Welcome to Security Sunday – Week 44, our weekly summary from the world of cybersecurity (30 October – 5 November 2023).
We’re collecting notable incident and vulnerability reports from the past week.
Boeing confirms cyber attack in connection with LockBit ransomware claims
Aerospace giant Boeing is investigating a cyberattack that affected its parts and distribution business after the LockBit ransomware gang claimed to have breached the company’s network and stolen data.
Boeing said the incident did not affect flight safety and confirmed it is cooperating with law enforcement and regulatory authorities in the ongoing investigation.
Boeing’s website was down at the time of writing, displaying a message that the ongoing outage was due to “technical issues”.
“We are aware of a cyber incident that has affected elements of our parts and distribution business. This issue does not affect flight safety,” Boeing told BleepingComputer.
Apache ActiveMQ vulnerability exploited in ransomware attacks
More than 3,000 Apache ActiveMQ servers exposed to the Internet are vulnerable to CVE-2023-46604, a remote code execution flaw rated critical with a CVSS v3 score of 10.0. A remote attacker with network access to the broker’s OpenWire listener (TCP 61616 by default) can manipulate the serialized class types in an OpenWire message so that the broker instantiates an arbitrary class from its classpath, which is enough to run arbitrary shell commands without authenticating.
Apache ActiveMQ is a scalable open-source message broker that supports client-server communication, Java and various cross-language clients, and many protocols including AMQP, MQTT, OpenWire, and STOMP.
Because the project supports a diverse set of authentication and authorization mechanisms, it is widely used in enterprise networks.
According to the Apache advisory dated 27 October 2023, the issue is fixed in versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, and upgrading to one of these is recommended. Until that is done, the OpenWire port should not be reachable from untrusted networks, since exploitation needs nothing more than a TCP connection to it.
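As an added example (not code from the Apache project or from the linked article), the following Python script identifies an ActiveMQ broker’s version and checks it against the fixed releases above. A broker advertises its version in the WireFormatInfo frame it sends as soon as a TCP session opens on the OpenWire port; the parser scans that frame for the ProviderVersion entry instead of implementing the whole OpenWire marshaller. The frame produced by build_wireformat_info is a simplified constructed sample for offline use, and the assumption that releases newer than 5.18 carry the fix is the script’s own, not the advisory’s.

```python
import re
import socket
import struct

# Fixed releases named in the Apache advisory for CVE-2023-46604, keyed by 5.x branch.
FIXED = {15: (5, 15, 16), 16: (5, 16, 7), 17: (5, 17, 6), 18: (5, 18, 3)}

# Type tag for a String value inside an OpenWire primitive map (MarshallingSupport.STRING_TYPE).
STRING_TYPE = 9


def parse_version(version):
    """'5.18.2' -> (5, 18, 2); tolerates suffixes such as '5.18.2-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised ActiveMQ version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when a 5.x release is older than the fixed release of its branch.

    Every release before 5.15.16 is affected, so branches older than 5.15 have
    no fixed version at all.  Branches newer than 5.18 are assumed here to
    post-date the advisory and carry the fix (assumption, not from the advisory).
    """
    major, minor, patch = parse_version(version)
    if major != 5:
        return False
    if minor < 15:
        return True
    if minor > 18:
        return False
    return (major, minor, patch) < FIXED[minor]


def extract_provider_version(banner):
    """Pull ProviderVersion out of the WireFormatInfo frame a broker sends on connect.

    In the OpenWire primitive-map encoding a string entry is: key (2-byte
    big-endian length + UTF bytes), type byte 9, value (2-byte length + bytes).
    Scanning for the key avoids implementing the whole OpenWire marshaller.
    """
    key = b"ProviderVersion"
    i = banner.find(key)
    if i < 0:
        return None
    p = i + len(key)
    if p + 3 > len(banner) or banner[p] != STRING_TYPE:
        return None
    (length,) = struct.unpack(">H", banner[p + 1:p + 3])
    value = banner[p + 3:p + 3 + length]
    if len(value) != length:
        return None  # truncated read; caller should recv() more
    return value.decode("utf-8", errors="replace")


def build_wireformat_info(provider_version):
    """Construct a simplified WireFormatInfo frame for offline testing.

    Constructed sample, not a captured packet: frame length, command type 1
    (WIREFORMAT_INFO), the 'ActiveMQ' magic, a protocol version, then a
    size-prefixed primitive map holding only ProviderVersion.  A real broker
    sends more entries and flags, which is why the parser scans for the key.
    """
    key = b"ProviderVersion"
    val = provider_version.encode("utf-8")
    entry = (struct.pack(">H", len(key)) + key
             + bytes([STRING_TYPE]) + struct.pack(">H", len(val)) + val)
    pmap = struct.pack(">i", 1) + entry                      # entry count, then entries
    body = (bytes([1]) + b"ActiveMQ" + struct.pack(">i", 12)
            + struct.pack(">i", len(pmap)) + pmap)
    return struct.pack(">i", len(body)) + body


def probe(host, port=61616, timeout=5.0):
    """Connect to a broker's OpenWire listener and return its advertised version.

    The broker volunteers WireFormatInfo as soon as the TCP session opens, so
    nothing needs to be sent.  Network I/O: only run against hosts you own.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return extract_provider_version(sock.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    ver = probe(target) if target else extract_provider_version(build_wireformat_info("5.18.2"))
    print(target or "constructed sample", ver, "VULNERABLE" if ver and is_vulnerable(ver) else "ok")
```

Run with a hostname to probe a live broker, or with no arguments to exercise the parser on the constructed frame. This is a version check only; an exposed broker on an unfixed branch should be patched or firewalled regardless of what the banner says.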
Link:
https://www.theregister.com/2023/11/02/apache_activemq_vulnerability/
Release of the new CVSS v4.0 Vulnerability Severity Assessment Standard
FIRST has officially released the next generation of the CVSS v4.0 standard, which was created eight years after the previous major version, CVSS 3.0.
“The revised standard offers finer granularity in the underlying metrics, removes ambiguity in subsequent scoring, simplifies threat metrics, and increases the effectiveness of evaluating environment-specific security requirements,” FIRST said.
“In addition, several additional vulnerability assessment metrics have been added, including automation (wormable), recovery (resilience), value density, vulnerability response effort, and urgency.”
A key enhancement of CVSS v4.0 is its added usability for OT/ICS/IoT, with Safety metrics and values added to both the Supplemental and Environmental metric groups.
This version also introduces a new nomenclature that states which metric groups went into a published score: Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE) and Base + Threat + Environmental (CVSS-BTE).
A complete list of all the changes delivered with CVSS v4.0, including finer granularity through new Base metrics and better impact metrics, is available at FIRST.org
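As an added example (not code from FIRST or from the specification), the following Python snippet validates a CVSS v4.0 vector string against the metric names and values the specification defines and reports which of the four nomenclature labels applies. Treating a Threat or Environmental metric left at X as “not supplied” is this example’s reading of the nomenclature, and component ordering is deliberately not enforced.

```python
# Metric names and allowed values per metric group, as listed in the CVSS v4.0
# specification.  Base metrics are mandatory; everything else is optional and
# "X" (Not Defined) is the default for any optional metric.
BASE = {
    "AV": list("NALP"), "AC": list("LH"), "AT": list("NP"), "PR": list("NLH"), "UI": list("NPA"),
    "VC": list("HLN"), "VI": list("HLN"), "VA": list("HLN"),
    "SC": list("HLN"), "SI": list("HLN"), "SA": list("HLN"),
}
THREAT = {"E": list("XAPU")}
ENVIRONMENTAL = {
    "CR": list("XHML"), "IR": list("XHML"), "AR": list("XHML"),
    "MAV": list("XNALP"), "MAC": list("XLH"), "MAT": list("XNP"), "MPR": list("XNLH"), "MUI": list("XNPA"),
    "MVC": list("XHLN"), "MVI": list("XHLN"), "MVA": list("XHLN"),
    "MSC": list("XHLN"), "MSI": list("XSHLN"), "MSA": list("XSHLN"),
}
SUPPLEMENTAL = {
    "S": list("XNP"), "AU": list("XNY"), "R": list("XAUI"), "V": list("XDC"), "RE": list("XLMH"),
    "U": ["X", "Clear", "Green", "Amber", "Red"],
}
ALL = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


def parse_vector(vector):
    """Validate a CVSS v4.0 vector string and return its metrics as a dict.

    Raises ValueError for a wrong version prefix, an unknown metric, a value
    outside the metric's allowed set, a repeated metric, or a missing Base
    metric.  Component ordering is not enforced here (the spec prescribes an
    order, but a lenient reader is more useful in triage scripts).
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: missing 'CVSS:4.0' prefix")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError("malformed component %r" % part)
        if name not in ALL:
            raise ValueError("unknown metric %r" % name)
        if name in metrics:
            raise ValueError("metric %s given more than once" % name)
        if value not in ALL[name]:
            raise ValueError("invalid value %r for metric %s" % (value, name))
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("missing mandatory Base metrics: " + ", ".join(missing))
    return metrics


def is_valid(vector):
    """Convenience wrapper: True if parse_vector accepts the string."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def nomenclature(vector):
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE for a vector.

    A Threat or Environmental metric that is absent or set to X contributes
    nothing to the score, so it is treated here as not supplied.  Supplemental
    metrics never change the nomenclature.
    """
    m = parse_vector(vector)
    has_threat = any(m.get(k, "X") != "X" for k in THREAT)
    has_env = any(m.get(k, "X") != "X" for k in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


if __name__ == "__main__":
    base = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    for v in (base, base + "/E:A", base + "/CR:H", base + "/E:P/MAV:A/AU:Y"):
        print(nomenclature(v), v)
```

The practical use is in a vulnerability-management pipeline: a feed entry labelled with a bare score cannot be compared with another unless both carry the same nomenclature, and a vector that fails parse_vector should be rejected at ingestion rather than silently scored.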
Link:
https://www.first.org/cvss/v4.0/specification-document
Mozi IoT Botnet’s Mysterious Kill Switch
The unexpected drop in malicious activity associated with the Mozi botnet in August 2023 was due to a command distributed to the bots.
“The decline was first felt in India on August 8,” ESET said in an analysis published this week. “A week later, on August 16, the same thing happened in China. While a mysterious control payload – aka kill switch – stripped Mozi bots of most features, they retained persistence.”
Mozi is an IoT botnet that originated from the source code of several well-known malware families such as Gafgyt, Mirai and IoT Reaper. It was first spotted in 2019 and is known to use weak and default remote access passwords for initial access, as well as unpatched security vulnerabilities.
The sharp drop in Mozi activity, from approximately 13,300 hosts on 7 August to 3,500 on 10 August, is reportedly the result of an unknown actor instructing the bots to download and install an update designed to neutralise the malware.
“Despite the drastic reduction in functionality, the Mozi bots retained persistence, indicating a deliberate and premeditated removal,” said security researchers Ivan Bešina, Michal Škuta and Miloš Čermák.
“There are two potential instigators of this intervention: the original creator of the Mozi botnet or Chinese law enforcement authorities who may have enlisted or coerced the cooperation of the original actor or actors,” the researchers said.
Link:
https://www.darkreading.com/ics-ot/somebody-just-killed-mozi-botnet
New zero-day vulnerabilities in Microsoft Exchange allow RCE attacks and data theft
Microsoft Exchange is affected by four zero-day vulnerabilities that can be remotely exploited by attackers on affected installations to execute arbitrary code or access sensitive information.
The zero-day vulnerabilities were disclosed by Trend Micro’s Zero Day Initiative (ZDI), which reported them to Microsoft on 7 and 8 September 2023.
Although Microsoft acknowledged the report, its security engineers decided that the vulnerabilities were not serious enough to require immediate action and postponed the fixes until a later date.
ZDI disagreed with this response and decided to publish the bugs under its own tracking IDs, ZDI-23-1578, ZDI-23-1579, ZDI-23-1580 and ZDI-23-1581.
All of these vulnerabilities require authentication for exploitation, which lowers their CVSS severity rating to 7.1 to 7.5. In addition, requiring authentication is a mitigating factor and perhaps the reason why Microsoft has not prioritised fixing these bugs.
However, it should be noted that cybercriminals have many ways to obtain Exchange server login credentials, including brute-forcing weak passwords, conducting phishing attacks, purchasing them, or lifting them from information-stealer logs.
The above zero-days should therefore not be considered unimportant, especially ZDI-23-1578, which can result in a complete system compromise.
ZDI also recommends implementing multi-factor authentication, so that cybercriminals cannot reach Exchange instances even if account credentials have been compromised.
Atlassian warns of exploiting Confluence vulnerability, public exploit available
Atlassian has warned administrators that a public exploit for a critical Confluence security flaw is now available and can be used in attacks that destroy data.
This is an improper authorization vulnerability, tracked as CVE-2023-22518 with a severity rating of 9.1/10, that affects all versions of Confluence Data Center and Confluence Server; Atlassian Cloud sites hosted on atlassian.net are not affected.
“We have no reports of active abuse yet, but customers must take immediate action to protect their instances. If you have already applied the patch, there is no need to take any further action,” Atlassian said.
Atlassian has patched this vulnerability in versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1 of Confluence Data Center and Server. Instances that cannot be patched immediately should be backed up and removed from the Internet, and access to the /json/setup-restore* endpoints blocked, as Atlassian’s advisory describes.
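As an added example (not code from Atlassian or from the linked article), the following Python script sweeps a Confluence access log for requests to the /json/setup-restore* endpoints that Atlassian’s advisory tells administrators to block, so an instance that was exposed before patching can be checked for attempts. The log lines are a constructed sample in the Apache/Tomcat combined format, and the regex is an assumption that may need adjusting to the access-log pattern of a given deployment.

```python
import re
from collections import Counter

# Apache/Tomcat "combined" access-log layout.  Confluence's own access log
# pattern can differ between deployments, so adapt the regex (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Atlassian's interim mitigation for CVE-2023-22518 is to block the
# /json/setup-restore* endpoints.  Any request to them that is not a planned,
# administrator-driven restore deserves a look.
SUSPECT_PREFIX = "/json/setup-restore"

# Constructed sample log, not data from any real incident.  203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2023:10:14:02 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [02/Nov/2023:10:14:05 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 312
203.0.113.7 - - [02/Nov/2023:10:14:09 +0000] "GET /json/setup-restore-progress.action HTTP/1.1" 200 88
198.51.100.23 - admin [02/Nov/2023:11:02:41 +0000] "GET /admin/viewgeneralconfig.action HTTP/1.1" 200 23891
203.0.113.7 - - [02/Nov/2023:10:14:30 +0000] "POST /json/setup-restore-local.action HTTP/1.1" 403 0
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_restore_attempts(lines):
    """Return every parsed request whose path (query string ignored) starts
    with the setup-restore prefix, in log order.  A 403 is still reported: it
    shows someone tried, which matters for an instance that was exposed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.startswith(SUSPECT_PREFIX):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source IP so the noisiest client surfaces first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_restore_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ts"], h["ip"], h["method"], h["path"], h["status"])
    print(summarize(found).most_common())
```

A successful POST to setup-restore.action from an address that has no business administering the instance is the signal to treat the instance as compromised and restore from a known-good backup, not merely to patch.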
Link: https://www.bleepingcomputer.com/news/security/atlassian-warns-of-exploit-for-confluence-data-wiping-bug-get-patching/
Other cyber attack news
- Huawei, Vivo phones flag Google app as TrojanSMS-PA malware
- Okta security breach: 134 customers exposed in October support hack
- Ace Hardware reports that 1,202 devices were affected during the cyber attack
- Weekend cyber attack knocks British Library out of service
- Flipper Zero: Bluetooth spam attacks ported to new Android app