Securin’s Threat Intelligence: Mar 20, 2023 – Mar 24, 2023

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Trending Threats

Vulnerabilities to Watch Out For

Trending Threats

Enhanced Capabilities of the Chaos Malware

As seen before, Chaos is a Go-based malware and a variant of Kaiji botnet malware. It is being used as a ransomware strain, a remote access trojan (RAT), and also a DDoS malware variant. There have been wide sightings of multiple variants of this malware in the wild. It is constantly upgraded with the threat actors trying to develop a variant that persists even after a container reboot. Thus far, the malware is powerful in terms of persistence but is unable to survive a container reboot. Chaos is deployed in devices that are compromised after exploiting CVE-2017-17215, CVE-2022-30525, and CVE-2022-1388. To avoid falling victim to Chaos, users are recommended to patch the mentioned vulnerabilities.

New Botnet: Hinata

Hinata is a new malware botnet that is targeting  Realtek SDK, Huawei routers, and Hadoop YARN servers. It is used by threat actors to launch powerful DDoS attacks. It is even capable of  sending HTTP packets of size range between 484 and 589 bytes. The UDP packets generated by HinataBot are particularly large (65,549 bytes) and consist of null bytes capable of overwhelming the target with a large traffic volume. Hinata may be based on the Mirai botnet and is developed using the Go language. This malware was discovered exploiting old CVEs such as CVE-2014-8361 and CVE-2017-17215. CVE-2014-8361 is a vulnerability in the Realtek SDK that can be exploited to perform  arbitrary code execution. It has 7 publicly exposed exploits. Given below is the timeline of the CVE. From this, we can see that our analysis tool marked this as highly exploitable in Dec 2017 itself.

CVE-2017-17215 is a vulnerability in Huawei HG532.  An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.

Our ML based analytical tool has been mapping the exploits of this CVE. The predictive VRS of this vulnerability has been continuously at the highest range since Jul 2020.

QakBot's Latest Campaign Exploits OneNote

Following the exploitation of the Mark-of-the-Web vulnerability (CVE-2022-41091), Microsoft had blocked Excel-4 and VBA macros downloaded from unknown sources on the internet. The threat actors behind QakBot found a way to bypass this restriction by using OneNote attachments with malicious files. In the latest phishing campaign, OneNote attachments were initially embedded with HTML Application (.HTA) files, capable of executing JavaScript, Jscript and VBScript. They were then used to deploy malware samples and further exploit the compromised systems. 

QakBot’s campaign is a reminder for us to verify the legitimacy of emails and attachments before downloading them onto our devices.

UNC961: New Threat Actor with Financial Motives

A new threat actor tracked as UNC961 was found targeting organizations between December 2021 and July 2022. They were exploiting internet-facing servers and vulnerabilities for which the exploits were already publicly available. One of their famous exploits is the Log4Shell (CVE-2021-44228) vulnerability. UNC961 has also targeted Atlassian Confluence (CVE-2021-26084), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750), Gitlab (CVE-2021-22205). After initial access was achieved, they exfiltrated sensitive data, including network reconnaissance and credential information that could be sold or used in support of follow-on missions. The attacks were usually followed by MAZE and EGREGOR ransomware deployments. The threat actors seem financially motivated and are also going for low-hanging fruits in terms of exploits. 

All the above mentioned vulnerabilities have patches and organizations should ensure that they are applied.

Vulnerabilities to Watch Out For

CVE-2023-0179: Linux Vulnerability

CVE-2023-0179 is a local privilege escalation vulnerability in the Linux kernel. An attacker can exploit this vulnerability to execute code on vulnerable computers with elevated rights if the kernel is installed on those systems. A proof of concept has also been released for this vulnerability. Ubuntu has patched this CVE in the latest release.

Android Zero-Days

4 new vulnerabilities have been discovered in the special mobile phone networking firmware that runs on the phone’s baseband chip. An attacker can break into the phone network system as well as the phone’s main operating system to control it. One of the bugs is tracked as CVE-2023-24033 and could allow remote code execution without user interaction. 

Google has fixed these bugs in the latest update and recommends users to apply it immediately.

CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability

CloudPanel has 3 issues reported in its software. The first issue is regarding the authenticity verification of the installation script provided by the vendor. Since it is not properly verified, an attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.

The second bug allows the installer to overwrite local firewall rules and use an excess number of allowed inputs during setup.

The third issue, CVE-2023-0391 in the CloudPanel software allows all installations to share the same SSL certificate private key which the attackers can use to gain access to the victim’s account. 

The firewall bug and the private key bug can be chained together and exploited to take over new CloudPanel instances as they are being deployed. 

CloudPanel is yet to address these issues and release fixes.

CVE-2023-23397: Microsoft Outlook Vulnerability

The Microsoft zero-day vulnerability CVE-2023-23397 is a cause for concern as it is very easy to exploit. Moreover, it allows the hackers access to Net-NTLMv2 hashes, which enable authentication in Windows environments. Attackers can use this to authenticate themselves as the victims, escalate privileges, or further compromise the environment. This vulnerability impacts all supported versions of Microsoft Outlook for Windows including the locally installed Outlook from M365. Other versions of Microsoft Outlook such as Android, iOS, Mac as well as Outlook on the web and other M365 services on the web are not affected.

Users need to immediately patch this vulnerability if they use Microsoft Outlook for emails and calendar.

PoC Released for Netgear Vulnerabilities

Proof-of-concept exploits for 4 vulnerabilities in Netgear’s Orbi 750 series router and extender satellites have been released. 

CVE-2022-37337 is a remotely exploitable command execution vulnerability in the access control functionality of the Netgear Orbi router. An attacker can exploit publicly accessible admin consoles by sending a specially-crafted HTTP request to the vulnerable router to execute arbitrary commands on the device.

CVE-2022-38452 is a high-severity remote command execution vulnerability in the router’s telnet service. The flaw’s exploitation requires valid credentials and a MAC address. 

CVE-2022-36429, a high-severity command injection in the backend communications functionality of the Netgear Orbi Satellite, which links to the router to extend the network coverage. An attacker can exploit this flaw by sending a sequence of specially-crafted JSON objects to the device. However, retrieving an admin token is required for the attack to work.

 CVE-2022-38458, a cleartext transmission problem impacting the Remote Management functionality of the Netgear Orbi router, enabling man-in-the-middle attacks that can lead to sensitive information disclosure.

Follow our weekly blog and podcast to get proactive alerts on trending threats.

Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!

Share This Post On