CSW's Threat Intelligence - Mar 13, 2023 - Mar 17, 2023
Trending Threats
IceFire Ransomware Targets Linux Devices
IceFire ransomware, previously focused on Windows, has released malware that infects Linux devices. The ransomware gang has already deployed these samples in a number of organizations worldwide. The new ransomware encrypts files on the Linux system, but not all of them: specific paths remain unencrypted so that critical system parts stay operational. IceFire targets CVE-2022-47986, the IBM Aspera vulnerability, to gain initial access.
CISA Adds CVE-2021-39144 and CVE-2020-5741 to the KEV list
CVE-2021-39144 is a critical VMware XStream flaw that can allow attackers to execute code remotely.
A proof of concept is already available publicly and there is evidence that this vulnerability is exploited in the wild.
CVE-2020-5741 is the Plex bug that was exploited in the LastPass breach. It allows attackers with admin privileges to execute arbitrary code remotely in low-complexity attacks. The attackers do not need user interaction for exploitation. LastPass was hacked in 2022 using this vulnerability and installing a keylogger.
CISA added both vulnerabilities to the Known Exploited Vulnerabilities (KEV) list on Mar 10, 2023 and requires federal organizations to patch them.
CVE-2023-23397 is a Microsoft zero-day for which new exploits are springing up every day. This critical Outlook vulnerability requires no user interaction to exploit and lets attackers capture the recipient's Net-NTLMv2 hash (the response in the challenge-response protocol used for authentication in Windows environments) and thereby authenticate as the victim.
This needs to be patched by March 4, 2023.
CVE-2023-24880 is another Microsoft vulnerability, one that allows attackers to bypass the Windows SmartScreen feature. It can be exploited by crafting a malicious file that evades the Mark of the Web (MOTW) defenses. There is evidence that it is actively exploited in the wild.
This needs to be patched by March 4, 2023.
CVE-2022-41328 is a FortiOS zero-day that is being exploited in attacks targeting government and large organizations. It allows threat actors to execute unauthorized code or commands, leading to OS and file corruption and data loss.
This needs to be patched by March 4, 2023.
CVE-2023-26360, a security vulnerability impacting Adobe ColdFusion, allows remote code execution on compromised devices. CISA has issued a warning to organizations to identify and patch this vulnerability immediately.
This needs to be patched by March 5, 2023.
Telerik Vulnerability Under Active Exploitation
A US federal agency was recently breached by unknown threat actors who exploited the deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX. The vulnerability can allow attackers to remotely execute code on the compromised servers. The attack occurred sometime between November 2022 and early January 2023. Once the threat actors gained initial access, they deployed malicious payloads, which were used to steal data from the device and evade detection. Microsoft fixed this vulnerability in November 2021, but the agency had not applied the patch and so fell victim to this attack.
Apart from CVE-2019-18935, the threat actors also target CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248.
North Korean Threat Actors Exploit ASUS Vulnerability
The North Korean state-sponsored attack group dubbed UNC2970 has introduced three new code families: TOUCHMOVE, SIDESHOW, and TOUCHSHIFT.
They targeted security researchers in an attack campaign which began in June 2022.
In this campaign, called Dream Job, the attackers sent spear-phishing emails
For further intrusions, UNC2970 used an in-memory-only dropper called LIGHTSHIFT, which facilitates the distribution of another piece of malware codenamed LIGHTSHOW.
FBI Publishes a Warning Against LockBit
In its #StopRansomware campaign, the FBI released the latest advisory on the LockBit ransomware gang. In its recent round of attacks, the gang used Stealbit, a custom exfiltration tool; rclone, an open-source command-line cloud storage manager; and publicly available file-sharing services such as MEGA. The gang compromises victims' systems and networks to exfiltrate data and demand ransom. The FBI's advisory contains all the IOCs and TTPs used by the LockBit gang.
For further information about the attacks and vulnerabilities LockBit uses, refer to our detailed blog, All About LockBit Ransomware.
BianLian Changes Extortion Technique
The BianLian ransomware gang, which began targeting victims in July 2022, had used the double extortion technique on its victims until now. In this technique, data is first exfiltrated from the victims' devices and then the files are encrypted. The victim is required to pay a ransom both to keep the exfiltrated data from being published and to decrypt their files. However, in January 2023, Avast released a free decryptor tool to help victims recover files encrypted by the ransomware. This served as a blow to the gang's operation, prompting them to change their extortion technique. The gang now demands a ransom by threatening to release the data exfiltrated from the victims' devices.
BianLian exploits CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 to gain access to victims’ systems.
Vulnerabilities to Watch Out For
Several Vulnerabilities in Jenkins Server
A chain of vulnerabilities in Jenkins Server and Update Center was recently discovered. An attacker can execute arbitrary code in a compromised server by exploiting these vulnerabilities.
Tracked as CVE-2023-27898 and CVE-2023-27905, they are called CorePlague and can also allow attackers to impact self-hosted Jenkins servers.
Jenkins patched these vulnerabilities on Feb 15, 2023 and recommends that users apply the fixes to mitigate the risk.
FortiOS Zero-Day Vulnerability
CVE-2022-41328 is a high-severity vulnerability in FortiOS that is actively exploited by threat actors. An authenticated attacker can exploit it to read and write arbitrary files by sending crafted CLI commands. Fortinet has patched this vulnerability in FortiOS version 6.4.12 and above.
Threat actors are targeting government networks that run unpatched versions of FortiOS.
Several Vulnerabilities in SAP
SAP fixed 5 critical vulnerabilities in its products along with 14 other bugs. Given below are the details of the critical vulnerabilities:
CVE-2023-25616 is a code injection vulnerability impacting the SAP Business Intelligence Platform. It allows an attacker to access resources only available to privileged users.
CVE-2023-23857 is an information disclosure, data manipulation, and DoS flaw affecting SAP NetWeaver AS for Java, version 7.50. It allows an unauthenticated attacker to perform unauthorized operations by attaching to an open interface and accessing services via the directory API.
CVE-2023-27269 is a directory traversal problem in SAP NetWeaver Application Server for ABAP. The flaw allows a non-admin user to overwrite system files.
CVE-2023-27500, a directory traversal in SAP NetWeaver AS for ABAP allows an attacker to overwrite system files, causing damage to the vulnerable endpoint.
CVE-2023-25617 is a command execution vulnerability in SAP Business Objects Business Intelligence Platform. The flaw allows a remote attacker, under certain conditions, to execute arbitrary commands on the OS using the BI Launchpad, the Central Management Console, or a custom application based on the public Java SDK.
SAP users are recommended to patch all these vulnerabilities at the earliest.
Microsoft Patch Tuesday
Microsoft patched 83 vulnerabilities on March 14, 2023. These included 2 zero-days, 21 privilege escalation vulnerabilities, and 27 remote code execution vulnerabilities.
The two zero-days are already exploited in the wild. They are:
CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability
This flaw allows attackers to force the victim's system to connect to an external UNC location by sending specially crafted emails. Once the connection is made, the victim's Net-NTLMv2 hash can be obtained, and with it the attacker can connect to another service and authenticate as the victim.
This vulnerability is said to be exploited by STRONTIUM, a state-sponsored Russian hacking group.
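The CVE-2023-23397 items above (in the KEV section and here) describe the same mechanism: a crafted email makes Outlook reach out to an external UNC location, and the Net-NTLMv2 response leaks to whoever answers. UNC access rides on SMB, so a workstation opening TCP 445 to a public address is a useful hunting signal while patches roll out. The script below is an added example, not code from CSW or Microsoft: it parses a constructed firewall log format (the field layout and all sample lines are made up for this illustration) and flags SMB egress to addresses outside RFC 1918, loopback, and link-local ranges. The documentation-range addresses 203.0.113.x and 192.0.2.x stand in for public destinations.

```python
"""
Hunt for outbound SMB connections to non-internal destinations.

Added example for the CVE-2023-23397 write-up. The log format below is a
constructed stand-in for a firewall export; adapt parse_line() to your own.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed format: "<ts> action=<allow|deny> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# TCP 445 carries SMB directly; 139 is NetBIOS session service (legacy SMB).
SMB_PORTS = {445, 139}

# Ranges we treat as internal. Anything else is a candidate for review.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(ip: str) -> bool:
    """True when the address falls outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_smb(lines: List[str]) -> List[Dict[str, str]]:
    """Keep TCP records whose destination port is SMB and destination is external.

    Denied connections are kept too: the attempt itself shows a client was
    induced to reach out, which is the behaviour worth investigating.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"].lower() != "tcp" or int(rec["dport"]) not in SMB_PORTS:
            continue
        if is_external(rec["dst"]):
            hits.append(rec)
    return hits


def sources_by_destination(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group offending source hosts under each external destination."""
    grouped: Dict[str, List[str]] = {}
    for rec in hits:
        grouped.setdefault(rec["dst"], []).append(rec["src"])
    return grouped


# Constructed sample log: one internal file-server hit, two external SMB
# attempts (one allowed, one denied), one HTTPS flow, one UDP flow to 445.
SAMPLE_LOG = [
    "2023-03-14T09:12:01Z action=allow proto=tcp src=10.20.30.40:51234 dst=10.20.1.5:445",
    "2023-03-14T09:12:07Z action=allow proto=tcp src=10.20.30.40:51240 dst=203.0.113.25:445",
    "2023-03-14T09:12:09Z action=allow proto=tcp src=10.20.30.41:51301 dst=198.51.100.9:443",
    "2023-03-14T09:13:15Z action=deny proto=tcp src=10.20.30.42:51377 dst=192.0.2.77:445",
    "2023-03-14T09:13:20Z action=allow proto=udp src=10.20.30.42:51380 dst=192.0.2.77:445",
]

if __name__ == "__main__":
    for dst, srcs in sources_by_destination(find_external_smb(SAMPLE_LOG)).items():
        print(f"external SMB destination {dst} contacted by {', '.join(srcs)}")
```

Run against a real export, the allowed 445 flow to 203.0.113.25 is the one to pivot on: which mailbox on 10.20.30.40 received a message shortly before 09:12, and does the message carry a UNC reference. Blocking TCP 445 egress at the perimeter turns future attempts into the denied variety, which the function still surfaces.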
CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-24880 can be exploited to create executables that bypass the Windows Mark of the Web security warning. Threat actors use stand-alone, signed JavaScript (.JS) files with a malformed signature to exploit the vulnerability.
Magniber has been exploiting CVE-2023-24880.
Check out this section to track how these threats evolve!