Issue 03: Android and Linux Devices Exposed, ConnectWise ScreenConnect Flaws and Akira Strikes Again

Welcome to Critical Chatter, CloudGuard’s weekly cyber news update. This week’s news flash has been curated by Martin Vondrous (SOC Analyst).

Top stories – 23 February 2024

New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

Two authentication bypass flaws have been uncovered in open-source Wi-Fi software used across Android, Linux, and ChromeOS systems. These vulnerabilities, named CVE-2023-52160 and CVE-2023-52161, were detected in wpa_supplicant and Intel’s iNet Wireless Daemon (IWD) respectively.

These flaws enable attackers to deceive users into connecting to malicious networks, or to gain entry to trusted networks without a password. The research was conducted by Top10VPN in collaboration with Mathy Vanhoef, renowned for revealing Wi-Fi attacks like KRACK. CVE-2023-52161 permits unauthorised access to secured Wi-Fi networks, potentially resulting in malware infections and data breaches. However, CVE-2023-52160, which affects wpa_supplicant, is considered more severe because wpa_supplicant is the default software for network logins on Android devices.

Exploiting CVE-2023-52160 requires prior knowledge of the SSID of a network the victim has previously connected to, and physical proximity to the target. Several Linux distributions, including Debian, Red Hat, SUSE, and Ubuntu, have issued advisories; a fix is available for ChromeOS but still pending for Android. As a precautionary measure, Android users are advised to manually configure CA certificates for saved enterprise networks.
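The mitigation above (pinning a CA certificate on saved enterprise profiles) can be checked on Linux hosts by auditing wpa_supplicant.conf. The following is an added example, not code from the article or from the wpa_supplicant project; the configuration it parses is constructed, and the SSIDs, certificate path and RADIUS hostname are made up.

```python
import re
# Constructed sample wpa_supplicant.conf; SSIDs and paths are made up.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)=(.*?)\s*$", re.M)

def parse_networks(conf: str) -> list:
    """Return one dict of key/value settings per network={...} block."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(body)}
            for body in BLOCK_RE.findall(conf)]

def audit_enterprise_networks(conf: str) -> dict:
    """Map each WPA-EAP SSID to the server-validation settings it lacks.
    Without ca_cert the supplicant cannot tell a rogue RADIUS server from the
    real one; domain_suffix_match (or altsubject_match / domain_match) further
    pins the server identity within that CA.
    """
    findings = {}
    for net in parse_networks(conf):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # PSK and open networks are out of scope here
        missing = []
        if not net.get("ca_cert"):
            missing.append("ca_cert")
        if not any(net.get(k) for k in ("domain_suffix_match", "altsubject_match", "domain_match")):
            missing.append("domain_suffix_match")
        findings[net.get("ssid", "?")] = missing
    return findings

if __name__ == "__main__":
    for ssid, missing in audit_enterprise_networks(SAMPLE_CONF).items():
        print(ssid, "OK" if not missing else "WEAK, missing: " + ", ".join(missing))
```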

Article Link: New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers (thehackernews.com)

Critical Flaws Found in ConnectWise ScreenConnect Software

ConnectWise has addressed two security vulnerabilities in its ScreenConnect remote desktop software, including a critical bug with potential remote code execution.

The vulnerabilities are:

· CVE-2024-1708: Path traversal flaw

· CVE-2024-1709: Authentication bypass

Deemed critical, these flaws impact ScreenConnect versions 23.9.7 and earlier, with fixes available in version 23.9.8, released after reports on February 13, 2024. While there’s no evidence of exploitation yet, users of self-hosted or on-premise versions are urged to update promptly. ConnectWise will also offer updates for versions 22.4 through 23.9.7.

HuntressLabs discovered over 8,800 vulnerable servers, with a proof-of-concept exploit demonstrated. ConnectWise revised its advisory after detecting attacks from specific IP addresses, suggesting active exploitation. Huntress warned of easy exploitation, facilitating the deployment of Cobalt Strike for post-exploitation activities. These flaws could allow the creation of rogue administrator accounts, granting full control over ScreenConnect, and access to other directories, enabling arbitrary code execution.

watchTowr Labs and Horizon3.ai released proof-of-concept exploits for the authentication bypass, abusing the SetupWizard component to create administrative users. These vulnerabilities follow a trend of recent flaws that allow attackers to reinitialise applications or create initial users after setup has already been completed.
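Two defender-side checks follow from the advisory details above: triaging self-hosted build numbers against the fixed release (23.9.8, with backports promised for 22.4 through 23.9.7) and reviewing web server logs for SetupWizard requests on an instance whose setup already completed. This is an added example, not ConnectWise or Huntress code; the log lines are constructed, the field order is assumed, and the SetupWizard.aspx path and sample version strings are used for illustration.

```python
import re

# Version facts as given in the advisory summarised above.
FIXED = (23, 9, 8)       # first fixed release
BACKPORT_MIN = (22, 4)   # ConnectWise also committed to fixes for 22.4 - 23.9.7

def parse_version(text: str) -> tuple:
    """'23.9.7.8814' -> (23, 9, 7, 8814); accepts 2-, 3- or 4-part strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def triage_version(text: str) -> str:
    """Classify a self-hosted ScreenConnect build against the fixed version."""
    v = parse_version(text)[:3]
    if v >= FIXED:
        return "patched"
    if v[:2] >= BACKPORT_MIN:
        return "vulnerable: backported fix announced for this branch"
    return "vulnerable: branch older than 22.4, full upgrade required"

# Constructed W3C-style access log lines (assumed field order:
# date time method uri-stem query port username client-ip status).
SAMPLE_LOG = """\
2024-02-21 09:58:11 GET /Login - 443 admin 198.51.100.7 200
2024-02-21 10:15:02 GET /SetupWizard.aspx - 443 - 203.0.113.5 200
2024-02-21 10:15:09 POST /SetupWizard.aspx - 443 - 203.0.113.5 302
2024-02-21 10:20:44 GET /Host - 443 admin 198.51.100.7 200
"""

def flag_setup_wizard_hits(log: str, setup_completed: bool = True) -> list:
    """Return (client-ip, method, status) for every SetupWizard request.
    After initial setup no legitimate traffic touches the wizard, so any hit
    on a configured instance is a cue to review the user table for new admins.
    """
    if not setup_completed:
        return []  # during first-time setup the wizard is expected
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        method, path, client_ip, status = fields[2], fields[3], fields[7], fields[8]
        if "setupwizard.aspx" in path.lower():
            hits.append((client_ip, method, status))
    return hits

if __name__ == "__main__":
    for build in ("23.9.7.8814", "23.9.8", "22.6.0", "21.14.0"):
        print(build, "->", triage_version(build))
    for hit in flag_setup_wizard_hits(SAMPLE_LOG):
        print("SetupWizard access:", hit)
```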

Article Link: Critical Flaws Found in ConnectWise ScreenConnect Software – Patch Now (thehackernews.com)

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a now-patched security flaw, CVE-2020-3259, affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, in its Known Exploited Vulnerabilities catalogue.

This high-severity information disclosure vulnerability (CVSS score 7.5) was patched by Cisco in May 2020. Reports suggest it has likely been exploited in Akira ransomware attacks. Although no public exploit code is available, Akira ransomware actors may have weaponised it to compromise Cisco AnyConnect SSL VPN appliances. Akira ransomware is linked to approximately 200 public victims, with connections to the Conti syndicate.

Federal Civilian Executive Branch agencies must address identified vulnerabilities by March 7, 2024, to fortify network security. CVE-2020-3259 is among flaws exploited for ransomware delivery. Recently, CVE-2023-22527 in Atlassian Confluence Data Center and Confluence Server was abused to distribute C3RB3R ransomware.

The U.S. State Department offers rewards for information on BlackCat ransomware gang members, highlighting the lucrative ransomware market. New players like Alpha, potentially linked to NetWalker, have emerged, prompting calls for enhanced oversight into ransomware mitigation practices across critical sectors.

Article Link: CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability (thehackernews.com)

If you like what you’ve read, subscribe on LinkedIn so you don’t miss next week’s roundup!

Author: Jen Begue