By Sergiu Gatlan June 23, 2023 02:06 PM

Federal agencies ordered to patch by July 14th

Today, CISA ordered federal agencies to patch recently patched security vulnerabilities exploited as zero-days to deploy Triangulation spyware on iPhones via iMessage zero-click exploits.

The warning comes after Kaspersky published a report detailing a Triangulation malware component used in a campaign it tracks as “Operation Triangulation.”

Kaspersky says it found the spyware on iPhones belonging to employees in its Moscow office and from other countries. The attacks started in 2019 and are still ongoing, according to the company, and they use iMessage zero-click exploits that exploit the now-patched iOS zero-day bugs.

Russia’s FSB intelligence agency also claimed that Apple collaborated with the NSA to create a backdoor, facilitating the infiltration of iPhones in Russia. The FSB also said it allegedly found thousands of infected iPhones owned by Russian government officials and embassy staff in Israel, China, and NATO member nations.

“We have never worked with any government to insert a backdoor into any Apple product and never will,” an Apple spokesperson told BleepingComputer.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7,” the company said on Wednesday when describing the two Kernel and WebKit vulnerabilities (CVE-2023-32434 and CVE-2023-32435) exploited in the attacks.

The company also fixed a WebKit zero-day (CVE-2023-32439) this week that can let attackers gain arbitrary code execution on unpatched devices. This was also tagged by CISA today as an actively exploited flaw.

The list of affected devices is extensive, as the zero-day affects older and newer models, and it includes:

iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
Macs running macOS Big Sur, Monterey, and Ventura
Apple Watch Series 4 and later, Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE
On Thursday, Apple sent another round of threat notifications alerting customers they were targeted in state-sponsored attacks, one day after patching the zero-days exploited to deploy Triangulation spyware. However, it’s not clear to what incidents these new warnings are related to, according to CNN reporter Chris Bing.

Article Link (https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-iphone-bugs-abused-in-skspyware-attac/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

By Lawrence Abrams June 9, 2023 11:52 AM

Update at 6/9/23 1:33 PM ET added below

The Microsoft Azure Portal is down on the web as a threat actor known as Anonymous Suda claims to be targeting the site with a DDoS attack.

Attempting to access the portal at https://portal.azure.com displays an error message stating, “Our services aren’t available right now. We’re working to restore all services as soon as possible. Please check back soon.” The mobile app appears unaffected at this time.

“Azure Portal – Errors accessing the Azure Portal – Applying Mitigation

Impact Statement: Starting at approximately 15:00 UTC on 9 Jun 2023, Azure customers may experience error notifications when trying to access the Azure Portal (portal.azure.com).

Current Status: We have determined a potential root cause and are actively engaged in different workstreams applying load balancing processes in order to mitigate the issue. The next update will be provided within 60 minutes or as events warrant.

This message was last updated at 16:35 UTC on 09 June 2023″

At the same time, a threat actor known as Anonymous Sudan claims to be conducting a DDoS attack against the Microsoft Azure portal, sharing an image of the page not working.

Regardless of the threat actor’s origins, this has not been a good week for Microsoft, with the threat actor conducting DDoS attacks on other Microsoft web portals for Outlook.com and OneDrive, which also suffered outages at the same time.

Link (https://www.bleepingcomputer.com/news/microsoft/microsofts-azure-portal-down-following-new-claims-of-ddos-attacks/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

By Elizabeth Montalbano
Three vulnerabilities in the platform’s API Management Service could allow access sensitive data, mount further attacks, and even hijack developer portals.

Microsoft has patched three vulnerabilities in its Azure cloud platform that could have allowed attackers to access sensitive info on a targeted service, deny access to the server, or scan the internal network to mount further attacks, researchers have found.

Researchers from the Ermetic Research Team discovered the flaws in the Azure API Management Service, which allows organizations to create, manage, secure, and monitor APIs across all of their environments, they revealed in a blog post published May 4.

The flaws — all rated high-risk — include two Server-Side Request Forgery (SSRF) vulnerabilities and a file upload path traversal on an internal Azure workload.

SSRF allows an attacker to send a crafted request from a vulnerable server to a targeted external or internal server or service, or even target it in a denial-of-service (DoS) attack. Abusing these flaws means an attacker can access sensitive data stored on the targeted server, overload targeted servers using DoS attacks, and scan the internal network and identify potential targets for further attacks.

The third flaw is one in which Azure does not validate the file type and path of uploaded files. Typically in the case of this type of flaw, authenticated users can traverse the path specified to upload malicious files to the developer portal server and possibly execute code on it using DLL hijacking, IISNode config swapping, or any other similar attack vectors, the researchers said.

Microsoft responded quickly to Ermetic’s disclosure of the flaws and has fully patched them, according to the researchers, and no further action is necessary for Azure customers.
Details on the Bugs

Specifically, the Ermetic researchers discovered two separate SSRF flaws: one that affected the Azure API Management CORS Proxy and another that affected the Azure API Management Hosting Proxy.

They discovered the former on Dec. 21, 2022, and at first believed it was the same flaw that was first reported to Microsoft by another cloud security company on Nov. 12, and fixed a few days later on Nov. 16. However, the researchers later realized that the flaw they found actually bypasses that initial fix. Microsoft ultimately patched the vulnerability fully in January, the initial researchers reported later, according to Ermetic.

Together, the Azure SSRF flaws that researchers discovered affected central servers that “masses of users and organizations depend on for day-to-day operations,” says Liv Matan, cloud security researcher at Ermetic.

“Using them, attackers could fake requests from these legitimate servers, access internal services that may contain sensitive information belonging to Azure customers, and even prevent the availability of the vulnerable servers,” he says.

The path-traversal flaw found in Azure API Management Service allowed for an unrestricted file upload to the Azure developer portal server, the researchers said. The developer portal’s authenticated mode allowed someone to upload static files and images that would be shown on a developer’s dedicated portal, they said.

The flaw could have allowed attackers to take advantage of Microsoft’s self-hosted developer portal as well as weaponize the vulnerability against end users, Matan explains.

“Additionally, the Azure-hosted developer portal contains customer information that would have been at risk if the vulnerability had fallen into the wrong hands,” he says.
How to Protect the Enterprise

While API flaws like the ones Ermetic researchers discovered are uncommon, awareness of these types of vulnerabilities has grown in the past few years, Matan says.

Moreover, “blind SSRFs” — SSRF flaws that do not necessarily return any data but rather focus on performing unauthorized actions on the server’s backend — are fairly common, especially in cloud platforms that offer a wide range of services, he says.

Microsoft already had previously patched four SSRF flaws in four separate services of its Azure cloud platform, two of which could have allowed attackers to perform a server-side request forgery (SSRF) attack — and thus potentially execute remote code execution — even without authentication to a legitimate account.

“In the end, vulnerabilities can be discovered in any cloud platform, at any time,” Matan says.

There’s certainly been evidence of this, as — aside from SSRF flaws — researchers already have found a number of other flaws in Azure as well as other cloud platforms that could have threatened enterprise environments.

In one instance, Microsoft patched what researchers called a “dangerous” flaw in its Azure Service Fabric component that, if exploited, would have allowed an unauthenticated, malicious actor to execute code on a container hosted on the platform.

Because it’s difficult for an enterprise deploying a cloud to have control over or even be aware of a flaw on the underlying cloud-hosting infrastructure, it’s important for organizations to be vigilant in their own security practices so they are prepared if a flaw is eventually discovered or exploited, the researchers said.

In the case of avoiding compromising in the recently discovered Azure API Management, Matan recommends that organizations should practice proper input-validation hygiene and configure their servers to not follow redirects.

“To avoid a compromise in these cases, organizations should validate all input received from untrusted sources, such as user inputs or HTTP requests,” he says.

Other steps organizations can take to avoid compromise in these cases, Matan adds, include using a whitelist approach, implementing a strong firewall to restrict outgoing traffic from the application to only necessary services and ports, isolating data, and managing permissions on the server in cloud environments using IMDSv2.

Link (https://www.darkreading.com/cloud/microsoft-patches-serious-azure-cloud-security-flaws?_mc=NL_DR_EDT_DR_weekly_20230504&cid=NL_DR_EDT_DR_weekly_20230504&sp_aid=116363&elq_cid=34964379&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_cid=48484)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”