This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix it now?
Trending Threats
Vulnerabilities to Watch Out For
Trending Threats
Active Spear-Phishing Campaign Against the Maritime Industry
A spear-phishing campaign spanning over multiple years has been targeting entities in the maritime industry. The threat actors seem to have a financial motivation in carrying out these attacks. The emails contain malicious files which exploit CVE-2017-0199, a Microsoft Office vulnerability. Once initial access is gained, the threat actor uses remote access trojans (RATs) such as Agent Tesla and Formbook to harvest sensitive information like credentials, session tokens, and email lists. This information is used to either launch more attacks or sold to provide initial access to other operators. Since the maritime industry holds sensitive information regarding shipping, it needs to step up cyber security measures.
CISA Adds Three Vulnerabilities to the KEV
CVE-2022-35914, CVE-2022-33891, and CVE-2022-28810 were added to the CISA KEV catalog on 7 March, 2022.
- CVE-2022-28810 is a Zoho ManageEngine ADSelfService Plus remote code execution vulnerability. Attackers can gain access to the ADSelfService Plus platform easily if a default administrator password is used by the customers. A remote, partially authenticated attacker can also send malicious scripts and inject arbitrary commands by exploiting this vulnerability.
ManageEngine fixed CVE-2022-28810 in builds 6122 and above.
- CVE-2022-33891 is an Apache Spark command injection vulnerability. An attacker can exploit this vulnerability to build a Unix shell command based on their input, and execute it as the user.
Apache has asked its users to patch this vulnerability as soon as possible.
- CVE-2022-35914 is a Teclib GLPI remote code execution vulnerability that allows an attacker to inject PHP code. It affects glpi-project versions up to (including) 10.0.2.
Here is the patch for this vulnerability.
All Federal agencies are required to patch these vulnerabilities before 28-03-3023.
Vulnerabilities to Watch Out For
Proof of Concept (PoC) Released for Oracle Vulnerability
The proof of concept for the exploit of CVE-2023-21839 has been released publicly. This Oracle WebLogic vulnerability will allow an unauthenticated attacker to gain network access via T3, IIOP and execute code remotely. Oracle has already patched this vulnerability.
Proof of Concept (PoC) Released for CVE-2023-21716
CVE-2023-21716 is a vulnerability in Microsoft Office’s “wwlib.dll”. It has a score of 9.8 on the CVSS scale. It allows a remote attacker to execute code with the same privileges as the victim that opens a malicious .RTF document. Microsoft addressed this vulnerability in the February Patch Tuesday. The proof of concept for its exploit was released recently.
VMware NSX Manager Vulnerabilities Actively Exploited In The Wild
CVE-2023-21716 is a vulnerability in Microsoft Office’s “wwlib.dll”. It has a score of 9.8 on the CVSS scale. It allows a remote attacker to execute code with the same privileges as the victim that opens a malicious .RTF document. Microsoft addressed this vulnerability in the February Patch Tuesday. The proof of concept for its exploit was released recently.
CVE-2023-25610: Fortinet Vulnerability
CVE-2023-25610 impacts FortiOS and FortiProxy. It rates 9.3 on the CVSS scale and can allow an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) on the GUI of vulnerable devices using specially crafted requests. Fortinet has released a security advisory for this vulnerability and urges users to patch it immediately.
CVE-2023-27532: Veeam Vulnerability Fixed
A high-severity vulnerability, CVE-2023-27532 is found in Veeam’s Backup & Replication software. It allows unauthenticated attackers to access backup infrastructure hosts after obtaining encrypted credentials stored in the VeeamVBR configuration database. Veeam provides a temporary workaround and also a patch for the vulnerability in versions V11 and V12.
Workaround: As a temporary workaround you can block access to TCP port 9401 on your Veeam Backup & Replication server. This will affect the connection of mount servers to the VBR server, so only use this if you don’t have a distributed Veeam environment. And still apply the patch as soon as possible.
Users are recommended to upgrade to the V11 or V12 immediately.
CVE-2023-21768: Windows Vulnerability
This Windows Ancillary Function Driver vulnerability, CVE-2023-21768, can lead to privilege escalation if exploited. A proof of concept has been released for this exploit. Since Microsoft already patched this vulnerability in the January Patch Tuesday, users should apply it immediately in their respective devices before attackers exploit it.
Follow our weekly Threat Intelligence Series and podcast for proactive alerts on trending threats.
Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!