Widespread Impact on GitLab Instances: GitLab issued an urgent security advisory on January 11, 2024, to address multiple critical vulnerabilities, including CVE-2023-7028 (CVSS score: 10), CVE-2023-5356 (CVSS score: 9.6), and CVE-2023-4812 (CVSS score: 7.6). These vulnerabilities affect both GitLab Community Edition (CE) and Enterprise Edition (EE), impacting millions of users worldwide.
CVE-2023-7028 - Zero-Click Account Hijacking: The most severe vulnerability, CVE-2023-7028, allows attackers to send password reset emails to unverified addresses, leading to potential account takeovers. This vulnerability affects versions from 16.1 prior to 16.1.6, up to 16.7 prior to 16.7.2. Despite the availability of two-factor authentication (2FA), password reset remains possible, although it doesn't directly lead to account takeover due to the second authentication factor.
Additional Critical and High-Severity Flaws: The second critical vulnerability, CVE-2023-5356, enables attackers to abuse Slack/Mattermost integrations for executing commands as another user, posing a significant risk in collaborative environments. The high-severity vulnerability CVE-2023-4812 allows bypassing CODEOWNERS approval in merge requests, potentially compromising code integrity. These vulnerabilities pose risks like intellectual property theft, data leaks, and supply chain attacks.
Urgent Call for Updates and Monitoring: GitLab strongly recommends that all installations be updated to the patched versions immediately. While there's no evidence of active exploitation, the severity and potential impact of these vulnerabilities necessitate swift action. Users should monitor logs for signs of compromise, especially regarding password reset attempts.
Widespread Exploitation of Critical Vulnerabilities: Ivanti disclosed two zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in their Ivanti Connect Secure and Policy Secure gateways on January 10, 2024. These vulnerabilities, exploited in the wild, facilitated unauthenticated remote code execution (RCE) and were used in coordinated attacks to deploy webshells, capture credentials, and pivot further into victim environments.
CVE-2023-46805 and CVE-2024-21887 Details: CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure, rated with a CVSS score of 8.2. CVE-2024-21887 is a command injection vulnerability, also in the web component, with a CVSS score of 9.1. These vulnerabilities affect all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.
UTA0178 Attribution and Malware Deployment: Security firm Volexity attributed these attacks to a threat actor referred to as UTA0178, suspected to be a Chinese nation-state level entity. The attackers deployed custom webshells, dubbed GLASSTOKEN, on both internet-facing and internal assets, enabling them to maintain persistent access and execute commands on compromised devices.
Mitigation and Detection Strategies: Ivanti has provided a mitigation script and advises customers to apply it immediately while patches are being developed. Organizations are urged to conduct network traffic analysis, VPN device log analysis, and execute the Integrity Checker Tool to detect signs of compromise. Anomalous traffic, unauthorized command executions, and tampered logs are strong indicators of a breach.
Mandos Brief GPT
Analyze any cybersecurity topic 100 times faster by focusing on key takeaways and zero noise.
New macOS Backdoor Discovered: Cybersecurity researchers have identified a novel macOS backdoor named SpectralBlur, which has functional overlaps with the KANDYKORN malware, attributed to North Korean threat actors. This backdoor exhibits a range of capabilities, such as file manipulation, shell command execution, and system control based on commands from its command-and-control server.
Capabilities and Modus Operandi: SpectralBlur is designed to upload and download files, execute shell commands, modify its configuration, and even control the host's operational state (hibernation or sleep). Its modus operandi includes hindering analysis and evading detection, notably through the use of grantpt to establish a pseudo-terminal for command execution.
Connection to North Korean Cyber Operations: The resemblance between SpectralBlur and KANDYKORN suggests that they might have been developed by different teams with similar objectives. This aligns with the ongoing trend of North Korean-affiliated threat actors increasingly targeting macOS users, especially in sectors like cryptocurrency and blockchain.
Evasion Techniques and Threat Landscape: The development of SpectralBlur underscores the evolving threat landscape for macOS users. Its sophistication in evading detection and the ability to perform a variety of remote operations make it a significant threat. The malware's discovery is a reminder of the growing focus of state-sponsored actors on macOS platforms, often targeting high-value industries.
YouTube as a Malware Distribution Channel: Threat actors are using YouTube videos promoting cracked software to distribute Lumma Stealer, an information-stealing malware. These videos, disguised as installation guides for pirated applications, contain malicious URLs, often shortened, leading unsuspecting users to download the malware.
Lumma Stealer's Capabilities and Evolution: Lumma Stealer, written in C and sold on underground forums since late 2022, is adept at harvesting and exfiltrating sensitive data. It employs anti-virtual machine and anti-debugging checks before executing its payload. The malware's development reflects the continuous evolution of cyber threats leveraging social engineering tactics.
Growing Trend of Cybercriminals Targeting Popular Platforms: This strategy exemplifies a larger trend where cybercriminals exploit popular platforms like YouTube and Discord to deploy malware. Such tactics allow them to reach a broad audience and leverage the trust users have in these platforms to propagate malicious software.
Critical Need for Vigilance and Security Awareness: The use of YouTube for malware distribution underscores the need for heightened vigilance and security awareness among users. It’s crucial to be cautious of downloading software from unofficial sources, even if they appear in seemingly legitimate YouTube videos.
New Tools for Ransomware Recovery: Cisco Talos and German cybersecurity firm SRLabs have released decryptors for the Tortilla variant of the Babuk ransomware and Black Basta ransomware, respectively. These tools enable victims to regain access to their encrypted files without paying a ransom.
Key Role of Law Enforcement and Cybersecurity Collaboration: The development of these decryptors was facilitated by threat intelligence shared with Dutch law enforcement, leading to an arrest in Amsterdam connected to the ransomware operations. This collaboration underscores the importance of cooperation between cybersecurity experts and law enforcement in combating ransomware threats.
Technical Aspects of Decryptors: For Tortilla ransomware, victims can use a single private key for decryption, shared by Avast. The Black Basta Buster decryptor exploits a cryptographic weakness to recover files, with varying degrees of success based on file size. This highlights the technical complexity and evolving nature of ransomware and corresponding decryption efforts.
Prevention and Vigilance Remain Key: Despite the availability of these decryptors, it's crucial for individuals and organizations to maintain robust cybersecurity practices. Preventing ransomware infections through education, regular backups, and updated security measures is still the most effective strategy against these threats.
Subscribe to the Mandos Way
Join security professionals, CISOs and tech leaders for cybersecurity strategies & weekly Briefs.