Redigo - The Redis backdoor Malware

A new Go-based malware, Redigo, is used in an attack targeting Redis servers. Threat actors are exploiting a critical vulnerability, tracked as CVE-2022-0543, in Redis servers. The CVE-2022-0543 vulnerability affects Debian and Linux distributions and is a Lua sandbox escape vulnerability. The vulnerability, which was given a severity rating of 10, might be used by a remote attacker who can run any Lua script to potentially bypass the Lua sandbox and execute arbitrary code.

Threat actors attempt to connect to the Redis server through port 6379 in the first step of the attack chain to learn more about the CPU architecture. The second use of the command is to download the newly discovered Redigo Malware. After downloading the malware file, the attackers elevate the permissions of the file to execute it.

The Redigo malware, according to researchers, is being used by threat actors to infect Redis servers and add them to a botnet that they may then deploy to perform denial-of-service (DDoS) attacks, run cryptocurrency miners, or steal information from the servers. All the users who run Redis on Debian, Ubuntu, and possibly other Debian-based distros are advised to update their Redis package to the latest available version, as the vulnerability has already been fixed.

Accorian is happy to assist you for any assistance you may require. Please feel free to reach out to us.

Source: https://blog.aquasec.com/redigo-redis-backdoor-malware

Threat Advisory Team

Accorian

Article

WordPress - Critical Vulnerabilities in WS_FTP Server Expose High-Risk Exploitation

Multiple exploitable flaws have been found in numerous versions of the WS_FTP Server, built by Progress Software. One of the most serious is present in WS_FTP Server versions prior to 8.7.4 and 8.8.2, in a module for sending files person-to-person. The module, marketed by Progress Software as the Ad Hoc Transfer Module, is vulnerable to an attack that converts a hypertext transfer protocol message into a malicious object that can execute arbitrary code, a technique known as deserialization. The identified flaw is a deserialization flaw in WS_FTP, a popular FTP server software. This vulnerability allows malicious actors to execute arbitrary code on affected servers potentially. About 2,900 hosts on the internet were found to be running WS_FTP and had their web servers exposed, making them vulnerable to exploitation. These instances primarily belonged to large enterprises, governments, and educational institutions. Progress Software has since released patches for eight vulnerabilities and strongly recommends that all users update their WS_FTP installations to protect against potential attacks. The updates include a patch for the .NET deserialization vulnerability, tracked as CVE-2023-40044, through which attackers can remotely execute arbitrary code. The U.S. Health Sector Cybersecurity Coordination Center, or HC3, in a Friday alert, said it "strongly encourages all users to follow the manufacturer's recommendation and upgrade to the highest version available - 8.8.2 - to prevent any damage from occurring." Security experts have warned all organizations that use secure file transfer tools to review their documentation to identify how such software can be locked down. Accorian strongly recommends that all users update their WS_FTP installations to protect against potential attacks. Source: https://www.databreachtoday.com/alert-attackers-actively-exploiting-wsftp-vulnerabilities-a-23200 For any further assistance, kindly reachout to us on info@accorian.com Threat Advisory Team Accorian

Article

Critical Vulnerability in Ivanti’s Avalanche Enterprise MDM Solution

Ivanti, a leading technology company that offers IT asset management, security, endpoint, and supply chain solutions has released patches for seven critical and high-severity vulnerabilities in Avalanche, its Enterprise Mobile Device Management (MDM) solution. Among the vulnerabilities is the directory traversal flaw tracked down as CVE-2023-32563. It’s the most severe of the flaws with a CVSS score of 9.8. The MDM solution's updateSkin function has this directory traversal flaw that can be exploited without authentication. The problem arises from a user-supplied path not being properly validated before being used in file operations. This vulnerability can be misused by an attacker to execute remote codes.The release also addressed multiple stack-based buffer overflow bugs collectively tracked down as CVE-2023-32560 with a CVSS score of 8.8. These were discovered in the Wavelink Avalance Manager, which processes data using a fixed-size stack-based buffer. By delivering a specially written message to the service, an adversary can take advantage of this and potentially cause code execution or disrupt the service. In addition, two other high-severity remote code execution vulnerabilities CVE-2023-32562 and CVE-2023-32564 and three authentication bypass flaws CVE-2023-32561, CVE-2023-32565, and CVE-2023-32566 present in various components of the MDM solution were patched.Although none of these problems have been reported as being exploited in the wild, Accorian strongly recommends that all users of Avalanche update it to version 6.4.1.207, released earlier this month. For any further assistance, kindly reachout to us on info@accorian.com Source: Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution - SecurityWeek Threat Advisory Team Accorian

Article

Microsoft RCE & EOP Vulnerability in August Patch Release

Microsoft addressed 74 CVEs in its August Patch Tuesday release, out of which 6 were rated “Critical” and 67 were rated “Important”. Remote code execution (RCE) vulnerabilities made up 31.5% of the vulnerabilities patched, with elevation of privilege (EoP) vulnerabilities making up 24.7%. One zero-day vulnerability was also addressed in the release. Among the RCE vulnerabilities are the CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911 which have been assigned a CVSSv3 score of 9.8 and are “Critical”. The vulnerabilities are found in the Microsoft Message Queuing (MSMQ) component of the Windows operating system. An unauthenticated remote attacker can exploit this flaw by sending malicious MSMQ packets to a vulnerable MSMQ server, which leads to arbitrary code execution. Yet, to exploit this weakness, the susceptible server's Message Queuing service must be activated. According to Microsoft, if the service is enabled, it runs as "Message Queuing" and listens on TCP port 1801. Another “Important” rated vulnerability is CVE-2023-21709 which is an EoP vulnerability found in Microsoft Exchange Server. An adversary could exploit this flaw by trying to brute force the password for valid user accounts. If exploited, the adversary can login as another user. According to Microsoft, a PowerShell script must be run after the patch has been applied. Microsoft addressed five other vulnerabilities in Microsoft Exchange Server which are tracked down as CVE-2023-38181, CVE-2023-38185, CVE-2023-35368, CVE-2023-38182 and CVE-2023-35388. The CVE-2023-38181 is a Spoofing Vulnerability which is assigned a CVSSv3 score of 8.8. If exploited, an attacker might acquire access to a user's Net-NTLMv2 hash, which could then be used to launch an NTLM Relay attack against another service to authenticate as the user. The rest are RCE vulnerabilities with scores 8.8, 8.8, 8.0 and 8.0 respectively. The CVE-2023-3182 and CVE-2023-35388 are rated “Exploitation More Likely” by Microsoft. If exploited, an adversary could execute a code using PowerShell remoting session. To successfully exploit, the adversary would need to have LAN access and valid credentials for an Exchange user. Accorian strongly recommends patching systems as soon as they can be and routinely scanning your environment to find any systems that need to be patched. Organizations are encouraged to apply the latest Windows updates for August. Source: https://msrc.microsoft.com/update-guide/releaseNote/2023-Aug Threat Advisory Team Accorian

Article

Critical Security Zero Day Vulnerabilities in Critix products - NetScaler ADC and NetScaler Gateway

Citrix, a leading technology company, has issued a warning to its customers about a critical-severity RCE vulnerability (CVE-2023-3519) in its NetScaler ADC and NetScaler Gateway products. The severity of the issue is highlighted as critical and a CVSS score of 9.8. The exploits for this vulnerability are out in the wild and an adversary can use it to exploit Critix ADC versions up to 13.1 build 48.47.1. If this vulnerability is not fixed, adversaries would be able to exploit it to execute remote code without any authentication. The vulnerable appliance must, however, be set up as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy), or as an authentication virtual server (often known as the AAA server), for attackers to take advantage of this security weakness. Along with this Critix also addressed two other vulnerabilities: Reflected Cross-Site Scripting (CVE-2023-3466) and Privilege Escalation (CVE-2023-3467). Both being critical vulnerabilities, have a severity score of 8.3 and 8.0 respectively. The reflected cross-site scripting (XSS) issue requires a victim to load a link from an attacker on the same network. The Privilege Escalation vulnerability enables attackers to elevate privileges to those of a root administrator if they have authenticated access to the NetScaler appliances IP address (NSIP) or a SubNet IP (SNIP) with access to the management interface. Accorian strongly recommends the users of NetScaler ADC and NetScaler Gateway to update to the latest versions to fix all three issues at hand. The recommended versions are: NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0 NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP Source: New critical Citrix ADC and Gateway flaw exploited as zero-day (bleepingcomputer.com) Threat Advisory Team Accorian

Article

Critical Flaw Uncovered in WordPress Plugin Used by 30,000 Websites

WordPress, the world's most popular website builder has recently published a critical vulnerability in one of their plugins, Abandoned Cart Lite for WooCommerce. The plugin is used by approximately 30,000 websites. The vulnerability has been tracked as CVE-2023-2986 and has been assigned a CVSS score of 9.8. The vulnerability revolves around a broken access mechanism, which allows an adversary to gain unauthorized access to the accounts of users who have left their carts without completing the process of purchase basically, abandoned carts. According to the configuration of the Abandoned Cart Lite for WooCommerce plugin, a notification will be sent to customers who have not completed the process of purchasing. The notification has a link that automatically logs in the customer to the website to continue the process. Although this link contains an encrypted value that identifies the abandoned cart, the encryption key for this encrypted value is hardcoded in the plugin. This flaw allows adversaries to manipulate the abandoned cart id and gain access to the account associated with the abandoned cart. To mitigate this vulnerability, Accorian strongly recommends organizations to update the Abandoned Cart Lite for WooCommerce plugin to the latest version 5.15.1. By applying this update, users can ensure that the encryption key is no longer hardcoded, thereby preventing unauthorized access to user accounts through manipulated abandoned cart identifiers. It is also recommended to keep the site up to date with all the future updates. Source: https://www.wordfence.com/blog/2023/06/tyche-softwares-addresses-authentication-bypass-vulnerability-in-abandoned-cart-lite-for-woocommerce-wordpress-plugin/ Threat Advisory Team Accorian

Threat Advisory