Jan 22, 2023

Cisco Issues Warning for Unpatched Vulnerabilities in EoL Business Routers

Description

Cisco has warned of two security vulnerabilities that affect its Small Business RV016, RV042, RV042G, and RV082 routers, which are end-of-life (EoL) products. These vulnerabilities are in the router’s web-based management interface and allow a remote attacker to bypass authentication or execute malicious commands on the operating system. The most severe of the two vulnerabilities is CVE-2023-20025, which has a CVSS score of 9.0 and is caused by improper validation of user input in incoming HTTP packets. Cisco has stated that it will not release software updates to address these vulnerabilities and recommends that administrators disable remote management and block access to ports 443 and 60443 as a workaround. However, the company advises users to determine the effectiveness of these mitigations in their own environment.

Infected Technology

Small Business RV016, RV042, RV042G, and RV082 routers.

Source

https://thehackernews.com/2023/01/cisco-issues-warning-for-unpatched.html

Recommendation

Disable remote management on the affected routers. Block access to ports 443 and 60443 on the affected routers. Keep your network and systems up to date with the latest security patches and updates.

CVE ID

CVE-2023-20025 CVE-2023-20026

Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems

Description

Three malicious packages that are intended to install malware on targeted developer workstations have been uploaded to the Python Package Index (PyPI) repository by a threat actor going by the handle Lolip0p. The author released the following packages between January 7 and January 12 of 2023: colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12). The modules have identical setup scripts that launch PowerShell and a malicious binary (“Oxzy.exe”) that is stored on Dropbox. Once launched, the executable causes the following stage, also a binary with the name update.exe, to be retrieved and run in the Windows temporary folder ("%USER%AppDataLocalTemp"). The update.exe file has been identified by multiple antivirus providers as a dangerous program that can steal personal information and potentially drop additional binaries, one of which has been identified by Microsoft as Wacatac. This trojan has the capability to execute various harmful actions chosen by a hacker, such as delivering ransomware or other harmful payloads on the affected computer.

Infected Technology

Developers’ system

Source

https://thehackernews.com/2023/01/researchers-uncover-3-pypi-packages.html

Recommendation

Be caution when downloading and running packages from untrusted authors

CISA Warns of Flaws Affecting Industrial Control Systems from Major Manufacturers

Description

The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts about various significant security issues discovered in industrial control systems from various manufacturers, such as Sewio, InHand Networks, Sauter Controls, and Siemens. These vulnerabilities include things like built-in passwords, command injection, and out-of-bounds write vulnerabilities, which could be used by attackers to gain unauthorized access to servers, change information, disrupt services, elevate privileges, and run arbitrary code. CISA suggests that organizations should locate and repair these vulnerabilities and follow security best practices to prevent attacks.

Infected Technology

Sewio, InHand Networks, Sauter Controls and Siemens.

Source

https://thehackernews.com/2023/01/cisa-warns-for-flaws-affecting.html

Recommendation

Locate and repair vulnerabilities in industrial control systems. Regularly update software and firmware. Implement strong authentication and access controls. Monitor network traffic and investigate suspicious activity.

CVE ID

CVE-2022-45444 CVE-2022-47911 CVE-2022-43483 CVE-2022-43489 CVE-2022-46823 CVE-2023-0052 CVE-2023-0053

New Backdoor Created Using Leaked CIA’s Hive Malware Discovered in the Wild

Description

A new malware called xdr33 has been discovered by Chinese cybersecurity firm Qihoo Netlab 360. The malware, which is a variant of the CIA’s Hive malware, was found to be exploiting an unspecified vulnerability in F5 appliances. The malware is designed to harvest sensitive information and act as a launchpad for further intrusions. It uses SSL and forged Kaspersky certificates to communicate with a command-and-control server and has added new capabilities such as the ability to download and upload files and update itself to avoid detection. The malware also includes a Trigger module that listens for specific network traffic and extracts a C2 server IP address for further communication, which is encrypted using a Diffie-Hellman key exchange and AES algorithm.

Infected Technology

F5 products

Source

https://thehackernews.com/2023/01/new-backdoor-created-using-leaked-cias.html

Recommendation

Keep software and systems updated. Conduct regular vulnerability scans.

Git Users Urged to Update Software to Prevent Remote Code Execution Attacks.

Description

Updates have been made available by the Git source code version management system’s maintainers to patch two serious security holes that attacker may use to execute code remotely. The most serious flaw permits clone or pull operations to cause a heap-based memory corruption, which might lead to code execution. An integer overflow bug that occurs during the formatting of the commit logs causes a serious vulnerability that may be exploited during an archive operation and result in code execution. Numerous integer-related problems that might result in out-of-bound reads, denial-of-service attacks, or just poorly handled corner cases on big inputs have been discovered, according to X41 D-Sec.

Infected Technology

Git source code version control system.

Source

https://thehackernews.com/2023/01/git-users-urged-to-update-software-to.html

Recommendation

It is recommended to use 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).

CVE ID

CVE-2022-23521, CVE-2022-41903