
CSW's Threat Intelligence - March 6, 2023 - March 10, 2023

Posted on Mar 6, 2023 | Updated on Mar 9, 2023 | By Supriya Aluri

This edition brings you early warnings, trending news about cyber threats, and accurate threat context. Check out which threat group is on the rampage, which vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Trending Threats

Vulnerabilities to Watch Out For

Trending Threats

Active Spear-Phishing Campaign Against the Maritime Industry

A spear-phishing campaign spanning multiple years has been targeting entities in the maritime industry. The threat actors appear to be financially motivated. The emails carry malicious files that exploit CVE-2017-0199, a Microsoft Office vulnerability. Once initial access is gained, the threat actor deploys remote access trojans (RATs) such as Agent Tesla and Formbook to harvest sensitive information such as credentials, session tokens, and email lists. This information is either used to launch further attacks or sold to other operators as initial access. Since the maritime industry holds sensitive shipping information, it needs to step up its cybersecurity measures.


CISA Adds Three Vulnerabilities to the KEV

CVE-2022-35914, CVE-2022-33891, and CVE-2022-28810 were added to the CISA KEV catalog on March 7, 2023.

  • CVE-2022-28810 is a Zoho ManageEngine ADSelfService Plus remote code execution vulnerability. Attackers can easily gain access to the ADSelfService Plus platform if customers leave the default administrator password in place. A remote, partially authenticated attacker can also exploit this vulnerability to send malicious scripts and inject arbitrary commands.

ManageEngine fixed CVE-2022-28810 in builds 6122 and above.

  • CVE-2022-33891 is an Apache Spark command injection vulnerability. An attacker can exploit it to build a Unix shell command from their own input and have it executed as the user.

Apache has asked its users to patch this vulnerability as soon as possible.

  • CVE-2022-35914 is a Teclib GLPI remote code execution vulnerability that allows an attacker to inject PHP code. It affects glpi-project versions up to and including 10.0.2.

Here is the patch for this vulnerability.

All Federal agencies are required to patch these vulnerabilities by March 28, 2023.


Vulnerabilities to Watch Out For

PoC Released for Oracle Vulnerability

A proof-of-concept exploit for CVE-2023-21839 has been released publicly. This Oracle WebLogic vulnerability allows an unauthenticated attacker with network access via T3 or IIOP to execute code remotely. Oracle has already patched this vulnerability.


PoC Released for CVE-2023-21716

CVE-2023-21716 is a vulnerability in Microsoft Office's "wwlib.dll". It has a CVSS score of 9.8. It allows a remote attacker to execute code with the same privileges as the victim who opens a malicious .RTF document. Microsoft addressed this vulnerability in the February Patch Tuesday. A proof-of-concept exploit was released recently.


VMware NSX Manager Vulnerabilities Actively Exploited In The Wild

CVE-2022-31678 and CVE-2021-39144 are VMware NSX Manager vulnerabilities that can allow unauthenticated (pre-auth) attackers to execute arbitrary code, steal data, and take control of the network infrastructure. These vulnerabilities have been exploited over 40,000 times in the last 2 months, with most of the attacks concentrated on data centers in Linode and Digital Ocean. VMware urges organizations to patch these vulnerabilities immediately to avoid falling victim to these threat actors.


CVE-2023-25610: Fortinet Vulnerability

CVE-2023-25610 impacts FortiOS and FortiProxy. It rates 9.3 on the CVSS scale and can allow an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) on the GUI of vulnerable devices using specially crafted requests. Fortinet has released a security advisory for this vulnerability and urges users to patch it immediately.


CVE-2023-27532: Veeam Vulnerability Fixed

CVE-2023-27532 is a high-severity vulnerability in Veeam's Backup & Replication software. It allows unauthenticated attackers to access backup infrastructure hosts after obtaining encrypted credentials stored in the VeeamVBR configuration database. Veeam provides a temporary workaround as well as a patch for the vulnerability in versions V11 and V12.


Workaround: As a temporary workaround, you can block access to TCP port 9401 on your Veeam Backup & Replication server. This will break the connection of mount servers to the VBR server, so only use it if you do not run a distributed Veeam environment. Apply the patch as soon as possible regardless.
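The following PowerShell script is an added example of applying the workaround above on a Windows-hosted Veeam Backup & Replication server with the built-in Windows Firewall; it is not Veeam's own code and not part of the original post. The port number (9401) comes from the post; the rule name, the pre-check that treats established connections from other hosts as a sign of a distributed deployment, and the use of Windows Firewall rather than a third-party firewall are this example's own assumptions. Run it in an elevated PowerShell session on the VBR server.

```powershell
# Added example (not from the original post or from Veeam): temporary
# workaround for CVE-2023-27532 by blocking inbound TCP 9401 on the
# Veeam Backup & Replication server. Rule name and the "distributed
# environment" heuristic below are assumptions of this example.

$Port     = 9401
$RuleName = "Temp workaround CVE-2023-27532 - block TCP $Port inbound"

# 1. Before blocking, check who currently talks to this port. Established
#    connections from remote hosts usually belong to mount servers or other
#    distributed components, which the block would break.
$established = Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') }

if ($established) {
    Write-Warning "Remote hosts are connected to TCP $Port; this looks like a distributed deployment."
    $established | Select-Object RemoteAddress, RemotePort, OwningProcess | Format-Table -AutoSize
    Write-Warning "Blocking would break those connections. Skip the workaround and patch instead."
    return
}

# 2. Sanity check: only add the rule if something is actually listening on the port.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Host "Nothing is listening on TCP $Port; no rule added."
    return
}

# 3. Add the inbound block rule (idempotent: skip if a rule with this name exists).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Added firewall rule '$RuleName'."
} else {
    Write-Host "Rule '$RuleName' already exists."
}

# 4. Verify the rule and its port filter.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Once the Veeam patch is installed, remove the temporary rule:
#   Remove-NetFirewallRule -DisplayName $RuleName
```

The pre-check in step 1 is only a heuristic: a mount server that happens to be idle at the moment will not show an established connection, so confirm the deployment topology in the Veeam console before relying on it. The rule is deliberately named after the CVE so that it is easy to find and remove after patching.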


Users are advised to upgrade to the patched V11 or V12 release immediately.


CVE-2023-21768: Windows Vulnerability

This Windows Ancillary Function Driver vulnerability can lead to privilege escalation if exploited. A proof of concept has been released for this exploit. Since Microsoft already patched this vulnerability in the January Patch Tuesday, users should apply the update to their devices immediately, before attackers exploit it.


Check out this section to track how these threats evolve!


We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.


Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.
