Decoding CISA Known Exploited Vulnerabilities

CSW's Threat Intelligence - January 02, 2023 - January 06, 2023

Posted on Jan 3, 2023 | Updated on Jan 5, 2023 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, which vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our Threat Intelligence Podcast featuring Top Three Threats of the Week!

Trending Threats

Miuuti’s Campaign Against the Gaming Industry

The Miuuti Group has recently set its sights on the gaming industry. Since 2015 the group has exploited multiple zero-day vulnerabilities to compromise communication software; more recently it has used two zero-day vulnerabilities against several gaming companies, one with no CVE assigned and CVE-2021-21220. The first allows direct execution of arbitrary code, giving the attackers a foothold inside the gaming company from which to move laterally.

CVE-2021-21220, a Chromium V8 bug that also affects Electron-based applications, is used through asar hijacking to trigger remote code execution and eventually take over the command center. Both vulnerabilities have since been fixed by the respective vendors.

Such attacks usually begin with game software downloaded from third-party sources. Gamers should install only legitimate versions of online games obtained through official channels.

Malware Affecting MacOS in 2022

A recent report details the malware that impacted macOS in 2022. The families are summarized below:

| Malware Name | Description | Month First Seen | Associated CVEs |
| --- | --- | --- | --- |
| SysJoker | A simple cross-platform backdoor with download-and-execute capabilities | Jan 2022 | none listed |
| DazzleSpy | A cyber-espionage implant deployed via Safari exploits | Jan 2022 | CVE-2021-30869, CVE-2019-8526, CVE-2021-1789 |
| CoinMiner | A cryptocurrency miner built from open-source components | Mar 2022 | none listed |
| Gimmick | A multi-platform backdoor using cloud providers for command and control | Mar 2022 | none listed |
| oRat | An APT backdoor able to construct a custom command and control server | Apr 2022 | none listed |
| CrateDepression | Spread through typosquatting of a Rust crate; installs a persistent Poseidon agent | May 2022 | none listed |
| Pymafka | Spread through typosquatting of a Python package; installs a compiled Cobalt Strike agent | May 2022 | none listed |
| VPN Trojan ("COVID") | A persistent backdoor that downloads second-stage payloads and executes them from memory | Jul 2022 | none listed |
| CloudMensis | Uses cloud providers for command and control; exfiltrates documents, keystrokes and screenshots | Jul 2022 | none listed |
| rShell | A backdoor delivered via supply-chain attacks; offers basic capabilities to the remote operator | Aug 2022 | none listed |
| Insekt | Cross-platform payloads, including macOS variants, deployed by the Alchimist attack framework | Oct 2022 | CVE-2021-4034 |
| KeySteal | A keychain stealer embedded in a trojanized copy of ResignTool | Nov 2022 | none listed |
| SentinelSneak | A malicious Python package targeting developers via typosquatting and exfiltrating sensitive data | Dec 2022 | none listed |
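Three of the families above (CrateDepression, Pymafka and SentinelSneak) reached developers through look-alike package names rather than through any vulnerability. As an added example, not code from the report or from any project it names, the following screen compares each dependency in a manifest against an allow-list of expected packages using edit distance, which is the pattern behind the pykafka/pymafka and rust_decimal/rustdecimal lures. The allow-list and the manifest it checks are constructed for illustration; in practice the allow-list would come from an internal list of approved packages or a registry's top-N download list.

```python
"""Typosquat screen for third-party dependency names (added example).

Not code from the macOS malware report or from any project it names. It
flags a candidate package name that sits within a small edit distance of a
package on an allow-list. KNOWN_PACKAGES is a constructed sample.
"""
from __future__ import annotations

# Constructed sample allow-list, keyed by ecosystem (assumption for the demo).
KNOWN_PACKAGES: dict[str, set[str]] = {
    "pypi": {"pykafka", "requests", "cryptography", "numpy"},
    "crates": {"rust_decimal", "serde", "tokio", "rand"},
}


def normalize(name: str) -> str:
    """Canonical form: registries fold case and treat '-', '_' and '.' alike."""
    return name.lower().replace("-", "_").replace(".", "_")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a two-row table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, ecosystem: str,
                         max_distance: int = 2) -> list[tuple[str, int]]:
    """Return (known_name, distance) pairs that `name` is suspiciously close to.

    Distance 0 after normalisation is the legitimate package itself and is not
    reported; distances 1..max_distance are. Closest look-alike comes first.
    """
    target = normalize(name)
    hits = []
    for known in KNOWN_PACKAGES.get(ecosystem, set()):
        d = levenshtein(target, normalize(known))
        if 0 < d <= max_distance:
            hits.append((known, d))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def screen_manifest(deps: dict[str, list[str]]) -> dict[str, list[tuple[str, int]]]:
    """Screen {ecosystem: [names]}; return {name: candidates} for flagged names only."""
    flagged: dict[str, list[tuple[str, int]]] = {}
    for ecosystem, names in deps.items():
        for name in names:
            hits = typosquat_candidates(name, ecosystem)
            if hits:
                flagged[name] = hits
    return flagged


if __name__ == "__main__":
    # Constructed manifest mixing legitimate names with the two lure names.
    sample = {"pypi": ["pymafka", "requests"], "crates": ["rustdecimal", "serde"]}
    for dep, hits in screen_manifest(sample).items():
        print(f"{dep!r} looks like {hits}")
```

The distance threshold is deliberately small: at 2 the check catches single-character swaps and dropped separators without flagging every short name against every other. Anything it flags should be reviewed by a human before the build proceeds, since legitimate forks and namespaced packages also sit close to their upstream names.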

Vulnerabilities to Watch Out For

CVE-2022-43931: Critical Vulnerability in Synology VPN Plus Server

Synology, the Taiwanese network-attached storage vendor, has fixed a critical vulnerability that affects its routers when they are configured to run as VPN servers. CVE-2022-43931 is an out-of-bounds write in the Remote Desktop functionality of VPN Plus Server, the package that lets administrators turn a Synology router into a VPN server so that remote users can reach resources behind it. It can be exploited in a low-complexity attack with no privileges on the targeted router and no user interaction, and it leads to remote code execution.

Synology has published a security advisory with fixed VPN Plus Server releases. Because the service is reachable from outside the network by design, confirm the installed VPN Plus Server version in SRM's Package Center and update any internet-facing router first.

CVE-2022-47523: Critical ManageEngine Bug

ManageEngine is urging all customers to patch a critical security flaw affecting several of its products. CVE-2022-47523 is a SQL injection vulnerability in the Password Manager Pro secure vault, the PAM360 privileged access management software and the Access Manager Plus privileged session management solution. Exploiting it gives an unauthenticated attacker access to the backend database, which for a password vault and PAM products means the stored privileged credentials and session records.

ManageEngine has released a security advisory and fixed builds for this bug.
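The internals of CVE-2022-47523 are not public, so the following is an added example of the vulnerability class only, not ManageEngine's code: a credential lookup that splices a caller-controlled value into SQL text, shown next to the parameterised version that fixes it. The vault_entries table, its two rows and the payloads are constructed sample data held in an in-memory SQLite database so the whole thing runs offline.

```python
"""SQL injection: string-built query next to its parameterised fix (added example).

Not ManageEngine's code. Models a vault lookup that interpolates the caller's
value into the statement; the fixed variant binds it as a parameter instead.
All data below is constructed for the demo.
"""
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample: a tiny credential vault with two owners' secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vault_entries ("
        "id INTEGER PRIMARY KEY, owner TEXT, resource TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO vault_entries (owner, resource, secret) VALUES (?, ?, ?)",
        [("alice", "db-prod", "s3cr3t-a"), ("bob", "router-core", "s3cr3t-b")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> list[tuple]:
    """VULNERABLE: the caller's string becomes part of the SQL statement."""
    sql = f"SELECT resource, secret FROM vault_entries WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, owner: str) -> list[tuple]:
    """FIXED: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT resource, secret FROM vault_entries WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Two classic payloads (constructed). The first turns the WHERE clause into a
# tautology and dumps every owner's secret; the second UNIONs in the schema
# catalogue, which is how an attacker maps the backend database before
# pulling data out of it. The trailing "--" comments out the closing quote.
TAUTOLOGY = "x' OR '1'='1"
UNION_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = build_db()
    for label, payload in (("tautology", TAUTOLOGY), ("union", UNION_SCHEMA)):
        print(f"[{label}] vulnerable -> {lookup_vulnerable(db, payload)}")
        print(f"[{label}] fixed      -> {lookup_fixed(db, payload)}")
```

With the payload bound as a parameter the lookup simply matches no owner and returns nothing; the same input against the string-built query returns every row, or the table definitions, without any credentials at all. When auditing a codebase for this class of bug, search for query text built with string formatting or concatenation and replace each instance with bound parameters; escaping quotes is not an acceptable substitute.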


Multiple Command Injection Vulnerabilities in Fortinet Products

CVE-2022-39947 and CVE-2022-35845 are command injection vulnerabilities in the FortiADC web interface and in FortiTester respectively.

CVE-2022-39947 allows an authenticated attacker with access to the FortiADC web GUI to execute unauthorized code or commands via specifically crafted HTTP requests. Fortinet has released fixed versions and an advisory.

CVE-2022-35845 can lead to arbitrary command execution in the underlying shell of FortiTester; exploitation requires an authenticated attacker. Fortinet has published a separate advisory for this vulnerability.

Both bugs need valid credentials, so patching should go together with keeping the management interfaces off the internet and reviewing who holds administrative access to these appliances.
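Both Fortinet bugs are OS command injection: a value supplied by an authenticated user reaches a shell with its metacharacters intact. The products' internals are not public, so the following is an added example of the bug class, not Fortinet's code. A hypothetical "diagnostic" handler takes a hostname from a request and hands it to an external tool; it is shown in the vulnerable form, in an argv-only form that removes the shell, and in a hardened form that also validates the value against an allow-list grammar. The tool is echo rather than ping so that the example runs offline and deterministically; the injection mechanics are the same.

```python
"""OS command injection in a management endpoint, before and after (added example).

Not Fortinet code. The handler names, the host grammar and the payload are
constructed for the demo; echo stands in for the real diagnostic tool.
"""
from __future__ import annotations

import re
import subprocess

# Hostname or IPv4 literal: letters, digits, dots and hyphens, no leading or
# trailing hyphen, at most 253 characters. A value that cannot start with "-"
# also cannot be parsed as an option by the tool it is passed to.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# Constructed attacker input: a valid host followed by a second command.
PAYLOAD = "127.0.0.1; echo INJECTED"


def validate_host(host: str) -> str:
    """Allow-list check; raises ValueError on anything outside the grammar."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def diagnostic_vulnerable(host: str) -> str:
    """VULNERABLE: request data is interpolated into a shell command line,
    so ';', '|', '$(...)' and friends are interpreted by /bin/sh."""
    proc = subprocess.run(f"echo probing {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def diagnostic_argv_only(host: str) -> str:
    """BETTER: argv list and no shell, so metacharacters are just bytes inside
    one argument. Not sufficient alone: with a real tool a value such as "-f"
    would still be parsed as an option (argument injection)."""
    proc = subprocess.run(["echo", "probing", host],
                          capture_output=True, text=True)
    return proc.stdout


def diagnostic_hardened(host: str) -> str:
    """FIXED: validate against the allow-list grammar, then exec without a shell."""
    safe = validate_host(host)
    proc = subprocess.run(["echo", "probing", safe],
                          capture_output=True, text=True)
    return proc.stdout


def rejects(host: str) -> bool:
    """True when the hardened handler refuses the input."""
    try:
        diagnostic_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(diagnostic_vulnerable(PAYLOAD)))
    print("argv only :", repr(diagnostic_argv_only(PAYLOAD)))
    print("hardened  :", "rejected" if rejects(PAYLOAD) else "accepted")
    print("hardened  :", repr(diagnostic_hardened("gw.example.com")))
```

The vulnerable handler prints two lines because the shell ran the injected command; the argv-only handler prints the whole payload as one literal argument; the hardened handler never reaches the tool because the payload fails validation. The order matters: validation without dropping the shell still leaves room for grammar mistakes, and dropping the shell without validation still allows option injection into the tool itself.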


Check out this section to track how these threats evolve!


We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.


Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.

Talk to Us!

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!
