Cisa Warns Agencies Of Fourth Flaw Used In Triangulation Spyware Attacks
The U.S. Cybersecurity and Infrastructure Security Agency has added to its to the Known Exploited Vulnerabilities catalog six vulnerabilities that impact products from Apple, Adobe, Apache, D-Link, and Joomla.
The Known Exploited Vulnerabilities catalog, or KEV for short, contains security issues that have been actively exploited in the wild. It is a valuable resource for organizations across the globe in the vulnerability management and prioritization process.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” reads CISA’s notice.
CISA has given federal agencies until January 29 to patch the six actively exploited flaws or stop using the vulnerable products.
The six vulnerabilities highlighted this time are the following:
- CVE-2023-27524 – Insecure default initialization of resource impacting Apache Superset versions up to 2.0.1. The vulnerability exists when the default configured SECRET_KEY is not altered, allowing an attacker to authenticate and access unauthorized resources. (8.9 “high severity” score)
- CVE-2023-23752 – Improper access check on Joomla! 4.0.0 through 4.2.7 allowing unauthorized access to web service endpoints. (5.3 “medium severity” score)
- CVE-2023-41990 – Remote code execution flaw in the processing of a font file sent as an iMessage attachment, leading to arbitrary code execution on Apple iPhone devices running iOS 16.2 and older. (7.8 “high severity” score)
- CVE-2023-38203 – Deserialization of untrusted data in Adobe ColdFusion versions 2018u17 and earlier, 2021u7 and earlier, and 2023u1 and earlier, leading to arbitrary code execution without user interaction. (9.8 “critical severity” score)
- CVE-2023-29300 – Deserialization of untrusted data in Adobe ColdFusion versions 2018u16 and earlier, 2021u6 and earlier, and 2023.0.0.330468 and earlier, leading to arbitrary code execution without user interaction. (9.8 “critical severity” score)
- CVE-2016-20017 – Remote unauthenticated command injection vulnerability in D-Link DSL-2750B devices before 1.05, actively exploited from 2016 through 2022. (9.8 “critical severity” score)
Some of the listed flaws have been leveraged in attacks that were disclosed only recently.
For example, CVE-2023-41990 was used in the ‘Operation Triangulation’ campaign active since 2019 and discovered only in June 2023 by Kaspersky when some of its researchers’ devices were infected.
This is the last in the set of four vulnerabilities a threat actor exploited to bypass security measures in iPhones belonging to several targets around the world, including Europe.
CVE-2023-38203 and CVE-2023-29300 were leveraged by hackers since mid-2023 after security researchers demonstrated that the vendor’s patches could be bypassed.
For others, like CVE-2023-27524, proof-of-concept (PoC) exploits were released last September, laying the ground for widespread exploitation by malicious actors.
Organizations and federal agencies are urged to check their assets for the above flaws, and other vulnerabilities listed in the KEV catalog, and apply the available security updates or mitigation steps as required.