CSW's Threat Intelligence - January 9, 2023 - January 13, 2023
Posted on Jan 9, 2023 | Updated on Jan 17, 2023 | By Supriya Aluri
This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our podcast on the top critical threats of this week, hosted by David Rushton!
Vulnerabilities to Watch Out For
- CVE-2022-44877: CentOS Web Panel Vulnerability
- CVE-2022-46169: Cacti Command Injection Vulnerability
- CVE-2022-23529: JsonWebToken Vulnerability
- CVE-2022-43473: ManageEngine XXE Injection Flaw
- CVE-2023-20025: Auth Bypass Bug in Cisco
Scattered Spider has been targeting the BPO and telecom industry since June 2022. In December 2022, the group began a new campaign that exploits Windows security deficiencies with a Bring-Your-Own-Vulnerable-Driver (BYOVD) tactic in an attempt to bypass endpoint security. The group deploys a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver. The driver used by Scattered Spider is a small 64-bit kernel driver with 35 functions, signed with different certificates stolen from signing authorities such as NVIDIA and Global Software LLC, so Windows does not block it. The BYOVD technique allows publicly available tools, such as KDMapper, to map unsigned drivers into memory.
CVE-2015-2291 was fixed in 2015. However, by planting an older, still vulnerable version on the breached devices, the threat actors can leverage the flaw no matter what updates the victim has applied to the system.
The Lorenz ransomware gang is employing a new technique in its attacks: exploiting Mitel VoIP zero-days to install malicious webshells. These webshells contain backdoors that remain in the victims' systems for a long while, and the gang returns after several months to launch the ransomware attack. CVE-2022-29499 is the latest of these vulnerabilities to be exploited; it can lead to remote code execution (RCE). Most of the backdoors deployed through the zero-days remain usable even after the vulnerabilities are patched. In a recent attack, the gang deployed backdoors five months before the ransomware attack.
This underscores the importance of attack surface management, which can help identify malicious files on the network and eliminate them.
Dark Pink, an APT group, has been active since mid-2021 in the APAC region and occasionally in Europe. The group uses spear phishing to initially compromise a victim's network. It also appears to be using a new set of tactics, techniques, and procedures rarely seen from previously known APT groups. These include a custom toolkit featuring TelePowerBot, KamiKakaBot, and the Cucky and Ctealer information stealers. Dark Pink can also infect USB devices attached to compromised computers. The group executes malicious files using a file type association and DLL side-loading. Dark Pink's intent behind the attacks is cyber-espionage, as it has targeted governmental and military entities.
Dark Pink has also exploited CVE-2017-0199 in its attacks.
Kinsing malware is using two new methods to target Kubernetes clusters: exploiting weakly configured PostgreSQL containers and exploiting vulnerable images. In the first method, a misconfigured and exposed PostgreSQL server is used to run a malicious payload. The 'trust authentication' setting, when improperly configured, gives attackers several options, such as brute-forcing PostgreSQL accounts, attacking the container's availability with DoS and DDoS attacks, and attempting to exploit the container and the database itself.
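To make the 'trust authentication' risk concrete, here is an added audit helper (not code from the page or from any Kinsing write-up) that scans a constructed pg_hba.conf for `trust` entries reachable from non-loopback clients and rewrites them to require SCRAM-SHA-256 passwords. The sample configuration is made up for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the page or any real deployment).
# The last two lines are the kind of exposed "trust" entries that let anyone
# who can reach the port log in without a password.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   0.0.0.0/0       trust
host    all       all   10.0.0.0/8      trust
"""

def parse_pg_hba(text):
    """Return (type, database, user, address, method) rows, skipping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            # 'local' (Unix socket) entries have no ADDRESS column
            rows.append((fields[0], fields[1], fields[2], None, fields[3]))
        else:
            rows.append(tuple(fields[:5]))
    return rows

def is_remote(address):
    """True when the ADDRESS column admits clients beyond loopback."""
    if address is None:
        return False
    try:
        return not ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        # Hostnames or keywords: only 'samehost' is local; treat the rest as remote
        return address != "samehost"

def find_exposed_trust(text):
    """Rows that allow password-less 'trust' logins from non-loopback clients."""
    return [r for r in parse_pg_hba(text) if r[4] == "trust" and is_remote(r[3])]

def harden(row):
    """Rewrite an exposed trust entry so the same clients must present a SCRAM password."""
    kind, db, user, addr, _ = row
    return f"{kind:<7} {db:<9} {user:<5} {addr:<15} scram-sha-256"

if __name__ == "__main__":
    for row in find_exposed_trust(SAMPLE_PG_HBA):
        print("exposed:", row, "->", harden(row))
```

Exposing the database port to a cluster network while leaving `trust` in place is the combination the Kinsing campaign relies on; the same check can be run over a live pg_hba.conf dumped from a container.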
Kinsing malware also uses container images vulnerable to remote code execution to run its malicious payload. Some of the popular applications being exploited are PHPUnit, Liferay, WebLogic, and WordPress. CVE-2020-14882, CVE-2020-14750, CVE-2020-14883, CVE-2021-44228, and CVE-2022-26134 are some of the CVEs that Kinsing exploits.
On January 10, 2023, CISA included CVE-2022-41080 and CVE-2023-21674 in the Known Exploited Vulnerabilities (KEV) catalog.
CVE-2022-41080 is a Microsoft Exchange elevation of privilege bug that can be chained with the CVE-2022-41082 ProxyNotShell bug to gain remote code execution. The Play ransomware group exploited it as a zero-day to bypass Microsoft's ProxyNotShell URL rewrite mitigations and escalate permissions on compromised Exchange servers.
CVE-2023-21674 is another zero-day, this one in Microsoft's Windows Advanced Local Procedure Call (ALPC). It is a privilege escalation flaw that is actively exploited in attacks and was patched in January's Patch Tuesday.
Among the vulnerabilities that Microsoft patched on Jan 10, 2023, is an actively exploited zero-day CVE-2023-21674. In summary, Microsoft fixed:
- 39 Elevation of Privilege Vulnerabilities
- 4 Security Feature Bypass Vulnerabilities
- 33 Remote Code Execution Vulnerabilities
- 10 Information Disclosure Vulnerabilities
- 10 Denial of Service Vulnerabilities
- 2 Spoofing Vulnerabilities
CVE-2023-21674 is a sandbox escape vulnerability that can lead to elevation of privilege to the system level. CVE-2023-21549 is a Windows SMB Witness Service elevation of privilege vulnerability that was publicly disclosed.
Microsoft users are recommended to apply these patches at the earliest.
Vulnerabilities to Watch Out For
A new vulnerability tracked as CVE-2022-44877 has been identified in CentOS Web Panel 7. The vulnerability could be exploited to gain remote code execution. It is yet to be assigned a CVSS score, and a public proof of concept is available.
Update: Hackers have been actively exploiting this vulnerability and deploying webshells for more than two weeks now. They have used it to deploy webshells with malicious payloads on CWP servers, and more than 400,000 CWP instances are accessible over the internet. The encoded payloads decode to Python commands that call back to the attacker's machine and spawn a terminal on the vulnerable host using the Python pty module.
CWP users are recommended to update to the latest version immediately.
CVE-2022-46169 is a command injection vulnerability that allows an unauthenticated user to execute arbitrary code on a server running Cacti, provided a specific data source was selected for any monitored device. The security advisory offers remediation steps to avoid falling victim to exploitation.
Update: Hackers are actively exploiting this vulnerability, and more than 1,600 Cacti instances are exposed to the internet. Mirai botnet malware is being installed through this vulnerability, along with a Perl-based IRC botnet that opens a reverse shell on the host and instructs it to run port scans.
CVE-2022-23529 is found in the JsonWebToken open source project, which is used for authentication and authorization in many applications. An attacker exploiting this vulnerability can execute arbitrary code on a server by having it verify a maliciously crafted JSON Web Token (JWT) request. To patch this vulnerability, users need to update to JsonWebToken package version 9.0.0.
CVE-2022-43473 is an XML External Entity (XXE) vulnerability in the UCS module of OpManager. Parsing XML that contains malicious XML entities can give access to restricted resources. ManageEngine's patch for CVE-2022-43473 disables XML entities when parsing XML responses, so they are never invoked.
OpManager users are required to apply this patch immediately.
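The mitigation described for CVE-2022-43473, refusing XML entities when parsing responses, can be shown in a few lines with Python's expat bindings. This is an added illustration, not ManageEngine's code; the sample "UCS responses" are constructed, and the entity in the second one is deliberately harmless so the example only demonstrates the check, not an attack.

```python
from xml.parsers import expat

class EntityDeclarationError(ValueError):
    """Raised when a document tries to declare any XML entity."""

def parse_without_entities(xml_bytes):
    """Parse XML and return (root_tag, text), refusing every entity declaration.

    Rejecting all declarations (internal and external) blocks XXE reads of
    local files and URLs, and also internal-entity expansion bombs.
    """
    parser = expat.ParserCreate()
    state = {"root": None, "text": []}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Abort parsing as soon as a <!ENTITY ...> declaration appears
        raise EntityDeclarationError(f"entity declaration refused: {name}")

    def on_start(tag, attrs):
        if state["root"] is None:
            state["root"] = tag

    def on_chars(data):
        state["text"].append(data)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)
    return state["root"], "".join(state["text"]).strip()

# Constructed sample responses (not from OpManager or the page).
BENIGN = b"<ucs><host>blade-1</host></ucs>"
# A harmless internal entity stands in for a real XXE payload.
WITH_ENTITY = b'<!DOCTYPE ucs [<!ENTITY e "x">]><ucs><host>&e;</host></ucs>'

def is_safe_response(xml_bytes):
    """True when the response parsed without any entity declaration."""
    try:
        parse_without_entities(xml_bytes)
        return True
    except EntityDeclarationError:
        return False

if __name__ == "__main__":
    print(parse_without_entities(BENIGN))
    print("entity doc accepted:", is_safe_response(WITH_ENTITY))
```

In Java-based products the equivalent is disabling DOCTYPE declarations and external entities on the XML factory before parsing; the principle is the same: reject the declaration, never resolve the reference.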
CVE-2023-20025 is an authentication bypass vulnerability in multiple end-of-life Cisco VPN routers. An unauthenticated attacker can exploit it remotely by sending a specially crafted HTTP request to a vulnerable router's web-based management interface to bypass authentication. By chaining it with another vulnerability, CVE-2023-2002, they can further execute arbitrary commands on the underlying operating system.
Check out this section to track how these threats evolve!
We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.
Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.
Leverage our expertise and manage your threats continuously to stay safe from attackers.
Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!