions enriched by active threat intelligence and proactive monitoring to stay on top of advanced threats like supply chain attacks.

Indicators of Compromise

We recommend blocking the following domains used by the backdoor:

akamaicontainer[.]com 
akamaitechcloudservices[.]com 
azuredeploystore[.]com 
azureonlinecloud[.]com 
azureonlinestorage[.]com 
convieneonline[.]com 
dunamistrd[.]com 
glcloudservice.[.] 
journalide[.]org 
msedgepackageinfo[.]com 
msstorageazure[.]com 
msstorageboxes[.]com 
officeaddons[.]com 
officestoragebox[.]com 
pbxcloudeservices[.]com 
pbxphonenetwork[.]com 
pbxsources[.]com 
qwepoi123098[.]com 
sbmsa[.]wiki 
sourceslabs[.]com 
Soyoungjun[.]com 
visualstudiofactory[.]com 
zacharryblogs[.]com

File Hashes:

Compromised MSI: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868

ffmpeg.dll: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
d3dcompiler_47.dll: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03

_________________________________

Banking Wire Fraud Alert | March 2023

Background Information

The apparent financial instability of several banking institutions, most prominently Silicon Valley Bank, has led many organizations to change their banking relationships. This means in the coming days there will be an unusually large volume of communication about banking information between organizations and their customers, vendors and partners. 

Any communication about sending or receiving payments carries risk: claims for fraudulent funds transfers (FFTs) are already the most frequent type experienced by Corvus customers. Since threat actors know that many organizations will be sending and receiving requests to change payment instructions, they will be poised to take advantage. In fact, Corvus has observed a large number of new website domain registrations with names that mimic bank login pages for use in phishing campaigns.

Next Steps

We encourage your organization to take the following steps to mitigate against potential attacks:

1. Ensure your finance team has an out of band authentication (OOBA) process established.

   • If there is no policy, or one is lacking detail, review this Corvus article for more information: Securing Funds Transfers (Out-of-Band Authentication and Other Considerations). The following practices are recommended to be included in your process: 

     1. Verify all requests to transfer payments or update payment information by calling a known phone number, and speaking to a known voice.

     2. If you do not have a contact at that organization, go to the organization’s main website and call a main number on the website, asking to be routed to the accounts receivables department.

     3. Confirm receipt of a test deposit of a nominal value prior to making a bank account change for your vendor.

     4. Do not relax any security practices due to urgency by other parties — it’s better to slightly delay a payment than to send funds to a threat actor!

2. Retrain all employees who deal with funds transfers on your company's payment policies, including your OOBA process.

   • During the training, alert employees to the likelihood of increased phishing attacks.

   • Remind employees that attackers may impersonate a financial institution, a vendor, a business contact, or a colleague (particularly executives or finance personnel).

_________________________________

ESXi Ransomware Campaign | February 2023

Background Information

On February 3rd, 2023, reports emerged showing an extensive ransomware campaign targeting publicly exposed VMware ESXi servers. Researchers believe that the threat actors responsible are exploiting a two-year-old vulnerability, CVE-2021-21974. However, the specific vulnerability is not yet confirmed. VMware has publicly stated there is no evidence of a Zero-Day vulnerability, believing the flaw to be an old one for which some organizations remain unpatched. At the latest reporting, approximately 3,800 servers have been ransomed, roughly 300 of which are in the United States.

Early samples of the campaign, ESXiArgs, were only encrypting configuration files and leaving data relatively intact. This made recovery possible without paying the ransom for a decryptor. Later samples of the ransomware have evolved, making recovery more difficult. The impact and possibility of recovery will need to be evaluated.

Based on Corvus Threat Intel data, nearly one-quarter of ransomware groups have leveraged ESXi servers as part of their attacks. This campaign is unique because threat actors are using ESXi servers as the point of entry into the network and systematically searching for publicly exposed vulnerable targets from the outset.

What is ESXi?

If you’ve ever heard of a “Virtual Machine” or “VM” this is essentially a computer within a computer. You can run a Windows operating system and have a separate VM running Linux. In order to function, this mini-computer needs to share resources with the primary operating system or other VMs. Each VM needs to have RAM, CPU, and storage resources to function but needs a way to know how to share these.

To properly manage the VM and share resources, there is something called a hypervisor to distribute these. ESXi is a hypervisor. It is essentially software that sits on a physical server and manages the resources to ensure the VMs under its jurisdiction can function properly.

Since hypervisors manage numerous VMs, they are an attractive target for ransomware actors. Attacking a single ESXi can disable all of the virtual machines underneath. Those virtual resources may have contained valuable data or housed applications or other infrastructure rendered unusable until recovery. This makes life for a threat actor much easier since they don’t have to discover and attack each virtual resource individually, instead one target can multiply their efforts.

In terms of market share for virtualization, the numbers may differ slightly depending on the firm doing the analysis. However, VMware is one of the top providers with ESXi specifically making up around 6%. It’s unclear whether these analyses rely on externally visible products or whether the methodology includes a way to track the internal assets of companies.

Next Steps

If you use ESXi at your organization, make sure it’s configured not to be publicly accessible from the internet. Threat actors continually scan for targets as part of this campaign, so don’t be one of them. Also, ensure your ESXi, vCenter, and other virtualization components are patched and up-to-date. 

Resources

• ESXiArgs Ransomware Virtual Machine Recovery Guidance (CISA)

• Exploit Vector Analysis of Emerging ‘ESXiArgs’ Ransomware (GreyNoise)

• ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware (SecurityWeek)

• An Analysis of the VMware ESXi Ransomware Blitz  (Intel471)

• How to secure your VMware ESXi hosts against ransomware (Truesec)

• Prevent Attackers From Taking Over ESXi 8.0 Hosts (Truesec)

_________________________________

Jira Vulnerability Alert | February 2023

Background Information

On February 1, 2023, Atlassian issued a security advisory for a critical vulnerability. The flaw, CVE-2023-22501, affects Jira Service Management Server and Data Center commonly used for collaboration and development. The vulnerability allows an attacker to impersonate another user and gain access to a Jira Service Management instance. Atlassian has released a security update and this should be installed as soon as possible.

Impact of the Vulnerability

An attacker could gain access to signup tokens sent to users with accounts that have never been logged into. This is possible in certain configurations when write access to a User Directory and outgoing email are enabled on a Jira Service Management instance.

Access to these tokens can be obtained in two cases:

• If the attacker is included on Jira issues or requests with these users, or

• If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.

Bot accounts are particularly susceptible to this vulnerability and could be targeted since their behavior often meets the criteria an attacker would need to acquire signup tokens. Corvus has observed similar vulnerabilities lead to data theft and extortion as well as ransomware attacks.

The vulnerability affects the following versions of Jira Service Management Server and Jira Service Management Data Center:

• 5.3.0

• 5.3.1

• 5.3.2

• 5.4.0

• 5.4.1

• 5.5.0

Note: Atlassian Cloud sites are not affected. If your Jira site is accessed via an atlassian.net domain, it is hosted by Atlassian and you are not affected by the vulnerability.

Next Steps

1. Update to a fixed version.

2. If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround:

   1. Download the version-specific JAR file from the table at this page (see “Mitigation” section).

   2. Stop Jira.

   3. Copy the JAR file into your Jira home directory.

      1. For Server: <Jira_Home>/plugins/installed-plugins

      2. For Data Center: <Jira_Shared>/plugins/installed-plugins

   4. Start Jira.

Resources

• https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-2023-02-01-1188786458.html

• https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-bug-giving-access-to-jira-service-management/

_________________________________

FortiWeb Vulnerability Alert | February 2023

Background Information

Fortinet released an advisory detailing a critical security flaw (CVE-2021-42756) in their web application firewall (WAF), FortiWeb products. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Corvus has observed similar vulnerabilities lead to ransomware incidents. Security patches have been released and should be applied as soon as possible.

Impact of the Vulnerability

The vulnerability affects Fortinet appliances running the following versions:

• FortiWeb versions 5.x all versions

• FortiWeb versions 6.0.7 and below

• FortiWeb versions 6.1.2 and below

• FortiWeb versions 6.2.6 and below

• FortiWeb versions 6.3.16 and below

• FortiWeb versions 6.4 all versions 

Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold into the network. From there the attacker would be able to conduct further exploitation and potentially move around the network. Impacted organizations should apply a security patch immediately.

Next Steps

1. Download and install the latest version of the affected products:

   • Upgrade to FortiWeb 7.0.0 or above

   • Upgrade to FortiWeb 6.3.17 or above

   • Upgrade to FortiWeb 6.2.7 or above

   • Upgrade to FortiWeb 6.1.3 or above

   • Upgrade to FortiWeb 6.0.8 or above

_________________________________

Control Web Panel Vulnerability Alert | January 2023

Background Information

A critical security flaw has been discovered in CentOS Control Web Panel 7 (CWP), a common interface for web hosting. The security flaw (CVE-2022-44877) allows a remote, unauthenticated attacker to perform arbitrary code execution. Attackers are actively exploiting this vulnerability. A security patch has been released and should be applied as soon as possible.

Impact of the Vulnerability

Attackers can exploit this vulnerability to gain full control over unpatched systems. Corvus has observed similar vulnerabilities lead to ransomware events.

Next Steps

1. Upgrade to the latest version of CWP as soon as possible:

   • 0.9.8.1148 (released on December 1, 2022)

Resources

• https://cloudsek.com/threatintelligence/poc-for-high-impact-rce-vulnerability-in-centos-web-panel-7-cve-2022-44877-increases-risk-of-attacks/

• https://arstechnica.com/information-technology/2023/01/vulnerability-with-9-8-severity-in-control-web-panel-is-under-active-exploit/

• https://control-webpanel.com/changelog

_________________________________

Zoho ManageEngine Vulnerability Alert | January 2023

Background Information

A critical security flaw has been discovered in numerous Zoho ManageEngine products, often used in IT management and IT security. The flaw (CVE-2022-47966) allows a remote, unauthenticated attacker to perform arbitrary code execution on systems running the vulnerable software. Zoho reports that for exploitation to be successful, SAML SSO must currently be enabled in the ManageEngine setup or have been enabled in the past.

Threat actors are actively exploiting this vulnerability. Zoho has released security patches and these should be applied immediately. Regardless of SAML configuration, applying security patches is recommended.

Impact of the Vulnerability

Attackers can exploit this vulnerability to gain full control over unpatched systems. Corvus has observed similar vulnerabilities lead to ransomware events.

The following table includes the impacted products and versions as well as the corresponding security patch.

Next Steps

1. Check the table above and upgrade to a fixed version of the specific product.

Resources

• https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html

• https://www.horizon3.ai/manageengine-cve-2022-47966-iocs/

• https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html

_________________________________

Git Vulnerability Alert | January 2023

Background Information

On January 17, 2023, security researchers in collaboration with GitLab announced the discovery of critical security flaws. Git is an open-source tool often used by software developers and engineers for version control as they collaborate on code changes. The flaws (CVE-2022-23521 & CVE-2022-41903) may allow a remote, unauthenticated attacker to perform arbitrary code execution on systems running vulnerable versions of Git.

Impact of the Vulnerability

Attackers may be able to exploit these vulnerabilities to gain full control over unpatched systems. Corvus has observed similar vulnerabilities lead to ransomware events.

The following table includes the impacted products and versions as well as the corresponding fixed versions.

• git-for-windows

  • Impacted Version(s): <=2.39.0(2)

  • Fixed Version(s): >=2.39.1

• git

  • Impacted Version(s): <= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0

  • Fixed Version(s): >= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1

Next Steps

1. Update to the latest version of Git across your organization.

   • The method to do this will vary depending on your operating system and package manager. See here for a general guide.

2. Other products used with Git may release their own patches or updates, so take inventory of any such products in use and apply patches quickly.

   • One commonly used product is GitLab, which already released patches for both the GitLab Community and GitLab Enterprise editions.

Resources

• https://www.x41-dsec.de/static/reports/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf

• https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released/