Threat Advisory – February 15-22

OPIA Labs - Threat Advisory



CYSEC NEWS


WordPress has taken the rare step of force-updating the UpdraftPlus plugin on all sites to fix a high-severity vulnerability allowing website subscribers to download the latest database backups, which often contain credentials and PII. The vulnerability affects UpdraftPlus versions 1.16.7 to 1.22.2, and the developers fixed it with the release of 1.22.3 or 2.22.3 for the (paid) Premium version.


Reference: https://www.bleepingcomputer.com/news/security/wordpress-force-installs-updraftplus-patch-on-3-million-sites/


Security researchers have created exploit code for CVE-2022-24086, the critical vulnerability affecting Adobe Commerce and Magento Open Source that Adobe patched in an out-of-band update last Sunday. The vulnerability, which Adobe saw being “exploited in the wild in very limited attacks,” received a severity score of 9.8 out of 10, and adversaries exploiting it can achieve remote code execution on affected systems without the need to authenticate. Earlier today, Adobe updated its security advisory for CVE-2022-24086 adding a new issue that is now tracked as CVE-2022-24087, which has the same severity score and can lead to the same result when leveraged in attacks.


Reference: https://www.bleepingcomputer.com/news/security/researchers-create-exploit-for-critical-magento-bug-adobe-updates-advisory/


Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages. The security flaw (tracked as CVE-2022-20653) was found in DNS-based Authentication of Named Entities (DANE), a Cisco AsyncOS Software component used by Cisco Secure Email to check emails for spam, phishing, malware, and other threats. While the security vulnerability can be exploited remotely by unauthenticated attackers, Cisco says the vulnerable DANE email verification component is not enabled by default. Admins can check if DANE is configured by going to the Mail Policies > Destination Controls > Add Destination web UI page and confirming whether the DANE Support option is toggled on. Cisco has also confirmed that CVE-2022-20653 does not impact Web Security Appliance (WSA) and Secure Email and Web Manager or devices without the DANE feature enabled. The company also provided a workaround requiring customers to configure bounce messages from Cisco ESA instead of from downstream dependent mail servers to block exploitation attempts.


Reference: https://www.bleepingcomputer.com/news/security/hackers-can-crash-cisco-secure-email-gateways-using-malicious-emails/


VMware on Tuesday patched several high-severity vulnerabilities impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition.


Reference: https://thehackernews.com/2022/02/vmware-issues-security-patches-for-high.html


Microsoft announced the general availability of hotpatching for Windows Server Azure Edition core virtual machines allowing admins to install Windows security updates on supported VMs without requiring server restarts. The feature works with newly deployed Azure virtual machines running Windows Server 2022 Datacenter: Azure Edition Core Gen2 images and is available in all global Azure regions.


Reference: https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-hotpatching-for-windows-server-azure-vms/


Researchers at Avanan, a Check Point company that secures cloud email and collaboration platforms, found that hackers started to drop malicious executable files in conversations on the Microsoft Teams communication platform. The attacks started in January and the company detected thousands of them. From the data available, most attacks were recorded at organizations in the Great Lakes region in the U.S., local media outlets in particular. In a report today, Avanan says that the threat actor inserts an executable file called “User Centric” into a chat to trick the user into running it. Once executed, the malware writes data into the system registry, installs DLLs, and establishes persistence on the Windows machine.


Reference: https://www.bleepingcomputer.com/news/security/hackers-slip-into-microsoft-teams-chats-to-distribute-malware/


Xenomorph, like Alien and ERMAC, is yet another example of an Android banking trojan that’s focused on circumventing Google Play Store’s security protections by masquerading as productivity apps such as “Fast Cleaner” to trick unaware victims into installing the malware.


Reference: https://thehackernews.com/2022/02/xenomorph-android-banking.html


An analysis of SMS phone-verified account (PVA) services has led to the discovery of a rogue platform built atop a botnet involving thousands of infected Android phones, once again underscoring the flaws with relying on SMS for account validation.


Reference: https://thehackernews.com/2022/02/hackers-exploit-bug-in-sms-verification.html


FortiGuard Labs has identified a campaign operated by Moses Staff, a geopolitically motivated threat group believed to be sponsored by the Iranian government. After tracking this campaign for the last several months, FortiGuard Labs found that the group has been using a custom multi-component toolset for the purpose of conducting espionage against its victims. This campaign exclusively targets Israeli organizations. Close examination reveals that the group has been active for over a year, much earlier than the group’s first official public exposure, managing to stay under the radar with an extremely low detection rate. FortiGuard Labs covers the Techniques, Tactics, and Procedures (TTPs) used by Moses Staff and reveals a new backdoor used by them to download files, execute payloads, and exfiltrate data from target networks, along with threat intelligence data on their activities.


Reference: https://otx.alienvault.com/pulse/620ce6762c243df4fb194d83


In the first month of 2022, the Apache Log4j2 vulnerability outbreak that began in December came to an end, and the number of related attack sources decreased significantly. However, the number of cloud server source IPs attacking old vulnerabilities, such as the Docker Remote API unauthorized access vulnerability and the Fortinet FortiOS unauthorized arbitrary file reading vulnerability, suddenly increased significantly compared with December.


Reference: https://otx.alienvault.com/pulse/6213b203dd1fae0e1c1e389c


In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot payload, the malware established C2 connectivity and created persistence on the beachhead. Successful exploitation of the Zerologon vulnerability (CVE-2020-1472) allowed the threat actors to obtain domain admin privileges. This level of access was abused to deploy additional Cobalt Strike beacons and consequently pivot to other sensitive hosts within the network. The threat actor then exfiltrated sensitive documents from the environment before being evicted from the network.


Reference: https://otx.alienvault.com/pulse/6213b41428f6075711b0261d


As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. Emotet is high-volume malware that often changes and modifies its attack patterns. This latest modification of the Emotet attack follows suit. The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload.

Reference: https://otx.alienvault.com/pulse/620d05df6542c4412e8ff9f7

