Cyber Security Weekly Recap (30 Jan.-05 Feb.)


Recent Ransomware Attacks on ESXi Servers Take Advantage of a VMware Flaw

A new wave of attacks is aimed at deploying ransomware on VMware ESXi hypervisors.

The French Computer Emergency Response Team (CERT-FR) issued an alert saying that the attacks appear to exploit a vulnerability tracked as CVE-2021-21974, for which a patch has been available since February 23, 2021.

In its own advisory, VMware called the vulnerability an OpenSLP heap overflow that might allow for the execution of arbitrary code.

The virtualization services provider warned that a malicious actor sitting inside the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP and use it to execute remote code.

OVHcloud, a French cloud services company, said that attacks have been detected all around the world, particularly in Europe.

Over the weekend, OVHcloud acknowledged that a vulnerability in OpenSLP was used as the initial attack vector in the ransomware attacks. However, the company said that it is unable to clarify at this time whether or not the exploit involved CVE-2021-21974.

The recent breaches are suspected to be linked to Nevada, a new strain of Rust-based ransomware that appeared in December 2022, although there is still no evidence of that.

Those who are running an older version of ESXi should update, and restrict the OpenSLP service so that only authorized IP addresses can connect to it.

Jira, Atlassian’s Service Management Platform, Has a Critical Security Flaw

Atlassian has published patches to address a critical vulnerability in order to prevent an attacker from impersonating a legitimate user and accessing vulnerable installations of Jira Service Management Server and Data Center.

This issue, identified as CVE-2023-22501 (CVSS score: 9.4), is an example of broken authentication with low attack complexity.

According to the advisory, an attacker with access to a Jira Service Management instance that has outgoing email enabled, and with write access to a User Directory, can send a registration token to a user who has never signed into their account in order to take over that user’s credentials.

The Cisco IOx and F5 BIG-IP products have been found to have new critical vulnerabilities.

F5 has issued a critical security advisory on a vulnerability in BIG-IP equipment that might allow for denial-of-service (DoS) attacks or even remote code execution.

Here are the BIG-IP releases that are impacted by this issue: 13.1.5, 14.1.4.6, 15.1.5.1, 15.1.8, 16.1.2.2, 16.1.3, and 17.0.0.

As per the details that have been revealed, the problem originates in the iControl Simple Object Access Protocol (SOAP) interface.

In its advisory, the company explained that an authenticated attacker may crash the iControl SOAP CGI process or, possibly, execute arbitrary code due to a format string vulnerability.

The vulnerability, identified on December 6, 2022, and assigned the tracking number CVE-2023-22374 (CVSS score: 7.5/8.5), was discovered and reported by security researcher Ron Bowes of Rapid7.

F5 said it has fixed the issue via an engineering patch that is downloadable for all BIG-IP versions that are currently being maintained. As a workaround, the company suggests restricting which users may access the iControl SOAP API.

New Android Banking Trojan called PixPirate is Attacking Brazilian Banks

A new Android banking trojan is targeting financial institutions in Brazil by exploiting the PIX payments platform.

The malware, dubbed PixPirate by the Italian cybersecurity firm Cleafy, was first detected between December 2022 and January 2023.

Researchers Francesco Iubatti and Alessandro Strino say that PixPirate is part of a new generation of Android banking trojans because it supports ATS (Automatic Transfer System), which allows attackers to automatically insert a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks.

Typical of this newest generation of Android banking malware, PixPirate can disable Google Play Protect, intercept SMS communications, prevent its own uninstallation, and serve rogue adverts through push notifications, all by abusing the operating system’s accessibility services API.

The threat actors behind the operation have used code obfuscation and encryption with the help of a framework called Auto.js to thwart reverse engineering attempts and obtain users’ credentials for banking applications.

A security flaw in Microsoft’s “Verified Publisher” OAuth apps was abused by hackers to get into company email accounts.

On Tuesday, Microsoft said that it has disabled false Microsoft Partner Network (MPN) accounts used in a phishing attempt to access businesses’ cloud infrastructures and steal email via the use of rogue OAuth apps.

The tech giant explained that the applications created by the attackers were deployed thanks to a “consent” phishing campaign in which users were lured into giving rights to the fraudulent apps. As per the details that have been revealed, most of the victims of this phishing attack were located in the United Kingdom and Ireland.

Consent phishing is a form of attack that uses social engineering to deceive people into giving permissions to malicious cloud apps which can then be exploited to access legitimate cloud services and sensitive user data.

The Windows maker claimed that it learned of the attack on December 15, 2022. Since then, the company has sent email notices to the concerned users, explaining that the threat actors have misused their permission to access email boxes.

In order to reduce the likelihood of fraudulent activity in the future and enhance the verification process, Microsoft announced the implementation of new safety measures to the Microsoft Cloud Partner Program (previously MPN).

Fortra’s GoAnywhere MFT Has a Zero-Day Vulnerability That Is Currently Being Exploited by Hackers

A zero-day flaw in Fortra’s GoAnywhere MFT managed file transfer product is being actively exploited in the wild. Fortra has not yet issued a public warning regarding the issue.

As per the information that is available, the detected zero-day flaw is a kind of remote code injection that can only be exploited by gaining access to the application’s administrative console. It is therefore crucial that the console is not reachable from the internet.

However, security researcher Kevin Beaumont claims that there are over a thousand on-premise instances, the majority of which are in the United States, that are openly accessible over the internet.

The researcher also warns that compromised administrator access to the console might be obtained by exploiting previously used, weak, or default credentials.

The zero-day flaw currently has no patch, but Fortra has issued workarounds that include editing the web.xml file to delete the “License Response Servlet” setting.
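To check whether the workaround above has actually been applied, the following added example (not Fortra’s code) parses a Java web.xml deployment descriptor, reports every `<servlet>` and `<servlet-mapping>` entry for a given servlet name, and returns a copy with those entries removed. The sample descriptor, the servlet name “License Response Servlet”, the class names and the URL pattern are constructed for illustration; confirm the exact element names in the real file before editing it.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml; real descriptors use the same Java EE namespace.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>Admin Console</servlet-name>
    <servlet-class>example.AdminServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>example.LicenseResponseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Admin Console</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/license-response</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    """Strip a namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, local_name):
    """Text of the first child element called local_name, or None."""
    for child in elem:
        if _local(child.tag) == local_name:
            return (child.text or "").strip()
    return None

def _matches(elem, name):
    """True for a <servlet> or <servlet-mapping> that names `name`."""
    return (_local(elem.tag) in ("servlet", "servlet-mapping")
            and _child_text(elem, "servlet-name") == name)

def find_servlet_entries(xml_text, name):
    """List (element kind, url-pattern) pairs that reference the servlet."""
    root = ET.fromstring(xml_text)
    return [(_local(e.tag), _child_text(e, "url-pattern"))
            for e in root if _matches(e, name)]

def remove_servlet(xml_text, name):
    """Return the descriptor text with the servlet and its mappings removed."""
    ET.register_namespace("", "http://java.sun.com/xml/ns/javaee")
    root = ET.fromstring(xml_text)
    for e in [e for e in root if _matches(e, name)]:
        root.remove(e)
    return ET.tostring(root, encoding="unicode")
```

Run `find_servlet_entries` against the live file before and after the change: an empty result after editing (and a restart) is the confirmation that the servlet is no longer mapped.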

About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.