Hackers are actively exploiting vulnerabilities in Citrix's NetScaler ADC and NetScaler Gateway platforms, known as 'CitrixBleed', leading to a wave of mass cyberattacks. This vulnerability allows remote unauthenticated attackers to extract sensitive information from the memory of vulnerable Citrix devices [a2697f3d]. At least four threat groups are exploiting this bug, with one group automating the attack process. The LockBit gang recently targeted the U.S. branch of Industrial and Commercial Bank of China (ICBC) by compromising an unpatched Citrix Netscaler box, and ICBC reportedly paid the ransom demand. Other affected organizations include Boeing and international law firm Allen & Overy [21c32a0d]. Citrix has urged its customers to update to the latest versions of NetScaler ADC and NetScaler Gateway to prevent active exploitation of vulnerabilities that could lead to information disclosure and denial of service (DoS) attacks [45eac12b].
In addition to the CitrixBleed vulnerability, Atlassian has released security advisories for four critical remote code execution (RCE) vulnerabilities affecting Confluence, Jira, Bitbucket servers, and a companion app for macOS. The vulnerabilities have a severity score of at least 9.0 out of 10. While none of the issues have been exploited in the wild, Atlassian advises system administrators to prioritize applying the available updates due to the popularity of their products [d1774f7a].
The vulnerabilities include a template injection flaw in Confluence, a privileged RCE in the Assets Discovery agent in Jira Service Management, a bypass of blocklist and macOS Gatekeeper in the Confluence companion app for macOS, and an RCE in the SnakeYAML library affecting multiple versions of Jira, Bitbucket, and Confluence. Atlassian has provided patches for the affected versions and recommends temporary mitigations for some vulnerabilities [d1774f7a].
Atlassian's Chief Information Security Officer emphasizes the potential for significant data loss if the Confluence vulnerability is exploited, but reassures that it does not enable data theft [a75c1047].
Furthermore, a critical vulnerability, known as CVE-2023-46604, has been discovered in Apache ActiveMQ, posing a significant threat to users. The vulnerability allows remote attackers to execute arbitrary shell commands by manipulating serialized class types within the OpenWire protocol. Attackers proceed to load remote binaries and execute a payload. The exploit code for CVE-2023-46604 is publicly available on GitHub, increasing the risk. Apache has issued an advisory recommending specific steps for mitigation. Staying informed about the vulnerability and utilizing up-to-date detection methods is crucial. SOC Prime's Threat Detection Marketplace provides resources for this purpose. The Hello Kitty ransomware group has exploited the vulnerability, emphasizing the need for proactive cybersecurity measures [b0fdda34].
CISA has added a critical vulnerability (CVE-2023-1671) in Sophos Web Appliance to its Known Exploited Vulnerabilities catalog. The vulnerability is a pre-auth command injection vulnerability that allows attackers to execute arbitrary code. The vulnerability was disclosed in April 2023 and affects all versions of the appliances prior to version 4.3.10.4. Sophos released a patch for the vulnerability and advised customers to keep the device behind a firewall. Sophos Web Appliance will reach end of life on July 20, 2023, and organizations are urged to switch to using Sophos Firewall. The delay in attackers exploiting the vulnerability may be due to the default automatic updating setting reducing the potential pool of targets [07d39bff].
A report by Veracode reveals that almost two in five applications are currently running vulnerable versions of Log4j, a popular logging library. This includes 2.8% of applications running Log4j with the Log4Shell vulnerabilities, 3.8% running a patched version with a different vulnerability, and 32% using an outdated version that is no longer supported. The report highlights the need for businesses to be more diligent in patching their endpoints and adopting stringent open-source security practices. Another report by the same firm found that developers rarely update third-party libraries after including them in a code base, which could explain the prevalence of outdated Log4j code. The article emphasizes the importance of addressing these vulnerabilities to protect against potential security breaches [4d371bbc].