With emerging technologies, malicious actors are also updating their threat vectors and coming up with novel ways to target individuals and organizations. Following are the cybersecurity news headlines this week.


Vulnerability Detected in Snipe-IT

A vulnerability in Snipe-IT that could be used to send malicious password reset requests to users was recently patched by its developers. Snipe-IT is a cloud-based open source project designed to replace Excel spreadsheets for asset tracking, and it accounts for over 6.7 million managed assets.

With over 200 contributors and 2,100 forks, Snipe-IT’s GitHub project allows adopters to either manage their Snipe-IT builds themselves or have them hosted by Grokability. The vulnerability (tracked as CVE-2022-23064) was detected on 2nd May and awarded a CVSS severity score of 8.8.

CVE-2022-23064 was described as a host header injection bug, a class of flaw that can lead to various problems such as SQL injection attacks, web cache poisoning, and server-side request forgery (SSRF). The vulnerability enables adversaries to send fake host headers with password reset requests for the victim’s account, so that the reset link in the resulting email points to an attacker-controlled server. Users who click such a link are taken to that server, where their passwords are stolen.

Cybersecurity experts note that although exploitation requires user interaction, it needs no authentication or privileges. Snipe-IT versions from 3.0-alpha through v5.3.7 are vulnerable, so users are advised to upgrade to at least v5.3.8.
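To illustrate the host header injection pattern behind CVE-2022-23064 from the defender's side, the following added example (not Snipe-IT's code; the hostnames, `APP_URL` and `ALLOWED_HOSTS` are constructed) shows a reset-link builder that trusts the request's Host header next to a hardened version that builds the link from a configured base URL and rejects unexpected hosts:

```python
from urllib.parse import urlsplit

# Constructed configuration for the example (not Snipe-IT's real settings):
# the application's canonical base URL and the hostnames it is allowed to answer for.
APP_URL = "https://assets.example.com"
ALLOWED_HOSTS = {"assets.example.com"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Unsafe pattern: the reset URL is assembled from the request's Host header,
    so a spoofed header ends up in the email the victim receives."""
    host = headers.get("Host", "")
    return f"https://{host}/password/reset/{token}"


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened pattern: reject requests whose Host (or X-Forwarded-Host, if present)
    is not on the allowlist, and build the link from the configured APP_URL only."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is None:
            continue
        # Strip an optional :port; bracketed IPv6 literals are simply not on the list.
        hostname = value.split(":", 1)[0].strip().lower()
        if hostname not in ALLOWED_HOSTS:
            raise ValueError(f"untrusted {name} header: {value!r}")
    return f"{APP_URL}/password/reset/{token}"


def link_host(url: str) -> str:
    """Hostname a reset link points at, i.e. where a clicking user would be sent."""
    return urlsplit(url).hostname or ""


if __name__ == "__main__":
    spoofed = {"Host": "attacker.example"}      # constructed malicious request
    genuine = {"Host": "assets.example.com"}    # constructed legitimate request
    print(link_host(vulnerable_reset_link(spoofed, "tok")))  # attacker.example
    print(link_host(safe_reset_link(genuine, "tok")))        # assets.example.com
```

The same check belongs in front of any absolute URL an application emits from request data, not only password resets.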


Beware of Operation CuckooBees

A new attack campaign called CuckooBees, attributed to the China-based Winnti APT, operated for years without being detected. CuckooBees uses hitherto undocumented malware to target organizations and steal their trade data. It was first seen in 2021 by the Cybereason Nocturnus Incident Response Team, whose researchers revealed that the campaign has been active since at least 2019.

The campaign targeted manufacturing organizations in Western Europe, North America, and East Asia and stole their intellectual property, including blueprints, sensitive documents, formulas, diagrams, and manufacturing-related data. The Winnti group also collected information about the victims’ network architecture and business units, as well as credentials that could be used to launch further attacks.

Further, several organizations’ customer data and employee emails were also compromised. Researchers are still investigating the Winnti campaign and have so far released only partial Indicators of Compromise (IoCs), so much about CuckooBees remains to be revealed.


Cisco Patched Vulnerabilities in NFVIS

Cisco recently patched severe vulnerabilities in its Enterprise Network Function Virtualization Infrastructure Software (NFVIS), including one critical bug with a CVSS score of 9.9 that allows adversaries to escape from a guest virtual machine (VM). Tracked as CVE-2022-20777, the critical vulnerability affects the Next Generation Input/Output (NGIO) feature in Enterprise NFVIS. It stems from insufficient guest restrictions and allows an attacker to send an API call from a VM that is then executed on the NFVIS host, leading to a full compromise of the host.

The Cisco advisory mentions two other high-severity vulnerabilities in NFVIS: CVE-2022-20779 (awarded a CVSS score of 8.8) and CVE-2022-20780 (with a CVSS score of 7.4). The first affects the image registration process of Enterprise NFVIS and can be exploited remotely to inject commands, executed with root privileges, during the VM registration process. The second, CVE-2022-20780, exists in the import function of Enterprise NFVIS and lets a remote, unauthenticated attacker compromise host data.

These and several other cybersecurity issues have been addressed in Enterprise NFVIS 4.7.1. Cisco noted that the flaws affect the default configuration of the NFVIS software, and therefore advises customers to upgrade to the latest version as soon as possible.


High-Severity Security Flaws Detected in Avast and AVG Drivers

Cybersecurity experts have recently discovered several high-severity flaws in a driver used by the AVG and Avast antivirus solutions. Two of these vulnerabilities are tracked as CVE-2022-26522 and CVE-2022-26523. The first resides in the anti-rootkit kernel driver named aswArPot.sys. This driver is the “Avast anti-rootkit,” which dates back to June 2012 and was introduced in Avast version 12.1.

The vulnerability could be exploited to disable antivirus solutions, corrupt the operating system, overwrite system components, and escalate privileges. These vulnerabilities went undetected for a decade and affected millions of users.

The second vulnerability, CVE-2022-26523, resides in the function at aswArPot+0xbb94, and together with the first flaw it can be used for a sandbox escape in a second-stage browser attack.

The flaws were reported to Avast on 20th December 2021. The company fixed the issues in version 22.1 of the antivirus, released on 8th February 2022. While most Avast and AVG installations will receive the patch automatically, on-premise and air-gapped installations need to be updated manually as soon as possible.


Beware of DDoS Attacks Exploiting TCP Middlebox Reflection

A series of DDoS attacks exploiting a new amplification technique called TCP Middlebox Reflection has been observed across the internet. These attacks abuse vulnerable firewalls and flawed content filtering systems to amplify and reflect TCP traffic toward victims’ machines. Cybersecurity experts report that this attack vector.

According to researchers, the new attack vector targets Network Address Translators (NATs), firewalls, load balancers, and Deep Packet Inspection (DPI) boxes with a malformed sequence of TCP packets. Although the spread of this attack is relatively low so far, more than 18 million IPv4 addresses are vulnerable to these TCP-based DDoS reflection attacks. China, Iran, and Indonesia have the most vulnerable IPv4 addresses: 6.3 million, 5.2 million, and 2.7 million, respectively. The first attacks occurred in February 2022 and targeted customers across the travel, banking, media, and gaming web hosting industries. The attack rate may be low for now, but defenders should take the necessary protection measures to tackle TCP-based DDoS attacks.


The Return of REvil

All those who predicted that REvil’s retirement was temporary can commend themselves on their accuracy, because the REvil ransomware group is back with newer and better infrastructure, an updated malware sample, and a modified encryptor. It was just weeks ago that researchers discovered activity on REvil’s Tor servers. This finding has been reported by several researchers and analysts, who have also shared the original source code.

Reportedly, the ransomware’s version number has been changed to 1.0, although this version is just a continuation of the last one, 2.08. REvil’s representative, known as ‘Unknown,’ is still out of the picture, but one of the group’s original core developers is believed to have relaunched the operation recently. The new REvil sample comes with many code enhancements and additions. A new configuration field, ‘accs,’ has been added, containing credentials for specific targets. Further, the new sample’s configuration has changed PID and SUB options, and it produces a ransom note very similar to its previous ones.

Rebranding has become a popular trend among ransomware groups, so the return of REvil is hardly surprising. While the rebrand may be a trick to evade detection, organizations are advised to take the necessary ransomware protection measures.
