Sonatype Unveils Full-Spectrum Software Supply Chain Management | Press Release

Cyber Mayhem - Attackers Actively Exploit Vulnerable Confluence Servers, while 500,000 Fortinet VPNs See Passwords Leaked

September 13, 2021 By Ax Sharma

Last week was all about patching severe zero-days in leading products from Atlassian Confluence to Fortinet devices to Microsoft Office—all of which are being actively exploited.

These vulnerabilities are:

  • CVE-2021-26084: a critical OGNL vulnerability in Atlassian Confluence and Data Center
  • CVE-2021-40444: an MSHTML Remote Code Execution vulnerability in Microsoft Office
  • CVE-2018-13379: years old Path Traversal flaw in Fortinet VPN firewall devices. The vulnerability has previously been and continues to be exploited to date.

The Confluence of Cryptominers

On August 25th this year, Atlassian released a security advisory on the recently patched OGNL-based remote code execution vulnerability affecting its Confluence and Data Center products. Within a week, however, proof-of-concept (PoC) exploits began emerging from different security researchers [1, 2, 3]. And soon enough, adversaries began their mass scanning activities and actively exploiting this vulnerability.

Soon enough, Jenkins announced attackers had breached their Confluence server to install crypto-mining malware, and an incident response investigation was started.

“Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure,” stated Jenkins in a blog post

As of now, the Jenkins infrastructure team permanently disabled the Confluence service, rotated credentials, and implemented further protective measures to safeguard the infrastructure.

But, analysis by OSINT firm Censys suggests over 8,000 internet-facing Confluence servers remain vulnerable around the world. Atlassian customers should refer to their security advisory and upgrade their Confluence and Data Center products to fixed versions ASAP.

Fortunately, Sonatype’s Ops and Information Security teams have been proactive and stayed on top of the development. As soon as the security advisory was shared by Confluence with their customers, we took immediate action to update our Confluence server (screenshot below of v. 7.13.0) and apply the necessary workarounds to other Atlassian systems, where applicable.

Image highlighting Atlassian Confluence versions

The cursed firewall

The notorious, path traversal flaw in Fortinet FortiOS devices is back!

In November 2020, I had reported on hackers leaking plaintext credentials from 50,000 Fortinet VPN firewalls vulnerable to this years-old flaw. Many of these devices belonged to prominent government agencies, telecoms, banks, and finance organizations around the world.

Despite repeated attempts by the vendor— multiple corporate blog posts on this issue, advisories, bulletins, and direct communication to convince customers to upgrade their FortiOS, many Fortinet VPN devices remained vulnerable due to a lack of action.

In fact, over time, cyber threat intel firm Bad Packets has reported seeing mass-scanning activity targeting Fortinet devices vulnerable to CVE-2018-13379 on numerous occasions [1, 2, 3, 4].

Fast forward to this month, usernames and passwords from half a million Fortinet VPNs have reportedly been leaked by a threat actor on RAMP cybercrime forums:

If you haven’t already, it would be wise to audit your firewall devices and upgrade your FortiOS version ASAP by following the steps in the official advisory.

The loaded Word

CISA urges Microsoft Office customers to patch zero-day 

If all this chaos in the cybersecurity land wasn’t enough, Microsoft identified a limited number of targeted attacks because of an MSHTML zero-day identified recently.

Tracked as CVE-2021-40444, the severe vulnerability has to do with how attackers can craft malicious Microsoft Office documents loaded with ActiveX browser controls to execute arbitrary code on the victim’s machine.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” states Microsoft in the security advisory.

Although, the success of the attack depends on the user opening the malicious document. Therefore, some level of social engineering effort, such as sending a convincing phishing email, is a prerequisite—but not always:

CISA had been urging users and organizations to review Microsoft’s mitigations and workarounds to address CVE-2021-40444, but in an interesting twist, the defenses for the zero-day could be bypassed after newer information emerged.

What are the takeaways from these incidents?

In all these cases, there are three things to learn:

  • Active exploitation of assets begins almost immediately after vulnerability disclosures, even the most well-coordinated ones, are made public, as we can see in Atlassian’s case.
  • Attackers eye public exploits and constantly mass scan networks for applications vulnerable to even years-old, but popular flaws, such as the Fortinet vulnerability.
  • Not every fix may be sufficient: something the Sonatype Security Research team has seen time and time again. Just because, a vendor claims to release a fix for a vulnerability doesn’t always mean the fix is adequate or complete. As we see in the case of this Microsoft Office zero-day, clever threat actors can sometimes find a workaround to bypass a security fix.

As such, while the traditional advice to regularly update your applications to properly vetted fixed versions remains applicable, security professionals are constantly racing against cybercriminals and time to be proactive.

And the same goes for developers building world-class software applications.

Manually monitoring CVE feeds and hard-to-find vulnerability disclosures, and then applying mitigations are no longer feasible, when your time should be going towards doing what you love: building kick-ass software.

Put simply, it’s just easier for an automated tool, such as Sonatype Lift, to block vulnerable libraries, or even a simple vulnerable line of code, from entering your software releases. 

Sonatype’s world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from vulnerabilities and malware.

Tags: vulnerabilities, featured

Written by Ax Sharma

Endorsed an Exceptional Talent (‘a recognized leader’) in technology by the British Government, Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets like Fortune, The Register, TechRepublic, CSO Online, BleepingComputer, etc. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.