InfoSec News 20230621

  • Published: Wed, 21/06/2023 - 11:30

Top News


  • VMware warns of critical vRealize flaw exploited in attacks

"VMware updated a security advisory published two weeks ago to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks.
"VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild," the company said today.
This notice follows multiple warnings from cybersecurity firm GreyNoise, the first issued one week after VMware patched the security flaw on June 15 and just two days after security researcher Sina Kheirkhah shared technical details and proof-of-concept exploit code.
"We have observed attempted mass-scanning activity utilizing the Proof-Of-Concept code mentioned above in an attempt to launch a reverse shell which connects back to an attacker controlled server in order to receive further commands," GreyNoise research analyst Jacob Fisher said."

Link

TLP1 : Green

  • New Tsunami botnet targets Linux SSH servers

"Researchers from AhnLab Security Emergency Response Center (ASEC) have uncovered an ongoing hacking campaign, aimed at poorly protected Linux SSH servers, to install the Tsunami DDoS botnet (aka Kaiten). The threat actors behind these attacks were also observed installing other malware families, including ShellBot, XMRig CoinMiner, and Log Cleaner.
The Tsunami DDoS botnet operates as an IRC bot and relies on IRC for C2 communication.
The researchers pointed out that the source code of the Tsunami bot is publicly available allowing multiple threat actors to create their own botnet. The bot primarily targets IoT devices along with Linux servers with brute force attacks."

Link

TLP1 : Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • Biden Discusses Risks and Promises of Artificial Intelligence With Tech Leaders in San Francisco

"President Joe Biden convened a group of technology leaders on Tuesday to debate what he called the “risks and enormous promises” of artificial intelligence.
The Biden administration is seeking to figure out how to regulate the emergent field of AI, looking for ways to nurture its potential for economic growth and national security and protect against its potential dangers.
“We’ll see more technological change in the next 10 years than we saw in the last 50 years,” Biden said as the meeting with eight technology experts from academia and advocacy groups kicked off.
“AI is already driving that change,” Biden said."

Link

TLP1 : Green

  • New Condi malware builds DDoS botnet out of TP-Link AX21 routers

"A new DDoS-as-a-Service botnet called "Condi" emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks.
AX1800 is a popular Linux-based dual-band (2.4GHz + 5GHz) Wi-Fi 6 router with 1.8 Gbps bandwidth, used primarily by home users, small offices, shops, cafes, etc.
Condi aims to enlist new devices to create a powerful DDoS (distributed denial of service) botnet that can be rented to launch attacks on websites and services.
Moreover, the threat actors behind Condi sell the malware's source code, which is an unusually aggressive monetization method destined to result in numerous project forks with different features."

Link

TLP1 : Green

  • Russian APT28 hackers breach Ukrainian govt email servers

"A threat group tracked as APT28 and linked to Russia's General Staff Main Intelligence Directorate (GRU) has breached Roundcube email servers belonging to multiple Ukrainian organizations, including government entities.
In these attacks, the cyber-espionage group (also known as BlueDelta, Fancy Bear, Sednit, and Sofacy) leveraged news about the ongoing conflict between Russia and Ukraine to trick recipients into opening malicious emails that would exploit Roundcube Webmail vulnerabilities to hack into unpatched servers.
After breaching the email servers, the Russian military intelligence hackers deployed malicious scripts that redirected the incoming emails of targeted individuals to an email address under the attackers' control."

Link

TLP1 : Green

Breaches: Data Breaches and Hacks


  • 3CX data exposed, third-party to blame

"While victims of cyberattacks should not be ridiculed, there’s a reason that sayings like “fool me once, shame on you; fool me twice, shame on me” resonate so well.
Earlier this year, suspected North Korean hackers exploited 3CX for supply-chain attacks, spreading malware to devices using the company’s software.
Despite this prior experience with data breaches, the Cybernews research team recently discovered open Elasticsearch (distributed search and analytics engine) and Kibana (data visualization and exploration tool) instances belonging to a third-party vendor of 3CX. The instances, containing sensitive 3CX data, were discovered on May 15th, nearly two months after the initial attacks became public knowledge."

Link

TLP1 : Green

  • Russian APT Group Caught Hacking Roundcube Email Servers

"A prolific APT group linked to the Russian government has been caught exploiting security flaws in the open-source Roundcube webmail software to spy on organizations in Ukraine, including government institutions and military entities involved in aircraft infrastructure.
According to an advisory [PDF] from threat intelligence firm Recorded Future, the Roundcube server infections are being used to run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books.
Recorded Future teamed up with Ukraine’s Computer Emergency Response Team (CERT-UA) to document the activity, which is being attributed to Russia’s GRU military spy unit."

Link

TLP1 : Green

  • Hackers warn University of Manchester students of imminent data leak

"The ransomware operation behind a cyberattack on the University of Manchester has begun to email students, warning that their data will soon be leaked after an extortion demand was not paid.
The threat actors claim to have stolen 7 TB of data from the University of Manchester during a June 6th cyberattack in an email sent to students and shared with BleepingComputer.
"We would like to inform all students, lecturers, administration, and staff that we have successfully hacked manchester.ac.uk network on June 6 2023," reads the email.
"We have stolen 7TB of data, including confidential personal information from students and staff, research data, medical data, police reports, drug test results, databases, HR documents, finance documents, and more.""

Link

TLP1 : Green

  • Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack

"Gen Digital (NASDAQ: GEN), the company behind known cybersecurity brands such as Avast, Avira, AVG, Norton, and LifeLock, has confirmed that employees’ personal information was compromised in the recent MOVEit ransomware attack.
The attack exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) software that Progress Software disclosed on May 31.
Mass exploitation of the bug, which is tracked as CVE-2023-34362 and described as a critical-severity SQL injection, started in late May, but evidence suggests that the attackers knew about the flaw or tested it since 2021."

Link

TLP1 : Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices

"Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems.
Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability.
"The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today."

Link

TLP1 : Green

  • Microsoft fixes Azure AD auth flaw enabling account takeover

"Microsoft has addressed an Azure Active Directory (Azure AD) authentication flaw that could allow threat actors to escalate privileges and potentially fully take over the target's account.
This misconfiguration (named nOAuth by the Descope security team who discovered it) could be abused in account and privilege escalation attacks against Azure AD OAuth applications configured to use the email claim from access tokens for authorization.
An attacker only had to change the email on their Azure AD admin account to the victim's email address and use the "Log in with Microsoft" feature for authorization on the vulnerable app or website.
This lets them take complete control over the target's account if the targeted resources allowed using email addresses as unique identifiers during the authorization process."

Link

TLP1 : Green
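The flaw in the item above is on the application side: an OAuth/OIDC client that uses the token's email claim as the user's primary key will hand the victim's account to anyone whose identity provider lets them set that email. The snippet below is an added example for this digest, not code from Descope, Microsoft or the article; it contrasts a vulnerable lookup with one keyed on the immutable `tid`/`sub` pair. The token claim sets and the user table are constructed, and the helper and function names are assumptions; the `xms_edov` claim referenced in the hardened path is Microsoft's optional "email domain owner verified" claim.

```python
"""nOAuth-style account takeover in an OIDC callback, and the fix.

All claim sets below are constructed. An attacker who administers their own
Azure AD tenant can put any string into the mail attribute of a user they
control, so the attacker's token carries the victim's email while its tid/sub
still identify the attacker."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    account_id: str
    email: str            # display data, not an identity
    tid: Optional[str]    # Azure AD tenant id the account was linked from
    sub: Optional[str]    # subject id, stable per (user, app) within that tenant


# Constructed app user table: the victim signed up through "Log in with Microsoft".
USERS = [
    Account("acct-1001", "victim@example.com", tid="tid-victim-tenant", sub="sub-victim"),
]

# Constructed ID-token claim sets after signature and issuer checks have passed.
VICTIM_TOKEN = {"tid": "tid-victim-tenant", "sub": "sub-victim",
                "email": "victim@example.com"}
ATTACKER_TOKEN = {"tid": "tid-attacker-tenant", "sub": "sub-attacker",
                  "email": "victim@example.com"}   # spoofed; no ownership proof


def lookup_vulnerable(claims):
    """Vulnerable pattern: the email claim is treated as the unique identifier,
    so any token carrying the victim's address resolves to the victim."""
    return next((u for u in USERS if u.email == claims.get("email")), None)


def email_is_trustworthy(claims):
    """Only trust the email claim when the tenant has proven it owns the domain.
    Microsoft signals this with the optional xms_edov claim; absence means the
    value is attacker-controllable free text."""
    return claims.get("xms_edov") is True


def lookup_hardened(claims):
    """Hardened pattern: accounts are keyed on (tid, sub). An unknown pair is a
    new identity, never an automatic match on email; return None so the app can
    run an explicit, verified account-linking flow instead."""
    tid, sub = claims.get("tid"), claims.get("sub")
    if not tid or not sub:
        return None
    return next((u for u in USERS if u.tid == tid and u.sub == sub), None)


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(ATTACKER_TOKEN))   # victim's account
    print("hardened:  ", lookup_hardened(ATTACKER_TOKEN))     # None
```

The same rule applies to any identity provider, not just Azure AD: bind local accounts to the issuer's stable subject identifier, treat email as a mutable attribute, and require a separate proof of ownership before linking two identities that merely share an address.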

  • OT:Icefall: Vulnerabilities Identified in Wago Controllers

"Forescout Technologies has disclosed the details of three vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.
The flaws were identified as part of the OT:Icefall research that has led to the public disclosure of 61 vulnerabilities impacting more than 100 OT products from 13 vendors.
After an initial set of 56 vulnerabilities disclosed in June 2022, Forescout shared the details of three more flaws in November 2022, and is now adding two new bugs to the list, while also sharing information on a previously identified but not disclosed issue.
Tracked as CVE-2023-1619 and CVE-2023-1620, the new vulnerabilities impact Wago 750 controllers using the Codesys v2 runtime and could be exploited by an authenticated attacker to cause a denial-of-service (DoS) condition, Forescout says."

Link

TLP1 : Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • Keep it, Tweak it, Trash it – What to do with Aging Tech in an Era of Consolidation

"Consolidating security tools is a growing industry trend. In fact, a survey by Gartner found that 75% of organizations were pursuing security vendor consolidation in 2022, up from 29% in 2020.
IT is often viewed as a cost center and security is part of that. No one has unlimited budgets, and the pressure is on to justify costs and do more with less. The situation gets worse when earnings are down and there’s a looming specter of a slowdown in the economy."

Link

TLP1 : Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • Chinese APT15 hackers resurface with new Graphican malware

"The Chinese state-sponsored hacking group tracked as APT15 has been observed using a novel backdoor named 'Graphican' in a new campaign between late 2022 and early 2023.
APT15, also known as Nickel, Flea, Ke3Chang, and Vixen Panda, is a group of Chinese state hackers that has targeted important public and private organizations worldwide since at least 2004.
The group has used various malware implants and custom backdoors throughout the years, including RoyalCLI and RoyalDNS, Okrum, Ketrum, and Android spyware named SilkBean and Moonshine.
Today, the Threat Hunter Team at Symantec, part of Broadcom, reports that APT15's latest campaign targets foreign affairs ministries in Central and South American countries."

Link

TLP1 : Green

  • Inside Win32k Exploitation: Analysis of CVE-2022-21882 and CVE-2021-1732

"After seeing reports of two similar privilege escalation vulnerabilities in Microsoft Windows – CVE-2021-1732 and CVE-2022-21882 – we decided to analyze both to better understand the code involved in each. This is a continuation of Inside Win32k Exploitation, in which we discussed the Win32k internals and exploitation in general as background information to explore the issues surrounding CVE-2021-1732 and CVE-2022-21882.
Here, we will dig deeper into CVE-2021-1732 and CVE-2022-21882 and their related proof-of-concept (PoC) exploits. We’ll walk through an analysis of these two exploits, and thus see why the patch for CVE-2021-1732 was not sufficient to prevent CVE-2022-21882.
Both vulnerabilities discussed in this series are detected and blocked by the Cortex XDR Anti-LPE protection module. Both vulnerabilities are data-only exploits that copy the NT AUTHORITY\SYSTEM privilege token to that of the current (exploit) process for privilege escalation. The XDR Anti-LPE modules monitor for this specific type of privilege escalation technique."

Link

TLP1 : Green

  • Microsoft shares workaround for Outlook freezes, slow starts

"Microsoft is working to address a known issue affecting Outlook for Microsoft 365 customers, causing slow starts and freezes as if Offline Outlook Data Files (OST) are being synced right after launch.
However, no new OST files are being created, and no new entries associated with this behavior are added to the Application event log, according to Redmond's investigation.
Many customers impacted by this issue have also reported that Outlook will open promptly, without delay, if they hit cancel after opening the application.
Microsoft says that affected customers may also see that the application will refuse to start on systems where Airplane mode is enabled."

Link

TLP1 : Green

1 Traffic Light Protocol (TLP) [1] for information sharing:

  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.


[1]https://www.first.org/tlp