Exposures, Exposed! Weekly Round-up November 19-24

Step into the world of “Exposures, Exposed!” - your weekly Guide for the Perplexed in the constantly shifting landscape of cyber risk. Each week our team delves into the depths of cybersecurity and handpicks the latest and most pertinent exposure incidents to present to you.

Here's what we’ve got for you this week:


Citrix Bleed 1: LockBit and Others Exploit Flaw, Hijack Sessions

Multiple threat actors are actively exploiting a critical security flaw in Citrix NetScaler ADC and Gateway appliances. A joint advisory issued by CISA, FBI, MS-ISAC, and ASD's ACSC highlights the vulnerability, which has been dubbed Citrix Bleed. The flaw has already been used by LockBit 3.0 affiliates to bypass passwords and multifactor authentication (MFA) and hijack legitimate user sessions.

Successful exploitation lets attackers elevate permissions, harvest credentials, and access data. The vulnerability, tracked as CVE-2023-4966, was exploited as a zero-day from August 2023 before Citrix released a patch in October 2023.

CISA warns of the ease with which the vulnerability can enable authentication bypass – leading to session hijacking, elevated access and data compromise. LockBit 3.0 affiliates have already exploited this flaw when targeting major entities like Boeing, DP World, and ICBC.


Citrix Bleed 2: Citrix Urges Session Termination Post-Patching Critical Vulnerability

Citrix has advised administrators to terminate all active and persistent user sessions on NetScaler appliances after patching against the Citrix Bleed vulnerability. The company urges immediate upgrades to fixed versions and recommends executing specific commands to clear sessions post-upgrade.

The vulnerability allows session hijacking that bypasses multifactor authentication. Mandiant observed it being exploited as a zero-day since August 2023 and warned that hijacked sessions can persist even after patching. The reason: the patch stops new session tokens from leaking, but it does not invalidate tokens that were already stolen, so attackers who captured session data before the patch can keep using it after the update, potentially gaining further access within affected environments.

Both CISA and Citrix reiterated that patching alone is not sufficient: terminating active and persistent sessions after the upgrade is what actually cuts off attackers who already hold valid session tokens. It is a reminder that a vulnerability exploited before the fix is not fully remediated by the fix alone.
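The post-upgrade session purge in script form, as an added example that is not code from the original post, from Citrix, or from XM Cyber: the five NetScaler CLI commands are the ones Citrix published for this advisory; logging in as nsroot over SSH to the appliance's NSIP, and the verification step, are this example's assumptions.

```shell
#!/bin/sh
# Added example (not Citrix's or XM Cyber's code): purge NetScaler sessions
# after upgrading past CVE-2023-4966. The five CLI commands are the ones
# Citrix published; the nsroot SSH login to the NSIP is an assumption.

# Print the session-purge commands, one per line, for review or for piping.
netscaler_purge_commands() {
    cat <<'EOF'
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
EOF
}

# Run each purge command on one appliance. The nsroot login lands directly in
# the NetScaler CLI, so each line is passed as a CLI command.
# Usage: purge_netscaler_sessions <nsip>
purge_netscaler_sessions() {
    nsip="$1"
    [ -n "$nsip" ] || { echo "usage: purge_netscaler_sessions <nsip>" >&2; return 2; }
    netscaler_purge_commands | while IFS= read -r cmd; do
        echo "[$nsip] $cmd"
        ssh "nsroot@$nsip" "$cmd" || return 1
    done
}

# Show what is left afterwards: expect no AAA sessions and no persistence
# entries for the purge to have done its job. Usage: verify_netscaler_sessions <nsip>
verify_netscaler_sessions() {
    nsip="$1"
    [ -n "$nsip" ] || { echo "usage: verify_netscaler_sessions <nsip>" >&2; return 2; }
    ssh "nsroot@$nsip" "show aaa session"
    ssh "nsroot@$nsip" "show lb persistentSessions"
}
```

Run the purge only after the appliance is on a fixed build; run on a vulnerable build it just disconnects users while the token leak continues. The `kill ... -all` commands drop every current user, so schedule the step, and repeat it on each appliance that terminates user sessions.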


Kinsing Exploits Critical Apache ActiveMQ Flaw, Targets Linux

The Kinsing threat actors are actively exploiting a critical vulnerability in Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits, causing significant damage and performance degradation.

Kinsing, known for targeting misconfigured containerized environments, adapts quickly to exploit new flaws in web applications, usually to breach networks or install crypto miners. Recently the group exploited CVE-2023-46604 in Apache ActiveMQ, a remote code execution flaw, to download and install its malware. That malware then fetches further payloads from an actor-controlled domain and kills any competing cryptocurrency miners already running on the infected host.

Kinsing deepens its foothold by registering its rootkit in /etc/ld.so.preload, which makes the dynamic loader inject the library into every dynamically linked process on the host and lets the rootkit hide its activity system-wide. Organizations running affected Apache ActiveMQ versions are strongly advised to update to patched versions promptly.
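A quick audit of /etc/ld.so.preload, as an added example that is not code from the original post or from XM Cyber: it lists every preload entry and flags paths that live outside the system library directories, paths that no longer exist, and (on dpkg-based systems) libraries in a library directory that no package owns. The trusted-directory list and the sample entries in the test are this example's assumptions, not indicators from the Kinsing reports.

```shell
#!/bin/sh
# Added example (not XM Cyber's code): audit a preload file for entries a
# rootkit like Kinsing's would add. The set of "trusted" library directories
# below is an assumption; adjust it for your distribution.

# Print one "<status> <path>" line per preload entry. Status is one of:
#   ok        - in a system library directory and (if checkable) package-owned
#   unowned   - in a system library directory but not shipped by any package
#   missing   - path does not exist on disk (stale or already-removed entry)
#   untrusted - anywhere else (/etc, /tmp, /dev/shm, home directories, ...)
# Usage: audit_ld_preload [file]   (default: /etc/ld.so.preload)
audit_ld_preload() {
    file="${1:-/etc/ld.so.preload}"
    [ -f "$file" ] || return 0          # nothing preloaded: nothing to audit
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blank/comment-style lines
        # ld.so accepts several paths per line, whitespace separated.
        for entry in $line; do
            status=untrusted
            case "$entry" in
                /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) status=ok ;;
            esac
            if [ ! -e "$entry" ]; then
                status=missing
            elif [ "$status" = ok ] && command -v dpkg-query >/dev/null 2>&1 \
                 && ! dpkg-query -S "$entry" >/dev/null 2>&1; then
                status=unowned
            fi
            echo "$status $entry"
        done
    done < "$file"
}

# Succeed only when every entry is "ok" (or the file is absent/empty).
# Usage: preload_is_clean [file]
preload_is_clean() {
    out=$(audit_ld_preload "$1")
    [ -z "$out" ] || ! printf '%s\n' "$out" | grep -qv '^ok '
}

# Constructed sample for a stand-alone run; a real audit takes no argument.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '%s\n' /etc/libsystem-example.so /usr/lib/libc-example.so > "$demo"
    audit_ld_preload "$demo"
    rm -f "$demo"
fi
```

An "ok" verdict means the entry is where a library is expected and, where dpkg is present, belongs to a package; it does not prove the file is unmodified, so follow up with `dpkg --verify` or `rpm -V` on anything that should not be preloaded at all. On a host that has no reason to preload anything, the file should simply not exist.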

Check out our article on this same vulnerability and how XM Cyber is addressing it here.


CISA Lists Looney Tunables Flaw; Kinsing Exploit Evolves

The U.S. CISA has added the Looney Tunables Linux vulnerability (CVE-2023-4911) to its Known Exploited Vulnerabilities catalog. The flaw, disclosed by researchers at Qualys, is a buffer overflow in the GNU C Library’s dynamic loader, ld.so, triggered while it processes the GLIBC_TUNABLES environment variable, and it lets a local attacker execute code with elevated privileges.

The vulnerability affects numerous Linux distributions, including Debian, Fedora, and Ubuntu, and allows an unprivileged local user to escalate to full root access. The CISA directive requires federal agencies to remediate it by December 12, 2023.

Kinsing actors have already been observed attempting to exploit this vulnerability in cloud environments, signalling an expansion of their tactics beyond previous exploits like PHPUnit (CVE-2017-9841) and automated cryptocurrency mining. Their shift to manual testing, the departure from their usual methods, and the use of a Python-based Linux local privilege escalation exploit show an evolving playbook.

That’s all for this week – have any exposures to add to our list? Let us know!


Ready to learn more about how to get started with your own CTEM program? Download the whitepaper today!

Rosanne Boik

Sales Executive at Relation Insurance

1 year

As I sell more Cyber Insurance, the premiums are not as high as you would think. Please consider this coverage!
