Securin’s Threat Intelligence: May 8, 2023 – May 12, 2023

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context.

Find out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Watch our security expert David Rushton detail the top 3 threats of this week!

Trending Threats

Microsoft Patch Tuesday

Microsoft released patches for 38 vulnerabilities on Tuesday, May 9, 2023. Among these are 3 zero-day vulnerabilities:

CVE-2023-29336: Win32k Elevation of Privilege Vulnerability

  • Microsoft has addressed a privilege elevation vulnerability in the Win32k kernel driver, which allows an attacker to gain SYSTEM privileges.
  • The bug is actively exploited, although Microsoft has not provided specific details about the exploitation method.

CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 9, 2023. Federal organizations are expected to patch it by May 30, 2023.

CVE-2023-24932: Secure Boot Security Feature Bypass Vulnerability

  • Microsoft has patched a Secure Boot bypass flaw that was utilized by a threat actor to install the BlackLotus UEFI bootkit.
  • The bootkit is hidden malware that operates at the system firmware level, below the operating system, which allows it to evade detection by security software.
  • The BlackLotus bootkit has been available for sale on hacker forums since October 2022 and has continued to evolve its features.
  • Microsoft has released guidance on how to detect BlackLotus UEFI bootkit attacks and has fixed the vulnerability used by the bootkit in the latest patch. However, the fix is not enabled by default, and additional steps are required to mitigate the vulnerability.

CVE-2023-29325: Windows OLE Remote Code Execution Vulnerability

  • Microsoft has resolved a Windows OLE flaw found in Microsoft Outlook that can be exploited through specially crafted emails.
  • An attacker exploits this vulnerability by sending a specially crafted email; the flaw is triggered when the victim previews or opens the email in an affected version of Microsoft Outlook.
  • Successful exploitation could lead to remote code execution on the victim’s machine.
  • To exploit the flaw, an attacker must win a race condition and perform additional actions.
  • Users can mitigate this vulnerability by reading all messages in plain text format.
  • Separately, Microsoft has also released a security update for one publicly disclosed zero-day vulnerability that was not actively exploited.
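The plain-text mitigation above is a per-user Outlook setting that can be audited and enforced from PowerShell. The script below is an added example, not part of Securin’s post or Microsoft’s guidance; it assumes the Outlook registry version "16.0" (Outlook 2016/2019/365) and the documented ReadAsPlain DWORD under Outlook\Options\Mail, and the function names are this example’s own.

```powershell
# Added example: audit and apply the "read all standard mail in plain text"
# mitigation described for CVE-2023-29325.
# Assumptions: Outlook registry version "16.0"; value ReadAsPlain (DWORD) under
# ...\Outlook\Options\Mail (user key) or the equivalent Policies key (set by GPO).
function Get-OutlookPlainTextState {
    param([string]$Version = '16.0')
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Mail"
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\Outlook\Options\Mail"
    # Returns the ReadAsPlain value at a key, or $null when the key/value is absent.
    $read = { param($k) try { (Get-ItemProperty -Path $k -Name ReadAsPlain -ErrorAction Stop).ReadAsPlain } catch { $null } }
    $user   = & $read $userKey
    $policy = & $read $policyKey
    [pscustomobject]@{
        UserSetting   = $user     # 1 = plain text; 0 or absent = HTML rendering (weak default)
        PolicySetting = $policy   # policy value takes precedence over the user choice
        Mitigated     = ($policy -eq 1) -or (($policy -eq $null) -and ($user -eq 1))
    }
}

function Set-OutlookPlainText {
    param([string]$Version = '16.0', [switch]$AsPolicy)
    $key = if ($AsPolicy) { "HKCU:\Software\Policies\Microsoft\Office\$Version\Outlook\Options\Mail" }
           else           { "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Mail" }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Weak state: ReadAsPlain absent/0 -> HTML is rendered in the preview pane.
    # Mitigated state: ReadAsPlain = 1 -> all standard mail is shown as plain text.
    New-ItemProperty -Path $key -Name ReadAsPlain -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-OutlookPlainTextState
if (-not $before.Mitigated) { Set-OutlookPlainText }
Get-OutlookPlainTextState | Format-List
```

Outlook must be restarted for the change to take effect; use -AsPolicy only when the value is deliberately managed outside Group Policy, since GPO will otherwise overwrite it.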

Vulnerabilities to Watch Out For

CVE-2022-37985: Windows Graphics Vulnerability

CVE-2022-37985, a flaw in the Windows Graphics Component, allows a remote attacker to extract sensitive information, such as a memory address, using a native networking mechanism within the vulnerable component itself. This capability is valuable in scenarios where an attacker wants to exploit a memory corruption vulnerability in Microsoft Word, since the leaked address helps defeat memory-layout protections.

Microsoft addressed this vulnerability in a security advisory.

CVE-2023-20126: Cisco Vulnerability

Cisco has recently disclosed a vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters. This security flaw enables an unauthenticated remote attacker to execute arbitrary code on affected devices. Tracked as CVE-2023-20126 and assigned a “critical” CVSS score of 9.8, the vulnerability is caused by a lack of authentication during the firmware upgrade process. An attacker can exploit it by installing a manipulated firmware image onto a vulnerable device; if successful, the attacker gains full privileges to execute arbitrary code. There is no mitigation for this vulnerability.

To address this issue, Cisco’s security bulletin emphasizes the importance of replacing the affected phone adapters or implementing additional security measures to safeguard them against potential attacks. The recommended replacement model is the Cisco ATA 190 Series Analog Telephone Adapter, which is scheduled to reach its end-of-life on March 31, 2024.

CVE-2023-30777: Vulnerability in WordPress Plugin

The Advanced Custom Fields and Advanced Custom Fields Pro WordPress plugins are vulnerable to a cross-site scripting (XSS) flaw tracked as CVE-2023-30777. These plugins have more than 2,000,000 active installs on WordPress sites. The flaw could allow an unauthenticated attacker to steal sensitive information and escalate their privileges on an impacted WordPress site.

A patch has been provided for this plugin.

Kernel Bugs in Android

The Linux kernel sound subsystem contains a security vulnerability tracked as CVE-2023-0266. This flaw is a use-after-free weakness that attackers can exploit to escalate their privileges without any user interaction. Attackers are exploiting it as part of a complex chain of multiple 0-days and n-days in a spyware campaign targeting Samsung Android phones. The exploit chain also includes a zero-day vulnerability in the Chrome web browser (tracked as CVE-2022-4262), a Chrome sandbox escape, and vulnerabilities in the Mali GPU kernel driver and the Linux kernel.

The attackers successfully compromised various devices and installed a comprehensive spyware suite capable of decrypting and extracting data from both chat and browser applications. The attacks are attributed to the Spanish mercenary spyware vendor Variston, known for its Heliconia exploit framework that targets the Windows platform.

Google addressed this vulnerability in their security bulletin.

CVE-2023-32233: Linux Kernel Flaw

CVE-2023-32233 is a vulnerability in the Linux kernel’s Netfilter subsystem. The issue arises because Netfilter accepts invalid updates to the nf_tables configuration, so certain invalid batch requests can corrupt the subsystem’s internal state. By exploiting this vulnerability, an unprivileged local user can elevate their privileges to root and gain complete control over the system.

A proof-of-concept exploit for this vulnerability is expected to be released to the public soon.

CVE-2023-25717: Ruckus Flaw

CVE-2023-25717 affects all versions of Ruckus Wireless Admin panels up to 10.4. It enables remote attackers to execute code by sending unauthenticated HTTP GET requests to vulnerable devices. End-of-Life models affected by this security issue will not receive a patch.

An emerging malware botnet named ‘AndoryuBot’ is actively exploiting this vulnerability to infect unpatched Wi-Fi access points. Its primary objective is to recruit vulnerable devices into a DDoS swarm, which it operates for profit. AndoryuBot was initially detected in the wild in February 2023, but a more recent variant specifically targeting Ruckus devices surfaced in mid-April.

This flaw was fixed by the vendor in February 2023.

CVE-2023-0386: Ubuntu Vulnerability

A vulnerability tracked as CVE-2023-0386 was discovered in the Linux kernel’s OverlayFS subsystem, where a setuid file with capabilities can be executed without authorization. The flaw occurs when a user copies a capable file from a nosuid mount to another mount. Due to a uid mapping bug, a local user can exploit this issue to escalate their privileges on the system.

Ubuntu addressed the vulnerability in a security advisory.

CVE-2023-29324: Windows API Flaw

The vulnerability enables an attacker to force an Outlook client to connect to the attacker’s server, leading the client to send NTLM credentials to the attacker’s machine. This allows the attacker to crack the password offline or use it for a relay attack. CVE-2023-29324 can be exploited remotely over the internet without requiring any user interaction (zero-click).

A Russian threat actor has been actively exploiting this vulnerability in targeted attacks against various European government, transportation, energy, and military organizations for approximately a year.

Microsoft addressed this vulnerability in a security advisory and urges users to patch it.

5 Flaws That can be Chained to Hack Netgear Routers

CVE-2023-27357, CVE-2023-27367, CVE-2023-27368, CVE-2023-27369, and CVE-2023-27370 are vulnerabilities in NETGEAR’s Nighthawk RAX30 routers. Researchers have developed a series of exploits that chain all five vulnerabilities to target specific versions of these routers, effectively circumventing protective measures such as stack canaries. If successfully exploited, malicious actors could observe users’ online activities, seize control of their internet connections, and redirect traffic to harmful websites or inject malware into network traffic. These vulnerabilities could also be leveraged to gain unauthorized access to and manipulate network-connected smart devices such as security cameras, thermostats, and smart locks. Attackers could further manipulate router settings, including credentials and DNS configurations, or use a compromised network to launch attacks against other devices or networks.

Follow NETGEAR’s security advisory to patch these vulnerabilities.

Follow our weekly blog and podcast to get proactive alerts on trending threats.

Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!
