InfoSec Weekly

Jan 15, 2023

Table Of Contents

Experts Detail Chromium Browser Security Flaw Putting Confidential Data at Risk

Description

A vulnerability, named SymStealer, was found in Google Chrome and Chromium-based browsers by Imperva researcher Ron Masas. This vulnerability could have allowed attackers to steal sensitive files by bypassing the program’s file system restrictions. Google has released fixes for this vulnerability in versions 107 and 108 in October and November 2022. The vulnerability can be exploited by tricking victims into visiting a fake website and downloading a ZIP archive file containing a symlink to valuable files or folders on the victim’s computer, such as wallet keys and credentials.

Infected Technology

Google chrome and Chromium-based browsers

Source

https://thehackernews.com/2023/01/experts-detail-chromium-browser.html

Recommendation

Update to the latest version of Google Chrome or Chromium-based browsers. Use anti-virus and anti-malware software to help protect against malicious files and websites. Keep your computer and all your programs updated.

CVE ID

CVE-2022-3656


FortiOS Flaw Exploited as Zero-Day in Attacks on Government and Organizations.

Description

A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting governments and other large organizations. “The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” Fortinet researchers said in a post-mortem analysis published this week. The attacks entailed the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw that could enable an unauthenticated remote attacker to execute arbitrary code via specifically crafted requests. The infection chain analyzed by the company shows that the end goal was to deploy a generic Linux implant modified for FortiOS that’s equipped to compromise Fortinet’s intrusion prevention system (IPS) software and establish connections with a remote server to download additional malware and execute commands. Fortinet said it was unable to recover the payloads used in the subsequent stages of the attacks. It did not disclose when the intrusions took place.

Infected Technology

FortiOS SSL-VPN

Source

https://thehackernews.com/2023/01/fortios-flaw-exploited-as-zero-day-in.html

Recommendation

Keeping Software updated and Monitor the relevant CVE ID for possible exploitation.

CVE ID

CVE-2022-42475


Qualcomm UEFI Flaws Expose Microsoft, Lenovo, Samsung Devices to Attacks

Description

Many devices manufactured by Microsoft, Lenovo, Samsung, and maybe others are vulnerable to potentially significant UEFI firmware vulnerabilities in Qualcomm Snapdragon CPUs. Qualcomm released updates for a dozen vulnerabilities this week, including five connection and boot-related flaws found by researchers from firmware security firm Binarly. Binarly founder and CEO Alex Matrosov told SecurityWeek that when evaluating the firmware for Lenovo Thinkpad X13s laptops powered by the Qualcomm Snapdragon system- on-a-chip, they uncovered a total of nine vulnerabilities (SoC). Further investigation indicated that, while some of the nine issues are unique to Lenovo devices, five of them affect Qualcomm reference code, implying that the vulnerabilities also exist in laptops and other devices that use Snapdragon CPUs. The Snapdragon CPU is built on the Arm architecture, and Matrosov claims this is the first time UEFI firmware vulnerabilities in the Arm device ecosystem have been disclosed. The DXE driver was found to have two sorts of vulnerabilities: stack-based buffer overflows and out-of-bounds read concerns. According to Lenovo’s alert, these can be abused by local attackers with elevated rights.

Infected Technology

Qualcomm UEFI

Source

https://www.securityweek.com/qualcomm-uefi-flaws-expose-microsoft-lenovo-samsung-devices-attacks

Recommendation

Apply security updates when they become available from device makers.

CVE ID

CVE-2022-40516 CVE-2022-40517 CVE-2022-40520 CVE-2022-40518 CVE-2022-4432 CVE-2022-4433 CVE-2022-4434 CVE-2022-40519 CVE-2022-4435


Hackers exploit Control Web Panel flaw to open reverse shells

Description

In the Control Web Panel (CWP) server management tool, there is a critical vulnerability that hackers are using. The security flaw was given the CVE-2022-44877 identification number and a critical severity rating of 9.8 out of 10. More than 400,000 internet-accessible instances are found when searching for CWP servers on Shodan. According to researchers, 38,000 new CWP instances are reported daily. The worst part of using CVE-2022-44877 in attacks is how simple it has become, especially since the exploit code was made available to the public. The only thing left for hackers to do is locate weak targets. On October 25, 2022, CWP version 0.9.8.1147, which fixes this problem, was released. While some only look for machines that are vulnerable, perhaps to get a head start on future attacks, not all hackers are that quick.

Infected Technology

Control Web Panel

Source

https://www.bleepingcomputer.com/news/security/hackers-exploit-control-web-panel-flaw-to-open-reverse-shells/

Recommendation

Update to the latest version available.

CVE ID

CVE-2022-44877


Kubernetes clusters hacked in malware campaign via PostgreSQL

Description

Kinsing malware is currently actively breaching Kubernetes clusters by exploiting known flaws in container images and unprotected PostgreSQL containers. While these approaches aren’t new, Microsoft’s Defender for Cloud team sees an increase recently, indicating that threat actors are actively hunting for specific entry points. Kinsing is a Linux virus that has a history of targeting containerized settings for crypto mining, using the hardware resources of the compromised server to earn cash for the threat actors. Kinsing’s threat actors are recognized for breaching targets and establishing persistence by exploiting known vulnerabilities such as Log4Shell and, more recently, an Atlassian Confluence RCE. According to Microsoft, there has been an increase in the usage of two approaches by Kinsing operators to get initial access to a Linux server: exploiting a vulnerability in container images or misconfigured PostgreSQL database servers. When exploiting image vulnerabilities, threat actors look for remote code execution weaknesses that would allow them to push their payloads.

Infected Technology

Kubernetes

Source

https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/

Recommendation

Update to the latest version of PostgreSQL. Ensure that Kubernetes clusters are configured with appropriate security settings

CVE ID

CVE-2020-14882 CVE-2020-14750 CVE-2020-14883


Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability

Description

Most internet-exposed Cacti servers have not been patched against a critical security vulnerability that has come under active exploitation in the wild. Out of a total of 6,427 servers, only 26 were found to be running a patched version of Cacti. The vulnerability, known as CVE-2022-46169, is a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution. The vulnerability impacts versions 1.2.22 and below and was first revealed by Sonar Source. The public disclosure of the vulnerability has also led to “exploitation attempts,” with malicious attacks originating from one IP address located in Ukraine. Additionally, SugarCRM shipped fixes for a publicly disclosed vulnerability that has also been actively weaponized to drop a PHP-based web shell on 354 unique hosts. It is important for users to move quickly to patch these vulnerabilities to prevent potential attacks.

Infected Technology

Cacti Servers

Source

https://thehackernews.com/2023/01/cacti-servers-under-attack-as-majority.html

Recommendation

Regularly check and update software versions to protect against known vulnerabilities. Apply fixes for the publicly disclosed vulnerability in SugarCRM.

CVE ID

CVE-2022-46169


call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us