Threat and Vulnerability Roundup for the week of August 20th to 26th

Welcome to the Threat and Vulnerability Roundup, a weekly publication from Cyber Writes that provides the most recent news on cybersecurity. Use our wide coverage to stay up to date.

Critical flaws, exploits, and recent attack techniques are all highlighted. We also cover the latest software updates to keep your devices safe.

This provides an overview of the specific risks that your business faces due to the technology at its core and serves as a guide for enhancing security strategy.

Vulnerability

Cisco NX-OS Software Flaw

A high-severity vulnerability in TACACS+ and RADIUS remote authentication for Cisco NX-OS Software might allow an unauthenticated local attacker to force an affected device to unintentionally reload.

NX-OS is a network operating system for Cisco Systems’ Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network devices. It originated from the SAN-OS operating system developed by Cisco for their MDS switches.

With a CVSS score of 7.1, this vulnerability is tracked as CVE-2023-20168. If exploitation succeeds, the attacker may be able to trigger an unexpected device reload, resulting in a denial of service (DoS) condition.

Apache XML Graphics Batik Flaw

Two Server-Side Request Forgery (SSRF) vulnerabilities were found in Apache Batik, which could allow a threat actor to access sensitive information.

These vulnerabilities exist in Apache XML Graphics Batik and have been assigned CVE-2022-44729 and CVE-2022-44730.

Batik is a Java-based toolkit used for rendering, generating, and manipulating images in the SVG (Scalable Vector Graphics) format.

Ivanti Sentry Flaw

An unauthenticated critical API access vulnerability was found in the Ivanti Sentry interface, which could allow a threat actor to gain access to sensitive APIs that can be used to access the Ivanti administrator portal and configure Ivanti Sentry.

If an attacker succeeds in exploitation, the attacker will be able to configure Ivanti Sentry, execute system commands, or write files onto the system.

Apache Ivy Injection Flaw

A blind XPath injection vulnerability was discovered in Apache Software Foundation Apache Ivy, which allows threat actors to exfiltrate data and access sensitive information that is restricted to only the machine that runs Apache Ivy.

This vulnerability exists in the XML parsing of versions earlier than 2.5.2: while parsing its own configuration files and Maven POMs (Project Object Models), Ivy allows external documents to be downloaded and arbitrary entity references to be expanded.

Junos OS Flaw

Multiple vulnerabilities have been discovered in Junos OS on SRX and EX Series devices, which can be combined to achieve pre-authentication remote code execution. An unauthenticated network-based attacker can exploit these vulnerabilities by chaining them.

SRX Series devices are firewalls used to protect remote offices, branches, campuses, and data centers. EX Series devices are high-performance access and distribution/core-layer switches for enterprise branches.

Juniper Networks has released a security advisory for fixing these vulnerabilities.

Chrome Feature to Alert Malicious Extensions

Google has announced that Chrome 117 introduces a new feature concerning extensions that have been removed from the Chrome Web Store.

Going forward, Chrome will highlight installed extensions that have been removed from the Chrome Web Store for any of the following reasons:

  • The developer has unpublished the extension
  • The extension has been removed due to a policy violation
  • The extension has been marked as malware

WinRAR Flaw

An arbitrary code execution vulnerability was discovered in WinRAR, which can be exploited by opening a specially crafted RAR file. The CVE for this vulnerability is given as CVE-2023-40477, and the severity is 7.8 (High) as per Zero Day Initiative.

This vulnerability was reported to WinRAR by security researcher “goodbyeselene”. WinRAR is an archive manager for the Windows platform used by millions of users worldwide.

New Releases

Wireshark 4.0.8

The most widely used network protocol analyzer in the world, Wireshark, has released version 4.0.8. It is employed for network analysis, troubleshooting, software and communications protocol development, and education.

This new version includes bug fixes, improved protocol support, and a few other improvements.

Kali Linux 2023.3

Kali Linux 2023.3 is now available, and it includes a variety of new packages and tools, as well as the usual upgrades. The release of Kali Linux 2023.3 arrives three months after Kali Linux 2023.2.

This release upgrades the kernel from Debian Bookworm’s long-term supported Linux 6.1 LTS to Linux 6.3, which reached end of life in early July 2023. Even so, the newer kernel should provide better hardware support.

The Kali Linux 2023.3 release adds nine new tools.

Smart Bulbs can be Hacked

The Internet of Things (IoT) is at its peak and rapidly expanding, transforming basic items such as light bulbs and plugs into smart devices that can be controlled from a smartphone.

In 2021, the number of IoT devices exceeded 13.8 billion; by 2025, it is set to double. However, this huge surge also creates a vast attack surface for threat actors, posing security challenges for security analysts.

Federated Learning Based IDS

In today’s digital era, AI (Artificial Intelligence) and ML (Machine Learning) applications are among the key developments.

However, global initiatives like the EU AI Act and the U.S. AI Strategy highlight the importance of ethical AI regulation, especially in cybersecurity.

A report shared with Cyber Security News by a group of cybersecurity analysts consisting of Jose L. Hernandez-Ramos, Georgios Karopoulos, Efstratios Chatzoglou, Vasileios Kouliaridis, Enrique Marmol, Aurora Gonzalez-Vidal, and Georgios Kambourakis describes the latest development in the cybersecurity field: the decentralized learning approach known as “Federated Learning (FL).”

Data Breach

Tesla Data Breach

Tesla designs and manufactures several EV products, but what sets it apart from others is its feature-loaded cars. Among its exceptional characteristics, Tesla offers outstanding quality in its “Auto Pilot” mode car models.

This feature enables a Tesla car to drive itself without any human intervention. However, even with such engineering, Tesla is not entirely perfect.

Recently, Tesla reported a data breach that exposed more than 75,000 users’ information. However, it has been confirmed that this exposure is not a data breach but the result of “insider wrongdoing.”

SEIKO Data Breach

The well-known watch manufacturer Seiko recently disclosed a data breach in August 2023 after being targeted by the notorious threat group BlackCat/ALPHV.

The BlackCat/ALPHV group has been active since 2021 and targets multiple firms across industries. It operates as ransomware-as-a-service.

On August 10, the company notified its customers about a data breach after detecting unauthorized access to its server.

Cyber Attack

Cloud Host Lost All Data

Two cloud hosting providers, CloudNordic and Azero Cloud, both owned by Certiqa Holding, have suffered a cyber attack that resulted in complete data loss for all of their customers.

The attack was reportedly on Friday, April 18, 2023, at around 4 AM, when CloudNordic and Azero Cloud were hit by a ransomware attack in which the threat actors shut down all systems they gained access to, including customer systems, e-mail systems, and customers’ websites.

Both companies stated that they could not, and did not want to, pay the ransom demanded by the threat actors.

Hackers Exploiting Barracuda Zero-Day Flaw

The recent discovery of a zero-day vulnerability (CVE-2023-2868) in Barracuda Networks Email Security Gateway (ESG) appliances has raised significant concern.

CVE-2023-2868 is a remote command injection vulnerability that allows unauthorized execution of system commands with administrator privileges on Barracuda ESG appliances.

Notably, this vulnerability affects ESG versions 5.1.3.001 through 9.2.0.006 in the appliance form factor. The vulnerability is exploited during the email attachment screening process.

NoFilter Tool: Windows Privilege Escalation

Privilege escalation is a commonly employed attack vector in the Windows operating system environment.

Attackers often leverage offensive tools such as Meterpreter, Cobalt Strike, or the Potato family of tools to execute code as “NT AUTHORITY\SYSTEM.”

These tools typically employ token duplication and service manipulation techniques to perform attacks such as tampering with LSASS.

Hackers Threaten Patients Following Cyberattack

One of the renowned hospitals in Israel became the victim of a data breach, and patients were blackmailed for financial gain.

According to an Israel Hayom report, Maayanei HaYeshua Medical Center in Bnei Brak was attacked, and the sensitive data of prominent politicians and others was breached.

The attack happened at the beginning of August, and the cybercriminals are now threatening patients with the release of their private medical records.

Carderbee Hacking Group

An unknown APT group was found to be abusing “Cobra DocGuard” in a supply chain attack to plant the Korplug backdoor (aka PlugX) on the systems of targeted victims.

Cobra DocGuard is a legitimate software package that enables users to manage their Consolidated Omnibus Budget Reconciliation Act documents, and it is developed by “EsafeNet,” a Chinese company.

Cybersecurity experts at Symantec discovered that the threat actors behind this unknown APT group, dubbed “Carderbee,” were using a legitimate Microsoft certificate to sign malware.

Malware Developer Uncovered

Researchers have identified a new Malware-as-a-Service (MaaS) operator called ‘EVLF DEV’ as being behind the creation of CypherRAT and CraxsRAT.

EVLF has been selling CraxsRAT, one of the most dangerous Android RATs available today, for the past three years, with at least 100 lifetime licenses sold to date.

The CYFIRMA research team reports that “RATs can be used by attackers to remotely control a victim’s camera, location, and microphone”.

Over 3,000 Android Malware Samples Evading Detection with Unique Tactics

Android smartphones play a vital role in our daily lives. They help us stay connected and also perform several daily tasks, such as:

  • Shopping
  • Banking
  • Browsing
  • Connections

This also attracts the attention of cybercriminals and threat actors, since smartphones hold our valuable and confidential data.

Lazarus Group Exploiting ManageEngine Flaw

According to Cisco Talos, the Lazarus Group, backed by North Korea, is actively attacking the backbone infrastructure of the internet and entities in the healthcare sector across Europe and the US.

This campaign, the group’s third in under a year, clearly shows that it remains active and keeps reusing the same infrastructure.

Recently, in a report shared with Cyber Security News, security analysts at Cisco Talos found and confirmed that the North Korean state-sponsored threat actor Lazarus Group is actively exploiting the ManageEngine flaw (CVE-2022-47966) to deploy MagicRAT malware.

Raccoon Malware Resurfaces

It has recently come to light that the individuals responsible for developing and distributing the infamous Raccoon Stealer malware have returned to online hacker forums.

This news follows a period of six months where the perpetrators had ceased all activity and remained silent.

The Raccoon Stealer malware works by stealing sensitive information from unsuspecting victims, making this development a cause for concern among cybersecurity professionals and the general public alike.

Flax Typhoon Exploiting OS Tools for Malware Deployment

With the rapid evolution of technology, the threat actors, along with their attacks, are also getting more sophisticated and evolving at an increasing pace, posing a growing threat to vital infrastructure and sensitive data.

Microsoft recently detected a new campaign targeting organizations based in Taiwan with a set of techniques and unusual attack patterns that could be applied globally across several sectors.

In a report shared with Cyber Security News, the cybersecurity analysts at Microsoft have linked this campaign to ‘Flax Typhoon,’ a Chinese nation-state actor that has links with ‘ETHEREAL PANDA.’

Weaponized LNK Files

Threat actors have shifted from using malicious macros to malicious LNK files for initial access. This is due to Microsoft’s announcement in 2022 to disable macros by default for Office documents downloaded from unknown sources or the internet.

The current attack vector uses the Microsoft Connection Manager Profile, which runs the process cmstp.exe for proxying the execution of malicious payloads.

The current campaign resembles the Invicta stealer infection method, but the infection chain varies, indicating that the threat actors have changed their TTPs (Tactics, Techniques, and Procedures).
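As an added illustration of how a defender might hunt for the cmstp.exe proxy-execution pattern described above (example code written for this roundup, not from the original report or any vendor), here is a small Python scan over constructed process-creation events. The event field names, the sample command lines, and the two heuristics (an INF loaded from a user-writable path, and a silent install launched straight from Explorer) are assumptions of this example.

```python
import re

# Constructed sample process-creation events in a flattened Sysmon/EDR-like shape
# (field names and command lines are assumptions of this example, not from the article).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\invoice.inf"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r'cmstp.exe /s "C:\ProgramData\Conn Mgr\update.inf"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Windows\System32\corpvpn.inf"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe readme.txt"},
]

# Directories a standard user can write to; a connection-manager profile (INF)
# installed from one of these is unusual for a legitimate deployment.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# The INF argument, either quoted (may contain spaces) or a bare token.
INF_ARG = re.compile(r'"([^"]+\.inf)"|(\S+\.inf)\b', re.IGNORECASE)


def suspicious_cmstp(event):
    """Return a reason string when cmstp.exe looks like an execution proxy, else None."""
    if not event["image"].lower().endswith("\\cmstp.exe"):
        return None
    cmd = event["cmdline"]
    match = INF_ARG.search(cmd)
    if match:
        inf_path = match.group(1) or match.group(2)
        if USER_WRITABLE.search(inf_path):
            return f"cmstp.exe installing INF from user-writable path: {inf_path}"
    # A silent (/s) install whose parent is Explorer is consistent with a user
    # double-clicking a shortcut (LNK) rather than an administrative deployment.
    if "/s" in cmd.lower().split() and event["parent"].lower().endswith("\\explorer.exe"):
        return "silent cmstp.exe run launched directly from Explorer"
    return None


def scan(events):
    """Return (cmdline, reason) pairs for every event that trips a heuristic."""
    return [(e["cmdline"], reason) for e in events if (reason := suspicious_cmstp(e))]
```

Running scan(SAMPLE_EVENTS) flags the two INF installs from user-writable directories and leaves the System32 profile install and the notepad event alone.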

Roblox Developers Targeted

In a striking parallel to a 2021 attack, researchers have uncovered a resurgence of malicious packages on the npm repository, targeting developers using the Roblox API. 

These malicious packages deploy the notorious Luna Grabber, an open-source information-stealing malware, adding yet another layer of sophistication to a campaign that raises red flags for software supply chain security. 

XLoader Malware Attacking macOS

XLoader has been serving as a particularly persistent and adaptable threat since 2015. With its roots deeply ingrained in the digital landscape, XLoader has undergone a transformative evolution that demands the attention of security experts. 

In this comprehensive analysis, SentinelOne dissects the latest iteration of XLoader—a macOS variant posing as the innocuous ‘OfficeNote’ app. 

This new version, developed natively in C and Objective C programming languages, flaunts its insidious sophistication through strategic distribution, intricate obfuscation techniques, and advanced evasion maneuvers. 

Weaponizing QR Codes to Steal Microsoft Credentials

A recent discovery highlights a significant QR code phishing campaign that targets Microsoft credentials across various industries. 

Notably, a major energy company based in the US is at the forefront of this attack, underscoring the importance of robust security practices to combat evolving threats. 

This article provides an in-depth analysis of the campaign, its targets, tactics, and potential countermeasures.

Phishing Attack Targets Zimbra Email Users

A group of researchers recently published details of a significant mass-spreading phishing campaign targeting Zimbra account users, shedding light on an operation that has been active since April 2023.

This article delves into the intricate details of this operation, highlighting its targets, methodology, and geographic impact.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.