A 9.4 CVSS score security vulnerability unearthed in Jira Server and Data Center

SISA Weekly Threat Watch - 13 February 2023

Security researchers claim that organizations all over the world need to be on the lookout for threat actors’ increasing “flexibility” to create new malware based on the environments they are targeting and the privileges they have access to at any given stage of the attack. Threat actors have recently increased their use of alternative malware distribution techniques, such as Windows Shortcuts (LNK files), malvertising, and ISO files, demonstrating the great lengths they will go to avoid detection and impede analysis.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Microsoft Visual Studio tools for Office weaponized to push malware

Security researchers have recently discovered multiple campaigns where Microsoft Visual Studio Tools for Office (VSTO) are being used as a method of achieving persistence and executing remote code on the target machine via malicious Office add-ins. The attackers accomplish this by creating malware that is .NET-based and inserting it inside these Office add-ins. Threat actors use the local VSTO approach since it eliminates the need to run the add-in code, bypassing trust-related security protocols.

The inclusion of the “custom.xml” parameter, which instructs the Office application where to find and install the add-in, is a sign that a document contains a data packet. They are then executed when launching a document with the associated office application, which displays a prompt for the user to confirm that they want to install the add-in. To protect against phishing, it is recommended to provide sufficient user training and education, as well as implementing an email security solution to monitor emails. Proactive detection is also critical to monitor VSTO file creations during the same time an Office document is created on the same host.

2. VMware finds no evidence of zero-day in ongoing ESXiArgs ransomware spree

Unpatched VMware ESXi servers are being actively targeted by attackers to deploy a new ESXiArgs ransomware against a two-year-old remote code execution vulnerability. VMware researchers said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of this ongoing ransomware attack spree worldwide. An unauthenticated threat actor could exploit the vulnerability, identified as CVE-2021-21974, an OpenSLP heap-based buffer overflow vulnerability, to obtain remote code execution.

The attacks appear to target ESXi servers that are accessible via OpenSLP port 427 and tell their victims to pay 2.01 Bitcoin to obtain the encryption key required to decrypt their files. The majority of concerns indicate that known vulnerabilities that have been resolved and publicized in VMware Security Advisories (VMSAs) are being targeted towards End of General Support (EoGS) and/or severely out-of-date products. To address known issues and disable the OpenSLP service in ESXi, the company is further advising users to upgrade to the most recent supported releases of vSphere components.

3. Jira Service Management Server and Data Center vulnerability (CVE-2023-22501)

A security flaw has been uncovered in Jira Service Management Server and Data Center that lets an attacker assume the identity of another user and enter a Jira Service Management instance in specific conditions. The vulnerability, tracked as CVE-2023-22501, has been assigned a critical severity rating with a CVSS score of 9.4 and is characterized by weak authentication allowing for easy exploitation. An attacker with ‘write’ access to a User Directory and with outgoing email enabled on a Jira Service Management instance could obtain signup tokens sent to users with accounts that have never been accessed.

This vulnerability may affect bot accounts as well as external customer accounts on instances with single sign-in. This risk is present in projects where individuals can create their own accounts. This vulnerability affects Jira Service Management Server and Data Center versions 5.3.0 to 5.3.1, 5.3.2, 5.4.0, 5.4.1 to 5.5.0. Updates to Jira Service Management Server and Data Center have been made to address the vulnerability and make sure it is fixed in version 5.3.3, 5.4.2, 5.5.1, and 5.6.0 or later.

4. Fortra patches actively exploited zero-day in GoAnywhere MFT

GoAnywhere MFT is a web-based and managed file transfer tool designed to help organizations to transfer files securely with partners and keep audit logs of who accessed the shared files. An emergency fix has been released by its developer Fortra to address an actively exploited zero-day vulnerability in the GoAnywhere MFT secure file transfer tool.

The vulnerability allows attackers to gain remote code execution on vulnerable GoAnywhere MFT instances whose administrative console is exposed online. The attack vector of the exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses. All GoAnywhere MFT customers are advised to apply the patch as soon as possible. The patch version prevents the deserialization of illegitimate data sent to the GoAnywhere server. Additionally, evaluate all the Audit Logs for suspicious activity such as, a non-existent or disabled super user creating an unexpected account.

5. FormBook malware spreading through malvertising

An active malicious advertising campaign is currently distributing .NET loaders that are built to install the FormBook data-stealing malware. The .NET loaders appear to be from well-known companies like Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA, but they use invalid signatures or certificates that are not trusted by the system and stored in the Trusted Root Certification Authorities store.

The presence of virtual machine or sandbox environments is determined by checking specific registry keys and drivers on the victim system, such as HKEY_LOCAL_MACHINESOFTWAREOracleVirtualBox Guest and HKEY_LOCAL_MACHINESOFTWAREVMware, Inc.VMware Tools, and the existence of vboxmouse.sys, vmmouse.sys, and vmhgfs.sys drivers. To protect against phishing attacks, it is advised to exercise caution when opening emails and attachments, especially if they come from unknown or untrusted sources. It is also recommended to use robust anti-malware software that can detect and prevent FormBook infections. Educating employees about safe computing practices and social engineering tactics used in phishing attacks, is also critical.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider