At a glance.
- ICS advisory for 10 Mitsubishi Electric automation products.
- CISA added three exploited vulnerabilities to its catalog.
- ViperSoftX info-stealer now targets password managers as well as crypto wallets.
- LOBSHOT, a cryptowallet stealer abusing Google Ads.
- Known CCTV vulnerability is currently being exploited.
- FDA warns of vulnerability affecting biomedical devices.
CISA releases ICS advisory for 10 Mitsubishi Electric automation products.
CISA released an ICS advisory for 10 Mitsubishi Electric factory automation products today, stating “Successful exploitation of these vulnerabilities could allow a malicious attacker to escalate privileges, disclose parameter information in the affected products, and cause a denial-of-service condition.” CISA rates the worst-case exploitation scenario at a CVSS score of 8.8. At the time of writing there are no known campaigns exploiting these vulnerabilities. Exploitation would require physical access, so Mitsubishi recommends that users restrict access to the products to authorized individuals. Additionally, CISA recommends the following:
- “Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.”
Affected products (all versions):
- MI5122-VM
- MI1002-W
- MI2012-W
- MI3321G-W
- MI3315G-W
- R102WCPU-W
- Q24DHCCPU-V
- Q24DHCCPU-VG
- Q24DHCCPU-LS
- Q26DHCCPU-LS
CISA added three exploited vulnerabilities to its catalog.
Yesterday CISA added three vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2023-1389, a TP-Link Archer AX-21 command injection vulnerability; CVE-2021-45046, an Apache Log4j2 deserialization of untrusted data vulnerability; and CVE-2023-21839, an Oracle WebLogic Server unspecified vulnerability. CVE-2021-45046 was given a CVSS score of 9.0 (critical) and, as Apache Logging Services reports, “It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.” CVE-2023-1389 and CVE-2023-21839 were both rated high severity.
ViperSoftX info-stealer now targets password managers as well as crypto wallets.
BleepingComputer reported Friday that the ViperSoftX info-stealing malware, which has historically focused on cryptowallets, has recently been observed targeting password managers: “A new version of the ViperSoftX information-stealing malware has been discovered with a broader range of targets, including targeting the KeePass and 1Password password managers.” Researchers at Trend Micro discovered a new version of the malware that has been updated to check for the KeePass 2 and 1Password password managers, writing, “Noting the malware’s capability to scan KeePass, we looked into the possible abuse of the KeePass security gap CVE-2023-24055, which forces the application to dump stored passwords in plain text (a feature already disabled in recent patches and versions).” The developers typically hide the malware in a “legitimate” key generator used to crack software, so that the user can avoid paying a licensed seller. Trend Micro notes that it was surprised by the number of enterprise victims observed (nearly 40% of all victims), which it attributes to companies trying to cut corners and save on their budgets. Consumer victims are mainly based in Australia, Japan and the US, while enterprise victims tend to be based in India, Pakistan and the Philippines. Experts recommend purchasing and downloading software from reputable sellers rather than downloading cracked programs from the internet to avoid licensing costs; in the end, an infection may cost significantly more than the program itself.
LOBSHOT, a cryptowallet stealer abusing Google Ads.
Elastic Security Labs reports a new trend of Google Ads-based malware that uses “an elaborate scheme of fake websites through Google Ads and embedding backdoors in what appears to users as legitimate installers.” Elastic Security calls this malware strain “LOBSHOT” and describes it as having hidden virtual network computing (hVNC) capability, which allows LOBSHOT to operate on the host without being noticed by the user. Researchers attribute this campaign to the Russian cybercrime group TA505, “a well-known cybercrime group associated with Dridex, Locky, and Necurs campaigns.” LOBSHOT is used to steal financial data, specifically going after Chrome extensions associated with cryptowallets. It also appears able to target Edge and Firefox wallet extensions.
As SecurityWeek reported, “the malware allows attackers to bypass fraud detection engines and provides them with stealthy, direct access to the infected machines.” Elastic Security explains that it does this by performing a Windows Defender anti-emulation check. The malware verifies “if the string [matches] HAL9TH and if the username matches JohnDoe. These are hard-coded values within the emulation layer of Defender; if they are present, the malware immediately stops running.” The malware comes with a built-in GUI that allows attackers to execute specific commands quickly, such as modifying sound settings, starting browsers, and using the infected machine’s clipboard (presumably to obtain or modify copied wallet addresses).
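A defender-side YARA rule built from the two hard-coded emulator values named above, added here as an illustration and not taken from the Elastic Security report; the rule name and metadata are assumptions, and the rule flags any PE file carrying both strings, so it is a hunting aid rather than a LOBSHOT-specific signature:

```yara
rule Suspected_Defender_Emulation_Check_HAL9TH_JohnDoe
{
    meta:
        description = "Hunting rule (constructed example): PE containing both Defender emulator markers HAL9TH and JohnDoe"
        reference   = "Anti-emulation check described in Elastic Security Labs' LOBSHOT report"
        confidence  = "low - other samples and some legitimate tooling also reference these strings; triage hits"

    strings:
        // Computer name used inside the Defender emulation layer (ASCII and UTF-16)
        $computer = "HAL9TH" ascii wide nocase
        // User name used inside the Defender emulation layer (ASCII and UTF-16)
        $user     = "JohnDoe" ascii wide nocase

    condition:
        // 'MZ' header: only consider Windows executables
        uint16(0) == 0x5A4D and all of them
}
```

Run it over quarantined installers or suspicious downloads with `yara -r <rulefile> <directory>`; a hit shows the sample checks for Defender's emulator and warrants sandbox analysis with those markers removed.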
Known CCTV vulnerability is currently being exploited.
FortiGuard Labs is monitoring a spike in the exploitation of a Digital Video Recorder (DVR) authentication bypass vulnerability (CVE-2018-9995) in TBK Vision systems. (Many of those systems are white-badged and sold under other vendors' brands.) The researchers observed over 50,000 unique IPS detections in the month of April. FortiGuard describes the vulnerability as “an authentication bypass vulnerability that affects DVR4104 and DVR4216 Digital Video Recorder devices manufactured by TBK. The vulnerability is due to an error in the vulnerable application when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this to bypass authentication and obtain administrative access.” The vulnerability has a CVSS score of 9.8, which marks it as critical. It was first discovered in 2018, and no patch has so far been issued. SecurityWeek writes, “Organizations are advised to review the CCTV cameras, DVRs, and related equipment they are using and remove any vulnerable models from their environments or ensure that they are protected by a firewall and not directly accessible from the internet.”
FDA warns of vulnerability affecting biomedical devices.
The US Food and Drug Administration (FDA) is warning healthcare providers of a vulnerability affecting the Universal Copy Service (UCS) software in a number of Illumina devices. The vulnerability affects a range of instruments used primarily for sequencing DNA, both to diagnose potential genetic medical conditions and for research. The FDA lists the affected devices, which include “Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 sequencing instruments.” The vulnerability could allow an unauthorized user to remotely take control of an instrument; alter its settings, configuration, software, or data; and alter genomic data outcomes so that they show no results at all, or an incorrect or altered version of the results. The FDA reports that on April 5 of this year Illumina notified affected parties of the vulnerability and advised them to check the relevant devices for signs of exploitation. No exploitation has so far been reported. Illumina’s chief technology officer, Alex Aravanis, wrote in a LinkedIn post that the company has developed a software update for the vulnerability, which he says will be free and require “little to no downtime for most.” For more on this vulnerability and its mitigation, see CyberWire Pro.
FIN7 used CVE-2023-27532 to attack Veeam servers and steal credentials.
WithSecure Intelligence reported on 26 April that the Russian cybercrime group FIN7 was likely behind attacks on Veeam Backup and Replication servers. The gang stole credentials using a custom PowerShell script not previously associated with FIN7. “Our research indicates with high confidence that the intrusion set used in these attacks is consistent with activities attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.” WithSecure Intelligence noted some uncertainty about how the threat actor gained access, but said the servers had not been patched against CVE-2023-27532. WithSecure Intelligence concluded:
“WithSecure Intelligence has so far identified two instances of such attacks conducted by FIN7. As the initial activity across both instances were initiated from the same public IP address on the same day, it is likely that these incidents were part of a larger campaign. However, given the probable rarity of Veeam backup servers with TCP port 9401 publicly exposed, we believe the scope of this attack is limited.
“Nonetheless, we advise affected companies to follow the recommendations and guidelines to patch and configure their backup servers appropriately as outlined in KB4424: CVE-2023-27532. The information in this report as well as our IOCs GitHub repository can also help organizations look for signs of compromise.”