This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, which vulnerability it could soon weaponize, and more.
Check out our Threat Intelligence Podcast hosted by David Rushton!
- CISA Adds Two Vulnerabilities to the KEV Catalog
- Sandbox Escape PoC Exploits Available for VM2 Library
- Nation-State Threat Actor APT 35 Refines Tradecraft, Attacks High-Value Targets
- CVE-2020-1054 & CVE-2021-1732: Raspberry Robin
- CVE-2017-6742: Jaguar Tooth Leveraging Cisco IOS Vulnerability
- Microsoft SQL Servers Hacked to Deploy Trigona Ransomware
- Hacktivist Threat Actor Group Targets South Korea and Taiwan
- Vulnerabilities to Watch Out For
CISA Adds Two Vulnerabilities to the KEV Catalog
CVE-2019-8526 is a use-after-free memory management issue in Apple macOS. An attacker can gain elevated privileges by exploiting this vulnerability. It is one of the vulnerabilities exploited by the DazzleSpy APT group. It was fixed in the macOS Mojave update.
CISA added this vulnerability to the KEV Catalog on April 18, 2023.
CVE-2023-2033 is covered in the Vulnerabilities to Watch Out For section in this blog.
Sandbox Escape PoC Exploits Available for VM2 Library
A new sandbox escape proof-of-concept exploit was recently released that makes it possible to execute unsafe code on a host running the VM2 sandbox.
- CVE-2023-29017 – This vulnerability can bypass sandbox protections to gain remote code execution rights on the host machine that is running the sandbox. It impacts all versions of VM2 from 3.9.14 and older. While no workaround is available for the vulnerability, it was patched in early April 2023.
- CVE-2023-29199 – This is a flaw in the source code transformer (exception sanitization logic) of VM2 for versions up to 3.9.15. It allows attackers to bypass handleException() and leak unsanitized host exceptions, which can be used to escape the sandbox and run arbitrary code in the host context.
- CVE-2023-30547 – This is a critical exception sanitization vulnerability in VM2 for versions up to 3.9.16 and carries a CVSS v3 score of 9.8. It allows attackers to raise an unsanitized host exception in handleException(), which can then be used to escape the sandbox and run arbitrary code in the host context.
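The first thing a defender wants from the three advisories above is to know whether a vulnerable vm2 is anywhere in a dependency tree, including transitively. The following is an added example, not code from the original post or from the VM2 project; it assumes a package-lock.json v2/v3 layout (a "packages" map) and uses a constructed sample lockfile.

```python
"""Added example (not from the original post): flag vm2 versions affected by the
three sandbox-escape CVEs listed above, using the version ranges stated there.
Assumes a package-lock.json v2/v3 layout (a "packages" map); the sample lock
below is constructed."""
import json

# Highest affected release per advisory, as given in the text.
VM2_ADVISORIES = [
    ("CVE-2023-29017", (3, 9, 14)),
    ("CVE-2023-29199", (3, 9, 15)),
    ("CVE-2023-30547", (3, 9, 16)),
]

def parse_version(version):
    """Turn '3.9.15' (or '3.9.15-rc1') into (3, 9, 15) so that comparison
    is numeric rather than lexical ('3.9.9' must sort below '3.9.14')."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:3])

def affected_cves(version):
    """Return the CVEs a given vm2 version is affected by (empty if none)."""
    v = parse_version(version)
    return [cve for cve, last_affected in VM2_ADVISORIES if v <= last_affected]

def audit_lock(lock_json):
    """Walk the lockfile's package map, including nested copies of vm2 that
    arrive transitively, and report vulnerable versions with their CVEs."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "node_modules/vm2" or path.endswith("/node_modules/vm2"):
            cves = affected_cves(meta["version"])
            if cves:
                findings.append({"path": path, "version": meta["version"], "cves": cves})
    return findings

# Constructed sample lock: vm2 is a transitive dependency pinned at a vulnerable release.
SAMPLE_LOCK = json.dumps({
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/some-runner": {"version": "2.1.0"},
        "node_modules/some-runner/node_modules/vm2": {"version": "3.9.15"},
    }
})

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(f"{f['path']} {f['version']}: {', '.join(f['cves'])}")
```

Run it against a real lockfile by passing the file contents to audit_lock(); a version above 3.9.16 produces no findings.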
Nation-State Threat Actor APT 35 Refines Tradecraft, Attacks High-Value Targets
A subgroup of the Iranian nation-state threat actor PHOSPHORUS (also tracked as APT 35), called Mint Sandstorm, has begun refining its arsenal. It has weaponized N-day vulnerabilities in common enterprise applications and conducted highly targeted phishing attacks to infiltrate environments of interest. The subgroup targets both the private and public sectors, including political parties, activists, individuals protesting against regimes in the Middle East, journalists, and employees of government agencies and the Defense Industrial Base (DIB).
APT 35 has been observed exploiting the following CVEs in their attacks:
CVE-2020-1054 & CVE-2021-1732: Raspberry Robin
Raspberry Robin has become one of the most widely distributed malware families currently active, and has been leveraged by many threat actors, such as IcedID and Cl0p ransomware, to distribute their own malware.
As the malware has continued to evolve, Raspberry Robin has developed an arsenal of unique tricks and evasive techniques. The malware affects Windows and Mac systems alike and leverages two vulnerabilities.
- CVE-2021-1732 – A Win32K window object type confusion that leads to an OOB (out-of-bounds) write. It was a zero-day exploited in the wild and was used by Bitter APT. The exploit targets Windows 10 builds within a specific range.
- CVE-2020-1054 – Raspberry Robin's exploit for this vulnerability first checks whether update KB4601319 is installed. It then resolves HMValidateHandle by scanning the first 0x20 bytes of the IsMenu code for the 0xe8 opcode.
CVE-2017-6742: Jaguar Tooth Leveraging Cisco IOS Vulnerability
A joint advisory by the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC), the NSA and the FBI, issued alongside Cisco, warned about Russian APT 28 hackers deploying custom malware called Jaguar Tooth on Cisco IOS routers, giving them unauthenticated access to the device.
Jaguar Tooth has been observed being deployed and executed by exploiting CVE-2017-6742, a now-patched SNMP (Simple Network Management Protocol) vulnerability. The malware targets Cisco IOS and IOS XE routers running firmware C5350-ISM and Version 12.3(6). It collects device information, which it then exfiltrates over TFTP (Trivial File Transfer Protocol), and provides unauthenticated backdoor access to the APT 28 operators.
CISA added this vulnerability to the KEV catalog on April 19, 2023, a day after Securin threat intelligence flagged it.
Microsoft SQL Servers Hacked to Deploy Trigona Ransomware
Threat actors are hacking into poorly secured internet-facing Microsoft SQL servers to deploy Trigona ransomware payloads to encrypt all files. Most of the servers were breached via brute-force attacks that took advantage of easy-to-guess account credentials.
Securin experts observed that the Trigona ransomware gang exploits the Zoho ManageEngine ADSelfService Plus vulnerability, CVE-2021-40539. We recommend that security teams patch the vulnerability as soon as possible to avoid future attacks.
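Because the initial access described above is password guessing against exposed SQL Server instances, the brute-force burst is visible in the SQL Server ERRORLOG long before any ransomware payload lands. The following is an added example, not code from the original post; it assumes the standard ERRORLOG logon-line layout, a constructed log excerpt with assumed IPs and timing, and a threshold/window that a team would tune to its own environment.

```python
"""Added example (not from the original post): detect the credential brute-forcing
described above in SQL Server ERRORLOG lines, flagging a client IP that fails more
than THRESHOLD logins within WINDOW and, if successful-login auditing is enabled,
a later success from that IP. The log excerpt below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
THRESHOLD = 5                  # failures per client IP inside the window (assumed)
WINDOW = timedelta(minutes=2)  # sliding window length (assumed)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]")

def parse(line):
    """Return a dict (ts, outcome, user, ip) for a logon line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ev

def detect(lines):
    """Return findings as (kind, ip, user, failures_in_window) tuples."""
    recent = defaultdict(deque)    # ip -> timestamps of failures in the window
    flagged, findings = set(), []
    for ev in filter(None, map(parse, lines)):
        q = recent[ev["ip"]]
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            while ev["ts"] - q[0] > WINDOW:    # drop failures older than the window
                q.popleft()
            if len(q) > THRESHOLD and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                findings.append(("brute_force", ev["ip"], ev["user"], len(q)))
        elif ev["ip"] in flagged:              # success from an IP already flagged
            findings.append(("success_after_burst", ev["ip"], ev["user"], len(q)))
    return findings

# Constructed ERRORLOG excerpt: seven 'sa' failures within seconds, then a success.
SAMPLE_LOG = [
    f"2023-04-20 03:10:{i:02d}.45 Logon       Login failed for user 'sa'. Reason: "
    f"Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
    for i in range(7)
] + [
    "2023-04-20 03:10:30.10 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
    "2023-04-20 03:11:12.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Successful logins only appear in ERRORLOG when the server's login auditing is set to record them, so the second finding type depends on that setting being enabled.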
Hacktivist Threat Actor Group Targets South Korea and Taiwan
Xiaoqiying, a Chinese hacktivist group, has recently launched attacks on South Korean and Taiwanese organizations. The group, also known as Genesis Day, operates on two Telegram channels and has been operational throughout 2022, allegedly gaining unauthorized access to networks in various countries. Through exploiting flaws in internet-connected devices and remote access utilities, the group distributes hacked penetration tools and malware on its channels, indicating an advanced level of cyber risk. They have been exploiting the following vulnerabilities:
- CVE-2022-34305: An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability which affects multiple Apache Tomcat versions.
- CVE-2022-20006: A concurrent execution using shared resources with improper synchronization (‘race condition’) vulnerability. Affects Android versions 10, 11, 12, and 12.1.
- CVE-2022-34918: An access of resource using incompatible type (‘type confusion’) vulnerability. Affects several Linux, Debian, Ubuntu, and NetApp products.
- CVE-2021-23017: An Nginx resolver off-by-one error which affects Nginx, Fedora, and Oracle products.
We recommend that organizations look out for these vulnerabilities and patch them immediately.
Vulnerabilities to Watch Out For
CVE-2023-2136: Google Chrome Zero-Day
Google released a security update for the recently discovered Chrome web browser zero-day vulnerability that was found to be exploited in attacks.
CVE-2023-2136 is a high-severity integer overflow vulnerability in Skia, an open-source multi-platform 2D graphics library written in C++ and owned by Google. The bug could lead to incorrect rendering, memory corruption or arbitrary code execution, and thus to unauthorized system access.
CVE-2023-2033: Chrome Vulnerability
CVE-2023-25135: vBulletin Vulnerability
CVE-2023-29084: ManageEngine Vulnerability
CVE-2023-29084 is a command injection remote code execution vulnerability found in ManageEngine ADManager Plus. It allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine ADManager Plus. However, authentication is required to exploit this vulnerability.
ManageEngine fixed this vulnerability in its latest update.
Critical RCE bug in PaperCut Servers Exploited by Attackers
PaperCut, a print management software developer, working with all major brands and platforms, warned its customers about hackers actively exploiting two flaws to gain access to vulnerable servers.
The vulnerabilities have not yet been assigned CVE numbers and are presently tracked as follows:
- ZDI-CAN-18987 / PO-1216: An unauthenticated remote code execution flaw with a CVSS v3 score of 9.8 (critical) impacting all PaperCut MF and NG versions 8.0 and later on both application and site server OS platforms.
- ZDI-CAN-19226 / PO-1219: An unauthenticated information disclosure flaw with a CVSS v3 score of 8.2 (high) impacting all PaperCut MF and NG versions 8.0 and later on application OS platforms.
CVE-2022-29844: Western Digital Vulnerability
CVE-2022-29844 is a memory corruption vulnerability impacting the FTP service of the My Cloud Pro Series PR4100. It allows unauthenticated attackers to read and write arbitrary files. This vulnerability could also allow the full compromise of the NAS and give remote command execution capabilities.
Western Digital patched CVE-2022-29844 in the firmware version 5.26.119.
VMware vRealize Vulnerabilities
CVE-2023-20864 and CVE-2023-20865 are deserialization vulnerabilities in VMware vRealize Log Insight. CVE-2023-20864 can be exploited remotely by unauthenticated threat actors in low-complexity attacks and requires no user interaction. Successful attackers can run arbitrary code as root on compromised systems.
CVE-2023-20865 enables remote attackers with administrative privileges to execute arbitrary commands as root.
VMware fixed both vulnerabilities and urged users to patch immediately.