This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
- Glupteba Malware is Back in Action
- Play Ransomware Targets Microsoft Exchange Vulnerabilities to Breach Servers
- Apache Vulnerabilities are Exploited to Spread ZeroBot Malware
- FIN7 Creates Auto-Attack Platform To Breach Exchange Servers
Vulnerabilities to Watch Out For
- Old CISCO Vulnerabilities Targeted in Latest Attacks
- CVE-2022-42821: Apple’s Critical Severity Bug
- Multiple High Severity Vulnerabilities in Samba
- CVE-2022-38733: Authentication Bypass Vulnerability in OnCommand Insight
Glupteba Malware is Back in Action
Glupteba is a botnet that infects Windows devices to mine cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices. It is distributed through malvertising campaigns for software, videos, and movies. The malware uses blockchain technology for its command-and-control, which makes it hard to take down. Google caused a massive disruption to the botnet’s infrastructure in December 2021, after which no botnet infections were seen until June 2022. There are more than 1500 Glupteba samples that collect wallet addresses and decrypt transaction payload data using keys associated with the malware. From what has been observed, the new campaign is highly resilient and much more difficult to crack down on.
CVE-2018-14847 and CVE-2019-3978 are exploited by Glupteba for initial access.
Play Ransomware Targets Microsoft Exchange Vulnerabilities to Breach Servers
The ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) were mitigated in the November 2022 Patch Tuesday security updates. However, a new exploit chain used by the Play ransomware threat actors bypasses these mitigations to gain remote code execution on the servers. The exploit chain is named OWASSRF; it involves an SSRF equivalent to the Autodiscover technique, followed by the exploit used in the second step of ProxyNotShell. CVE-2022-41080 is also likely to be exploited in such attacks. It is a high-severity privilege escalation flaw impacting Exchange Server 2016 and 2019. The proof of concept for OWASSRF has been publicly exposed via a leak, and all Microsoft Exchange Server users are recommended to patch these vulnerabilities immediately to avoid falling victim to Play ransomware.
Apache Vulnerabilities are Exploited to Spread ZeroBot Malware
Last week, we saw the emergence of Zerobot, a Go-based malware. This botnet is now exploiting several Apache vulnerabilities to gain initial access and distribute the malware. CVE-2022-33891 and CVE-2021-42013 are the Apache vulnerabilities targeted in these attacks. Both bugs lack sufficient vendor patches and can lead to privilege escalation and remote code execution. This version of Zerobot is said to have additional distributed denial-of-service attack capabilities, including functions that allow the threat actors to target resources and make them inaccessible. Zerobot primarily infects IoT and operational-technology devices and is offered as part of a malware-as-a-service scheme.
Apart from Apache vulnerabilities, Zerobot is also exploiting CVE-2022-30023 and CVE-2020-25223.
FIN7 Creates Auto-Attack Platform To Breach Exchange Servers
FIN7 is a Russian hacking group active since 2012. They have created an auto-attack system named “Checkmarks” which finds and exploits vulnerabilities in Microsoft Exchange Servers, notably CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. These vulnerabilities can lead to remote code execution and privilege elevation. Checkmarks gains initial access to networks automatically by dropping web shells via PowerShell and distributes malware to further compromise the network. The platform also automatically adds new victims’ details to a central panel where FIN7 operators can see additional details about the compromised endpoint. Based on several factors such as the victim’s current revenue, number of employees, domain, headquarters details, etc., FIN7 launches ransomware attacks on the victims.
The US is currently the primary target of FIN7.
Microsoft Exchange Servers have also been targeted by several threat actors recently. Hence, organizations are recommended to patch all vulnerabilities immediately.
Vulnerabilities to Watch Out For
Old CISCO Vulnerabilities Targeted in Latest Attacks
Multiple vulnerabilities, some dating back to 2017, are being exploited in attacks as recent as March 2022. They are:
- CVE-2017-12240 and CVE-2018-0171 – RCE vulnerabilities that can give an authenticated attacker full control over a vulnerable system and even cause DoS.
- CVE-2018-0125 and CVE-2018-0147 – These vulnerabilities allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges.
- CVE-2021-1497 – This vulnerability leads to command injection attacks when exploited.
We recommend that all CISCO users patch these vulnerabilities immediately, as a priority.
CVE-2022-42821: Apple’s Critical Severity Bug
CVE-2022-42821, dubbed Achilles, is the macOS equivalent of a Mark-of-the-Web bypass in Windows. This security flaw allows files downloaded from unknown sources to be executed without a warning. Attackers can exploit this vulnerability to deploy malware on vulnerable macOS devices and execute it without restrictions.
Apple fixed this vulnerability in macOS 13 (Ventura), macOS 12.6.2 (Monterey), and macOS 11.7.2 (Big Sur) one week ago, on December 13.
Multiple High Severity Vulnerabilities in Samba
CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141 are high-severity flaws in the open source Windows interoperability suite, Samba. Samba offers file server, printing, and Active Directory services for Linux, Unix, and macOS operating systems.
CVE-2022-37966 and CVE-2022-37967 are privilege escalation vulnerabilities that were disclosed and fixed in the December Patch Tuesday.
CVE-2022-38023 is caused by the use of the weak RC4-HMAC Kerberos encryption type in the Netlogon Secure Channel.
CVE-2022-45141 is a vulnerability in the Samba AD DC which, when built with Heimdal, can be forced to issue rc4-hmac encrypted Kerberos tickets.
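To make the CVE-2022-38023 item concrete, here is an smb.conf fragment for a Samba AD DC showing the relaxed Netlogon secure-channel settings beside the hardened ones. This is an added example, not configuration from the post or from the Samba project's own documentation; it assumes a Samba release that carries the CVE-2022-38023 fix (4.17.4, 4.16.8 or 4.15.13 and later), where these parameters exist and the hardened values are the defaults.

```ini
# Added example: smb.conf [global] fragment for a Samba AD DC.
# Assumes Samba 4.17.4 / 4.16.8 / 4.15.13 or later; older releases do not
# know all of these parameters and will log them as unknown.

[global]
    # Relaxed values, as seen on a DC that was explicitly configured to
    # accept legacy RC4-HMAC (MD5-based) Netlogon clients:
    #   server schannel = auto
    #   reject md5 clients = no
    #   server schannel require seal = no

    # Hardened values (the defaults after the fix). Netlogon clients must
    # use a secure channel, must not negotiate RC4-HMAC/MD5, and the
    # channel must be sealed rather than only signed.
    server schannel = yes
    reject md5 clients = yes
    server schannel require seal = yes
```

After changing these values, review the Samba logs for clients that are now rejected; they identify legacy members that need to be upgraded rather than reasons to relax the global setting.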
CVE-2022-38733: Authentication Bypass Vulnerability in OnCommand Insight
This vulnerability could allow an unauthenticated attacker to gain admin privileges and disrupt the service of the OnCommand Insight Data Warehouse. However, exploiting it would not give the attacker access to any collected data, the ability to manage or view other Data Warehouse users, or access to any other OnCommand Insight components.
NetApp has released remediation measures for CVE-2022-38733 and recommends that users apply them promptly.
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.