QNAP NAS Vulnerabilities
QNAP Systems recently addressed a series of vulnerabilities in its products.
- CVE-2023-39296: This is a prototype pollution flaw that could allow remote attackers to crash the system by overriding existing attributes with incompatible types. It affects QTS and QuTS hero versions.
- CVE-2022-43634: This vulnerability in Netatalk could enable attackers to execute arbitrary code remotely without authentication.
- CVE-2023-41287: An SQL injection vulnerability in Video Station, exploitable over the network, which could allow unauthorized database access or manipulation.
- CVE-2023-41288: An OS command injection vulnerability in Video Station that could be exploited over the network, potentially allowing attackers to execute arbitrary commands on the system.
- CVE-2023-47559: A cross-site scripting (XSS) flaw in QuMagie, which attackers could use to inject malicious scripts into web pages viewed by other users.
- CVE-2023-47560: An OS command injection defect in QuMagie, which could allow remote attackers to execute arbitrary commands on the system.
If your device is accessible to the public, it’s advisable to disconnect it from public-facing networks until you can apply the necessary patches.
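To make the bug class behind CVE-2023-39296 concrete, the following added example (not QNAP's code; nothing about QTS or QuTS hero internals is taken from this page) shows the generic pattern in JavaScript: a recursive "deep merge" that walks into a `__proto__` key lets attacker-controlled JSON overwrite an existing attribute on `Object.prototype` with an incompatible type, after which unrelated code that relies on that attribute throws and the process crashes. The hardened merge beside it skips the dangerous keys and only follows own properties. The polluting JSON document and the merge functions are constructed for this illustration.

```javascript
// Constructed sample input: attacker-controlled JSON that targets the prototype.
// JSON.parse creates an *own* property literally named "__proto__" here.
const POLLUTING_JSON = '{"__proto__": {"toString": 42}}';

// Naive deep merge of the kind found in many config/option handlers.
// It follows every key, including "__proto__", so the recursion ends up
// writing into Object.prototype itself.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value; // Object.prototype.toString = 42 (wrong type)
    }
  }
  return target;
}

// Shows the denial-of-service effect: after pollution, an unrelated, freshly
// created object can no longer be stringified. The original toString is saved
// and restored so the rest of this script keeps working.
function demonstrateCrash() {
  const savedToString = Object.prototype.toString;
  try {
    unsafeMerge({}, JSON.parse(POLLUTING_JSON));
    try {
      String({}); // ToPrimitive finds a non-callable toString and throws
      return false; // no crash (would mean the merge was not vulnerable)
    } catch (err) {
      return err instanceof TypeError; // true: the "crash" observed above
    }
  } finally {
    Object.prototype.toString = savedToString;
  }
}

// Hardened merge: refuse the keys that reach the prototype chain, iterate only
// own enumerable keys of the source, and never descend into an inherited
// property of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the polluting key entirely
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Stand-alone usage.
console.log('unsafe merge crashes a fresh object:', demonstrateCrash());
safeMerge({}, JSON.parse(POLLUTING_JSON));
console.log('prototype intact after safe merge:', typeof Object.prototype.toString === 'function');
console.log('normal merge still works:', JSON.stringify(safeMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
```

The defender's takeaways are the two checks in `safeMerge`: a deny-list for `__proto__`, `constructor` and `prototype`, and own-property iteration so that the walk never crosses into inherited objects. Deserialising untrusted JSON into `Object.create(null)` containers, or freezing `Object.prototype` at startup, are complementary mitigations for code paths that cannot be rewritten.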
Apache OFBiz zero-day
SonicWall has reported consistent daily attempts to exploit a severe zero-day vulnerability in Apache OFBiz, an open-source ERP system. Despite an initial patch, the core issue remained in OFBiz’s login functionality, leaving deployments widely exposed.
- CVE-2023-51467: An authentication bypass flaw. Attackers can circumvent the authentication process, and exploiting the flaw would enable them to remotely execute arbitrary code on the system, potentially leading to unauthorized access and exposure of sensitive information.
Atlassian is known to use Apache OFBiz; however, its build does not include the vulnerable code.
Religious Organizations Targeted in Christmas Cyberattack by Rhysida Ransomware Gang
The World Council of Churches (WCC) and the Lutheran World Federation experienced a ransomware attack during the Christmas season, which was later claimed by the Rhysida ransomware gang. The WCC, representing half a billion Christians globally, was contacted by hackers on December 26, demanding a ransom for accessed information. All WCC systems went down, and the incident was reported to local law enforcement. Rhysida is demanding a ransom of 6 bitcoin, approximately $280,000, for the data theft from the Lutheran group. While the ransom demand and the details of the attack are well-documented, the available sources do not confirm whether the affected organizations actually paid the ransom. However, there is a quote from WCC general secretary Rev. Prof. Dr Jerry Pillay saying, “The WCC will never give in to such threats. These people must be investigated and stopped.”
LockBit Ransomware Attack Disrupts Operations at Capital Health Hospitals
The LockBit ransomware gang claimed responsibility for a November attack on Capital Health, a hospital system in New Jersey and Pennsylvania. The attack led to the cancellation of appointments and forced the hospitals to operate without patient files. LockBit threatened to leak seven terabytes of data stolen from Capital Health, specifically targeting the Regional Medical Center in Trenton. The attack caused network outages, leading to the rescheduling of elective surgeries, radiology appointments, and some medical tests. By December, Capital Health reported that its systems were restored, but it is still assessing risks to patient and employee data. Despite rules against hospital attacks, LockBit has a history of targeting healthcare facilities, including a notable attack on Toronto’s Hospital for Sick Children in 2022.