As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.
"By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama, a

Endpoint Security / Malware

As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.

"By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate \[operating system\] privileges," Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.

The research expands on previous studies, such as ScrewedDrivers and POPKORN that utilized symbolic execution for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O.

The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).

Of the 34 drivers, six allow kernel memory access that can be abused to elevate privilege and defeat security solutions. Twelve of the drivers could be exploited to subvert security mechanisms like kernel address space layout randomization (KASLR).

Seven of the drivers, including Intel's stdcdrv64.sys, can be utilized to erase firmware in the SPI flash memory, rendering the system unbootable. Intel has since issued a fix for the problem.

VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys that are not vulnerable in terms of access control, but can be trivially weaponized by privileged threat actors to pull off what's called a Bring Your Own Vulnerable Driver (BYOVD) attack.

The technique has been employed by various adversaries, including the North Korea-linked Lazarus Group, as a way to gain elevated privileges and disable security software running on compromised endpoints so as to evade detection.

"The current scope of the APIs/instructions targeted by the \[IDAPython script for automating static code analysis of x64 vulnerable drivers\] is narrow and only limited to firmware access," Haruyama said.

"However, it is easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes)."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover

A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.

CVE-2023-5408

SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.

Release date: November 1, 2023

Here's what's new in SolarWinds Hybrid Cloud Observability 2023.4.

SolarWinds Hybrid Cloud Observability runs on the SolarWinds Platform.

**Learn more**

*   See the Hybrid Cloud Observability 2023.4 system requirements.
*   For information about working with Hybrid Cloud Observability, see the Hybrid Cloud Observability Administrator Guides.

**New features and improvements in Hybrid Cloud Observability**

For information about new features and fixes in the SolarWinds Platform, see the SolarWinds Platform 2023.4 Release Notes.

**New Vulnerability Dashboard and Risk scorecard**

This release introduces a new vulnerability and risk dashboard, available for Hybrid Cloud Observability Advanced users. View vulnerability and risk severity, determined by imported CVE information from CVEs based on CVSS v3. Schedule CVE data imports, and match CVE information to individual nodes. See calculated risk scores for individual monitored nodes and an aggregated risk scored for your environment.

**Platform Connect supports more device types**

Platform Connect now supports sending information for more device types to SolarWinds Observability, including application and virtualization.

**Greater visibility for simplified SD-WAN monitoring**

Real-time Tunnel and WAN metrics like service provider, packet loss, latency, and jitter are now available for use in dashboard widgets and PerfStack for Meraki, VeloCloud, and Viptela SDWAN devices.

**Anomaly Based Alerts improvements**

Anomaly Based Alerts now includes a new visual representation of the normal operating range (NOR) of a device’s metrics. The entity detail page contains NOR charts for every observed metric present for the entity that is triggering an Anomaly-Based Alert.

You can now define anomaly-based alerts for virtualization entities. See the list of supported entities with their metrics below:

Orion.VIM.ClusterStatistics:

AvgCPULoad

AvgMemoryUsage

Orion.VIM.HostStatistics:

AvgCpuLoad

AvgMemUsage

AvgNetworkUtilization

Orion.VIM.VMStatistics:

AvgCPULoad

AvgIOPSRead

AvgIOPSTotal

AvgIOPSWrite

AvgMemoryUsage

AvgNetworkUsageRate

**AlertStack improvements**

AlertStack is now available under the “Alerts and Activities” menu.

The AlertStack cluster detail page now supports filtering of occurrences together with maps. Occurrences can be filtered based on the Status and Element Type. Accordingly, the map nodes reflect this filtering as well.

AlertStack now supports creation of incidents in SolarWinds Service Desk (SSD) for AlertStack clusters. This action can be done for clusters in open or suspended states only.

Return to top

**Fixes**

For information about new features and fixes in the SolarWinds Platform, see the SolarWinds Platform 2023.4 Release Notes.

 

Case number

Description

01189602, 01296329, 01268284

In deployments with additional polling engines (APEs), attempting to integrate the SolarWinds Platform with DPA would install the DPA Business Layer on the APE. This caused problems with the DPA integration, including:

*   Application relationships added on the Manage Client Application Relationships page were automatically removed.
    
*   Integration fails with the message There was an error when trying to enable the integration with the DPA server: Establishing federation with jSWIS failed.
    
*   Attempting to add a DPA server returns the message Cannot find a DPA server at this address or port. Check your DPA server details and network connection.
    

01231016

When custom properties used in alerts are created in a different SolarWinds Platform product, the associated column in the All Active Alerts page in EOC is not blank.

01354791

When you run a report that queries the SolarWinds log database, the results of the query are shown instead, not the message Query is not valid.

01288735

In a large, complex environment, network configuration management jobs and inventory jobs run as expected.

01358044

Network configuration management jobs no longer make unnecessary APE license checks, which were causing the jobs to run slowly.

00837847, 01358148, 01426785

Inventory collection was updated to prevent database blocks, which were affecting performance.

01352472

If you run a job that saves the results of a policy report to a file, and the file name includes a macro, the macro is parsed correctly and the report's content and formatting are accurate.

01336072

When SolarWinds high availability (HA) is deployed, a network configuration search performed after a failover includes all configs. The search is not limited to only the most recently downloaded configs.

01357688

A vulnerability that could expose a password has been fixed.

01350788

A misspelled word in INFO messages in the NCM.Collector.Jobs_[*].log file has been corrected.

01333319

The Config Details page shows the downloaded time based on the SolarWinds Platform time zone, not UTC time.

01288735, 01387785

When an inventory job retrieves a large Flash Size value, it records the value correctly and no longer returns the following error:

Arithmetic overflow error converting expression to data type int.

01395082

Real Time Change Notification works as expected when the IP address provided to it is not the primary IP address for the node.\*

01428683, 01330623, 01349629

In 2023.2, the default timeout value for SWJobEngineWorker2x64.exe was increased from 20 minutes to 2 hours. In deployments with a large number of jobs that did not finish before the 2-hour timeout, memory usage increased significantly. To prevent this issue, the default timeout value has been decreased to 20 minutes.

01295129, 01350421, 01428125

When the SolarWinds Platform is configured to use Windows authentication, running interface percentile traffic reports no longer returns an error.

01367640

If an interface name includes special characters, the special characters are no longer escaped on the Interfaces with High Percent Usage (no paging) resource. This behavior was preventing database maintenance from running as scheduled.

01355454

The load time for the Interface Availability widget has been significantly decreased.

01349629, 01362966

By default, network discovery enables all pollers on a device. So, if a topology poller is disabled on the List Resources or Manage Pollers page, it is enabled again when network discovery runs. A new advanced configuration option is available to enable you to override this default behavior. If do not want certain topology pollers to be enabled when network discovery runs:

1.  Open the Advanced Configuration options page by pasting the following into your browser URL field after the hostname or IP address:
    
    /Orion/Admin/AdvancedConfiguration/Global.aspx
    
2.  Under Topology, locate the PollersDiscoveryBlackList field.
    
3.  Enter a comma-separated list of topology pollers that should **not** be enabled when network discovery runs.
    

01348970, 01350142, 01361854, 01362953, 01420814, 01430172

Out-of-the-box Switch Stack alerts can be copied and edited, and they are triggered as expected.

01235174, 01401553

Universal Device Poller gauges load without errors and performance is improved.

01373033

If application data is corrupted, the Manage Applications and Service Ports page no longer attempts to list the applications. Corrupt data does not prevent the page from opening with the following message:

Unexpected Website Error  
Sequence contains no elements

Additionally, a daily maintenance task detects and removes any corrupt application data.

01323874

If a user without permission to view NetFlow data attempts to access a NetFlow page, permissions are evaluated and the Restricted page message is displayed before the page loads. The page is no longer loaded and then hidden, and attempts to refresh the page do not affect performance.

01321325

A change to the NetFlowInterfaceSources\_Metadata table in the SolarWinds Platform database prevents deadlocks in environments with a large number of VMware devices.

01400259, 01419304, 01420644

If a deployment includes more than one application template with the same name, the Configuration Wizard no longer fails with the following error:

Database configuration failed: Error while executing script- Subquery returned more than 1 value.

01360008, 01379355, 01390806, 01399847, 01400259

The SolarWinds Platform Web Console no longer becomes unresponsive or stops functioning due to missing keys in the cloud monitoring resource file.

01337117

On the Node Details Summary page, when you click Real Time Event Viewer and then click the Message column for an event, the Message Details popup opens as expected.

N/A

When you add a node with Microsoft SQL Server 2022 deployed, AppInsight for SQL is discovered.

01290468, 01305182, 01317562, 01320352, 01320666

During upgrades data from old tables is migrated successfully and the obsolete tables are removed. In a previous version, incomplete data migration could cause issues such as:

*   The Configuration Wizard failed with the message Invalid object name 'APM_ComponentStatus_Hourly.
    
*   The SolarWinds Platform database size decreased significantly.
    
*   The Application Component Details page did not consistently display messages.
    

01183556, 01337907, 01353375, 01389703

If the Configuration Wizard fails during an upgrade, attempting to rerun the wizard no longer fails with the message Error while executing script- There is already an object named 'CLM_CloudJobSettings' in the database.

01337806

When a problem occurs with the API poller, the following message was improved to provide more information about the cause of the problem:

Index was outside the bounds of the array.

01142194, 01357225, 01438644

When a node is deleted or unmanaged, Application Dependency Mapping (ADM) polling does not continue for that node. In previous versions, continuing to poll a deleted or unmanaged node for ADM data caused the ADM\_ProcessingQueue table to become very large.

01379396

Long status messages associated with an application monitor are displayed correctly after an upgrade.

00690113

Alerts on API Pollers that should be triggered when the response time exceeds a threshold are no longer triggered when the response time is below the threshold.

01142194

If ADM polling is disabled for the SolarWinds Platform, the node detail page does not display the Application Dependency Polling Enabled check box.

00990851, 01415486

If AppInsight for IIS runs for long periods, the APM\_IisBb\_Request\_Detail table no longer grows without limits, causing performance issues.

01372348, 01384875

The CreateApplication verb in SWIS for the AppInsight for SQL template now works when you are using a remote node and database. Issues with credentials and connection testing have been resolved.

01401922

The default poll no longer fails when more than one array is in a Nimble cluster.

00385337

The Vserver Status widget and the Vservers on this Cluster widget now show the same Vserver capacity data.

01382411

The Ethernet Ports Used Over Time now shows data for the selected time period instead of only the data for the current day.

01361966

When a wireless node is discovered with UDT port monitoring enabled and devices from the node are added to the Watchlist, the Watchlist widget no longer displays type conversion errors such as:

Conversion failed when converting the nvarchar value 'Vanguard_WLC' to data type int.

00814339

The Port Details widget now displays the MAC address, IP address, or Hostname for all devices.

00570890, 00582046, 00717223

The All User Log Ins widget displays data about the currently open endpoint, not the first endpoint that was opened.

01314714, 01333769, 01351695, 01365630, 01365850, 01382555, 01398156, 01412701, 01420009, 01426518, 01436135

The Port Details widget displays IP addresses even if the VLAN port is not monitored.\*

01308188, 01332779, 01380614, 01382170, 01396520, 01404094

When a node uses automatic private IP addressing (APIPA), the vendor and machine type are reported correctly.

01353982, 01401047

Database maintenance no longer fails with the following message:

SolarWinds.Data.DatabaseMaintenance.StandardTableHandlerDAL - Failed to execute procedure: VIM_dbm_Clusters_ComputeDiskDepletion System.Data.SqlClient.SqlException (0x80131904): Arithmetic overflow error converting expression to data type bigint.

Cursor is not open.

01429919

The bulk insert query no longer runs slowly and causes performance issues on the database.

01238012

The Calls by Region widgets display the correct data.

01348659, 01371344

IP SLA operations function correctly, and the ipsla.bussiness.layer log file no longer includes the message Violation of PRIMARY KEY constraint.

01238012, 01294332

The FTP server is no longer filled with failed files, and VoIP views displays call manager information correctly.

01394210

After a call manager is removed, any associated CDR files are no longer processed, which prevents putting an unnecessary load on the FTP server.

01373525, 01378655

Call managers are polled only by the assigned polling engine, not by all polling engines.

01203334

When CDR files for different call managers are stored in separate folders on the FTP server, CDR files for all call managers are processed. VNQM no longer ignores CDR files for all call managers except the last one added.

01269194, 01439830

Avaya RTCP data is collected and displayed as expected.\*

01329850

A large number of CDR or CMR files on the FTP server no longer cause an out of memory exception.\*

\*This fix was added after the RC release.

Return to top

**Installation or upgrade**

For new installations, you can download the installation file from the product page on https://www.solarwinds.com or from the Customer Portal. For more information, see Get the installer.

For upgrades, go to Settings > My Deployment to initiate the upgrade. The SolarWinds Installer upgrades your entire deployment (all SolarWinds Platform products and any scalability engines).

For more information, see the SolarWinds Platform Product Installation and Upgrade Guide.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Hybrid Cloud Observability 2023.4. If you are on a version earlier than Orion Platform 2020.2.1, first upgrade to 2020.2.6 and then upgrade to 2023.4.

Return to top

**Before you upgrade!**

If you are upgrading from a previous version, be aware of the following considerations:

Upgrading from Orion Platform 2020.2.6 or older -

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Hybrid Cloud Observability, check the SolarWinds Platform release notes for additional information.

Return to top

**Legal notices**

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-40062: SolarWinds Hybrid Cloud Observability 2023.4 Release Notes

VMware Workspace ONE UEM console contains an open redirect vulnerability.


A malicious actor may be able to redirect a victim to an attacker and retrieve their SAML response to login as the victim user.



Advisory ID: VMSA-2023-0025

CVSSv3 Range: 8.8

Issue Date: 2023-10-31

Updated On: 2023-10-31 (Initial Advisory)

CVE(s): CVE-2023-20886

Synopsis: VMware Workspace ONE UEM console updates address an open redirect vulnerability (CVE-2023-20886)

****1\. Impacted Products****

*   VMware Workspace ONE UEM console

****2\. Introduction****

An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

****3\. Advisory Details****

VMware Workspace ONE UEM console contains an open redirect vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

A malicious actor may be able to redirect a victim to an attacker and retrieve their SAML response to login as the victim user.

To remediate CVE-2023-20886 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

VMware would like to thank D'Angelo Gonzalez of Crowdstrike for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Workspace ONE UEM

2306

Any

CVE-2023-20886

N/A

N/A

Unaffected

N/A

N/A

Workspace ONE UEM

2302

Any

CVE-2023-20886

8.8

important

23.2.0.10

None

None

Workspace ONE UEM

2212

Any

CVE-2023-20886

8.8

important

22.12.0.20

None

None

Workspace ONE UEM

2209

Any

CVE-2023-20886

8.8

important

22.9.0.29

None

None

Workspace ONE UEM

2206

Any

CVE-2023-20886

8.8

important

22.6.0.36

None

None

Workspace ONE UEM

2203

Any

CVE-2023-20886

8.8

important

22.3.0.48

None

None

****4\. References****

****5\. Change Log****

**2023-10-31: VMSA-2023-0025  
**Initial security advisory.

****6\. Contact****

CVE-2023-20886: VMSA-2023-0025

Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.

October has been a security flaw-fest, with Apple, Microsoft, and Google issuing patches for vulnerabilities that are being used in real-life attacks. There were also multiple enterprise fixes during the month, with Cisco, VMWare, and Citrix fixing serious security bugs.

Some of the patches are more urgent than others, so read on to find out what you need to know about the updates released in October.

Apple iOS and iPad OS

October was a busy month for Apple, with the iPhone maker issuing its second set of fixes as part of iOS 17.1 at the end of the month. The two dozen security fixes in iOS 17.1 include patches for serious flaws in the Kernel at the heart of the iOS operating system and WebKit, the engine that underpins the Safari browser.

Tracked as CVE-2023-42849, the Kernel issue fixed in iOS 17.1 could allow an attacker that has already achieved code execution to bypass memory mitigations, Apple said on its support page. The three WebKit flaws—tracked as CVE-2023-40447, CVE-2023-41976, and CVE-2023-42852—could lead to arbitrary code execution.

Apple has also issued iOS and iPad OS 16.7.2, fixing the same flaws for users of older devices or those who don’t want to upgrade right away. They came alongside macOS Sonoma 14.1, macOS Ventura 13.6, macOS Monterey 12.7.1, tvOS 17.1, WatchOS 10.1, and Safari 17.1.

Earlier this month, Apple released iOS 17.0.3 and iOS 16.7.1, fixing issues being used in real-life attacks. Tracked as CVE-2023-42824, the first is a Kernel bug that could allow an attacker with access to your device to elevate their privileges.

Apple also fixed CVE-2023-5217, a buffer overflow flaw that could allow an attacker to execute code. Affecting multiple browsers and platforms, the bug has already been patched in Google’s Chrome browser.

Microsoft

Microsoft’s Patch Tuesday has seen the tech giant fix over 100 flaws, including two zero-day vulnerabilities in Microsoft WordPad and Skype for Business.

CVE-2023-36563 is an information disclosure bug in the WordPad word processing program that could expose NTLM hashes and result in NTLM relay attacks. However, it requires user interaction: The attacker must send someone a malicious file and convince them to open it, Microsoft said.

CVE-2023-41763 is an elevation of privilege vulnerability in Skype for Business. “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address,” potentially disclosing IP addresses or port numbers, Microsoft said.

Microsoft also patched a flaw in Message Queuing tracked as CVE-2023-35349 with a CVSS critical score of 9.8, which could allow an unauthenticated attacker to remotely execute code.

October’s Patch Tuesday is a particularly urgent one, so it’s important to update as soon as you can.

Google Chrome

Google has released 20 security fixes for its Chrome browser, including one patch for a flaw rated as critical. Tracked as CVE-2023-5218, the bug is a use-after-free issue in Site Isolation. Another six fixes cover inappropriate implementation vulnerabilities marked as having medium impact, while CVE-2023-5476 is a use-after-free flaw in Blink History. Another issue, CVE-2023-5474, is a heap buffer overflow in PDF, according to Google’s blog.

A further four inappropriate implementation vulnerabilities are rated as having a low impact, with Google also fixing a low severity use-after-free bug in Cast tracked as CVE-2023-5473.

None of the flaws fixed in October have been exploited, but given how actively the browser is targeted, it makes sense to update as soon as you can.

Google Android

Google’s October Android update was a major one because it fixed 53 issues, including two vulnerabilities already being used in real-life attacks. The first is CVE-2023-4863, a heap buffer overflow bug in libwebp affecting the applications that use the library to encode and decode images in the WebP format. This vulnerability impacts many applications and could be used to install spyware, security firm Malwarebytes wrote in a blog.

There are indications that the bug “may be under limited, targeted exploitation,” Google said in an advisory.

CVE-2023-4211 is an issue in Arm components rated as having a high impact, which Google said is also being used in attacks. “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Malwarebytes said, adding that the vulnerability affects multiple versions of Arm Mali GPU drivers. These are used in multiple Android device models, including those made by Google, Samsung, Huawei, and Xiaomi.

Another scary flaw in the System tracked as CVE-2023-40129 is rated as critical. “The \[vulnerability\] could lead to remote code execution with no additional execution privileges needed,” Google said.

The update is available for Google’s Pixel and Samsung’s Galaxy series, so if you have an Android device, check your settings ASAP.

Cisco

Software giant Cisco has released patches to fix two already exploited flaws. Tracked as CVE-2023-20198 and with an eye-watering CVSS score of 10, the first is an issue in the web user interface feature of Cisco IOS XE software. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled, researchers at Cisco Talos said in a blog.

“Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access,” the researchers warned.

The attacker can use the new unauthorized local user account to exploit a second vulnerability, CVE-2023-20273, in another component of the WebUI feature. “This allows the adversary to inject commands with elevated root privileges, giving them the ability to run arbitrary commands on the device,” said Talos Intelligence, Cisco’s cybersecurity firm.

Cisco “strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,” the firm wrote in an advisory.

VMWare

VMWare has patched two out-of-bounds write and information disclosure vulnerabilities in its vCenter Server. Tracked as CVE-2023-34048, the first is a vulnerability in the implementation of the DCERPC protocol that could lead to remote code execution. VMware has rated the flaw as critical with a CVSS base score of 9.8.

At the other end of the CVSS scale but still worth mentioning is CVE-2023-34056, a partial information disclosure bug with a score of 4.3. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data,” VMWare wrote in an advisory.

Citrix

Enterprise software firm Citrix has issued urgent fixes for vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Tracked as CVE-2023-4966 and with a CVSS score of 9.4, the first bug could allow an attacker to expose sensitive information.

CVE-2023-4967 is a denial of service issue with a CVSS score of 8.2. Exploits of CVE-2023-4966 on unmitigated appliances “have been observed,” Citrix said. “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

SAP

SAP’s October Security Patch Day saw the release of seven new security notes, all of which were rated as having a medium impact. Tracked as CVE-2023-42474, the worst flaw is a cross-site scripting vulnerability in SAP BusinessObjects Web Intelligence with a CVSS score of 6.8.

With only nine new and updated security notes, SAP’s October Patch Day “belongs to the calmest of the last five years,” security firm Onapsis said.

While SAP’s October flaw count was much smaller than its peers’, attackers are still out there, so you should still keep up to date and get patching as soon as you can.

Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws

Last week on Malwarebytes Labs: Stay safe! Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap,...

October 29, 2023 - Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating...

October 27, 2023 - Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations...

October 27, 2023 - Apple has released security updates for its phones, iPads, Macs, watches and TVs. Updates are available for these products: The important...

October 25, 2023 - VMWare has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server. Since...

October 25, 2023 - Canadian health service provider TransForm has published an update about the cyberattack at its member hospitals. TransForm is a not-for-profit, shared service organization...

 A week in security (October 23 &#8211; October 29) 

VinChin Backup and Recovery in VinChin VMWare Backup versions 5.0 through 7.0 suffers from hardcoded credential and remote code execution vulnerabilities.

    VinChin Backup & Recovery is an all-in-one backup solution for virtual infrastructures supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.VinChin has failed to acknowledge the various requests over a month period, we are thus disclosing the following vulnerabilities:CVE-2023-45499 - VinChin VMWare Backup 5.0 to 7.0During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.CVE-2023-45498 - VinChin VMWare Backup 5.0 to 7.0While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.Timeline:2023-09-22: LeakIX makes initial contact2023-09-25: VinChin request details2023-09-25: LeakIX request Safe harbour2023-09-26: No reply, LeakIX requests update2023-09-27: No reply, LeakIX sends PoC2023-09-29: No reply, LeakIX requests feedback2023-10-05: No reply, LeakIX requests feedback2023-10-10: No reply, LeakIX requests feedback from alternative email2023-10-11: No reply, LeakIX requests feedback from another alternative email2023-10-16: No reply, CVE reserved and vendor notified2023-10-18: No reply, LeakIX sent 7 day disclosure warning2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.2023-10-26: No reply, Publishing this advisory

VinChin VMWare Backup 7.0 Hardcoded Credential / Remote Code Execution

The financially motivated English-speaking threat actors use advanced social engineering techniques, SIM swapping, and even threats of violence to breach targets.

The financially motivated hacking group Octo Tempest, responsible for attacking MGM Resorts International and Caesars Entertainment in September, has been branded "one of the most dangerous financial criminal groups" by Microsoft's Incident Response and Threat Intelligence team.

The group, also known as 0ktapus, Scattered Spider, and UNC3944, has been active since early 2022, initially targeting telecom and outsourcing companies with SIM swap attacks.

It later shifted to extortion using stolen data, and by mid-2023 the group had partnered with ALPHV/BlackCat ransomware, initially leveraging the ALPHV Collections leak site and later deploying the ransomware, focusing on VMWare ESXi servers.

Microsoft's in-depth post about the group and its extensive range of tactics, techniques, and procedures (TTPs) details the evolution of Octo Tempest and the fluidity of its operations.

"In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data," the report notes. "Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques."

**The Multi-Armed 0ktapus Cybercrime Playbook**

The group gains initial access through advanced social advanced social engineering techniques, often targeting employees with access to network permissions, including support and help desk personnel.

The attackers call these individuals, and attempt to persuade them to reset user passwords, change or add authentication tokens, or install a remote monitoring and management (RMM) utility.

The group is not beyond leveraging personal information, such as home addresses and family names, or even making physical threats, to coerce victims into sharing corporate access credentials.

During the initial stages of the attacks, Octo Tempest conducts extensive reconnaissance, which includes gathering data on users, groups, and device information, and exploring network architecture, employee onboarding, and password policies.

The group uses tools including PingCastle and ADRecon for Active Directory reconnaissance, and the PureStorage FlashArray PowerShell SDK for enumerating storage arrays.

They reach deep into multi-cloud environments, code repositories, and server infrastructure, aiming to validate access and plan footholds for subsequent attack phases, a process that helps the group enhance their activities within targeted environments.

**Partnering With Russians: Unprecedented Fusion of Tactics, Tools**

Callie Guenther, senior manager of cyber threat research at Critical Start, says English-speaking Octo Tempest's affiliation with the Russian-speaking BlackCat group signifies an "unprecedented fusion" of resources, technical tools, and refined ransomware tactics.

"Historically, the distinct boundaries maintained between Eastern European and English-speaking cybercriminals provided some semblance of regional demarcation," she explains. "Now, this alliance allows Octo Tempest to operate on a wider canvas, both geographically and in terms of potential targets."

She notes that the convergence of Eastern European cyber expertise with the linguistic and cultural nuances of English-speaking affiliates enhances the localization and efficacy of their attacks.

From her perspective, the multifaceted approach Octo Tempest employs is particularly alarming.

"Beyond their technical prowess, they've mastered the art of social engineering, adapting their tactics to impersonate and blend seamlessly into targeted organizations," she says. "This, combined with their alignment with the formidable BlackCat ransomware group, amplifies their threat manifold."

She notes the real concern emerges when one realizes they've diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics.

Tony Goulding, cybersecurity evangelist at Delinea, agrees the blend of sophisticated techniques, broad scope of industries targeted, and their aggressive approach — even resorting to physical threats — are the most dangerous aspects of the group.

"Organizations should be very concerned," he explains. "Being native English speakers, they can more effectively launch wide-ranging social engineering campaigns compared to BlackCat."

He says this is particularly beneficial when using idiolect methods to convincingly impersonate employees during phone calls.

"Proficiency in English also helps them craft more convincing phishing messages for their signature SMS phishing and SIM swapping techniques," he adds.

**Defense In-Depth**

Guenther says defending against Octo Tempest's financial pursuits involves a series of proactive and reactive measures, adhering to the principle of least privilege to ensure restricted access.

"Cryptocurrencies should be stored in offline cold wallets to minimize online exposure," she advises. "Continual system updates and anti-ransomware solutions can thwart most ransomware deployments."

Advanced network monitoring can detect anomalous data flows, indicative of potential data exfiltration attempts.

"In case of breaches or attacks, an established incident response strategy can guide immediate actions," she adds. "Collaborative threat intelligence sharing with industry peers can also keep organizations abreast of emerging threats and countermeasures."

Goulding points out education, awareness training, and technical controls that vault privileged accounts and protect access workstations and servers are key.

"Putting obstacles in the path of threat actors all along the attack chain, to divert them from their playbook and generate noise, is super important for early detection," he says. "The more advanced and proficient the attack group, the better prepared they will be, so investing in the best tools that include modern capabilities is your best bet."

Octo Tempest Group Threatens Physical Violence as Social Engineering Tactic

Categories: News
Categories: Ransomware
Tags: ALPHV

Tags:  Octo Tempest

Tags:  RaaS

Tags:  LOTL

Tags:  social engineering

Tags:  SIM swapping

A group of cybercriminals known for advanced social engineering attacks has joined one of the biggest ransomware groups as an affiliate.



(Read more...)




The post Octo Tempest cybercriminal group is "a growing concern"—Microsoft appeared first on Malwarebytes Labs.

Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations all over the world.

Initially the group made a name for itself by SIM swapping. SIM swapping, also known as SIM jacking, is the act of illegally taking over a target's cell phone number. This can be done in a number of ways, but the most common ones involve social engineering attacks on the victim's carrier.

In a security blog about Octo Tempest Microsoft states:

> “Octo Tempest monetized their intrusions in 2022 by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.”

Since then the group has expanded its range of activities to include targeting organizations providing cable telecommunications, email, and tech services, and partnering with the ALPHV/BlackCat ransomware group.

In our monthly ransomware reviews you will typically see ALPHV as the world's third most used ransomware-as-a-service (RaaS).

ALPHV was the third most used RaaS between October 2022 - September 2023

ALPHV is a typical RaaS group where several criminal organizations work together to extort victims for data theft and/or encryption of important files. ALPHV provides the ransomware, the infrastructure for negotiating ransoms, and a dark web site where stolen data is leaked. The service is used by criminal gangs called affiliates who actually carry out attacks.

As an ALPHV affiliate, Octo Tempest focused its deployments primarily on VMWare ESXi servers and other complex hybrid environments.

Microsoft reports that in doing so, Octo Tempest progressively broadened the number of industries it targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services. 

Having Octo Tempest as an affiliate brings specialized knowledge to ALPHV, such as SMS phishing, SIM swapping, and advanced social engineering techniques. The group includes members with extensive technical knowledge and multiple hand-on-keyboard operators.

Its social engineering attacks target accounts that have sufficient administrator rights to build out an impactful attack. For example, to keep their tracks hidden, Octo Tempest will target the accounts of security personnel, which allows them to disable security products and features.

The group uses all kinds of social engineering attacks and, as a last resort, they do not shy away from threatening targets with physical violence if they fail to comply.

A unique technique used by Octo Tempest is to use the data movement platform Azure Data Factory, and automated pipelines, to extract data to external servers, aiming to blend in with typical big data operations.

Similar to that the group uses many Living off the land (LOTL) techniques that make it hard to spot its activities. One of Microsoft’s recommendations is to keep close tabs on administrative changes in your environment.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

TRY NOW

Octo Tempest cybercriminal group is "a growing concern"—Microsoft

open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the 
/dev/uinput file descriptor allowing them to simulate user inputs.

Advisory ID: VMSA-2023-0024

CVSSv3 Range: 7.5 - 7.8

Issue Date: 2023-10-26

Updated On: 2023-10-26 (Initial Advisory)

CVE(s): CVE-2023-34057, CVE-2023-34058

Synopsis: VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Dan Revah of Google for reporting this issue to us.

****3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)****

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

*   While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
*   CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34057

7.8

important

12.1.1

None

None

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34057

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34058

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34058

7.5

important

12.3.5

None

None

****4\. References****

****5\. Change Log****

**2023-10-26 VMSA-2023-0024  
**Initial security advisory.

****6\. Contact****

Tag

#vmware