Privilege escalation vulnerability in Western Digital
Independent security researcher Xavier Danest has reported a privilege escalation vulnerability in EdgeRover. EdgeRover is software developed by storage products manufacturer Western Digital for content management, unifying multiple storage devices under a single interface. Identified as CVE-2022-22988, the vulnerability has been rated as critical with a CVSSv3 score of 9.1: owing to a directory traversal flaw, it would allow an attacker who has previously compromised the target system to gain unauthorised access to restricted directories and files. This could additionally lead to local privilege escalation, disclosure of confidential information or denial of service (DoS). The flaw affects the desktop versions of EdgeRover for Windows and Mac, and it is currently unknown whether it is being actively exploited in the wild. Western Digital has already fixed file and directory permissions to prevent unauthorised access and modification, and recommends upgrading EdgeRover to version 1.5.1-594 or later, which addresses this vulnerability.
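The vulnerability class above, directory traversal in a local file-management service, is usually mitigated by canonicalising every requested path and refusing anything that resolves outside the directory the service is allowed to serve. The following is an added, generic example of that containment check; it is not EdgeRover code and says nothing about how Western Digital fixed the product. It assumes a hypothetical service that serves files from a single base directory and builds a constructed sandbox on disk to exercise the check, including a symlink that points out of the served directory.

```python
"""Path-containment check for a file-serving component (added example).

Assumptions: a hypothetical content manager exposes files below one base
directory to a local caller. This is a generic defensive pattern for the
directory traversal class, not the vendor's implementation.
"""
import os
import tempfile
from typing import Dict, Optional


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` if it stays inside `base_dir`,
    otherwise None.

    Both sides are passed through os.path.realpath so that '..' components
    and symlinks are resolved *before* the comparison; a lexical check on the
    raw string would accept 'sub/../../secret' or a symlink that escapes.
    """
    base = os.path.realpath(base_dir)
    # Treat the request as relative to the base. An absolute request would
    # otherwise make os.path.join discard the base entirely.
    relative = requested.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def demo() -> Dict[str, bool]:
    """Build a constructed sandbox and exercise the check.

    Returns a map of request -> allowed, so a caller (or a test) can see
    which requests the check lets through.
    """
    root = tempfile.mkdtemp()
    share = os.path.join(root, "share")          # the only directory to serve
    os.makedirs(share)
    with open(os.path.join(share, "report.txt"), "w") as fh:
        fh.write("ok")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("restricted")                   # must never be reachable

    requests = ["report.txt", "../secret.txt", "/report.txt", "sub/../report.txt"]
    # A symlink inside the share that points outside it; some platforms
    # refuse to create symlinks without extra privileges, so skip it there.
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(share, "link"))
        requests.append("link")
    except OSError:
        pass

    return {req: resolve_within(share, req) is not None for req in requests}


if __name__ == "__main__":
    for req, allowed in demo().items():
        print(f"{req!r:>20}: {'allowed' if allowed else 'denied'}")
```

The check deliberately compares against `base + os.sep` rather than `base` alone, so a sibling directory such as `share2` is not mistaken for a path inside `share`; the `candidate == base` case keeps a request for the base directory itself valid.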
Serpent: new backdoor targeting French organisations
Researchers at Proofpoint have discovered a new backdoor that reportedly targets French organisations in the construction and government sectors. The detected campaign uses macro-enabled Microsoft Word documents posing as GDPR-related information to distribute Chocolatey, a legitimate, open-source package installer that, after various stealth techniques such as steganography and a scheduled task bypass, would deploy the backdoor that Proofpoint has named “Serpent”. Once the infection chain is successfully completed, the attacker would be able to manage the target host from their Command & Control (C2) server, exfiltrate sensitive information or even distribute additional payloads. Proofpoint highlights the possibility that Serpent is an advanced, targeted threat, based on unusual behaviours such as its use of steganography, although there is currently no evidence to attribute it to any specific known group.
Critical vulnerabilities in HP printer models
HP has recently published two security bulletins reporting critical vulnerabilities affecting hundreds of the company’s LaserJet Pro, PageWide Pro, OfficeJet, Enterprise, Large Format and DeskJet printer models. First, on March 21st HP published a security advisory (HPSBPI03780) identifying a security flaw catalogued as CVE-2022-3942, CVSS 8.4. According to HP, this is a buffer overflow flaw that could lead to remote code execution. The second bulletin (HPSBPI03781) covers three other vulnerabilities, two of which are classified as critical, namely CVE-2022-24292 and CVE-2022-24293, CVSS 9.8. Exploitation of these vulnerabilities could allow malicious actors to cause information disclosure, remote code execution or denial of service. All of these security flaws were discovered by Trend Micro’s Zero Day Initiative team. It should be noted that HP has released firmware security updates for most of the affected products, although not all models are patched yet.
Spying campaign using new variant of Korplug malware
ESET security researchers have detected a malicious campaign that has been active for at least eight months and is distributing a new variant of the Korplug remote access trojan (RAT). According to the investigation, the malware is reportedly distributed by email, using lures tied to current events such as COVID-19 or to European institutional themes. Among the targets detected, ESET mentions European diplomats, internet service providers and research institutes in countries such as Greece, Cyprus and South Africa, among others. Korplug is a trojan previously associated with similar variants of the PlugX malware that, depending on the campaign or threat actor using it, can enumerate drives and directories, read and write files, execute commands on a hidden desktop, initiate remote sessions and communicate with the attackers’ Command & Control (C2) server. However, we do not rule out the possibility that Korplug is still under active development, with new stealth functionality being added. ESET attributes this campaign to the China-linked threat actor Mustang Panda (aka TA416), known to be primarily motivated by political espionage.
New North Korean APT campaigns exploiting a Chrome 0-day
Google researchers have identified new campaigns attributed to two North Korean-linked cybercriminal groups that reportedly exploited remote code execution vulnerabilities in Chrome. The activity of these groups has previously been referred to as Operation Dream Job on the one hand and Operation AppleJesus on the other. These APTs are said to have exploited the vulnerability CVE-2022-0609 for just over a month before the patch was made available on 14 February. The activity is said to have targeted US entities, including media outlets and organisations in the technology, cryptocurrency and financial technology sectors; however, it is possible that other sectors and geographies have also been targeted. The published analysis details the tactics, techniques and procedures (TTPs), indicators of compromise and details of the exploit used by the attackers, which could also be used by other groups linked to North Korea.
All of the details: https://blog.google/threat-analysis-group/countering-threats-north-korea/