In this week's Security Advisory:
- SQL Injection Vulnerability in 3CX SQL Database Integrations
- Critical Remote Code Execution Vulnerability in Perforce Helix Core Server
- MongoDB Confirms Data Breach
- Threat Actors Abuse Google Forms to Carry Out Phishing Campaign
- FBI Disrupts ALPHV Ransomware Group
SQL Injection Vulnerability in 3CX SQL Database Integrations
3CX is urging customers to temporarily disable SQL Database integrations to mitigate a vulnerability found in certain configurations. CVE-2023-49954 is a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to the 3CX server and execute malicious code. CVE-2023-49954 impacts customers using MSSQL, MySQL, and PostgreSQL databases and can be exploited if the 3CX server is exposed to the Internet and not behind a Web application firewall.
The following versions are affected:
- 3CX versions 18 and 20
Of note, this vulnerability does not affect Web-based CRM integration templates or customers using MongoDB.
More Reading/Information:
- https://www.3cx.com/blog/news/sql-database-integration/
- https://www.3cx.com/blog/news/sql-database-integration-update/
- https://www.bleepingcomputer.com/news/security/3cx-warns-customers-to-disable-sql-database-integrations/
- https://www.securityweek.com/3cx-urges-customers-to-disable-integration-due-to-potential-vulnerability/
- https://cve-2023-49954.github.io/
Critical Remote Code Execution Vulnerability in Perforce Helix Core Server
Four (4) critical vulnerabilities were found in Perforce Helix Core Server, a source code management platform, that could allow for remote code execution. The most severe of these vulnerabilities is being tracked as CVE-2023-45849 and has a CVSS score of 9.8 out of a possible 10. CVE-2023-45849 could allow an unauthenticated attacker to execute code from 'LocalSystem,' a highly privileged WindowsOS account designated for system functions. Successful exploitation could lead to an attacker gaining full control over the affected system.
- https://www.microsoft.com/en-us/security/blog/2023/12/15/patching-perforce-perforations-critical-rce-vulnerability-discovered-in-perforce-helix-core-server/
- https://www.bleepingcomputer.com/news/security/microsoft-discovers-critical-rce-flaw-in-perforce-helix-core-server/
- https://socradar.io/microsoft-alerts-of-rce-and-dos-vulnerabilities-in-perforce-server-cve-2023-45849-cve-2023-35767-cve-2023-45319-cve-2023-5759/
- https://nvd.nist.gov/vuln/detail/CVE-2023-45849
MongoDB Confirms Data Breach
MongoDB, a database management firm, has confirmed that they were a victim of a digital breach that took place on December 13th, 2023. MongoDB states that customer account metadata and contact information were exposed. MongoDB does not believe the attackers accessed any data that customers store in MongoDB Atlas.
More Reading/Information:
- https://www.mongodb.com/alerts
- https://www.bleepingcomputer.com/news/security/mongodb-says-customer-data-was-exposed-in-a-cyberattack/
- https://www.scmagazine.com/brief/mongodb-hack-compromises-customer-data
Threat Actors Abuse Google Forms to Carry Out Phishing Campaign
Threat actors are abusing Google Forms in a recent phishing campaign to deliver malware onto a victim's host. Attackers are able to create quizzes in Google Forms and abuse a feature called "Release scores" which is designed to deliver the Google Form to a person's email address from Google's own servers. These emails are claiming that the user has been charged for an expensive subscription and the only way for a user to cancel is to call a customer service agent. The customer service agent is a threat actor pretending to be customer support and ultimately tricks the user into downloading malware onto the victim's host. Because the attacker is sending the phish from Google's own servers, it is less likely to be blocked or flagged, effectively allowing the attacker to bypass secure email gateways and filtering rules.
Threat actors are always going to evolve and find new techniques to carry out phishing campaigns which is why organizations should not solely rely on email protection solutions. It is important to use caution when clicking on any attachments as this can contain malware and to always verify the legitimacy of a phone number provided in an email before calling since this often leads right back to the attacker.
More Reading/Information:
- https://www.bleepingcomputer.com/news/security/bazarcall-attacks-abuse-google-forms-to-legitimize-phishing-emails/
- https://blog.talosintelligence.com/google-forms-quiz-spam/
FBI Disrupts ALPHV Ransomware Group
You may have read about the recent situation regarding ALPHV (AKA BlackCat) ransomware group which was compromised by the FBI. ALPHV has affected over 1,000 victims worldwide and received nearly $300 million in ransom payments. The FBI has stated that they are making a decryption tool available to victims of the group. It is certainly worth submitting a request for the tool if previously a victim of the group.
While reports of the takedown are circulating, it's not expected the FBI's activity will have a long-lasting or material impact on ransomware operations. Members of these groups have proven agile in the past and can quickly pivot to other organizations or simply re-brand with unseen infrastructure. Please remain vigilant as this does not signify the end of the threat.
More Reading/Information:
- https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
- https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransomware-operation-creates-decryption-tool/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
