Cyber Security Weekly Recap (3-9 Oct.)

Security 1024x790
Cyber Security Weekly Recap (3-9 Oct.)

A Dell driver flaw has been exploited by hackers to install a rootkit on targeted computers.

The Lazarus Group, an organization allegedly funded by North Korea, has been caught distributing a Windows rootkit by exploiting a vulnerability in a Dell firmware driver.

ESET researcher Peter Kálnai said that the attack began with “spear-phishing emails” carrying malicious Amazon-themed files and that the recipients included an aerospace industry employee in the Netherlands and a political journalist in Belgium.

Launching the lure documents triggered attack chains that ultimately resulted in the release of malicious droppers that were trojan versions of open-source projects. According to ESET’s findings, Lazarus was seen distributing HTTPS downloaders and uploaders, as well as compromised versions of FingerText and sslSniffer, a component of the wolfSSL library.

This indicates a shift in strategy on the part of the state-sponsored hackers who have been persisting for a long time under intensive scrutiny from law enforcement and the research community, adapting and developing new tactics on the go.

Presenting: ProxyNotShell

A newly discovered exploit, named ProxyNotShell, targets the previously disclosed Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and another the Remote Code Execution (RCE) vulnerability tracked as CVE-2022-41082.

This new zero-day is built on ProxyShell and uses a chained attack similar to the one used in the 2021 ProxyShell attack, which took advantage of the combination of three vulnerabilities (CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207) to allow a remote actor to execute arbitrary code.

CVE-2022-41082 was logged on September 19, 2022, and it is a vulnerability that allows for low-complexity, low-privilege attacks against Microsoft Exchange Servers. In the event that the vulnerable services are abused, an authorized attacker may compromise the underlying exchange server by using the already-existing exchange PowerShell.

An attacker may remotely trigger CVE-2022-41082 by using another Microsoft vulnerability, CVE-2022-41040, which was also documented on September 19, 2022. Since Microsoft has not yet released a fix, users are encouraged to take preventative measures by setting up a blocking rule.

Microsoft released a new set of temporary fixes to patch Exchange zero-days.

Microsoft has revised its mitigating measures for the aggressively exploited zero-day flaws in Exchange Server after researchers found how easily they could be bypassed.

The two vulnerabilities, listed as CVE-2022-41040 and CVE-2022-41082, have been nicknamed ProxyNotShell. They have similarities with another pair of vulnerabilities termed ProxyShell, which the tech giant fixed last year.

The exploitation of the two flaws has been seen in the wild, with the attackers chaining them together to achieve remote code execution on compromised servers with administrative rights, ultimately leading to the insertion of web shells.

Windows has admitted that since August 2022, a single state-sponsored threat actor may have been weaponizing the flaws in limited targeted attacks, but the tech giant has not yet released a fix for them.

The company has published temporary fixes to limit exposure by blocking common attack vectors through a rule in the IIS Manager.

A new vulnerability in the macOS Archive Utility has been patched recently.

Researchers in the field of computer security have disclosed a vulnerability in Apple’s macOS operating system that has been patched but could have been used by hackers to install malware.

According to an analysis by Apple’s own device management partner Jamf, Apple’s built-in Archive Utility contains a flaw with the CVE identifier of CVE-2022-32910. As per what has been revealed, this flaw could allow hackers to execute an unsigned and unnotarized application without displaying security prompts to the user, by using an archive designed for that purpose.

Apple patched the vulnerability that had been responsibly disclosed on macOS Big Sur 11.68.2 and Monterey 12.5 in May and July this year. Moreover, as of October 4th, the tech giant updated the previously released advisory to include a section on the vulnerability.

According to Apple, the flaw is a logic error that might enable a specially crafted archive file to bypass the Gatekeeper security mechanism, which is meant to ensure that only trusted software is allowed to execute on the operating system.

LilithBot malware has been connected to the Eternity Group hackers.

Eternity Group, a malware-as-a-service (MaaS) threat actor, has been linked to a new threat dubbed LilithBot.

According to the information that is available, LilithBot has sophisticated capabilities and persistence mechanisms that allow it to be used as a miner, stealer, and clipper. Improvements like anti-debug and anti-VM checks are only two examples of how the threat actor has been consistently upgrading the malware.

Earlier this year, Eternity Group used a Telegram channel to announce its new releases and provide promotional material for its updated products. Ransomware, stealer, miner, USB worm, clippers, and DDoS bots are all part of the service menu. The inclusion of LilithBot in the list has been made recently. The versatile malware bot is similar to others in that it is offered to other hackers as a subscription service in exchange for crypto payment.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment