Securin’s Threat Intelligence: Mar 13, 2023 – Mar 17, 2023

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Trending Threats

Vulnerabilities to Watch Out For

Trending Threats

IceFire Ransomware Targets Linux Devices

IceFire ransomware, previously focused on Windows exploits, has released a malware that infects Linux devices. The ransomware gang has already deployed these malware samples in a number of organizations worldwide. The new ransomware encrypts files on the Linux system but not all of them. Specific paths remain unencrypted allowing critical system parts to remain operational. CVE-2022-47986, the IBM Aspera vulnerability is targeted by IceFire to gain initial access. There are more than 150 Aspera servers exposed online. Aspera users must fix this Vulnerabilities to avoid falling victim to IceFire ransomware.

CISA Adds More CVEs to the KEV List

CVE-2021-39144 is a critical VMware XStream flaw that can allow attackers to execute code remotely. It has a 9.8 score on the CVSS scale. This bug can be exploited in low-complexity attacks without user interaction necessary to execute arbitrary code with root privileges. 

A proof of concept is already available publicly and there is evidence that this vulnerability is exploited in the wild.

CVE-2020-5741 is the Plex bug that was exploited in the LastPass breach. It allows attackers with admin privileges to execute arbitrary code remotely in low-complexity attacks. The attackers do not need user interaction for exploitation. LastPass was hacked in 2022 using this vulnerability and installing a keylogger.

CISA added both these vulnerabilities to the Known Exploitable Vulnerabilities list on Mar 10, 2023 and requires the federal organizations to patch them by March 31, 2023.

Telerik Vulnerability Under Active Exploitation

One of the US federal branches was recently breached by unknown threat actors who exploited the deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX. The vulnerability can allow attackers to remotely execute code in the compromised servers. The attack occurred sometime between November 2022 and early January 2023. Malicious payloads were deployed once the threat actors gained initial access, which was then used to steal data from the device, and evade detection. Microsoft fixed this vulnerability in November 2021 but since the federal agency did not patch it, it was the victim of this attack. 

Vulnerabilities to Watch Out For

Several Vulnerabilities in Jenkins Server

A chain of vulnerabilities in Jenkins Server and Update Center was recently discovered. An attacker can execute arbitrary code in a compromised server by exploiting these vulnerabilities.

Tracked as CVE-2023-27898 and CVE-2023-27905, they are called CorePlague and can also allow attackers to impact self-hosted Jenkins servers.

Jenkins patched these vulnerabilities on Feb 15, 2023 and recommends users to apply it to mitigate risks.

FortiOS Zero-Day Vulnerability

CVE-2022-41328 is a high-severity vulnerability in FortiOS that is actively exploited by threat actors.  An authenticated attacker can exploit it to read and write arbitrary files by sending crafted CLI commands. Forti has patched this vulnerability in FortiOS version 6.4.12 and above.

 Threat actors are targeting Government networks which use unpatched versions of FortiOS.

Follow our weekly blog and podcast to get proactive alerts on trending threats.

Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!

Share This Post On