The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the delete functionality. This makes it possible for unauthenticated attackers to delete image lightboxes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-5531: Thumbnail Slider With Lightbox <= 1.0 - Cross-Site Request Forgery — Wordfence Intelligence

Categories: Exploits and vulnerabilities
Categories: News
Microsoft Threat Intelligence has revealed that it has been tracking the active exploitation of a vulnerability in Atlassian Confluence software since September 14, 2023. 



(Read more...)




The post Update now! Atlassian Confluence vulnerability is being actively exploited appeared first on Malwarebytes Labs.

Microsoft Threat Intelligence has revealed that it has been tracking the active exploitation of a vulnerability in Atlassian Confluence software since September 14, 2023. At the time the attacks were first observed the vulnerability was a zero-day, meaning that no update was available, so defenders had "zero days" to patch the flaw.

The vulnerability has since been issued an ID, CVE-2023-22515, and rated with the highest possible severity, a CVSS score of ten. Atlassian's October 4 advisory warns that "Publicly accessible Confluence Data Center and Server versions ... are at critical risk and require immediate attention."

If you are running Confluence Data Center or Confluence Server inside your organisation and it's exposed to the public internet you should take steps to prevent exploitation, upgrade your software and look for evidence of compromise (take a look at the Atlassian advisory for detailed information about threat hunting).

Versions of Atlassian Confluence before 8.0.0 are not vulnerable. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. The fixed versions of Confluence are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later.

CVE-2023-22515 is a broken access control vulnerability that allows an attacker with network access to the server to create unauthorized Confluence administrator accounts and access Confluence instances. If your Confluence software is on the public internet than the attacker has network access over the internet.

On October 10, 2023, Atlassian updated its advisory to say that it has "evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515".

On the same day, Microsoft Threat Intelligence took to X (formerly Twitter), to say that a nation-state actor, codenamed Storm-0062, which it believes to be a nation-state actor working on behalf of China, had been exploiting CVE-2023-22515 since mid-September.

> Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023

Although the vulnerability started as a zero-day in the hands of nation state hackers, it will likely take on a second life in the hands of less sophisticated criminals.

We are now in the "patch gap," the period of time between a patch being available and it being applied. This creates a window of opportunity for mass exploitation, which could last months or even years. The arrival of a patch allows organisations to fix their systems, it also informs a wider group of criminals about the existence of the vulnerability. Criminals and researchers can then reverse engineer the patch to identify the problem, and then create their own code to exploit it, or wait for others to do it for them.

Proof-of-concept exploits for CVE-2023-22515 have already appeared on GitHub so there is not time to lose. How long the patch gap lasts is entirely down to how quickly organisations update their Confluence software. History suggests organisations may struggle to find the speed required. For example, one of 2022's most routinely exploited vulnerabilities was CVE-2021-26084, a remote code execution flaw in Confluence that was discovered in the middle of the previous year.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update now! Atlassian Confluence vulnerability is being actively exploited

A sophisticated APT known as "ToddyCat," sponsored by Beijing, is cleverly using unsophisticated malware to keep defenders off their trail.

Chinese advanced persistent threats (APTs) are known for being sophisticated, but the "ToddyCat" group is bucking the trend, compromising telecommunications organizations in Central and Southeast Asia using a constantly evolving arsenal of custom-developed, but very simple, backdoors and loaders.

ToddyCat was first discovered last year, though it has been in operation since at least 2020. According to Check Point, it has previously been linked with Chinese espionage operations.

In a blog post published this week, Check Point's researchers described how the group is staying nimble these days: by deploying, and just as quickly throwing away, cheap malware it can use to drop its payloads.

Victims of its latest "Stayin' Alive" campaign — active since at least 2021 — include telcos from Kazakhstan, Pakistan, Uzbekistan, and Vietnam. The precise extent of their reach, and whether they caused any damage, are yet unknown.

**ToddyCat's Latest Tactics**

Stayin' Alive attacks begin with spear phishing emails containing archive files. Once executed, the archive files are designed to take advantage of CVE-2022-23748, a 7.8 out of 10 "High" criticality DLL sideloading vulnerability in Dante AV systems software. ToddyCat uses such DLL sideloading — a popular technique, especially among Chinese threat actors — to drop loaders and downloaders onto targeted devices.

These loaders and downloaders are not nearly to the specs one would expect of a high-level, state-affiliated threat actor, explains Sergey Shykevich, threat intelligence group manager at Check Point.

"They have relatively basic functionality, but they're good enough to achieve initial goals, like allowing the attacker to get basic reports about infected machines: computer name, user name, system info, some directories, and so on. They also include the functionality of shelling, allowing the execution of any command the attacker wants," he explains.

"Our assumption is that via the shell, they were able to implement additional backdoors and modules," he adds, though the research didn't extend to finding out what payloads they ultimately did deploy.

**A Smart Use of Dumb Malware**

Though at first it might seem lazy or ineffectual, there is a reasoning behind using such basic tools instead of more sophisticated, multifunctional weapons of cyberwar.

"The smaller the tool, the more difficult it is to detect," Shykevich explains. "And also, when it's a small tool, it's relatively easy to adjust it to a target."

Easier to adjust, and less expensive to throw away. Typically, researchers identify and track APTs by cross-referencing details between different attacks. With ToddyCat, however, it's impossible to do that — each of its malware samples has zero discernible overlap with known malware families, or even with one another. The researchers expect that they're likely discarded for new samples even after little use. "The small changes mean that you can catch one of them, but it won't be so straightforward to catch all the others. It will require some additional work," Shykevich says.

That said, ToddyCat is undone by the fact that each sample traces back to its easily identifiable command-and-control (C2) infrastructure.

To defend against such a nimble attacker, Shykevich recommends a layered approach. "The first layer here, for example, was the email — you should have proper email protection to identify a malicious attachment," he advocates. "But another level is endpoint detection and response (EDR) endpoints, to identify for example the DLL sideloading and malicious shell activity."

Chinese 'Stayin' Alive' Attacks Dance Onto Targets With Dumb Malware

Touted for days as potentially catastrophic, the curl flaws only impact a narrow set of deployments.

For days now, the cybersecurity community has waited anxiously for the big reveal about two security flaws that, according to curl founder Daniel Stenberg, included one that was likely "the worst curl security flaw in a long time."

Curl is an open source proxy resolution tool used as a "middle man" to transfer files between various protocols, which is present in literally billions of application instances. The suggestion of a massive open source library flaw evoked memories of the catastrophic log4j flaw from 2021. As Alex Ilgayev, head of security research at Cycode, worried, "the vulnerability in the curl library might prove to be more challenging than the Log4j incident two years ago."

But following today's unveiling of patches and bug details, neither vulnerability lived up to the hype. However, it's still important for organizations to uncover whether the bugs are present in their environments (Dark Reading's latest Tech Tip covers how to scan environments for the curl vulnerabilities), and remediate accordingly.

**Impacting a Limited Number of Curl Deployments**

The first vuln, a heap-based buffer overflow flaw tracked under CVE-2023-38545, was assigned a rating of "high" due to the potential for data corruption or even remote code execution (RCE). The issue lies in the SOCKS5 proxy handoff, according to the advisory.

"When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes," the advisory stated. "If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy."

The bug could allow the wrong value to be handed off during the SOCKS5 handshake.

"Due to a bug, the local variable that means 'let the host resolve the name' could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there," the advisory added.

However, the high severity designation only applies to a fraction of deployments, cybersecurity expert Jake Williams says.

"This is only high severity in very limited circumstances," Williams says. "I think it's just an issue that when you have a library vulnerability, you know know how the library is being used. You have to assign the CVE assuming a worst case scenario for implementation."

The second curl bug, tracked under CVE-2023-38546, is a low-severity cookie injection flaw that only impacts the libcurl library, not curl itself.

"I think this is a bigger problem for security devices, and appliances (which fetch untrusted content and often use curl under the hood)," Andy Hornegold, vice president of product at Intruder, said in a statement in reaction to the release of the curl bug details. "I don't see it being a huge problem for standalone usage."

**Dangers of Hyping Up a Fix**

Beyond heartburn for cybersecurity teams, hyping up a fix before technical details are released can hand over an easy win to threat actors. In this instance, Williams points out that RedHat updated its change log ahead of the official curl release, which could have given cyberattackers important intel on unpatched targets, had the vulnerability been as dangerous as previously assumed.

Indeed, Mike McGuire with Synopsys saw the dangers of the amped up attention on the curl update and wrote about it in an Oct. 9 blog.

"Despite having no additional details about the vulnerability, threat actors will undoubtedly begin exploit attempts," McGuire wrote. "Additionally, it's not unheard of for attackers to post bogus 'fixed' versions of a project riddled with malware to take advantage of teams scrambling to patch vulnerable software."

Curl Bug Hype Fizzles After Patching Reveal

A video posted by Donald Trump Jr. showing Hamas militants attacking Israelis was falsely flagged in a Community Note as being years old, thus making X's disinformation problem worse, not better.

Yesterday afternoon, Donald Trump Jr. posted a graphic video to X (formerly Twitter) that purported to show Hamas fighters murdering Israeli citizens during the attack last Saturday morning. “You don’t negotiate with this,” Trump Jr. wrote. “There’s only one way to handle this.” The son of former US president Donald Trump added that the video had come from a “source within Israel.”

The post was shared widely, and within hours it had amassed over 4 million views.

Then X’s user-generated fact-checking system, Community Notes, appended a message to the tweet, stating: “This is an old video and is not from Israel,” accompanied by a link to the original video. The note suggested that Trump Jr. was contributing to what has been a flood of disinformation on X since Hamas militants attacked Israel on Saturday, supercharged by verified users and accompanied by other conspiracy theories pushed by the company’s owner, Elon Musk.

But WIRED has now verified that the Community Notes system appears to be wrong. According to an independent OSINT analysis published on Wednesday, the video Trump Jr. posted is real. It was recorded during Saturday’s attack and does show Hamas fighters shooting Israelis, the analysis found.

The incident highlights how Community Notes, touted this week by X as one of the crucial ways it was tackling disinformation, is still struggling to function as intended and is, in some instances, adding to the level of disinformation on X rather than correcting it.

The Community Notes system is made up of X users who volunteer to fact-check posts on the site. It is X’s primary fact-checking mechanism since Musk eradicated virtually all full-time Trust and Safety staff and part-time moderators who previously did that work.

The volunteers, who must be approved by X to contribute to Community Notes, suggest notes to add to what they believe are misleading posts. Those notes are only displayed publicly once a sufficient number of volunteers have approved them.

Once approved, notes are regarded as “helpful” and posted publicly. This is how X describes what it sees as a “helpful” note: “Enough contributors from different perspectives agreed that this note is helpful, so it’s being shown as context on the post.”

Earlier this week, X praised the Community Notes team for tackling the misinformation that has flooded the platform in the past week and said new accounts are being enrolled “in real time to propose and rate notes.” On Tuesday, an NBC investigation found the system was not functioning as proposed; of the two Israel-Hamas misinformation claims investigated by the outlet, more than a quarter had notes that remained private as they had not been approved by enough volunteers, while roughly two-thirds had no notes at all.

X replaces the names of users who suggest the notes with aliases, making it impossible to see who submits any particular note. In the case of the note on Trump Jr’s account, the note was submitted by a user pseudonymously identified as “Mellow Sun Swan” four hours after Trump Jr posted the video.

This was the eighth note the user had submitted, according to their profile, but the first to have been approved. The user has in recent days submitted multiple notes on posts related to Iranian links to the conflict.

In the case of the Trump Jr. video, the Community Notes user linked to a video posted on the Iranian social media platform Wisgoon as evidence that the video was from years ago, not this past weekend. In the post, the upload date on the video is in Persian, which, when translated, reads “15 Mehr 1402,” a date in the Persian calendar. This date translates in the Gregorian calendar to October 7, 2023—the date Hamas attacked Israel.

An open source intelligence researcher tells WIRED that they confirmed the video’s veracity by tracking the original video, which was broadcast by a Gaza civilian on a Facebook livestream on Saturday morning. The researcher, who posts anonymously on social media using the handle OSINTtechnical, is frequently cited by news outlets covering conflict zones.

Soon after the Trump Jr. note was published, an account associated with the far right that has advocated for banning the Anti-Defamation League tried to back up the claim about the video being fake, sharing a screenshot that showed the results of a reverse-image search for the thumbnail image of the original video. The results appear to show a series of links to Wisgoon featuring the same image, all of which have dates from seven or eight years ago. However, this is because the recent video was listed in the related videos list of the older videos, not proof that it is an older video.

On Wednesday afternoon, the note on Trump's tweet was updated to link to the tweet from the account linked to the far right.

X replied with an automated response to WIRED’s questions, stating: “Busy now, please check back later.” Trump Jr. did not respond to WIRED’s request for comment.

A Graphic Hamas Video Donald Trump Jr. Shared on X Is Actually Real, Research Confirms

Organizations should brace for mass exploitation of CVE-2023-22515, an uber-critical security bug that opens the door to crippling supply chain attacks on downstream victims.

A China-sponsored advanced persistent threat (APT) tracked as Storm-0062 is responsible for the in-the-wild exploitation of the recently disclosed critical bug in Atlassian Confluence Server and Confluence Data Center, Microsoft has announced. And it turns out that proof-of-concept exploits are now available for it, portending mass exploitation.

The flaw (CVE-2023-22515) was disclosed last week, with Atlassian acknowledging that it had been exploited as a zero-day in the wild prior to that. The vulnerability was at first labeled a privilege escalation problem, but it's remotely exploitable without authentication and should be seen as more akin to a code-execution tool, according to researchers — an assessment borne out by its 10 out of 10 ranking on the CVSS vulnerability-severity scale.

Accordingly, Atlassian subsequently updated its advisory to label the bug a broken access control issue.

Microsoft this week delivered additional details on the zero-day campaign, which it said has been active since Sept. 14. In a series of tweets, it identified four IP addresses that were observed sending related CVE-2023-22515 exploit traffic; also, it noted that "any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application."

In tandem with that attribution, a former computer science student and "security enthusiast" who goes by the handle s1r1us dropped a proof of concept (PoC) on GitHub; researchers at Rapid7 published a detailed analysis of the vulnerability that could offer plenty of breadcrumbs to PoC developers.

**Who Is Beijing-Sponsored Storm-0062?**

The Storm-0062 APT is also known as DarkShadow or Oro0lxy, Microsoft pointed out. Both names are aliases for Chinese state hackers Li Xiaoyu and Dong Jiazhi, who were indicted by the US Department of Justice in 2020 for probing for "vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments."

They remain at large, presumably in China, and have a history of state-sponsored hacking in tandem with various associates that goes back to at least 2009.

Microsoft offered no details on the victimology of the latest attacks but noted in its annual Digital Defense Report issued last week that Chinese state-sponsored campaigns typically reflect the Chinese Communist Party's (CCP) dual pursuit of global influence and intelligence collection, and thus cast a wide net.

"Cyber threat groups \[in China\] continue to carry out sophisticated worldwide campaigns targeting US defense and critical infrastructure, nations bordering the South China Sea, and even China's strategic partners," according to the report. "Some Chinese cyber activity may also indicate possible avenues of response in the event of a future geopolitical crisis."

**Atlassian: Open to Software Supply Chain Attack**

The stakes are high when it comes to the bug. Confluence collaboration environments can house sensitive data on both internal projects as well as its customers and partners — which means that intruders lurking inside its files can gather all the intel they need to mount follow-on attacks on those third parties.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, notes that this kind of zero-day exploit is "purpose-built to pollute the application, thus allowing these Chinese cyber spies to use Confluence as an attack vector into a myriad of organizations."

He adds, "This represents a systemic supply chain attack. A majority of businesses and government agencies use it, and it can be hijacked to facilitate island hopping."

He also warns that businesses should brace for mass exploitation waves, since there are now public road maps for leveraging this particular vulnerability, and Confluence has a history of being popular with cybercrime types.

China's "People's Liberation Army has a vast cyber-spy network, much of which focuses on arming \[the country\] with zero-days," Kellermann says. "Initially, this vulnerability required an APT to exploit, but now with the details being disclosed, a mass compromise could be ensuing."

To protect themselves, "organizations with vulnerable Confluence applications should upgrade as soon as possible to a fixed version: 8.3.3, 8.4.3, or 8.5.2 or later," Microsoft advised. "Organizations should isolate vulnerable Confluence applications from the public Internet until they are able to upgrade them."

Kellerman adds that beyond patching, businesses must increase threat hunting for evidence of this specific APT group, and says that deploying runtime security is "imperative to mitigate exploitation or zero-days."

Microsoft: Chinese APT Behind Atlassian Confluence Attacks; PoCs Appear

The Israeli-Hamas war will most assuredly impact businesses when it comes to ramped-up cyberattacks. Experts say that Israel's considerable collection of cybersecurity vendors be a major asset on the cyber-front.

Following the attacks on Israel by Hamas over the past days, when Prime Minister Benjamin Netanyahu warned Israelis "to brace themselves for a long and difficult war," attention turns to those cybersecurity vendors located in the Israeli tech hub and how they may contribute to the war effort.

Chris Pierson, CEO of BlackCloak, believes Israel's "substantive cybersecurity intelligence and strike capability" will serve it well, including having some of the best commercial cybersecurity companies in the world.

JP Castellanos, director of threat intelligence at Binary Defense, says that, particularly in light of potentially destructive attacks against IT or critical infrastructure, it is likely that Israeli cybersecurity companies will do all they can to help with the current crisis. "That means becoming more visible, not less," Castellanos says.

**Attacks Ramp Up During Wartime**

On the cyber front of the Gaza crisis, hacktivists have already begun preparing targets and offering their wares to the highest bidders, who may be looking to cause politically motivated website disruption on public-facing services. And indeed, there was a wave of notable distributed denial-of-service (DDoS) cyberattacks on Oct. 7 and Oct. 8, including one attack which reached 1.26 billion daily requests, while another other reached 346 million daily requests on Oct. 7, and 332 million daily requests the following day.

"Looking at these DDoS attacks in terms of requests per second, one of the impacted sites experienced a peak of 1.1 million requests per second," says João Tomé, content editor at Cloudflare.

But experts say they expect other kinds of attacks against companies and organizations in Israel to ramp up, carried out by both state-backed and non-state-backed operators with much larger arsenals than a DDoS botnet. Pierson for instance says the targets for attacks could be civilians as well as infrastructure and military targets.

"The most likely targets would be infrastructure as a whole - telecommunications, power, finance, and logistical transportation," he says.

It's already starting: Yossi Appleboum, CEO of Sepio Systems and a former member of the Israel Defense Force's Unit 8200, says cyberattacks against his company had increased by 100% in the last week.

Carlos Perez, research practice lead at TrustedSec, says retaliatory cyberattacks become more common during geopolitical crises, but says that many of these risks have been ongoing for Israeli companies, and they will continue to be vulnerable, as we have seen in the past. However Perez believes some companies will be ready, others will not. "It depends mainly on business buy-in and budgets: they do get targeted with a larger volume of attacks than most organizations, which puts them at a higher risk level."

**Call in the Reservists**

The Israeli military has summoned roughly 360,000 reservists — roughly four percent of Israel's 9.8 million population. Thus, the question for many companies in the region, is whether this will lead to staff leaving their day jobs, and for cybersecurity vendors, whether that will affect cyber defense.

Pierson says he expects those with special cyber intelligence training to be called to augment military teams on the ground, and expects those who have previously served their country to volunteer help and assistance for the war effort — and that could impact some operations. However, he does not foresee a change in marketing or external presence activities for most cybersecurity companies in Israel at the moment. 

Castellanos meanwhile believes with reservists being drafted, this would cause a momentary staff shortage until the conflict resolves. However, he adds that "in the case of cybersecurity vendors, I would imagine that Israel would take a balanced approach to this, because they certainly don't want to weaken the very vendors who will be playing a critical role in protecting Israel's national interests."

For his part, Sepio's Appleboum says some activities and features may be delayed or postponed due to staff shortages, but companies will prioritize what is important, "and this may affect current customers. Future planning can wait a bit."

Gaza Conflict: How Israeli Cybersecurity Will Respond

The novel technique helps hide the cybercriminal campaign's efforts to steal credit card information from visitors to major websites, and it represents an evolution for Magecart.

The collection of cybercriminal groups behind the infamous Magecart payment-card theft campaigns have come up with a previously unseen technique to hide their credit card skimming code, escaping notice for several weeks and infecting major e-commerce sites, including significant brands in the food and retail industries.

The obfuscation technique hides JavaScript code in a comment in a targeted site's 404 default page, Akamai stated in an advisory on Oct. 9. Other pages on the site have been modified only slightly to include a call to a nonexistent folder ("icons"), which triggers the 404 error, thus fetching the malicious page.

The entire attack code is contained in a comment with a specific placeholder, so the attacker's script can retrieve it, Roman Lvovsky, a security researcher at Akamai, explained in the company's advisory.

"This concealment technique is highly innovative and something we haven't seen in previous Magecart campaigns," he said. "The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion."

**Hiding in 404 Pages: A Tactics Evolution**

Magecart attacks are a category of post-exploitation techniques for skimming credit card information and other user data from websites using obfuscated JavaScript, hijacking of forms, and malicious redirects. The embedded code often escapes notice by hiding in the complexity of modern websites, which rely heavily on third-party components, open source Web frameworks, and code obfuscated to protect intellectual property. Cybercriminals groups can hide their malicious content by either inserting it among the other obfuscated code or by compromising a third-party source of code or content.

Over the summer, for example, a Chinese-speaking threat group compromised Web-facing applications to skim credit card numbers in the Asia-Pacific region, and more recently, North American and Latin America, in a campaign dubbed "Silent Skimmer."

    

The payload hides the original credit-card form, overlaying it with a fake one. Source: Akamai

Similar to techniques hiding code in CSS files and images, adding code to the comments of a default 404 page escapes notice because many of the scanners used to detect attacks today were not designed to search such pages, says Ben Baryo, a cybersecurity researcher with Human Security, a bot- and fraud-protection service.

"While most scanners might report a missing resource, it’s likely that a 404 response won’t be analyzed," he says. "This detection evasion technique is mostly useful against synthetic scanners — which tend to ignore content in requests that aren’t returning 200 OK HTTP code — and manual inspections."

**Magecart Code Obfuscation & Overlays**

The modification to the default 404 pages are part of the Magecart campaign's efforts to deliver a payload — typically, the display of a fake form to collect credit card details — and maintain persistence. The cybercriminals used a fake form overlaying an original page's credit card information form to grab financial details from the targeted user, according to Akamai's advisory.

"When the user submits data into the attacker's fake form, an error is presented, the fake form is hidden, the original payment form is displayed, and the user is prompted to re-enter their payment details," Akamai's Lvovsky said, adding: "Submitting the fake form initiates an image network request to the attacker's C2 \[command-and-control\] server, carrying all the stolen personal and credit card information as a Base64-encoded string in the query parameter."

A 404 page is typically a first-party object — meaning that it resides on the same server as the home page and not a third-party service. This helps the attacker bypass some security measures, such as Content Security Policy (CSP) headers, he said.

Yet while the technique results in hard-to-discover modifications, it is not necessarily stealthy, says Human Security's Baryo. Because the 404 attack is kicked off by a call to the nonexistent "icons" resource, the technique could be considered noisy, which Magecart groups attempt to avoid.

"We haven’t seen this particular technique in the wild," he says. "We do not generally see other groups following this approach as this delivery method attracts unwanted attention as to why a nonexistent resource is being loaded on a particular page and by which script."

**Could PCI DSS Solve Magecart?**

The Payment Card Industry (PCI) Security Standards Council has attempted to solve the problem of Magecart attacks with the latest version of its Data Security Standard (DSS), which bolsters two security requirements to protect payment pages. Requirement 6 ("Develop and Maintain Secure Systems and Software") directs e-commerce sites to use secure development and maintenance to ensure that unauthorized code can't be injected into websites, while Requirement 11 ("Test Security of Systems and Networks Regularly") charges website owners to conduct ongoing monitoring of systems and networks to detect changes.

Online merchants — even ones that outsource all storage, processing, and transmission of account data to payment service providers — will have to abide by the PCI-DSS 4.0 requirements, says Jeff Zitomer, senior director of product management for Human Security.

"Modern websites ... source code at runtime from across the Internet to deliver critical business functionality," he says. "This forever-changing Nth-party code bypasses traditional security controls and enjoys nearly unlimited access in the browser, \[allowing\] attackers \[to\] exploit this attack surface through malicious script attacks."

The standard is currently considered a best practice but will become mandatory in early 2025.

Magecart Campaign Hijacks 404 Pages to Steal Data

Red Hat Security Advisory 2023-5627-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include bypass, null pointer, out of bounds write, and use-after-free vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5627.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2023:5627-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5627  
Issue date:         2023-10-10  
Revision:           01  
CVE Names:          CVE-2020-36558  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: use-after-free vulnerability in the perf_group_detach function of the Linux Kernel Performance Events (CVE-2023-2235)

* kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090)

* kernel: netfilter: use-after-free due to improper element removal in nft_pipapo_remove() (CVE-2023-4004)

* kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route (CVE-2023-4128)

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

* kernel: race condition in VT_RESIZEX ioctl when vc_cons[i].d is already NULL leading to NULL pointer dereference (CVE-2020-36558)

* kernel: LoadPin bypass via dm-verity table reload (CVE-2022-2503)

* kernel: an out-of-bounds vulnerability in i2c-ismt driver (CVE-2022-2873)

* kernel: xfrm_expand_policies() in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice (CVE-2022-36879)

* kernel: use-after-free due to race condition in qdisc_graft() (CVE-2023-0590)

* kernel: netfilter: NULL pointer dereference in nf_tables due to zeroed list head (CVE-2023-1095)

* kernel: hash collisions in the IPv6 connection lookup table (CVE-2023-1206)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* [HPEMC RHEL 8 REGRESSION] acpi-cpufreq: Skip initialization if a cpufreq driver exists (BZ#2186307)

* [max] RHEL8.4 Pre-Alpha - [ 4.18.0-240.4.el8.dt2.ppc64le ][ fleetwood / P9 64TB/192c ] While performing DLPAR CPU operations \"BUG: arch topology borken\" messages are observed and CPU remove operation fails for removal of 140 with 255 return (BZ#2210295)

* [Intel 8.8 BUG] [SPR] IOMMU: QAT Device Address Translation Issue with Invalidation Completion Ordering (BZ#2221098)

* avoid unnecessary page fault retires on shared memory types (BZ#2221101)

* [i40e] error: Cannot set interface MAC/vlanid to 1e:b7:e2:02:b1:aa/0 for ifname ens4f0 vf 0: Resource temporarily unavailable (BZ#2228164)

* oops on cifs_mount due to null tcon (BZ#2229129)

* kernel panic due to stack overflow on ppc64le due to deep call chain. (BZ#2230268)

* [Hyper-V][RHEL 8]incomplete fc_transport implementation in storvsc causes null dereference in fc_timed_out() (BZ#2230744)

* Withdrawal: GFS2: couldn't freeze filesystem: -16 (BZ#2231826)

* [RHEL 8][Hyper-V]Excessive hv_storvsc driver logging with srb_status  SRB_STATUS_INTERNAL_ERROR  (0x30) (BZ#2231989)

* kernel-devel RPM cross-compiled by CKI contains host-arch scripts (BZ#2232138)

* RHEL-8: crypto: rng - Fix lock imbalance in crypto_del_rng (BZ#2232216)

* [Intel 8.9] iavf: Driver Update (BZ#2232400)

* Important iavf bug fixes July 2023 (BZ#2232401)

* iavf: hang in iavf_remove() - SNO node hangs after running systemctl reboot (BZ#2232404)

* [RHEL 8.9] Proactively backport locking fixes from upstream (BZ#2235394)

* NAT sport clash in OCP causing 1 second TCP connection establishment delay. (BZ#2236515)

* xfs: mount fails when device file name is long (BZ#2236814)

* netfilter: RHEL 8.8 phase 2 backports from upstream (BZ#2236817)

* swap deadlock when attempt to charge a page to a cgroup stalls waiting on I/O plugged on another task in swap code (BZ#2237686)

Enhancement(s):

* [Intel 8.7 FEAT] TSC: Avoid clock watchdog when not needed (BZ#2216051)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-36558

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5627-01

Red Hat Security Advisory 2023-5607-01 - The linux-firmware packages contain all of the firmware files that are required by various devices to operate. Issues addressed include an information leakage vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5607.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: linux-firmware security and enhancement updateAdvisory ID:        RHSA-2023:5607-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5607Issue date:         2023-10-10Revision:           01CVE Names:          CVE-2023-20593====================================================================Summary: An update for linux-firmware is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The linux-firmware packages contain all of the firmware files that are required by various devices to operate.Security Fix(es):* hw: amd: Cross-Process Information Leak (CVE-2023-20593)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Enhancement(s):* [Intel 9.0.z] Intel QAT Update - firmware for QAT (BZ#2168390)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-20593References:https://access.redhat.com/security/updates/classification/#moderate

Tag

#intel