This past week in cybersecurity saw a wide range of vulnerabilities, from Apple product patches to several flaws that hit DevSecOps teams. The Akira ransomware group made news too, expanding its attacks to include Linux-based systems, and Trend Micro issued a fix for a zero-day vulnerability in its Apex One endpoint security tools.
Read about the following vulnerabilities and bugs to know what your business and security team should address, as these flaws and attacks can apply to startups and large enterprises alike.
Sept. 18, 2023
GitLab tells community and enterprise users to update their instances
Type of attack: Improper access control: Attackers can exploit GitLab’s scanning policies by acting as a legitimate user.
The problem: Open-source vendor GitLab has released a security notice calling on users to update to a new version of GitLab due to an exploitable scan policy, recorded as CVE-2023-5009, with a 9.8 severity rating. An attacker can use policies for scheduled security scans to run a pipeline in GitLab, posing as another user. The vulnerability was reported by a user in GitLab’s bug bounty program. The vulnerability affects every version of the software from 13.12 before 16.2.7 and from 16.3 before 16.3.4. When both direct transfers and security policies are enabled in GitLab, the instance is open to attack.
The fix: 16.2.7 and 16.3.4 are the new version updates, available for both GitLab Community Edition and Enterprise Edition. While the updates solve this issue, the new versions also patch non-security functions of the software.
Sept. 19, 2023
Trend Micro releases patches and updates for Apex One zero-day vulnerability
Type of attack: Zero-day vulnerability
The problem: Trend Micro released a security bulletin with instructions for fixing a zero-day vulnerability present in its Apex One endpoint security product. The flaw (CVE-2023-41179) carries a 7.2 severity rating and is a Windows vulnerability within the third-party antivirus uninstaller present in the endpoint product, and it’s also present in the Worry Free Business Security and Worry Free Business Security Services products. Trend Micro noted that there’s been at least one attempt to exploit the vulnerability in the wild.
The fix: Trend Micro has released patches and new version updates for all of the vulnerabilities. Users of the products are encouraged to update to the latest version possible, even if it’s a newer version than the one listed in the bulletin.
Atlassian releases information on four different bugs
Type of attack: Denial of service attack on Confluence Data Center and Server (CVE-2023-22512), a patch management flaw in Jira Service Management Data Center and Server (CVE-2022-25647), remote code execution in Bitbucket (CVE-2023-22513), and a third-party dependency flaw in Bamboo Data Center and Server (CVE-2023-28709).
The problem: Atlassian has reported four high-severity vulnerabilities for multiple products. Atlassian says these vulnerabilities were discovered via its bug bounty program, penetration testing procedures, and third-party scans.
These vulnerabilities render businesses that use the affected products susceptible to slowed operations, edited or stolen code, and unpatched Jira data.
The fix: Update all instances of these products to the latest version available. If you aren’t able to update to the newest version, Atlassian provides the minimum version to which you should upgrade to be safe:
- Jira Service Management Data Center and Server: 4.20.25, 5.4.9, 5.9.2, 5.10.1, or 5.11.0
- Confluence Data Center and Server: 7.19.13, 7.19.14, 8.5.1, or 8.6.0
- Bitbucket Data Center and Server: 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, or 8.14.0
- Bamboo Data Center and Server: 9.2.4 or 9.3.1
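For teams with more than a handful of GitLab or Atlassian instances, the checks in the two advisories above (the GitLab affected ranges plus its two-feature precondition, and the Atlassian minimum fixed versions) can be scripted. The following is an added example, not vendor code; the inventory entries at the bottom are constructed, and the product keys are assumed names for this script only.

```python
"""Version-exposure check for the GitLab and Atlassian advisories in this recap.

Added example, not vendor code. Ranges and minimum versions are the ones quoted
above; the inventory at the bottom is constructed sample data.
"""
from typing import Tuple

Version = Tuple[int, ...]

def parse(v: str) -> Version:
    """'16.2.7' -> (16, 2, 7); missing trailing components count as 0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))

# CVE-2023-5009: affected from 13.12 before 16.2.7 and from 16.3 before 16.3.4.
GITLAB_AFFECTED = [(parse("13.12"), parse("16.2.7")), (parse("16.3"), parse("16.3.4"))]

def gitlab_exposed(version: str, direct_transfers: bool, security_policies: bool) -> bool:
    """True only when the version is in an affected range AND both features are
    enabled, which is the precondition the advisory gives for exploitation."""
    v = parse(version)
    in_range = any(lo <= v < hi for lo, hi in GITLAB_AFFECTED)
    return in_range and direct_transfers and security_policies

# Minimum fixed versions per Atlassian product, as listed in the advisory.
# The keys are assumed names used by this script only.
ATLASSIAN_FIXED = {
    "jira-sm": ["4.20.25", "5.4.9", "5.9.2", "5.10.1", "5.11.0"],
    "confluence": ["7.19.13", "7.19.14", "8.5.1", "8.6.0"],
    "bitbucket": ["8.9.5", "8.10.5", "8.11.4", "8.12.2", "8.13.1", "8.14.0"],
    "bamboo": ["9.2.4", "9.3.1"],
}

def atlassian_needs_upgrade(product: str, version: str) -> bool:
    """An instance is current if it is at or after a fixed release on its own
    major.minor branch, or newer than the newest fixed release overall.
    Anything else (including branches the advisory does not list) is flagged."""
    v = parse(version)
    fixed = [parse(f) for f in ATLASSIAN_FIXED[product]]
    on_branch = any(v[:2] == f[:2] and v >= f for f in fixed)
    return not (on_branch or v >= max(fixed))

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for name, ver, dt, sp in [("gl-prod", "16.3.2", True, True), ("gl-dev", "16.3.2", False, True)]:
        print(name, ver, "GitLab exposed:", gitlab_exposed(ver, dt, sp))
    for prod, ver in [("confluence", "8.4.3"), ("bitbucket", "8.12.2")]:
        print(prod, ver, "needs upgrade:", atlassian_needs_upgrade(prod, ver))
```

Note that the GitLab check treats an affected version with either feature disabled as not exposed, matching the advisory's wording; you may still want to flag such instances for upgrade since a configuration change would make them exploitable.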
Sept. 20, 2023
Akira ransomware group strikes again – this time, they’re targeting Linux
Type of attack: Double-extortion ransomware attacks against Windows systems and now Linux-based VMware virtual machines.
The problem: The Akira ransomware group is back in the headlines. SIEM vendor LogPoint just released a report on Akira’s tactics, noting that Akira has recently begun targeting Linux systems, specifically VMware ESXi virtual environments.
Akira is a recent variant of ransomware and has had 110 reported victims so far, according to LogPoint. It uses double extortion techniques, which puts victims in more danger if they decide not to pay a ransom because their data could be exposed on the dark web.
The fix: LogPoint uses sandboxes like VMRay and Any.Run to dissect the tactics and procedures used by the Akira software. Unfortunately, because Akira is a sophisticated threat, there’s no single patch or product that will prevent it. Protecting data and systems against Akira requires security teams to use advanced threat detection and endpoint protection tools that will notify them when Akira variants are detected.
Sept. 21, 2023
Apple releases a slew of security updates for multiple products
Type of attack: Elevated privileges, certificate validation bypass, and arbitrary code execution.
The problem: On September 21, Apple pushed a set of updates to multiple products, including Macs running Monterey and Big Sur and multiple iPhones and iPads. These fixed three zero-day vulnerabilities that were initially intended for iPhones, though they affected other Apple operating systems.
One patch included in the updates fixed a vulnerability that allowed local attackers to elevate their privileges on these devices. The vulnerability (CVE-2023-41992) is still undergoing analysis and has not yet been given a base score. NIST noted that Apple is aware that this vulnerability may have been exploited prior to iOS 16.7’s release.
The fix: If your Apple device is able to update to the following operating systems, update it immediately:
- iOS 16.7
- iPadOS 16.7
- iOS 17.0.1
- iPadOS 17.0.1
- watchOS 9.6.3
- watchOS 10.0.1
- macOS Monterey 12.7
- macOS Ventura 13.6
Two other vulnerabilities affected many of the same operating systems. One flaw (CVE-2023-41991) allows a malicious application to bypass certificate validation, and another (CVE-2023-41993) allows arbitrary code to be executed when a device processes web content.
SentinelOne researches new threat Sandman
Type of attack: New threat actor exploits a novel backdoor in LuaJIT to attack mainly telecom companies.
The problem: SentinelOne recently released research on a new threat actor, known as Sandman, that’s been targeting telecommunication providers. The majority of victims have been in southern Asia, the Middle East, and western Europe, according to SentinelOne.
Sandman exploits a backdoor in the LuaJIT platform, a just-in-time compiler for the Lua programming language. SentinelOne reported its observations on the threat actor’s movements, noting that it often avoided engagement and used lateral movement to reach its targets. SentinelOne guessed that the threat actor, named LuaDream, is trying to avoid detection, gather user and system information to better tailor attacks, and install plugins that give LuaDream more functionality for future attacks. SentinelOne suspects a contractor threat group to be responsible, though it’s currently unsure of the source.
The fix: SentinelOne provides indicators of compromise, including file names that indicate LuaDream’s presence in a system. The security vendor also provides folder file paths that LuaDream might take. However, there’s no specific patch or update to protect systems from LuaDream. Make sure that you’re regularly monitoring your systems for the IOCs given by SentinelOne if you use LuaJIT.