Feb 27 2023

Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities

Description

The MyloBot botnet, which emerged in 2017 and is known for its anti-analysis techniques, has compromised thousands of systems globally, with most of them located in India, the U.S., Indonesia, and Iran, according to cybersecurity firm BitSight. The botnet has the ability to download and execute any type of payload, making it a significant threat. MyloBot is also capable of functioning as a downloader and sending extortion emails from hacked endpoints. It employs a multi-stage sequence to unpack and launch the bot malware, and it sits idle for 14 days before attempting to contact the command-and-control (C2) server to avoid detection. The primary function of the botnet is to establish a connection to a hard-coded C2 domain embedded within the malware and await further instructions. When MyloBot receives an instruction from the C2, it transforms the infected computer into a proxy, allowing it to handle many connections and relay traffic sent through the command-and-control server. BitSight found connections between MyloBot’s infrastructure, and a residential proxy service called BHProxies, suggesting that the compromised machines are being used by the latter. BitSight has been sinkholing MyloBot since November 2018 and has observed the botnet evolving over time.

Infected Technology

Proxy Servers, Personal Computers, and internet connected devices.

Source

https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet

Recommendation

• Keep your software up to date
• Use strong and unique passwords
• Enable multi-factor authentication
• Use reputable antivirus or anti-malware software
• Avoid opening suspicious emails or files

IBM Aspera Faspex Code Execution Vulnerability

Description

A security flaw was found in IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier, which could give hackers the ability to execute arbitrary code on the system. The flaw was due to an issue in YAML deserialization, which is the process of converting a YAML file into a usable object in a programming language. By sending an obsolete API call to the system, attackers could trigger the deserialization process and run unauthorized code on the system, potentially allowing them to gain control of the system or steal sensitive information. IBM has released version 4.4.2 Patch Level 2, which resolves the vulnerability by removing the obsolete API call. To avoid such attacks, users are advised to update their systems to the latest version. This vulnerability was identified and reported by IBM’s X-Force security team, with the identification number243512. The incident highlights the importance of continuous security assessments and software updates to prevent similar attacks.

Infected Technology

IBM Aspera Faspex

Source

https://www.cisa.gov/known-exploited-vulnerabilities-catalog https://exchange.xforce.ibmcloud.com/vulnerabilities/243512

Recommendation

• Upgrade to the latest version.
• Conduct regular security assessments.
• Provide employee training on cybersecurity best practices.
• Have an incident response plan.
• Use multi-factor authentication.
• Monitor system logs.

Apple Warns of 3 New Vulnerabilities Affecting iPhone, iPad, and Mac Devices

Description

Apple recently released revised security advisories containing information about three new vulnerabilities affecting iOS, iPadOS, and macOS. The first flaw involves a race condition in the Crash Reporter component that could enable unauthorized access to arbitrary files as root. Apple fixed this issue by including additional validation. The other two vulnerabilities, identified by a researcher at Trellix, involve bypassing code signing to execute arbitrary code in the context of several platform applications, potentially leading to a sandbox escape and escalation of privileges. The vulnerabilities could enable attackers to access sensitive data such as the calendar, address book, messages, location data, call history, camera, microphone, and photos, and even install arbitrary applications or wipe the device. Apple resolved these issues by improving memory handling in the Foundation framework, and the latest iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2 updates address them.

Infected Technology

iOS, iPadOS, and macOS

Source

https://www.trellix.com/en-us/about/newsroom/stories/research/trellix-advanced-research-center-discovers-a-new-privilege-escalation-bug-class-on-macos-and-ios.html https://support.apple.com/en-us/HT213597

Recommendation

Players of Dota 2 should update their game to the latest version and should be cautious when downloading custom game modes or other user-generated content, especially from untrusted sources.

CVE ID

CVE-2023-23520 CVE-2023-23530 CVE-2023-23531

Hackers now exploit critical FortiNET bug to backdoor servers

Description

There is a security vulnerability (CVE-2022-39952) in Fortinet’s FortiNAC webserver, which can be exploited for remote command execution by threat actors. The vulnerability affects multiple versions of FortiNAC, and the only way to thwart attack attempts is to update to the latest available versions that address the vulnerability. Attackers have already started targeting unpatched FortiNAC appliances with CVE-2022-39952 exploits, and the attacks have been confirmed by multiple cybersecurity companies. The ongoing attacks match the capabilities of a proof-of-concept (PoC) exploit released by the Horizon3security researchers. The attacks can enable initial access to the corporate network, and attackers are using cron jobs to open reverse shells to their IP addresses. In the past, Fortinet has warned customers to patch other actively exploited security bugs (CVE-2022-42475 and CVE-2022-40684) in its products. Recently, attackers have started to install fortii.jsp and shell.jsp web shells on compromised FortiNAC devices.

Infected Technology

FortiNAC devices

Source

https://www.bleepingcomputer.com/news/security/hackers-now-exploit-critical-fortinet-bug-to-backdoor-servers/

Recommendation

• Update FortiNAC appliances to latest available versions that address the CVE-2022-39952 vulnerability.
• Stay vigilant and monitor for any suspicious activity on the network.
• Implement additional security measures, such as access controls, firewalls, and intrusion detection systems.

CVE ID

CVE-2022-39952 CVE-2022-42475 CVE-2022-40684

VMware warns admins of critical Carbon Black App Control flaw

Description

VMware has issued a critical security update to address a serious vulnerability (CVE-2023-20858) affecting multiple versions of Carbon Black App Control for Windows. This flaw allows an attacker with privileged access to the administration console to gain access to the operating system using specially crafted input. The severity rating for this vulnerability is 9.1 out of 10, and VMware strongly recommends that administrators upgrade to safe versions of the product (8.9.4, 8.8.6, and 8.7.8 or later). In addition, VMware has fixed a high-severity XXE injection vulnerability (CVE-2023-20855) that could allow an attacker to bypass XML parsing restrictions and access sensitive information or perform privilege escalation.

Infected Technology

VMware

Source

https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-critical-carbon-black-app-control-flaw/

Recommendation

• Keep software up to date with the latest security patches and best practices.
• Implement security measures such as firewalls, intrusion detection/prevention systems, and security monitoring to help detect and prevent attacks.

CVE ID

CVE-2023-20858 CVE-2023-20855

Unauthenticated Insecure Deserialization Vulnerability In Word-press BuddyForms

Description

The vulnerability involves the function ‘buddyforms_upload_image_from_url()’, which takes in a parameter named ‘url’. This function is vulnerable to a type of attack known as “deserialization of untrusted input”. Essentially, this means that an attacker can submit a malicious input (in this case, a specially crafted value for the ‘url’ parameter) that can be deserialized by the function in unintended ways. In particular, the vulnerability allows an unauthenticated attacker to call files using a PHAR wrapper. PHAR is a file format used for archiving PHP code. By using the PHAR wrapper, an attacker can force PHP to deserialize data in a specific way that allows them to call arbitrary PHP Objects. This is dangerous because arbitrary PHP Objects can be used to perform a variety of malicious actions, such as executing arbitrary code on the server, stealing sensitive data, or modifying server configurations.

Infected Technology

Word-Press Plugin (BuddyForms)

Source

https://www.tenable.com/security/research/tra-2023-7

Recommendation

• Update to plugin 2.8.7

CVE ID

CVE-2023-26326