Threat Briefing — Jan 19, 2024

Weekly Threat Briefing - Jan 15 - Jan 19

TLP: CLEAR - This information may be shared publicly

eSentire’s Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Critical GitLab Vulnerabilities

Bottom Line: Because so much of the value of businesses in the software industry lies in closed-source code, mitigating CVE-2023-7028 plays a crucial role in safeguarding Intellectual Property (IP) from threat actors. Organizations using GitLab should take preventive measures and employ defense-in-depth tactics to prevent further abuse.

On January 11th, GitLab disclosed multiple vulnerabilities, including one which received the maximum criticality rating of CVSS: 10, tracked as CVE-2023-7028. This vulnerability allows for a user account’s password reset emails to be delivered to an unverified email address, enabling account takeover. Proof-of-Concept (PoC) exploit code was publicly released on January 13th.

Additional vulnerabilities from the release include:

In response to the disclosure of this information, eSentire released a public security advisory on January 15th. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place to identify all the recently disclosed GitLab vulnerabilities and eSentire MDR for Network has rules in place to identify CVE-2023-7028 exploitation attempts.

eSentire Threat Intelligence Analysis:

The criticality of CVE-2023-7028 and the availability of Proof-of-Concept (PoC) exploit code make it almost certain that this vulnerability will be exploited in the immediate future. As such, it is critical that organizations apply the relevant security patches immediately.

GitLab, known for its comprehensive suite of tools covering the entire software lifecycle, is key to many organizations' DevOps processes. It is widely adopted not only by small and medium businesses but also, significantly, in large-scale enterprise environments. Securing GitLab is vital because it often contains sensitive codebases, proprietary software, and key operational workflows. Any vulnerability in GitLab can lead to significant risks such as intellectual property theft, disruption of critical software delivery pipelines, and the potential for broader network compromise. Regular updates and proactive security measures are not just best practices but essential components of enterprise risk management in the modern digital landscape.

Users who have Multi-Factor Authentication (MFA) enabled remain vulnerable to a password reset; however, account takeover is not possible, as the additional authentication factor is still required to log in. If an unrecognized password reset email is received, or if a user is unexpectedly redirected to the login page, it is recommended to reset the password.

Critical Confluence Vulnerability

Bottom Line: CVE-2023-22527 poses a significant risk to organizations using outdated Confluence Data Center and Server versions, potentially allowing attackers to gain unauthorized access and control. An immediate update to the latest patched versions is crucial to safeguard against this critical vulnerability.

2024-01-22 Update: As of January 21st, there are reports of real-world exploitation of CVE-2023-22527.

On January 16th, Atlassian disclosed a new critical vulnerability that impacts multiple versions of Confluence Data Center and Server. The vulnerability, tracked as CVE-2023-22527 (CVSS: 10), allows a remote and unauthenticated threat actor to execute arbitrary code on impacted systems. In an attack scenario, threat actors may exploit the vulnerability to gain initial access into victim organizations, enabling lateral movement and the deployment of additional malicious tools. It should be noted that CVE-2023-22527 does not impact Atlassian Cloud sites; Confluence sites accessed via the Atlassian.net domain are not vulnerable to exploitation.

At the time of writing, there is no indication of real-world exploitation or publicly available Proof-of-Concept (PoC) exploit code. The eSentire Threat Intelligence team assesses with high confidence that real-world exploitation will occur in the near future. Applying the available security patches before exploitation occurs in the wild is critical to prevent abuse. If patching is not immediately possible, Atlassian recommends taking impacted systems offline and backing up data to a secure location outside of Confluence.

The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities; a public advisory was released on January 17th. Additionally, eSentire Managed Vulnerability Service (MVS) has plugins in place to detect versions of Confluence vulnerable to CVE-2023-22527.

eSentire Threat Intelligence Analysis:

Due to the scope and impact of CVE-2023-22527, it is critical that organizations immediately update to the latest patched versions. As CVE-2023-22527 has a maximum severity rating and enables unauthenticated RCE, it will attract significant attention from both security researchers and threat actors. As technical details surrounding the security patch are publicly available, threat actors are almost certainly attempting to reverse engineer the changes to develop an exploit. Taken together, these factors leave defenders only a short window to deploy the patches before exploitation occurs.

Unauthenticated Remote Code Execution (RCE) vulnerabilities in Internet-facing applications are highly concerning as they may allow direct access to protected networks. Whenever possible, these systems should be made internal only, reducing the risk of exploitation for initial access. Confluence vulnerabilities have been heavily targeted in the past; in 2023, Confluence was impacted by two separate critical vulnerabilities that were actively exploited in real-world attacks (CVE-2023-22515, CVE-2023-22518). Widespread exploitation of Confluence in the past may indicate increased attacker attention on the platform.

Volt Typhoon Targets Cisco Routers

Bottom Line: Threat actors of varying skill levels, including APTs such as Volt Typhoon, are known to target End-of-Life devices that no longer receive critical security updates. Organizations need to ensure these devices are removed from their networks and replaced with maintained alternatives.

On January 11th, SecurityScorecard’s STRIKE Team released a new report outlining attacks on End-of-Life (EoL) Cisco routers; this activity has been attributed to the Chinese state-sponsored APT group Volt Typhoon (aka Bronze Silhouette). Historically, the group’s primary focus has been espionage and information gathering. In these latest attacks, Volt Typhoon is suspected to have targeted two Cisco vulnerabilities that were initially disclosed in 2019: CVE-2019-1653 and CVE-2019-1652. These vulnerabilities impact Cisco RV320/325 routers, which are EoL, meaning that no security patches or software updates will be made available.

SecurityScorecard estimates that approximately 30% of the Cisco RV320/325 routers that they observed were compromised by Volt Typhoon in a 37-day period. Historically, ‘China Chopper’ has been the most prevalent webshell used by Chinese APT groups; however, researchers uncovered a previously unknown webshell on Cisco routers targeted by the group. The recent campaign has impacted government assets in the U.S., U.K., and Australia, where the newly discovered webshell was identified.

While the specific goal of recent Volt Typhoon activity has not been publicized, the targeting of government infrastructure in a complex attack indicates a high probability of espionage. The publication of this campaign by SecurityScorecard may prompt a change in tactics by the group, but similar activity is expected to continue.

eSentire Threat Intelligence Analysis:

The Volt Typhoon campaign's exploitation of vulnerabilities in end-of-life Cisco devices underscores the critical importance of timely patch management, network monitoring, and the urgent need to replace or upgrade outdated technology in modern cyber defense strategies. This approach is especially crucial for entities handling sensitive information, as unsupported and unpatched hardware can become prime targets for state-sponsored espionage and cyber-attacks.

In May 2023, Microsoft released a technical report on Volt Typhoon. According to Microsoft, the campaign aimed to disrupt critical communications infrastructure between the United States and the Asia region during future crises. Additionally, the National Security Agency (NSA), in coordination with Five Eyes partners, published a Cybersecurity Advisory containing a hunting guide for the Tactics, Techniques, and Procedures (TTPs) discussed in the report. In addition to communications, the campaign targeted a variety of other sectors including manufacturing, utility, transportation, construction, maritime, government, information technology, and education.

Organizations must prioritize upgrading end-of-life devices and continuously monitor their network infrastructure. Regularly updating network assets and implementing robust security protocols are essential to defend against sophisticated threats like Volt Typhoon. The use of webshells for espionage and the targeting of government assets highlights the need for heightened security measures in critical national infrastructure.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.