Securin’s Threat Intelligence: Apr 10, 2023 – Apr 14, 2023

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Check out our Threat Intelligence Podcast hosted by David Rushton!​

Trending Threats

Vulnerabilities to Watch Out For

Trending Threats

CISA Adds More Vulnerabilities to the KEV Catalog

CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 are Veritas Backup Exec Agent vulnerabilities that are actively exploited by UNC4466, an affiliate of the ALPHV ransomware group. All three vulnerabilities allow unauthenticated attackers to gain access and escalate privileges.

CVE-2019-1388 is a high-severity privilege escalation vulnerability in Windows UAC (User Account Control). UAC helps prevent unauthorized changes to the operating system. When exploited, an unauthenticated attacker can launch a highly-privileged web browser on the normal desktop to install code and other malicious activities.

CVE-2023-26083 is a vulnerability that affects the Mali GPU driver from Arm. It is part of an exploit chain (CVE-2022-4135, CVE-2022-38181, and CVE-2022-3723) that delivers commercial spyware to popular platforms such as Google, iOS, Microsoft, etc.

Guide to Protect Against BlackLotus Attacks

Microsoft released a guide for investigating the BlackLotus campaign, which utilizes a bootkit for persistence and defense evasion. BlackLotus has several techniques and processes such as bootloader files, custom directories, modified registry keys, event log entries, etc., that can be used for detecting its presence. BlackLotus is found to be exploiting CVE-2022-21894, a Secure Boot Security Feature Bypass vulnerability. Despite the fact that Microsoft fixed the vulnerability in its January 2022 update, it is still possible to exploit it because the affected binaries, which are validly signed, have not yet been added to the UEFI revocation list. BlackLotus exploits this situation by introducing its own copies of legitimate but vulnerable binaries into the system to take advantage of the vulnerability.

Vulnerabilities to Watch Out For

Multiple Vulnerabilities in Sophos

CVE-2023-1671 is an unauthenticated command injection vulnerability in the warn-proceed handler. Exploiting this will allow an attacker to execute arbitrary code. 

CVE-2022-4934 is also a high severity vulnerability in the exception wizard. The command injection flaw requires authentication for successful exploitation. 

CVE-2020-36692 is a medium-severity cross-site scripting (XSS) vulnerability in the report scheduler. An attacker could exploit it to execute JavaScript code in the victim’s browser.

Sophos patched the three vulnerabilities in Sophos Web Appliance

CVE-2023-29017: VM2 JavaScript Bug

CVE-2023-29017 is a critical vulnerability in the VM2 library, a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. Exploiting it can lead to bypassing sandbox protections and gaining remote code execution on the host. A proof of concept has been released for this bug’s exploitation.

Users of the VM2 library should immediately patch this vulnerability.

Multiple Vulnerabilities in CISCO

There are multiple vulnerabilities in CISCO:

CVE-2023-20102 is an insufficient sanitization of user-provided data vulnerability. An authenticated, remote attacker could send crafted HTTP requests to an affected device to achieve arbitrary code execution.

CVE-2023-20122 is caused by improper validation of parameters. An authenticated, local attacker could exploit the issue by sending crafted CLI commands, allowing them to escape the restricted shell and gain root privileges on the operating system.

CVE-2023-20121 is another improper validation of parameters flaw that impacts the restricted shell of Evolved Programmable Network Manager (EPNM), ISE, and Prime Infrastructure. It requires administrator privileges exploitation.

CVE-2022-20812 impacts the cluster database API of the affected products and allows an authenticated, remote attacker to overwrite files on the affected device with root privileges. 

CVE-2023-20117 and CVE-2023-20128 are high-severity vulnerabilities that impact Small Business RV320 and RV325 routers. They could allow an authenticated, remote attacker to execute arbitrary commands on the affected devices.Since the vulnerabilities are in  end-of-life (EoL) devices, CISCO has not released patches for them.

Apple Zero-Days

CVE-2023-28206 is an IOSurfaceAccelerator out-of-bounds write that could lead to corruption of data, a crash, or code execution. Attackers use a maliciously crafted app to execute arbitrary code with kernel privileges on targeted devices.

CVE-2023-28205  is a WebKit use after free weakness that allows data corruption or arbitrary code execution when reusing freed memory. Attackers can exploit this to execute code remotely.

Apple fixed these two zero-day vulnerabilities and is urging its customers to patch them.

Critical Vulnerabilities in SAP

SAP addressed several vulnerabilities in their products with fixes. Three of the critical ones are:

CVE-2023-27267: An insufficient input validation and missing authentication issue impacting the OSCommand Bridge of SAP Diagnostics Agent. It allows an attacker to execute scripts on connected agents and fully compromise the system. 

CVE-2023-28765: Another critical flaw that affects SAP BusinessObjects Business Intelligence Platform (Promotion Management). It allows attackers with basic privileges to gain access to the lcmbiar file and decrypt it. Attackers will also be able to access the platforms users’ passwords and take over their accounts to perform additional malicious actions.

CVE-2023-29186: A directory traversal flaw impacting SAP NetWeaver. It allows an attacker to upload and overwrite files on the vulnerable SAP server.

CVE-2023-28252: Windows Common Log File System Vulnerability

CVE-2023-28252 impacts all supported versions of Windows servers and clients, and it can be exploited by local attackers in simple attacks without requiring any user interaction. If successfully exploited, threat actors can obtain SYSTEM privileges and completely compromise targeted Windows systems. As part of this month’s Patch Tuesday, Microsoft has fixed this zero-day vulnerability. 

Since June 2022, the Nokoyawa ransomware gang has employed other exploits that target the Common Log File System (CLFS) driver, and these exploits have similar yet distinct features that connect them to a single exploit developer. The group has utilized at least five additional CLFS exploits to attack various industries, such as retail and wholesale, energy, manufacturing, healthcare, and software development, among others.

Microsoft Patch Tuesday

Microsoft’s April 2023 Patch Tuesday has arrived, and it includes fixes for 97 security flaws, one of which is a zero-day vulnerability. The most severe of these vulnerabilities are remote code execution vulnerabilities.

CVE-2023-28252, the zero-day vulnerability impacted all supported versions of Windows servers and clients, and it could be exploited by local attackers in low-complexity attacks without user interaction.

In addition to the zero-day fix, Microsoft has also patched 96 other security bugs, 45 of which were remote code execution vulnerabilities. Among these are vulnerabilities in Microsoft Office, Word, and Publisher, tracked as CVE-2023-28285, CVE-2023-28295, CVE-2023-28287, and CVE-2023-28311. Since these types of vulnerabilities are commonly used in phishing campaigns, threat actors are expected to investigate ways to exploit them for distributing malware. However, there are no reports of active exploitation.

Users are advised to install these updates as soon as possible to protect their systems from potential exploitation.

Vulnerabilities in SharePoint

Recently, a proof of concept for three Microsoft SharePoint Web Parts property traversal vulnerabilities was released. The analysis revealed that the root cause of these vulnerabilities lies in the Parameter Class named Microsoft.SharePoint.WebPartPages.DataFormParameter. To prevent exposure, the presence of the character “.” needs to be checked and blocked in the XML attributes. Failure to do so can result in property traversal during the rendering process, which can be exploited by attackers. The three vulnerabilities are CVE-2023–21742, CVE-2022-38053, and CVE- 2023-21717.

Follow our weekly blog and podcast to get proactive alerts on trending threats.

Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!

Share This Post On