This week’s Threat Digest covers a range of emerging cyberthreats, from Qakbot’s resurgence in the hospitality industry, to sophisticated attacks exploiting vulnerabilities in Apache Struts and JetBrains TeamCity. We delve into Silverpeas’ numerous vulnerabilities and Microsoft’s significant year-end patch update. Additionally, we highlight the Lazarus Group’s resurrection of the Log4Shell vulnerability.
Qakbot Strikes Back: The Malware’s New Chapter
The latest cybersecurity update from Microsoft highlights the resurgence of Qakbot malware, now targeting the hospitality industry with novel tactics. This malware campaign involves phishing messages with a PDF pretending to be from an IRS employee. The PDF contains a URL that downloads a Windows Installer, which then executes Qakbot via an embedded DLL. Notably, this version of Qakbot is a new, digitally signed variant. Previously disrupted by law enforcement, Qakbot’s comeback mirrors that of other enduring threats like Emotet, emphasizing the ongoing need for vigilance against such sophisticated malware campaigns.
Apache Struts Vulnerability: Attacks from Multiple Angles
A critical vulnerability in Apache Struts 2, identified as CVE-2023-50164 with a CVSS score of 9.8, is being exploited in global cyberattacks. According to Malwarebytes Labs, this path traversal flaw in Struts’ file upload functionality enables attackers to execute remote code by manipulating file paths. The vulnerability, which affects multiple Struts versions, allows attackers to implant web shells for persistent access and control over compromised servers. Organizations are urged to update to Struts versions 2.5.33 or 18.104.22.168 and implement additional security measures. Warnings about active exploitation have been issued by various international cybersecurity agencies.
CISA Advisory: APT29 and the JetBrain’s Jigsaw
The joint cybersecurity advisory by CISA warns of APT29, linked to Russia’s SVR, exploiting CVE-2023-42793 to target JetBrains TeamCity servers since September 2023. The sophisticated group, noted for the 2020 SolarWinds breach, utilizes this vulnerability for escalating privileges, lateral movements, and distributing backdoors, thereby enabling long-term surveillance and data exfiltration. They employ a “Bring Your Own Vulnerable Driver” technique to evade EDR and AV detection and disable security software. Users are advised to update to TeamCity 2023.05.04 and consider deploying true Managed Detection and Response (MDR) for effective defense.
Read Blackpoint Cyber’s original cyberthreat notice on LinkedIn.
Silverpeas Vulnerability Overload
Rhino Security Labs discovered eight vulnerabilities in Silverpeas Core, an open-source collaboration platform. The most critical, CVE-2023-47324, is a Stored Cross-Site Scripting (XSS) vulnerability in the messaging feature. This flaw allows attackers to gain administrative access and perform a full file read on the server, potentially accessing sensitive data. Users are advised to update to Silverpeas version 6.3.2.
Wrapping up the Year with Microsoft’s Final Patch Tuesday
Microsoft’s final 2023 Patch Tuesday update addressed 33 vulnerabilities, including four critical and 29 important ones according to a report from Zero Day Initiative. This update follows 18 fixes for the Chromium-based Edge browser since November. The year 2023 saw Microsoft patch over 900 flaws, slightly less than 2022’s 917. Notable vulnerabilities include CVE-2023-35628 and CVE-2023-36019, with the latter posing a significant risk through malicious URLs. Microsoft also resolved three DHCP server vulnerabilities. Additionally, Akamai reported new attacks exploiting Microsoft DHCP servers, leading to possible Active Directory compromises.
Lazarus Group Sheds Light back on Log4Shell
North Korean hackers, particularly the group Andariel within the Lazarus collective, are exploiting the Log4Shell vulnerability, CVE-2021-44228, to attack organizations globally. They’re deploying novel remote access Trojans (RATs) written in the D programming language, aiming for persistence and espionage. According to Dark Reading, recent targets include organizations in agriculture, manufacturing, and physical security across South America, Europe, and the US. These attacks underscore the need for vigilance against sophisticated, bespoke malware, and the importance of patching known vulnerabilities like Log4Shell.