InfoSec Weekly
September 10, 2023
Table Of Contents
Cacti Network Monitoring Tool Exposes Critical Stored XSS Vulnerability
Description
A Stored Cross-Site Scripting (Stored XSS) vulnerability has been identified in Cacti,a web-based open-source network monitoring and management tool. This flaw allows authenticated users to inject malicious code into Cacti’s database, and administrative accounts can unwillingly execute this code when viewing the poisoned data. The vulnerability resides in the “report_admin.php” PHP file, which is accessible to administrative accounts with additional privileges. By supplying a malicious device name linked to a graph, users with specific permissions can trigger the stored XSS attack. Threat actors can exploit this vulnerability for activities such as Account Take Over (ATO), malicious actions on behalf of the victim user, redirection to malicious websites, and more.
Infected Technology
Cacti, a web-based network monitoring and management tool.
Source
https://cybersecuritynews.com/cacti-xss-vulnerability/
Recommendation
• Organizations using Cacti should ensure that data is treated as a text element in the rendered HTML to prevent the execution of malicious code in the final HTML output.
North Korean Hackers Exploit Zero-Day Vulnerability: Target Cybersecurity Community in Complex Attack
Description
North Korean threat actors are launching a sophisticated cyber-espionage campaign, targeting the cybersecurity community and utilizing a zero-day vulnerability in undisclosed software. Google’s Threat Analysis Group (TAG) has uncovered their tactics, which involve creating fake social media accounts on platforms like X (formerly Twitter) and Mastodon to build trust with potential targets. The attackers engaged in lengthy conversations, even collaborating with security researchers, before luring victims into encrypted messaging apps. This elaborate social engineering scheme ultimately delivered a malicious payload containing at least one zero-day exploit in a widely-used software package. The vulnerability is currently under repair, but the threat remains significant as the attackers continue to employ anti-virtual machine checks and exfiltrate data, including screenshots, to a server under their control.
Infected Technology
developer environment with a variety of platforms.
Source
https://thehackernews.com/2023/09/north-korean-hackers-exploit-zero-day.html
Recommendation
• Maintain up-to-date software and promptly install patches and updates to mitigate the risk of falling victim to zero-day vulnerabilities.
Multiple APT Hackers Exploiting Fortinet & ManageEngine Vulnerability
Description
Several nation-state actors are using security holes in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to obtain unauthorized access and establish persistence on compromised systems, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday. The business established that the user had been deactivated before the observed behavior, and it was determined that APT actors had stolen and utilized valid administrator account credentials from a previously engaged contractor.In addition to using legitimate credentials to jump from the firewall to a web server and deploy web shells for backdoor access, the attackers have been seen starting multiple Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses, indicating data transfer from the firewall device.
Infected Technology
Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus
Source
https://cybersecuritynews.com/apt-fortinet-manageengine-vulnerability/?amp
Recommendation
• Ensure that the settings and vulnerabilities are handled correctly. • Network segmentation is necessary. • Accounts, Permissions, and Workstations must be managed properly. • Always make sure to secure remote access software. • All the scheduled tasks must be audited. • All the findings must be validated. • Make sure to use the application allowlists. • All the security controls must be verified properly.
Millions Infected by Spyware Hidden in Fake Telegram Apps on Google Play
Description
There has been spyware discovered in the Google Play Store that poses as altered versions of Telegram and is intended to collect private data from infected Android devices.
Igor Golovin, a security researcher with Kaspersky, claims that the applications include malicious capabilities that allow them to collect and transmit names, user IDs, contacts, phone numbers, and chat messages to a server under the control of an attacker. The business said that these applications “at first glance appear to be complete Telegram clones with a localized interface.” “Everything appears to operate almost exactly like the genuine thing. There is a little distinction, however, that the Google Play censors missed: the infected versions contain an extra module.
The Russian cybersecurity organization has given the operation the codename “Evil Telegram.”
Infected Technology
telegram
Source
https://thehackernews.com/2023/09/millions-infected-by-spyware-hidden-in.html
Recommendation
• always use official store to download and install apps. • Before installing even the most official app from the most official store, look closely at its page and make sure that it’s real — pay attention not only to the name, but also the developer. Cybercriminals often try to fool users by making clones of apps with descriptions similar to the original.
Cybercriminals Weaponizing Legitimate Advanced Installer Tool in Crypto-Mining Attacks
Description
Threat actors have been using Advanced Installer, a legal Windows application for building software packages, since at least November 2021 to install cryptocurrency-mining malware on affected computers.Other trustworthy software installers, like those for Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, are bundled with malicious scripts by the attacker using Advanced Installer, and the malicious scripts are then made to run using the Custom Actions feature of Advanced Installer. The attacks culminate in the implementation of numerous cryptocurrency-mining malware families, including lolMiner and PhoenixMiner, as well as an M3_Mini_Rat, a PowerShell script that probably functions as a backdoor to download and execute further threats.
In terms of the first access vector, it’s possible that SEO poisoning tactics were used to get the rigged software installers onto the victims’ computers.
Infected Technology
span architecture, engineering, construction, manufacturing, and entertainment sectors.
Source
https://thehackernews.com/2023/09/cybercriminals-weaponizing-legitimate.html
Recommendation
• Establish definite guidelines for the usage of firm resources in crypto mining. Make sure staff members are aware of the effects of illegal mining. • Continuously monitor and assess the third-party software used in your organization for potential vulnerabilities and misuse.
Ready to get started?
Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.
Contact Us