img23

Securin’s Threat Intelligence – Nov 28, 2022 – Dec 2, 2022

Updated on Dec 2, 2022

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Why play catch up when you can fix this now?

Check out our podcast on the top critical threats of this week, hosted by David Rushton!

Trending Threats

Threats to watch out for

 

 Trending Threats

North Korean APT Groups use Dolphin Backdoor on South Korea

North Korean hackers are spying on South Korean targets using a new backdoor named Dolphin. This malware is capable of spying on monitoring drives and portable devices, exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. It primarily spies on cloud storage services such as Google Drive. It is even able to change the settings on Google and Gmail to lower security. Initial access and Dolphin distribution is carried out by another malware known as Bluelight.

To gain initial access, the hackers exploited CVE-2021-26411 and CVE-2020-1380.

CVE Details

 

 

A New Windows Exploit Framework is used to Deploy Spyware

Dubbed as the Heliconia framework, this exploits former zero-day vulnerabilities to deploy exploits for Chrome, Windows Defender and Firefox. Heliconia has 3 parts: Heliconia Noise (a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape), Heliconia Soft (a web framework that deploys a PDF containing a Windows Defender exploit), and Files (a set of Firefox exploits for Linux and Windows). There is no evidence of exploitation in the wild using this framework. However, it is a powerful tool for spying and can be used for digital espionage.

 

The framework has links to Variston IT, a custom security solutions provider in Spain. The vulnerabilities that this framework exploits are CVE-2021-42298 and CVE-2022-26485.

This vulnerability is actively being exploited since Nov 2021.

CVE Details

Our analysts recommend that CVE-2021-42298 be added to the CISA KEV list considering the dangerous consequences of its exploits.

CISA Adds CVE-2022-4135 and CVE-2021-35587 to the KEV Catalog

CVE-2022-4135 is a Google Chrome zero-day vulnerability which is being exploited in the wild. This is the 8th zero-day vulnerability that Chrome has fixed in 2022.

We warned our users about this vulnerability in last week’s threat intelligence blog.

 

CVE-2021-35587 is a remote code execution vulnerability in Oracle Access Manager (OAM). If exploited, it can allow an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager and use it to create users with any privileges or to execute arbitrary code on the victim’s server. Oracle fixed this vulnerability in January 2022.

New Backdoor Malware Affecting Redis Servers

The malware named Redigo is designed to target Redis vulnerability CVE-2022-0543 and exploit it to compromise the server. CVE-2022-0543 is a Lua sandbox escape flaw that allows an attacker to execute arbitrary code on the victim’s server. The attack chain starts with scans for the Redis server exposing port 6379 to the internet,  and then the threat actor runs various redis commands to connect and exploit the server. Redigo is used to elevate the permissions of the corrupt library file exp_lin.so, and execute it. This malware can be used to launch DDoS attacks on target servers and compromise resources on networks.

CVE Details

CVE: CVE-2022-0543

CVSS: 10

CWE ID: CWE-94

Exploit Type: RCE,PE,WebApp

Affected Product Count: 4

Patch Link: Download

 

 

Threats to Watch Out For

CVE-2022-40684 Critical Fortinet Vulnerability Exploited by IABs

A critical authentication vulnerability, CVE-2022-40684 is targeted by Initial Access Brokers (IABs) to compromise enterprise networks. The threat actors then sell access to the victims’ systems for a price. These threat actors were found on Russian cybercrime forums.

This vulnerability affects FortiGate firewalls and FortiProxy web proxies and was patched by the vendor in October 2022. CVE-2022-40684 can be exploited to allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. In October 2022, it was found that more than 17K Fortinet devices exposed online were vulnerable to attacks exploiting the CVE-2022-40684 flaw.  Most of them are in Germany and in the US. There are more than 100,000 instances of outdated Fortinet firewalls around the world vulnerable to attacks.

CVE Details

CVE: CVE-2022-40684

CVSS: 9.8

CWE ID: CWE-306

Exploit Type: RCE,DoS,WebApp

Affected Product Count: 6

Patch Link: Download

Windows Internet Key Exchange Vulnerability Exploited in the Wild

CVE-2022-34721, a remote code execution vulnerability, is being exploited by Chinese threat actors in the wild. The PoC for this vulnerability was published on September 16, 2022, and Microsoft patched this vulnerability during its September Patch Tuesday. However, this vulnerability continues to be exploited in weak and vulnerable Windows OS, Windows Servers, Windows protocols, and services in a campaign called “Bleed You.”

 

Our MI-based analytical platform has given this vulnerability the maximum rating, indicating that it is very dangerous.

Users of Windows are highly recommended to patch this vulnerability immediately.

Watch Out for these CISCO Vulnerabilities

5 vulnerabilities in CISCO are critical and a cause for concern.

CVE-2022-20964 and CVE-2022-20959 are XSS vulnerabilities, which when chained together can allow an attacker to easily obtain a remote root shell on the vulnerable system.

CVE-2022-20965, is an access bypass in the web-based management interface. It can expand the attack surface of the chained exploits.

CVE-2022-20966 and CVE-2022-20967,  vulnerabilities in web-based management interfaces, can store malicious HTML or script code within the application interface to be used for XSS attacks.

 

Patches for these vulnerabilities will be available in the first quarter of 2023. Meanwhile, customers can contact CISCO for hotpatches.

CVE-2022-3328: Linux Privilege Escalation in Snap-Confine

This vulnerability in snap-confine can be exploited to gain full root privileges on Linux OS. It is combined with the Leeloo Multipath vulnerabilities (CVE-2022-41974,CVE-2022-41973,CVE-2021-44731) to bypass authorization and gain access to the system. A local attacker could race against snap-confine,retain control over /tmp/snap.$SNAP_NAME, and eventually obtain full root privileges. Qualys released a security advisory for the vulnerability.

CVE Details

 

CVE-2022-4116: Critical RCE Vulnerability Affecting Quarkus Java Framework

 CVE-2022-4116 is found in the Dev UI Config Editor of the Quarkus Java Framework. The attack is initiated when an unaware developer visits a specially crafted website embedded with malicious JavaScript code designed to install or execute arbitrary payloads. The malware-laced website can be weaponized to modify the Quarkus application configuration via an HTTP POST request to trigger code execution. An unauthenticated attacker can get access to the localhost by exploiting this vulnerability. Quarkus released an advisory for this vulnerability.

CVE Details

CVE: CVE-2022-4116

CVSS: 9.8

CWE ID: CWE-94

Affected Product Count: 3

Patch Link: Download

 

 

Check out this section to track how this threat evolves!

We use our threat intelligence platform driven by Artificial Intelligence (AI) and Machine Learning (ML) models to analyze the vulnerabilities that hackers could potentially exploit. We warn our customers continuously about exposures and prioritize vulnerabilities to facilitate rapid remediation.

Follow our weekly blog and podcast to get proactive alerts on trending threats. Reach out to us if you need help managing your vulnerabilities and exposures.

Leverage our expertise and manage your threats continuously to stay safe from attackers.

Talk to Us!

Share This Post On