CSW's Threat Intelligence - January 30, 2023 - February 3, 2023
Posted on Jan 30, 2023 | Updated on Feb 3, 2023 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, which vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
Trending Threats
- CISA Adds 4 New CVEs to the KEV Catalog
- HeadCrab Malware Infects Redis Servers
- Lazarus Ransomware Group Targets Unpatched Zimbra Devices
Vulnerabilities to Watch Out For
- Exploits Available for Multiple VMware vRealize Flaws
- Exploit Available for CVE-2022-34689
- CVE-2022-38023: Samba Logon Bug
- CVE-2023-24055: Unaddressed KeePass Vulnerability
- CVE-2022-27596: Critical QNAP Vulnerability
- CVE-2022-42856: Apple’s RCE Vulnerability
- CVE-2023-22374: F5 BIG-IP Format String Vulnerability
Trending Threats
CISA Adds 4 New CVEs to the KEV Catalog
CISA added CVE-2022-47966 to the KEV catalog on Jan 23, 2023. It is a ManageEngine vulnerability caused by the Apache Santuario dependency used in several ManageEngine products. This is a highly critical vulnerability, as it can allow admin access to multiple ManageEngine products if SSO is enabled in the product used for initial access.
CVE-2017-11357 is a vulnerability in Telerik UI for ASP.NET AJAX. If exploited, it can allow remote code execution on the host device. CISA has recommended that all federal agencies patch this vulnerability by Feb 16, 2023.
CISA also added CVE-2023-22952 and CVE-2022-21587 on Feb 2, 2023.
CVE-2023-22952 is a SugarCRM zero-day vulnerability that allows authentication bypass and remote code execution. It impacts more than 3000 internet-exposed SugarCRM instances, which may already have been compromised. Attackers deploy a webshell to gain access to the servers.
CVE-2022-21587 is a vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. It has a CVSS score of 9.8 (critical). A proof of concept for this vulnerability has already been published, and Oracle released a patch for it in October.
HeadCrab Malware Infects Redis Servers
HeadCrab is a new malware that targets the open-source Redis database management system. It exploits vulnerabilities in Redis installations to gain unauthorized access to the system and uses it as a launchpad for further attacks or to mine cryptocurrency. At least 1200 Redis servers exposed to the internet may have been compromised. HeadCrab scans for Redis servers that are reachable from the internet, whether intentionally or through misconfiguration, and infects them. It then issues the SLAVEOF command to make the victim a replica (slave) of a Redis server controlled by the attacker. To protect against HeadCrab and similar threats, keep your Redis server and software up to date and secure your installation by properly configuring authentication and firewalls.
CVE-2022-0543 is exploited to gain initial access.
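The two settings the paragraph above calls out (authentication and network exposure) and the SLAVEOF takeover can both be checked from a defender's side without touching a live server. The script below is an added example written for this page, not code from CSW or from the HeadCrab research; the redis.conf snippets and the `INFO replication` dump are constructed samples, and the master address 203.0.113.7 is a documentation-range placeholder. It audits a config file for an all-interfaces bind, disabled protected mode, missing authentication and an unrestricted SLAVEOF/REPLICAOF command, and flags an instance that is replicating from a master not on your allow list, which is exactly what a hijacked replica looks like.

```python
"""Audit a redis.conf and an `INFO replication` dump for the exposure pattern
HeadCrab abuses: an internet-reachable, unauthenticated instance that can be
turned into a replica of an attacker-controlled master via SLAVEOF/REPLICAOF."""

# Constructed sample: an exposed, unauthenticated instance (the weak configuration).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the hardened equivalent. Binding to loopback and requiring
# a password are the essentials; disabling SLAVEOF/REPLICAOF (and CONFIG/MODULE)
# removes the commands used to repoint replication or load code remotely.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
rename-command MODULE ""
"""

# Constructed sample of `redis-cli INFO replication` output from a hijacked instance
# (203.0.113.7 is a documentation-range placeholder, not a real attacker host).
INFO_REPLICATION = """\
# Replication
role:slave
master_host:203.0.113.7
master_port:6379
master_link_status:up
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::"}


def parse_conf(text):
    """Map each directive to the list of values it was given (directives may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_conf(text):
    """Return a list of finding codes; an empty list means no weak setting was found."""
    conf = parse_conf(text)
    findings = []
    # No bind line means Redis listens on every interface; a leading '-' marks an
    # optional address in newer Redis versions and is not itself a wildcard.
    addresses = [a.lstrip("-") for v in conf.get("bind", []) for a in v.split()]
    if not addresses or any(a in ALL_INTERFACES for a in addresses):
        findings.append("bind-all-interfaces")
    if any(v.lower() == "no" for v in conf.get("protected-mode", [])):
        findings.append("protected-mode-off")
    # Either a legacy requirepass or an ACL user carrying a password ('>' clear
    # text or '#' hash) counts as authentication; 'nopass' users do not.
    acl_users = conf.get("user", [])
    has_auth = "requirepass" in conf or any(
        (">" in u or "#" in u) and "nopass" not in u for u in acl_users
    )
    if not has_auth:
        findings.append("no-auth")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in renamed:
            findings.append(f"{cmd.lower()}-enabled")
    return findings


def check_replication(info_text, allowed_masters):
    """Return a description if the instance replicates from a master not on the allow list."""
    fields = {}
    for line in info_text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if fields.get("role") != "slave":
        return None
    master = fields.get("master_host", "")
    if master in allowed_masters:
        return None
    return f"replica of unexpected master {master}:{fields.get('master_port', '?')}"


if __name__ == "__main__":
    print("weak:", audit_conf(WEAK_CONF))
    print("hardened:", audit_conf(HARDENED_CONF))
    print(check_replication(INFO_REPLICATION, allowed_masters={"10.0.0.5"}))
```

Run `audit_conf` over the real `redis.conf` and feed `check_replication` the output of `redis-cli INFO replication` from a cron job; a non-empty finding list or a replica pointing at an unlisted master is worth an alert. Renaming commands is the older Redis hardening idiom; on Redis 6 and later, ACL rules that deny `@dangerous` achieve the same for named users.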
Lazarus Ransomware Group Targets Unpatched Zimbra Devices
In a recent campaign named ‘No Pineapple’, the Lazarus group exploited vulnerabilities in Zimbra devices to attack public and private sector research organizations, the medical research and energy sectors, and their supply chains. CVE-2022-27925 and CVE-2022-37042 were exploited to gain initial access to the victims’ networks. Both vulnerabilities allow unauthenticated remote code execution. The Lazarus group used off-the-shelf webshells and custom binaries, and abused legitimate Windows and Unix tools (living off the land) to proxy, tunnel and relay connections within the host network. In one instance, CVE-2021-4034, an out-of-bounds read and write vulnerability in Red Hat Polkit, was also exploited.
Zimbra users are advised to patch their devices immediately.
Vulnerabilities to Watch Out For
Exploits Available for Multiple VMware vRealize Flaws
CVE-2022-31704, CVE-2022-31706, CVE-2022-31710 and CVE-2022-31711 impact VMware vRealize Log Insight appliances. An exploit targeting a chain of these vulnerabilities to gain remote code execution is expected to be released this week.
CVE-2022-31706 is a directory traversal vulnerability that can be abused to inject files into the operating system of impacted appliances.
CVE-2022-31704 is a broken access control flaw that can likewise be exploited by injecting maliciously crafted files in RCE attacks.
CVE-2022-31710 can be exploited to trigger a denial of service.
CVE-2022-31711 is an information disclosure bug that can be exploited to access sensitive session and application information.
All four vulnerabilities are rated critical on the CVSS v3 scale and need immediate attention.
VMware has released a security advisory addressing all four vulnerabilities and recommends that users patch immediately.
Exploit Available for CVE-2022-34689
CVE-2022-34689 is a critical Windows CryptoAPI spoofing bug that can be exploited to perform actions such as authentication or code signing while impersonating the targeted certificate. Attackers can also perform man-in-the-middle attacks and decrypt confidential information on user connections to affected software, such as web browsers that rely on the Windows CryptoAPI cryptography library. This vulnerability impacts old versions of Chrome (v48 and earlier) and Chromium-based applications.
An exploit for this vulnerability was released recently.
Users are advised to update their Chromium-based applications to the latest version immediately.
CVE-2022-38023: Samba Logon Bug
If exploited, CVE-2022-38023 can allow an attacker to change the content of some network data packets without being detected, despite the use of cryptographic MACs (message authentication codes) intended to prevent spoofing and tampering. Attackers can also pull off an elevation-of-privilege (EoP) attack by manipulating data at logon time.
This vulnerability was patched in November 2022 and users need to ensure that they are using the latest version.
CVE-2023-24055: Unaddressed KeePass Vulnerability
CVE-2023-24055 enables threat actors with write access to a target's system to alter the KeePass XML configuration file and inject a malicious trigger that exports the database, including all usernames and passwords, in cleartext. The user will not be aware of this, as the export runs in the background. An exploit for this vulnerability is already publicly available.
However, KeePass is unwilling to classify this vulnerability as a bug and address the issue. As a workaround, KeePass suggests ensuring that regular system users do not have write access to any files or folders in the KeePass application directory, and then using an enforced configuration file.
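Because the attack described above lives entirely in the configuration file, the most useful defensive check is to audit that file for triggers whose actions write database contents to disk. The script below is an added example written for this page, not code from CSW or from the KeePass project. It assumes KeePass's trigger layout of `Configuration/Application/TriggerSystem/Triggers/Trigger`, with each action carrying a `TypeGuid` and a list of `Parameter` values; the sample config is constructed, and its `TypeGuid` values are placeholders rather than KeePass's real action identifiers, so the detection keys on the action parameters (an output path or an export format name) instead of on the GUID.

```python
"""Audit a KeePass.config.xml for triggers whose actions look like a database export."""
import xml.etree.ElementTree as ET

# Constructed sample config: one benign trigger and one that exports the database.
# The TypeGuid values are placeholders, not KeePass's real event/action identifiers.
SAMPLE_CONFIG = r"""<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-1</Guid>
          <Name>Lock after sync</Name>
          <Enabled>true</Enabled>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-LOCK</TypeGuid>
              <Parameters />
            </Action>
          </Actions>
        </Trigger>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-2</Guid>
          <Name>Cloud backup</Name>
          <Enabled>true</Enabled>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-EXPORT</TypeGuid>
              <Parameters>
                <Parameter>C:\Users\Public\backup.csv</Parameter>
                <Parameter>KeePass CSV (1.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Output file types and format words that indicate a plaintext or file export.
EXPORT_EXTENSIONS = (".csv", ".xml", ".txt", ".html", ".htm", ".kdbx", ".kdb")
EXPORT_FORMAT_WORDS = ("csv", "xml", "html", "export")


def looks_like_export(parameters):
    """Heuristic: an action whose parameters name an output file or an export format."""
    for param in parameters:
        value = (param or "").strip().lower()
        if value.endswith(EXPORT_EXTENSIONS):
            return True
        if any(word in value for word in EXPORT_FORMAT_WORDS):
            return True
    return False


def audit_keepass_config(xml_text):
    """Return one finding per action that looks like an export; [] when none is found."""
    root = ET.fromstring(xml_text)
    findings = []
    trigger_system = root.find("./Application/TriggerSystem")
    # A missing or disabled trigger system cannot fire anything, so there is nothing to flag.
    if trigger_system is None or (trigger_system.findtext("Enabled") or "").lower() != "true":
        return findings
    for trigger in trigger_system.findall("./Triggers/Trigger"):
        name = trigger.findtext("Name") or "<unnamed>"
        enabled = (trigger.findtext("Enabled") or "true").lower() == "true"
        for action in trigger.findall("./Actions/Action"):
            params = [p.text for p in action.findall("./Parameters/Parameter")]
            if looks_like_export(params):
                findings.append({
                    "trigger": name,
                    "enabled": enabled,
                    "type_guid": action.findtext("TypeGuid"),
                    "parameters": params,
                })
    return findings


def audit_file(path):
    """Audit a KeePass configuration file on disk."""
    with open(path, encoding="utf-8") as handle:
        return audit_keepass_config(handle.read())


if __name__ == "__main__":
    for finding in audit_keepass_config(SAMPLE_CONFIG):
        print(finding)
```

Point `audit_file` at both `KeePass.config.xml` and, where present, `KeePass.config.enforced.xml`, and review every flagged trigger by hand: a legitimate backup trigger and a malicious one are distinguishable only by whether the operator created it. Pair the audit with the workaround the article quotes (no write access for regular users to the application directory, then an enforced config), since a trigger the user cannot add is a trigger the script never needs to find.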
CVE-2022-27596: Critical QNAP Vulnerability
CVE-2022-27596 affects QNAP devices running QTS 5.0.1 and QuTS hero h5.0.1. If exploited, this SQL injection vulnerability allows remote attackers to inject malicious code by sending specially crafted requests to vulnerable devices. It has a CVSS rating of 9.8, classifying it as critical.
QNAP has patched this vulnerability and released a security advisory.
CVE-2022-42856: Apple’s RCE Vulnerability
CVE-2022-42856 is present in Apple's WebKit web browser engine on older versions of iPads and iPhones. It was actively exploited as a zero-day vulnerability. Attackers can use maliciously crafted websites to execute commands on the underlying operating system, deploy additional malware or spyware payloads, or trigger other malicious activity. Apple has fixed this vulnerability in the latest software versions for iPads and iPhones.
CVE-2023-22374: F5 BIG-IP Format String Vulnerability
CVE-2023-22374 affects BIG-IP products and has a CVSS score of 7.5. Exploiting this vulnerability can allow remote code execution and can also cause the server process to fail. However, exploitation requires an authenticated user. There is no patch yet for this vulnerability, but F5 has promised a workaround. Meanwhile, end users are advised to restrict access to the management port to trusted individuals only.
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!
