Advisories on Critical ownCloud Vulnerabilities, Critical FortiSIEM Vulnerability and Emotet Malware Threat

HC3 Alerts HPH Sector Regarding Critical FortiSIEM Vulnerability and Ongoing Emotet Malware Threat

The Health Sector Cybersecurity Coordination Center (HC3) has alerted healthcare companies that utilize Fortinet’s FortiSIEM platform to fix a critical vulnerability that is probably exploited by malicious actors and has released a threat summary on Emotet malware.

FortiSIEM Command Injection Vulnerability – CVE-2023-36553

Fortinet identified a critical vulnerability in its FortiSIEM platform. The vulnerability has a designated CVSS v3.1 severity score of 9.8/10 and malicious actors could exploit this vulnerability remotely to implement arbitrary commands. The vulnerability is connected to a bug CVE-2023-34992, which Fortinet identified and patched in October 2023. Although there were no identified cases that exploited the vulnerability in attacks, malicious actors actively targeted Fortinet vulnerabilities, and exploitation of the vulnerability is probable.

The vulnerability impacts these FortiSIEM versions: 5.4, 5.3, 5.3, 5.1, 5.0, 4.10, 4.9 and 4.7. Users ought to upgrade to a corrected version immediately. The vulnerability is already corrected in versions: 7.1.0, 7.0.1, 6.7.6, 6.6.4, 6.5.2, 6.4.3, or later.

Emotet Malware – A Persistent Threat to the HPH Sector

As a banking Trojan, Emotet malware first appeared in 2014. The malware has developed over time and is currently popular as a first-level malware for delivering malware payloads like banking Trojans, data stealers, multi-purpose malware, and ransomware, which include the notorious TrickBot Trojan. Devices attacked with Emotet are put in a botnet controlled by the malware operator, a group monitored as Mummy Spider, also called TA542, Mealybug, and GOLD CABIN, which is thought to be from Ukraine.

At its peak, Europol referred to Emotet as the world’s most threatening malware. Check Point information indicates one in every 5 companies around the world has been attacked by Emotet. Emotet activity has a rhythm of about 2-3 months of attacks then an interval of little to zero activity, which could last from 3 to 12 months. In January 2021, control of the botnet’s infrastructure was taken over by an international law enforcement group, which uninstalled the malware from all attacked devices. After 10 months, the botnet was recreated.

Although activity didn’t recover to the same level as at the peak of its success, the botnet continually develops and still presents a substantial threat. There were activity surges at the end of spring 2022 before activity declined, and activity increased once more in Spring 2022. As per Check Point, the botnet currently includes about 130,000 unique devices in 179 nations and Emotet was the most respected variant of malware in February 2023. Emotet is employed to get preliminary access to systems, can raise privileges, avoid defenses, steal credentials, go laterally, exfiltrate information, and get other malware payloads, and still is, one of the most powerful weapons against the health industry. Current activity consists of the delivery of ransomware variants like BlackCat and Quantum.

Emotet malware is most often delivered through phishing emails that contain malicious URLs that connect to a document that contains a malicious macro that installs the Emotet payload. The malware attains persistence via Windows registry keys that make sure the malware completes on every reboot. The malware could also attain persistence through the Windows Startup folder or scheduled tasks and could additionally operate as a Windows service that is implemented automatically. HC3’s Emotet Threat Summary includes suggestions for medical care and public health industry institutions on defense and mitigations.

Urgent Action Needed to Deal with Critical ownCloud Vulnerabilities

There were three critical vulnerabilities found in the ownCloud platform. Malicious actors are actively exploiting one of the three. Immediate action is needed to deal with the vulnerabilities to safeguard sensitive systems and sensitive information.

The ownCloud platform is employed extensively in medical care for keeping, synchronizing, and sharing data files and collaborating and combining work procedures. Therefore, the platform is a perfect target for attackers as it enables them to gain access to highly sensitive information. The Clop hacking groups showed how problematic vulnerabilities can be in file-sharing platforms. The mass exploitation of vulnerabilities in Progress Software’s MOVEit Transfer solution and Fortra’s GoAnywhere MFT this year proves it.

ownCloud issued security alerts on November 21, 2023 regarding three vulnerabilities, with one critical vulnerability having a CVSS v3.1 severity score of 10. The other two vulnerabilities have CVSS scores of 9.8 and 9. The cybersecurity company Greynoise found evidence of active exploitation of the vulnerabilities from November 25, 2023. The malicious activity started from 32 unique IP addresses.

Critical vulnerability CVE-2023-49103 identified in versions 0.2.0 – 0.3.0 of the graphapi app enables disclosure of sensitive information and settings in containerized deployments. The graphapi application uses a third-party library that has a URL. When accessing the URL, the configuration information of the PHP environment is revealed, which consists of the web server’s environment factors. In containerized deployments, the disclosed data can consist of the ownCloud admin password, mail server information, and license key. The vulnerability’s CVSS severity score is 10 out of 10.

Critical WebDAV API authentication bypass vulnerability CVE-2023-49105 using pre-signed URLs impacts core 10.6.0 – 10.13.0 and could be taken advantage of to access, change, or erase any file with no authentication when the victim’s username is identified and the victim has no signing-key setting, which is the default setting. The vulnerability’s CVSS severity score is 9.8 out of 10.

Critical subdomain validation bypass vulnerability CVE-2023-49104 is found in oauth2 < 0.6.1. A malicious actor could pass in a particularly created redirect-URL that gets around the validation code, enabling the attacker to reroute callbacks to a TLD controlled by the attacker. The vulnerability has a CVSS severity score of 9.0 out of 10.

The Health Sector Cybersecurity Coordination Center (HC3) released an alert on December 5, 2023 https://www.hhs.gov/sites/default/files/owncloud-vulnerability-white-paper-tlpclear.pdf, informing HPH sector groups to take action quickly and implement the actions suggested by ownCloud. The nature of this system is such that it must be incorporated into the data infrastructure of a client company to function, which gives attackers a target that can give access to sensitive data, and a staging position for more attacks explained HC3.

Currently, the actively exploited vulnerability in attacks in the wild is CVE-2023-49103. This vulnerability must be handled with great care; nevertheless, the other vulnerabilities must likewise be dealt with immediately as exploitation is probable.

ownCloud states that although the graphapi app could be deactivated, that won’t entirely resolve the CVE-2023-49103 vulnerability. The owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file must likewise be cleared and the phpinfo function must be deactivated in Docker containers. Owncloud likewise suggests modifying potentially exposed data like the details for ownCloud admin, the database, the mail server, and the Object-Store/S3 access key. The mitigations suggested by Owncloud for the vulnerabilities are available on these links:

CVE-2023-49103 mitigations

CVE-2023-49104 mitigations

CVE-2023-49105 mitigations