Securin’s Threat Intelligence: May 15, 2023 – May 19, 2023

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context.

Find out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Watch our security expert David Rushton detail the top 3 threats of this week!

Trending Threats

CISA Adds 7 CVEs to the KEV Catalog

CVE-2023-25717 is an RCE vulnerability affecting multiple Ruckus Wireless products via CSRF. An attacker does not require authentication to carry out these attacks and can gain access through crafted HTTP requests.

CVE-2021-3560 is a Red Hat Polkit Incorrect Authorization vulnerability. Polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user.

CVE-2014-0196 is a Linux Kernel Race Condition vulnerability that gives an unauthenticated attacker elevated privileges when exploited. Exploiting CVE-2014-0196 also allows an attacker to execute arbitrary code or perform a denial-of-service (DoS) attack by sending specially crafted network packets to a vulnerable system.

CVE-2010-3904 is a Linux Kernel Improper Input Validation vulnerability. The vulnerability specifically affects the Apache HTTP Server versions 1.3.x and 2.x when configured with the mod_deflate module and the DEFLATE option enabled. The mod_deflate module is responsible for compressing server responses before sending them to the client, thereby reducing bandwidth usage. When a specially crafted request is sent to a vulnerable server, it can cause the server process to consume excessive CPU resources, leading to a denial of service condition. This can result in the server becoming unresponsive or crashing, preventing legitimate users from accessing the affected services.

CVE-2015-5317 is a Jenkins User Interface (UI) Information Disclosure vulnerability. The vulnerability arises from a misconfiguration in CGI implementations that allows an attacker to set a malicious HTTP “Proxy” header, which can overwrite the HTTP_PROXY environment variable. This can lead to the proxying of subsequent HTTP requests made by the application, potentially resulting in sensitive information leakage or other malicious activities.

CVE-2016-3427 is an Oracle Java SE and JRockit Unspecified vulnerability. The vulnerability allows an attacker to send a specially crafted query to a vulnerable BIND server, resulting in excessive memory consumption and potential resource exhaustion. This can lead to a denial of service condition, where the server becomes unresponsive or crashes.

CVE-2016-8735 is an Apache Tomcat Remote Code Execution vulnerability. It is a privilege escalation vulnerability that allows an attacker to gain write access to read-only memory mappings in the Linux kernel. By exploiting this vulnerability, an attacker can modify read-only files, such as binaries or system libraries, and execute arbitrary code with elevated privileges.

All these vulnerabilities need to be patched by June 2, 2023.

BianLian Targets Educational Organizations

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) have collaborated to release a joint advisory providing information on the activities of the BianLian ransomware and data extortion group. BianLian is a cybercriminal group that has been targeting organizations operating in critical infrastructure sectors in the United States and Australia since June 2022. To gain initial access to victim systems, BianLian exploits compromised Remote Desktop Protocol (RDP) credentials or employs phishing attacks. The group relies on open-source tools and command-line scripting to discover and harvest credentials from targeted systems. They exfiltrate the stolen data using various methods, including File Transfer Protocol (FTP), Rclone, or Mega.

BianLian employs customized backdoors and utilizes remote management software such as TeamViewer, Atera Agent, SplashTop, or AnyDesk for persistence and command and control of compromised systems. They also leverage PowerShell and Windows Command Shell to evade detection and carry out activities such as reconnaissance and lateral movement within the victim’s network. In addition to their primary tactics, BianLian employs additional techniques to pressure victims into meeting their ransom demands. These include printing ransom notes on compromised network printers and making threatening phone calls to employees of the victim organizations.

BianLian exploits CVE-2020-1472, CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207 to gain initial access.

XWorm Attack Campaign Exploiting Follina

A recent attack campaign used unusual methods involving meme-filled PowerShell code and an obfuscated XWorm payload. The attack starts with phishing emails distributing Microsoft Word documents that exploit the Follina vulnerability (CVE-2022-30190) to deploy an obfuscated PowerShell script, instead of using macros. The threat actors abuse the PowerShell script to bypass the Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and launch a .NET binary containing XWorm. The use of the variable “$CHOTAbheem” suggests a possible Middle Eastern/Indian background of the attackers, although this attribution is yet to be confirmed.

XWorm is a commodity malware sold on underground forums with various capabilities, including stealing sensitive information, performing clipper, DDoS, and ransomware operations, spreading through USB, and dropping additional malware. The origin of the threat actor is unclear, but the attack methodology shares similarities with TA558, a group known for targeting the hospitality industry. Despite the general avoidance of Microsoft Office documents in phishing emails due to disabled macros, this case highlights the importance of remaining vigilant and cautious with malicious document files.

Bl00dy Ransomware Takes on Educational Organizations

The FBI and CISA have jointly issued an advisory warning that the Bl00dy Ransomware gang is actively exploiting a remote-code execution vulnerability in PaperCut software to gain initial access to networks. The attacks have primarily targeted the education sector, which has a significant number of exposed vulnerabilities. The gang gained access to education facility networks where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet, resulting in data exfiltration and system encryption. The vulnerability has been under active exploitation since at least April 18, 2023, and organizations have been slow to install the necessary updates, leaving them vulnerable to attacks.

CVE-2023-27350 is a critical-severity remote code execution vulnerability affecting PaperCut MF and PaperCut NG, popular print management software used by thousands of organizations globally. The attacks exploit the vulnerability to bypass user authentication, gain administrative access, spread laterally through the network, steal data, and encrypt target systems. Iranian hacking groups, including ‘Muddywater,’ have also joined in exploiting CVE-2023-27350 to achieve remote execution on their targets.

The recommended action is to promptly apply available security updates for PaperCut MF and NG servers to address the exploited vulnerabilities.

Vulnerabilities to Watch Out For

WordPress Plugin Vulnerabilities

Advanced Custom Fields: Hackers are actively exploiting a recently fixed vulnerability, CVE-2023-30777, in the WordPress Advanced Custom Fields plugin shortly after a proof-of-concept (PoC) exploit was made public. It is a high-severity reflected cross-site scripting (XSS) flaw that allows unauthenticated attackers to steal sensitive information and escalate privileges on affected WordPress sites. The exploit targets logged-in users with access to the plugin: a user who is tricked into running the malicious code in their browser grants the attacker high-privileged access to the site. The exploit works on default configurations of the affected plugin versions, making it easier for attackers to succeed without additional effort.

WordPress site administrators are urged to apply the available patch immediately to protect against ongoing scanning and exploitation. The recommended action is to upgrade the ‘Advanced Custom Fields’ free and pro plugins to version 5.12.6 (backported) and 6.1.6.

Essential Addons for Elementor: CVE-2023-32243 is an unauthenticated privilege escalation vulnerability in Essential Addons for Elementor, allowing any unauthenticated user to escalate their privileges to match any user on the WordPress site. The vulnerability enables an attacker to reset the password of any user if they know the username, including the administrator’s account, granting unauthorized access.

The vulnerability arises from a lack of validation in the password reset function, which directly changes the password of the specified user without verifying a password reset key.

The issue was addressed and fixed in version 5.7.2 of the plugin.
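The pattern described above, as an added illustrative example that is not the plugin's own code: a reset handler that changes a password on the strength of a username alone, beside a hardened handler that only proceeds with the one-time reset key WordPress mailed to the account owner. The function names, form field names and nonce action are hypothetical; the WordPress helpers (get_user_by, check_password_reset_key, reset_password, wp_verify_nonce, sanitize_user) are assumed to be available from the WordPress runtime.

```php
<?php
// Illustrative example only, not code from Essential Addons for Elementor.
// Assumes the WordPress runtime; $_POST field names and the nonce action are made up.

// WEAK: nothing proves the requester owns the account. Any unauthenticated
// visitor who knows a login (for example the administrator's) can set its password.
function example_reset_password_weak() {
    $user = get_user_by( 'login', sanitize_user( $_POST['rp_login'] ?? '' ) );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user.' );
    }
    reset_password( $user, (string) ( $_POST['rp_password'] ?? '' ) );
    return true;
}

// HARDENED: the password changes only if the submitted key matches the stored,
// unexpired reset key for that login, and the form carries a valid nonce.
function example_reset_password_hardened() {
    if ( ! wp_verify_nonce( $_POST['rp_nonce'] ?? '', 'example_rp_action' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $login = sanitize_user( $_POST['rp_login'] ?? '' );
    $key   = (string) ( $_POST['rp_key'] ?? '' );
    $pass1 = (string) ( $_POST['rp_password'] ?? '' );
    $pass2 = (string) ( $_POST['rp_password_confirm'] ?? '' );

    // check_password_reset_key() returns a WP_User on success, or a WP_Error
    // for an unknown login, a wrong key, or an expired key.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // One generic message, so the response does not reveal which logins exist.
        return new WP_Error( 'invalid_key', 'This reset link is invalid or has expired.' );
    }
    if ( $pass1 === '' || $pass1 !== $pass2 ) {
        return new WP_Error( 'password_mismatch', 'Passwords do not match.' );
    }
    // reset_password() sets the new hash and clears the stored activation key
    // (via wp_set_password), so the same link cannot be replayed.
    reset_password( $user, $pass1 );
    return true;
}
```

The fix in the advisory amounts to the difference between these two handlers: the key check that binds the request to a reset the account owner actually initiated.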

CVE-2023-2156: Linux IPv6 Zero-Day

CVE-2023-2156 relates to the implementation of the Routing Protocol for Low-Power and Lossy Networks (RPL) in the IPv6 code section responsible for handling Routing headers. In IPv6, optional Extension Headers carry packet details and routing information. This critical bug arises from the interaction between the RPL implementation and the Linux kernel’s code. An attacker can exploit it to trigger a kernel panic; because the kernel panics rather than permitting an out-of-bounds access, the impact is limited to denial of service.

There is no patch for it yet, although a proof-of-concept exists.

Critical Cisco Vulnerabilities

Cisco has issued a warning to its customers regarding four critical vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) that could allow remote code execution on multiple Small Business Series Switches. These vulnerabilities have received near-maximum severity ratings, with a CVSS base score of 9.8/10.

If successfully exploited, these vulnerabilities enable unauthenticated attackers to execute arbitrary code with root privileges on compromised devices. The vulnerabilities are independent of each other, meaning the exploitation of one vulnerability is not contingent on exploiting another. Additionally, a software release affected by one vulnerability may not necessarily be affected by the others.

Firmware updates have been provided by Cisco to address the vulnerabilities in certain switch models, while others, such as the Small Business 200, 300, and 500 Series, will not receive patches due to being in the end-of-life phase.

Zero-Day Vulnerabilities in Apple Products

Apple has fixed three newly discovered zero-day vulnerabilities that were exploited in attacks aimed at hacking into iPhones, Macs, and iPads.

The security bugs were found in the WebKit browser engine, which is used across multiple platforms. CVE-2023-32409 allows remote attackers to break out of Web Content sandboxes.

CVE-2023-28204 and CVE-2023-32373 enable attackers to gain access to sensitive information and execute arbitrary code on compromised devices by tricking users into visiting maliciously crafted web pages.

To address these zero-day vulnerabilities, Apple released updates for macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5. The updates include improved bounds checks, input validation, and memory management.

Follow our weekly blog and podcast to get proactive alerts on trending threats.
