Cyber Security Weekly Recap (01-07 May)

Cyber Security Weekly Recap, 01-07 May 2023

Microsoft Azure API Management Service Flaws Discovered

Researchers have recently disclosed three new security flaws in the Microsoft Azure API Management service, a platform that helps organizations publish, manage, and secure their APIs. These vulnerabilities could be exploited by malicious actors to access sensitive information or backend services, causing significant damage.

Israeli cloud security firm Ermetic reported two server-side request forgery (SSRF) flaws, CVE-2023-1373 and CVE-2023-1374, and one unrestricted file upload vulnerability, CVE-2023-1375, in the API Management developer portal. Exploitation of the SSRF flaws could lead to a loss of confidentiality and integrity, allowing threat actors to access internal Azure resources and execute unauthorized code. Following responsible disclosure, Microsoft has patched all three flaws and urged users to apply the necessary security updates.
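The risk described above, a server being induced to fetch internal resources on an attacker's behalf, is usually mitigated by validating every outbound URL before the request is made. The following is an added illustration of such a check; it is not code from Microsoft or Ermetic. The allow-listed hosts, the offline stand-in resolver and its answers are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts this service is allowed to fetch from (constructed for the example).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed stand-in for DNS so the example runs offline. A real service
# would call socket.getaddrinfo and must check *every* returned address,
# since an attacker-controlled name can mix public and private answers.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["104.18.0.1", "10.0.0.5"],        # one private answer
    "metadata.example.com": ["169.254.169.254"],           # link-local metadata endpoint
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_public_address(ip_text):
    """True only for routable public addresses: loopback, private, link-local
    (which covers cloud instance-metadata endpoints), multicast, reserved and
    unspecified addresses are all refused."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolve=fake_resolve):
    """Return (ok, reason). ok is True only if the URL uses http(s), carries no
    credentials, names an allow-listed host (never a literal IP), and every
    address that host resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                       # a hostname, as expected
    else:
        return False, "literal IP address not allowed"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    addrs = resolve(host.lower())
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items",
              "https://cdn.example.com/logo.png",
              "http://169.254.169.254/metadata/instance",
              "https://metadata.example.com/",
              "file:///etc/hosts",
              "http://user:secret@api.example.com/"):
        print(validate_outbound_url(u), u)
```

Two caveats a practitioner will want: the address check has to be applied to the address actually connected to (a name can be rebound between validation and connection, so the HTTP client should pin the validated address), and it has to be repeated for every redirect target, since a redirect is the easiest way around a check that only looks at the first URL.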

Dragon Breath APT Group Targets Gambling Industry

An advanced persistent threat (APT) group known as Dragon Breath, APT-Q-27, and Golden Eye has been observed using a new DLL side-loading mechanism to add complexity to its attacks, making them harder to detect and mitigate. This group has been documented using a watering hole campaign to trick users into downloading a trojanized Windows installer for Telegram, a popular messaging app.

Dragon Breath is part of a larger entity called Miuuti Group, which is a Chinese-speaking group targeting the online gaming and gambling industries. Their primary goal is to steal sensitive information and intellectual property from these industries. Researchers have advised organizations to stay vigilant and employ robust security measures to counter such threats.

Google Introduces Passwordless Secure Sign-In with Passkeys

Google has started rolling out a passwordless solution, known as passkeys, across Google Accounts on all platforms, aiming to increase security and user convenience. Passkeys provide a more secure way to sign in to apps and websites without using traditional passwords, relying on biometrics or a local PIN instead.

This new technology minimizes the risk of password-related attacks such as brute force, dictionary attacks, and credential stuffing. Passkeys are locally stored on the device, not shared with other parties, and are resistant to online attacks like phishing. Although Google is rolling out this feature, it intends to continue supporting existing login methods like passwords and two-factor authentication for the foreseeable future, ensuring a smooth transition for users.

Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified three vulnerabilities that are actively being exploited by cybercriminals and have added them to the Known Exploited Vulnerabilities catalog. These vulnerabilities are CVE-2023-1389, which enables remote attackers to execute arbitrary commands with administrative privileges, CVE-2021-45046, a critical remote code execution flaw that has affected a broad range of applications, and CVE-2023-21839, which allows attackers to compromise targeted systems.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes provided by the vendors by May 22, 2023, to safeguard their networks against these active threats. Private sector organizations are also urged to apply these patches without delay to mitigate the risk posed by these vulnerabilities.

New BGP Flaws Found in Popular Internet Routing Protocol Software

Cybersecurity experts have recently identified critical weaknesses in a Border Gateway Protocol (BGP) software implementation that could be exploited to mount a Denial-of-Service (DoS) attack against vulnerable BGP peers, leading to severe internet routing problems that could affect millions of users worldwide. The three vulnerabilities, CVE-2023-30793, CVE-2023-30794, and CVE-2023-30795, affect the FRRouting (FRR) software suite, a widely adopted open-source BGP implementation used by ISPs and cloud providers to manage internet traffic routing.

Attackers could exploit these vulnerabilities by sending malformed BGP UPDATE messages that crash the affected BGP daemon and thereby disrupt the routing table, with the potential for connectivity problems on a global scale. The FRRouting project has issued patches for these vulnerabilities, and organizations running FRR are strongly urged to apply them immediately to mitigate possible disruptions and safeguard their internet traffic routing.
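The failure mode in this item is a daemon that trusts a length field inside an UPDATE and faults when the bytes it promises are not there. As an added example, not code from the FRRouting project, here is a bounds-checked parser for the BGP UPDATE wire format (RFC 4271) that rejects a malformed message with an exception the receive path can log and drop; the sample messages, including the one with an overstated path-attribute length, are constructed with the helper at the bottom of the block.

```python
import struct

BGP_MARKER = b"\xff" * 16      # RFC 4271 section 4.1: 16 bytes of all ones
BGP_UPDATE = 2                 # message type code for UPDATE
BGP_HEADER_LEN = 19
BGP_MAX_LEN = 4096


class MalformedBGP(ValueError):
    """Raised for any message whose length fields do not match the bytes present,
    so the caller can log and drop it instead of the daemon faulting."""


def _take(buf, pos, n, what):
    """Return buf[pos:pos+n] and the new offset, or raise if n bytes are not there."""
    if pos + n > len(buf):
        raise MalformedBGP(f"truncated {what}: need {n} bytes at offset {pos}, have {len(buf) - pos}")
    return buf[pos:pos + n], pos + n


def parse_prefixes(blob, what):
    """Decode <length (1 byte), prefix bytes> IPv4 NLRI entries into 'a.b.c.d/len' strings."""
    prefixes, pos = [], 0
    while pos < len(blob):
        plen = blob[pos]
        pos += 1
        if plen > 32:
            raise MalformedBGP(f"{what}: prefix length {plen} exceeds 32")
        raw, pos = _take(blob, pos, (plen + 7) // 8, f"{what} prefix")
        octets = list(raw) + [0] * (4 - len(raw))
        prefixes.append(".".join(map(str, octets)) + f"/{plen}")
    return prefixes


def parse_path_attributes(blob):
    """Decode path attributes into (type code, raw value) pairs, honouring the
    extended-length flag (0x10) that selects a 2-byte length field."""
    attrs, pos = [], 0
    while pos < len(blob):
        hdr, pos = _take(blob, pos, 2, "attribute header")
        flags, code = hdr[0], hdr[1]
        if flags & 0x10:
            lraw, pos = _take(blob, pos, 2, "attribute length")
            alen = struct.unpack("!H", lraw)[0]
        else:
            lraw, pos = _take(blob, pos, 1, "attribute length")
            alen = lraw[0]
        value, pos = _take(blob, pos, alen, f"value of attribute type {code}")
        attrs.append((code, bytes(value)))
    return attrs


def parse_update(msg):
    """Parse one BGP UPDATE message, checking every length field before use."""
    if len(msg) < BGP_HEADER_LEN:
        raise MalformedBGP("shorter than the 19-byte BGP header")
    marker, length, mtype = msg[:16], struct.unpack("!H", msg[16:18])[0], msg[18]
    if marker != BGP_MARKER:
        raise MalformedBGP("bad marker")
    if not BGP_HEADER_LEN <= length <= BGP_MAX_LEN or length != len(msg):
        raise MalformedBGP(f"length field {length} does not match {len(msg)} bytes received")
    if mtype != BGP_UPDATE:
        raise MalformedBGP(f"not an UPDATE (type {mtype})")
    body, pos = msg[BGP_HEADER_LEN:], 0
    raw, pos = _take(body, pos, 2, "withdrawn routes length")
    withdrawn, pos = _take(body, pos, struct.unpack("!H", raw)[0], "withdrawn routes")
    raw, pos = _take(body, pos, 2, "total path attribute length")
    attrs, pos = _take(body, pos, struct.unpack("!H", raw)[0], "path attributes")
    return {"withdrawn": parse_prefixes(withdrawn, "withdrawn"),
            "attributes": parse_path_attributes(attrs),
            "nlri": parse_prefixes(body[pos:], "nlri")}


def safe_parse(msg):
    """What a daemon's receive path should do: return the parsed message, or None
    for anything malformed (the caller logs the reason and drops the message)."""
    try:
        return parse_update(msg)
    except MalformedBGP:
        return None


def build_update(withdrawn=b"", attrs=b"", nlri=b""):
    """Assemble a well-formed UPDATE; used here only to construct sample messages."""
    body = (struct.pack("!H", len(withdrawn)) + withdrawn
            + struct.pack("!H", len(attrs)) + attrs + nlri)
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_UPDATE) + body


# Constructed samples: ORIGIN=IGP, AS_PATH with one 2-byte AS (65000), NEXT_HOP 192.0.2.1,
# announcing 10.1.0.0/16.
SAMPLE_ATTRS = (bytes([0x40, 1, 1, 0])
                + bytes([0x40, 2, 4, 2, 1, 0xFD, 0xE8])
                + bytes([0x40, 3, 4, 192, 0, 2, 1]))
GOOD_UPDATE = build_update(attrs=SAMPLE_ATTRS, nlri=bytes([16, 10, 1]))
# Same message with the path-attribute length field overwritten to claim 200 bytes.
BAD_UPDATE = GOOD_UPDATE[:BGP_HEADER_LEN + 2] + struct.pack("!H", 200) + GOOD_UPDATE[BGP_HEADER_LEN + 4:]
```

The pattern that matters is in `_take`: every read of `n` bytes is checked against what remains before the slice is taken, so an attribute length, withdrawn-routes length or prefix length that points past the end of the message produces a clean rejection rather than an out-of-bounds access. In a production daemon the rejection would additionally trigger the NOTIFICATION and session handling RFC 4271 prescribes for malformed UPDATEs.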

A WordPress Plugin Vulnerability Exposes Over 2 Million Sites to Cyberattacks

A new vulnerability has been found in the popular Advanced Custom Fields plugin for WordPress, putting over two million sites at risk of cyberattacks. This security flaw, identified as CVE-2023-30777, involves a case of reflected cross-site scripting (XSS) that can be exploited to inject harmful executable scripts into benign websites. This vulnerability can allow an unauthenticated user to steal sensitive information and can lead to privilege escalation on the WordPress site by tricking a privileged user into visiting a specially crafted URL path. Researchers from Patchstack discovered this vulnerability and reported it to the maintainers on May 2, 2023.

Victims of reflected XSS attacks are typically tricked into clicking a link sent by email or another channel; the request carries the malicious code to the vulnerable website, which reflects it back into the user's browser. Although this type of attack has less reach and scale than stored XSS, attackers still distribute such links to as many potential victims as possible.

Notably, CVE-2023-30777 can be triggered on a default installation or configuration of Advanced Custom Fields, but only by logged-in users who have access to the plugin. The discovery of this vulnerability coincides with the patching of two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144) in Craft CMS that could also be used to serve malicious payloads.

Additionally, there was the disclosure of another XSS vulnerability in the cPanel product (CVE-2023-29489, CVSS score: 6.1), which could be exploited to execute arbitrary JavaScript without any authentication, allowing an attacker to hijack a valid user’s cPanel session and potentially upload a web shell, leading to command execution. The presence of these vulnerabilities reinforces the need for website owners to remain vigilant and take measures to protect their sites against cyberattacks by patching vulnerabilities as soon as they are discovered.
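Reflected XSS as described above comes down to a request parameter being copied into the response as markup; the fix is to encode the value for the HTML context it lands in. The following added example (not code from Advanced Custom Fields, Craft CMS or cPanel) shows a minimal vulnerable page renderer beside its hardened form, plus a check that parses the rendered response the way a browser would and reports any element that did not come from the template. The page template, the parameter name `s` and the sample query strings are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs


def _search_term(query_string):
    """Pull the 's' parameter out of a raw query string (constructed parameter name)."""
    return parse_qs(query_string).get("s", [""])[0]


def render_search_vulnerable(query_string):
    """'Before' form: the parameter is copied into the page unchanged, so any
    markup in the URL becomes markup in the response."""
    return f"<h1>Results for {_search_term(query_string)}</h1>"


def render_search_hardened(query_string):
    """'After' form: the value is entity-encoded for the HTML text context it
    lands in, so the browser renders it as text and never as an element."""
    return f"<h1>Results for {html.escape(_search_term(query_string), quote=True)}</h1>"


class _TagCollector(HTMLParser):
    """Records every start tag the browser's parser would see in a response."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_elements(page, template_tags=("h1",)):
    """Elements in the rendered response that the template never emits. For a
    template whose untrusted value sits in text content, any such element means
    the value was rendered as markup, i.e. the reflection is exploitable."""
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return [t for t in parser.tags if t not in template_tags]


# Constructed sample query strings: one carries markup, one is ordinary text
# with characters that still need encoding.
MARKUP_QUERY = "s=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
TEXT_QUERY = "s=Tom+%26+Jerry+%3C3"


if __name__ == "__main__":
    for q in (MARKUP_QUERY, TEXT_QUERY):
        for name, render in (("vulnerable", render_search_vulnerable),
                             ("hardened", render_search_hardened)):
            page = render(q)
            print(f"{name:10} {page!r} -> injected: {injected_elements(page)}")
```

Encoding is context-specific: `html.escape` is right for text content and quoted attribute values, but a value placed inside a URL, a JavaScript string or a CSS rule needs the encoder for that context. A Content-Security-Policy that disallows inline scripts is a worthwhile second layer, since it limits what a reflection can execute even when an encoding step is missed.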


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
