Cyber Security Weekly Briefing, 15-21 October

Telefónica Tech, 21 October 2022

The Noname057(16) group attacks the Spanish Ministry of Defense

Last Friday, the threat actor Noname057(16) attacked the website of the Spanish Ministry of Defense, rendering it unavailable for a short period of time.

Noname057(16) is a politically motivated group that typically carries out denial-of-service attacks against its victims, usually institutions and companies in EU or NATO countries, particularly in the public, transport and telecommunications sectors.

The group has been carrying out this type of attack since March 2022, when its Telegram channel was created, but has stepped up its activity since last summer.

Additionally, the group has recently stated that it is not to be confused with the Killnet hacktivist group, which has a similar profile and modus operandi.


* * *

Microsoft reports a misconfigured endpoint of its own

The Microsoft Security Response Center has reported the remediation of a misconfigured endpoint which could have allowed unauthenticated access to the data stored on it.

The information that could have been exposed involved business transactions between Microsoft and customers, including sensitive information such as personal names, email addresses, email content, company names, phone numbers, or document attachments.

Microsoft became aware of the misconfigured endpoint on 24 September thanks to a tip-off from SOCRadar and then secured it. According to the information published by Microsoft, there is no indication that customer accounts or systems have been compromised, and all affected customers have been notified directly.


* * *

Critical vulnerability in Apache Commons Text

A critical vulnerability in Apache Commons Text has recently been disclosed. It allows an unauthenticated attacker to execute code remotely (RCE) on servers running applications that pass untrusted input through the affected component.

Tracked as CVE-2022-42889 with a CVSS score of 9.8, the flaw affects Apache Commons Text versions 1.5 through 1.9 and stems from insecure defaults in the library's variable interpolation: the default interpolator enables lookups (among them script, dns and url) that can evaluate code or reach out to the network, so an attacker-controlled string such as a "${script:...}" expression that reaches the interpolator can lead to arbitrary code execution on the server.

According to the Apache Software Foundation, the Apache Commons Text library is used in more than 2,500 projects. The Foundation recommends upgrading as soon as possible to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
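The following Java snippet is an added example, not code from the briefing or from the Apache project. It shows the pattern that makes an application exploitable (attacker-controlled text reaching the default interpolator) alongside a hardened version that both restricts the interpolator to an explicit allow-list of lookups and splices user data in only after the trusted template has been resolved. The template, the `{{user}}` placeholder and the attacker string are constructed for illustration; it assumes `org.apache.commons:commons-text` on the classpath.

```java
// Added example (not from the briefing or from Apache Commons Text itself).
// Demonstrates CVE-2022-42889-style interpolation of untrusted input and a
// hardened alternative. Assumes commons-text is on the classpath.
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class CommonsTextInterpolationDemo {

    // Constructed attacker input, e.g. a form field or HTTP header that the
    // application later feeds into a template string.
    static final String UNTRUSTED =
        "${script:javascript:java.lang.Runtime.getRuntime().exec(\"touch /tmp/pwned\")}";

    // VULNERABLE on commons-text 1.5 to 1.9: the default interpolator enables the
    // script, dns and url lookups, so the attacker's "${script:...}" is evaluated
    // when it is spliced into the template before interpolation. On 1.10.0 those
    // lookups are off by default and the placeholder is left unreplaced.
    static String renderVulnerable(String template, String userValue) {
        StringSubstitutor sub = new StringSubstitutor(
            StringLookupFactory.INSTANCE.interpolatorStringLookup());
        return sub.replace(template.replace("{{user}}", userValue));
    }

    // HARDENED, two layers:
    //  1. Build the interpolator from an explicit allow-list (here only "sys"),
    //     without the default lookups; an unknown prefix such as "script"
    //     resolves to null and the placeholder is left as literal text.
    //  2. Resolve the trusted template first, then insert the user value as
    //     opaque data, so user input never reaches the interpolator at all.
    static String renderHardened(String template, String userValue) {
        Map<String, StringLookup> allowed =
            Map.of("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        StringSubstitutor sub = new StringSubstitutor(
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false));
        String resolved = sub.replace(template);
        return resolved.replace("{{user}}", userValue);
    }

    public static void main(String[] args) {
        // Constructed, trusted template owned by the application.
        String template = "Hello {{user}}, this host runs Java ${sys:java.version}";

        // Safe: the attacker string is echoed back verbatim, never evaluated.
        System.out.println(renderHardened(template, UNTRUSTED));

        // Only run the vulnerable path in a disposable environment. On an affected
        // version with a JSR-223 JavaScript engine available (e.g. Nashorn on
        // JDK 8-14) it executes the embedded command; without an engine the
        // script lookup fails instead of executing.
        // System.out.println(renderVulnerable(template, UNTRUSTED));
    }
}
```

Upgrading to 1.10.0 is still the primary fix; the allow-list construction matters because any application that later re-enables a dangerous lookup, or that hands untrusted text to the interpolator, is exploitable on any version.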

In addition, several security researchers have pointed out that a proof of concept (PoC) for this vulnerability is publicly available, which considerably increases the risk.

Some sources have even compared this bug to the well-known Log4j vulnerability, although its impact is likely to be less widespread, and for the time being there are no reports of active exploitation in the wild.


* * *

BlackLotus: highly sophisticated malware for sale in underground forums

Security researchers have detected a threat actor selling a tool called BlackLotus on underground forums, with capabilities that until now had only been observed in state-sponsored groups and actors.

The tool, a UEFI bootkit, is said to install itself at the firmware level and evade security solutions by loading early in the device's boot sequence, before the operating system and its defences start.

According to the seller's post, BlackLotus includes anti-virtual-machine checks and protections against removal, which also make analysis of the malware more difficult.

Finally, security researcher Scott Scheferman notes that until a sample of the malware has been fully analysed, it cannot be ruled out that BlackLotus is used in a Bring Your Own Vulnerable Driver (BYOVD) attack.


* * *

PoC available for critical Fortinet vulnerability

Over the past few days, a proof of concept (PoC) has been published on GitHub that exploits the critical security flaw in Fortinet FortiOS, FortiProxy and FortiSwitchManager reported last week and tracked as CVE-2022-40684.

Specifically, exploitation of this vulnerability allows a remote attacker to bypass authentication and perform operations on the administrative interface via crafted HTTP(S) requests.

In addition, Horizon3.ai, which analysed the flaw and released the PoC, notes that FortiOS exposes a web management portal used to configure the system, and that the bypass gives an attacker access to it.

By the time the PoC was published, Fortinet had already reported active exploitation of the vulnerability, and on Friday it issued an advisory with mitigation guidance as well as updates and fixes for customers.

Finally, researchers from GreyNoise and Wordfence have published data on exploitation attempts they have observed.
