Exposures, Exposed! Weekly Round-up Oct 29 - Nov 3


Welcome! It's another "Exposures, Exposed!", XM Cyber's weekly compilation of pivotal exposure events. Our dedicated team vigilantly surveys the cyber world to identify the most noteworthy exposures. Below, you'll find our carefully curated assortment of this week's most urgent and relevant exposures:

Critical F5 BIG-IP Vulnerabilities Exploited - Urgent Fixes Needed

F5 issued a warning regarding the exploitation of a critical security vulnerability in its BIG-IP software, just days after the vulnerability was disclosed publicly. This vulnerability could allow an unauthenticated attacker with network access through the management port to execute arbitrary system commands as part of an exploit chain. ProjectDiscovery released a proof-of-concept (PoC) exploit for this flaw.

The affected versions of the software include 17.1.0, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10, 14.1.0 - 14.1.5, and 13.1.0 - 13.1.5. F5 has observed threat actors chaining this vulnerability with CVE-2023-46748, an authenticated SQL injection vulnerability in the BIG-IP Configuration utility. This means that attackers are combining both vulnerabilities to run arbitrary system commands.

Users are advised to check for indicators of compromise (IoCs) related to the SQL injection flaw, such as suspicious entries in the /var/log/tomcat/catalina.out file.

As a result of the active exploitation, the US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to implement the vendor-provided patches by November 21, 2023. 

Atlassian Warns of Critical Confluence Flaw, Urges Immediate Action

Atlassian issued a warning regarding a critical security vulnerability in Confluence Data Center and Server. This vulnerability could potentially lead to significant data loss if exploited by an unauthenticated attacker, and affects all versions of Confluence Data Center and Server.

Atlassian released patches to address the vulnerability in versions 7.19.16 or later, 8.3.4 or later, 8.4.4 or later, 8.5.3 or later, and 8.6.1 or later. While the flaw could result in data loss, there is no impact on confidentiality since the vulnerability would not enable an attacker to exfiltrate any instance data.

Atlassian did not disclose the exact details of the vulnerability and the exploitation method, so as to prevent threat actors from developing exploits. Atlassian is strongly urging its customers to take immediate action to secure their instances, including disconnecting instances with access to the public internet until patches can be applied. Users running unsupported versions are advised to upgrade to a fixed version. Fortunately, Atlassian Cloud sites are unaffected by this issue.

Elektra-Leak Attack Targets AWS Keys on Public GitHub

A cyberattack campaign known as "Elektra-Leak" is actively targeting Amazon Web Services (AWS) identity and access management (IAM) credentials exposed in public GitHub repositories. 

Palo Alto Networks researchers discovered that the attackers used these credentials to create AWS Elastic Compute (EC2) instances for cryptocurrency mining. The campaign generated at least 474 large-format Amazon EC2 instances for crypto-mining between August 30 and October 6. Notably, the attackers initiated attacks within just five minutes of IAM credentials being exposed on GitHub, despite Amazon's quarantine policies.

The threat actor behind Elektra-Leak used automated tools to continuously clone public GitHub repositories and search for exposed AWS keys. Once exposed keys were found, the perpetrators conducted reconnaissance on associated AWS accounts and created multiple EC2 instances in different AWS regions. The attackers then downloaded a payload for Monero cryptocurrency mining.

Despite Amazon's quarantine measures, the campaign continued to exploit exposed keys. Palo Alto Networks recommended that organizations immediately revoke API connections tied to exposed AWS IAM credentials and generate new ones. Using short-lived credentials for dynamic operations in production environments was also advised. 
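The campaign above works because keys land in public repositories in the first place. The following is an added example (not XM Cyber's or Palo Alto Networks' code) of the defender's side of that race: a small pre-commit style scanner that looks for AWS access key IDs and nearby 40-character secrets in files before they are pushed. The file contents are constructed for the example, the credential values are AWS's documented placeholder credentials, and the secret-key pattern is a heuristic of my own, not an official format check.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the kind of content that ends up committed by mistake.
# The key values are AWS's documented placeholder credentials, not real ones.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Run `aws sts get-caller-identity` to check which identity you use.\n",
    ".env": "AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLE00\nAWS_SESSION_TOKEN=...\n",
}


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str  # the full secret is never printed or logged


# Long-term (AKIA) and temporary (ASIA) access key IDs share a fixed shape.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret keys are 40 base64-like characters. Requiring a nearby "secret" hint
# keeps false positives down; this is a heuristic, not an exact format check.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[^\n]{0,30}?['\"]?(?P<secret>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value: str) -> str:
    """Keep only the first and last four characters so a hit can be matched to a key."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per credential-shaped token in the text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_secret_access_key", redact(m.group("secret"))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> content (what a pre-commit hook would feed in)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    # A non-zero exit blocks the commit when wired in as a hook.
    raise SystemExit(1 if hits else 0)
```

Any key this flags should be treated as already exposed once it has left the developer's machine: the advice in the write-up above (revoke, re-issue, prefer short-lived credentials) still applies, the scanner only shortens the window.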

Critical Cisco IOS XE Vulnerability Exploit Code Publicly Released

Researchers publicly released exploit code for a critical Cisco IOS XE vulnerability (CVE-2023-20198, discussed in last week’s issue of Exposures, Exposed!). This vulnerability was discovered by Cisco during the resolution of multiple Technical Assistance Center support cases and is actively being exploited by threat actors.

CVE-2023-20198 allows remote, unauthenticated attackers to potentially gain administrator privileges (creating an account on affected systems with privilege level 15 access) and take control of vulnerable routers. Cisco warned of active exploitation of this vulnerability for affected systems that are exposed to the internet or untrusted networks. It affects both physical and virtual devices that have the Web User Interface (Web UI) feature enabled and use the HTTP or HTTPS Server feature.

Security firms have reported that thousands of Cisco IOS XE devices have thus far been compromised by attackers exploiting this vulnerability. Cisco advises administrators to disable the HTTP Server feature on internet-facing systems and has provided commands for doing so. The company also includes Indicators of Compromise (IoCs) in its advisory.

Researchers at Horizon3.ai have also published technical details about the vulnerability, along with the proof-of-concept exploit code, increasing the urgency for affected organizations to address this critical issue.
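Cisco's advice is to turn off the HTTP Server feature on internet-facing devices, and the IOS commands for that are `no ip http server` and `no ip http secure-server`. As an added example (not Cisco's or XM Cyber's code), the script below audits saved `show running-config` output for the exposed state and treats a device with no `ip http` line at all as "unknown" rather than "safe", since the platform default then applies. Both configuration texts are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show running-config` output: Web UI reachable over
# both HTTP and HTTPS (the exposed state).
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
!
end
"""

# The same device after applying the vendor-recommended mitigation.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
!
end
"""

# Matches the enable and the negated ("no ...") form of both server lines.
HTTP_LINE = re.compile(
    r"^(?P<neg>no )?ip http (?P<svc>server|secure-server)\s*$", re.MULTILINE
)


def http_services(config: str) -> Dict[str, Optional[bool]]:
    """Map each HTTP service to True (enabled), False (disabled) or None (not in config)."""
    state: Dict[str, Optional[bool]] = {"server": None, "secure-server": None}
    for m in HTTP_LINE.finditer(config):
        state[m.group("svc")] = m.group("neg") is None
    return state


def audit(config: str) -> List[str]:
    """Return one finding per service that is enabled or cannot be confirmed off."""
    findings: List[str] = []
    for svc, enabled in http_services(config).items():
        if enabled is True:
            findings.append(
                f"ip http {svc} is enabled: Web UI reachable; "
                f"apply 'no ip http {svc}' on internet-facing devices"
            )
        elif enabled is None:
            findings.append(
                f"ip http {svc} absent from config: platform default applies; "
                "confirm the running state on the device"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for line in audit(cfg) or ["no findings"]:
            print("  " + line)
```

Disabling the Web UI changes device behaviour for anything that depends on it, so the output is a worklist for the network team rather than a change to push automatically.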

Severe Security Flaws in NGINX Ingress Controller for Kubernetes

Three high-severity security flaws in the NGINX Ingress controller for Kubernetes were disclosed, which could allow threat actors to steal secret credentials from Kubernetes clusters. The vulnerabilities are as follows:

  1. CVE-2022-4886 - Path sanitization bypass allowing obtaining ingress-nginx controller credentials
  2. CVE-2023-5043 - Annotation injection leading to arbitrary command execution
  3. CVE-2023-5044 - Code injection via the nginx.ingress.kubernetes.io/permanent-redirect annotation

Exploiting these vulnerabilities would enable an attacker to manipulate the Ingress object's configuration to steal sensitive cluster credentials, potentially leading to unauthorized access to data. Moreover, CVE-2022-4886 could allow an attacker to siphon Kubernetes API credentials owing to a lack of validation in the "spec.rules[].http.paths[].path" field.

To mitigate these flaws, the software’s maintainers released several fixes and workarounds. Notably, enabling the "strict-validate-path-type" option and setting the "--enable-annotation-validation" flag helps prevent the creation of Ingress objects with invalid characters and enforces additional restrictions.
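The two controller settings above reject bad Ingress objects at admission time. As an added example (not the ingress-nginx project's or XM Cyber's code), here is a pre-admission lint for Ingress manifests that applies the same two ideas in CI: an allowlist for `spec.rules[].http.paths[].path` on Exact and Prefix paths, and a check that `nginx.ingress.kubernetes.io/` annotation values cannot break out of the directive they are rendered into. The allowlist regex and the unsafe-character set are my own conservative approximations, not the controller's rules, and both manifests are constructed for the example.

```python
import re
from typing import Any, Dict, List

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Characters that let an annotation value escape the NGINX directive it is
# rendered into: newline and ';' end a directive, '{' and '}' open or close a
# block. Heuristic chosen for this example; '$' is left out because some
# annotations (e.g. rewrite-target) use capture references legitimately.
UNSAFE_ANNOTATION_CHARS = "\n;{}"

# Allowlist for Exact/Prefix paths: plain URL path characters only.
# A conservative approximation, not ingress-nginx's own validation regex.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9._~!&'()*+,=:@%/-]*$")

# Constructed manifest with all three problems this lint looks for.
BAD_INGRESS: Dict[str, Any] = {
    "metadata": {
        "name": "web",
        "annotations": {
            ANNOTATION_PREFIX + "permanent-redirect": "https://example.com/;\ninjected on",
        },
    },
    "spec": {"rules": [{"host": "web.example.com", "http": {"paths": [
        {"path": "/api/$escaped", "pathType": "Prefix",
         "backend": {"service": {"name": "api", "port": {"number": 80}}}},
        {"path": "/ok", "pathType": "Prefix",
         "backend": {"service": {"name": "web", "port": {"number": 80}}}},
        {"path": "/legacy(/|$)(.*)", "pathType": "ImplementationSpecific",
         "backend": {"service": {"name": "legacy", "port": {"number": 80}}}},
    ]}}]},
}

# Constructed manifest that should pass cleanly.
GOOD_INGRESS: Dict[str, Any] = {
    "metadata": {"name": "web", "annotations": {ANNOTATION_PREFIX + "ssl-redirect": "true"}},
    "spec": {"rules": [{"host": "web.example.com", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "web", "port": {"number": 80}}}},
    ]}}]},
}


def audit_ingress(ingress: Dict[str, Any]) -> List[str]:
    """Return one finding per unsafe annotation value or questionable path."""
    findings: List[str] = []
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")

    for key, value in meta.get("annotations", {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        bad = sorted({c for c in str(value) if c in UNSAFE_ANNOTATION_CHARS})
        if bad:
            findings.append(f"{name}: annotation {key} contains unsafe characters {bad!r}")

    for rule in ingress.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            path = p.get("path", "")
            ptype = p.get("pathType", "ImplementationSpecific")
            if ptype in ("Exact", "Prefix"):
                if not SAFE_PATH_RE.match(path):
                    findings.append(
                        f"{name}: {ptype} path {path!r} has characters outside the URL-path allowlist"
                    )
            else:
                # strict-validate-path-type only covers Exact and Prefix paths.
                findings.append(
                    f"{name}: path {path!r} is ImplementationSpecific and is not covered "
                    "by strict-validate-path-type; review manually"
                )
    return findings


if __name__ == "__main__":
    for label, obj in (("bad", BAD_INGRESS), ("good", GOOD_INGRESS)):
        print(f"[{label}]")
        for line in audit_ingress(obj) or ["no findings"]:
            print("  " + line)
```

Running this in CI catches manifests before they reach the cluster; the controller-side flags remain the real enforcement point, because anyone with rights to create Ingress objects can bypass a CI check.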

That’s all for this week – have any exposures to add to our list? Let us know!
