Cyber Security Weekly Briefing, 18 – 24 February

Telefónica Tech, 24 February 2023

Fortinet fixes critical vulnerabilities in FortiNAC and FortiWeb

Fortinet has issued a security advisory fixing two critical vulnerabilities affecting its FortiNAC and FortiWeb products.

The first flaw, registered as CVE-2022-39952 with a CVSSv3 score of 9.8, affects FortiNAC and could allow an unauthenticated attacker to execute unauthorised code or commands via a specially crafted HTTP request.

The other vulnerability, identified as CVE-2021-42756 with a CVSSv3 score of 9.3, affects FortiWeb; its exploitation could allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests.

Fortinet recommends that affected users upgrade FortiNAC to version 9.4.1, 9.2.6, 9.1.8 or 7.2.0, and FortiWeb to version 7.0.0, 6.3.17, 6.2.7, 6.1.3 or 6.0.8 or later.

More info

* * *

Access credentials of two major data centre operators exposed

The Resecurity team has published an investigation into the sale of login credentials of two data centre operators in Asia, namely GDS Holdings Ltd. (China) and ST Telemedia Global Data Centres (Singapore).

The security incidents, the details of which have yet to be clarified, took place in 2021, but only became public knowledge on 20 February, when the stolen data was published on an underground forum. The exfiltrated data includes credentials, emails, phone numbers and ID card references, with an estimated compromise of more than 3,000 records in total.

Indirectly, large global corporations that used these data centres have also been compromised, with logins of companies such as Apple, BMW, Amazon, Walmart, Alibaba, Microsoft and Ford Motor, among others, being exposed.

It should be noted that both data centres forced their customers to change their passwords last January, although Resecurity has confirmed several attempts to access different customer portals.

Finally, it should be noted that researchers have so far been unable to attribute these attacks to any particular group.

More info

* * *

Fake ChatGPT applications used to distribute malware

Kaspersky researchers are warning of a fake Windows desktop version of ChatGPT being used to distribute malware.

The authors of this campaign, taking advantage of the growing popularity of the OpenAI chatbot, are reportedly using social media accounts to advertise the platform and include a link to the supposed download site.

Some of the profiles identified by Kaspersky also offered trial accounts to increase the interest of potential victims. Once the download is complete, an error message is displayed warning of a problem with the installation, while in reality a Trojan with infostealer capabilities, named “Fobo”, has been installed.

Cyble’s intelligence team has also investigated the same campaign distributing other malware families such as the Lumma and Aurora stealers. Security researcher Dominic Alvieri has also published about other cases of campaigns distributing the RedLine stealer.

More info

* * *

Vulnerabilities in VMware products

VMware has issued two security advisories warning of two critical vulnerabilities affecting several of the company’s products:

  1. The most critical flaw, reported as CVE-2023-20858 with a vendor-assigned CVSSv3 score of 9.1, affects Carbon Black App Control.
    • Exploiting this vulnerability could allow a malicious actor to use specially crafted input in the App Control management console to gain access to the server’s operating system.
  2. Another vulnerability, published as CVE-2023-20855 with a vendor-assigned CVSSv3 score of 8.8, impacts vRealize Orchestrator, vRealize Automation and Cloud Foundation.
    • In this case, a malicious actor could use specially crafted input to bypass XML parsing restrictions, leading to access to sensitive information or privilege escalation on affected systems.

More info

* * *

Phishing campaign via PayPal

Avanan researchers have reported a new phishing campaign sent from the PayPal platform.

The malicious actors are taking advantage of the ease of creating free PayPal accounts, which offer the ability to create and send invoices to multiple recipients at once. As a result, the messages received by the victims come directly from the PayPal domain, bypassing email security controls that rely on sender reputation.

In the detected campaign, several messages have been observed in which victims are told that their account has been debited, and that in case it has not been authorised, they should call a telephone number.

This phone number is not associated with PayPal, and by calling it the attackers get the victims’ phone number and other personal details, which can be used in future attacks.

Because such emails are difficult to block with technical controls, researchers recommend searching the Internet for the phone number to check whether it is actually associated with PayPal.
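The campaign's distinguishing trait is that the sender is genuine and only the callback number is attacker-controlled, so a defender's check has to look at the body rather than the envelope. The following Python script is an added example (not from the original briefing or from Avanan) that parses a constructed sample invoice email, extracts phone numbers from the body and flags a PayPal-originated message whose number is not on an organisation-maintained list of verified PayPal support numbers; both numbers and the allow-list are placeholders.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: the invoice really is sent through PayPal's service, so the
# sender domain is genuine; the only attacker-controlled element is the callback
# number. Both numbers in this file are placeholders, not real PayPal numbers.
SAMPLE_EMAIL = """\
From: service@paypal.com
To: victim@example.com
Subject: Invoice from Acme Billing
Content-Type: text/plain; charset=utf-8

Your account has been debited $499.99 for an annual plan.
If you did not authorise this charge, call us at +1 (800) 555-0199.
"""

# Numbers the organisation has verified as PayPal's own support lines (placeholder).
KNOWN_PAYPAL_NUMBERS = {"18885551234"}

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URGENCY_RE = re.compile(r"debited|charged|unauthori[sz]ed|call (?:us )?at", re.I)


def normalise(number: str) -> str:
    """Strip formatting so the same number always compares equal."""
    return re.sub(r"\D", "", number)


def assess(raw: str) -> dict:
    """Flag a PayPal-originated invoice whose callback number is not PayPal's."""
    msg = message_from_string(raw, policy=default)
    domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    numbers = {normalise(m) for m in PHONE_RE.findall(body)}
    unknown = sorted(numbers - KNOWN_PAYPAL_NUMBERS)
    # The campaign's signature: genuine PayPal sender, urgency wording and a
    # callback number that PayPal does not publish.
    flagged = domain.endswith("paypal.com") and bool(unknown) and bool(URGENCY_RE.search(body))
    return {"sender_domain": domain, "callback_numbers": sorted(numbers),
            "unknown_numbers": unknown, "flagged": flagged}


if __name__ == "__main__":
    print(assess(SAMPLE_EMAIL))
```

A flagged message is a candidate for quarantine or analyst review rather than an automatic block, since a legitimate merchant invoice may also carry a non-PayPal contact number.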

More info