June 26, 2023

New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks

Description

A new malware called Condi is targeting TP-Link Archer AX21 Wi-Fi routers to create a DDoS botnet. The campaign has been active since May 2023 and is run by an individual known as zxcr9999 on Telegram. Condi is advertised on the Telegram channel “Condi Network” and offers DDoS-as-a-service and sells the malware source code. The malware terminates competing botnets on the same host but lacks persistence after a system reboot. It exploits a vulnerability (CVE-2023-1389) in the router, which was previously used by the Mirai botnet. Condi aims to expand by exploiting other known security flaws. In a separate incident, poorly managed Linux servers are being breached to deliver DDoS bots like ShellBot and Tsunami for cryptocurrency mining. The Tsunami botnet variant called Ziggy is used, employing IRC for command-and-control. Administrators are advised to use strong passwords, change them periodically, and keep their servers updated to prevent such attacks.

Infected Technology

TP-Link Archer AX21 (AX1800) Wi-Fi routers

Source

https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html

Recommendation

• Update firmware and apply patches promptly. • Secure router configuration and change default credentials. • Implement network segmentation for IoT devices. • Activate firewalls and monitor network traffic. • Regularly update passwords and use multi-factor authentication.

CVE ID

CVE-2023-1389

Potential for Remote Code Execution Identified in VMware Aria Operations for Networks Vulnerability

Description

A vulnerability has been discovered in the VMware Aria Operations for networks, a network monitoring tool that gathers and analyzes metrics, APIs, configurations, metadata, integrations, telemetry netflow, sFlow, and IPFIX flow traffic across the infrastructure. This security flaw, identified as CVE-2023-20887, has the potential to enable a malicious individual with network access to execute a command injection attack, resulting in the execution of remote code. If successfully exploited, this vulnerability can lead to remote code execution within the administrator account’s context. Consequently, an attacker would be able to install software, access, modify, or delete data, as well as create new accounts with complete user privileges.

Infected Technology

• VMware Aria Operations for Networks

Source

https://www.cisecurity.org/advisory/a-vulnerability-in-vmware-aria-operations-for-networks-could-allow-for-remote-code-execution_2023-067

Recommendation

• Conduct regular security assessments. Deploy multi-layered defense measures. Update VMware Aria Operations for Networks to the latest patched version

CVE ID

CVE-2023-29336

Millions of Repositories Likely Vulnerable to RepoJacking Attack

Description

The supply chain vulnerability, also known as dependency repository hijacking, is a class of attacks that makes it possible to take over retired organization or user names and publish trojanized versions of repositories to run malicious code. “When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository,” researchers Ilay Goldman and Yakir Kadkoda said. “However, it is possible for anyone to create the old username and break this link. “Alternatively, a similar scenario could arise when a repository ownership is transferred to another user and the original account is deleted, thus allowing a bad actor to create an account with the old username. An analysis of a subset of 1.25 million repositories for the month of June 2019 revealed that as many as 36,983 repositories were vulnerable to RepoJacking, denoting a 2.95% success rate. With GitHub containing more than 330 million repositories, the findings suggest that millions of repositories could be vulnerable to a similar attack.

Infected Technology

• Github Repositories

Source

https://thehackernews.com/2023/06/alert-million-of-github-repositories.html

Recommendation

• Make sure that every link that server using to fetch the resources from github repository are not broken.

Asus’s new patch fixes over 9 CVEs across 19 routers

Description

A new firmware security update for ASUS routers of various models has been released as of 19th June, 2023. Security flaws effecting over 19 router models through 9 vulnerabilities ranging from remote code execution, arbitrary code execution, authentication bypass, memory corruption, DOS, MITM, command injection and more were found to have existed in the previous patches of the ASUS firmware. The first of the mentioned vulnerabilities (CVE-2018-1160) has been existing in the ASUS devices for the past five years while the latest vulnerability (CVE-2023-28702) was found recently. The company has assured that the new firmware update fixes all the 9 vulnerabilities among which some vulnerabilities were listed as high and critical. ASUS has informed their customers to update to the latest firmware as soon as possible, however if updating is not an option ASUS has recommended to limit the devices from WAN access until the devices are secured.

Infected Technology

• GT6, GT-AXE16000, GT-AXE11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, ZenWiFi XT9, ZenWiFi XT8, ZenWiFi XT8_V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, TUF-AX5400

Source

https://www.asus.com/content/asus-product-security-advisory/

Recommendation

• Keep device firmware up to date to maintain device security. • If updating the firmware is not an option due to device configurations (which may be wiped or lost upon updating), turn off the vulnerable services available from WAN side (such as port forwarding, VPN server, remote access from WAN etc.) which are not in use • Frequently audit security procedures and physical devices

Cybercrime Group “Muddled Libra” Targets Financial Institutions: A Critical Security Threat

Description

The cybersecurity landscape is under siege once again as a notorious cybercrime group, known as “Muddled Libra,” has emerged with a renewed focus on infiltrating financial institutions. Their latest campaign has alarmed experts due to its sophisticated techniques and potential to cause significant damage. Muddled Libra’s primary objective is to compromise the security of banks, cryptocurrency exchanges, and other financial entities, posing a severe threat to the integrity of the global financial system.

Infected Technology

• Platforms facilitating the buying, selling, and trading of digital currencies, including Bitcoin, Ethereum, and other cryptocurrencies.

Source

https://thehackernews.com/2023/06/cybercrime-group-muddled-libra-targets.html?m=1

Recommendation

• Deploying advanced endpoint security solutions, such as next-generation antivirus software and endpoint detection and response (EDR) systems can help detect and mitigate Muddled Libra’s attempts to gain unauthorized access to critical systems.