March 19 2023

Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities

Description

A newly discovered botnet called GoBruteforcer is causing concern among cybersecurity experts due to its ability to target multiple architectures and exploit a variety of web services. Palo Alto Networks recently reported that the malware, which is based on Golang, is capable of attacking web servers running services such as FTP, MySQL, phpMyAdmin, and Postgres. What makes GoBruteforcer especially dangerous is its ability to deploy an internet relay chat (IRC) bot on the compromised server for communication purposes. This makes it difficult for security researchers to track the botnet’s activity and also allows the attackers to issue commands to the infected machines. The malware is hosted on a legitimate domain and uses classless inter-domain routing (CIDR) block scanning to identify hosts within a network. Once the botnet has identified a target host, it uses brute force to compromise the server using hardcoded credentials. GoBruteforcer is still under development and is packed with UPX Packer. It has a multi-scan module that scans for open ports for targeted services and uses specific credentials to brute-force the server. For phpMyAdmin services, it scans for any open port 80, after which it attempts to deploy the IRC bot for communication. For MySQL and Postgres services, the malware checks for open ports 3306 and 5432, then pings the host’s database using specific credentials. For FTP services, it checks for open port 21 and tries to authenticate using the Goftp library. Once the botnet has successfully compromised a server, it deploys an IRC bot on the system. At a later stage, it uses a PHP web shell to query the victim system. Palo Alto Networks discovered a PHP web shell on the victim servers, which provides attackers with reverse shell and bind shell capabilities. This allows the attackers to gain remote access to the infected machines and execute commands on them.

Infected Technology

Web Servers running phpMyAdmin, MySQL, FTP and Postgres services

Source

https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/

Recommendation

• Use strong passwords that are not susceptible by any brute force attempts.

Google Uncovers 18 Severe Security Vulnerabilities in Samsung Exynos Chips

Description

The discovery of severe security flaws in Samsung’s Exynos chips by Google has raised concerns over the potential remote exploitation of Android smartphones, wearables, and vehicles that use the chipset. The vulnerabilities could be exploited without any user interaction, giving attackers entrenched access to cellular information passing in and out of the targeted device. Though four of the 18 zero-day vulnerabilities are said to be the most severe, the remaining 14 flaws still pose a significant risk, requiring a rogue mobile network insider or an attacker with local access to the device. While Pixel 6 and 7 handsets have already received a fix, other devices may have to wait for patches to become available, prompting users to take precautions like disabling Wi-Fi calling and Voice over LTE until a fix is provided.

Infected Technology

Samsung Exynos Chips

Source

https://thehackernews.com/2023/03/google-uncovers-18-severe-security.html

Recommendation

• Install security updates.
• Disable Wi-Fi calling and Voice over LTE (VoLTE)
• Use a mobile security solution.
• Be cautious with app downloads.
• Stay vigilant for suspicious activity.
• Consider using a different device if a patch is not available for your current device.

9 Critical CVEs, Including Two Actively Exploited Zero Days

Description

In March 2023, Microsoft has released 80 security patches in their latest Patch Tuesday rollout, with 9 labeled as Critical and two zero-day vulnerabilities being actively exploited. One of the zero-day vulnerabilities is a Critical elevation of privilege problem in Microsoft Outlook (CVE-2023-23397), and the other is a Moderate security feature bypass in Windows SmartScreen (CVE-2023-24880). The leading risk type this month is remote code execution, accounting for 40% of all vulnerabilities. The Patch Tuesday has affected Microsoft Windows the most with 56 patches being released. The need for a comprehensive MDR solution and a ready-to-go Incident Response team is emphasized to detect and respond to these vulnerabilities promptly. The actively exploited zero-day vulnerabilities could result in significant disruption and loss of data, emphasizing the importance of having a comprehensive IR plan in place.

Infected Technology

Infected Technology Mircosoft Products

Source

https://www.crowdstrike.com/blog/patch-tuesday-analysis-march-2023/

Recommendation

• Install the latest security patches released by Microsoft.
• Have a ready-to-go Incident Response team in place to minimize the impact of an attack.
• Implement a comprehensive MDR solution to detect and respond to vulnerabilities promptly.

ChatGPT Browser Extension Hijacks Facebook Business Accounts

Description

A fake ChatGPT browser extension was used to compromise thousands of Facebook accounts, including business accounts. The malicious extension not only promised quick access to the ChatGPT AI chatbot but also harvested a wide range of user data, including cookies and session tokens for Google, Twitter, and YouTube. For users with an active authenticated session on Facebook, the extension accessed the Meta Graph API for developers, allowing it to harvest all data associated with the user’s Facebook account and take actions on their behalf.Guardio suggested that the threat actor behind the campaign may sell the harvested information to the highest bidder or create a bot army of hijacked Facebook Business accounts to post malicious ads using victims’ accounts. The malware also had mechanisms to bypass Facebook’s security measures when handling access requests to its APIs.

Infected Technology

Chat GPT, Facebook, Google Chrome

Source

https://www.darkreading.com/application-security/chatgpt-browser-extension-hijacks-facebook-business-accounts

Recommendation

• download extensions from reputable sources
• regularly review and manage the permissions granted to browser extensions.

Fortinet FortiOS Flaw Exploited in Targeted Cyberattacks on Government Entities

Description

An unidentified attacker has targeted government entities and large organizations by exploiting a security flaw in Fortinet FortiOS software, which resulted in data loss and operating system and file corruption. Fortinet researchers have stated that the exploit is highly targeted and suggests that an advanced actor is behind the attack. The vulnerability in question is CVE-2022-41328, which is a medium security path traversal bug in FortiOS that can lead to arbitrary code execution. The attack impacted FortiOS versions 6.0, 6.2, 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3. Fixes are available in versions 6.4.12, 7.0.10, and 7.2.4, respectively. The attack came to light after multiple FortiGate devices belonging to an unnamed customer suffered from a sudden system halt and boot failure, indicating an integrity breach. The attacker modified the device’s firmware image to include a new payload, allowing the malware to establish contact with a remote server, download files, exfiltrate data from the compromised host, and grant remote shell access. The attack is highly targeted, and evidence suggests that the attacker has a deep understanding of FortiOS and the underlying hardware.

Infected Technology

FortiOS

Source

https://thehackernews.com/2023/03/fortinet-fortios-flaw-exploited-in.html

Recommendation

• Patch your software.
• Monitor network for suspicious activity.
• Conduct regular security assessments.

CVE ID

CVE-2022-41328