17 Nov 23
Cyber Threat Roundup
A collection of recent open-source items of interest to the Defense Industrial Base
Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups
A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. The flaw, tracked as CVE-2023-37580 (CVSS v3 score 6.1), is a reflected cross-site scripting (XSS) vulnerability impacting versions before 8.8.15 Patch 41. It was addressed by Zimbra as part of patches released on July 25, 2023. Successful exploitation of the shortcoming could allow execution of malicious scripts in the victims' web browser simply by tricking them into clicking on a specially crafted URL, which sends the XSS request to Zimbra and reflects the attack back to the user. Three of the four campaigns were observed prior to the release of the patch, with the fourth campaign detected a month after the fixes were published.
https://thehackernews.com/2023/11/zero-day-flaw-in-zimbra-email-software.html
MySQL Servers Targeted by 'Ddostf' DDoS-as-a-Service Botnet
MySQL servers are being targeted by the 'Ddostf' malware botnet, which enslaves them for a DDoS-as-a-Service platform whose firepower is rented out to other cybercriminals. Ddostf's operators scan the internet for exposed MySQL servers and breach them either by exploiting vulnerabilities in unpatched MySQL environments or by brute-forcing weak administrator account credentials. On Windows MySQL servers, the threat actors use a feature called user-defined functions (UDFs) to execute commands on the breached system. UDF is a MySQL feature that allows users to define functions in C or C++ and compile them into a DLL (dynamic link library) file that extends the capabilities of the database server.
https://www.bleepingcomputer.com/news/security/mysql-servers-targeted-by-ddostf-ddos-as-a-service-botnet/
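As an added example (not from the article or from any Ddostf analysis), the Python below checks two constructed MySQL log excerpts for the two behaviours described above: UDF libraries being registered with CREATE FUNCTION ... SONAME in the general query log, and a burst of failed logins from one host in the error log that indicates credential brute-forcing. The log line layouts, the function and library names, and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt of a MySQL general query log (general_log=ON, log_output=FILE);
# run_cmd, udf_example.dll and the addresses are invented for this example.
GENERAL_LOG = """\
2023-11-17T10:02:11.000001Z\t   41 Connect\troot@203.0.113.9 on  using TCP/IP
2023-11-17T10:02:12.000002Z\t   41 Query\tSELECT @@version_compile_os
2023-11-17T10:02:13.000003Z\t   41 Query\tCREATE FUNCTION run_cmd RETURNS STRING SONAME 'udf_example.dll'
2023-11-17T10:02:14.000004Z\t   42 Query\tSELECT name FROM app.customers LIMIT 10
"""
# Constructed excerpt of a MySQL error log: 12 failed logins from one host within 12 seconds.
ERROR_LOG = "\n".join(
    f"2023-11-17T10:01:{s:02d}.000000Z 12 [Warning] [Server] Access denied for user "
    f"'root'@'203.0.113.9' (using password: YES)" for s in range(12)
) + "\n2023-11-17T10:05:00.000000Z 13 [Warning] [Server] Access denied for user 'app'@'10.0.0.5' (using password: YES)\n"

# Registering a UDF always names a native library with SONAME; that is the statement to alert on.
UDF_RE = re.compile(
    r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) Query\t\s*CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?P<fn>\w+)"
    r"\s+RETURNS\s+\w+\s+SONAME\s+'(?P<lib>[^']+)'", re.IGNORECASE)
DENIED_RE = re.compile(r"^(?P<ts>\S+) .*Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")

def find_udf_registrations(general_log: str) -> list[dict]:
    """Return each CREATE FUNCTION ... SONAME statement with its thread id, function and library."""
    hits = []
    for line in general_log.splitlines():
        m = UDF_RE.match(line)
        if m:
            hits.append({"ts": m["ts"], "thread": int(m["thread"]),
                         "function": m["fn"], "library": m["lib"]})
    return hits

def find_bruteforce_sources(error_log: str, threshold: int = 10, window_s: int = 60) -> dict[str, int]:
    """Map source host -> total failures for hosts with >= threshold failed logins inside window_s seconds."""
    stamps_by_host = defaultdict(list)
    for line in error_log.splitlines():
        m = DENIED_RE.match(line)
        if m:
            stamps_by_host[m["host"]].append(datetime.fromisoformat(m["ts"].replace("Z", "+00:00")))
    flagged = {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        # Sliding window: any run of `threshold` consecutive failures within window_s trips the rule.
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                flagged[host] = len(stamps)
                break
    return flagged
```

On a real server the same checks apply to the general log written to a table (mysql.general_log) and to the currently loaded UDFs listed in mysql.func, which should contain only libraries the administrator installed.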
A Critical OS Command Injection Flaw Affects Fortinet FortiSIEM
Fortinet is warning customers of a critical OS command injection vulnerability, tracked as CVE-2023-36553 (CVSS v3 score 9.3), in the FortiSIEM report server. A remote, unauthenticated attacker can exploit the flaw to execute commands by sending specially crafted API requests. FortiSIEM is the security information and event management (SIEM) solution provided by Fortinet; it collects, aggregates, and correlates log data from various sources across the network. The flaw affects FortiSIEM versions 5.4.0, 5.3.0 through 5.3.3, 5.2.5 through 5.2.8, 5.2.1 through 5.2.2, 5.1.0 through 5.1.3, 5.0.0 through 5.0.1, 4.10.0, 4.9.0, and 4.7.2. It was internally discovered as a variant of FG-IR-23-130, another issue tracked as CVE-2023-34992, which was also an improper neutralization of special elements used in an OS command ('OS command injection') and affected FortiSIEM versions 7.0.0, 6.7.0 through 6.7.5, 6.6.0 through 6.6.3, 6.5.0 through 6.5.1, and 6.4.0 through 6.4.2.
https://securityaffairs.com/154301/security/fortinet-fortisiem-os-command-injection.html
27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts
An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository for nearly six months with the aim of delivering malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain. The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads, Checkmarx said in a new report. A majority of the downloads originated from the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan. A defining characteristic of this attack was the use of steganography to hide a malicious payload within an innocent-looking image file, which increased the stealthiness of the attack. Some of the packages are pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, the last of which was planted on May 13, 2023.
https://thehackernews.com/2023/11/27-malicious-pypi-packages-with.html
U.S. Cybersecurity Agencies Warn of Scattered Spider's Gen Z Cybercrime Ecosystem
U.S. cybersecurity and intelligence agencies released a joint advisory about a cybercriminal group known as Scattered Spider that's known to employ sophisticated phishing tactics to infiltrate targets. Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs. Considered experts in social engineering, Scattered Spider is known to rely on phishing, prompt bombing, and SIM swapping attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA). Scattered Spider, like LAPSUS$, is said to be part of a larger Gen Z cybercrime ecosystem that refers to itself as the Com (alternately spelled Comm), which has resorted to violent activity and swatting attacks.
https://thehackernews.com/2023/11/us-cybersecurity-agencies-warn-of.html
CISA Warns of Attacks Exploiting Sophos Web Appliance Vulnerability
CISA has added Sophos, Oracle and Microsoft product vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The Sophos flaw that the agency says has been exploited in attacks is CVE-2023-1671, a critical Sophos Web Appliance vulnerability that can be exploited by an unauthenticated attacker for arbitrary code execution. Sophos announced patches in April, when it also informed customers that the impacted appliance would reach end of life on July 20, 2023. It's not uncommon for threat actors to exploit Sophos product vulnerabilities in their attacks. Some attacks have been linked to a Chinese APT and targeted government and other organizations in South Asia.
https://www.securityweek.com/cisa-warns-of-attacks-exploiting-sophos-web-appliance-vulnerability/