This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, which vulnerability it could soon weaponize, and more.
Check out our Threat Intelligence Podcast hosted by David Rushton!
Vulnerabilities to Watch Out For
Windows Vulnerability Exploited in 3CX App Compromise
Last week we saw how a trojanized version of the 3CX desktop application was used in a supply chain attack. It has now come to light that the attackers relied on an old Windows vulnerability to make the malicious executables appear legitimately signed. CVE-2013-3900 is a WinVerifyTrust signature validation weakness: the Authenticode check ignores extra data appended inside a signed file's certificate table, so a file modified that way still validates as signed and the user gets no warning. In the 3CX attack, two DLLs used by the application were replaced with malicious versions that download additional malware to the victim's computer, including an information-stealing trojan.
Microsoft released a fix for this vulnerability in 2013 but made the stricter check opt-in: it only takes effect when an administrator sets a registry value, so default installations remain vulnerable. Windows 11 systems do not have the fix in place either.
We recommend that Microsoft ship this fix as a critical, on-by-default patch and warn users to apply it at the earliest. Until then, administrators can turn the stricter check on themselves: set the string value EnableCertPaddingCheck to 1 under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and, on 64-bit Windows, also under HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config), then reboot. Microsoft documents this setting in Security Advisory 2915720.
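To make the CVE-2013-3900 weakness concrete, here is an added Python example (not code from 3CX, Microsoft, or the original post) that locates the certificate table of a PE file and flags data sitting after the DER-encoded PKCS#7 signature blob inside the WIN_CERTIFICATE entry. It assumes, as an approximation of what the opt-in padding check enforces, that only zero bytes used to reach 8-byte alignment are legitimate there; the PKCS#7 stand-in (`FAKE_PKCS7`) and the PE skeleton produced by `build_fake_pe` are constructed so the script runs offline, and this check complements, rather than replaces, actual signature verification.

```python
import struct

# WIN_CERTIFICATE header: dwLength (u32), wRevision (u16), wCertificateType (u16), little-endian.
WIN_CERT_HEADER = struct.Struct("<IHH")
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a DER PKCS#7 SignedData blob
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory index of the certificate table


def der_tlv_length(buf: bytes, offset: int = 0) -> int:
    """Total size (tag + length octets + content) of the DER TLV starting at offset."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER header")
    first = buf[offset + 1]
    if first < 0x80:                      # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or n > 4 or offset + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    content_len = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    return 2 + n + content_len


def check_certificate_table(cert_table: bytes) -> tuple[bool, bytes]:
    """Return (clean, trailing): trailing is whatever follows the PKCS#7 blob inside the
    WIN_CERTIFICATE entry. Assumption: only zero bytes used to reach 8-byte alignment are
    legitimate; anything else is the appended data that CVE-2013-3900 lets through."""
    if len(cert_table) < WIN_CERT_HEADER.size:
        raise ValueError("certificate table too short")
    dw_length, _revision, cert_type = WIN_CERT_HEADER.unpack_from(cert_table, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected certificate type 0x{cert_type:04x}")
    if dw_length > len(cert_table):
        raise ValueError("dwLength exceeds certificate table")
    body = cert_table[WIN_CERT_HEADER.size:dw_length]
    if not body or body[0] != 0x30:       # PKCS#7 ContentInfo is a DER SEQUENCE
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    pkcs7_len = der_tlv_length(body)
    trailing = bytes(body[pkcs7_len:])
    clean = len(trailing) < 8 and not any(trailing)
    return clean, trailing


def certificate_table_from_pe(pe: bytes) -> bytes:
    """Locate the raw certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY) in a PE image.
    Unlike the other data directories, its 'VirtualAddress' field is a file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_hdr = e_lfanew + 4 + 20                              # skip PE\0\0 and the COFF header
    (magic,) = struct.unpack_from("<H", pe, opt_hdr)
    data_dirs = opt_hdr + (96 if magic == 0x10B else 112)    # PE32 vs PE32+
    sec_entry = data_dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    file_offset, size = struct.unpack_from("<II", pe, sec_entry)
    if size == 0:
        return b""                                           # unsigned image
    return pe[file_offset:file_offset + size]


def make_cert_table(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Wrap a (constructed) PKCS#7 blob plus optional appended bytes in a WIN_CERTIFICATE."""
    body = pkcs7 + extra
    header = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(body), 0x0200,
                                  WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + body


def build_fake_pe(cert_table: bytes) -> bytes:
    """Constructed, minimal PE32 skeleton (not a runnable executable) whose security
    directory points at cert_table, so the locator can be exercised offline."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    opt_hdr = 0x40 + 4 + 20
    struct.pack_into("<H", hdr, opt_hdr, 0x10B)              # PE32 magic
    struct.pack_into("<II", hdr, opt_hdr + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     len(hdr), len(cert_table))
    return bytes(hdr) + cert_table


# Constructed stand-in for a real PKCS#7 SignedData blob: a tiny DER SEQUENCE (5 bytes).
FAKE_PKCS7 = bytes.fromhex("3003020101")
CLEAN_TABLE = make_cert_table(FAKE_PKCS7, b"\x00\x00\x00")          # zero padding to 8 bytes
TAMPERED_TABLE = make_cert_table(FAKE_PKCS7, b"\x00\x00\x00" + b"payload appended after the signature")


def scan(pe: bytes) -> tuple[bool, bytes]:
    """Find the certificate table of a PE image and check it for appended data."""
    table = certificate_table_from_pe(pe)
    if not table:
        return True, b""
    return check_certificate_table(table)


if __name__ == "__main__":
    for name, table in (("clean", CLEAN_TABLE), ("tampered", TAMPERED_TABLE)):
        clean, trailing = scan(build_fake_pe(table))
        print(f"{name}: clean={clean} trailing={trailing!r}")
```

Running the script on the two constructed tables reports the zero-padded one as clean and the one with appended bytes as tampered; on a real signed binary, a non-empty, non-zero `trailing` value is the condition that an unpatched WinVerifyTrust silently accepts.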
CISA Adds CVE-2022-27926 to its Known Vulnerabilities Catalog
CVE-2022-27926, a reflected cross-site scripting flaw in Zimbra Collaboration, is being actively exploited by the threat actor tracked as Winter Vivern. The group targets European entities with phishing emails whose links trigger the exploit. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on April 4, 2023 and directed all federal agencies to patch it by April 24, 2023.
Our cybersecurity experts flagged this vulnerability as critical in last week's threat intelligence blog and also warned our customers about it.
UNC4466 Targets Vulnerable Backup Installations to Gain Initial Access
CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 are vulnerabilities in Veritas Backup Exec installations that allow unauthenticated attackers to gain access and escalate privileges. An ALPHV (aka BlackCat) ransomware affiliate tracked as UNC4466 is exploiting them for initial access. About 8,000 internet-exposed servers run the Symantec/Veritas Backup Exec NDMP service. Once inside, UNC4466 used ADRecon to gather network, account, and host information from the victim's environment, along with tools such as the Background Intelligent Transfer Service (BITS) for file transfers, LAZAGNE for credential harvesting, LIGOLO, WINSW, RCLONE for data exfiltration, and the ALPHV ransomware encryptor. The tunneling tools LIGOLO and REVSOCKS gave the attacker a channel to run commands on the compromised server while evading detection.
Veritas patched these vulnerabilities in 2021; users still running unpatched versions should update their software immediately.
Vulnerabilities to Watch Out For
Multiple Vulnerabilities in UniRPC Server
Rocket Software's UniData and UniVerse products ship a UniRPC server (and related services); multiple vulnerabilities have been disclosed in the Linux builds:
- CVE-2023-28501: Pre-authentication heap buffer overflow in unirpcd service
- CVE-2023-28502: Pre-authentication stack buffer overflow in udadmin_server service
- CVE-2023-28504: Pre-authentication stack buffer overflow in libunidata.so’s U_rep_rpc_server_submain()
- CVE-2023-28507: Pre-authentication memory exhaustion in LZ4 decompression in unirpcd service
- CVE-2023-28503: Authentication bypass in libunidata.so’s do_log_on_user() function
- CVE-2023-28505: Post-authentication buffer overflow in libunidata.so’s U_get_string_value() function
- CVE-2023-28506: Post-authentication stack buffer overflow in udapi_slave executable
- CVE-2023-28508: Post-authentication heap overflow in udsub service
- CVE-2023-28509: Weak encryption
Although CVE-2023-28505, CVE-2023-28506, and CVE-2023-28508 are post-authentication bugs, an attacker can reach them without valid credentials by chaining them with the authentication bypass CVE-2023-28503.
Rocket Software has fixed these vulnerabilities in hotfix version 188.8.131.5203 and recommends that all users apply it immediately.
CVE-2023-1707: HP Printer Vulnerability
CVE-2023-1707 affects more than 50 HP Enterprise LaserJet and HP LaserJet Managed printer models and carries a CVSS score of 9.1, making it a critical vulnerability. It is exploitable only when the device runs FutureSmart firmware version 5.6 and has IPsec enabled; a successful attacker can read sensitive information transmitted between the affected printer and other devices on the network.
HP has not yet released a fix and says a firmware update will be available within 90 days.
In the meantime, customers running FutureSmart 5.6 can downgrade their firmware to FS 184.108.40.206 as a mitigation measure.
Google Patches Three Vulnerabilities
Google's Android Security Bulletin for April 2023 addresses a number of vulnerabilities, three of them critical:
CVE-2023-21085 and CVE-2023-21096 are both remote code execution flaws in the System component caused by insufficient input validation. In each case a remote attacker who entices the victim into opening a specially crafted file can run arbitrary code on the device.
CVE-2022-38181 is a use-after-free (UAF) in the Arm Mali GPU kernel driver: mishandled GPU memory operations let an unprivileged local application access memory that has already been freed. By turning that into memory corruption, the application can execute arbitrary code with elevated privileges. The flaw has been used in targeted attacks and was first detected in November 2022.
Android users should install the April 2023 security update as soon as their device vendor makes it available.