Cyber Security Weekly Recap (16-22.Jan)


A new backdoor that borrows features from the CIA’s Hive malware has been found in the wild.

A new backdoor that borrows features from Hive, the multi-platform malware suite developed by the United States Central Intelligence Agency (CIA), has been deployed by unidentified threat actors. The source code for the suite was published by WikiLeaks in November 2017.

A technical write-up by Qihoo 360’s Netlab team says this is the first time a variant of the CIA Hive attack kit has been caught in the wild.

The threat has been codenamed “xdr33” after the common name (CN=xdr33) of the certificate embedded in its bot-side component.

xdr33 is believed to spread by exploiting an as-yet-unidentified N-day vulnerability in F5 appliances, and it talks to its command-and-control (C2) server over SSL.

According to the company, the backdoor’s purpose is to collect sensitive information and to serve as a foothold for further intrusions. It extends Hive rather than merely copying it, adding new C2 commands and features.

Critical Flaws Found in Routers Manufactured by Netcomm and TP-Link

New research reveals security flaws in routers manufactured by Netcomm and TP-Link, some of which could be exploited by an attacker to achieve remote code execution.

The Netcomm vulnerabilities, CVE-2022-4873 (a stack-based buffer overflow) and CVE-2022-4874 (an authentication bypass), affect the NF20MESH, NF20 and NL1902 router models running firmware older than R6B035.

An advisory from the CERT Coordination Center (CERT/CC) states that, chained together, the two vulnerabilities allow a remote attacker to gain unauthorized access to an affected device and then use that foothold to reach other networks or tamper with data passing out of the internal network.

In a separate but related development, CERT/CC detailed two unpatched security vulnerabilities in the TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 routers that could lead to information disclosure and remote code execution.

The flaws are tracked as CVE-2022-4498, a buffer overflow in the routers’ httpd service, and CVE-2022-4499, a timing side channel in httpd’s credential comparison. Together they could let a malicious actor recover sensitive data such as login credentials or execute arbitrary code on the device.

Chinese Hackers Used a Recently Discovered Flaw in Fortinet as a Zero-Day Exploit to Drop Malware

A recently patched vulnerability in Fortinet FortiOS SSL-VPN was exploited as a zero-day in attacks against a European government organization and a managed service provider (MSP) based in Africa. The activity is suspected to originate from China.

Evidence collected by Mandiant, now part of Google, indicates the exploit was in use as early as October 2022, nearly two months before fixes were made available.

The attackers deployed a sophisticated backdoor known as BOLDMOVE, which has a Linux variant tailored specifically to run on Fortinet’s FortiGate firewalls.

Researchers tie the intrusion to exploitation of CVE-2022-42475, a heap-based buffer overflow in FortiOS SSL-VPN that allows unauthenticated remote code execution via specially crafted requests.

BOLDMOVE is a backdoor Trojan that performs a system survey and receives commands from a command-and-control (C2) server; those commands let the attackers carry out file operations, spawn a remote shell and relay traffic through the infected host.

A new vulnerability in Microsoft Azure called EmojiDeploy allowing Remote Code Execution has been discovered.

A critical remote code execution (RCE) vulnerability affecting several Microsoft Azure services has been disclosed. A malicious actor could use it to take complete control of a targeted application.

According to the disclosure, the vulnerability stems from cross-site request forgery (CSRF) in Kudu, the source control management (SCM) service that underpins deployments across Azure App Service.

By exploiting it, an attacker can upload a malicious ZIP file that is deployed as the victim’s Azure application, so a forged request from the victim’s browser is enough to plant attacker-controlled code.

According to Ermetic, the Israeli cloud infrastructure security company that named the flaw EmojiDeploy, the vulnerability could further enable theft of sensitive data and lateral movement to other Azure services.

Following responsible disclosure on October 26, 2022, Microsoft fixed the issue on December 6, 2022 and awarded the researchers a $30,000 bug bounty.
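The page says only that EmojiDeploy was a CSRF against Kudu’s ZIP-deploy path, so the root cause is not reproduced here. The following is an added example, not code from Kudu, Microsoft or the researchers: it shows the generic defence for a state-changing deploy endpoint (exact Origin/Referer match plus an anti-CSRF token) beside a loose substring check of the kind that commonly lets CSRF through. The hostnames and the `accept_zip_deploy` gate are constructed for the example and make no claim about how Kudu validated requests.

```python
"""Origin validation for a state-changing deploy endpoint.

Added example, not code from Kudu, Microsoft or the EmojiDeploy researchers.
Hostnames are constructed; the loose check is a common anti-pattern, not a
statement of Kudu's actual root cause.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical trusted origin for the deploy UI allowed to call this endpoint.
ALLOWED_ORIGIN = "https://victim-app.scm.example.net"


def loose_origin_ok(origin: Optional[str]) -> bool:
    """Weak pattern: trust any Origin that merely contains the expected
    hostname. The attacker controls the whole header value, so a host such as
    victim-app.scm.example.net.attacker.example passes this check."""
    return bool(origin) and ".scm.example.net" in origin


def _origin_tuple(url: str) -> Optional[Tuple[str, Optional[str], Optional[int]]]:
    """(scheme, hostname, port) of a URL, or None if it does not parse."""
    try:
        parts = urlsplit(url)
        return (parts.scheme.lower(), parts.hostname, parts.port)
    except ValueError:  # e.g. port out of range
        return None


def strict_origin_ok(origin: Optional[str], referer: Optional[str] = None) -> bool:
    """Accept only when Origin (or, if absent, Referer) parses to exactly the
    allowed scheme, host and port. Path and query are ignored so a Referer
    works too. A request carrying neither header is rejected: browsers attach
    at least one of them to a cross-site POST, so "no header" is not a pass."""
    header = origin or referer
    if not header:
        return False
    got = _origin_tuple(header)
    if got is None or got[1] is None:   # "null", garbage, or unparsable
        return False
    return got == _origin_tuple(ALLOWED_ORIGIN)


def accept_zip_deploy(method: str, headers: dict, csrf_token_valid: bool) -> bool:
    """Gate for a hypothetical ZIP-deploy handler: POST only, exact origin,
    and a per-session anti-CSRF token the caller has already verified.
    Cookies alone (sent automatically by the browser) are never sufficient."""
    if method.upper() != "POST":
        return False
    if not strict_origin_ok(headers.get("Origin"), headers.get("Referer")):
        return False
    return csrf_token_valid


if __name__ == "__main__":
    # Constructed attacker origins that a substring check would wave through.
    for o in ["https://victim-app.scm.example.net",
              "https://victim-app.scm.example.net.attacker.example",
              "https://attacker.example/?u=victim-app.scm.example.net"]:
        print(f"{o:60} loose={loose_origin_ok(o)} strict={strict_origin_ok(o)}")
```

The origin check and the token are deliberately both required: the token defeats a forged request from any origin, and the exact origin match catches token leakage through a misconfigured CORS policy; setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer.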

Users of Git are being urged to update their software in order to prevent attacks that include remote code execution.

The maintainers of the Git source code version control system have issued updates for two significant vulnerabilities, CVE-2022-23521 and CVE-2022-41903, that could be exploited to achieve remote code execution.

The affected releases are v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2 and v2.39.0, together with everything older than them; the fixes ship as the next point release on each maintenance track (v2.30.7 through v2.39.1).

CVE-2022-23521 is a critical vulnerability in the parsing of .gitattributes files: integer overflows when a file contains a very large number of patterns, attributes or attribute names lead to heap-based memory corruption during clone or pull operations, which could result in code execution.

CVE-2022-41903 is an integer overflow in the code that formats commit logs (the padding operators of `git log --format`). Because `git archive` expands the same placeholders for files marked with the export-subst attribute, an archive operation on a malicious repository can trigger it as well, again potentially leading to code execution.

X41 D-Sec, which carried out the audit that surfaced the two bugs, also reported a substantial number of integer-related flaws that could lead to denial-of-service conditions and out-of-bounds reads.

Where upgrading is not immediately possible, Git recommends disabling `git archive` for untrusted repositories as a mitigation for CVE-2022-41903. There is no workaround for CVE-2022-23521: upgrading to a fixed release is the only remedy.

GitLab said in an advisory that it has published versions 15.7.5, 15.6.6 and 15.5.9 of GitLab Community Edition (CE) and Enterprise Edition (EE) to address the vulnerabilities, and urges users to install the updates as soon as possible.
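A quick way to triage a fleet is to compare each host’s `git --version` against the first fixed release on its maintenance track. The script below is an added example, not code from the Git project, GitLab or this page; it encodes the point releases Git shipped alongside v2.39.1 (one per track from 2.30 to 2.39), treats anything older than 2.30 as unfixed because those tracks received no backport, and prints the fallback mitigations for an unpatched host. The version strings in the self-test are constructed.

```python
"""Triage an installed Git against CVE-2022-23521 and CVE-2022-41903.

Added example; not code from the Git project, GitLab or the page. The
FIXED_PATCH table lists the first release carrying the fix on each
maintained 2.x track. Sample `git --version` strings are constructed.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# First release carrying the January 2023 fixes on each track: minor -> patch.
FIXED_PATCH = {30: 7, 31: 6, 32: 5, 33: 6, 34: 6, 35: 6, 36: 4, 37: 5, 38: 3, 39: 1}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_git_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `git --version` output, tolerating
    vendor suffixes such as 'git version 2.37.1 (Apple Git-137.1)' or
    'git version 2.39.1.windows.1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised git version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: Tuple[int, int, int]) -> bool:
    """True if this release contains the fixes for both CVEs."""
    major, minor, patch = version
    if major != 2:
        return major > 2
    if minor > 39:
        return True          # 2.40 and later were cut after the fix landed
    if minor < 30:
        return False         # tracks older than 2.30 received no backport
    return patch >= FIXED_PATCH[minor]


def mitigations(version: Tuple[int, int, int]) -> List[str]:
    """Actions for an unpatched host, in order of preference. Only upgrading
    closes CVE-2022-23521; the remaining steps narrow CVE-2022-41903."""
    if is_patched(version):
        return []
    return [
        "Upgrade to the first fixed release on this track (e.g. v2.39.1).",
        "Until then, do not run `git archive` against untrusted repositories; "
        "`git log --format` reaches the same formatting code, so treat it the "
        "same way (CVE-2022-41903).",
        "If git daemon serves untrusted repositories, disable archive uploads: "
        "`git config --global daemon.uploadArch false` (CVE-2022-41903).",
        "There is no workaround for CVE-2022-23521 other than upgrading.",
    ]


def local_git_version() -> Optional[Tuple[int, int, int]]:
    """Version of the git binary on PATH, or None if it cannot be run."""
    try:
        out = subprocess.run(["git", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_git_version(out)


if __name__ == "__main__":
    v = local_git_version()
    if v is None:
        print("git not found on PATH")
    else:
        state = "patched" if is_patched(v) else "VULNERABLE"
        print(f"git {v[0]}.{v[1]}.{v[2]}: {state}")
        for step in mitigations(v):
            print(" -", step)
```

Run it on each host (or feed `parse_git_version` the output collected by your inventory tooling); a result of VULNERABLE on a server that exposes `git archive` over `git daemon` is the case to prioritise, since that is the remotely reachable path for CVE-2022-41903.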


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information gives users easy-to-follow IT-related tips and step-by-step tutorials.
