Threat Intel

CVE-2022-26134 – Confluence Zero Day RCE

We are seeing active exploitation in the wild: MIRAI deployment, coinminer deployments etc.

THIS DOES SHOW IN THE ACCESS LOGS! The comment about “what isn’t in the logs” is about POST request BODY not showing in them, not that nothing is logged

https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d/community

XMRIG, KINSING, MIRAI etc. are being deployed by threat actors after exploiting this vulnerability.

This is a fast publish

POC is in the wild: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

https://github.com/jbaines-r7/through_the_wire

keep checking vendor guidance and keep checking this for updates… use at own risk etc.

Workaround/Hotfixes have been published by Atlassian:

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

https://jira.atlassian.com/browse/CONFSERVER-79000

GreyNoise Tag is online: GreyNoise Trends

Also check this out for scanners: GreyNoise

Nice work https://twitter.com/_mattata and all the other people in the cyber community that are working on this!

IT MAY BE WISE TO ASSUME BREACH

The vulnerability appears to be in: xwork-1.0.3-atlassian-10.jar

Background

Velocity discovers a zero-day in confluence 03/06/2022 (GMT)

Read more “CVE-2022-26134 – Confluence Zero Day RCE”
Defence

Office Microsoft Support Diagnostic Tool (MSDT) Vulnerability “Follina”

This is a fast publish!

Confirmed all Office (ISO Install/PRO and 365) when using the Rich Text Format (RTF) method.

Office 365 has some sort of patch against the .DOCX format.

WGET Execution

Read more “Office Microsoft Support Diagnostic Tool (MSDT) Vulnerability “Follina””
A screenshot of a computer Description automatically generated with medium confidence Threat Intel

CVE-2021-38647 – Open Management Infrastructure (OMI) RCE – Linux…

Situation

Ok so the situation is as per usual a bit fluid, when this first dropped I was looking at this with a “azure” lense, however as time goes on it appears this likely also covers any Linux distro with the Azure/SCOM/OMS agents installed. This may change the profile of risk considerable, not only from a public facing attack surafce but highly likely from a lateral movement persspective. I’m going to keep updating this as more intel comes in. (sorry I’d be clearer if I had a clearer picture myself)

This week 4 vulnerabilities were disclosed which affect Azure virtual machines running the Open Management Infrastructure (OMI) agent (think PowerShell remoting). As above the scope seems to be slightly wider with regard to SCOM/AZURE and OMS/Sentinel etc. agents for Linux (I want to confirm all of this but for now it seems this is the position)

Essentially these vulnerabilities allow for both network-based remove code execution (RCE) and local privilege escalation (LPE).

  • There is evidence of exploitation in honeypots.
  • There is a public proof of concept available for the RCE.
  • The internet facing attack surface from a global perspective seems low based on the data in Shodan and Censys however I’m not convinced this is currently giving a clear picture.
    • So, check your azure networks, Vms and firewalls would be a sensible idea

Read more “CVE-2021-38647 – Open Management Infrastructure (OMI) RCE – Linux hosts”

Defense

ProxyLogon (CVE-2021-26855) PoC and Metasploit Module Released

The last two weeks we’ve seen major activity around the world with defenders and criminals rushing to respond to the recent zero day vulnerability patches and then the race to reverse engineer the kill chain to create an explot. We saw a PoC fairly early but it required that you reverse engineer some exchange DLLs and/or TAP the 443 to 444 interface on an exchange server to work out how to weaponise it. Things however have progressed, 8 hours ago we saw a metasploit module go online:

Read more “ProxyLogon (CVE-2021-26855) PoC and Metasploit Module Released”
Copyright (c) Xservus Limited