InfoSec Weekly
May 8, 2023
Table Of Contents
N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks
Description
The North Korean state-sponsored hacking group Kimsuky, also known as APT43, has been using a new reconnaissance tool called ReconShark in spear-phishing attacks to target individuals in NGOs, think tanks, diplomatic agencies, and other organizations across North America, Asia, and Europe. The malware exfiltrates system information and can deploy additional payloads from a server based on what detection mechanism processes run on infected machines. ReconShark does not save the harvested information on the file system, but instead stores the data in string variables and uploads it to the C2 server by issuing HTTP POST requests. This indicates that the threat actor is evolving its tactics to gather intelligence for extended periods of time and carry out “precision attacks” tailored to targeted environments.
Infected Technology
Microsoft Word documents hosted on OneDrive
Source
https://thehackernews.com/2023/05/n-korean-kimsuky-hackers-using-new.html
Recommendation
• Train employees to recognize and report suspicious emails. • Use endpoint protection software. • Keep software and systems up to date. • Implement multi-factor authentication. • Regularly backup important data. • Monitor network traffic and logs. • Consider using a managed security service provider.
Cisco Warns of Vulnerability in Popular Phone Adapter, Urges Migration to Newer Model
Description
Cisco has issued a warning about a critical security flaw (CVE-2023-20126) in the SPA112 2-Port Phone Adapter that could allow remote attackers to execute arbitrary code on affected devices. The vulnerability is caused by a missing authentication process in the firmware upgrade function, which an attacker could exploit by upgrading an affected device to a crafted version of firmware. Despite the severity of the flaw, Cisco will not release any fixes as the devices have reached their end-of-life stage. Instead, Cisco recommends users to switch to the Cisco ATA 190 Series Analog Telephone Adapter, which will receive its last update on March 31, 2024. There have been no known instances of the flaw being exploited maliciously.
Infected Technology
SPA112 2-Port Phone Adapter
Source
https://thehackernews.com/2023/05/cisco-warns-of-vulnerability-in-popular.html
Recommendation
• Update software and hardware. • Use strong passwords and change default credentials. • Use network segmentation.
CVE ID
CVE-2023-20126
TBK DVR Devices Vulnerable to Hackers Exploiting 5-Year-Old Unfixed Flaw
Description
Threat actors are currently taking advantage of a security flaw in TBK digital video recording (DVR) devices that has remained unpatched for five years. This vulnerability, known as CVE-2018-9995, involves a critical authentication bypass issue that can be leveraged by remote actors to gain elevated permissions. According to Fortinet, the vulnerability arises from an error in how malicious HTTP cookies are handled. Exploiting this flaw enables attackers to bypass authentication, obtain administrative privileges, and gain access to camera video feeds. In April 2023, over 50,000 attempts to exploit TBK DVR devices were observed by Fortinet, even though there are no known fixes that address the vulnerability. The flaw affects TBK DVR4104 and DVR4216 product lines, as well as other rebranded products sold under different names, and could allow a remote attacker to execute arbitrary operating system commands as root.
Infected Technology
DVR4104 and DVR4216 product
Source
https://thehackernews.com/2023/05/hackers-exploiting-5-year-old-unpatched.html?m=1
Recommendation
• Conduct a security audit • Encourage customers to apply the patch • Disable remote access until the patch is available • Educate customers on securing their devices • Monitor network traffic for exploitation attempts • Release a patch
CVE ID
CVE-2018-9995
WordPress Advanced Custom Fields plugin XSS exposes +2M sites to attacks
Description
On January 23, 2023, Assetnote researchers discovered a reflected cross-site scripting (XSS) vulnerability in the Advanced Custom Fields (ACF) plugin for WordPress. The vulnerability, tracked as CVE-2023-29489, has a CVSS score of 6.1 and could be exploited by an authenticated attacker to achieve command execution if targeting a logged-in cPanel user. The ACF plugin is a popular WordPress plugin that allows users to quickly and easily add fields to WP edit screens with only the click of a few buttons. As of March 1, 2023, the plugin had over 2 million active installations. The vulnerability exists in the ACF field builder’s “ajax_load_more_fields” function. The function is responsible for loading additional fields from the ACF database when a user clicks the “Load more fields” button. The vulnerability is triggered when an attacker can inject malicious JavaScript code into the URL of an ACF field edit screen. When the user clicks the “Load more fields” button, the malicious JavaScript code will be executed in the context of the logged-in user. The attacker can then use the malicious JavaScript code to hijack the user’s cPanel session and carry out malicious activities, such as uploading a web shell and gaining command execution.
Infected Technology
versions of ACF prior to 5.11.1.
Source
https://securityaffairs.com/145847/hacking/wordpress-advanced-custom-fields-xss.html
Recommendation
• Update the plugin.
Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry
Description
The advanced persistent threat (APT) group known as Dragon Breath has been employing a new DLL side-loading technique to enhance their attacks. The technique involves a multi-stage process where a first-stage clean application loads a second clean application, which then loads a malicious loader DLL, and finally executes the payload. Dragon Breath, also known as APT-Q-27 or Golden Eye, has previously used Telegram installers to distribute trojanized Windows installers, and their latest campaigns have expanded to include tampered installers for apps like LetsVPN and WhatsApp. The attacks, observed in countries like the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China, aim to target the online gaming and gambling industries. The payload serves as a backdoor, enabling various malicious activities such as file downloads, command execution, event log clearing, clipboard manipulation, and cryptocurrency theft. The use of DLL side-loading demonstrates the continued effectiveness and appeal of this tactic for threat actors, especially when targeting sectors that receive less security scrutiny.
Infected Technology
DLL side-loading
Source
https://thehackernews.com/2023/05/dragon-breath-apt-group-using-double.html
Recommendation
• Ensure that all software is up to date with the latest patches and updates. • Be cautious when downloading software or files from unfamiliar sources.
Ready to get started?
Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.
Contact Us