
Critical Jenkins RCE Vulnerability: A New Target for Ransomware Attacks


Recently, the CISA (Cybersecurity and Infrastructure Security Agency) warned about a critical remote code execution (RCE) vulnerability in Jenkins, a widely used open-source automation server. This vulnerability, CVE-2024-23897, has been actively exploited in ransomware attacks, posing a significant risk to organizations relying on Jenkins for their continuous integration and continuous delivery (CI/CD) processes.

Understanding the Vulnerability

The Jenkins RCE vulnerability stems from a flaw in the args4j command parser, a library used by Jenkins to parse command-line arguments. This flaw allows attackers to execute arbitrary code on the Jenkins server by sending specially crafted requests. The vulnerability can also be exploited to read arbitrary files on the server, potentially exposing sensitive information.

The args4j library is integral to Jenkins’ functionality, making this vulnerability particularly concerning. Attackers exploiting this flaw can gain full control over the Jenkins server, enabling them to deploy ransomware, steal data, or disrupt CI/CD pipelines. Given Jenkins’ widespread use in automating software development processes, the impact of such an exploit can be far-reaching.

The Impact of Exploitation

The exploitation of the Jenkins RCE vulnerability has already been observed in several ransomware attacks. Ransomware, a type of malware that encrypts a victim’s data and demands payment for its release, has become a prevalent threat in recent years. By exploiting the Jenkins vulnerability, attackers can access critical infrastructure, encrypt valuable data, and demand ransom payments from affected organizations.

The consequences of a successful ransomware attack can be devastating. Organizations may face significant financial losses, operational disruptions, and reputational damage. In some cases, the recovery process can be lengthy and costly, further exacerbating the impact of the attack. As such, it is crucial for organizations using Jenkins to take immediate action to mitigate the risk posed by this vulnerability.

What to do?

  • Ensure that Jenkins and all installed plugins are updated to the latest versions. The Jenkins community regularly releases security updates that address known vulnerabilities. Keeping the software up-to-date is a critical step in protecting against exploitation.
  • Apply any available security patches for the args4j library and other components used by Jenkins. These patches are designed to fix vulnerabilities and should be applied as soon as they are released.
  • Limit network access to Jenkins servers to only trusted IP addresses. By restricting access, organizations can reduce the attack surface and prevent unauthorized users from exploiting the vulnerability.
  • Use strong authentication mechanisms, such as multi-factor authentication (MFA), to secure access to Jenkins servers. MFA adds an additional layer of security, making it more difficult for attackers to gain unauthorized access.
  • Regularly monitor Jenkins logs and network traffic for signs of suspicious activity. Early detection of potential exploitation attempts can help organizations respond quickly and mitigate the impact of an attack.
  • Ensure that critical data is regularly backed up and stored securely. In the event of a ransomware attack, having reliable backups can facilitate data recovery without paying the ransom.

Critical Flaw in Atlassian's Confluence Server Allows Hackers to Run Commands


According to experts, a severe flaw in Atlassian's Confluence corporate server program that permits malicious commands and resets servers is actively exploited by threat actors in cyber attacks that install ransomware.

Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, said on Mastodon on Sunday, "Widespread exploitation of the CVE-2023-22518 authentication bypass vulnerability in Atlassian Confluence Server has begun, posing a risk of significant data loss." He continued, "So far, the attacking IPs all include Ukraine in their target."

He referred to a page that showed three separate IP addresses that began exploiting the major vulnerability, which allows attackers to restore a database and execute malicious commands, between 12 a.m. and 8 a.m. Sunday UTC (about 5 p.m. Saturday to 1 a.m. Sunday Pacific Time). The IPs have now discontinued the attacks, but he believes the exploits are still active.

It just takes one request

The DFIR Report posted screenshots of data collected while witnessing the attacks. One revealed a demand from the C3RB3R ransomware organization.

Meanwhile, security firms Rapid7 and Tenable confirmed that attacks began over the weekend as well.

Business researchers Daniel Lydon and Conor Quinn said, "As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing Atlassian Confluence exploitation in multiple customer environments, including for ransomware deployment." They continued, "We have confirmed that at least some of the exploits target CVE-2023-22518, a Confluence Data Center and Confluence Server improper authorization vulnerability."

The discovery 

Rapid7 discovered exploits that were basically the same across different situations, indicating "mass exploitation" of on-premises Confluence servers. "In various exploit chains, Rapid7 saw post-exploitation command execution for downloading a malicious payload located at 193.43.72[.]11 and/or 193.176.179[.]41, which, if effective, resulted in single-system Cerber ransomware installation on the exploited Confluence server."

CVE-2023-22518 is an improper authorization vulnerability that can be abused on Internet-facing Confluence servers via crafted requests to setup-restore endpoints. Confluence instances hosted on Atlassian's cloud infrastructure are not affected. Atlassian disclosed the flaw in a blog post last Tuesday. In it, Atlassian Chief Information Security Officer Bala Sathiamurthy cautioned that the flaw can end in "critical data loss if exploited" and that "users must take action right away to secure their cases."

What next?

Atlassian updated the post on Thursday to say that many reports released in the interim days offered "critical information about the vulnerability, which raises the possibility of exploitation." The update seemed to be connected to blogs like this one, which provided the findings of an analysis that contrasted the susceptible and fixed versions in order to pinpoint technical information. Another possible source was a Mastodon post:

“Just one request is all it takes to reset the server and gain admin access,” the post said in a video showing how the exploit works.

Atlassian updated the page again on Friday, stating that active exploitation was occurring. "Customers must take immediate action to protect their instances," said the statement.

Threat groups are likely racing to capitalize on the vulnerability before targets patch it now that word has spread that attacks are simple and effective. Any organization that has an on-premises Confluence server that is accessible to the Internet should fix quickly, and if that isn't possible, remove it from the Internet temporarily. Another riskier solution would be to turn off the following endpoints:

For nearly a week, Atlassian's senior management has practically begged affected customers to fix. Vulnerable organizations dismiss suggestions at their own risk.
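Both posts above end with the same two defensive steps: restrict who can reach the management endpoints (the Jenkins post's trusted-IP and monitoring bullets, the Confluence post's advice to take the server off the Internet or disable the setup-restore endpoints) and watch the logs for anyone who reaches them anyway. The script below is an added example, not code from either post or from Jenkins or Atlassian. It scans reverse-proxy access logs in the common "combined" format for requests to the Jenkins CLI endpoint (`/cli`, which is where args4j parses arguments) and to any path containing "setup-restore" (the Confluence post names those endpoints without listing them, so the pattern matches the substring rather than a guessed full path), and reports hits from outside a trusted-network allowlist. The allowlist, the sample log lines and the `/confluence/setup-restore` path in them are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumption: a reverse proxy in front of Jenkins or Confluence writes the
# nginx/Apache "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints that should never be reachable from untrusted networks.
# /cli is the Jenkins CLI endpoint whose arguments args4j parses; the
# Confluence post refers to "setup-restore endpoints" without listing them,
# so that pattern matches the substring instead of a guessed full path.
WATCHED = {
    "jenkins-cli": re.compile(r"^/cli(?:[/?]|$)"),
    "confluence-setup-restore": re.compile(r"setup-restore"),
}

# Constructed allowlist standing in for an organisation's trusted ranges.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def classify(path):
    """Name the watched endpoint a request path hits, or None for any other path."""
    for name, pattern in WATCHED.items():
        if pattern.search(path):
            return name
    return None


def is_trusted(ip, trusted=TRUSTED_NETWORKS):
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def scan(lines, trusted=TRUSTED_NETWORKS):
    """Return alerts for watched-endpoint requests from outside the allowlist.

    Each alert is (source ip, endpoint name, method, status). Requests from
    trusted ranges are ignored. A 4xx from an untrusted source is still
    reported: a refused request is evidence that someone is probing.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["path"])
        if hit is None or is_trusted(rec["ip"], trusted):
            continue
        alerts.append((rec["ip"], hit, rec["method"], rec["status"]))
    return alerts


def top_sources(alerts):
    """Count alerts per source IP, most active source first."""
    return Counter(ip for ip, _, _, _ in alerts).most_common()


# Constructed sample log: two ordinary requests, one CLI use from a trusted
# range, one CLI request from outside it, and two setup-restore probes.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Nov/2023:03:10:01 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.1.2.3 - - [05/Nov/2023:03:10:05 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17"
198.51.100.7 - - [05/Nov/2023:03:11:44 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [05/Nov/2023:03:12:10 +0000] "GET /confluence/setup-restore HTTP/1.1" 403 0 "-" "curl/8.4"
203.0.113.9 - - [05/Nov/2023:03:12:12 +0000] "POST /confluence/setup-restore HTTP/1.1" 200 128 "-" "curl/8.4"
192.168.4.4 - - [05/Nov/2023:03:13:00 +0000] "GET /dashboard HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, endpoint, method, status in found:
        print(f"ALERT {ip} {method} {endpoint} -> {status}")
    print("most active sources:", top_sources(found))
```

Run against the sample, it reports the untrusted CLI request and both setup-restore probes and ranks 203.0.113.9 as the busiest source; a successful (200) hit on a watched endpoint from an untrusted address is the line to escalate first, since for both products that is exactly the request the posts describe as needing only one try.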