Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

On October 4, 2023, Atlassian issued a security advisory revealing potential active exploitation of a previously unknown vulnerability (CVE-2023-22515, CVSS: 10) affecting Confluence Data Center and Server instances that are on-premises. This vulnerability can enable an unauthenticated, anonymous remote threat actor to escalate privileges by creating unauthorized Confluence administrator accounts and accessing Confluence instances across multiple versions of Confluence Data Center and Server.

On October 4, 2023, Cisco published a security advisory disclosing a critical authentication bypass vulnerability (CVE-2023-20101, CVSS: 9.8) in Cisco Emergency Responder. CVE-2023-20101 allows an unauthenticated, remote threat actor to utilize the root account (this account by default has hard coded credentials that cannot be altered) to log into an affected device.

Security orchestration, automation, and response (SOAR) has an opportunity to be a game changer in how we tackle cyber risk, but there is a significant disconnect between the promises made by existing SOAR platforms and how organizations are able to realize their real-world operational and cost-saving efficiencies. All those automations that promise to eliminate late hours working on mundane stuff. All the orchestrations that promise to get things done faster.

On September 7, 2023, Apple released emergency security updates to fix a buffer overflow vulnerability (CVE-2023-41064) impacting macOS, iOS, iPadOS, and watchOS products that was used in a zero-click exploitation chain by the NSO Group. Shortly after, on September 11, 2023, Google released an update to fix a buffer overflow vulnerability (CVE-2023-4863) in Google Chrome, which was reported by Apple’s Security Engineering and Architecture (SEAR) and Citizen Lab.

On September 27, 2023, Progress Software released a security advisory detailing multiple vulnerabilities in their WS_FTP Server product, including two with a critical severity rating. CVE-2023-40044 (CVSS 10) is a deserialization vulnerability that affects the Ad Hoc Transfer module and could allow a threat actor to obtain remote code execution if successfully exploited.

On October 2, 2023, Exim released security fixes for an out-of-bounds write remote code execution (RCE) vulnerability (CVE-2023-42115, CVSS: 9.8). This vulnerability affects the Simple Mail Transfer Protocol (SMTP) service and is caused by improper validation of user input. A threat actor can remotely exploit CVE-2023-42115 by writing data beyond the boundaries of a buffer, which leads to the execution of arbitrary code.

On September 20, 2023, JetBrains published a blog detailing a critical Remote Code Execution (RCE) vulnerability that was identified in TeamCity On-Premises (CVE-2023-42793). This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8 and can allow an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform RCE. All versions of TeamCity On-Premises are affected by this vulnerability.

On September 21, 2023, Apple released emergency security updates to fix three vulnerabilities impacting macOS, iOS, iPadOS, and Safari. Citizen Lab and Google Threat Analysis Group (TAG) observed these three vulnerabilities exploited in an exploit chain against a former Egyptian Member of Parliament to deploy Predator spyware. Predator was developed by Intellexa/Cytrox to perform surveillance on targeted mobile devices.

In the last few weeks, Arctic Wolf Labs has noted an increase in threat activity targeting Okta as an attack vector. The relevant Techniques, Tools, and Procedures (TTPs) span across several different types of attacks. This bulletin will review several key aspects of these attacks.