BU-CERT – Page 15 – Bournemouth University Computer Emergency Response Team

Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit – CVE-2024-4323)

Posted on 21 May 2024

From tenable.com

Key takeaways

Fluent Bit is a logging utility heavily used by all major cloud providers.
Tenable Research discovered a critical vulnerability dubbed Linguistic Lumberjack (CVE-2024-4323) within Fluent Bit’s built-in HTTP server that could potentially allow for denial of service, information disclosure, or remote code execution.
The vulnerability was introduced in version 2.0.7 and exists thru 3.0.3. It is fixed in the main source branch and is expected in release 3.0.4.
The issue can be resolved by …
- … upgrading to the latest version of Fluent Bit.
- … appropriately limiting access to the vulnerable endpoint.

An overview of Fluent Bit and of the Linguistic Lumberjack vulnerability

Fluent Bit is a lightweight, open-source data collector and processor that can handle large volumes of log data from various sources. It was designed to be highly scalable and easy to use, making it an ideal choice for collecting and processing logs in cloud-based environments. The project boasts upwards of 3 billion downloads as of 2022 and continues to see more than 10 million deployments each day. It is used heavily in almost every major cloud provider’s infrastructure.

Multiple Vulnerabilities in Honeywell VirtualUOC Let Attackers Execute Remote Code

Posted on 21 May 2024

From gbhackers.com

Team82 has uncovered multiple critical vulnerabilities in Honeywell’s ControlEdge Virtual Unit Operations Center (UOC).

These vulnerabilities within the EpicMo protocol implementation could potentially allow attackers to execute remote code without authentication.

Honeywell has since addressed these issues, but the discovery underscores the ongoing challenges in securing industrial control systems (ICS).

Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox

Posted on 21 May 2024

From thehackernews.com

A critical security flaw has been disclosed in the llama_cpp_python Python package that could be exploited by threat actors to achieve arbitrary code execution.

Tracked as CVE-2024-34359 (CVSS score: 9.7), the flaw has been codenamed Llama Drama by software supply chain security firm Checkmarx.

“If exploited, it could allow attackers to execute arbitrary code on your system, compromising data and operations,” security researcher Guy Nachshon said.

llama_cpp_python, a Python binding for the llama.cpp library, is a popular package with over 3 million downloads to date, allowing developers to integrate AI models with Python.

CVE-2023-34992: Fortinet FortiSIEM Command Injection Deep-Dive

Posted on 20 May 2024

From horizon3.ai

In early 2023, given some early success in auditing Fortinet appliances, I continued the effort and landed upon the Fortinet FortiSIEM. Several issues were discovered during this audit that ultimately lead to unauthenticated remote code execution in the context of the root user. The vulnerabilities were assigned CVE-2023-34992 with a CVSS3.0 score of 10.0 given that the access allowed reading of secrets for integrated systems, allowing for pivoting into those systems.

FortiSIEM Overview

The FortiSIEM allows customers to do many of the expected functions of a typical SIEM solution such as log collection, correlation, automated response, and remediation. It also allows for simple and complex deployments ranging from a standalone appliance to scaled out solutions for enterprises and MSPs.

Drs-Malware-Scan – Perform File-Based Malware Scan On Your On-Prem Servers With AWS

Posted on 20 May 2024

From kitploit.com

Perform malware scan analysis of on-prem servers using AWS services

Challenges with on-premises malware detection

It can be difficult for security teams to continuously monitor all on-premises servers due to budget and resource constraints. Signature-based antivirus alone is insufficient as modern malware uses various obfuscation techniques. Server admins may lack visibility into security events across all servers historically. Determining compromised systems and safe backups to restore from during incidents is challenging without centralized monitoring and alerting. It is onerous for server admins to setup and maintain additional security tools for advanced threat detection. The rapid mean time to detect and remediate infections is critical but difficult to achieve without the right automated solution.

Determining which backup image is safe to restore from during incidents without comprehensive threat intelligence is another hard problem. Even if backups are available, without knowing when exactly a system got compromised, it is risky to blindly restore from backups. This increases the chance of restoring malware and losing even more valuable data and systems during incident response. There is a need for an automated solution that can pinpoint the timeline of infiltration and recommend safe backups for restoration.

Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

Posted on 20 May 2024

From thehackernews.com

The cryptojacking group known as Kinsing has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities to the exploit arsenal and expand its botnet.

The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019.

Kinsing (aka H2Miner), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was first documented by TrustedSec in January 2020.

In recent years, campaigns involving the Golang-based malware have weaponized various flaws in Apache ActiveMQ, Apache Log4j, Apache NiFi, Atlassian Confluence, Citrix, Liferay Portal, Linux, Openfire, Oracle WebLogic Server, and SaltStack to breach vulnerable systems.

Other methods have also involved exploiting misconfigured Docker, PostgreSQL, and Redis instances to obtain initial access, after which the endpoints are marshaled into a botnet for crypto-mining, but not before disabling security services and removing rival miners already installed on the hosts.

Subsequent analysis by CyberArk in 2021 unearthed commonalities between Kinsing and another malware called NSPPS, concluding that both the strains “represent the same family.”

Akira Ransomware Escalates Privilege To Exfiltrate Domain Controller Files

Posted on 20 May 2024

From gbhackers.com

In a recent encounter, the Akira ransomware group exploited a novel privilege escalation technique, where the attackers infiltrated the victim’s virtual environment to steal the NTDS.dit file, a critical file containing domain user accounts and passwords stored on domain controllers.

The stolen information likely granted them escalated privileges within the network, potentially allowing them to move laterally and launch a ransomware attack more quickly.

Akira, a cyber threat actor active since March 2023, targets SMEs globally to infiltrate networks by exploiting weak VPNs (compromised credentials or vulnerabilities), as it breached an agricultural company through an unpatched single-factor VPN.