Last week was all about patching severe zero-days in leading products from Atlassian Confluence to Fortinet devices to Microsoft Office — all of which are being actively exploited.
These vulnerabilities are:
On August 25, 2021, Atlassian released a security advisory on the recently patched OGNL-based remote code execution vulnerability affecting its Confluence and Data Center products. Within a week, however, proof-of-concept (PoC) exploits began emerging from different security researchers [1, 2, 3]. And soon enough, adversaries began their mass scanning activities and actively exploiting this vulnerability.
Shortly afterward, Jenkins announced that attackers had breached its Confluence server to install crypto-mining malware, and an incident response investigation was started.
"Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure," stated Jenkins in a blog post.
As of now, the Jenkins infrastructure team permanently disabled the Confluence service, rotated credentials, and implemented further protective measures to safeguard the infrastructure.
But analysis by OSINT firm Censys suggests over 8,000 internet-facing Confluence servers around the world remain vulnerable. Atlassian customers should refer to the security advisory and upgrade their Confluence and Data Center products to fixed versions ASAP.
Fortunately, Sonatype's Ops and Information Security teams have been proactive and stayed on top of developments. As soon as the security advisory was shared by Confluence with its customers, we took immediate action to update our Confluence server (screenshot below of v. 7.13.0) and apply the necessary workarounds to other Atlassian systems, where applicable.
The notorious path traversal flaw in Fortinet FortiOS devices is back!
In November 2020, I had reported on hackers leaking plaintext credentials from 50,000 Fortinet VPN firewalls vulnerable to this years-old flaw. Many of these devices belonged to prominent government agencies, telecoms, banks, and finance organizations around the world.
Despite repeated attempts by the vendor to convince customers to upgrade their FortiOS (multiple corporate blog posts on the issue, advisories, bulletins, and direct communication), many Fortinet VPN devices remained vulnerable due to a lack of action.
In fact, over time, cyber threat intel firm Bad Packets has reported seeing mass-scanning activity targeting Fortinet devices vulnerable to CVE-2018-13379 on numerous occasions [1, 2, 3, 4].
Fast forward to this month: usernames and passwords from half a million Fortinet VPNs have reportedly been leaked by a threat actor on the RAMP cybercrime forum:
If you haven't already, it would be wise to audit your firewall devices and upgrade your FortiOS version ASAP by following the steps in the official advisory.
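As an added defender-side example (not Sonatype's code and not taken from any of the advisories above), the following Python script triages web-server access-log lines for the two request shapes these stories revolve around: OGNL expression markers in requests to a Confluence instance, and directory-traversal sequences, including double-encoded ones, in requests to a VPN web portal. The log lines, addresses, paths and the marker list are assumptions constructed for the example; the heuristics are a retrospective triage aid for spotting scanning activity in your own logs, not a substitute for the upgrades the advisories prescribe.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log format; the addresses, paths and
# payload-looking strings are made up for this example, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2021:10:01:12 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Sep/2021:10:02:44 +0000] "POST /pages/createpage.action?spaceKey=DEV HTTP/1.1" 302 0
198.51.100.7 - - [01/Sep/2021:10:03:01 +0000] "GET /pages/createpage.action?queryString=%5Cu0027%2B%23%7B7*7%7D HTTP/1.1" 200 3310
203.0.113.4 - - [01/Sep/2021:10:04:19 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 2210
203.0.113.4 - - [01/Sep/2021:10:04:20 +0000] "GET /remote/login?lang=/../../../../etc/passwd HTTP/1.1" 200 7788
203.0.113.4 - - [01/Sep/2021:10:04:21 +0000] "GET /remote/login?lang=%2F%252e%252e%2F%252e%252e%2Fetc%2Fpasswd HTTP/1.1" 200 7788
"""

# Combined-log layout: client, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic markers (an assumption of this example, not a vendor signature):
# OGNL expression delimiters plus the unicode-escaped quote and Java package
# prefix that commonly show up in expression-injection probes.
OGNL_MARKERS = ("${", "#{", "%{", "\\u0027", "@java.")
# Parent-directory hops with either slash style; encoded variants are
# normalised away by fully_decode() before this runs.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e%252e%2F collapse to '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(path):
    """Return the list of indicator tags found in one request path."""
    decoded = fully_decode(path)
    tags = []
    if any(marker in decoded for marker in OGNL_MARKERS):
        tags.append("ognl_injection")
    if TRAVERSAL_RE.search(decoded):
        tags.append("path_traversal")
    return tags


def parse_line(line):
    """Split one combined-log line into fields, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def triage(log_text):
    """Parse every line and keep only the requests carrying an indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if not rec:
            continue
        tags = classify(rec["path"])
        if tags:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": int(rec["status"]),
                "path": rec["path"],
                "tags": tags,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["status"]} {",".join(f["tags"])} {f["path"]}')
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the repeated decoding is the part worth keeping, since single-pass URL decoding is exactly what a double-encoded `%252e%252e` is designed to slip past. A hit on a request that also returned `200` with a non-trivial body size is the line to investigate first.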
CISA urges Microsoft Office customers to patch zero-day.
As if all this chaos in cybersecurity land weren't enough, Microsoft identified a limited number of targeted attacks exploiting a recently discovered MSHTML zero-day.
Tracked as CVE-2021-40444, the severe vulnerability stems from the way a maliciously crafted Microsoft Office document can load an ActiveX browser control to execute arbitrary code on the victim's machine.
"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," states Microsoft in the security advisory.
The attack only succeeds if the user opens the malicious document, so some level of social engineering, such as a convincing phishing email, is usually a prerequisite, though not always:
CISA had been urging users and organizations to review Microsoft's mitigations and workarounds to address CVE-2021-40444, but in an interesting twist, newer information emerged showing that the published defenses for the zero-day could be bypassed.
In all these cases, there are three things to learn:
As such, while the traditional advice to regularly update your applications to properly vetted fixed versions still applies, security professionals are constantly racing against both cybercriminals and the clock to stay proactive.
And the same goes for developers building world-class software applications.
Manually monitoring CVE feeds and hard-to-find vulnerability disclosures, and then applying mitigations, is no longer feasible when your time should go towards doing what you love: building kick-ass software.
Sonatype's world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from vulnerabilities and malware.