The past week saw fewer new cybersecurity vulnerabilities than the onslaught earlier this month, but the latest ones affected tens of thousands of devices, proving that a single vulnerability can have massive repercussions.
A Cisco operating system vulnerability hit more than 50,000 systems. SolarWinds fixed eight high-severity flaws that could allow system control. Okta suffered a breach of its support case management system. And older vulnerabilities continue to be exploited by threat actors, underscoring the need for effective, risk-based patch and vulnerability management.
We also highlight a study by Outpost24 that reveals startling password weaknesses in admin-level IT accounts. The lesson: don’t forget about the basics of security in the midst of patching. There’s plenty to consider in this vulnerability roundup, even if it’s just your IT team’s password habits.
October 16, 2023
Cisco IOS XE vulnerability affects tens of thousands of networking devices
Type of attack: Zero-day vulnerability in IOS XE.
The problem: Cisco Talos warned of a zero-day vulnerability in IOS XE software, which runs on both physical and virtual Cisco devices. More than 50,000 devices appear to have been infected with a malicious implant via a pair of vulnerabilities: CVE-2023-20198, with the highest possible CVSS score of 10.0, and CVE-2023-20273, with a CVSS score of 7.2.
The fix: Cisco recommends that on any system running IOS XE, the HTTP Server feature be disabled on internet-facing devices, or that access to it be restricted to trusted source addresses only. Cisco states that this mitigation should be effective.
A reboot removes the implant, but any user accounts created through it persist and have to be removed separately. The number of visibly infected devices has plummeted in recent days, and some security researchers suspect that the attackers are hiding their traces rather than leaving, and that the devices remain infected.
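To turn Cisco's mitigation advice into something you can check across a fleet, here is an added example (not Cisco tooling) that audits a saved `show running-config` for the HTTP Server feature and proposes the two options the advice describes: disable it, or restrict it to a trusted-address ACL. The config excerpt and the ACL name are constructed, and the `ip http access-class ipv4 <acl>` syntax is assumed; verify it against your IOS XE release.

```python
"""Audit an IOS XE running-config for the web UI exposure Cisco's mitigation
guidance targets. This is an added example, not Cisco tooling; the config and
ACL names below are constructed, and the command syntax is assumed."""
import re

# Constructed running-config excerpt: HTTP and HTTPS servers on, no access-class.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.255.255
 deny   any
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
"""

# Assumed syntax for restricting the web UI to an ACL.
ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")


def audit_http_server(config: str) -> dict:
    """Classify the web UI exposure: disabled, restricted (ACL applied), or exposed."""
    enabled = []
    access_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            enabled.append("http")
        elif line == "ip http secure-server":
            enabled.append("https")
        else:
            m = ACCESS_CLASS_RE.match(line)
            if m:
                access_class = m.group(1)
    if not enabled:
        status = "disabled"
    elif access_class:
        status = "restricted"
    else:
        status = "exposed"
    return {"status": status, "enabled": enabled, "access_class": access_class}


def remediation_commands(finding: dict, trusted_acl: str = None) -> list:
    """Config-mode commands for the two options Cisco describes: disable the
    HTTP Server feature, or restrict it to a trusted-address ACL (assumed
    'ip http access-class ipv4 <acl>' syntax). Nothing to do unless exposed."""
    if finding["status"] != "exposed":
        return []
    if trusted_acl:
        return [f"ip http access-class ipv4 {trusted_acl}"]
    return ["no ip http server", "no ip http secure-server"]


if __name__ == "__main__":
    finding = audit_http_server(SAMPLE_CONFIG)
    print(finding)
    for cmd in remediation_commands(finding):
        print(cmd)
```

Feed it the output of `show running-config` from each device; a "restricted" result still deserves a look at the ACL itself, since an over-broad permit leaves the web UI reachable. Disabling the feature is the safer default where the web UI is not needed at all.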
Atlassian Confluence vulnerability persists
Type of attack: Broken access control vulnerability.
The problem: Confluence Data Center and Server have a broken access control vulnerability (CVE-2023-22515) that we covered two weeks ago. Attackers have exploited it in unpatched instances to create unauthorized administrator accounts and then access those Confluence instances, according to Atlassian.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog in early October, and on October 16 it reissued its patch recommendation jointly with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) because exploitation is ongoing.
The fix: Atlassian recommends updating all affected versions, listed in the bulletin, to versions 8.3.3, 8.4.3, or 8.5.2 of Confluence Data Center and Confluence Server.
October 17, 2023
Outpost24 publishes surprising data on IT admins’ security behavior
Area of research: Extremely weak IT admin passwords.
The problem: Security vendor Outpost24 compiled a list of the most-used IT admin passwords from January to September 2023, surveying a set of 1.8 million passwords compiled from the Threat Compass backend. Included in the top 20 are all of the following:
Passwords like these are often vendor defaults and trivial to guess, and even the ones that are harder to guess can still be brute-forced. Admins should set the example for password hygiene, so the report isn't encouraging. And since many organizations include password strength in their IT security policies, it suggests that admins are failing to apply best practices in the simplest and most important of places.
The fix: Audit existing passwords. A complete admin password overhaul, in which IT admins replace every password with hard-to-guess credentials, is worth considering. And make sure IT admins not only understand security procedures but also follow them; retraining staff on cybersecurity basics may be worthwhile.
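An audit of admin passwords is more than a length check. The following added example (not Outpost24's tooling) scores each credential against the failure modes the report points at: vendor defaults and common strings, reuse of the account name, low character-class variety, and prior breach exposure, the last via SHA-1 comparison against a breach corpus so plaintexts never leave the audit. The deny list, breach corpus and credential set are constructed stand-ins; a real run would load vendor defaults, a top-N list and an offline breach dump.

```python
"""Audit admin account passwords against the failure modes the Outpost24 data
points at: defaults, common strings, account-name reuse, low complexity, and
prior breach exposure. Added example, not Outpost24's tooling; the deny list,
breach corpus and credential set below are constructed stand-ins."""
import hashlib
import re

MIN_LENGTH = 14

# Constructed deny list; a real audit loads vendor defaults plus a top-N list
# (the Outpost24 top 20 is not reproduced here).
DENY_LIST = {"admin", "password", "123456", "welcome1", "p@ssw0rd", "root", "changeme"}

# Constructed stand-in for a breached-password corpus (e.g. an offline HIBP
# dump): uppercase SHA-1 hex digests only, never plaintexts.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in ("Summer2023!", "Qwerty123")
}

# Constructed admin credentials, as an export from a vault would provide them.
SAMPLE_ADMIN_CREDS = {
    "admin": "admin",
    "svc_backup": "Summer2023!",
    "jdoe_adm": "jdoe_adm-Rocks-2023",
    "netops": "tK9#vq2Lm!8pRz4Wx",
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def check_password(username: str, password: str) -> list:
    """Return the list of findings for one credential (empty means it passed)."""
    findings = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if low in DENY_LIST:
        findings.append("on deny list of default/common passwords")
    if username.lower() in low:
        findings.append("contains the account name")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3 and len(password) < 20:
        findings.append("fewer than three character classes")
    if sha1_hex(password) in BREACHED_SHA1:
        findings.append("appears in breached-password corpus")
    return findings


def audit_passwords(creds: dict) -> dict:
    """Return {account: findings} for every account with at least one finding."""
    report = {}
    for username, password in creds.items():
        findings = check_password(username, password)
        if findings:
            report[username] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_passwords(SAMPLE_ADMIN_CREDS).items():
        # Print the account and the findings, never the password itself.
        print(account, "->", "; ".join(findings))
```

The report names accounts and reasons only, so it can be handed to the team without leaking the passwords being audited. Long passphrases are exempted from the character-class rule, since length does more for brute-force resistance than symbol mixing.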
October 18, 2023
SolarWinds patches high-severity remote code execution vulnerabilities in Access Rights Manager
Type of attack: Remote code execution (RCE) with SYSTEM privileges.
The problem: Trend Micro researchers found vulnerabilities in SolarWinds' Access Rights Manager (ARM) software, including remote code execution flaws that could allow an authenticated attacker to elevate privileges and run code with SYSTEM privileges. SolarWinds ARM is a tool for Active Directory provisioning and reporting, audit preparation, and file server access management.
The fix: Access Rights Manager version 2023.2.1 patches the eight high-severity flaws the researchers reported.
North Korean threat groups attack TeamCity servers
Type of attack: Remote code execution vulnerability.
The problem: Beginning in early October, Microsoft observed two North Korean state-sponsored threat groups exploiting a remote code execution vulnerability in JetBrains' TeamCity servers (CVE-2023-42793, which we reported two weeks ago). TeamCity is a developer tool for continuous integration and deployment (CI/CD). In previous attacks, these two groups, known as Diamond Sleet and Onyx Sleet, have breached software build environments, according to Microsoft.
The fix: JetBrains released TeamCity version 2023.05.4 late last month; it should be installed as soon as possible to prevent further exploitation. Beyond applying the update, Microsoft recommends using its published indicators of compromise to assess whether these groups have already infiltrated your environment.
October 20, 2023
Okta’s customer support system breached
Type of attack: Stolen credential used to access Okta’s support system.
The problem: A breach of Okta's technical support case management system let the threat actor view files uploaded to support cases, according to Okta. HAR (HTTP Archive) files, which Okta asks customers to upload for troubleshooting, also record cookies and session tokens. If compromised, those cookies and tokens can be used to impersonate legitimate users, Okta says.
Security vendor BeyondTrust discovered the issue when it found an attacker attempting to use a stolen session cookie to access an Okta admin account. BeyondTrust blocked the attempt itself and said it contacted Okta on October 2, but did not receive acknowledgement of a breach until October 19, when Okta confirmed BeyondTrust was an affected customer.
Okta said that all affected customers had already been notified, and that customers who received no notification had no impact to their support tickets or environments.
The fix: Okta shared a list of indicators of compromise with customers, including some user agents that, while legitimate, are uncommon in Chrome environments.
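The practical lesson for anyone asked to upload a HAR file is to strip the session material before it leaves your hands. The following added example (not Okta's own sanitizer) redacts Cookie, Set-Cookie and Authorization headers plus every parsed cookie value on both the request and response side of each entry, and provides a count you can gate an upload on. The HAR document and token values are constructed placeholders.

```python
"""Redact the session material a HAR file carries before attaching it to a
support case. Added example, not Okta's own sanitizer; the HAR below is
constructed and the token values are placeholders."""
import copy
import json

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

# Constructed HAR (HTTP Archive) with one entry to an admin console.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET",
            "url": "https://admin.example.test/dashboard",
            "headers": [
                {"name": "Host", "value": "admin.example.test"},
                {"name": "Cookie", "value": "sid=constructed-session-id; JSESSIONID=constructed-jsid"},
                {"name": "Authorization", "value": "Bearer constructed-access-token"},
            ],
            "cookies": [{"name": "sid", "value": "constructed-session-id"}],
        },
        "response": {
            "status": 200,
            "headers": [
                {"name": "Content-Type", "value": "text/html"},
                {"name": "Set-Cookie", "value": "sid=constructed-new-id; Path=/; HttpOnly; Secure"},
            ],
            "cookies": [{"name": "sid", "value": "constructed-new-id"}],
        },
    }]}
})


def load_sample_har() -> dict:
    return json.loads(SAMPLE_HAR)


def sanitize_har(har: dict) -> dict:
    """Return a deep copy with cookie, set-cookie and authorization header values
    and every parsed cookie value replaced, on both request and response."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in message.get("cookies", []):
                cookie["value"] = REDACTED
    return out


def count_unredacted_secrets(har: dict) -> int:
    """Count sensitive header and cookie values still present; gate uploads on zero."""
    n = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            n += sum(1 for h in message.get("headers", [])
                     if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED)
            n += sum(1 for c in message.get("cookies", []) if c.get("value") != REDACTED)
    return n


def sanitize_har_text(text: str) -> str:
    """Convenience wrapper for a HAR read from disk."""
    return json.dumps(sanitize_har(json.loads(text)), indent=2)


if __name__ == "__main__":
    original = load_sample_har()
    print("before:", count_unredacted_secrets(original), "secrets")
    clean = sanitize_har(original)
    print("after:", count_unredacted_secrets(clean), "secrets")
```

Headers and cookie arrays are the usual homes for session tokens, but HAR files also capture response bodies and query strings, which can carry tokens of their own; a sanitizer used in production should scrub `content.text` and `queryString` too, or drop bodies entirely when the support case does not need them.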
“Security is hard, so I’m not throwing shade here, but I wonder how thoroughly these support workflows were looked at by their pentesters / red team, etc.,” Miessler wrote. “One technique I like to use when I look at a company is to start with their most sensitive data and ask, ‘Which business processes … handle this data using which workflows?’ And then map those as flows with touchpoints. In this case that would have been customer session tokens, and the business process would have included the support function. And if a stolen credential was used to get into the support system, what about password hygiene? And was 2FA not used? Still early though; we might have more answers soon.”