VMware Workspace ONE UEM console contains an open redirect vulnerability.


A malicious actor may be able to redirect a victim to an attacker and retrieve their SAML response to login as the victim user.



Advisory ID: VMSA-2023-0025

CVSSv3 Range: 8.8

Issue Date: 2023-10-31

Updated On: 2023-10-31 (Initial Advisory)

CVE(s): CVE-2023-20886

Synopsis: VMware Workspace ONE UEM console updates address an open redirect vulnerability (CVE-2023-20886)

****1\. Impacted Products****

*   VMware Workspace ONE UEM console

****2\. Introduction****

An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

****3\. Advisory Details****

VMware Workspace ONE UEM console contains an open redirect vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

A malicious actor may be able to redirect a victim to an attacker and retrieve their SAML response to login as the victim user.

To remediate CVE-2023-20886 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

VMware would like to thank D'Angelo Gonzalez of Crowdstrike for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Workspace ONE UEM

2306

Any

CVE-2023-20886

N/A

N/A

Unaffected

N/A

N/A

Workspace ONE UEM

2302

Any

CVE-2023-20886

8.8

important

23.2.0.10

None

None

Workspace ONE UEM

2212

Any

CVE-2023-20886

8.8

important

22.12.0.20

None

None

Workspace ONE UEM

2209

Any

CVE-2023-20886

8.8

important

22.9.0.29

None

None

Workspace ONE UEM

2206

Any

CVE-2023-20886

8.8

important

22.6.0.36

None

None

Workspace ONE UEM

2203

Any

CVE-2023-20886

8.8

important

22.3.0.48

None

None

****4\. References****

****5\. Change Log****

**2023-10-31: VMSA-2023-0025  
**Initial security advisory.

****6\. Contact****

CVE-2023-20886: VMSA-2023-0025

Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.

October has been a security flaw-fest, with Apple, Microsoft, and Google issuing patches for vulnerabilities that are being used in real-life attacks. There were also multiple enterprise fixes during the month, with Cisco, VMWare, and Citrix fixing serious security bugs.

Some of the patches are more urgent than others, so read on to find out what you need to know about the updates released in October.

Apple iOS and iPad OS

October was a busy month for Apple, with the iPhone maker issuing its second set of fixes as part of iOS 17.1 at the end of the month. The two dozen security fixes in iOS 17.1 include patches for serious flaws in the Kernel at the heart of the iOS operating system and WebKit, the engine that underpins the Safari browser.

Tracked as CVE-2023-42849, the Kernel issue fixed in iOS 17.1 could allow an attacker that has already achieved code execution to bypass memory mitigations, Apple said on its support page. The three WebKit flaws—tracked as CVE-2023-40447, CVE-2023-41976, and CVE-2023-42852—could lead to arbitrary code execution.

Apple has also issued iOS and iPad OS 16.7.2, fixing the same flaws for users of older devices or those who don’t want to upgrade right away. They came alongside macOS Sonoma 14.1, macOS Ventura 13.6, macOS Monterey 12.7.1, tvOS 17.1, WatchOS 10.1, and Safari 17.1.

Earlier this month, Apple released iOS 17.0.3 and iOS 16.7.1, fixing issues being used in real-life attacks. Tracked as CVE-2023-42824, the first is a Kernel bug that could allow an attacker with access to your device to elevate their privileges.

Apple also fixed CVE-2023-5217, a buffer overflow flaw that could allow an attacker to execute code. Affecting multiple browsers and platforms, the bug has already been patched in Google’s Chrome browser.

Microsoft

Microsoft’s Patch Tuesday has seen the tech giant fix over 100 flaws, including two zero-day vulnerabilities in Microsoft WordPad and Skype for Business.

CVE-2023-36563 is an information disclosure bug in the WordPad word processing program that could expose NTLM hashes and result in NTLM relay attacks. However, it requires user interaction: The attacker must send someone a malicious file and convince them to open it, Microsoft said.

CVE-2023-41763 is an elevation of privilege vulnerability in Skype for Business. “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address,” potentially disclosing IP addresses or port numbers, Microsoft said.

Microsoft also patched a flaw in Message Queuing tracked as CVE-2023-35349 with a CVSS critical score of 9.8, which could allow an unauthenticated attacker to remotely execute code.

October’s Patch Tuesday is a particularly urgent one, so it’s important to update as soon as you can.

Google Chrome

Google has released 20 security fixes for its Chrome browser, including one patch for a flaw rated as critical. Tracked as CVE-2023-5218, the bug is a use-after-free issue in Site Isolation. Another six fixes cover inappropriate implementation vulnerabilities marked as having medium impact, while CVE-2023-5476 is a use-after-free flaw in Blink History. Another issue, CVE-2023-5474, is a heap buffer overflow in PDF, according to Google’s blog.

A further four inappropriate implementation vulnerabilities are rated as having a low impact, with Google also fixing a low severity use-after-free bug in Cast tracked as CVE-2023-5473.

None of the flaws fixed in October have been exploited, but given how actively the browser is targeted, it makes sense to update as soon as you can.

Google Android

Google’s October Android update was a major one because it fixed 53 issues, including two vulnerabilities already being used in real-life attacks. The first is CVE-2023-4863, a heap buffer overflow bug in libwebp affecting the applications that use the library to encode and decode images in the WebP format. This vulnerability impacts many applications and could be used to install spyware, security firm Malwarebytes wrote in a blog.

There are indications that the bug “may be under limited, targeted exploitation,” Google said in an advisory.

CVE-2023-4211 is an issue in Arm components rated as having a high impact, which Google said is also being used in attacks. “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Malwarebytes said, adding that the vulnerability affects multiple versions of Arm Mali GPU drivers. These are used in multiple Android device models, including those made by Google, Samsung, Huawei, and Xiaomi.

Another scary flaw in the System tracked as CVE-2023-40129 is rated as critical. “The \[vulnerability\] could lead to remote code execution with no additional execution privileges needed,” Google said.

The update is available for Google’s Pixel and Samsung’s Galaxy series, so if you have an Android device, check your settings ASAP.

Cisco

Software giant Cisco has released patches to fix two already exploited flaws. Tracked as CVE-2023-20198 and with an eye-watering CVSS score of 10, the first is an issue in the web user interface feature of Cisco IOS XE software. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled, researchers at Cisco Talos said in a blog.

“Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access,” the researchers warned.

The attacker can use the new unauthorized local user account to exploit a second vulnerability, CVE-2023-20273, in another component of the WebUI feature. “This allows the adversary to inject commands with elevated root privileges, giving them the ability to run arbitrary commands on the device,” said Talos Intelligence, Cisco’s cybersecurity firm.

Cisco “strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,” the firm wrote in an advisory.

VMWare

VMWare has patched two out-of-bounds write and information disclosure vulnerabilities in its vCenter Server. Tracked as CVE-2023-34048, the first is a vulnerability in the implementation of the DCERPC protocol that could lead to remote code execution. VMware has rated the flaw as critical with a CVSS base score of 9.8.

At the other end of the CVSS scale but still worth mentioning is CVE-2023-34056, a partial information disclosure bug with a score of 4.3. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data,” VMWare wrote in an advisory.

Citrix

Enterprise software firm Citrix has issued urgent fixes for vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Tracked as CVE-2023-4966 and with a CVSS score of 9.4, the first bug could allow an attacker to expose sensitive information.

CVE-2023-4967 is a denial of service issue with a CVSS score of 8.2. Exploits of CVE-2023-4966 on unmitigated appliances “have been observed,” Citrix said. “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

SAP

SAP’s October Security Patch Day saw the release of seven new security notes, all of which were rated as having a medium impact. Tracked as CVE-2023-42474, the worst flaw is a cross-site scripting vulnerability in SAP BusinessObjects Web Intelligence with a CVSS score of 6.8.

With only nine new and updated security notes, SAP’s October Patch Day “belongs to the calmest of the last five years,” security firm Onapsis said.

While SAP’s October flaw count was much smaller than its peers’, attackers are still out there, so you should still keep up to date and get patching as soon as you can.

Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws

Last week on Malwarebytes Labs: Stay safe! Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap,...

October 29, 2023 - Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating...

October 27, 2023 - Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations...

October 27, 2023 - Apple has released security updates for its phones, iPads, Macs, watches and TVs. Updates are available for these products: The important...

October 25, 2023 - VMWare has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server. Since...

October 25, 2023 - Canadian health service provider TransForm has published an update about the cyberattack at its member hospitals. TransForm is a not-for-profit, shared service organization...

 A week in security (October 23 &#8211; October 29) 

VinChin Backup and Recovery in VinChin VMWare Backup versions 5.0 through 7.0 suffers from hardcoded credential and remote code execution vulnerabilities.

    VinChin Backup & Recovery is an all-in-one backup solution for virtual infrastructures supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.VinChin has failed to acknowledge the various requests over a month period, we are thus disclosing the following vulnerabilities:CVE-2023-45499 - VinChin VMWare Backup 5.0 to 7.0During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.CVE-2023-45498 - VinChin VMWare Backup 5.0 to 7.0While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.Timeline:2023-09-22: LeakIX makes initial contact2023-09-25: VinChin request details2023-09-25: LeakIX request Safe harbour2023-09-26: No reply, LeakIX requests update2023-09-27: No reply, LeakIX sends PoC2023-09-29: No reply, LeakIX requests feedback2023-10-05: No reply, LeakIX requests feedback2023-10-10: No reply, LeakIX requests feedback from alternative email2023-10-11: No reply, LeakIX requests feedback from another alternative email2023-10-16: No reply, CVE reserved and vendor notified2023-10-18: No reply, LeakIX sent 7 day disclosure warning2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.2023-10-26: No reply, Publishing this advisory

VinChin VMWare Backup 7.0 Hardcoded Credential / Remote Code Execution

The financially motivated English-speaking threat actors use advanced social engineering techniques, SIM swapping, and even threats of violence to breach targets.

The financially motivated hacking group Octo Tempest, responsible for attacking MGM Resorts International and Caesars Entertainment in September, has been branded "one of the most dangerous financial criminal groups" by Microsoft's Incident Response and Threat Intelligence team.

The group, also known as 0ktapus, Scattered Spider, and UNC3944, has been active since early 2022, initially targeting telecom and outsourcing companies with SIM swap attacks.

It later shifted to extortion using stolen data, and by mid-2023 the group had partnered with ALPHV/BlackCat ransomware, initially leveraging the ALPHV Collections leak site and later deploying the ransomware, focusing on VMWare ESXi servers.

Microsoft's in-depth post about the group and its extensive range of tactics, techniques, and procedures (TTPs) details the evolution of Octo Tempest and the fluidity of its operations.

"In recent campaigns, we observed Octo Tempest leverage a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data," the report notes. "Octo Tempest leverages tradecraft that many organizations don't have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques."

**The Multi-Armed 0ktapus Cybercrime Playbook**

The group gains initial access through advanced social advanced social engineering techniques, often targeting employees with access to network permissions, including support and help desk personnel.

The attackers call these individuals, and attempt to persuade them to reset user passwords, change or add authentication tokens, or install a remote monitoring and management (RMM) utility.

The group is not beyond leveraging personal information, such as home addresses and family names, or even making physical threats, to coerce victims into sharing corporate access credentials.

During the initial stages of the attacks, Octo Tempest conducts extensive reconnaissance, which includes gathering data on users, groups, and device information, and exploring network architecture, employee onboarding, and password policies.

The group uses tools including PingCastle and ADRecon for Active Directory reconnaissance, and the PureStorage FlashArray PowerShell SDK for enumerating storage arrays.

They reach deep into multi-cloud environments, code repositories, and server infrastructure, aiming to validate access and plan footholds for subsequent attack phases, a process that helps the group enhance their activities within targeted environments.

**Partnering With Russians: Unprecedented Fusion of Tactics, Tools**

Callie Guenther, senior manager of cyber threat research at Critical Start, says English-speaking Octo Tempest's affiliation with the Russian-speaking BlackCat group signifies an "unprecedented fusion" of resources, technical tools, and refined ransomware tactics.

"Historically, the distinct boundaries maintained between Eastern European and English-speaking cybercriminals provided some semblance of regional demarcation," she explains. "Now, this alliance allows Octo Tempest to operate on a wider canvas, both geographically and in terms of potential targets."

She notes that the convergence of Eastern European cyber expertise with the linguistic and cultural nuances of English-speaking affiliates enhances the localization and efficacy of their attacks.

From her perspective, the multifaceted approach Octo Tempest employs is particularly alarming.

"Beyond their technical prowess, they've mastered the art of social engineering, adapting their tactics to impersonate and blend seamlessly into targeted organizations," she says. "This, combined with their alignment with the formidable BlackCat ransomware group, amplifies their threat manifold."

She notes the real concern emerges when one realizes they've diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics.

Tony Goulding, cybersecurity evangelist at Delinea, agrees the blend of sophisticated techniques, broad scope of industries targeted, and their aggressive approach — even resorting to physical threats — are the most dangerous aspects of the group.

"Organizations should be very concerned," he explains. "Being native English speakers, they can more effectively launch wide-ranging social engineering campaigns compared to BlackCat."

He says this is particularly beneficial when using idiolect methods to convincingly impersonate employees during phone calls.

"Proficiency in English also helps them craft more convincing phishing messages for their signature SMS phishing and SIM swapping techniques," he adds.

**Defense In-Depth**

Guenther says defending against Octo Tempest's financial pursuits involves a series of proactive and reactive measures, adhering to the principle of least privilege to ensure restricted access.

"Cryptocurrencies should be stored in offline cold wallets to minimize online exposure," she advises. "Continual system updates and anti-ransomware solutions can thwart most ransomware deployments."

Advanced network monitoring can detect anomalous data flows, indicative of potential data exfiltration attempts.

"In case of breaches or attacks, an established incident response strategy can guide immediate actions," she adds. "Collaborative threat intelligence sharing with industry peers can also keep organizations abreast of emerging threats and countermeasures."

Goulding points out education, awareness training, and technical controls that vault privileged accounts and protect access workstations and servers are key.

"Putting obstacles in the path of threat actors all along the attack chain, to divert them from their playbook and generate noise, is super important for early detection," he says. "The more advanced and proficient the attack group, the better prepared they will be, so investing in the best tools that include modern capabilities is your best bet."

Octo Tempest Group Threatens Physical Violence as Social Engineering Tactic

Categories: News
Categories: Ransomware
Tags: ALPHV

Tags:  Octo Tempest

Tags:  RaaS

Tags:  LOTL

Tags:  social engineering

Tags:  SIM swapping

A group of cybercriminals known for advanced social engineering attacks has joined one of the biggest ransomware groups as an affiliate.



(Read more...)




The post Octo Tempest cybercriminal group is "a growing concern"—Microsoft appeared first on Malwarebytes Labs.

Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations all over the world.

Initially the group made a name for itself by SIM swapping. SIM swapping, also known as SIM jacking, is the act of illegally taking over a target's cell phone number. This can be done in a number of ways, but the most common ones involve social engineering attacks on the victim's carrier.

In a security blog about Octo Tempest Microsoft states:

> “Octo Tempest monetized their intrusions in 2022 by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.”

Since then the group has expanded its range of activities to include targeting organizations providing cable telecommunications, email, and tech services, and partnering with the ALPHV/BlackCat ransomware group.

In our monthly ransomware reviews you will typically see ALPHV as the world's third most used ransomware-as-a-service (RaaS).

ALPHV was the third most used RaaS between October 2022 - September 2023

ALPHV is a typical RaaS group where several criminal organizations work together to extort victims for data theft and/or encryption of important files. ALPHV provides the ransomware, the infrastructure for negotiating ransoms, and a dark web site where stolen data is leaked. The service is used by criminal gangs called affiliates who actually carry out attacks.

As an ALPHV affiliate, Octo Tempest focused its deployments primarily on VMWare ESXi servers and other complex hybrid environments.

Microsoft reports that in doing so, Octo Tempest progressively broadened the number of industries it targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services. 

Having Octo Tempest as an affiliate brings specialized knowledge to ALPHV, such as SMS phishing, SIM swapping, and advanced social engineering techniques. The group includes members with extensive technical knowledge and multiple hand-on-keyboard operators.

Its social engineering attacks target accounts that have sufficient administrator rights to build out an impactful attack. For example, to keep their tracks hidden, Octo Tempest will target the accounts of security personnel, which allows them to disable security products and features.

The group uses all kinds of social engineering attacks and, as a last resort, they do not shy away from threatening targets with physical violence if they fail to comply.

A unique technique used by Octo Tempest is to use the data movement platform Azure Data Factory, and automated pipelines, to extract data to external servers, aiming to blend in with typical big data operations.

Similar to that the group uses many Living off the land (LOTL) techniques that make it hard to spot its activities. One of Microsoft’s recommendations is to keep close tabs on administrative changes in your environment.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap, reduces your risk of unknown threats, and increases your security efficiency exponentially. Malwarebytes MDR staffs highly experienced Tier 2 and Tier 3 analysts who are hands-on with customer endpoints, ensuring critical threats are quickly identified and a thorough response is rapidly deployed.

Want to learn more about MDR? Get a free trial below.

TRY NOW

Octo Tempest cybercriminal group is "a growing concern"—Microsoft

open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the 
/dev/uinput file descriptor allowing them to simulate user inputs.

Advisory ID: VMSA-2023-0024

CVSSv3 Range: 7.5 - 7.8

Issue Date: 2023-10-26

Updated On: 2023-10-26 (Initial Advisory)

CVE(s): CVE-2023-34057, CVE-2023-34058

Synopsis: VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Dan Revah of Google for reporting this issue to us.

****3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)****

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

*   While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
*   CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34057

7.8

important

12.1.1

None

None

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34057

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34058

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34058

7.5

important

12.3.5

None

None

****4\. References****

****5\. Change Log****

**2023-10-26 VMSA-2023-0024  
**Initial security advisory.

****6\. Contact****

CVE-2023-34059: VMSA-2023-0024

VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.

Sun Oct 15, 2023 by BloodyShell in  vulnerability, research, LeakIX  vulnerability, research, LeakIX

**Vulnerability research**

At LeakIX we analyse new vulnerabilities discovered by other researchers every day.

Our goal is to understand them, discover non-intrusive ways to detect them and provide our customers with a list of vulnerable assets.

While researching what others have already found is always an exciting challenge and provides valuable experience, it was time for us to go through the research and disclosure process first hand and get our first CVE on the board.

We decided to look for issues in critical software. It was natural for us to select the “Infrastructure Backup” category. Such software will hold an entire organisation’s data but also credentials to critical points of the network, including:

*   Servers
*   Hypervisors
*   Storage
*   Cloud accounts

**VinChin Backup**

VinChin Backup & Recovery is an **all-in-one backup solution for virtual infrastructures** supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.

It is used by companies like Sony, Guizhou Power Grid, and while its main market is located in Asia, it has decent adoption on other continents and protects over 10,000 clients.

**CVE-2023-45499**

During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.

The privileges granted are high since ACLs are bypassed for this authentication method.

The list of actions available from the API includes:

*   View/Edit/Add/Delete storage
*   View/Delete backups
*   View/Edit/Add/Delete jobs
*   View/Edit/Add/Delete cloud accounts
*   View/Edit/Add/Delete hypervisors
*   View/Edit/Add/Delete users
*   Query various information such as:
    *   Services status
    *   System information
    *   Licensing

The list is non-exhaustive.

**CVE-2023-45498**

While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.

**Demo**

**Affected versions**

During our routine scans we identified vulnerable products starting from 5.0 up until the last known version.

**IOC**

Any requests made to /api/ from an untrusted IP should be considered suspicious. The log can be found in /var/log/nginx/access.log.

**Mitigation**

At this point VinChin has not acknowledged the issue despite our multiple requests, we can only recommend to remove all exposed instances from untrusted network.

**Timeline**

    2023-09-22: LeakIX makes initial contact
    2023-09-25: VinChin request details
    2023-09-25: LeakIX request Safe harbour
    2023-09-26: No reply, LeakIX requests update
    2023-09-27: No reply, LeakIX sends PoC
    2023-09-29: No reply, LeakIX requests feedback
    2023-10-05: No reply, LeakIX requests feedback
    2023-10-10: No reply, LeakIX requests feedback from alternative email
    2023-10-11: No reply, LeakIX requests feedback from another alternative email
    2023-10-16: No reply, CVE reserved and vendor notified
    2023-10-18: No reply, LeakIX sent 7 day disclosure warning
    2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.
    2023-10-26: No reply, Publishing this advisory

CVE-2023-45499: CVE-2023-45498: RCE in VinChin Backup

The prolific threat actor known as Scattered Spider has been observed impersonating newly hired employees in targeted firms as a ploy to blend into normal on-hire processes and takeover accounts and breach organizations across the world.
Microsoft, which disclosed the activities of the financially motivated hacking crew, described the adversary as "one of the most dangerous financial criminal

The prolific threat actor known as **Scattered Spider** has been observed impersonating newly hired employees in targeted firms as a ploy to blend into normal on-hire processes and takeover accounts and breach organizations across the world.

Microsoft, which disclosed the activities of the financially motivated hacking crew, described the adversary as "one of the most dangerous financial criminal groups," calling out its operational fluidity and its ability to incorporate SMS phishing, SIM swapping, and help desk fraud into its attack model.

"Octo Tempest is a financially motivated collective of native English-speaking threat actors known for launching wide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM) techniques, social engineering, and SIM swapping capabilities," the company said.

It's worth noting that the activity represented by Octo Tempest is tracked by other cybersecurity companies under various monikers, including 0ktapus, Scatter Swine, and UNC3944, which has repeatedly singled out Okta to obtain elevated permissions and infiltrate targeted networks.

One of the key hallmarks is the targeting of support and help desk personnel via social engineering attacks to gain initial access to privileged accounts, tricking them into performing a reset of the victim's password and multi-factor authentication (MFA) methods.

Other approaches entail purchasing an employee's credentials and/or session token(s) on a criminal underground market, or calling the individual directly and socially engineering the user to either install a Remote Monitoring and Management (RMM) utility, visit a fake login portal using an AiTM phishing toolkit, or remove their FIDO2 token.

Initial attacks mounted by the group targeted mobile telecommunication providers and business process outsourcing (BPO) organizations to initiate SIM swaps, before graduating to monetizing the access for selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals for cryptocurrency theft.

Octo Tempest has since diversified its targeting to include email and tech service providers, gaming, hospitality, retail, managed service providers (MSPs), manufacturing, technology, and financial sectors, while simultaneously emerging as an affiliate for the BlackCat ransomware gang in mid-2023 to extort victims.

Put differently, the end goal of the attacks vary between cryptocurrency theft and data exfiltration for extortion and ransomware deployment.

"In late 2022 to early 2023, \[...\] Octo Tempest started monetizing intrusions by extorting victim organizations for data stolen during their intrusion operations and in some cases even resorting to physical threats," Microsoft said.

"In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts. These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access."

A successful foothold is followed by the attackers carrying out reconnaissance of the environment and privilege escalation, the latter of which is accomplished by means of stolen password policy procedures, bulk downloads of user, group, and role exports.

Another noteworthy tradecraft is use of compromised security personnel accounts within victim organizations to impair the functioning security products in an attempt to fly under the radar, in addition to tampering with the security staff mailbox rules to automatically delete emails from vendors.

The broad arsenal of tools and tactics employed by Octo Tempest, including enrolling actor-controlled devices into device management software to bypass controls and replaying harvested tokens with satisfied MFA claims to bypass MFA, is indicative of its extensive technical expertise and its ability to navigate complex hybrid environments, Redmond said.

"A unique technique Octo Tempest uses is compromising VMware ESXi infrastructure, installing the open-source Linux backdoor Bedevil, and then launching VMware Python scripts to run arbitrary commands against housed virtual machines," the company further explained.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns as Scattered Spider Expands from SIM Swaps to Ransomware

VMware vCenter Servers need immediate patch against critical RCE bug as race against threat actors begins.

VMware urged customers to update VMware vCenter Servers against a critical flaw that could potentially lead to remote code execution (RCE) and assigned a CVSS severity score of 9.8.

The vCenter Server flaw, tracked under CVE-2023-34048, could allow an attacker with network access the ability to trigger an out-of-bounds write, the VMware advisory explained. Software for "vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol," the vendor added.

The vCenter Server platform is used for managing vSphere installations in hybrid cloud environments.

John Gallagher, vice president with Viakoo Labs, characterized the bug in a statement as "serious as it gets," because it's both dangerous and impacts VMware vCenter Servers, which are widely used across a variety of organizations and industry sectors.

"The reason for it having a severity score of 9.8 is in how it devastates the entire CIA Triad of confidentiality, integrity, and availability," Gallgher explained. "Successful exploit of this CVE gives complete access to the environment, and enables remote code execution for further exploitation."

Another sure sign of the severity is VMware taking the unusual step of offering up patches for old versions, Mayuresh Dani, security research manager at Qualys, explained in a statement.

"The fact that VMware released patches for end of life (EOL) versions that are affected by this vulnerability speaks to how critical it is, since EOL software seldom gets patched," Dani added.

The advisory said patches will be issued for vCenter Server 6.7U3, 6.5U3, and VCF 3.x, as well as vCenter Server 8.0U1.

**Second Patch for VMware Cloud Foundation**

An additional flaw was reported by VMware in its VMware Cloud Foundation, but this bug, tracked under CVE-2023-34056, has been assigned a less urgent CVSS score of 4.3. The vulnerability could allow an unauthorized user access data, the advisory explained.

Both flaws were responsibly reported by researchers, VMware added in its advisory, however as organizations rush to patch, there will be an inevitable "window of vulnerability" for threat actors to take advantage of unpatched systems, Gallagher added.

"Organizations using vCenter Server should ensure they have a current inventory of its usage, and a plan to patch," Gallagher advised. "Mitigation for this directly appears limited, but using network access control and monitoring might catch lateral movement once a threat actor uses this to gain a foothold."

Tag

#vmware