Cyber Security Weekly Briefing, 7 — 14 October

Telefónica Tech    17 October, 2022
Phoro: Priscilla du Preez / Unsplash

Critical vulnerability in Fortinet 

Fortinet has issued a security advisory to its customers urging them to update their FortiGate firewalls and FortiProxy web proxy, in order to fix a critical authentication bypass vulnerability that could allow remote attackers to log into unpatched devices. The vulnerability has been identified as CVE-2022-40684.

The vulnerability has currently no CVSS criticality associated with it according to the vendor, although some researchers estimate that it could reach a score of 9.8.

The flaw resides in the administrative interface where, using alternative routes or channels in FortiOS and FortiProxy, an unauthenticated attacker could perform operations via specially crafted HTTP or HTTPS requests. The vulnerable versions are FortiOS 7.0.0 to 7.0.7, FortiOS 7.2.0 to 7.2.2 and FortiProxy 7.0.0 to 7.0.6 and 7.2.0, the vulnerability being fixed with the new versions FortiOS 7.2.1 y 7.2.2 and FortiProxy 7.2.1.

Also, in case it is not possible to implement these updates, Fortinet has recommended limiting the IP addresses that can reach the administrative interface through a local policy, and even disabling remote administration interfaces to ensure that potential attacks are blocked until the update can be implemented.

There are no reports of possible active exploitation of this flaw by threat actors so far, although according to the search engine Shodan, there are more than 100,000 FortiGate firewalls accessible from the Internet. 

More info → 

​ * * *

LofyGang focuses on supply chain attacks 

Researchers at Checkmarx have published a report on a threat actor focused on supply chain attacks, known as LofyGang.

According to Checkmarx, the group’s latest campaign since 2021 is reportedly focused on infecting open-source software supply chains with malicious NPM packages.

The attackers’ objectives would be focused on obtaining credit card information, or stealing user accounts, including premium accounts for Discord, or services such as Disney+ or Minecraft, among others. In executing the attacks, they use all kinds of TTPs, including typosquatting, targeting typos in the supply chain, or “StarJacking”, linking the URL of the legitimate package to an unrelated GitHub repository.

The group, which is believed to be of Brazilian attribution, communicates mainly via Discord. They also have a YouTube channel and contribute to several underground forums under the nickname DyPolarLofy, promoting their tools and selling the credentials they have obtained.

On the other hand, the group has a GitHub where they offer their open-source repositories offering tools and bots for Discord. It is worth noting that the Checkmarx researchers have created a website to keep track of updates on their findings and a repository of the malicious packages discovered so far. 

More info →  

​ * * *

Emotet resurfaces with new evasion mechanisms 

Researchers at VMware Threat Analysis Unit have published a report analysing the resurrection of the group behind the Emotet malware-as-a-service (MaaS), known as Mummy Spider, MealyBug or TA542.

This new resurgence of the malware comes on the heels of its dismantling by international law enforcement in January 2021. Researchers analysed data from spam emails, URLs and attachments collected from campaigns earlier this year, concluding that Emotet botnets are constantly evolving to make detection and blocking by defence teams more difficult.

They do this by hiding their configurations, creating more complex execution chains and constantly modifying their command and control (C2) infrastructure. In addition, they have expanded and improved their credit card theft capabilities and their mechanism for lateral propagation.

The distribution of the malware is based on mass mailings of emails with malicious links or attachments. 

More info → 

​ * * *

Microsoft fixes 84 vulnerabilities in its Patch Tuesday, including two 0-day vulnerabilities 

Microsoft has fixed 84 vulnerabilities in its October Patch Tuesday, including two 0-day vulnerabilities. One of them actively exploited, and 13 critical flaws that would allow privilege escalation, impersonation or remote code execution.

The actively exploited 0-day, identified as CVE-2022-41033 and CVSS 6.8, was discovered by an anonymous researcher and affects the Windows COM+ event system service, allowing an attacker to gain system privileges. On the other hand, the second 0-day, which, according to Microsoft, has only been publicly disclosed, has been catalogued as CVE-2022-41043 and with a temporary CVSS of 2.9.

In this case, the bug consists of an information disclosure vulnerability in Microsoft Office that could allow an attacker to gain access to user authentication tokens.

Regarding the other two recently known 0-days in the Exchange server (CVE-2022-41040 and CVE-2022-41082), Microsoft clarifies that it has not yet released security updates to address them and refers to its 30 September release, which includes guidance on how to apply mitigations for these vulnerabilities. 

More info

​ * * *

Alchimist: new attack framework targeting Windows, Linux and macOS 

Cisco Talos researchers have discovered a new attack tool, with command and control (C2) capabilities, designed to target Windows, Linux and macOS systems.

Named “Alchimist”, the Cisco release notes that all of the tool’s files are 64-bit executables and are developed in the GoLang programming language, features that facilitate compatibility with different operating systems.

Its operation is based on a web interface that allows it to generate and configure payloads deployed on infected devices to take screenshots, launch arbitrary commands and even execute code remotely.

In addition, Alchimist is able to introduce a new remote access Trojan (RAT) called “Insekt” via PowerShell code for Windows, wget for Linux systems and, in the case of macOS, replaced by a privilege escalation exploit (CVE-2021-4034) in Polkit’s pkexec utility.

Once implemented, the Trojan will establish communication with the attackers’ C2 infrastructure via the Alchimist interface and different communication protocols such as TLS, SNI, WSS/WS, its main purposes being information gathering and command execution. 

More info

Leave a Reply

Your email address will not be published.