This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix it now?
Vulnerabilities to Watch Out For
New Backdoor from Lazarus APT
The notorious Lazarus APT group (origin: North Korea) is found to have been using a new backdoor, WinorDLL64 in a recent attack campaign in South Korea. WinorDLL64 can perform file manipulation, such as exfiltrating, overwriting, and removing files. Apart from this, it can also execute additional commands and acquire extensive system information. The group exploited CVE-2021-21551, Dell dbutil Driver’s insufficient access control vulnerability to gain initial access. The WinorDLL64 campaign technique overlaps with Lazarus’ previous attack campaign Operation GhostSecret. The loader for it is virtualized by the Oreans’ Code Virtualizer, which is a commercial protector that is used frequently by Lazarus.
CWE ID: CWE-285
Exploit Type: RCE,PE,WebApp
Affected Product Count: 1
Patch Link: Download
CISA Adds CVE-2022-36537 to the KEV Catalog
On February 27, 2023, CISA added the R1Soft Server Backup Manager vulnerability CVE-2022-36537 to the Known Exploitable Vulnerabilities database. This vulnerability allows an attacker to bypass authentication and even remotely execute code in R1Soft server software and its connected backup agents. It is currently being exploited by the attackers in the wild prompting the CISA to take notice of this and add it to the KEV list.
We had warned you about this threat in our last week’s threat intelligence blog. We again urge users to patch this vulnerability as soon as possible.
The Very Active RIG Exploit Kit
Ares Hacking Group uses Kaiji Botnet in Attacks
Kaiji is a botnet written in the GO language. It was discovered in 2020 and its variant is called Chaos. Recently, it was discovered that this botnet is related to Ares, a hacking group that rents botnets. Some of their popular botnets are Mirai, Moobot, and Lucifer. They’ve been used to launch DDoS attacks and crypto-mining activities (by distributing XMRig). Chaos uses stolen SSH keys to infect vulnerable devices with brute force attacks. It can run on both Linux and Windows devices. Chaos establishes persistence and connects to an embedded command and control (C&C) server. Next, it receives staging commands, such as to start propagation via known CVEs or SSH, or to begin IP spoofing. On infected Windows systems, the malware first creates a mutex by binding to a UDP port that it shields from analysis. If the binding fails, the malware exits its process. It also executes a number of commands to further comprise the infected device, launch DDoS attacks and mine crypto currency.
BlackLotus Bypasses UEFI Secure Boot
It was recently discovered that BlackLotus, a UEFI bootkit can bypass UEFI Secure Boot on fully updated systems. This is the first instance of a malware that can perform this action.
BlackLotus exploits a security flaw CVE-2022-21894 (aka Baton Drop) which allows arbitrary code execution during early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled without having physical access to it. It also enables Bring Your Own Vulnerable Driver (BYOVD) attacks by bringing own copies of legitimate and vulnerable binaries to the system in order to exploit CVE-2022-21894. Validly signed binaries have still not been added to the UEFI revocation list which makes it possible for BlackLotus to carry out BYOVD attacks.
CVE-2022-21894 was fixed in Microsoft’s January Patch Tuesday.
Vulnerabilities to Watch Out For
Critical Flaws in WordPress
CVE-2023-26540 and CVE-2023-26009 are vulnerabilities in the Houzez Theme plugin used in WordPress. The plugin is used primarily in real estate websites for easy listing management and customer experience enhancement.
CVE-2023-26540 (CVSS v3.1: 9.8) occurs because of a security misconfiguration in the plugin and allows privilege escalation to an unauthenticated attacker.
CVE-2023-26009 (CVSS v3.1: 9.8) also allows unauthenticated attackers to perform privilege escalation on sites using the plugin.
PatchStack has fixed these vulnerabilities in the plugin versions 2.7.2 and higher.
CVE-2022-38108: SolarWinds Vulnerability
This vulnerability impacts SolarWinds Network Performance Monitor. It allows a remote, authenticated attacker to execute arbitrary code under the security context of SYSTEM by sending crafted requests to an affected server. It has been patched by SolarWinds.
Critical Vulnerabilities in CISCO
- CVE-2023-20078: Allows attackers to inject arbitrary commands that will be executed with root privileges.
- CVE-2023-20079: Can be exploited to trigger denial-of-service (DoS) conditions.
Both these vulnerabilities are caused by insufficient validation of user-supplied input and can be exploited using maliciously crafted requests sent to the targeted device’s web-based management interface.
Users of CISCO IP Phones should ensure that these vulnerabilities are patched immediately.