Introduction

In this week’s Threat Digest, we dive into a range of emerging threats and critical advisories that underline the persistent evolution of the cybersecurity landscape. From unveiling the menacing Menorah malware by APT34, to alarming vulnerabilities in prominent software like WS_FTP Server and Atlassian’s Confluence, the urgency for robust cybersecurity measures is clearer than ever. Additionally, a glaring data exposure by Really Simple Systems and a notable joint advisory by the NSA and CISA on prevalent cyber misconfigurations highlight the importance of continuous vigilance, timely patching, and embracing secure-by-design principles.

Shedding Light on Cyberthreats: APT34’s Menorah Malware

Cybersecurity firm Trend Micro has identified a new malware strain, dubbed “Menorah,” attributed to the notorious APT group APT34, amidst a phishing attack investigation. Embedded within a deceptive document, this malware signifies a potential Saudi Arabian target, showcasing APT34’s persistent cyber espionage activities in the Middle East. Menorah employs a unique mechanism of dropping a .NET-based payload and creating a scheduled task for persistence, highlighting an evolving threat landscape. This method underscores the critical importance of monitoring scheduled tasks to detect signs of malicious activity. The malware’s resemblance to a previously known APT34 tool, SideTwist, and its ability to communicate with a command and control (C2) server, albeit inactive, accentuates the need for robust monitoring tools and continuous vigilance.

UPDATE: Patch It Up: WS_FTP Server’s Unplanned Fixes

The disclosure of the severe CVE-2023-40044 vulnerability in Progress Software’s WS_FTP Server has escalated with the release of a proof-of-concept (PoC) exploit by security researchers from Assetnote, enabling unauthenticated attackers to remotely commandeer affected systems. Rapid7 has reported real-world exploitations of this flaw, suggesting possible mass exploitation by a single threat actor. Predominantly large enterprises, governments, and educational institutions, with about 2.9k hosts exposed online, are at risk. This development underscores the critical need for organizations to either upgrade to the advised version 8.8.2 or disable the vulnerable Ad Hoc Transfer Module to bolster their IT infrastructure’s security. This new threat landscape emphasizes the continuous evolution of cyberthreats, making it imperative for customers to take swift action to mitigate risks and ensure secure file transfer operations within their networks.

Critical Vulnerability in Confluence Data Center and Server

Atlassian has revealed a critical privilege escalation vulnerability, CVE-2023-22515, impacting its Confluence Data Center and Server products, following reports of external exploitation that led to unauthorized administrator account creations. This flaw spans several versions from 8.0.0 to 8.5.1, prompting an advisory for users to upgrade to the fixed versions: 8.3.3, 8.4.3, or 8.5.2 (Long Term Support release) or later to prevent unauthorized access. For those who cannot upgrade immediately, it is recommended to restrict external network access and block access to the “/setup/*” endpoints on Confluence instances to mitigate known attack vectors. Besides upgrading, Atlassian emphasizes the importance of engaging security teams to inspect for indicators of compromise (IoCs) such as unexpected members in the confluence-administrator group or unusual network requests in access logs.
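As an added illustration of the two IoC checks just described (example code written for this digest, not Atlassian’s own tooling), the script below scans access-log lines for requests to the “/setup/*” endpoints and compares confluence-administrator membership against an approved list. The log lines, paths, IP addresses and account names are constructed assumptions, not observed indicators.

```python
import re

# Constructed sample lines in combined log format (not from a real Confluence instance).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [04/Oct/2023:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2023:10:15:09 +0000] "POST /setup/example-step.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [04/Oct/2023:10:16:30 +0000] "GET /rest/api/space HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2023:10:16:45 +0000] "GET /setup/another-step.action?x=1 HTTP/1.1" 200 1200 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def find_setup_requests(log_text):
    """Return one dict per request whose path is under /setup/, the endpoints
    Atlassian advises blocking while CVE-2023-22515 remains unpatched."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path.startswith("/setup/"):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status", "ua")})
    return hits


def unexpected_admins(current_members, approved_members):
    """Accounts present in confluence-administrator but absent from the approved list."""
    return sorted(set(current_members) - set(approved_members))


if __name__ == "__main__":
    for hit in find_setup_requests(SAMPLE_ACCESS_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']} ({hit['ua']})")
    # Hypothetical membership snapshot versus the approved baseline.
    print(unexpected_admins(["admin", "j.doe", "svc-backup2"], ["admin", "j.doe"]))
```

Feed the real access log in place of the constructed sample and the membership list exported from the Confluence user directory; any hit on a patched instance still warrants a look at when the request arrived relative to the upgrade.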

No Password, No Problem: Really Simple Systems’ Oops

Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database belonging to Really Simple Systems, a global B2B CRM provider, exposing over 3 million records. The exposed data encompassed internal communications, invoices, and customer CRM files from various organizations worldwide, revealing a significant amount of Personally Identifiable Information (PII). The exposed data presents potential risks including invoice fraud and targeted phishing attacks, highlighting the vulnerability of unsecured CRM databases. Upon discovery, some corrective actions were taken, yet the incident underscores the crucial need for robust cybersecurity measures like encryption and regular penetration testing to prevent unauthorized access, safeguarding sensitive business and customer information against cyberthreats.

NSA and CISA Highlight Top Ten Cyber Misconfigurations

The NSA and CISA have issued a joint advisory outlining ten prevalent cybersecurity misconfigurations in large organizations, underlining a systemic trend of weaknesses even among entities with mature cybersecurity stances. These misconfigurations, ranging from poor patch management to insufficient network monitoring, expose organizations to exploitation by malicious actors. The advisory emphasizes the critical role of adopting secure-by-design principles for software manufacturers and underscores the importance of well-resourced network security teams in implementing known mitigations. The advisory also provides specific recommendations to bolster security postures, urging a collaborative effort between network defenders and software manufacturers to enhance cybersecurity outcomes.
