CCTR.2.JAN.24
Apache OFBiz bugs, Stealers, BGP Hijacking
Monday morning Cyber coffee read CCTR.2.JAN.24.
Keep Bypassing Authentication
SonicWall has identified an authentication bypass vulnerability, CVE-2023-51467 (CVSS score 9.8), in Apache OFBiz that enables command execution. The discovery emerged while investigating the root cause of the previously disclosed CVE-2023-49070: the security measures taken to address CVE-2023-49070 did not fix the underlying issue, so the authentication bypass persisted. Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, sits in the software supply chain of widely deployed applications such as Atlassian's JIRA. Given its broad adoption, the impact of this vulnerability could be severe. Shadowserver has observed potential exploitation of CVE-2023-49070 in the wild, and SonicWall has also noted a number of attempts to exploit CVE-2023-51467.
Not your regular cookie monster
CloudSEK has discovered information-stealing malware that abuses OAuth2 API functionality to steal authentication tokens from Google Chrome. As long as the user remains logged into Google Chrome or has not revoked all sessions linked to their accounts, threat actors can use the special "Refresh" token to generate new authentication tokens when the previous ones expire. The Lumma Infostealer, incorporating this exploit, was deployed in November. Subsequently, Rhadamanthys, Risepro, Meduza, and Stealc Stealer adopted the same technique, and later in December White Snake also integrated the exploit. Eternity Stealer is actively working on an update, showing how quickly the technique is spreading across infostealer groups. Google's current recommended solution is for users to log out of their Chrome browser on the affected device or terminate all active sessions. This invalidates the Refresh token, rendering it unusable with the API.
Why DDoS when you can just login and BGP reroute?
Earlier this week, a threat actor known as "Ms_Snow_OwO" announced on Twitter that they had successfully taken over a RIPE administrator account associated with Orange Spain. The RIPE Network Coordination Centre is one of the five Regional Internet Registries (RIRs); it provides Internet resource allocations, registration services, and coordination activities that support the operation of the Internet for Europe, the Middle East, and parts of Central Asia. Using the compromised account, the threat actor changed the AS number linked to Orange's IP address space, resulting in significant disruptions for Orange and a ~50% reduction in traffic.
The Orange employee's computer had been infected with the Raccoon stealer on September 4, 2023. Among the corporate credentials harvested from the compromised machine were the login details for the RIPE access control panel. It is noteworthy that the password for Orange's RIPE administrator account was "ripeadmin," which highlights a significant security culture flaw. This incident shows the serious impact a single stealer malware infection can have on any organisation. Regularly checking your organisation's exposure to stealer infections is crucial, as they are a key method for threat actors to gain easy access to target organisations.
Read on https://www.infostealers.com/article/infostealer-infection-of-an-orange-employee-results-in-bgp-disruptions/