Cyber Security Weekly Briefing, 14 – 20 January

Telefónica Tech, 20 January 2023

Several vulnerabilities have been discovered in Netcomm and TP-Link routers. On the one hand, the flaws identified as CVE-2022-4873 and CVE-2022-4874 are a buffer overflow and an authentication bypass that would allow remote code execution.

The researcher who discovered them, Brendan Scarvell, has published a PoC for both. The affected router models are Netcomm NF20MESH, NF20 and NL1902 running firmware versions prior to R6B035.

On the other hand, the CERT/CC detailed two vulnerabilities affecting the TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 routers, which could cause information disclosure (CVE-2022-4499) and remote code execution (CVE-2022-4498).

More info

* * *

PoC for multiple vulnerabilities in WordPress plugins

Researchers at Tenable have published details of three new vulnerabilities in plugins for the WordPress platform, including proof-of-concepts (PoCs) for all of them.

The first, catalogued as CVE-2023-23488 with a CVSS score of 9.8, is an unauthenticated SQL injection vulnerability in the Paid Membership Pro plugin. The second, identified as CVE-2023-23489 with the same score and of the same type, affects the Easy Digital Downloads plugin.

The third and last, CVE-2023-23490 with a CVSS score of 8.8 and also a SQL injection vulnerability, affects the Survey Maker plugin. The authors of the plugins were reportedly notified in December 2022 and have released security updates correcting these issues, so the latest available versions should no longer be vulnerable.

More info

* * *

Hook: new banking trojan targeting Android devices

Researchers at ThreatFabric have discovered a new Android banking trojan called Hook. According to the researchers, it was released by the same developer as the Android banking trojan Ermac, but it has more capabilities than its predecessor.

ThreatFabric claims that Hook shares much of its source code with Ermac, so it should also be considered a banking trojan. The most notable aspect of Hook is that it includes a VNC (virtual network computing) module that allows the operator to take control of the compromised device's interface in real time.

It is worth noting that Spain is the country with the second highest number of banking applications threatened by Hook after the United States, according to the ThreatFabric report.

More info

* * *

Malware discovered hidden in PyPI repository packages

Fortinet researchers have discovered three packages in the PyPI (Python Package Index) repository containing malicious code intended to infect developers’ systems with infostealer-type malware. The three packages, which have been uploaded to the platform by the same user with the nickname Lolip0p, are called Colorslib, httpslib and libhttps, respectively.

Fortinet highlights, as a notable departure for this type of supply chain attack, that the threat actor did not try to embed malware in malicious copies of legitimate packages, but instead created its own projects, investing considerable effort in making them look trustworthy.

Fortinet found that the setup file for all three packages is identical and attempts to run a PowerShell command that downloads a malicious file. According to PyPI's statistics, the three packages have together been downloaded 549 times so far.
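As an added illustration of the install-time pattern Fortinet describes (a setup file that spawns PowerShell), and not code from the Fortinet report or from the packages themselves: a small static check that parses a setup.py with Python's ast module and flags process-spawning calls whose literal arguments mention a shell. The sample setup.py below is constructed, with a placeholder in place of any real command, and the token list is an assumed heuristic.

```python
"""Static audit of a setup.py for install-time process spawning (e.g. PowerShell)."""
import ast

# Calls that hand a string to a shell or spawn a process when setup.py runs.
EXEC_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
              "subprocess.check_output", "subprocess.check_call", "subprocess.Popen"}
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "cmd.exe", "-enc", "bypass")

def _dotted_name(node):
    """Return 'pkg.attr' for a Call's func node ('subprocess.Popen'), else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def _string_literals(node):
    """Yield every string constant nested under node (args, lists, f-strings)."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub.value

def audit_setup(source):
    """Return (line, call, reason) findings for every process-spawning call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name not in EXEC_CALLS:
            continue
        text = " ".join(_string_literals(node)).lower()
        hits = [t for t in SUSPICIOUS_TOKENS if t in text]
        reason = "process spawn" + (f" mentioning {hits}" if hits else "")
        findings.append((node.lineno, name, reason))
    return findings

# Constructed sample mimicking the described pattern; the command is a placeholder.
SAMPLE_SETUP = '''from setuptools import setup
import subprocess
subprocess.Popen(["powershell", "-Command", "<PLACEHOLDER download-and-run>"])
setup(name="examplelib", version="1.0")
'''

if __name__ == "__main__":
    for line, call, reason in audit_setup(SAMPLE_SETUP):
        print(f"setup.py line {line}: {call} -> {reason}")
```

The check only sees literal strings, so obfuscated or dynamically built commands need a sandboxed install or behavioural monitoring rather than this static pass; the point is to inspect setup.py before pip executes it.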

More info

* * *

NortonLifeLock reports password manager incident

Gen Digital, the company that owns NortonLifeLock, has begun sending a statement to an undisclosed number of its users informing them that an unauthorised third party has been able to access their Norton Password Manager accounts and exfiltrate first names, last names, phone numbers and email addresses.

In the official notification sent to the Vermont Attorney General’s Office, Norton explains that its systems have not been compromised or abused, and that the incident is due to the attacker reusing usernames and passwords available in a database for sale on the dark web.

This claim is supported by the fact that in late December Norton detected a substantial and unusual increase in the number of failed login attempts on its systems, indicating that attackers were trying to gain access by testing credentials compromised on other services.

The incident again highlights the need for a proper password policy with unique passwords for each online service.

More info

Featured photo: Souvik Banerjee / Unsplash