SANS NewsBites

SharePoint Vulnerability Actively Exploited; Juniper Addresses 100+ Vulnerabilities

January 16, 2024  |  Volume XXVI - Issue #04

Top of the News


2024-01-15

SharePoint Vulnerability is Being Actively Exploited

A critical privilege elevation vulnerability in Microsoft SharePoint is reportedly being actively exploited. The vulnerability, which was patched in June, can be chained with other vulnerabilities to achieve remote code execution. The flaw, CVE-2023-29357, “allows attackers to use spoofed JSON web tokens (JWTs) to gain Administrator privileges on the SharePoint host.” The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog last week. US Federal Civilian Executive Branch agencies must address the vulnerability by January 31.
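The control this item turns on is that a server must never trust the claims inside a JWT until it has verified the signature with an algorithm it chose itself. The following is an added example written for this newsletter entry, not code from Microsoft or from the SharePoint advisory, and it does not model SharePoint internals: a minimal HS256 validator that rejects tokens claiming an unsigned algorithm, tokens whose signature does not match, and malformed tokens, before any role claim is consulted. The signing key, claim names and sample tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real service loads this from a secret store.
DEMO_KEY = b"constructed-demo-signing-key"
# The verifier fixes the accepted algorithms; the token does not get a say.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed token (used here only to build sample input)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the token carries a valid signature.

    Rejects malformed tokens, any algorithm outside ALLOWED_ALGS (so an
    'alg: none' header is refused outright) and any signature that does not
    match the HMAC recomputed over the presented header and payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON, bad UTF-8 all land here
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    return claims if isinstance(claims, dict) else None


def is_admin(token: str, key: bytes) -> bool:
    """Authorisation decision made only on verified claims."""
    claims = verify_jwt(token, key)
    return bool(claims) and claims.get("role") == "admin"


# Constructed sample tokens used to exercise the validator.
VALID_USER = make_jwt({"sub": "alice", "role": "user"}, DEMO_KEY)

# Unsigned token whose header claims 'none' and whose payload claims admin.
_hdr = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
_pl = b64url_encode(json.dumps({"sub": "alice", "role": "admin"}).encode())
UNSIGNED_TOKEN = f"{_hdr}.{_pl}."

# Genuine header and signature with the payload edited after signing.
_h, _p, _s = VALID_USER.split(".")
TAMPERED_TOKEN = f"{_h}.{b64url_encode(json.dumps({'sub': 'alice', 'role': 'admin'}).encode())}.{_s}"

if __name__ == "__main__":
    for label, tok in [("valid", VALID_USER), ("unsigned", UNSIGNED_TOKEN), ("tampered", TAMPERED_TOKEN)]:
        print(label, "->", verify_jwt(tok, DEMO_KEY), "admin:", is_admin(tok, DEMO_KEY))
```

The two properties worth carrying into any real validator are visible in `verify_jwt`: the algorithm allowlist is server-side state, and the signature check happens before any claim is read, so a forged role never reaches the authorisation decision.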

Editor's Note

Details about this vulnerability, including PoC exploits, appear to have been available for a couple months now. If anything, adding it to the KEV catalog is a bit late. As with any KEV: Assume compromise at this point.

Johannes Ullrich

Any critical privilege elevation vulnerability in any product with “Share” in its name requires priority patching measured in days not multiple months to be at a due diligence level.

John Pescatore

The flaw is in SharePoint Server 2019, version 16.0.0 below 16.0.1039.20005. CVE-2023-29357 has a CVSS score of 9.8. This can be exploited over the network with a low difficulty level. Verify that you’ve deployed the update, which came out in June; this would be a good time to discover and remediate any rogue or unmanaged SharePoint servers as well as look at why you’re still hosting SharePoint locally.

Lee Neely

While adding the vulnerability to the KEV flags that it is being actively exploited, organizations should have already prioritized it for patching back in June. An RCE demonstration and, separately, a POC privilege escalation attack were published shortly after the vulnerability was released. It was simply a matter of time for evildoers to work the vulnerability into their workflow and deploy an exploit.

Curtis Dukes

2024-01-15

Juniper Advisories Address 100+ Vulnerabilities, Including Critical RCE Flaw

Last week, Juniper released 28 security advisories that address more than 100 vulnerabilities in multiple products. The batch of advisories includes a fix for a critical out-of-bounds write vulnerability that affects Junos OS on SRX Series and EX Series, as well as for critical flaws in third-party components used in some Juniper products.

Editor's Note

CVE-2024-21591, a J-WEB RCE flaw, carries a CVSS score of 9.8, similar to the flaw from last August. Researchers are finding many sites didn’t deploy that update. In addition to verifying you’ve deployed the update, take another look at disabling or severely restricting access to the J-WEB interface.

Lee Neely

The Rest of the Week's News


2024-01-15

FBot Python-Based Hacking Tool

Researchers at SentinelOne have discovered FBot, a Python-based tool that has been observed being used in attacks against web servers, cloud services, and Software as a service (SaaS) platforms. FBot’s capabilities include harvesting credentials, hijacking AWS accounts, and “functions to enable attacks against PayPal and various SaaS accounts.” SentinelOne’s write-up includes indicators of compromise.

Editor's Note

This is a new hacking tool, which has a lot of original work, under active development, and unlike many other tools doesn’t simply leverage existing tools such as the Androxgh0st code. The primary mitigations, at this time, are to implement MFA and monitor for adding new accounts (particularly in AWS) or email service configuration changes. Incorporate the IOCs from SentinelOne into your hunting processes. This tool targets AWS, Office365, PayPal, Twilio and Sendgrid.

Lee Neely

2024-01-15

GitLab Security Release Addresses Two Critical Flaws

On January 11, GitLab released critical security updates to address five vulnerabilities, two of which are considered critical. The first critical flaw is an account takeover via password reset without user interaction; the second involved incorrect authorization checks in GitLab CE/EE and could be exploited to allow an “attacker [to] abuse Slack/Mattermost integrations to execute slash commands as another user.” The issues are addressed in GitLab versions 16.7.2, 16.6.4, and 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Editor's Note

The five flaws: CVE-2023-7028, account takeover, CVSS score 10.0; CVE-2023-5356, Slack/Mattermost integration flaw, CVSS score 9.6; CVE-2023-4812, CODEOWNER approval bypass, CVSS score of 7.6; CVE-2023-6965, unauthorized workspace creation, CVSS score of 6.6; CVE-2023-2030, signed commit metadata altering, CVSS score of 3.5. All are addressed in the update. Three steps you need to follow here: First, upgrade all your GitLab editions to a supported version; be methodical and don’t skip steps as that can introduce instability. Second, enable 2FA for ALL your GitLab accounts, no exceptions. Third, review the GitLab security best practices. If you think you were compromised, add rotating all secrets (API keys, certificates, tokens, etc.) to your task list.

Lee Neely

2024-01-15

Recorded Future: Lock Down GitHub Services

According to a report from researchers at Recorded Future’s Insikt Group, threat actors are increasingly using GitHub services for dead drop resolving and to deliver payloads, operate command-and-control systems, and exfiltrate data. The Insikt Group notes that, “There is no universal solution for GitHub abuse detection. A mix of detection strategies is needed, influenced by specific environments and factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance, among others.”

Editor's Note

It’s not a huge leap to find threat actors are leveraging trust relationships. With the number of cloud and other off-site services we’re all using, the number of these relationships we have has increased exponentially. While there is no silver bullet here, start with a mantra of smallest possible trust. Make sure that you’re limiting trust to the sites and services you’ve approved as well as monitoring those interactions.

Lee Neely

2024-01-15

British Library Catalog is Back Online

The British Library’s online services are gradually becoming available, months after the library took services offline following a ransomware attack. Users may now access the library’s online catalog in a read-only format. The British Library experienced a cybersecurity incident in late October 2023.

Editor's Note

Hopefully the British Library will document and widely brief on the state of cybersecurity at the library system before the attack. Details should also be shared on what processes helped or hindered re-establishing full operating capability. Let’s turn the attack into something positive and educate users and organizations.

Curtis Dukes

While back on-line, users need to be aware that some functionality is not yet restored, and you may have to come in to utilize or access some services. The library is not planning to disclose details of the incident until after March, so it’ll be a while before we can learn from the root cause. Even so, you can make sure you’re following vendor security best practices for your online services, and verify you’ve got active monitoring and strong authentication in place.

Lee Neely

2024-01-15

Bosch Smart Thermostat Vulnerability

Researchers at Bitdefender have discovered an always-open port vulnerability in Bosch BCC101/BCC102/BCC50 Thermostats. The flaw “lets an attacker on the same network replace the device firmware with a rogue version.” Bitdefender first notified Bosch about the issue in August 2023; Bosch fixed the vulnerability in October.

Editor's Note

Bosch pushed the update to customer devices in October 2023, closing port 8899 which is used for this hack. Best practice here is to have a separate network for your home IoT devices. You may be able to leverage the guest network most home routers include. If you choose to use an old router you’ve been keeping, make sure that it’s not EOL, as you’re going to want to keep it updated.

Lee Neely

Bitdefender is to be applauded for its responsible vulnerability disclosure. Hopefully, Bosch’s software development team will make changes in their secure software development process going forward. The Microsoft SDL process is an excellent resource as well as recent CISA Secure-by-Design guidance.

Curtis Dukes

2024-01-15

Cryptojacking Arrest in Ukraine

Police in Ukraine, with assistance from Europol, have arrested an individual who allegedly conducted a cryptojacking campaign. The individual is believed to have mined more than EUR 1.8 million (USD 2 million) worth of virtual currency. Europol was alerted to the situation a year ago, when a cloud service provider contacted them regarding compromised user accounts.

Editor's Note

Cryptojacking is becoming popular as it allows the criminal to leverage your cloud resources for their crypto mining, so they don’t have to pay the IT or power costs. Activities have been observed leveraging GCP, AWS, and Azure services. Your best bet to mitigate the risk is to implement strong authentication, active monitoring, keep services updated and leverage the security services of your cloud provider.

Lee Neely

Because of their compute capabilities, cloud service providers are often targeted by crypto miners. What is surprising is that the CSP’s customers did not notice the increase in compute costs as well as failed attempts by the attacker using automated brute-force password guessing. Some lessons learned here for those companies using cloud resources.

Curtis Dukes
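Two of this week's items point at the same monitoring gap: the FBot note recommends watching for new accounts (particularly in AWS) and for email service configuration changes, and the cryptojacking item observes that neither the new compute spend nor the automated password-guessing was noticed. The following is an added example, not code from SentinelOne, Europol or any cloud provider, showing what that monitoring looks like when run over CloudTrail-style records: a watchlist match for identity and email-configuration API calls, and a sliding-window count of failed console logins per source address. The sample events are constructed; the event names follow the IAM, console sign-in and SES names as CloudTrail records them, but the watchlists are illustrative starting points rather than a complete rule set.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Illustrative watchlists (assumption: tune to the APIs your account actually uses).
IDENTITY_WATCHLIST = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}
EMAIL_WATCHLIST = {"VerifyEmailIdentity", "UpdateAccountSendingEnabled", "CreateEmailIdentity"}


def _ev(time: str, source: str, name: str, ip: str, actor: str = "unknown", **extra) -> dict:
    """Build one constructed CloudTrail-shaped record."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": {"userName": actor}}
    rec.update(extra)
    return rec


# Constructed sample trail: a new user plus key created by a service account,
# a burst of console failures from one address, one benign read, and an SES change.
SAMPLE_EVENTS: List[dict] = [
    _ev("2024-01-15T10:00:01Z", "iam.amazonaws.com", "CreateUser", "203.0.113.7", "deploy-svc",
        requestParameters={"userName": "backup-admin"}),
    _ev("2024-01-15T10:00:09Z", "iam.amazonaws.com", "CreateAccessKey", "203.0.113.7", "deploy-svc",
        requestParameters={"userName": "backup-admin"}),
    _ev("2024-01-15T10:02:00Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.5", "ops-reader"),
] + [
    _ev(f"2024-01-15T10:05:{sec:02d}Z", "signin.amazonaws.com", "ConsoleLogin", "198.51.100.23",
        responseElements={"ConsoleLogin": "Failure"})
    for sec in range(0, 60, 10)  # six failures in one minute
] + [
    _ev("2024-01-15T10:07:30Z", "signin.amazonaws.com", "ConsoleLogin", "192.0.2.9",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2024-01-15T10:08:00Z", "signin.amazonaws.com", "ConsoleLogin", "192.0.2.9", "alice",
        responseElements={"ConsoleLogin": "Success"}),
    _ev("2024-01-15T10:20:00Z", "ses.amazonaws.com", "UpdateAccountSendingEnabled", "203.0.113.7", "deploy-svc"),
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def watchlist_hits(events: List[dict], watchlist: set) -> List[Tuple[str, str, str, str]]:
    """Return (time, eventName, actor, sourceIP) for every watchlisted API call, in trail order."""
    hits = []
    for ev in events:
        if ev.get("eventName") in watchlist:
            actor = ev.get("userIdentity", {}).get("userName", "unknown")
            hits.append((ev["eventTime"], ev["eventName"], actor, ev.get("sourceIPAddress", "?")))
    return hits


def failed_login_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Map source IP -> largest number of failed ConsoleLogin events inside any
    single window, for addresses that reach the threshold."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        failures[ev.get("sourceIPAddress", "?")].append(parse_time(ev["eventTime"]))
    bursts: Dict[str, int] = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    for hit in watchlist_hits(SAMPLE_EVENTS, IDENTITY_WATCHLIST | EMAIL_WATCHLIST):
        print("watchlist:", hit)
    print("login bursts:", failed_login_bursts(SAMPLE_EVENTS))
```

In practice the same two functions are fed from the account's trail export or a log pipeline, and the identity watchlist is the one to page on: a new user followed seconds later by a new access key from an automation identity is exactly the pattern that precedes hijacked-account abuse, whether the goal is mining or outbound mail.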

2024-01-15

Known Windows SmartScreen Vulnerability is Being Exploited to Spread Malware

Researchers at Trend Micro have detected a malware campaign that exploited a known security feature bypass vulnerability in Microsoft Windows Defender SmartScreen. The flaw is reportedly being used to spread malware known as Phemedrone Stealer. Microsoft released a patch for the vulnerability in November 2023 and CISA added it to the KEV catalog that same month.

Editor's Note

While the patch was released in November, it’s still being exploited, so not everyone rolled out the update. Verify it didn’t get missed during the holiday season. POC code, including screenshots, is being shared on social media and dark web sites.

Lee Neely

Internet Storm Center Tech Corner