InfoSec Weekly

May 22, 2023

Table Of Contents

Cisco warns of critical switch bugs with public exploit code

Description

It appears that Cisco has recently issued a warning to its customers regarding four critical remote code execution vulnerabilities affecting multiple Small Business Series Switches. These vulnerabilities have received high severity ratings, and successful exploitation could allow attackers to execute arbitrary code with root privileges on the compromised devices. The vulnerabilities, tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189, are caused by improper validation of requests sent to the affected switches’ web interfaces. Attackers can exploit these vulnerabilities by sending maliciously crafted requests through the web-based user interfaces of targeted devices, and these attacks do not require user interaction. It’s important to note that the vulnerabilities are independent of each other, meaning that exploiting one vulnerability is not necessary to exploit another. Additionally, a software release affected by one vulnerability may not be affected by the others. Cisco has provided firmware updates to address the vulnerabilities in certain switch models. For the 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches, the issue is fixed in firmware version 2.5.9.16. For the Business 250 Series Smart Switches and Business 350 Series Managed Switches, the fix is available in firmware version 3.3.0.16. Unfortunately, the Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches are not receiving patches because they have already entered the end-of-life process. These devices will not receive further firmware updates. Cisco’s Product Security Incident Response Team (PSIRT) has noted the availability of proof-of-concept exploit code for these vulnerabilities, which raises concerns about potential active exploitation by threat actors. However, as of now, there is no evidence to suggest that the vulnerabilities have been exploited. In addition to these switch vulnerabilities, Cisco is also working on patching a cross-site scripting (XSS) vulnerability in its Prime Collaboration Deployment (PCD) server management tool, which was reported by Pierre Vivegnis of NATO’s Cyber Security Centre (NCSC).Furthermore, a joint advisory from the US, UK, and Cisco has warned about APT28 Russian military hackers deploying custom ‘Jaguar Tooth’ malware on Cisco IOS routers to gain unauthenticated access to compromised devices.

Infected Technology

IOS, iPadOS, macOS, and Safari web browser

Source

https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-switch-bugs-with-public-exploit-code/

Recommendation

• Apply firmware updates, implement network segmentation, disable unnecessary devices.

CVE ID

CVE-2023-20159 CVE-2023-20160 CVE-2023-20161 CVE-2023-20189


Cloned CapCut websites push information stealing malware

Description

Cybercriminals have launched a malware distribution campaign by impersonating the popular CapCut video editing tool. By creating malicious websites that mimic CapCut download sources, they target unsuspecting users seeking alternative ways to obtain the application. These websites distribute various malware strains, and two separate campaigns have been identified. In one campaign, fake CapCut sites deliver the Offx Stealer, a malware that operates silently in the background on Windows systems, extracting sensitive information such as passwords, cookies, and specific filetypes. The stolen data is sent to the attackers via a private Telegram channel or a file hosting service. The second campaign drops a file named ‘CapCut_Pro_Edit_Video.rar’ containing a stealthy loader that triggers a PowerShell script, ultimately loading Redline Stealer and a .NET executable. Redline Stealer can grab valuable data stored in web browsers and applications. To stay protected, users are advised to download software directly from official sources and avoid unofficial sites shared on forums or social media.

Infected Technology

Windows, smartphones, servers, IoT devices, network infrastructure

Source

https://blog.cyble.com/2023/05/19/capcut-users-under-fire/

Recommendation

• Keep software updated regularly. • Use strong, unique passwords.


Apple Patches 3 Exploited WebKit Zero-Day Vulnerabilities

Description

Apple has recently issued security updates for its operating systems to address numerous vulnerabilities that could potentially expose iPhones and Macs to cyberattacks. Among these vulnerabilities are three zero-days that affect the WebKit browser engine and have been actively exploited. Two of the zero-days, identified as CVE-2023-28204 and CVE-2023-32373, were reported by an anonymous researcher and can result in the disclosure of sensitive information and execution of arbitrary code if a user is deceived into interacting with malicious web content. Apple’s latest updates, including iOS 16.5 and iPadOS 16.5, address these zero-days, along with another zero-day (CVE-2023-32409) that enables the bypassing of the Web Content sandbox. The exploited vulnerabilities in WebKit have also been resolved in Apple TV, Apple Watch, and Safari. Additionally, macOS Ventura has been updated to address the zero-days and approximately 50 other vulnerabilities that could lead to information disclosure, code execution, denial-of-service attacks, security bypass, and privilege escalation. Apple has also released updates for macOS Monterey and Big Sur to address numerous vulnerabilities, although none of the zero-days were present in those updates.

Infected Technology

HP Printer

Source

https://support.apple.com/en-us/HT213758

Recommendation

• Update to the latest version

CVE ID

CVE-2023-28204 CVE-2023-32373 CVE-2023-32409


npm packages hide TurkoRAT malware in what looks like a NodeJS EXE

Description

Security researchers have identified several npm packages on the npmjs.com registry that contained a malicious trojan disguised as NodeJS libraries. These packages, which had low detection rates and remained undetected for over two months, were analyzed by researchers from ReversingLabs. One of the packages, named nodejs-encrypt-agent, initially appeared legitimate but contained a malicious portable executable (PE) file called ’lib.exe.’ The file closely resembled the genuine NodeJS application, making it harder to detect. Another package, nodejs-cookie-proxy-agent, included axios-proxy as a dependency, which in turn contained the malicious executable. The trojan discovered, called TurkoRAT, is an infostealer designed to steal sensitive information and evade analysis. Although these malicious packages were subsequently removed from the npm registry, the incident highlights the ongoing security risks associated with unvetted open-source packages in the software supply chain.

Infected Technology

nodejs-encrypt-agent, nodejs-cookie-proxy-agent, axios-proxy

Source

https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic

Recommendation

• Strengthen Supply Chain Security • Educate Developers


KeePass Flaw Exposes Master Passwords

Description

A security researcher named Dominik Reichl has discovered a vulnerability (CVE-2023-32784) in the KeePass password management software (v2.X) that allows an attacker to extract the master password from the program’s memory. Reichl clarified that this vulnerability can only be exploited if the master password is typed on a keyboard, not if it is copied from the clipboard. The flaw involves a text box used for password entry, which creates residual strings in memory that are difficult to remove. The attacker can scan the memory dump to guess likely password characters. The vulnerability does not require code execution on the target system, only a memory dump. To mitigate the risk, users are advised to update to KeePass 2.54 or a higher version when it becomes available. Reichl also recommends changing the master password, restarting the computer, deleting certain files, and overwriting deleted data on the hard disk drive. Fresh installation of the operating system is also advised for maximum security. It is important to note that some KeePass-based products are not affected by this vulnerability.

Infected Technology

KeePass Password Safe

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-32784

Recommendation

• Update to the latest version

CVE ID

CVE-2023-32784


call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us