Advisory ID: ngCERT-2024-0014

Summary: 

Vulnerability assessment revealed the presence of a security flaw in SSH transport protocol found in versions of OpenSSH older than 9.6 and other products. The weakness could allow remote attackers to bypass integrity checks, leading to downgraded or disabled security features within a client and server connection, also known as a Terrapin Attack. This could lead to unauthorized access to sensitive information or compromise of network security. Accordingly, users and systems administrators are advised to take proactive steps to guard against exploits by threat actors.

Threat Type(s): Terrapin Attack

Impact/Vulnerability: CRITICAL/HIGH

Product(s): OpenSSH, LibSSH, PuTTY, AsyncSSH, Dropbear SSH, Transmit, paramiko and golang-go.crypto

Platform(s): SSH Transport Protocol 

Version(s): OpenSSH before 9.6 and All versions of SSH software and libraries

Description: 

The SSH transport protocol found in OpenSSH before 9.6 and other SSH software and libraries allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), causing security features to be downgraded or disabled within a client and server connection (a Terrapin Attack). This allows attackers to exploit the SSH protocol, potentially gaining unauthorized access to sensitive information or compromising network security. Notably, Terrapin method of attack alters SSH data during the handshake between servers and devices, functioning as a Man-in-the-middle (MITM) between connections that exist between remote administrators and their core, or on-prem, network. While this CVE is classified as moderate because the attack requires an active MITM to intercept and modifies a connection’s traffic at the TCP/IP layer, it does allow attackers to delete consecutive messages. Some of the vulnerable products and versions include, OpenSSH versions before 9.6 and other software and libraries, such as LibSSH, PuTTY, AsyncSSH, Dropbear SSH, Transmit, paramiko and golang-go.crypto.

Solution:  

The following are recommended:

• System administrators should carry out organizations inventory and scan all systems with vulnerable SSH versions.
• Organizations should patch their SSH implementations with the latest security updates.
• System administrators and users should carry out regular review and update of SSH key management practices.
• Regular security audits and adopting a layered security approach.
• Implementation of robust firewalls, intrusion detection systems, and rigorous access controls to significantly reduce the risk of such vulnerabilities.

References:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-48795

• https://nvd.nist.gov/vuln/detail/CVE-2023-48795

• https://www.fortiguard.com/psirt/FG-IR-23-490

• https://blog.qualys.com/vulnerabilities-threat-research/2023/12/21/ssh-attack-surface-cve-2023-48795-find-and-patch-before-the-grinch-arrives-with-cybersecurity-asset-management

Advisory ID: ngCERT-2024-0033

Summary: 

ngCERT is issuing an urgent security advisory regarding a high-severity vulnerability in Veeam Backup and Replication (VBR) software, recently exploited by ransomware groups. The flaw is designated CVE-2023-27532, affecting VBR versions 12 and below. Threat actors exploit this weakness by obtaining encrypted and plaintext credentials stored in the configuration database, which is further used to elevate privileges and execute arbitrary code on affected systems. The successful exploitation of the vulnerability may result in malware installation, system takeover, data exfiltration and ultimately ransomware attacks. It is pertinent to note that, the Phobos ransomware group recently exploited this flaw in a ransomware attack on a cloud infrastructure, within the Nigerian Cyberspace. Accordingly, users are strongly advised to implement the latest security patches from VBR, and other mitigation steps recommended herein.

Threat Type(s): Ransomware

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Microsoft Exchange server, SQL Server, Windows Server, Linux Server, Oracle, Azure, AWS, VMware, Hyper-V

Platform(s): WIndows and Linux Operating Systems

Version(s): All Versions

Description: 

The CVE-2023-27532 is a critical vulnerability in Veeam Backup & Replication (VBR) software, which allows unauthorized users to access sensitive information, including encrypted credentials. Cybercriminals exploit this flaw by connecting to the exposed Veeam services (C:\ProgramFiles\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe) on port TCP 9401, where they can issue requests to extract confidential data from backup infrastructure without proper authentication. To exploit CVE-2023-27532, attackers typically scan for unpatched Veeam instances exposed to the internet. Once they locate a vulnerable system, they bypass authentication mechanisms by sending crafted requests directly to the service, allowing them to obtain critical information, such as administrative credentials. With this information, attackers can escalate privileges, gain unauthorized access to the backup environment, and even compromise the entire network. Such an exploit can lead to severe consequences, including data breaches, ransomware deployment, or malicious data manipulation, as the backup servers often store highly sensitive and valuable information.

Solution: 

•  Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.
• Block the malicious external IP addresses and other malicious IP addresses on your network.
• Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.
• Activate built-in security features on endpoint devices which scan applications for malware.
• Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solution, endpoint detection    and response solution including anti-malware software.
• Enforce a strong password policy, implement regular password changes.
• Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.

References:

• https://thehackernews.com/2024/07/new-ransomware-group-exploiting-veeam.html

• https://cisometric.com/articles/ransomware-alert-estateransomware-exploits-veeam-backup-software

• https://cirt.gy/article/al2024_15-veeam-backup-replication-software-security-flaw-exploited-by-new-ransomware-group-estateransomware-15th-july-2024/

Advisory ID: NCC-CSIRT-170924-009

Summary: 

Researchers from Trend Micro's Zero Day Initiative have discovered a newly identified Windows vulnerability, exploited as a zero-day to execute code via the disabled Internet Explorer browser. This vulnerability, tracked as CVE-2024-43461, is classified as a high-severity issue. It was addressed in a patch released on Tuesday, September 10, 2024, over two months after it had already been exploited in the wild.

Threat Type(s): Vulnerability, Zero-Day Attack

Impact/Vulnerability: CRITICAL/HIGH

Product(s): MS Windows

Platform(s): Internet Explorer bowser

Version(s): All Versions

Description: 

The research revealed that the security flaw is a spoofing vulnerability in a component of Internet Explorer’s Web Archive file format. This format combines HTML code and its related resources (such as images) into a single file, even when these resources are linked externally in the webpage's HTML. Despite Internet Explorer being disabled, the platform remains in Windows and is still utilized by certain applications in specific scenarios.

The vulnerability arises from how Internet Explorer handles user prompts after a file download. A maliciously crafted file name can conceal the true file extension, tricking users into thinking the file is safe. Exploiting this flaw, an attacker could execute code under the current user’s privileges.

Solution: 

The vulnerability identified as CVE-2024-43461 was exploited as part of an attack chain involving the CVE-2024-38112 flaw prior to July 2024. To ensure complete protection against this threat, users are advised to install both the Windows July 2024 security updates, which addressed CVE-2024-38112, as well as the Windows September 2024 updates. Links to the relevant security updates are provided below:

https://support.microsoft.com/en-us/topic/july-9-2024-kb5040437-os-build-20348-2582-5b28d9b8-fcba-43bb-91e6-062f43c7ec7c

https://support.microsoft.com/en-us/topic/september-10-2024-kb5043076-os-builds-22621-4169-and-22631-4169-215aad1e-3f3f-44bd-9868-91a2bd450a07

References:

• https://www.securityweek.com/microsoft-says-recent-windows-vulnerability-exploited-as-zero-day/

• https://www.securityweek.com/apt-exploits-windows-zero-day-to-execute-code-via-disabled-internet-explorer/

• https://www.securityweek.com/microsoft-says-windows-update-zero-day-being-exploited-to-undo-security-fixes/

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43461

• https://www.zerodayinitiative.com/advisories/ZDI-24-1207/

Advisory ID: NCC-CSIRT-110924-008

Summary: 

Researchers from anti-malware vendor ESET have identified a sophisticated phishing technique targeting iOS and Android users. The tactic involves using web applications that imitate legitimate banking software, enabling cybercriminals to bypass security measures and steal users' login credentials.

These fraudulent web apps closely replicate the interfaces of well-known financial institutions, making it difficult for users to detect the deception. Once victims enter their credentials, the information is transmitted to attackers, granting them unauthorized access to sensitive banking accounts.

Threat Type(s): Phishing, and Malvertising

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Apple and Android based Mobile Devices

Platform(s): iOS and Android OS

Version(s): All Versions

Description: 

According to the researchers, attackers leveraged Progressive Web Applications (PWAs) on Apple devices—websites packaged to resemble standalone apps. These PWAs, built using web technologies, are platform-agnostic and do not require users to enable third-party app installations. On Android devices, the attackers utilized WebAPKs, a technology that allows web apps to be installed as native applications, appearing as if they were downloaded from Google Play.

In the observed attacks, iOS users were instructed to add the PWA to their home screens, while Android users were prompted to approve custom pop-ups before installing the WebAPK. WebAPKs, considered enhanced versions of PWAs, mimic native apps and do not trigger warnings on Android devices, even when installation from third-party sources is disabled. Moreover, the apps’ information pages falsely indicated that they were downloaded from Google Play.

When users opened the phishing link, they were redirected to a webpage mimicking the official Google Play or Apple Store, or the targeted bank’s website. They were then prompted to install an updated version of the banking app, which led to the installation of the malicious software without triggering any security alerts. Once installed, the PWA or WebAPK placed an icon on the home screen, and opening it led directly to a phishing login page designed to steal users' credentials.

Solution: 

•  Users should avoid installing apps that are not available on official platforms like the Play Store or Apple App Store.
• Always verify any messages received via SMS, email, or social media before taking action.
• If prompted to update an app via text message, visit the official website or app store to confirm the update before proceeding.
• Be cautious when dealing with Progressive Web Applications (PWAs) and avoid installing them from untrusted or suspicious websites.
• Utilize a reliable security solution that can detect and block websites using PWAs and WebAPKs for phishing attacks.
• Multi-factor authentication and user education on phishing threats are essential to enhance security.

References:

• https://www.bleepingcomputer.com/news/security/hackers-steal-banking-creds-from-ios-android-users-via-pwa-apps/ 

• https://www.securityweek.com/new-phishing-technique-bypasses-security-on-ios-and-android-to-steal-bank-credentials/ 

• https://www.show.it/en/new-phishing-technique-bypasses-security-on-ios-and-android-to-steal-bank-credentials/ 

• https://news.ycombinator.com/item?id=41312984 

• https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/