In this week’s Threat Digest, we delve into a series of pressing threats that yet again underscore the need for vigilance and timely updates. From the critical vulnerabilities in F5’s BIG-IP suite and Cisco’s IOS XE, which are actively being exploited, to another alarming flaw in Atlassian’s Confluence and the exploitation of Apache ActiveMQ for ransomware attacks, organizations are urged to patch up. Additionally, we explore the evolving tactics of the MuddyWater group, shedding light on new threats and emphasizing the importance of staying a step ahead in the cybersecurity landscape. Stay informed and stay safe.

F5 has issued an urgent security advisory to BIG-IP administrators following the discovery and active exploitation of two significant vulnerabilities in its platform. F5 BIG-IP, a suite widely used by large enterprises and government agencies, faces a critical authentication bypass flaw (CVE-2023-46747) and a high-severity SQL injection flaw (CVE-2023-46748). These vulnerabilities could enable attackers to access the Configuration utility and execute arbitrary code or commands. Despite the availability of security updates, evidence of compromised devices and exploitation in the wild has been observed. The Cybersecurity & Infrastructure Security Agency (CISA) has emphasized the importance of government agencies, in particular, applying these updates by November 21, 2023. Given the stealthy nature of these exploits, any unpatched BIG-IP endpoints should be considered potentially compromised and administrators are advised to move directly to the system clean up and restoration phase.

A critical vulnerability in Cisco IOS XE, identified as CVE-2023-20198 combined with CVE-2023-20273, has been patched after public exploit code was released. Security researchers from Horizon3.ai have outlined the exploit method that allows attackers to bypass authentication, granting them full control by creating a user with the highest level of privileges. This exploit was crafted using data from a honeypot established by SECUINFRA’s team. While Cisco has released patches addressing this flaw in several IOS XE software versions, many devices remain at risk. Threat actors began exploiting this vulnerability as a zero-day, with upwards of 60,000 compromised devices at its peak. It is essential for organizations to apply the necessary patches immediately.

Atlassian has issued a warning concerning a new, critical security vulnerability in Confluence Data Center and Server, identified as CVE-2023-22518, that may lead to significant data loss if exploited by unauthenticated actors. The flaw, categorized as an “improper authorization vulnerability,” has a severity rating of 9.1 on the CVSS scale. It affects all Confluence Data Center and Server versions but has been rectified these ones:

• 7.19.16 or later
• 8.3.4 or later
• 8.4.4 or later
• 8.5.3 or later
• 8.6.1 or later

Importantly, the vulnerability doesn’t compromise data confidentiality and Atlassian Cloud is not affected. Atlassian advises customers to promptly secure their on-premise Confluence data center or servers, particularly those accessible online, and to apply patches, especially as critical details about the vulnerability were publicly released on November 2, 2023. While no active exploits have been reported, previous vulnerabilities in the software have been utilized by malicious actors.

Recently, Apache ActiveMQ’s CVE-2023-46604 vulnerability has been identified as a potential avenue for attackers to deploy the HelloKitty ransomware on target systems, especially those with outdated versions of Apache ActiveMQ. This remote code execution (RCE) flaw allows cyber adversaries to run arbitrary shell commands due to insecure deserialization in the OpenWire protocol. Rapid7 linked the activity to the HelloKitty ransomware family after its source code was publicly disclosed. Successful exploitation results in specific file extensions being encrypted and appended with the “.locked” suffix. Organizations are strongly advised to update their ActiveMQ installations and remain vigilant for potential indicators of compromise (IoCs).

A new cyber campaign by the MuddyWater group, showcasing evolved tactics, techniques, and procedures (TTPs), was detected by Deep Instinct’s team. This recent activity leverages a multistage infection mechanism, starting most likely with spear-phishing emails. The victims are lured into downloading archives from a new file sharing platform, “Storyblok.” These archives contain deceptive files and executables, particularly an LNK file, which, when opened, triggers the infection process. Furthermore, this campaign introduces the use of a previously unreported remote monitoring and management (RMM) tool from N-able. After infection, the MuddyWater operators can gain access, carry out reconnaissance, and potentially command the compromised system to connect to a new command and control (C2) framework, named MuddyC2Go. Customers are advised to exercise caution particularly with email attachments.

For real-time intel and updates, don’t forget to follow APG on Twitter and Reddit.