Latest Security Update from Oracle Weblogic

If you haven’t already read about it, Oracle has released its Critical Patch Update for April 2019 to address 297 vulnerabilities across multiple products on April 16, 2019.

On Friday, April 26, 2019, Oracle released an important fix (what they refer to as an “overlay”) for Oracle WebLogic Server component of Oracle Fusion Middleware. Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. This is not to be confused by the update that came out in 2018. This is a net-new vulnerability and patch. This is identified by CVE-2019-2725. Was just listening to the SANS ISC StormCast (April 29, 2019) this morning and they made mention of it. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The exploit has been confirmed as The Storm Center has noted that their honeypot has seen exploitation using this bug and successful install of cryptocoin miners.

Download the latest exploit code – https://www.exploit-db.com/exploits/46450

Here is the ISC’s write-up of the vulnerability – https://isc.sans.edu/forums/diary/Update+about+Weblogic+CVE20192725+Exploits+Used+in+the+Wild+Patch+Status/24890/

Update to PuTTY to Fix 8 High Severity Flaws

Hello All. Many of us who have to interact with a Linux or Unix host use PuTTY for SSH, etc. PuTTY developers have just released an update to the 0.70 release from July 2017 with version 0.71 which corrects the following issues:

  1. Authentication Prompt Spoofing — Since PuTTY doesn’t have a way to indicate whether a piece of terminal output is genuine, the user-interface issue could be exploited by a malicious server to generate a fake authentication prompt at the client side, prompting victims to enter their private key passphrases.
  2. Code Execution via CHM Hijacking — When a user launches the online help within the PuTTY GUI tools, the software tries to locate its help file alongside its own executable.
  3. Buffer Overflow in Unix PuTTY Tools — According to the advisory, if a server opens too many port forwardings, PuTTY for Unix does not bounds-check the input file descriptor it collects while monitoring the collections of active Unix file descriptors for activity, leading to a buffer overflow issue.
    “We don’t know if this was remotely exploitable, but it could at least be remotely triggered by a
  4. Reusing Cryptographic Random Numbers — This issue resides in the way cryptographic random number generator in PuTTY, occasionally using the same batch of random bytes twice.
  5. Integer Overflow Flaw — All prior versions of PuTTY suffers an Integer overflow issue due to missing key-size check-in RSA key exchange.
  6. and 7 and 8. Terminal DoS Attacks — Last three vulnerabilities in PuTTY allows a server to crash, or slow down client’s terminal by sending different text outputs.

Update to 0.71 as soon as possible. The PuTTY development team seem pretty serious about this one – https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.70.html

Bad Day for Citrix…

On March 8, it was confirmed through a statement posted by Citrix that the company’s internal network had been breached by hackers who had used password spraying, successfully using a short list of passwords on a wide range of systems to eventually identify credentials that worked. Apparently, the attackers made off with 6 TB to 10 TB of data from internal systems.

It wasn’t a surprise to hear that Citrix initially found out about the breach from law enforcement (specifically the FBI) on March 6 that it had evidence that Citrix had potentially been breached. I think the stats are still pretty high regarding organizations that are informed regarding a potential breach by law enforcement. Specifically when they are gathering intelligence on some organized crime campaign or some other organization that had been breach and come across evidence such as source IPs to indicate another organization was also hacked.

As per folks at Citrix, the attackers appear to have downloaded business documents, but the company said it’s not sure which data was breached. “At this time, there is no indication that the security of any Citrix product or service was compromised,” Stan Black, Citrix CSIO.

Interestingly enough, security firm Resecurity claims that the attack against Citrix began on October 15, 2018, used a list of nearly 32,000 user accounts, and is connected to Iranian interests.  Resecurity claim, the Iranian-linked group known as IRIDIUM has hit more than 200 government agencies, oil and gas companies and technology companies including Citrix.

Resecurity has provided a number of IOCs, including the following IPs:

Source IPs:

  • 178.131.21[].19[] (Iran)
  • 5.115.23[].11[] (Iran)
  • 5.52.14[].23[] (Iran)

Used proxies:

  • 23.237.104.90 – Canada (VPN)
  • 194.59.251.12 – USA (VPN)
  • 185.244.214.198 – Poland
  • 138.201.142.113 – Germany
  • 92.222.252.193 – France (Nov 29, 2018)
  • 51.15.240.100 – France (Dec 7, 2018) x 3 times
  • 185.220.70.135 – Germany (Dec 7, 2018) x 5 times

To read the complete Resecurity blog post, which is quote good and full of great IOCs, please visit – https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/

 

Stryker not fit for combat?

A recent report released by the US Department of Defense Office of the Director of Test and Evaluation (DOT&E) has issued a report detailing vulnerabilities in the Stryker Dragoon war-fighting platform. Recommendations from the DOT&E are to ‘Correct or mitigate cyber vulnerabilities for the platform and government-furnished equipment.’

My Recommendation: Immediately pull all affected rolling stock from active utility until any contemplated investigation is completed along with full remediation and/or mitigation. Thoroughly investigate all systems with or without connectivity, and test for any form of vulnerability from standalone sabotage to suspected electronic warfare perspectives (including ‘cyberattacks’, network attacks, radio-telephony and coherent light attacks, or stand-alone one-off opportunistic aggressor-delivered attacks) utilizing both automated and non-automated code review, network packet analysis, operating system examination, etcetera. All of this accomplished with the full rigor that can be brought to bear on this problematic deployment by the most powerful defense organization on Earth. Time to get this platform squared-away before letting or most valueable assets (our warfighters) loose on these lethal machines.”

Apparently, the platform, which includes the much anticipated 30mm canon was hacked during a recent NATO exercise. It is most likely that the hack was directed at the Stryker’s data-sharing, navigation, or digital communications capabilities. Affecting any of these systems, or adding false or confusing information into the networks, could greatly affect US forces in combat. These vehicles use GPS, as well as a GPS-enabled systems referred to as Blue Force Trackers that provide their relative position to hostile forces, but more importantly when they are in proximity to friendly forces, which can help prevent blue-on-blue or friendly fire incidents.