Feb 12, 2023

CISA Warns of Active Attacks Exploiting Fortra MFT, TerraMaster NAS, and Intel Driver Flaws

Description

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active abuse in the wild. The first vulnerability is CVE-2022-24990, which affects TerraMaster network-attached storage (TNAS) devices and could result in unauthenticated remote code execution with the highest privileges. This vulnerability has been weaponized by North Korean nation-state hackers to attack healthcare and critical infrastructure entities with ransomware. The second vulnerability is CVE-2015-2291, an unspecified flaw in the Intel ethernet diagnostics driver for Windows that could cause a denial-of-service state. The third vulnerability is a remote code injection discovered in Fortra’s GoAnywhere MFT managed file transfer application (CVE-2023-0669) that has been linked to a ransomware operation. Federal Civilian Executive Branch agencies are required to apply fixes by March 3, 2023, to secure their networks against these active threats.

Infected Technology

TerraMaster network-attached storage (TNAS)

Source

https://thehackernews.com/2023/02/cisa-warns-of-active-attacks-exploiting.html

Recommendation

Install software updates and patches. Segment the network and isolate critical systems. Implement strong access control measures. Regularly back up critical data.

CVE ID

CVE-2022-24990
CVE-2023-0669 CVE-2015-2291

Unpatched Security Flaws Disclosed in Multiple Document Management Systems.

Description

Multiple unpatched security weaknesses have been discovered in four companies’ open source and freemium Document Management System (DMS) offerings: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM. The eight flaws provide a way by which “an attacker may persuade a human operator to save a malicious document on the platform, and once the document is indexed and activated by the user, the attacker has several avenues to control the organization.” Rapid7 researcher Matthew Kienow uncovered the following eight cross-site scripting (XSS) flaws: CVE-2022-47412 - ONLYOFFICE Workspace Search Stored XSS, CVE-2022-47413 and CVE-2022-47414 - OpenKM Document and Application XSS, CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 - LogicalDOC Multiple Stored XSS CVE-2022-47419 - Mayan EDMS Tag Stored XSS. A threat actor can take advantage of the issues by distributing a bogus document, allowing the intruder to expand their influence over the infiltrated network. A common attack strategy would be to steal the session cookie used to authenticate a locally logged in administrator, and then reuse the session cookie to impersonate that user to create a new privileged account.

Infected Technology

LogicalDOC, Mayan, ONLYOFFICE, and OpenKM

Source

https://thehackernews.com/2023/02/unpatched-security-flaws-disclosed-in.html

Recommendation

Exercise caution when importing documents from unknown or untrusted sources. Limit the formation of anonymous, untrusted users. Restrict some functionality such as chats and tagging to known users

CVE ID

CVE-2022-47412 CVE-2022-47413 CVE-2022-47414 CVE-2022-47415

Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages

Description

The US CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2015-2291, CVE-2022-24990, and CVE-2023-0669. CVE-2015-2291 is a denial-of-service flaw in the Intel ethernet diagnostics driver. CVE-2022-24990 is a remote command execution vulnerability in TerraMaster OS, exploited by North Korea-linked APT groups. CVE-2023-0669 is a remote code injection flaw in GoAnywhere MFT. Agencies are required to address the identified vulnerabilities by the due date as per the Binding Operational Directive (BOD) 22-01. Private organizations are recommended to review the Catalog and fix the vulnerabilities in their infrastructure.

Infected Technology

Python Packages

Source

https://securityaffairs.com/142115/hacking/mft-terramaster-intel-driver-flaws-to-its-known-exploited-vulnerabilities-catalog.html

Recommendation

Verify authenticity of packages from open-source repositories. Use secure package managers like pip or npm. Keep system and packages updated to protect against vulnerabilities. Exercise caution when downloading packages, check publisher and user reviews.

OpenSSH addressed a new pre-auth double free vulnerability.

Description

The maintainers of OpenSSH have addressed several security vulnerabilities with the release of version 9.2. One of the issues addressed by the maintainers is a memory safety bug in the OpenSSH server (sshd) tracked as CVE-2023-25136.The vulnerability can be potentially exploited by a remote attacker to execute arbitrary code on the target system. The root cause of the flaw is a boundary error within the sshd(8) daemon. The pre-authentication double-free memory fault was introduced in the release OpenSSH 9.1. The release note published by the maintainers pointed out that this issue is not believed to be exploitable. “OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration; however, the vulnerability discoverer reports that “exploiting this vulnerability will not be easy.”” reads the description for this vulnerability.The vendor believes exploitation of this vulnerability has limitations.

Infected Technology

OpenSSH

Source

https://securityaffairs.com/141907/hacking/openssh-pre-auth-double-free-bug.html

Recommendation

Update to OpenSSH 9.2

CVE ID

CVE-2023-25136

GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks.

Description

A recent exploitation of a zero-day vulnerability in the GoAnywhere Managed File Transfer (MFT) software has been linked by Huntress, a managed endpoint detection and response firm, to the Truebot malware family, which is associated with the Russian-speaking cybercrime group Silence. The group has previously been linked to the distribution of the Cl0p ransomware. The exploitation of the vulnerability requires access to the application’s admin console, and it has been reported that over 1,000 instances of GoAnywhere are internet-exposed, but not all of them are vulnerable. The vulnerability was assigned the identifier CVE-2023-0669 by Rapid7, a cybersecurity firm. The vendor provided mitigation and patch a week after the issue was reported by Fortra on February 1.

Infected Technology

GoAnywhere Managed File Transfer Software

Source

https://www.securityweek.com/goanywhere-mft-zero-day-exploitation-linked-to-ransomware-attacks

Recommendation

Limit admin portal exposure. Monitor for indicators of compromise. Implement multi-factor authentication. Keep software updated.

CVE ID

CVE-2023-0669