
Cybersecurity Updates: October 2023

Aswant Solution

SECURITY BULLETINS
Week 4 October 2023
CyberSecurity Malaysia to use RM60m allocation
to strengthen national cyber security ecosystem

PUTRAJAYA, Oct 14 — CyberSecurity Malaysia (CSM) will fully utilise the RM60 million allocation
announced by Prime Minister Datuk Seri Anwar Ibrahim in Budget 2024 yesterday to strengthen the
national cyber security ecosystem.

In a statement today, its chief executive officer, Datuk Amirudin Abdul Wahab said the allocation will be
used to implement the 5G Cyber Security Testing Framework as well as 5G Technology Local Expertise
which includes the scope of hardware, equipment, applications and advanced technology ecosystem.

As a national cyber security specialist centre and technical agency, CSM will fully benefit from this
allocation to strengthen its technical capabilities, conduct research, empower cyber security initiatives
and programmes that are preventive, proactive and responsive through identified projects, he said.

“This allocation reflects the government’s seriousness in strengthening the country’s defence system
against cyber threats and attacks, as well as ensuring that the people always remain at the forefront in
protecting important infrastructure and information for the sake of national security and well-being, in
addition to strengthening the sustainability of cyber security,” he said.

Amirudin also said this initiative is expected to benefit more than 120 organisations including the
government, industries, academia and mobile service providers, as well as 800 cyber security
professionals who have undergone training in 5G security testing services. — Bernama
TSplus and Kaspersky Forge Groundbreaking
Partnership to Enhance Remote Access Security
TSplus, a global leader in remote access and Application Delivery solutions, is proud to announce a
strategic partnership with Kaspersky, a renowned cybersecurity leader. This collaboration aims to
revolutionize the realm of remote access security by embedding the TSplus Remote Access
Connection client into the KasperskyOS Cyber Immune thin client.

In an era where remote work has become the new norm, the demand for secure and reliable remote
access solutions has surged. TSplus has been at the forefront of this evolution, consistently delivering
innovative solutions that empower organizations to connect to their digital assets securely,
efficiently, and with ease.

Kaspersky, on the other hand, has long been recognized for its unwavering commitment to
safeguarding businesses and individuals from cyber threats. Their world-class cybersecurity solutions
have been trusted by millions globally to protect critical data and systems.

The strategic partnership between TSplus and Kaspersky brings together the best of both worlds.
Both companies share a common vision of making remote work not only more accessible but also
more secure. This partnership signifies a significant step towards achieving that vision. It combines
the trust and expertise of two industry giants to provide a complete remote working solution that
businesses can rely on in today's digital landscape.

The TSplus and Kaspersky collaboration is set to be a game-changer for businesses looking to adapt
to the evolving workplace dynamics while ensuring the highest level of cybersecurity.

"We are thrilled to join forces with Kaspersky, a company that shares our commitment to delivering
top-notch solutions to businesses worldwide," said Dominique Benoit, CEO of TSplus. "Together, we
are ready to set a new standard for remote access security and convenience."

Commenting on the successful MoU, Andrey Suvorov, Head of KasperskyOS Business said: “With an
ever-evolving work environment, we have increasingly noted a demand for Remote Desktop solutions
around the world. We develop these kinds of solutions based on the KasperskyOS operating system.
We believe Kaspersky Thin Client has great potential, and our partnership with TSplus reinforces this
belief. It is based on our first and agile joint efforts we started in April 2023 and I am personally
satisfied with enthusiasm and profound quality of our cooperation.”

The two companies have agreed to begin the partnership with a 3-year engagement, setting the stage
for a longer-term evolution based on mutual success.
A cascade of compromise: unveiling Lazarus’ new
campaign

The North Korea-aligned Lazarus Group has been attributed as being behind a new campaign in which an
unnamed software vendor was compromised through the exploitation of known security flaws in
another high-profile software product.

The attack sequences, according to Kaspersky, culminated in the deployment of malware families
such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for victim profiling and
payload delivery.

"The adversary demonstrated a high level of sophistication, employing advanced evasion techniques
and introducing SIGNBT malware for victim control," security researcher Seongsu Park said. "The SIGNBT
malware used in this attack employed a diverse infection chain and sophisticated techniques."

The Russian cybersecurity vendor said the company that developed the exploited software had been
a victim of a Lazarus attack several times, indicating an attempt to steal source code or poison the
software supply chain, as in the case of the 3CX supply chain attack.

The Lazarus Group "continued to exploit vulnerabilities in the company's software while targeting other
software makers," Park added. As part of the latest activity, a number of victims are said to have been
singled out as of mid-July 2023.

The victims, per the company, were targeted through legitimate security software designed to
encrypt web communications using digital certificates. The name of the software was not disclosed,
and the exact mechanism by which it was weaponized to distribute SIGNBT remains unknown.

Besides relying on various tactics to establish and maintain persistence on compromised systems, the
attack chains employ an in-memory loader that acts as a conduit to launch the SIGNBT malware.

The main function of SIGNBT is to establish contact with a remote server and retrieve further
commands for execution on the infected host. The malware is so named for its use of distinctive
strings that are prefixed with "SIGNBT" in its HTTP-based command-and-control (C2) communications.

Read more details [Link]


BIG-IP Configuration utility unauthenticated remote code
execution vulnerability CVE-2023-46747
F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in
unauthenticated remote code execution.

The issue, rooted in the configuration utility component, has been assigned the CVE identifier
CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP
system through the management port and/or self IP addresses to execute arbitrary system
commands," F5 said in an advisory released Thursday. "There is no data plane exposure; this is
a control plane issue only."

As mitigations, F5 has also made available a shell script for users of BIG-IP versions 14.1.0 and
later. "This script must not be used on any BIG-IP version prior to 14.1.0 or it will prevent the
Configuration utility from starting," the company warned.

Other temporary workarounds available for users are below:

Block Configuration utility access through self IP addresses
Block Configuration utility access through the management interface

Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering
and reporting the vulnerability on October 4, 2023.

The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an
authentication bypass issue that can lead to a total compromise of the F5 system by executing
arbitrary commands as root on the target system, noting it's "closely related to CVE-2022-26377."

Praetorian is also recommending that users restrict access to the Traffic Management User
Interface (TMUI) from the internet. It's worth noting that CVE-2023-46747 is the third
unauthenticated remote code execution flaw uncovered in TMUI after CVE-2020-5902 and
CVE-2022-1388.

"A seemingly low impact request smuggling bug can become a serious issue when two
different services offload authentication responsibilities onto each other," the researchers said.
"Sending requests to the 'backend' service that assumes the 'frontend' handled authentication
can lead to some interesting behavior."
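The following is an added illustration of the bug class the researchers describe, not F5 code and not the request used against CVE-2023-46747: a front end that authenticates requests and forwards the raw bytes, a back end that trusts everything it receives, and the two disagreeing on where one request ends (the front end frames on Content-Length, the back end on Transfer-Encoding). Paths, hostname and the credential are made up for the example.

```python
"""Toy model of authentication offloading defeated by request smuggling.

Added example, not F5 code. The /public/ prefix, the hostname bigip.example
and the Basic credential are assumptions made for the illustration.
"""
from dataclasses import dataclass, field

PUBLIC_PREFIXES = ("/public/",)            # assumed: the login page needs no auth
VALID_AUTH = {"Basic YWRtaW46c2VjcmV0"}    # constructed credential (admin:secret)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _parse_head(buf: bytes):
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _ = lines[0].decode().split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, rest


def parse_cl(buf: bytes):
    """Front-end framing: Content-Length only; Transfer-Encoding is ignored."""
    method, path, headers, rest = _parse_head(buf)
    n = int(headers.get("content-length", "0"))
    return Request(method, path, headers, rest[:n]), rest[n:]


def parse_te(buf: bytes):
    """Back-end framing: honours Transfer-Encoding: chunked when present."""
    method, path, headers, rest = _parse_head(buf)
    if headers.get("transfer-encoding", "").lower() != "chunked":
        return parse_cl(buf)
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line, 16)
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")   # CRLF that ends the last chunk
            return Request(method, path, headers, body), rest
        body += rest[:size]
        rest = rest[size + 2:]


def build_request(method, path, headers, body=b""):
    head = f"{method} {path} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode() + b"\r\n" + body


def serialize(req: Request) -> bytes:
    """Re-emit a parsed request with unambiguous framing (Content-Length only)."""
    headers = {k: v for k, v in req.headers.items() if k not in ("content-length", "transfer-encoding")}
    headers["content-length"] = str(len(req.body))
    return build_request(req.method, req.path, headers, req.body)


def backend(stream: bytes):
    """Serves every request it can frame, assuming the front end authenticated them all."""
    served = []
    while stream.strip():
        req, stream = parse_te(stream)
        served.append(req.path)
    return served


def _authorised(req: Request) -> bool:
    return req.path.startswith(PUBLIC_PREFIXES) or req.headers.get("authorization") in VALID_AUTH


def frontend_vulnerable(stream: bytes):
    req, leftover = parse_cl(stream)
    if not _authorised(req):
        return ["401"]
    return backend(stream[: len(stream) - len(leftover)])   # forwards raw bytes it framed as one request


def frontend_hardened(stream: bytes):
    _, _, headers, _ = _parse_head(stream)
    if "content-length" in headers and "transfer-encoding" in headers:
        return ["400"]                       # ambiguous framing is rejected outright
    req, _ = parse_cl(stream)
    if not _authorised(req):
        return ["401"]
    return backend(serialize(req))           # forward a re-serialised request, never the raw bytes


def attack_stream() -> bytes:
    """Unauthenticated POST to a public path; the chunked body ends at once and hides a second request."""
    smuggled = build_request("GET", "/admin", {"Host": "bigip.example"})
    body = b"0\r\n\r\n" + smuggled
    return build_request("POST", "/public/login",
                         {"Host": "bigip.example", "Content-Length": str(len(body)),
                          "Transfer-Encoding": "chunked"}, body)


def legit_stream() -> bytes:
    return build_request("POST", "/public/login",
                         {"Host": "bigip.example", "Content-Length": "8"}, b"user=bob")
```

The vulnerable front end checks one request (the public login) and ships the whole byte run to the back end, which frames it as two requests and serves `/admin` without any credential ever being checked. The hardened variant refuses requests that carry both framing headers and only ever forwards a request it has parsed and re-serialised itself; in a real deployment the back end should also re-check authorisation rather than trust a header set by the tier in front of it, and F5's own workaround of keeping TMUI off the internet and off self IPs still applies.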

Read more details here [Link]


Threat Actors Actively Exploiting Cisco IOS XE
Zero-day Vulnerability
Threat actors exploit zero-day vulnerabilities because these flaws are unknown to the software
developers, making them highly effective for launching attacks.

Exploiting zero-days allows malicious actors to bypass security measures and gain unauthorized
access or control over systems, maximizing their chances of success.

Cisco has discovered a new zero-day vulnerability (CVE-2023-20198) in the Web UI feature of Cisco
IOS XE that affects devices with the HTTP/HTTPS server feature enabled and exposed to the internet
or to untrusted networks.

The web user interface (UI) is a graphical user interface (GUI) based system administration
application that simplifies system management without the need for any additional installation or
licensing. Cisco nevertheless strongly advises against exposing the web UI to the internet or to
untrusted networks because of the security risk.

Cisco detected suspicious activity on a customer device starting September 18 and confirmed
related behavior by September 28.

This involved creating a ‘cisco_tac_admin’ account from an unusual IP address (5.149.249[.]74). The
activity ceased on October 1, with no additional related behavior observed.

Cisco Talos Incident Response (Talos IR) and TAC identified a related cluster of activity on October 12.
An unauthorized user created a ‘cisco_support’ account from IP address 154.53.56[.]231.

This activity included deploying an implant (‘cisco_service.conf’) that adds a new web server
endpoint for command execution at the system or IOS level. The implant itself does not survive a
reboot, but the administrator-level user accounts it creates do.

CVE-2023-20198 has a critical CVSS score of 10, enabling full admin access and granting an attacker
control over the router for possible unauthorized activities.

Cisco initially assessed that the actor exploited CVE-2021-1435 to install the implant, but also saw
the implant installed on devices fully patched against that flaw through a mechanism that was still
undetermined at the time of the report. The implant, 29 lines of Lua, allows arbitrary command
execution.
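The checks below are an added example built from the indicators in the write-up above, not Cisco tooling: the implant probe is the one Cisco published with its guidance (an HTTP POST to `/webui/logoutconfirm.html?logon_hash=1` answered with an 18-character hexadecimal string), and the config and syslog samples are constructed, with the account names and source IPs taken from the bulletin. `probe_device` needs network access and is not exercised offline.

```python
"""IOS XE web UI implant and account checks (added example; not Cisco tooling)."""
import re
import ssl
import urllib.error
import urllib.request

# Cisco's published implant check: POST here; an 18-character hex reply means the implant answered.
IMPLANT_PROBE_PATH = "/webui/logoutconfirm.html?logon_hash=1"
_HEX18 = re.compile(r"^[0-9a-fA-F]{18}$")

# Account names and source IPs reported in the activity above (IPs defanged as in the bulletin).
SUSPECT_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}
SUSPECT_SOURCES = {s.replace("[.]", ".") for s in ("5.149.249[.]74", "154.53.56[.]231")}


def implant_present(body: str) -> bool:
    return bool(_HEX18.match(body.strip()))


def probe_device(host: str, timeout: float = 5.0) -> bool:
    """Live check of one device's web UI over HTTPS. Requires network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # device web UIs usually carry self-signed certs
    req = urllib.request.Request(f"https://{host}{IMPLANT_PROBE_PATH}", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return implant_present(resp.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return False                          # no answer is not the same as clean


_HTTP_SERVER = re.compile(r"^ip http (?:secure-)?server$", re.M)
_USERNAME = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
_LOGIN = re.compile(r"\[user:\s*(\S+)\]\s*\[Source:\s*([\d.]+)\]")


def web_ui_enabled(running_config: str):
    """Lines that keep the web UI listening; remove with 'no ip http server' / 'no ip http secure-server'."""
    return _HTTP_SERVER.findall(running_config)


def suspicious_local_users(running_config: str):
    """Local accounts matching the reported names, plus every privilege-15 account for review."""
    suspect, priv15 = [], []
    for name, priv in _USERNAME.findall(running_config):
        if name in SUSPECT_ACCOUNTS:
            suspect.append(name)
        if priv == "15":
            priv15.append(name)
    return {"suspect": suspect, "privilege15": priv15}


def logins_from_suspect_sources(syslog_text: str):
    """(user, source IP) pairs from login-success messages whose source is a reported IP."""
    return [(user, ip) for user, ip in _LOGIN.findall(syslog_text) if ip in SUSPECT_SOURCES]


# Constructed sample running-config and syslog lines (not from a real device).
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$abc
username cisco_support privilege 15 secret 9 $9$def
ip http server
ip http secure-server
"""

SAMPLE_LOG = """\
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 154.53.56.231] [localport: 443]
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.20] [localport: 22]
"""
```

A negative probe result is not proof of absence: a device that was reachable but does not answer the probe may still carry a modified implant or the persistent accounts, so review the local user list and login history regardless, and treat any privilege-15 account you cannot account for as a finding.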

Read more details [Link]
Octo Tempest crosses boundaries to facilitate
extortion, encryption, and destruction
The prolific threat actor known as Scattered Spider has been observed impersonating newly hired
employees in targeted firms as a ploy to blend into normal onboarding processes, take over accounts
and breach organizations across the world.

Microsoft, which disclosed the activities of the financially motivated hacking crew, described the
adversary as "one of the most dangerous financial criminal groups," calling out its operational fluidity
and its ability to incorporate SMS phishing, SIM swapping, and help desk fraud into its attack model.

"Octo Tempest is a financially motivated collective of native English-speaking threat actors known for
launching wide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM)
techniques, social engineering, and SIM swapping capabilities," the company said.

It's worth noting that the activity represented by Octo Tempest is tracked by other cybersecurity
companies under various monikers, including 0ktapus, Scatter Swine, and UNC3944, which has
repeatedly singled out Okta to obtain elevated permissions and infiltrate targeted networks.

One of the key hallmarks is the targeting of support and help desk personnel via social engineering
attacks to gain initial access to privileged accounts, tricking them into performing a reset of the
victim's password and multi-factor authentication (MFA) methods.

Other approaches entail purchasing an employee's credentials and/or session token(s) on a criminal
underground market, or calling the individual directly and socially engineering the user to either install
a Remote Monitoring and Management (RMM) utility, visit a fake login portal using an AiTM phishing
toolkit, or remove their FIDO2 token.
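The help-desk reset is the step worth alerting on. The following is an added example, not Microsoft's detection logic, that correlates a reset of a user's password or MFA performed by someone other than that user with a follow-on MFA enrolment or sign-in for the same user from an address the user had never signed in from before the reset. The events and their field names are constructed for the example and do not follow any vendor's log schema.

```python
"""Help-desk reset followed by takeover: a correlation rule over constructed events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str      # who performed the action
    target: str     # account acted upon
    action: str     # reset_password | reset_mfa | register_mfa_method | sign_in
    ip: str


RESET_ACTIONS = {"reset_password", "reset_mfa"}
FOLLOW_ON = {"register_mfa_method", "sign_in"}


def _t(hhmm):   # helper for the constructed sample timestamps
    return datetime(2023, 10, 20, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events; generic field names, not any vendor's schema.
SAMPLE_EVENTS = [
    Event(_t("08:00"), "alice", "alice", "sign_in", "10.0.0.5"),
    Event(_t("08:10"), "carol", "carol", "sign_in", "10.0.0.7"),
    Event(_t("08:15"), "dave", "dave", "sign_in", "10.0.0.9"),
    Event(_t("12:00"), "helpdesk.bob", "alice", "reset_mfa", "10.0.5.1"),      # caller claimed to be alice
    Event(_t("12:04"), "alice", "alice", "register_mfa_method", "203.0.113.9"),  # address never seen
    Event(_t("12:05"), "alice", "alice", "sign_in", "203.0.113.9"),
    Event(_t("12:30"), "carol", "carol", "reset_mfa", "10.0.0.7"),             # self-service, own address
    Event(_t("12:31"), "carol", "carol", "register_mfa_method", "10.0.0.7"),
    Event(_t("13:00"), "helpdesk.bob", "dave", "reset_password", "10.0.5.1"),
    Event(_t("13:02"), "dave", "dave", "sign_in", "10.0.0.9"),                 # known address: benign
]


def helpdesk_reset_takeovers(events, window=timedelta(minutes=30)):
    """Third-party resets followed within `window` by MFA enrolment or sign-in from a new address."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, reset in enumerate(events):
        if reset.action not in RESET_ACTIONS or reset.actor == reset.target:
            continue
        # addresses the target signed in from before the reset happened
        known_ips = {e.ip for e in events[:i] if e.target == reset.target and e.action == "sign_in"}
        for follow in events[i + 1:]:
            if follow.ts - reset.ts > window:
                break
            if follow.target == reset.target and follow.action in FOLLOW_ON and follow.ip not in known_ips:
                findings.append({"target": reset.target, "reset_by": reset.actor,
                                 "reset_at": reset.ts, "first_suspect": follow})
                break
    return findings
```

Novel source address is a weak signal on its own, since a caller who has done their homework can come through a residential proxy in the victim's city; device identity, ASN, and whether the reset ticket was opened by the user's own verified channel are the stronger fields to add when your telemetry has them.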

Initial attacks mounted by the group targeted mobile telecommunication providers and business
process outsourcing (BPO) organizations to initiate SIM swaps, before graduating to monetizing the
access for selling SIM swaps to other criminals and performing account takeovers of high-net-worth
individuals for cryptocurrency theft.

Octo Tempest has since diversified its targeting to include email and tech service providers, gaming,
hospitality, retail, managed service providers (MSPs), manufacturing, technology, and financial
sectors, while simultaneously emerging as an affiliate for the BlackCat ransomware gang in mid-2023
to extort victims.

Put differently, the end goal of the attacks varies between cryptocurrency theft and data exfiltration for
extortion and ransomware deployment.

"In late 2022 to early 2023, [...] Octo Tempest started monetizing intrusions by extorting victim
organizations for data stolen during their intrusion operations and in some cases even resorting to
physical threats," Microsoft said.

"In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals
through phone calls and texts. These actors use personal information, such as home addresses and
family names, along with physical threats to coerce victims into sharing credentials for corporate
access."

Read more details here [Link]
Record-Breaking 100 Million RPS DDoS Attack Exploits
HTTP/2 Rapid Reset Flaw

Cloudflare on Thursday said it mitigated thousands of hyper-volumetric HTTP distributed denial-of-service
(DDoS) attacks that exploited a recently disclosed flaw called HTTP/2 Rapid Reset, 89 of which
exceeded 100 million requests per second (RPS).

"The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared
to the previous quarter," the web infrastructure and security company said in a report shared with The
Hacker News. "Similarly, L3/4 DDoS attacks also increased by 14%."

The total number of HTTP DDoS attack requests in the quarter surged to 8.9 trillion, up from 5.4 trillion
in Q2 2023 and 4.7 trillion in Q1 2023. The number of attack requests in Q4 2022 stood at 6.5 trillion.

HTTP/2 Rapid Reset (CVE-2023-44487) came to light earlier this month following an industry-wide
coordinated disclosure that delved into DDoS attacks orchestrated by an unknown actor by
leveraging the flaw to target various providers such as Amazon Web Services (AWS), Cloudflare, and
Google Cloud.

Fastly, in a disclosure of its own on Wednesday, said it countered a similar attack that peaked at a
volume of about 250 million RPS and a duration of approximately three minutes.

"Botnets that leverage cloud computing platforms and exploit HTTP/2 are able to generate up to
x5,000 more force per botnet node," Cloudflare noted. "This allowed them to launch hyper-volumetric
DDoS attacks with a small botnet ranging 5-20 thousand nodes alone."
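Why a small botnet gets that much force: HTTP/2 lets a client cancel a stream with RST_STREAM the instant after opening it, the server frees the concurrency slot immediately, and the request it already began processing is wasted work. The simulation below is an added example, not any server's implementation, of a per-connection budget on client-initiated resets; the budget value, window and error code are assumptions chosen for the illustration.

```python
"""HTTP/2 Rapid Reset pattern versus a per-connection reset budget (added example)."""
from collections import deque


class ConnectionGuard:
    """Tracks one client connection's open streams and client-initiated resets.

    reset_budget=None reproduces the unmitigated behaviour: every RST_STREAM frees a
    slot at once, so max_concurrent_streams never limits the rate of new requests.
    With a budget, more than that many resets inside `window` seconds closes the
    connection with GOAWAY.
    """

    def __init__(self, max_concurrent_streams=100, reset_budget=None, window=1.0):
        self.max_concurrent = max_concurrent_streams
        self.reset_budget = reset_budget
        self.window = window
        self.open_streams = set()
        self.reset_times = deque()
        self.goaway = None          # set to an error code once the connection is closed

    def on_headers(self, stream_id, now):
        """Client opens a stream; returns what the server does with it."""
        if self.goaway:
            return "dropped"
        if len(self.open_streams) >= self.max_concurrent:
            return "refused"        # RST_STREAM(REFUSED_STREAM): no backend work started
        self.open_streams.add(stream_id)
        return "dispatched"         # backend work starts here; this is the cost the attack multiplies

    def on_rst_stream(self, stream_id, now):
        """Client cancels a stream; the concurrency slot is freed immediately."""
        self.open_streams.discard(stream_id)
        if self.reset_budget is None:
            return "reset"
        self.reset_times.append(now)
        while self.reset_times and now - self.reset_times[0] > self.window:
            self.reset_times.popleft()
        if len(self.reset_times) > self.reset_budget:
            self.goaway = "ENHANCE_YOUR_CALM"   # assumed choice; servers differ in the code they send
            return "goaway"
        return "reset"

    def on_end_stream(self, stream_id):
        self.open_streams.discard(stream_id)


def rapid_reset_client(guard, n_streams, frame_gap=1e-5):
    """Attacker: HEADERS immediately followed by RST_STREAM, n_streams times, in a fraction of a second."""
    dispatched = 0
    now = 0.0
    for i in range(n_streams):
        sid = 2 * i + 1             # client-initiated stream IDs are odd
        if guard.on_headers(sid, now) == "dispatched":
            dispatched += 1
        guard.on_rst_stream(sid, now)
        now += frame_gap
    return {"dispatched": dispatched, "goaway": guard.goaway}


def well_behaved_client(guard, n_streams):
    """Normal client: opens streams and lets them complete; never resets, never exceeds the limit."""
    dispatched = 0
    for i in range(n_streams):
        sid = 2 * i + 1
        if guard.on_headers(sid, 0.0) == "dispatched":
            dispatched += 1
        guard.on_end_stream(sid)
    return {"dispatched": dispatched, "goaway": guard.goaway}
```

With no budget, ten thousand HEADERS/RST_STREAM pairs on one connection dispatch ten thousand units of backend work even though the concurrency limit is 100; with a budget of 100 resets per second the same client gets 101 requests in before the connection is closed, and a client that lets its streams finish is never affected. Production fixes in the affected servers work on the same idea (counting resets, or resets relative to streams served) with their own thresholds.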

Some of the top industries targeted by HTTP DDoS attacks include gaming, IT, cryptocurrency,
computer software, and telecom, with the U.S., China, Brazil, Germany, and Indonesia accounting for
the biggest sources of application layer (L7) DDoS attacks.

On the other hand, the U.S., Singapore, China, Vietnam, and Canada emerged as the main targets of
HTTP DDoS attacks.

Read more details [Link]


Winter Vivern exploits zero-day vulnerability in
Roundcube Webmail servers

The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube
webmail software on October 11, 2023, to harvest email messages from victims' accounts.

"Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET
security researcher Matthieu Faou said in a new report published today. "Previously, it was using
known vulnerabilities in Roundcube and Zimbra, for which proofs-of-concept are available online."

Winter Vivern, also known as TA473 and UAC-0114, is an adversarial collective whose objectives align
with that of Belarus and Russia. Over the past few months, it has been attributed to attacks against
Ukraine and Poland, as well as government entities across Europe and India.

The group is also assessed to have exploited another Roundcube flaw (CVE-2020-35730) as recently as
August and September, making it the second nation-state group after APT28 to target the open-source
webmail software.

The new security vulnerability in question is CVE-2023-5631 (CVSS score: 5.4), a stored cross-site
scripting flaw that could allow a remote attacker to load arbitrary JavaScript code. A fix was released
on October 16, 2023.

Attack chains mounted by the group commence with a phishing message that incorporates a
Base64-encoded payload in the HTML source code that, in turn, decodes to a JavaScript injection
from a remote server by weaponizing the XSS flaw.

"In summary, by sending a specially crafted email message, attackers are able to load arbitrary
JavaScript code in the context of the Roundcube user's browser window," Faou explained. "No manual
interaction other than viewing the message in a web browser is required."

The second-stage JavaScript ([Link]) is a loader that facilitates the execution of a final
JavaScript payload that allows the threat actor to exfiltrate email messages to a command-and-
control (C2) server.

"Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because
of its persistence, very regular running of phishing campaigns, and because a significant number of
internet-facing applications are not regularly updated although they are known to contain
vulnerabilities," Faou said.

Read more details [Link]
VMware Releases Patch for Critical vCenter Server
RCE Vulnerability

VMware has released security updates to address a critical flaw in the vCenter Server that could
result in remote code execution on affected systems.

The issue, tracked as CVE-2023-34048 (CVSS score: 9.8), has been described as an out-of-bounds
write vulnerability in the implementation of the DCE/RPC protocol.

"A malicious actor with network access to vCenter Server may trigger an out-of-bounds write
potentially leading to remote code execution," VMware said in an advisory published today.

Credited with discovering and reporting the flaw is Grigory Dorodnov of Trend Micro Zero Day
Initiative.

VMware said that there are no workarounds to mitigate the shortcoming and that security updates
have been made available in the following versions of the software:

VMware vCenter Server 8.0 (8.0U1d or 8.0U2)
VMware vCenter Server 7.0 (7.0U3o)
VMware Cloud Foundation 5.x and 4.x

Given the criticality of the flaw and the lack of temporary mitigations, the virtualization services
provider said it's also making available a patch for vCenter Server 6.7U3, 6.5U3, and VCF 3.x.

The latest update further addresses CVE-2023-34056 (CVSS score: 4.3), a partial information
disclosure vulnerability impacting the vCenter Server that could enable a bad actor with non-
administrative privileges to access unauthorized data.

VMware, in a separate FAQ, said it's not aware of in-the-wild exploitation of the flaws, but has urged
customers to apply the patches as soon as possible to mitigate any potential threats.

Read more details [Link]


Okta's Support System Breach Exposes Customer
Data to Unidentified Threat Actors

Identity services provider Okta on Friday disclosed a new security incident that allowed unidentified
threat actors to leverage stolen credentials to access its support case management system.

"The threat actor was able to view files uploaded by certain Okta customers as part of recent support
cases," David Bradbury, Okta's chief security officer, said. "It should be noted that the Okta support
case management system is separate from the production Okta service, which is fully operational
and has not been impacted."

The company also emphasized that its Auth0/CIC case management system was not impacted by
the breach, noting it has directly notified customers who have been affected.

The company noted that the support system is also used by customers to upload HTTP Archive (HAR)
files that reproduce end user or administrator errors for troubleshooting purposes.

"HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors
can use to impersonate valid users," Okta warned.

It further said it worked with impacted customers to ensure that the embedded session tokens were
revoked to prevent their abuse.
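The practical lesson is to strip session material out of a HAR before it leaves your machine, since revocation after the fact depends on someone noticing the theft. The following is an added example, not Okta tooling, that redacts cookie, Set-Cookie and Authorization headers, the parsed cookie lists, and token-like query and form parameters in both request and response entries, and rewrites the request URL to match; the sample HAR fragment and its values are constructed.

```python
"""Redact session material from a HAR file before attaching it to a support case (added example)."""
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "session_token", "sessiontoken", "code"}


def _is_sensitive_param(name: str) -> bool:
    n = name.lower()
    return n in SENSITIVE_PARAMS or n.endswith("token")


def _scrub_url(url: str) -> str:
    parts = urlsplit(url)
    pairs = [(k, REDACTED if _is_sensitive_param(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def _scrub_message(msg: dict) -> int:
    """Redact one request or response object in place; return how many values were redacted."""
    count = 0
    for h in msg.get("headers", []):
        if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
            h["value"] = REDACTED
            count += 1
    for c in msg.get("cookies", []):             # HAR also carries cookies as a parsed list
        if c.get("value") != REDACTED:
            c["value"] = REDACTED
            count += 1
    for q in msg.get("queryString", []):
        if _is_sensitive_param(q.get("name", "")) and q.get("value") != REDACTED:
            q["value"] = REDACTED
            count += 1
    for p in msg.get("postData", {}).get("params", []):
        if _is_sensitive_param(p.get("name", "")) and p.get("value") != REDACTED:
            p["value"] = REDACTED
            count += 1
    if "url" in msg:
        msg["url"] = _scrub_url(msg["url"])
    return count


def scrub_har(har: dict):
    """Return (scrubbed deep copy, number of values redacted); the input is left untouched."""
    out = copy.deepcopy(har)
    total = sum(_scrub_message(entry.get(side, {}))
                for entry in out.get("log", {}).get("entries", [])
                for side in ("request", "response"))
    return out, total


def scrub_har_file(src_path: str, dst_path: str) -> int:
    with open(src_path, encoding="utf-8") as f:
        har = json.load(f)
    scrubbed, n = scrub_har(har)
    with open(dst_path, "w", encoding="utf-8") as f:
        json.dump(scrubbed, f, indent=1)
    return n


# Constructed HAR fragment using the exported format's field names; all values are fake.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET",
            "url": "https://idp.example/api/v1/users/me?sessionToken=fakeSession123",
            "headers": [{"name": "Cookie", "value": "sid=fakeCookieValue"},
                        {"name": "Authorization", "value": "Bearer fakeBearer"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "fakeCookieValue"}],
            "queryString": [{"name": "sessionToken", "value": "fakeSession123"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=newFakeCookie; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "newFakeCookie"}],
        },
    }]}
}
```

Response bodies (`content.text`) are deliberately left alone here because what counts as secret in a JSON body is application-specific; if the flow you are capturing returns tokens in the body, drop or hand-redact those entries before uploading, and still treat a HAR sent to any third party as a reason to rotate the session it captured.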

Okta did not disclose the scale of the attack, when the incident took place, and when it detected the
unauthorized access. As of March 2023, it has more than 17,000 customers and manages around 50
billion users.

That said, BeyondTrust and Cloudflare are two customers who have confirmed they were targeted in
the latest support system attack.

"The threat-actor was able to hijack a session token from a support ticket which was created by a
Cloudflare employee," Cloudflare said. "Using the token extracted from Okta, the threat-actor
accessed Cloudflare systems on October 18."

Describing it as a sophisticated attack, the web infrastructure and security company said the threat
actor behind the activity compromised two separate Cloudflare employee accounts within the Okta
platform. It also said that no customer information or systems were accessed as a result of the event.
Aswant Solution
compiled by amir yusoff
