4 August 2023

Cyber Security Week in Review: August 4, 2023

A 2018 Fortinet bug displaces Log4Shell at the top of the list of the most exploited flaws in 2022

CISA, the NSA, the FBI, and Five Eyes cybersecurity authorities released a list of the 12 most exploited vulnerabilities of 2022. The Fortinet SSL VPN vulnerability (CVE-2018-13379) is said to have been the most routinely exploited bug last year, followed by the ProxyShell bugs (CVE-2021-34473, CVE-2021-31207, CVE-2021-34523) and the CVE-2021-40539 flaw in Zoho ADSelfService Plus. The full list of the most exploited bugs in 2022 is available here.

Over 40% of zero-days discovered in 2022 were variants of previously disclosed bugs

Forty-one actively exploited zero-day vulnerabilities were detected and disclosed in 2022, down from 69 zero-days in 2021, according to Google’s fourth annual review of zero-day flaws exploited in the wild. The report says that more than 40% of the zero-day vulnerabilities discovered in 2022 were variants of previously disclosed flaws, including seven from 2021 and one from 2020.

Google also reported a 42% decline in the number of detected in-the-wild zero-days targeting browsers from 2021 to 2022, dropping from 26 to 15. The researchers believe this is a result of browser makers’ efforts to make exploitation more difficult, as well as a shift in attacker behavior away from browsers towards zero-click exploits that target other components on the device.

Cybersecurity authorities share more details on Ivanti hacks

CISA and the Norwegian National Cyber Security Centre (NCSC-NO) published a joint security advisory providing more details on two zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) product that were exploited in the recent attacks on the Norwegian government.

The two agencies say that an unnamed threat actor has exploited CVE-2023-35078 since at least April this year. To gain initial access to EPMM devices, the hackers compromised small office/home office (SOHO) routers, including ASUS routers.

In related news, Ivanti released security updates to address two more bugs in its EPMM (formerly MobileIron Core) product. The first is CVE-2023-35081, a path traversal issue caused by an input validation error when processing directory traversal sequences. A remote privileged user can send a specially crafted HTTP request to overwrite arbitrary files and compromise the affected system.

The vulnerability impacts all supported versions (11.10, 11.9 and 11.8); older versions and releases are also at risk.

The second Ivanti vulnerability disclosed this week is tracked as CVE-2023-35082 and is described as a remote unauthenticated API access vulnerability in MobileIron Core 11.2 and older. If exploited, it allows an attacker to bypass the authentication process and gain unauthorized access to the application. This bug is linked to the CVE-2023-35078 flaw exploited in the attacks on the Norwegian government.

Hundreds of Citrix endpoints compromised with web shells

Nearly 600 Citrix NetScaler ADC and Gateway servers have been compromised by threat actors to deploy web shells, according to the Shadowserver Foundation’s stats. The attacks abuse CVE-2023-3519, a code injection vulnerability in Citrix NetScaler ADC and NetScaler Gateway products. The majority of the compromised servers are located in Germany, France, and Switzerland.

Salesforce email zero-day flaw exploited in targeted Facebook attacks

Guardio Labs researchers shared details of a sophisticated phishing campaign that took advantage of a zero-day in Salesforce email services and SMTP servers to target valuable Facebook accounts.

Dubbed “PhishForce,” the flaw was used to conceal malicious email traffic in Salesforce’s legitimate email gateway services. The hackers exploited Salesforce’s “Email-To-Case” feature, which is designed to convert customer inbound emails into tickets, allowing them to receive verification emails and gain control of a genuine @salesforce.com email address for their malicious phishing activities.

Hackers deployed a new Submarine backdoor on compromised Barracuda servers

CISA released technical details and Indicators of Compromise related to three different malware families deployed by hackers on compromised Barracuda Email Security Gateway (ESG) appliances: Barracuda Exploit Payload and Backdoor, SEASPY and Submarine.

CISA describes Submarine as a “novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance.” The malware comprises multiple artifacts, including a SQL trigger, shell scripts, and a loaded library for a Linux daemon, that together enable execution with root privileges, persistence, command and control, and cleanup.

EU sanctions entities spreading Russian propaganda

The European Union imposed new sanctions on seven Russian individuals and five organizations involved in a disinformation campaign called RRN (Recent Reliable News) aimed at disseminating pro-Russian disinformation about Russia’s invasion of Ukraine.

The campaign involved spreading pro-Russian narratives through fake websites masquerading as famous European media and government portals, as well as social media accounts.

New P2Pinfect botnet malware targets Redis servers

A novel strain of malware has been observed targeting vulnerable Redis servers to ensnare them into a botnet. Dubbed “P2Pinfect” by its developers, the malware is a peer-to-peer self-replicating worm that comes in versions for both Windows and Linux.

The worm uses a number of known Redis exploitation methods for initial access, according to researchers with Cado Security. In the observed attack, a threat actor breached Cado’s honeypot infrastructure by exploiting the replication feature in Redis.

Ukrainian police shutter shadow money exchanges used by hackers

The Security Service of Ukraine has dismantled an illicit financial network operating across the country that facilitated anonymous money transfers between Ukraine and Russia. The network used Russian payment systems banned in Ukraine such as WebMoney and YooMoney, as well as cryptocurrency exchanges to convert Russian rubles into Ukrainian hryvnia. Exchanges received funds in the form of cryptocurrency converted from rubles.

The monthly turnover of the network was over $1 million, the security agency said.

SpyNote Android malware targets financial institutions

An Android banking trojan called “SpyNote” is targeting European customers of various banks as part of an extensive campaign observed in June and July 2023. While SpyNote is spyware, it is also capable of performing bank fraud due to its diverse functions.

The malware is distributed via email phishing or smishing campaigns, and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attacks.

India-linked Patchwork APT targets Chinese research orgs with EyeShell backdoor

The India-based threat actor known as Patchwork APT has been observed targeting universities and research organizations in China with a new backdoor called “EyeShell.” EyeShell is a .NET-based modular backdoor that is able to establish contact with a remote command-and-control (C2) server and execute commands to enumerate files and directories, download/upload files to and from the host, execute a specified file, delete files, and capture screenshots.

Iranian ISP suspected of aiding cybercriminals and nation-state hackers

Iranian internet service provider Cloudzy is reportedly providing infrastructure services to cybercriminals, including ransomware gangs, and at least 17 different state-backed hacking groups from China, Russia, Iran, North Korea, India, Pakistan and Vietnam. Although Cloudzy is registered in the United States, the researchers believe that it is operated out of Tehran, Iran, by an individual named Hassan Nozari likely in violation of US sanctions on Iran.

The company acts as a command-and-control provider (C2P), which supplies attackers with Remote Desktop Protocol (RDP) virtual private servers and other anonymized services. The researchers estimated that between 40% and 60% of the servers hosted by Cloudzy appear to directly support potentially malicious activity.

Russian hackers abuse Microsoft Teams for credential theft

A Russian state-backed hacking group has been caught abusing the Microsoft Teams chat app to steal credentials from targeted organizations. Microsoft’s Threat Intelligence team has linked the attacks to a threat actor it tracks as Midnight Blizzard (more commonly known as Nobelium, Cozy Bear, UNC2452 or APT29).

In the recent cyber-espionage campaign, the threat actor has been observed using previously hacked Microsoft 365 accounts owned by small businesses to create new domains that appear to be technical support entities. These domains were then used to send phishing messages aimed at stealing credentials from a targeted organization. Microsoft estimated that the attacks impacted fewer than 40 organizations globally.

Russia-linked BlueCharlie APT evolves tactics as it adapts to public disclosures

A Russia-linked threat group known as BlueCharlie, Callisto, Coldriver, Star Blizzard or Seaborgium has created roughly 100 new domains since March 2023, indicating that the group is swiftly adapting its infrastructure in response to public disclosures. Recorded Future’s Insikt Group has observed BlueCharlie building new infrastructure for likely use in phishing campaigns and/or credential harvesting, which consists of 94 new domains.

Since mid-December 2022, the threat actor has changed its Tactics, Techniques and Procedures (TTPs) following the reports exposing its cyber activities. More specifically, the group changed the naming pattern for its domains using domain-naming themes related to information technology and cryptocurrency.

Canon warns customers to reset Wi-Fi settings before discarding printers

Printer maker Canon has warned its customers that sensitive Wi-Fi settings on its printers are not automatically deleted during resets. Users are advised to manually delete Wi-Fi settings before discarding, selling, or getting their printers repaired to minimize security and privacy risk.
