Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: Remember that patch management is a moving target
This week’s news articles provide a reminder that vulnerability management is often more complex than “just applying a patch”. Once technical details of vulnerabilities have been published in company forums or researcher blogs, threat actors are always quick to explore novel ways of exploiting those bugs. By all means react quickly to take mitigation steps and apply patches, but be sure to follow up on current exploits to see if threat vectors may have changed.
Microsoft issues warning about zero-day vulnerability in Internet Explorer component
Microsoft has issued a bulletin warning about a zero-day remote code execution vulnerability in MSHTML (the main HTML component of the Internet Explorer browser). In a blog post on September 7, Microsoft cautioned that the flaw could be leveraged by remote, unauthenticated attackers to execute code on a target system.
Attackers have developed Microsoft Office documents, primarily Word, Excel, and RTF files, containing malicious ActiveX controls as delivery mechanisms to exploit the vulnerability in the wild. Worse yet, as technical details of the bug have circulated in recent days, researchers have determined ways to launch attacks even without using ActiveX.
Microsoft Defender now provides detection and protection for the vulnerability. Until a patch is released, Microsoft has advised system administrators to disable ActiveX in Internet Explorer to mitigate the risk, and a current article in Bleeping Computer outlines additional defensive measures to take as new exploit methods emerge.
Zoho issues critical patch advisory for ManageEngine
On September 9, software manufacturer Zoho issued an urgent patch advisory for its ADSelfService Plus software. Characterizing the bug as “critical”, Zoho urged customers to patch their installations as soon as possible, as the vulnerability is actively being exploited in the wild.
Tracked as CVE-2021-40539, the bug resides in the REST API URLs of ADSelfService Plus and could allow an attacker to bypass authentication, achieve remote code execution (RCE) and even take full control of a compromised system.
The flaw affects all versions of ADSelfService Plus up to and including release 6113. The bug has been fixed in release 6114 and all subsequent versions. The Zoho advisory provides complete details and IOCs for the vulnerability.
Thousands of Confluence servers remain unpatched after critical vulnerability announcement
Despite announcements from Atlassian and the U.S. Cyber Command (USCYBERCOM), thousands of Confluence servers remain unpatched and exposed on the Internet.
As of September 8, over 8100 server instances worldwide still remained vulnerable to a critical flaw in Atlassian’s Confluence software, according to the most recent scans by security firm Censys.
The vulnerability is described as “an OGNL injection vulnerability”; because OGNL has the ability to create or change executable code, the bug offers the potential for threat actors to compromise unpatched Atlassian Confluence Server and Confluence Data Centre products, even without local authentication.
The vulnerability, which has been assigned a critical CVSS severity rating of 9.8 out of 10, affects Confluence Server and Data Centre versions up to version 6.13.23; from version 6.14.0 to before 7.4.11; from version 7.5.0 to before 7.11.6; and from version 7.12.0 to before 7.12.5. Only on-premises instances of Confluence are affected; Confluence Cloud implementations are not.
While the vulnerability was first announced in July, the scope and potential impact of the bug were not fully communicated until an update to the bulletin in late August. “This vulnerability is being actively exploited in the wild. Affected servers should be patched immediately,” Atlassian warns in its latest announcement.
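Because the affected Confluence builds are spread across four separate version ranges, checking an inventory by eye (or with a plain string comparison, which ranks "7.4.9" above "7.4.11") is error-prone. The following Python script is an added illustration, not code from ISA Cybersecurity or Atlassian: it transcribes the ranges quoted above into numeric tuples, reports the first fixed build for each affected host, and flags entries it cannot parse for manual review instead of treating them as safe. The hostnames and versions in the sample inventory are constructed, and the first range (given above only as "up to version 6.13.23") is assumed to end at 6.13.23 exclusively, like the other three; confirm that against Atlassian's advisory for your deployment.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges transcribed from the advisory summary above:
# (inclusive lower bound or None, exclusive upper bound). The upper bound of
# each range is the first fixed build. ASSUMPTION: the first range, given in
# the text as "up to version 6.13.23", is treated like the others, so 6.13.23
# itself counts as fixed; adjust if the vendor advisory says otherwise.
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]


def parse_version(text: str) -> Version:
    """Turn '7.4.10' into (7, 4, 10) so that tuples compare numerically.
    Anything that is not dotted integers (e.g. '7.11.6-rc1') is rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def first_fixed_version(version: str) -> Optional[str]:
    """Return the build to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return format_version(upper)
    return None


def is_affected(version: str) -> bool:
    return first_fixed_version(version) is not None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a one-line status. Unparseable entries are flagged
    for manual review rather than silently treated as not affected."""
    report: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            fix = first_fixed_version(version)
        except ValueError:
            report[host] = "unparseable version; review manually"
            continue
        report[host] = f"affected; upgrade to {fix}" if fix else "not affected"
    return report


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "wiki-prod-01": "7.4.10",
    "wiki-prod-02": "7.4.11",
    "wiki-legacy": "6.13.22",
    "wiki-dev": "7.12.5",
    "wiki-old-beta": "7.11.6-rc1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {SAMPLE_INVENTORY[host]:12s} {status}")
```

Feeding the script a real inventory (for example, the version strings scraped from each instance's login page or taken from a CMDB export) gives a patch list with the exact target build per host, which is the follow-up this week's CyberTip is asking for.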
REvil ransomware gang returns
Dormant for about two months, the REvil ransomware gang looks to be back in business. The threat actors, in operation since 2019, appeared to have shut down operations after compromising Kaseya’s VSA remote monitoring and network management software. REvil’s July 2 attack via VSA affected some 1500 businesses around the world, most of them through managed service providers using the software. At the time, REvil had demanded $50 million (all figures USD) for a universal decryption key for all Kaseya victims, $5 million to decrypt an individual MSP’s operation, and a single ransom payment of $44,999 for any individual, downstream victim.
The attack drew so much global attention that the REvil gang shut down operations on July 13, ostensibly to avoid prosecution by international law enforcement. Shortly afterwards, Kaseya announced that they had secured a decryption key from an unidentified third party.
On September 7, however, REvil’s dark web payment and data leak sites suddenly came back to life. By September 8, all prior victims had their timers reset, and it appeared that their ransom demands remained unchanged from when the ransomware gang shut down in July. On September 9, new REvil ransomware samples began appearing on anti-malware services, and on September 11, the gang published screenshots of data allegedly stolen from a new victim on their data leak site.
For security administrators interested in a deeper dive on the REvil gang and their tactics, Palo Alto has published a comprehensive reference guide.