Securin’s Threat Intelligence: Feb 27, 2023 – Mar 3, 2023

Updated on Mar 2, 2023

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix it now?

Trending Threats

Vulnerabilities to Watch Out For

Trending Threats

New Backdoor from Lazarus APT

The notorious Lazarus APT group (origin: North Korea) is found to have been using a new backdoor, WinorDLL64 in a recent attack campaign in South Korea. WinorDLL64 can perform file manipulation, such as exfiltrating, overwriting, and removing files. Apart from this, it can also execute additional commands and acquire extensive system information. The group exploited CVE-2021-21551, Dell dbutil Driver’s insufficient access control vulnerability to gain initial access. The WinorDLL64 campaign technique overlaps with Lazarus’ previous attack campaign Operation GhostSecret. The loader for it is virtualized by the Oreans’ Code Virtualizer, which is a commercial protector that is used frequently by Lazarus.

CVE Details

CVE: CVE-2021-21551

CVSS: 7.8


Exploit Type: RCE,PE,WebApp

Affected Product Count: 1

Patch Link: Download

CISA Adds CVE-2022-36537 to the KEV Catalog

On February 27, 2023, CISA added the R1Soft Server Backup Manager vulnerability CVE-2022-36537 to the Known Exploitable Vulnerabilities database. This vulnerability allows an attacker to bypass authentication and even remotely execute code in R1Soft server software and its connected backup agents. It is currently being exploited by the attackers in the wild prompting the CISA to take notice of this and add it to the KEV list.

We had warned you about this threat in our last week’s threat intelligence blog. We again urge users to patch this vulnerability as soon as possible. 

The Very Active RIG Exploit Kit

RIG exploit kit was first released in 2014 and has been used as a malware distributor since then. It is a set of malicious JavaScript scripts embedded in compromised or malicious websites by the threat actors, which are then promoted through malvertising. The RIG kit was taken down in 2017 and most of its operations were halted. However, in 2019, RIG began ransomware distribution for Sodinokibi (REvil), Nemty, and ERIS ransomware. It also exploited CVE-2020-0674 and CVE-2021-26411 in Internet Explorer to achieve this. Now, the RIG kit is found to be dropping the Redline information-stealer malware onto victims. It is targeting enterprise devices that still use Internet Explorer. The RIG exploit is also distributing Dridex, SmokeLoader, RaccoonStealer, Zloader, Truebot, and IcedID malware. Enterprises that use the outdated Internet Explorer browser should immediately switch to another browser to avoid falling victim to ransomware attacks.

Ares Hacking Group uses Kaiji Botnet in Attacks

Kaiji is a botnet written in the GO language. It was discovered in 2020 and its variant is called Chaos. Recently, it was discovered that this botnet is related to Ares, a hacking group that rents botnets. Some of their popular botnets are  Mirai, Moobot, and Lucifer. They’ve been used to launch DDoS attacks and crypto-mining activities (by distributing XMRig). Chaos uses stolen SSH keys to infect vulnerable devices with brute force attacks. It can run on both Linux and Windows devices. Chaos establishes persistence and connects to an embedded command and control (C&C) server. Next, it receives staging commands, such as to start propagation via known CVEs or SSH, or to begin IP spoofing. On infected Windows systems, the malware first creates a mutex by binding to a UDP port that it shields from analysis. If the binding fails, the malware exits its process. It also executes a number of commands to further comprise the infected device, launch DDoS attacks and mine crypto currency. 

BlackLotus Bypasses UEFI Secure Boot

It was recently discovered that BlackLotus, a UEFI bootkit can bypass UEFI Secure Boot on fully updated systems. This is the first instance of a malware that can perform this action.  

BlackLotus exploits a security flaw CVE-2022-21894 (aka Baton Drop) which allows arbitrary code execution during early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled without having physical access to it. It also enables Bring Your Own Vulnerable Driver (BYOVD) attacks by bringing own copies of legitimate  and vulnerable binaries to the system in order to exploit CVE-2022-21894. Validly signed binaries have still not been added to the UEFI revocation list which makes it possible for BlackLotus to carry out BYOVD attacks. 

CVE-2022-21894 was fixed in Microsoft’s January Patch Tuesday.

Vulnerabilities to Watch Out For

Critical Flaws in WordPress

CVE-2023-26540 and CVE-2023-26009 are vulnerabilities in the Houzez Theme plugin used in WordPress. The plugin is used primarily in real estate websites for easy listing management and customer experience enhancement. 

CVE-2023-26540 (CVSS v3.1: 9.8) occurs because of a security misconfiguration in the plugin and allows privilege escalation to an unauthenticated attacker.

CVE-2023-26009  (CVSS v3.1: 9.8) also allows unauthenticated attackers to perform privilege escalation on sites using the plugin. 

PatchStack has fixed these vulnerabilities in the plugin versions 2.7.2 and higher.

CVE-2022-38108: SolarWinds Vulnerability

This vulnerability impacts SolarWinds Network Performance Monitor. It allows a remote,  authenticated attacker to  execute arbitrary code under the security context of SYSTEM by sending crafted requests to an affected server. It has been patched by SolarWinds.

Critical Vulnerabilities in CISCO

CISCO addressed CVE-2023-20078 and CVE-2023-20079 that impacts multiple IP Phone models.

  • CVE-2023-20078: Allows attackers to inject arbitrary commands that will be executed with root privileges.
  • CVE-2023-20079: Can be exploited to trigger denial-of-service (DoS) conditions.

Both these vulnerabilities are caused by insufficient validation of user-supplied input and can be exploited using maliciously crafted requests sent to the targeted device’s web-based management interface.

Users of CISCO  IP Phones should ensure that these vulnerabilities are patched immediately.

Follow our weekly Threat Intelligence Series and podcast for proactive alerts on trending threats.

Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!

Share This Post On