InfoSec Weekly

April 24, 2023

Table Of Contents

Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies

Description

Transparent Tribe, a Pakistan-based advanced persistent threat (APT) group, has used a fake version of an Indian government 2FA tool called Kavach to deliver a new Linux backdoor malware named Poseidon. Poseidon is a general-purpose backdoor that allows attackers to hijack an infected host, including logging keystrokes, taking screenshots, uploading, and downloading files, and remotely administering the system. Transparent Tribe has previously targeted Indian government organizations, military personnel, defense contractors, and educational entities using trojanized versions of Kavach to deploy various malware such as CrimsonRAT and LimePad. The latest attacks involve a backdoored version of Kavach to target Linux users working for Indian government agencies, and the fake Kavach apps are distributed through rogue websites disguised as legitimate Indian government sites. Users working for the Indian government are advised to double-check URLs received in emails before opening them.

Infected Technology

Kavach

Source

https://thehackernews.com/2023/04/pakistani-hackers-use-linux-malware.html

Recommendation

• Keep software and systems updated. • Use strong passwords and 2FA. • Be cautious of suspicious emails and attachments. • Double-check URLs before clicking. • Use trusted security software. • Train employees on how to avoid phishing scams. • Back up important data regularly. • In case of breach, isolate affected systems and notify authorities.


Cisco and VMware Release Security Updates to Patch Critical Flaws in their Products

Description

Cisco and VMware, two major players in the networking and virtualization industries, have recently released critical security updates to address vulnerabilities in their products. The flaws in question could potentially be exploited by malicious actors to execute arbitrary code on affected systems, resulting in unauthorized access and data breaches.Cisco’s Industrial Network Director product was found to have a command injection flaw and a file permissions vulnerability. The former, tracked as CVE-2023-20036, has a CVSS score of 9.9, making it the most severe of the vulnerabilities. It resides in the web UI component and occurs due to improper input validation when uploading a Device Pack. An attacker who successfully exploits this flaw can execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device. The file permissions vulnerability, tracked as CVE-2023-20039, has a CVSS score of 5.5 and can be abused by an authenticated, local attacker to view sensitive information.VMware’s Aria Operations for Logs product was found to have a deserialization flaw and a command injection flaw. The deserialization flaw, tracked as CVE-2023-20864, has a CVSS score of 9.8 and affects multiple versions of the product. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root. The command injection flaw, tracked as CVE-2023-20865, has a CVSS score of 7.2 and can allow an attacker with admin privileges to run arbitrary commands as root.To address these vulnerabilities, Cisco and VMware have released updates for their affected products. Users are advised to apply the updates as soon as possible to mitigate potential threats. Given the severity of these flaws and the potential consequences of exploitation, it is critical for users to take prompt action to ensure the security of their systems and data.

Infected Technology

Cisco and VMware products

Source

https://thehackernews.com/2023/04/cisco-and-vmware-release-security.html

Recommendation

Apply the updates as soon as possible.

CVE ID

CVE-2023-20036 CVE-2023-20039 CVE-2023-20154 CVE-2023-20864 CVE-2023-20865


Google Chrome Hit by Second Zero-Day Attack

Description

On Tuesday, Google announced that it had rolled out emergency updates to address a high-severity zero-day flaw in its Chrome web browser. The flaw, which is known as CVE-2023-2136, is an integer overflow issue in Skia, a popular open source 2D graphics library. Clément Lecigne, a member of Google’s Threat Analysis Group, discovered and reported the flaw on April 12, 2023.According to the National Vulnerability Database (NVD), the vulnerability in Skia allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape by creating a crafted HTML page. In addition to CVE-2023-2136, Google also addressed seven other security issues with the latest update. Google has acknowledged the active exploitation of the flaw but has not provided further details to prevent additional exploitation. The development marks the second time this year that a zero-day vulnerability has been exploited in Chrome by malicious actors. Google patched CVE-2023-2033 last week, just a few days before the announcement of CVE-2023-2136, and it is not yet clear whether the two zero-day vulnerabilities have been used in conjunction with each other. As a precautionary measure, users of the Chrome browser are recommended to upgrade to version 112.0.5615.137/138 for Windows, 112.0.5615.137 for macOS, and 112.0.5615.165 for Linux to mitigate potential threats. Furthermore, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are advised to apply the fixes as and when they become available to protect themselves from potential exploitation.

Infected Technology

Google Chrome

Source

https://thehackernews.com/2023/04/google-chrome-hit-by-second-zero-day.html

Recommendation

Upgrade to version 112.0.5615.137/138 for Windows, 112.0.5615.137 for macOS, and 112.0.5615.165 for Linux to mitigate potential threats. Apply patches for Chromium-based browsers as soon as possible.

CVE ID

CVE-2023-2136

Alibaba Cloud’s PostgreSQL databases were discovered to have two significant security flaws.

Description

Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL had two major security flaws, known as BrokenSesame, that could have allowed unauthorized access to sensitive customer data and breached tenant isolation protections. The vulnerabilities included a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS, which could have allowed attackers to obtain unauthorized access to the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node. The cloud security firm Wiz reported these vulnerabilities to Alibaba Cloud in December 2022, and the company deployed mitigations on April 12, 2023, to address the issues. While there is no evidence of these vulnerabilities being exploited in the wild, they highlight the importance of addressing common cloud security issues such as misconfigurations, weak credentials, unpatched vulnerabilities, and malicious open-source software packages.

Infected Technology

ApsaraDB and AnalyticDB

Source

https://thehackernews.com/2023/04/two-critical-flaws-found-in-alibaba.html

Recommendation

• Apply security patches and updates regularly. • Conduct regular security audits. • Implement access controls and segregation of duties. • Use strong passwords and multi-factor authentication. • Use encryption to protect sensitive data in transit and at rest


Fortra shares findings on GoAnywhere MFT zero-day Attacks

Description

Fortra has released a detailed timeline of events following the exploitation of CVE-2023-0669, a zero-day flaw in the GoAnywhere MFT solution that led to data theft from over 130 companies by the Clop ransomware gang. The flaw was first identified by Fortra on January 30th, 2023, after suspicious activity was detected in certain GoAnywhere MFTaaS instances. The investigation revealed that the vulnerability had been leveraged between January 18th and January 30th, allowing the threat actor to create user accounts and download files from customer environments. The attacker also installed additional tools, including Netcat and Errors.jsp, in some environments. Fortra issued a security update on February 7th, and the Clop ransomware gang announced their successful data theft on February 10th.

Infected Technology

Fortra Products

Source

https://www.bleepingcomputer.com/news/security/fortra-shares-findings-on-goanywhere-mft-zero-day-attacks/

Recommendation

Customers affected by the GoAnywhere MFT attacks should rotate their Master Encryption Key, reset all credentials, review audit logs and delete suspicious accounts, and revoke credentials of users of other systems in the environment that may have been exposed to prevent subsequent breaches.

CVE ID

CVE-2023-0669


call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us