Securin’s Threat Intelligence: Feb 20, 2023 – Feb 24, 2023

Updated on Feb 24, 2023

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix it now?

Trending Threats

Vulnerabilities to Watch Out For

Trending Threats

Earth Kitsune Uses New Malware, WhiskerSpy

Earth Kitsune is a new threat actor known for targeting North Korean entities. In a recent campaign, researchers have found that the group is using a new backdoor known as WhiskerSpy. This malware was delivered to the victims’ devices when they tried to watch videos on a malicious website. The attacker compromised the website and injected a malicious script that asked the victim to install a video codec for the media to run. This tactic is known as a watering hole attack. WhiskerSpy can perform a number of actions including: interactive shell, download file, upload file, delete file, list files, take screenshot, load executable and call its export, and inject shellcode into a process.

CISA Added 3 New Vulnerabilities to the KEV Catalog

On February 22, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-47986, CVE-2022-41223, and CVE-2022-40765 to the Known Exploitable Vulnerabilities catalog. 

  • CVE-2022-47986 is the IBM Aspera Faspex remote code execution vulnerability that could allow a remote attacker to execute arbitrary code in a compromised system. There is evidence that this vulnerability is actively exploited in the wild, especially after a proof of concept for the exploit was released. 

We warned our customers regarding this vulnerability in last week’s threat intelligence blog.

  • CVE-2022-41223 and CVE-2022-40765 impact Mitel’s MiVoice Connect product. These code and command injection vulnerabilities allow an authenticated attacker with internal network access to execute arbitrary code. Mitel patched these vulnerabilities in October 2022 but they still are targeted by attackers.

Indian APT Group Sidewinder Targets Educational Institutions

Sidewinder (AKA Rattlesnake) is an Indian APT group that has been active since 2012. It carries out cyber espionage campaigns in Asian countries such as China, Pakistan, Bangladesh , etc. In a recent attack the group targeted Chinese scientific research universities and institutions using phishing emails with malicious attachments. In addition to this, they’ve also used template injection to deliver malicious documents and launched attacks on the Pakistani government, military and other units. The group is suspected to download trojan horses in every download to carry out subsequent attacks. To gain initial access, Sidewinder has exploited  CVE-2017-11882. It is a Microsoft Office memory corruption vulnerability. It has over 1500 exploits and is associated with 8 ransomware strains. 

CVE Details

CVE: CVE-2017-11882

CVSS: 9.3


Exploit Type: RCE,PE,WebApp

Affected Product Count: 4

APT Associations: Swede, Lone Wolf, and 21 others

Ransomware Associations: Zemblax, Fake Globe, and 6 others

Patch Link: Download

Vulnerabilities to Watch Out For

CVE-2022-39952 and CVE-2021-42756: Critical Flaws in Fortinet

Fortinet fixed two critical remote code execution flaws in its products.

CVE-2022-39952 affects FortiNAC. It has a critical rating of 9.8 on the CVSS scale. An external control of file name or path vulnerability [CWE-73] in FortiNAC web server may allow an unauthenticated attacker to perform arbitrary write on the system using this vulnerability.

Update: Threat actors are actively exploiting CVE-2022-39952 targeting Internet-exposed Fortinet appliances. They’ve been observed using corn jobs to open reverse shells to attackers’ IP addresses after gaining initial access. 

CVE-2021-42756 affects FortiWeb and it has 9.3 on the CVSS scale. Multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiWeb’s proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests. 

CVE-2023-20858: Critical VMware Vulnerability

CVE-2023-20858 is a vulnerability in VMware’s Carbon Black App Control product. It rates 9.1 on the CVSS scale. An authenticated threat actor with access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system. VMware released a security advisory for this vulnerability and urged users to update to versions 8.7.8, 8.8.6, and 8.9.4 to mitigate potential risks.

Critical Vulnerabilities in Apple OS

CVE-2023-23530, CVE-2023-23531, and CVE-2023-23520 were recently disclosed by Apple in a security advisory

  • CVE-2023-23530 is due to a race condition in the  Crash Reporter component. If exploited, it could enable a malicious actor to read arbitrary files as root. 

  • CVE-2023-23531 and CVE-2023-23520 are present in the Foundation Framework. They could allow an attacker to remotely execute code in the compromised device.

All three are classified as medium severity vulnerabilities.

CVE-2022-36537: Vulnerability in R1Soft Server Backup Manager

CVE-2022-36537 is actively being exploited by deploying backdoors. It is a vulnerability in the ZK Java Framework that R1Soft Server Backup Manager utilizes. An attacker can exploit it to bypass authentication and even remotely execute code in R1Soft server software and its connected backup agents. In one of the recent attacks, researchers discovered that the vulnerability was used to gain initial access and drop a malicious JDBC driver. This driver can load new functionalities in memory and execute commands. ZK released a security advisory for this vulnerability and recommends users to patch it as soon as possible.

Follow our weekly Threat Intelligence Series and podcast for proactive alerts on trending threats.

Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!

Share This Post On