Calenderweek 38 – WafdogBlog

Security Vulnerabilities Disclosed by Atlassian and ISC: Mitigations and Fixes
Wed, 28 Feb 2024
http://192.168.11.11/security-vulnerabilities-disclosed-by-atlassian-and-isc-mitigations-and-fixes/

Atlassian and the Internet Systems Consortium (ISC) have revealed multiple security vulnerabilities affecting their products, potentially leading to denial-of-service (DoS) attacks and remote code execution.

The Australian software services provider has addressed four high-severity flaws in recent updates. These include:

  • CVE-2022-25647 (CVSS score: 7.5) – A deserialization vulnerability in the Google Gson package affecting Patch Management in Jira Service Management Data Center and Server.
  • CVE-2023-22512 (CVSS score: 7.5) – A DoS vulnerability in Confluence Data Center and Server.
  • CVE-2023-22513 (CVSS score: 8.5) – A remote code execution vulnerability in Bitbucket Data Center and Server.
  • CVE-2023-28709 (CVSS score: 7.5) – A DoS vulnerability in Apache Tomcat server affecting Bamboo Data Center and Server.

These vulnerabilities have been addressed in the following versions:

  • Jira Service Management Server and Data Center (versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, 5.11.0, or later).
  • Confluence Server and Data Center (versions 7.19.13, 7.19.14, 8.5.1, 8.6.0, or later).
  • Bitbucket Server and Data Center (versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, or later).
  • Bamboo Server and Data Center (versions 9.2.4, 9.3.1, or later).

In a related update, ISC has released fixes for two high-severity vulnerabilities affecting the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite, potentially leading to DoS conditions:

  • CVE-2023-3341 (CVSS score: 7.5) – A stack exhaustion vulnerability in control channel code that may cause named to terminate unexpectedly (fixed in versions 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1, and 9.18.19-S1).
  • CVE-2023-4236 (CVSS score: 7.5) – The named service may terminate unexpectedly under high DNS-over-TLS query load (fixed in versions 9.18.19 and 9.18.19-S1).

These patches follow ISC's fixes, three months earlier, for three other vulnerabilities (CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, each with a CVSS score of 7.5) that could also result in a DoS condition.

Unveiling the Enhanced Sphynx Variant: BlackCat Ransomware Targets Azure Storage with Advanced Features
Wed, 28 Feb 2024
http://192.168.11.11/unveiling-the-enhanced-sphynx-variant-blackcat-ransomware-targets-azure-storage-with-advanced-features/

A new variant of the BlackCat Ransomware, named Sphynx, has recently emerged, showcasing enhanced capabilities tailored for encrypting Azure Storage accounts. Initially identified in March, this iteration of Sphynx received upgrades in May, introducing the Exmatter exfiltration tool.

Subsequent releases in August unveiled additional functionalities, including the ability, via new command-line arguments, to override credentials stored in configuration files that had been extracted from compromised systems.

In August, Microsoft disclosed the integration of Impacket and Remcom tools in this variant, enabling credential dumping, remote service execution, and the exploitation of compromised credentials for lateral movement and further propagation of ransomware.

Microsoft’s tweet highlighted the embedding of the Remcom hacktool within the executable, facilitating remote code execution, alongside the inclusion of hardcoded compromised credentials for lateral movement and ransomware distribution.

Threat actors exploited Azure Portal access to pilfer Azure keys, encoding them in base64 format and embedding them within the ransomware binary for execution via command line instructions. Using the ‘-o’ argument, they targeted Azure storage accounts, subsequently encrypting 39 unique accounts with ransomware.

During these operations, threat actors leveraged tools like AnyDesk, SplashTop, Atera, and the Chrome browser, coupled with the LastPass vault browser extension, to access and manipulate credentials, including OTPs for Sophos Central account access.

Further investigation revealed that threat actors altered security policies and tampered with protection measures before encrypting systems and Azure Storage accounts using IzBEIHCMxAuKmis6.exe, appending the extension ‘.zk09cvt’.

Notably, the Sphynx variant observed by IBM no longer employs the ‘-access-token’ parameter; instead, it utilizes complex key sets and a revised array of arguments.

Sophos has provided comprehensive insights into the operation, source code, and indicators of compromise associated with this BlackCat variant.

Organizations are strongly advised to implement and maintain the precautions and countermeasures needed to mitigate ransomware risk; proactive measures and vigilant defense are pivotal in limiting the potentially devastating impact of such attacks.

Convergence of Threats: RedLine and Vidar Groups Utilize Unified Tactics for Ransomware and Info-Stealers
Wed, 28 Feb 2024
http://192.168.11.11/convergence-of-threats-redline-and-vidar-groups-utilize-unified-tactics-for-ransomware-and-info-stealers/

A recent investigation conducted by Trend Micro reveals that threat groups associated with RedLine and Vidar have adopted similar tactics for deploying ransomware as they use for disseminating info-stealing malware.

In a specific instance, victims initially encountered a malware strain designed for data theft, which was signed with Extended Validation (EV) code signing certificates. However, over time, they also fell victim to ransomware attacks through the same delivery method.

Further examination of the period between July and August uncovered more than 30 samples signed with EV code certificates, all associated with the info-stealing malware TrojanSpy.Win32.VIDAR.SMA. Each of these samples exhibited unique characteristics, complicating their detection.

Regarding the attribution to RedLine and Vidar, researchers suspect that the individual responsible for signing the samples with these EV certificates likely has either physical access to the signing security token or control over the computer linked to it.

Initially, victims received info-stealing malware through various campaigns starting around July 10. Subsequently, on August 9, they experienced a ransomware assault. This ransomware was deployed after the victims unwittingly downloaded and opened a fraudulent email attachment masquerading as a complaint from TripAdvisor.

Tactics, Techniques, and Procedures (TTPs) employed by RedLine and Vidar operators include:

  1. Crafting spear-phishing emails with compelling language, urging recipients to take immediate action, often concerning health or hotel matters.
  2. Utilizing double file extensions to deceive users, such as making files appear as PDFs or JPEGs when, in fact, they are executable (EXE) files triggering the infection upon opening.
  3. Deploying LNK files containing instructions to execute the malicious file, thereby evading detection.
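The file-naming tricks in items 2 and 3 above can be screened for at the mail gateway or in attachment logs. The following is an added example written for this post, not code from Trend Micro or the original article; the attachment names are constructed, and the extension sets are an assumption about what a given environment treats as executable or as a benign document type. It goes slightly beyond the text by also stripping whitespace padding inserted between the fake and the real extension, a common variant of the same trick.

```python
"""Screen e-mail attachment names for the masquerading tricks described in the
TTP list above: double extensions that end in an executable type and LNK
shortcut files used as launchers.

Added example for this post; not code from Trend Micro or the original article.
The extension sets below are an assumption about what the target environment
treats as executable or as a benign document type."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

# File types that Windows executes when a user double-clicks them (assumption).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Document/image types the lure pretends to be (assumption).
DOCUMENT_EXTS = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "txt"}
# Shortcut files that can carry an arbitrary command line.
SHORTCUT_EXTS = {"lnk"}


@dataclass(frozen=True)
class Finding:
    filename: str
    reason: str


def _extensions(filename: str) -> list[str]:
    """Lower-cased extension chain after the base name, e.g. 'a.pdf.exe' -> ['pdf', 'exe'].

    Whitespace around each part is stripped so that padding such as
    'invoice.pdf      .exe' (used to push the real extension out of view)
    is still recognised as a double extension."""
    base = posixpath.basename(filename.replace("\\", "/"))
    parts = [p.strip() for p in base.lower().split(".")]
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename: str) -> Finding | None:
    """Return a Finding if the name matches one of the tricks, else None."""
    exts = _extensions(filename)
    if not exts:
        return None
    last = exts[-1]
    if last in SHORTCUT_EXTS:
        return Finding(filename, "LNK shortcut attachment")
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return Finding(filename, f"double extension: looks like .{exts[-2]} but runs as .{last}")
        return Finding(filename, f"executable attachment (.{last})")
    return None


def triage(attachments: list[str]) -> list[Finding]:
    """Classify a batch of attachment names, keeping only the suspicious ones."""
    return [f for name in attachments if (f := classify_attachment(name)) is not None]


# Constructed sample attachment names (not real samples from the campaign).
SAMPLE_ATTACHMENTS = [
    "TripAdvisor-Complaint.pdf.exe",
    "guest_photo.jpg      .scr",
    "Complaint_Details.lnk",
    "booking_confirmation.pdf",
    "README",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACHMENTS):
        print(f"{finding.filename!r}: {finding.reason}")
```

Run as a script it lists the first three constructed names with their reasons; the plain PDF and the extensionless file pass. A plain `.exe` attachment is still reported, just without the double-extension wording, since the lure is only one of the ways an executable arrives by mail.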

AMBERSQUID: Novel Cloud-Native Cryptojacking Operation Targets AWS Services
Wed, 28 Feb 2024
http://192.168.11.11/ambersquid-novel-cloud-native-cryptojacking-operation-targets-aws-services/

A newly emerged cryptojacking operation, tailored for cloud-native environments, has turned its focus towards less common Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to clandestinely mine cryptocurrency.

Dubbed AMBERSQUID by cloud and container security firm Sysdig, this malicious activity managed to exploit cloud services without triggering the usual AWS resource approval process, a control that would have kicked in had the actors merely mass-launched EC2 instances.

Sysdig’s security researcher Alessandro Brucato explained in a report shared with The Hacker News, “The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances.” He further added, “Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service.”

The discovery of this campaign came after Sysdig analyzed 1.7 million images on Docker Hub. They attribute the operation with moderate confidence to Indonesian attackers based on the utilization of the Indonesian language in scripts and usernames.

The modus operandi involves the deployment of cryptocurrency miners downloaded from actor-controlled GitHub repositories within some Docker images, while other images run shell scripts that target AWS services.

One notable tactic involves the misuse of AWS CodeCommit, a service used to host private Git repositories. Attackers generate a private repository, which they then deploy across various services as a source. This repository contains the source code of an AWS Amplify app, which is utilized by a shell script to create an Amplify web app, ultimately facilitating the launch of the cryptocurrency miner.

The threat actors have also been observed utilizing shell scripts to execute cryptojacking in AWS Fargate and SageMaker instances, resulting in substantial compute costs for the victims.
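The flow described above (a CodeCommit repository used as the source for an Amplify app, plus Fargate and SageMaker compute, spread across services and often regions) is easier to spot when CloudTrail records are correlated per IAM principal than when each service raises its own alert. The following is an added example, not Sysdig's or the blog's code; it assumes the standard CloudTrail eventSource/eventName values for the four APIs it watches (CreateRepository, CreateApp, RunTask with launchType FARGATE, CreateNotebookInstance), and the records it processes are constructed.

```python
"""Correlate CloudTrail records per IAM principal so that the chain described
above (CodeCommit repository -> Amplify app -> Fargate task -> SageMaker
notebook) surfaces as one finding rather than as unrelated per-service events.

Added example for this post; not Sysdig's or the blog's code. The
eventSource/eventName pairs follow CloudTrail's documented values for these
APIs; the records processed below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# (eventSource, eventName) -> short label for the services the campaign touched.
WATCHED = {
    ("codecommit.amazonaws.com", "CreateRepository"): "codecommit",
    ("amplify.amazonaws.com", "CreateApp"): "amplify",
    ("ecs.amazonaws.com", "RunTask"): "fargate",          # only if launchType == FARGATE
    ("sagemaker.amazonaws.com", "CreateNotebookInstance"): "sagemaker",
}

_SUSPECT = {"arn": "arn:aws:iam::111122223333:user/ci-bot"}          # constructed principal
_ANALYST = {"arn": "arn:aws:iam::111122223333:user/data-scientist"}  # constructed principal

# Constructed CloudTrail records, one JSON document per line as a log sink would deliver them.
SAMPLE_CLOUDTRAIL = [json.dumps(r) for r in [
    {"eventTime": "2023-09-18T10:00:00Z", "eventSource": "codecommit.amazonaws.com",
     "eventName": "CreateRepository", "userIdentity": _SUSPECT, "awsRegion": "us-east-1"},
    {"eventTime": "2023-09-18T10:04:00Z", "eventSource": "amplify.amazonaws.com",
     "eventName": "CreateApp", "userIdentity": _SUSPECT, "awsRegion": "us-east-1"},
    {"eventTime": "2023-09-18T10:09:00Z", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
     "requestParameters": {"launchType": "FARGATE"}, "userIdentity": _SUSPECT, "awsRegion": "eu-west-1"},
    {"eventTime": "2023-09-18T10:12:00Z", "eventSource": "sagemaker.amazonaws.com",
     "eventName": "CreateNotebookInstance", "userIdentity": _SUSPECT, "awsRegion": "ap-southeast-1"},
    {"eventTime": "2023-09-18T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": _SUSPECT, "awsRegion": "us-east-1"},
    {"eventTime": "2023-09-18T11:30:00Z", "eventSource": "sagemaker.amazonaws.com",
     "eventName": "CreateNotebookInstance", "userIdentity": _ANALYST, "awsRegion": "us-east-1"},
]]


def parse_record(line):
    """Pull the fields needed for correlation out of one CloudTrail JSON record."""
    r = json.loads(line)
    return {
        "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "principal": r["userIdentity"]["arn"],
        "source": r["eventSource"],
        "name": r["eventName"],
        "region": r["awsRegion"],
        "params": r.get("requestParameters") or {},
    }


def service_for(rec):
    """Map a parsed record to a watched service label, or None if it is not of interest."""
    label = WATCHED.get((rec["source"], rec["name"]))
    # RunTask also covers EC2-backed tasks; only count it when the task is Fargate-launched.
    if label == "fargate" and rec["params"].get("launchType") != "FARGATE":
        return None
    return label


def correlate(lines, window=timedelta(hours=1), min_services=3):
    """Return one finding per principal that touched at least `min_services`
    watched services within `window`, listing the services and regions involved."""
    per_principal = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        label = service_for(rec)
        if label is not None:
            per_principal[rec["principal"]].append((rec["time"], label, rec["region"]))

    findings = []
    for principal, events in per_principal.items():
        events.sort()
        for start, _, _ in events:               # sliding window anchored at each event
            in_window = [e for e in events if start <= e[0] <= start + window]
            services = {e[1] for e in in_window}
            if len(services) >= min_services:
                findings.append({
                    "principal": principal,
                    "start": start,
                    "services": sorted(services),
                    "regions": sorted({e[2] for e in in_window}),
                })
                break                              # one finding per principal is enough
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_CLOUDTRAIL):
        print(f["principal"], f["start"].isoformat(), f["services"], f["regions"])
```

On the constructed records the `ci-bot` principal is reported once, with all four services and three regions, while the analyst who only created a single notebook is not. The window and service threshold are the tuning knobs: a narrower window or a higher threshold trades sensitivity for fewer alerts on legitimate multi-service deployments.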

Sysdig estimates that if scaled to target all AWS regions, AMBERSQUID could incur losses of over $10,000 per day. An analysis of the wallet addresses associated with the attacks reveals that the perpetrators have earned over $18,300 in revenues to date.

This isn’t the first time Indonesian threat actors have been implicated in cryptojacking campaigns. In May 2023, Permiso P0 Labs detailed an actor named GUI-vil, which leveraged Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances for crypto mining operations.

Michael Clark, director of threat research at Sysdig, noted, “there doesn’t appear to be much cross-over between the TTPs of the two attacks,” suggesting they are likely carried out by distinct groups. He also highlighted the thriving community around cryptojacking in Indonesia.

“While most financially motivated attackers target compute services, such as EC2,” Brucato emphasized, “it is important to remember that many other services also provide access to compute resources (albeit more indirectly).” He stressed that these services must not be overlooked from a security perspective, since they offer less visibility than the runtime threat detection available for compute instances.

Azure HDInsight XSS Vulnerabilities: Analysis, Impact, and Remediation
Wed, 28 Feb 2024
http://192.168.11.11/azure-hdinsight-xss-vulnerabilities-analysis-impact-and-remediation/

Multiple Cross-Site Scripting (XSS) vulnerabilities, encompassing Stored XSS and Reflected XSS, have been detected in Azure HDInsight, with severity ratings ranging from 4.5 (Medium) to 4.6 (Medium). These vulnerabilities impacted various products, including Azure Apache Oozie, Apache Ambari, Jupyter Notebooks, Apache Hadoop, and Apache Hive 2. However, Microsoft addressed these vulnerabilities in their Security update released on August 8th.

Six of the vulnerabilities were Stored XSS and two were Reflected XSS, as reported by Cyber Security News. Four of the Stored XSS vulnerabilities were identified in Apache Ambari, affecting YARN Configurations, YARN Queue Manager, Background Operations, and Managed Notifications, all tracked under CVE-2023-36881. The remaining Stored XSS instances were found in Jupyter Notebooks and Apache Oozie, under CVE-2023-35394 and CVE-2023-36877 respectively. CVE-2023-35394 pertained to code execution in Jupyter Notebooks with a severity of 4.6 (Medium), while CVE-2023-36877 related to Web Console Stored XSS with a severity of 4.5 (Medium).

Regarding Reflected XSS, two vulnerabilities were identified in Apache Hadoop and Apache Hive 2, categorized under CVE-2023-38188 and CVE-2023-35393, both with a severity of 4.5 (Medium), and exploitable via endpoint manipulation.

Orca Security has released a comprehensive report detailing the exploitation and proof-of-concept of these vulnerabilities. Users are advised to update their products to the latest version to mitigate the risk of exploitation.
