Cyber Security Weekly Briefing 12-18 February

Telefónica Tech    18 February, 2022

Researchers develop exploit for critical vulnerability in Magento

Positive Technologies' offensive security team has developed a Proof of Concept (PoC) for the CVE-2022-24086 vulnerability (CVSSv3 9.8), claiming that it would allow control of the system to be gained with web server permissions. However, the researchers have stated that they do not intend to release this exploit either publicly or privately to other industry analysts. This critical vulnerability affecting Adobe Commerce and Magento Open Source was fixed by Adobe last Sunday in a security update. Exploiting this flaw would allow an unauthenticated attacker to execute arbitrary code remotely, although it is worth noting that, despite not requiring authentication, it can only be exploited by an attacker with administrator privileges. The flaw affects Magento Open Source and Adobe Commerce versions 2.4.3-p1 and 2.3.7-p2 and earlier, with the exception of Adobe Commerce versions prior to 2.3.3.3. Also yesterday, Adobe updated this security bulletin to add a new flaw, CVE-2022-24087, also of the Improper Input Validation type, which also has a CVSSv3 score of 9.8 and would allow an unauthenticated attacker to execute arbitrary code remotely. It is recommended to patch both critical vulnerabilities as soon as possible.

More info: https://helpx.adobe.com/security/products/magento/apsb22-12.html

0-day in Chrome being actively exploited

Google released fixes for eight security flaws in the Google Chrome browser on Monday, including a high-criticality vulnerability that is being actively exploited. This use-after-free vulnerability resides in the animation component, has been identified as CVE-2022-0609 and, if successfully exploited, would allow an attacker to execute arbitrary code remotely, as well as alter legitimate information. Google has also addressed four other high-criticality vulnerabilities of the use-after-free type that affect the file manager, ANGLE, GPU and Webstore API, as well as a heap buffer overflow vulnerability in Tab Groups and an inappropriate implementation in the Gamepad API. Google recommends updating Google Chrome to version 98.0.4758.102 to fix these bugs.

Discover more: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html

TA2541 campaign persistent over time

Researchers at Proofpoint have published a new paper attributing a long-running, persistent attack campaign to the TA2541 group. The campaign targets the aviation, aerospace, transportation, manufacturing and defence sectors in North America, Europe and the Middle East. The activity of this group dates back to 2017 and, since that year, they have used TTPs that have been maintained over time. The usual entry vector identified is an English-language phishing campaign using aviation, transport or travel-related subjects. They do not take advantage of current events as other groups often do, although they have occasionally mixed their usual subjects with topical ones such as COVID-19. These emails include attachments that download the payloads of different RATs, mainly families that can be easily acquired in cybercrime forums, with AsyncRAT, NetWire and WSH RAT standing out above the rest. The group has recently refined its campaigns and is no longer delivering payloads as attachments, but via links included in emails that connect to cloud services.

All details: https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

Classified US information exfiltrated by Russian actors

CISA has published a security advisory warning of a cyber espionage campaign dating back to at least January 2020. According to the warning, Russian threat actors have compromised and exfiltrated information from US-authorised defence contractors (CDC), private entities that are authorised to access highly sensitive information in order to bid for contracts, in areas such as intelligence, armaments, aircraft and information technology, among others. Among the techniques used as an entry vector, the attackers reportedly used spearphishing campaigns, credential harvesting, brute force techniques, password spraying and the exploitation of vulnerabilities. Once the companies had been compromised, the attackers managed to establish persistence in some of them for at least six months, enabling Russia to obtain strategic information with which it could have set military priorities, drawn up strategic plans and accelerated software development.

More info: https://www.cisa.gov/uscert/ncas/alerts/aa22-047a
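The advisory lists brute force and password spraying among the entry vectors. The two leave different signatures in authentication logs: a spray is many distinct usernames failing from one source within a short window (few attempts per account), while brute force is many failures against a single account. The following is an added example, not code from CISA or from Telefónica Tech, that computes both signatures over a sliding window and also surfaces the case worth escalating first: a successful login from a source that was seen spraying. The log lines and their `auth=FAIL user=... src=...` format are constructed for the example and do not correspond to any real product.

```python
"""Detect password-spraying and brute-force patterns in authentication logs.

Constructed sample data; the log format is hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed sample log lines (not real data). One spraying source, one
# brute-forcing source, and one ordinary user who mistyped once.
SAMPLE_LOG = """\
2022-02-14T09:00:01Z auth=FAIL user=alice src=203.0.113.10
2022-02-14T09:00:04Z auth=FAIL user=bob src=203.0.113.10
2022-02-14T09:00:09Z auth=FAIL user=carol src=203.0.113.10
2022-02-14T09:00:15Z auth=FAIL user=dave src=203.0.113.10
2022-02-14T09:00:21Z auth=FAIL user=erin src=203.0.113.10
2022-02-14T09:00:27Z auth=OK   user=frank src=203.0.113.10
2022-02-14T09:01:00Z auth=FAIL user=alice src=198.51.100.7
2022-02-14T09:01:03Z auth=FAIL user=alice src=198.51.100.7
2022-02-14T09:01:06Z auth=FAIL user=alice src=198.51.100.7
2022-02-14T09:01:09Z auth=FAIL user=alice src=198.51.100.7
2022-02-14T09:01:12Z auth=FAIL user=alice src=198.51.100.7
2022-02-14T09:01:15Z auth=FAIL user=alice src=198.51.100.7
2022-02-14T09:30:00Z auth=FAIL user=grace src=192.0.2.44
2022-02-14T09:30:05Z auth=OK   user=grace src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+auth=(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one hypothetical-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": m["result"] == "OK", "user": m["user"], "src": m["src"]}


def parse_log(text):
    """Parse all lines and sort by timestamp so the sliding window is well defined."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, window_seconds=300, min_distinct_users=5):
    """Return {src: sorted usernames} for sources whose failures cover at least
    min_distinct_users distinct accounts inside any window_seconds window."""
    alerts = {}
    per_src = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    for e in events:
        if e["ok"]:
            continue
        q = per_src[e["src"]]
        q.append((e["ts"], e["user"]))
        # Evict failures that have fallen out of the sliding window.
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_distinct_users:
            alerts.setdefault(e["src"], set()).update(users)
    return {src: sorted(u) for src, u in alerts.items()}


def detect_brute_force(events, window_seconds=300, min_failures=5):
    """Return {(src, user): peak failure count} for a single account hammered
    from a single source inside the window."""
    alerts = {}
    per_key = defaultdict(deque)  # (src, user) -> deque of failure timestamps
    for e in events:
        if e["ok"]:
            continue
        key = (e["src"], e["user"])
        q = per_key[key]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= min_failures:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def successes_after_spray(events, spray_alerts):
    """Successful logins from a source flagged as spraying: the highest-priority finding."""
    return sorted((e["src"], e["user"]) for e in events
                  if e["ok"] and e["src"] in spray_alerts)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    spray = detect_password_spray(ev)
    print("password spray:", spray)
    print("brute force:", detect_brute_force(ev))
    print("success from spraying source:", successes_after_spray(ev, spray))
```

The thresholds (five distinct accounts or five failures within five minutes) are starting points, not tuned values; a real deployment keys on source ranges rather than single addresses, since sprays are routinely spread across many IPs, and correlates the `successes_after_spray` output with MFA and geolocation data before raising an incident.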
