Cyber Intelligence Weekly

Cyber Intelligence Weekly (July 9, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here:

Before we get started on this week’s CIW, I’d like to highlight a great article by two of our talented consultants on network pivoting skills for the eCPPT exam and penetration testing. In this latest article written by Kristofer Johnson and Evan Isaac, they dive deep into the world of network pivoting, simplifying the concept and providing valuable insights into essential tools and techniques.

Read the full article here:

No alt text provided for this image

Away we go!

1. New Truebot Malware Variants Target US and Canadian Organizations via Netwrix Auditor RCE Bug

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning regarding the exploitation of a critical remote code execution (RCE) vulnerability in Netwrix Auditor software. The vulnerability, known as CVE-2022-31199, allows unauthorized attackers to execute malicious code with the privileges of the SYSTEM user. Truebot malware, associated with the Russian-speaking Silence cybercrime group and the TA505 hackers linked to the FIN11 group, has been observed using this vulnerability to compromise networks in the United States and Canada.

No alt text provided for this image

Once the attackers gain access to the compromised networks, they deploy the TrueBot malware downloader and the FlawedGrace Remote Access Trojan (RAT), which escalates privileges and establishes persistence on the hacked systems. The attackers also install Cobalt Strike beacons, enabling them to carry out various post-exploitation tasks such as data theft and the deployment of additional malware, including ransomware. The primary objective of the threat actors behind Truebot is to steal sensitive information for financial gain.

Organizations are advised to follow the guidelines outlined in the joint advisory by CISA, the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security. These include monitoring for signs of Truebot infection, applying patches to address the CVE-2022-31199 vulnerability, updating Netwrix Auditor to version 10.5, and implementing phishing-resistant multifactor authentication (MFA) to block unauthorized access. Netwrix Auditor software is widely used by over 13,000 organizations globally, including prominent entities like Airbus, Allianz, the UK's NHS, and Virgin.

It is crucial for organizations to take immediate action to protect their networks and systems from these attacks by applying necessary patches, updating software versions, and enhancing security measures such as MFA. The collaboration between CISA, the FBI, and other cybersecurity agencies underscores the seriousness of this threat and highlights the need for collective defense against sophisticated cybercriminals.

2. New Critical SQL Injection Vulnerability Discovered in MOVEit Transfer Software

In what seems to be a weekly column related to the MOVEit Transfer Software, the hits keep coming. This time it is a recent discovery and subsequent patching of a critical SQL injection vulnerability. This vulnerability was discovered by Guy Lederfein of Trend Micro Security Research and it reportedly allows remote attackers to execute arbitrary code on affected installations of Progress Software MOVEit Transfer. Authentication is not required to exploit this vulnerability. The specific flaw exists within the human.aspx endpoint. A specific crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the moveitsvc user.

The vulnerability, identified as CVE-2023-36934, poses a significant risk as it allows unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database. Exploiting this flaw, attackers can manipulate databases and potentially expose or modify sensitive data. While no active exploitation has been reported yet, this vulnerability does not require valid credentials, enabling unauthorized access.

This finding follows a series of recent cyberattacks that targeted MOVEit Transfer using a separate SQL injection vulnerability (CVE-2023-34362) to deliver Clop ransomware, resulting in data breaches and financial extortion.

Alongside CVE-2023-36934, Progress Software has also addressed two other high-severity vulnerabilities in this latest round: CVE-2023-36932, enabling unauthorized database access for logged-in attackers, and CVE-2023-36933, which allows attackers to unexpectedly shut down the MOVEit Transfer program. These vulnerabilities impact various versions of MOVEit Transfer, and users are strongly urged to update to the latest version available to mitigate the associated risks.

To ensure the security and integrity of their systems, organizations using MOVEit Transfer should promptly apply the provided updates. The patch for this latest vulnerability is included in the July 2023 service pack. Additionally, it is crucial to remain vigilant and maintain robust security measures to defend against potential cyber threats in trusted software systems.

3. Critical FortiGate Vulnerability Leaves Over 300,000 Devices Exposed

A recent critical vulnerability in the FortiOS that runs Fortinet firewalls has left approximately 336,000 devices exposed to the Internet vulnerable to attacks. The flaw, known as CVE-2023-27997, is a remote code execution vulnerability in FortiGate VPNs, and it received a severity rating of 9.8 out of 10. Fortinet released patches for the vulnerability on June 8 but a recent research article has found that many administrators have failed to install the suggested updates.

The U.S. Cybersecurity and Infrastructure Security Administration added the vulnerability to its list of known exploited vulnerabilities and provided federal agencies with a deadline to patch the issue. However, as per the report, 69% of affected devices reachable over the public internet remained unpatched.

Fellow security firm Bishop Fox discovered that of the 489,337 affected devices exposed on the Internet, some 335,923 devices appear to remain unpatched. Some vulnerable devices were found to be running outdated FortiGate software that hadn't been updated since 2015. Bishop Fox developed an exploit to test customer devices and found that it took just one second for the exploit to corrupt the heap and inject malicious code, granting remote access to attackers. The slow response to patching this critical vulnerability raises concerns about the security practices of the many organizations using these firewalls.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here:

Sign Up for Weekly Cyber Intelligence Delivered to Your Inbox

Sign up to get Cyber Intelligence Weekly in your inbox.