Cyber Security News Summary : 24-Oct-2023

Raj Upadhyay
Oct 25, 2023

Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection

Product: Cisco IOS XE

CVE: CVE-2023-20198 & CVE-2023-20273

Update:

  1. Infected Cisco IOS XE devices now only “respond if the correct Authorization HTTP header is set”.

  2. Cisco updated its curl command to “check for the presence of the implant on the devices” (if the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present) — Cisco

curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1"
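The same check as the curl command above, as an added Python script (not Cisco's or the post's own code): it sends the POST with the published Authorization header to each host in an inventory list and classifies the reply. The host addresses and sample bodies are constructed placeholders.

```python
"""Detection check for the Cisco IOS XE web UI implant (CVE-2023-20198 /
CVE-2023-20273), mirroring Cisco's updated curl check.

Added example, not Cisco's code. HOST_LIST is a constructed placeholder."""
import re
import ssl
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# Header value and path exactly as in Cisco's published curl command.
IMPLANT_AUTH_HEADER = "0ff4fbf0ecffa77ce8d3852a29263e263838e9bb"
CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# Cisco: an infected device answers with a hexadecimal string such as
# 0123456789abcdef01. We treat a body that is only a run of hex digits as a hit.
HEX_BODY = re.compile(r"^\s*[0-9a-fA-F]{16,}\s*$")


def implant_present(body: Optional[str]) -> bool:
    """True when the response body looks like the implant's hex reply."""
    return body is not None and HEX_BODY.match(body) is not None


def fetch_body(host: str, timeout: float = 5.0) -> Optional[str]:
    """Send the same POST as the curl command; None if the host cannot be
    reached or returns an HTTP error. curl's -k is mirrored by not verifying
    the (usually self-signed) web UI certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}{CHECK_PATH}", method="POST", data=b"",
        headers={"Authorization": IMPLANT_AUTH_HEADER})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except Exception:
        return None


def check_hosts(hosts: Iterable[str],
                fetch: Callable[[str], Optional[str]] = fetch_body) -> Dict[str, str]:
    """Classify each host as 'implant', 'clean' or 'unreachable'.
    `fetch` is injectable so the logic can be tested without network access."""
    result = {}
    for host in hosts:
        body = fetch(host)
        if body is None:
            result[host] = "unreachable"
        else:
            result[host] = "implant" if implant_present(body) else "clean"
    return result


if __name__ == "__main__":
    HOST_LIST = ["192.0.2.10", "192.0.2.11"]  # constructed placeholder inventory
    for host, verdict in check_hosts(HOST_LIST).items():
        print(f"{host}: {verdict}")
```

An 'unreachable' verdict only means the web UI did not answer; a device with the web UI disabled still needs the other indicators Cisco describes.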

Link: https://thehackernews.com/2023/10/backdoor-implant-on-hacked-cisco.html

1Password Detects Suspicious Activity Following Okta Support Breach

1Password detected suspicious activity on its Okta instance on September 29, following the Okta support system breach. The threat actor performed the following set of actions:

  • Attempted to access the IT team member’s user dashboard, but was blocked by Okta
  • Updated an existing IDP tied to our production Google environment
  • Activated the IDP
  • Requested a report of administrative users

Link: https://thehackernews.com/2023/10/1password-detects-suspicious-activity.html

VMware warns admins of public exploit for vRealize RCE flaw

Product: VMware Aria Operations for Logs

CVE: CVE-2023-34051

Update:

  1. VMware has confirmed that exploit code for CVE-2023-34051 has been published.
  2. CVE-2023-34051 allows unauthenticated attackers to execute code remotely with root permissions if certain conditions are met.
  3. Horizon3 published a technical root cause analysis for this security flaw on Friday, with additional information on how CVE-2023-34051 can be used to gain remote code execution as root on unpatched VMware appliances.

Link: https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-public-exploit-for-vrealize-rce-flaw/
