A critical GitLab flaw (CVE-2023-7028) affects GitLab CE/EE versions 16.1 to 16.6.4 and allows attackers to reset user passwords. Users with two-factor authentication enabled are safe. The flaw, introduced on May 1, 2023, through an email verification bug, has been patched in versions 16.7.2, 16.6.4, and 16.5.6. GitLab urges immediate upgrades and enabling 2FA for all accounts, especially administrators. Additional fixes address various vulnerabilities.
A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks.
"Starting from a single compromised machine, threat actors could progress in several ways: they could move to other cloned machines with GCPW installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem," Martin Zugec, technical solutions director at Bitdefender, said in a new report.
A prerequisite for these attacks is that the bad actor has already gained access to a local machine through other means, prompting Google to mark the bug as not eligible for fixing "since it's outside of our threat model and the behavior is in line with Chrome's practices of storing local data."
However, the Romanian cybersecurity firm has warned that threat actors can exploit such gaps to extend a single endpoint compromise to a network-wide breach.
The attacks, in a nutshell, rely on an organization's use of Google Credential Provider for Windows (GCPW), which offers both mobile device management (MDM) and single sign-on (SSO) capabilities.
This lets administrators remotely manage and control Windows devices within their Google Workspace environments, and lets users sign in to their Windows devices with the same credentials they use to log in to their Google accounts.
Atlassian warned admins that a public exploit is now available for a critical Confluence security flaw that can be used in data destruction attacks targeting Internet-exposed and unpatched instances.
Tracked as CVE-2023-22518, this is an authentication bypass vulnerability with a 9.1/10 severity rating affecting all versions of Confluence Data Center and Confluence Server software.
Atlassian warned in an update to the original advisory that it found a publicly available exploit that puts publicly accessible instances at critical risk.
"As part of Atlassian's ongoing monitoring of this CVE, we observed publicly posted critical information about the vulnerability which increases risk of exploitation," the company said.
"There are still no reports of an active exploit, though customers must take immediate action to protect their instances. If you already applied the patch, no further action is required."
While attackers can exploit the vulnerability to wipe data on impacted servers, it cannot be used to steal data stored on vulnerable instances. It's also important to mention that Atlassian Cloud sites accessed through an atlassian.net domain are unaffected, according to Atlassian.
Adobe's Patch Tuesday update for September 2023 comes with a patch for a critical actively exploited security flaw in Acrobat and Reader that could permit an attacker to execute malicious code on susceptible systems.
The vulnerability, tracked as CVE-2023-26369, is rated 7.8 for severity on the CVSS scoring system and impacts both Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020.
Described as an out-of-bounds write, successful exploitation of the bug could lead to code execution by opening a specially crafted PDF document. Adobe did not disclose any additional details about the issue or the targeting involved.
"Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company acknowledged in an advisory.
Identity services provider Okta on Friday warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions.
"In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users," the company said.
The adversary then moved to abuse the highly privileged Okta Super Administrator accounts to impersonate users within the compromised organization. The campaign, per the company, took place between July 29 and August 19, 2023.
Okta did not disclose the identity of the threat actor, but the tactics exhibit all the hallmarks of an activity cluster known as Muddled Libra, which is said to share some degree of overlap with Scattered Spider and Scatter Swine.