<h1>Securin’s Threat Intelligence – Feb 6, 2023 – Feb 10, 2023</h1>
<p>Published February 10, 2023 (last modified April 6, 2023)</p>

<p>This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.</p>

<p>The Royal ransomware group and the new ESXiArgs ransomware group have launched massive campaigns targeting VMware ESXi servers worldwide. CVE-2021-21974 in VMware products is exploited to gain access to the servers. The vulnerability is a heap overflow in the OpenSLP service that unauthenticated threat actors can exploit in low-complexity attacks. ESXi server versions before 7.0 U3i are primarily targeted through the OpenSLP port (427). The attackers appear to have used the Sosemanuk algorithm to encrypt files, which may have been derived from the Babuk (ESXi variant) source code.</p>
<p>CVE-2021-21974 has already been patched, and users should ensure that the patch is applied to their VMware servers immediately.</p>
<p>Our predictive analysis platform rated this vulnerability a very critical threat two years ago.</p>

<h4>White Elephant APT Group Actively Exploits CVE-2017-11882</h4>
<p>CVE-2017-11882 is a Microsoft Office memory corruption vulnerability that has been widely exploited by more than 5 ransomware groups and 20+ APT groups. One of these APT groups is the suspected Indian threat actor White Elephant, also known as Hangover, Patchwork and Mahacao, among other names. The group targets entities in China, Pakistan, Israel and other countries and uses spear-phishing attacks, supplemented by a small number of watering-hole attacks, to carry out cyber espionage. CVE-2017-11882 is used for Trojan implantation: shellcode is deployed first to release the second-stage sample. Using the malware sample, the victims’ data is accessed and exfiltrated by the attacker.</p>
<p>This vulnerability was patched by Microsoft, and it is important that users apply the patch immediately.</p>
<p>Within a month of this CVE being published, our ML- and AI-based predictive analysis platform gave it the maximum rating for exploitability.</p>

<h4>Clop Ransomware Uses Flawed Encryption Logic in New Linux Variant</h4>
<p>A new variant of the Clop ransomware was recently used in a few of the group’s attacks. This variant targets Linux devices. However, the encryption algorithm the group used in this variant is flawed and allows victims to decrypt locked files without paying a ransom. The ELF variant of Clop ransomware has been in use since late December 2022; unlike the Windows variant, it does not use a hashing algorithm to avoid encrypting specific folders and files. Researchers found that the ransomware’s encryption logic contained a hardcoded RC4 “master key”, which allowed victims to decrypt Cl0p-ELF-encrypted files.</p>
<p>The Clop ransomware group exploits the following CVEs for initial access: CVE-2019-19781, CVE-2020-1472, CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, and CVE-2021-35211.</p>

<h4>Enigma Stealer Targets Victims in Europe with Fake Jobs</h4>
<p>Suspected Russian threat actors have been targeting Eastern Europeans with fake cryptocurrency jobs. They have been using a modified version of the Stealerium information stealer named Enigma stealer. Stealerium is an open-source C++ project used as a stealer, clipper, and keylogger, with logging capabilities that use the Telegram API. The fake employment campaign sends highly obfuscated, under-development custom loaders, which then infect victims with the Enigma stealer malware. The stealer uses two servers: one for delivering payloads, sending commands, and receiving the payload heartbeat, the other for DevOps and logging purposes.</p>
<p>Apart from this, the Russian threat actors also exploit CVE-2015-2291, an Intel driver vulnerability, to load a malicious driver designed to reduce the token integrity of Microsoft Defender.</p>

<h4>Healthcare and Critical Infrastructure Sectors Under Attack From Korean Actors</h4>
<p>A Cybersecurity Advisory has been published warning against various ransomware actors from the Democratic People’s Republic of Korea (DPRK). There is an ongoing campaign targeting Healthcare and Public Health Sector organizations and other critical infrastructure sector entities in the United States and South Korea. Maui and H0lyGh0st are the primary ransomware families used against these entities, and the actors receive ransom payments in cryptocurrency. CVE-2021-44228, CVE-2021-20038, and CVE-2022-24990 are exploited in these attacks.</p>

<h2>Vulnerabilities to Watch Out For</h2>

<h4>GoAnywhere MFT Zero-day Vulnerability</h4>
<p>The GoAnywhere MFT file transfer solution has reported a zero-day vulnerability, not yet assigned a CVE, which could grant access to administrator consoles if exploited. It is a remote code execution vulnerability. There may be more than 1,000 administrative ports exposed to the public internet. However, an attacker needs administrative console access for successful exploitation.</p>
<p>Fortra has published an advisory for this vulnerability.</p>

<h4>CVE-2023-22501: Jira Service Management Authentication Vulnerability</h4>
<p>This authentication vulnerability allows an attacker to impersonate another user and gain access to a Jira Service Management instance. However, to carry this out, the attacker needs write access to a User Directory and outgoing email enabled on the Jira Service Management instance. CVE-2023-22501 has a CVSS score of 9.4, making it critical.</p>
<p>Atlassian has released a security advisory for this vulnerability.</p>

<h4>CVE-2023-21608: Adobe Acrobat Reader Vulnerability</h4>
<p>CVE-2023-21608 is a remote code execution vulnerability in Adobe Acrobat Reader DC. A proof of concept for this exploit has been released. Users should take note of this vulnerability and patch it according to the advisory.</p>

<h4>CVE-2023-25136: OpenSSH Pre-Authentication Vulnerability</h4>
<p>CVE-2023-25136 is caused by a boundary error within the sshd(8) daemon. An unauthenticated attacker can send specially crafted data to the application, trigger a double-free error, and execute arbitrary code on the target system. OpenSSH has fixed this flaw in OpenSSH 9.2.</p>

<p>Follow our weekly Threat Intelligence Series and podcast for proactive alerts on trending threats.</p>