This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Watch our security expert David Rushton detail the top 3 threats of this week!
Trending Threats
Vulnerabilities to Watch Out For
- CVE-2023-21554: Microsoft Vulnerability
- CVE-2023-21707: Microsoft Exchange Powershell Vulnerability
- CVE-2023-21932: Oracle Opera Vulnerability
- Vulnerabilities in Zyxel Firewall Devices
- TBK DVR Devices under Attack
- CVE-2023-28231: Vulnerability in Microsoft Windows DHCPv6 Service
- CVE-2023-20126: Critical Cisco Vulnerability
Trending Threats
CISA Adds More Vulnerabilities to the KEV Catalog
CISA added the following 3 vulnerabilities on May 1, 2023:
- CVE-2023-21839 is an unspecified vulnerability in Oracle WebLogic Server. It allows an unauthenticated attacker to access critical data and even take over the server.
- CVE-2021-45056 is the deserialization of untrusted data vulnerability in Apache Log4j2. It was exploited to launch DDoS attacks and execute code remotely. It requires user interaction for exploitation. A public exploit is already available.
- CVE-2023-1389 is an unauthenticated command injection vulnerability in the local API available via the web management interface. It is exploited by the Mirai botnet group to launch DDoS attacks.
We warned our customers regarding this vulnerability on Apr 25, 2023.
All these vulnerabilities need to be patched by May 22, 2023 according to the CISA guidelines.
APT28 Lures Targets with Fake ‘Windows Update’ Guides
Hackers are utilizing bogus Windows update guides to target the Ukrainian government. Spear-phishing emails are sent to the target that directs them to fake Microsoft websites that provide phony software downloads such as “Windows Update Assistants.” Once downloaded, the malware contained in the program enables the attackers to infiltrate the victim’s systems and steal crucial data. The threat actors use powershell commands to carry out the malicious activities. The attacks are launched by APT28, a Russian state-sponsored threat group and targets officials in the defense and security sectors of the Ukranian country.
CVE-2023-23397 and CVE-2017-6742 are two of the vulnerabilities exploited by APT28 to gain initial access.
ViperSoftX Software gets an Upgrade
ViperSoftX is a malicious software that has recently updated its tactics to steal sensitive information. The software uses an encryption technique to protect its communication and operations, making it challenging for cybersecurity professionals to detect and prevent its attacks. ViperSoftX’s malware can bypass antivirus software and steal data such as login credentials, banking information, and cryptocurrency wallets. The threat actors behind it have targeted organizations and individuals worldwide, with a significant focus on the financial sector. The attackers are known to use social engineering techniques such as phishing emails to trick victims into downloading the malware.
CVE-2023-24055 was sometimes abused to extract stored passwords in plain text.
Earth Longzhi has New Tricks up its Sleeve
Earth Longzhi has launched a sophisticated attack on multiple cybersecurity firms. In this attack they employed advanced tactics, including the use of a legitimate Windows utility named BITSAdmin, to deliver the malware and an encrypted payload that was designed to evade detection. This campaign uses a new variant of the Croxloader malware. The group used spear-phishing emails to gain initial access to the targeted companies. These emails were designed to look legitimate and were personalized to increase the likelihood of the recipient opening the email and clicking on the attachment.
Once inside the network, the group used stolen credentials to move laterally and gain access to sensitive data.
Another tool used by the group is SPHijacker which exploits CVE-2018-5713, a vulnerability in the Malwarefox Anti-Malware driver file.
1877 Team: New Kurdish Hacker Group
In July 2021, Iraqi Kurdish-founded group, the 1877 Team, took credit for conducting significant doxxing campaigns, website defacements, DDoS attacks, as well as infiltrating servers and databases. The group’s stated objectives are to exert pressure on governments, propagate public dissent, and gain notoriety. The 1877 Team maintains close connections with hacktivist groups such as Anonymous, AnonGhost, and ALtahrea.
The 1877 Team deploys a scanning technique to uncover web page vulnerabilities and uses brute force attacks to obtain administrator credentials and infiltrate foreign infrastructure. They conduct extensive reconnaissance to identify weaknesses in the system. The group’s targets include political entities, national governments, universities, telecommunication companies, defense organizations, and IT corporations.
Moreover, the 1877 Team has set up various marketplaces for trading hijacked infrastructure, modified malware, and hacking tools. The group exploits the following CVEs: CVE-2022-42805, CVE-2022-32899, CVE-2022-32948, and CVE-2022-32845.
Vulnerabilities to Watch Out For
CVE-2023-21554: Microsoft Vulnerability
This is an unauthenticated remote code execution (RCE) vulnerability in the Message Queuing (MSMQ) service. By default, the vulnerable component is not found, but it is frequently installed on Windows servers. Microsoft fixed this vulnerability and released a patch for it. Here’s how you can check if you have MSMQ enabled in your system.
CVE-2023-21707: Microsoft Exchange Powershell Vulnerability
A security flaw has been discovered in the PowerShell Remoting feature of Microsoft Exchange, which could be exploited by a malicious actor to remotely execute code on the system. The vulnerability, identified as CVE-2023-21707, arises from the deserialization of untrusted data by the Exchange PowerShell process. It impacts all versions of Microsoft Exchange that support the PowerShell feature.
It is recommended that users take measures to mitigate the risk of exploitation by installing the necessary patches.
CVE-2023-21932: Oracle Opera Vulnerability
A security flaw has been identified in Oracle Opera that could result in remote code execution. The vulnerability, tracked as CVE-2023-27131 does not require any authentication to exploit.
To avoid exploitation, users are advised to apply the recommended patch to their Oracle software.
Vulnerabilities in Zyxel Firewall Devices
Zyxel has released patches for the following vulnerabilities:
- CVE-2023-28771 – Critical RCE vulnerability. It allows an unauthenticated attacker to execute some OS commands remotely through the exploitation of improper error message handling in some firewall versions by sending crafted packets to an affected device.
- CVE-2023-27991 – Post-authentication command injection vulnerability. Allows an authenticated attacker to execute some OS commands remotely.
- CVE-2022-43389 – A buffer overflow vulnerability impacting 5G NR/4G LTE CPE devices. It leads to arbitrary code execution and does not require authentication.
CVE-2023-22913, CVE-2023-22914, CVE-2023-22915, CVE-2023-22916, CVE-2023-22917 and CVE-2023-22918 impact several firewalls and access point (AP) devices. They allow remote code execution and can even cause a denial-of-service (DoS) condition.
Zyxel released a security advisory for these vulnerabilities.
TBK DVR Devices under Attack
CVE-2018-9995 is a 5 year old unpatched vulnerability that is actively being exploited by some threat actors. The TBK devices are deployed in government and private organizations and can easily be exploited to gain access to the organizations’ networks. CVE-2018-9995 allows attackers to bypass authentication and obtain administrative privileges, eventually leading to access to camera video feeds. There is a public proof-of-concept available which the threat actors are taking advantage of. Another vulnerability that is being exploited is CVE-2016-20016, a remote code execution vulnerability impacting MVPower TV-7104HE and TV-7108HE DVRs. It allows attackers to perform unauthenticated command execution using malicious HTTP requests. It also remains unpatched by the vendor.
CVE-2023-28231: Vulnerability in Microsoft Windows DHCPv6 Service
Microsoft DHCPv6 Server has been found to have a heap-based buffer overflow caused by the improper handling of DHCPv6 Relay-forward messages. An attacker located remotely can take advantage of this weakness by sending modified DHCPv6 Relay-forward messages to the targeted server. If successful, this could lead to the execution of arbitrary code with administrative privileges.
Microsoft released a patch for this vulnerability in April 2023 and recommends users to apply it.
CVE-2023-20126: Critical Cisco Vulnerability
The vulnerability known as CVE-2023-20126, which has been assigned a critical CVSS score of 9.8, is a result of a firmware upgrade function that lacks proper authentication. This makes it possible for an attacker to take advantage of the vulnerability by installing a manipulated version of firmware on an impacted device. If successful, the attacker would be able to run arbitrary code on the affected device with complete privileges.
CISCO addressed this vulnerability in its security advisory.
Microsoft released a patch for this vulnerability in April 2023 and recommends users to apply it.
Follow our weekly blog and podcast to get proactive alerts on trending threats.
Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!