| title | date | draft | logo |
|---|---|---|---|
November 5, 2023 |
2023-11-05 00:00:00 +0545 |
false |
images/infosec/default.png |
{{< toc >}}
In a recent development in the ever-evolving landscape of state-sponsored cyber espionage, Iran's MuddyWater, a known nation-state actor, has launched a spear-phishing campaign with a twist, targeting two Israeli entities. What sets this campaign apart is the use of a new infection vector that deploys a legitimate remote administration tool known as Advanced Monitoring Agent, provided by N-able. Cybersecurity firm Deep Instinct recently disclosed the details of this campaign, shedding light on the group's updated Tactics, Techniques, and Procedures (TTPs).
MuddyWater is no stranger to the cybersecurity community. This cyber espionage crew, believed to operate under the auspices of Iran's Ministry of Intelligence and Security (MOIS), has been active since at least 2017. Over the years, it has been responsible for various campaigns, often utilizing spear-phishing emails with direct links or attachments that lead to the deployment of remote access tools. Previous tools utilized by MuddyWater include ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.
The spear-phishing campaign targeted Israeli entities, exploiting a multi-stage infection vector that involved the use of a new file-sharing service, Storyblok, to deliver the Advanced Monitoring Agent remote administration tool.
https://thehackernews.com/2023/11/irans-muddywater-targets-israel-in-new.html
Implement robust email security solutions to detect and block spear-phishing attempts.
Recent security flaws in Microsoft Edge (Chromium-based) have been identified, posing risks of remote code execution and spoofing attacks.An unauthenticated, remote attacker can potentially exploit this vulnerability to remotely execute commands on Microsoft Edge versions that are affected. However, Microsoft clarifies that to exploit this vulnerability, user interaction is necessary beforehand.
In the case of the Microsoft Edge spoofing vulnerability, it can be exploited by an unauthenticated attacker with network access, but specific user interactions are needed for it to work. However, there is no additional information available about this vulnerability at this time.
• Microsoft Edge (Chromium-based)
• Microsoft Edge (Chromium-based) Extended Stable.
• Microsoft Edge for Android
• Users of these products are recommended to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited.
CVE-2023-36022, CVE-2023-36029, and CVE-2023-36034.
More than 3,000 Apache ActiveMQ servers exposed to the internet are at risk due to a critical remote code execution (RCE) vulnerability identified as CVE-2023-46604. Apache ActiveMQ is an open-source, multi-protocol, Java-based message broker. The vulnerability is a critical severity RCE with a CVSS v3 score of 10.0, allowing attackers to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. Approximately 7,249 servers with ActiveMQ services are exposed, with 3,329 using vulnerable ActiveMQ versions. Vulnerable versions include Apache ActiveMQ 5.18.0 before 5.18.3, Apache ActiveMQ 5.17.0 before 5.17.6, Apache ActiveMQ 5.16.0 before 5.16.7, and Apache ActiveMQ before 5.15.16.
Apache ActiveMQ servers
https://cybersecuritynews.com/3000-apache-activemq-servers/
Upgrade to versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3
CVE-2023-46604
Atlassian has issued a warning about a critical security vulnerability in Confluence Data Center and Server, identified as CVE-2023-22518, with a high CVSS score of 9.1, which could result in significant data loss when exploited by an unauthenticated attacker. This improper authorization vulnerability affects all versions of Confluence Data Center and Server and has been addressed in specific versions. Although it does not impact data confidentiality, Atlassian has urged immediate action to secure instances and recommends disconnecting publicly accessible instances until the patch is applied. Users outside of the support window are advised to upgrade, while Atlassian Cloud sites are unaffected. While there is no evidence of active exploitation, Atlassian has emphasized the importance of applying the patches to prevent potential exploitation, particularly following the release of critical information about the vulnerability.
Confluence Data Center and Server
https://thehackernews.com/2023/10/atlassian-warns-of-new-critical.html
Update to the lastest patched version.
CVE-2023-22518