Threat Alerts

An authentication bypass vulnerability (CVE-2023-34060) has been discovered in VMware Cloud Director Appliance (VCD Appliance) versions that were upgraded to 10.5 from an older version. VMware has evaluated the severity of this issue to be in the Critical severity range, with a maximum CVSSv3 base score of 9.8.

This vulnerability allows a malicious actor with network access to the appliance to bypass login restrictions when authenticating on port 22 (SSH) or port 5480 (appliance management console). The vulnerability is not present on port 443 (VCD provider and tenant login), or on new installations of VMware Cloud Director Appliance 10.5.

The exploitation of the vulnerability in Apache ActiveMQ (CVE-2023-46604) has been adopted by an increasing number of different threat actors and malware since it was first made public on October 27th.

This week, reports of the vulnerability being leveraged by “GoTitan”, a DDoS botnet, and “PrCtrl Rat,” a spyware with remote control capabilities, were seen coming to the forefront. This added to a list of numerous other threat actors such as Lazarus Group, Kinsing, and HelloKitty – who have also all maliciously utilized this CVE.

Organizations are advised to prioritize the patching of CVE-2023-46604.

A critical vulnerability – tracked as CVE-2023-6345 CVSS 9.6 (which has been reported by Google to be exploited in the wild) – takes advantage of an integer overflow bug in the graphics engine used in Chrome, Firefox, and other browsers. Google has not shared any details on the exploitation itself, however, they have released an advisory addressing the situation and releasing an update that covers the six latest critical vulnerabilities affecting their services (CVE-2023-6348, CVE-2023-6347, CVE-2023-6346, CVE-2023-6350, CVE-2023-6351 and CVE-2023-6345).

Apple addressed two critical zero-day vulnerabilities within WebKit, tracked as CVE-2023-42916 and CVE-2023-42917.

The first one, CVE-2023-42916 (CVSS score – 9.8), is identified as an out-of-bounds read flaw in WebKit, which allows accessible threat actors to execute a command injection attack, potentially leading to remote code execution.

The second one, CVE-2023-42917 (CVSS score – 9.1), is classified as a memory corruption vulnerability within WebKit. An accessible threat actor with valid ‘member’ role credentials could exploit this to execute a deserialization attack, ultimately resulting in remote code execution.

Cybersecurity researchers recently uncovered a series of coordinated cyberattacks targeting organizations across the Middle East, Africa, and the United States. The attacks utilized a sophisticated set of tools for various malicious purposes, including creating backdoor access, command and control operations, stealing user credentials, and exfiltrating confidential data. Researchers suggest these activities could be linked to nation-state actors, based on the specific organizations targeted, the complexity of the tactics and tools used, and the level of customization in the malware.

The primary tools identified in these attacks include a .NET framework-based backdoor named “Agent Racoon,” which uses DNS protocols for covert communication and offers multiple backdoor functionalities such as remote command execution, data exfiltration, and file manipulation. Another tool, “Ntospy,” is a Network Provider DLL module designed to steal user credentials. Additionally, a customized version of Mimikatz, named “Mimilite,” was used in these operations.

Security researchers have recently investigated the top three embedded fingerprint sensors in OEM laptops used for Windows Hello fingerprint authentication – and found several flaws that enable bypassing this technology.

The fingerprint sensors that were investigated were all “match on chip” or MoC (also known as “match in sensor”) type sensors, which store their database on-chip, and manage and perform all of its functions within the chip.

This functionality makes the biometric material highly secure from exfiltration or manipulation. However, it does not prevent a malicious sensor to spoof a legitimate communication as an authorized user that has successfully authenticated, and to reply on old traffic between the host and the sensor.

Successful exploitation of these flaws allows an attacker – in each sensor in a different way – to authenticate with their own fingerprint as a legitimate Windows user and to keep operating within the victim environment.