Get the TIGR Threat Watch and Bulletin

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc Threat Bulletins in case of critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation/remediation.

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

Critical Remote Code Execution Vulnerability in Splunk

A critical remote code execution (RCE) vulnerability, CVE-2023-46214, exists in Splunk Enterprise versions before 9.0.7 and 9.1.2 due to insufficient sanitization of user-supplied extensible stylesheet language transformations (XSLT). An attacker can execute arbitrary commands on a vulnerable Splunk server by uploading a malicious XSLT file and triggering its transformation. This grants the attacker unauthorized remote access and control.

Impact: This vulnerability severely threatens organizations relying on Splunk for log analysis and data processing. Successful exploitation could result in unauthorized access and control over systems processing extensive data volumes. The compromise of Splunk instances could lead to data breaches, loss of data integrity, and potential disruptions to critical IT infrastructures. Thousands of publicly exposed instances are searchable by attackers due to Splunk’s widespread use, heightening the risk of malicious exploitation.

Recommendation: Splunk has released patches for CVE-2023-46214 in versions 9.0.7 and 9.1.2. Organizations using vulnerable Splunk Enterprise versions should update as soon as possible.
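To turn the version ranges in this entry into a repeatable inventory check, here is an added triage helper (not Splunk's tooling, and not part of the original bulletin). It assumes the advisory's two fixed releases apply per branch (9.0.x fixed at 9.0.7, 9.1.x fixed at 9.1.2) and treats any other branch as unlisted rather than safe; the host inventory is constructed.

```python
# Hypothetical triage helper (not Splunk's own tooling): decide whether a
# Splunk Enterprise version string falls before the fixed releases named in
# the advisory, 9.0.7 on the 9.0 branch and 9.1.2 on the 9.1 branch.
FIXED_IN = {(9, 0): (9, 0, 7), (9, 1): (9, 1, 2)}  # from the advisory above


def parse_version(text):
    """'9.0.4.1' -> (9, 0, 4, 1); rejects anything that is not dotted integers."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable Splunk version: {text!r}") from exc


def cve_2023_46214_status(version):
    """Return 'vulnerable', 'fixed' or 'unlisted' for one version string.

    'unlisted' covers branches the advisory does not name (e.g. 8.2.x), which
    must be checked against the vendor advisory rather than assumed safe.
    """
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "unlisted"
    # Tuple comparison handles 4-part builds such as 9.0.6.1 correctly.
    return "fixed" if v >= fixed else "vulnerable"


def triage(inventory):
    """inventory: {hostname: version} -> {hostname: status}."""
    return {host: cve_2023_46214_status(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = {
    "splunk-idx-01": "9.0.5",
    "splunk-sh-01": "9.1.2",
    "splunk-idx-02": "9.0.7.1",
    "splunk-legacy": "8.2.9",
}
```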

Okta Data Breach Scope Expanded to Include All Customer Support Users

In the aftermath of a security incident disclosed by Okta in October 2023 regarding their customer support management system (Okta Help Center), Okta Security has identified additional information that may impact customer security. The team initially believed that only 134, or less than 1%, of Okta’s customers were affected by this data breach. However, a review on November 3 discovered that the threat actor accessed and downloaded a report on September 28, 2023, containing names and email addresses of all Okta customer support system users. This incident affects all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, excluding those in FedRAMP High and DoD IL4 environments. While the downloaded report does not include user credentials or sensitive data for 99.6% of users, it poses an increased risk of phishing and social engineering attacks.

Impact: The security incident involves a threat actor downloading a report from Okta’s customer support system, compromising users’ names and email addresses. Although the downloaded report lacks sensitive personal data for most users, there is a heightened concern for targeted phishing and social engineering attacks with the potential for threat actors to exploit the acquired information.

Recommendation: All Okta customers should implement Multi-Factor Authentication (MFA) for admin access, with a particular emphasis on enrolling administrative users in phishing-resistant authenticators such as FIDO2 WebAuthn or a smart card. Okta also encourages its users to deploy two early-access features called “Admin Session Binding” and “Admin Session Timeout”; more information can be found in the original article.

Google Releases Patch for Actively Exploited Integer Overflow Vulnerability in Chrome

A new CVE, tracked as CVE-2023-6345, has been addressed by Google in recent updates for its Chrome browser. The vulnerability is an integer overflow bug in the open-source graphics library Skia. This graphics engine is also used in ChromeOS, Android, and Flutter products. First discovered by Google’s Threat Analysis Group, the company is aware of this CVE and its potential for exploitation. However, it has not disclosed much additional information, to avoid enabling exploitation before most users have installed the update.

Impact: CVE-2023-6345, if exploited, may lead to adverse events ranging from crashes to arbitrary code execution.

Recommendation: Google has released patches for this CVE in Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux. Users should update their Chrome applications as soon as possible. This version also addresses six other security flaws in Chrome. Other Chromium browsers, including Microsoft Edge, Opera, Brave, and Vivaldi, should also be updated as soon as patches are available.

🚩Pro-Russian Hacker Group Actively Scanning for SharePoint Servers to Exploit CVE-2023-29357

Security researchers at the SANS Institute have observed active attempts by Russian threat actors to exploit a critical vulnerability in SharePoint, identified as CVE-2023-29357. This exploit, combined with CVE-2023-24955, enables remote code execution by bypassing authentication. The attackers focus on the /_api/web/siteusers URL in SharePoint servers to identify and impersonate admin users, allowing unauthorized access and control over the systems.

Impact: Successful exploit attempts of these SharePoint vulnerabilities can lead to unauthorized system access, data breaches, and potentially full system control by the attackers, posing significant risks to organizational security and data integrity.

Recommendation: Organizations should promptly apply all relevant Microsoft patches, especially for CVE-2023-29357 and CVE-2023-24955. The patches can be found here and here.
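Because the entry names the /_api/web/siteusers endpoint the scanners target, a defender can hunt for it in existing IIS logs. The script below is an added example (not from SRA or the SANS write-up): it parses the standard IIS W3C format using the #Fields header, flags every request to that endpoint, and rates anonymous hits (cs-username "-") as high severity because a legitimate client normally reaches this REST endpoint with an authenticated session. The log excerpt is constructed, not real traffic.

```python
# Hypothetical detection script (not from SRA or SANS): flag requests to the
# SharePoint /_api/web/siteusers endpoint in IIS W3C logs. Assumes the standard
# '#Fields:' header; the log excerpt below is constructed, not real traffic.
from collections import Counter

WATCHED_PREFIX = "/_api/web/siteusers"  # endpoint named in the advisory

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-11-28 09:14:02 10.0.0.5 GET /_api/web/siteusers - 443 - 203.0.113.7 python-requests/2.31 200
2023-11-28 09:14:03 10.0.0.5 GET /_api/Web/SiteUsers - 443 - 203.0.113.7 python-requests/2.31 200
2023-11-28 09:15:10 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\jdoe 10.0.12.9 Mozilla/5.0 200
2023-11-28 09:16:44 10.0.0.5 GET /_api/web/siteusers - 443 CORP\\admin 10.0.12.40 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_siteusers_probes(text):
    """Return (findings, hits per client IP) for requests to the watched endpoint.

    Anonymous hits (cs-username '-') get severity 'high': a normal client reaches
    this REST endpoint with an authenticated session, so an unauthenticated 200
    is the pattern worth alerting on. Authenticated hits are left for review.
    """
    findings, per_ip = [], Counter()
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(WATCHED_PREFIX):
            continue  # compare case-insensitively: IIS paths are not case sensitive
        per_ip[rec["c-ip"]] += 1
        findings.append({
            "time": rec["date"] + " " + rec["time"],
            "client": rec["c-ip"],
            "status": rec["sc-status"],
            "severity": "high" if rec["cs-username"] == "-" else "review",
        })
    return findings, per_ip
```

Point it at a real W3C log by replacing SAMPLE_LOG with the file contents; repeated high-severity hits from one client address are the scanning pattern described above.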

Three Vulnerabilities, Including SSRF and RCE, Found in Anyscale’s ‘Ray’ Unified Compute Framework

Security researchers at Bishop Fox have released a report on three vulnerabilities in the open-source software Ray, which is used to manage computing clusters for AI and Python workloads. The vulnerabilities are CVE-2023-48023, a critical remote code execution vulnerability that allows remote unauthenticated attackers to submit arbitrary commands for execution; CVE-2023-48022, a server-side request forgery that allows remote unauthenticated attackers to obtain AWS credentials via the AWS metadata API; and CVE-2023-6021, a vulnerability that allows an unauthenticated remote attacker to read files on the worker node, including sensitive files such as keys.

Impact: Any of these three vulnerabilities would allow an attacker to access the entire cluster’s resources. This could be used to exfiltrate sensitive information that the cluster is processing, copy intellectual property or mine cryptocurrency. These compromises would likely lead to loss of data confidentiality and high cloud provider bills. Additionally, exploitation of CVE-2023-48022 could allow attackers to compromise additional cloud resources with the credentials retrieved from AWS’s metadata API.

International Operation Dismantles Major Ransomware Group in Ukraine

In a significant collaborative effort, law enforcement from seven countries, supported by Europol and Eurojust, apprehended core members of a ransomware group in Ukraine. The group has deployed ransomware such as LockerGoga, MegaCortex, HIVE, and Dharma in cyber attacks across 71 countries to encrypt the servers of over 250 major corporations. Law enforcement coordinated raids at 30 locations and arrested the group’s leader and four others during an operation on November 21. In addition to the arrests, authorities seized substantial assets, including computer equipment, electronic media, and cryptocurrency.

Impact: The group’s leader and several key members were arrested for their roles in major ransomware operations against organizations across 71 countries. The arrest of the individuals and the seizure of their assets disrupts their current and future ransomware operations.

Recommendation: Organizations should continue to remain vigilant and report actual and suspected threats in their environments to authorities. This can aid law enforcement with their investigations, leading to charges against threat actors and the takedown of malicious infrastructure.

Sign up here!

To receive the threat bulletin and critical vulnerability notifications, simply complete the form below.

Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS!

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/blog/category/tigr/feed

Threat Bulletin Archive

Interested in what we do?

Explore our Advisory Services to learn how our team can help improve your cyber program.