Weekly Cyber Reports

This Week in Cyber 10th March 2023

Latest news & views from our Cyber Analysts

Written by

Team Nucleus

Written on

10th March, 2023


LastPass Breach Caused by Unpatched Software

The latest LastPass breach looks to have been caused by an outdated, vulnerable version of the Plex Media Server software running on an employee's home computer. The flaw allowed the attackers to execute code on the engineer's computer, steal their credentials, and breach the password management service's cloud storage environment. The breach resulted in the theft of partially encrypted password vault data and customer information. This really highlights the importance of ensuring that devices used to access company data are properly managed, patched and configured.

New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access

Fortinet has released patches to fix 15 security vulnerabilities, including a critical flaw (CVE-2023-25610) in FortiOS and FortiProxy that could allow a remote attacker to take control of affected systems. This vulnerability is rated 9.3 out of 10 for severity and could allow an attacker to execute arbitrary code on the device and/or perform a DoS on the GUI. Fortinet recommends disabling the HTTP/HTTPS administrative interface or limiting IP addresses that can reach it as workarounds until the patches can be applied. The vulnerability affects various versions of FortiOS and FortiProxy, and fixes are available for download. It's worth noting that the vulnerability (CVE-2023-25610) was internally discovered and reported by Fortinet's security teams, and the company has stated that it is not aware of any malicious exploitation attempts against the flaw. However, given the severity of the vulnerability and the potential for it to be exploited, users should apply the patches as soon as possible.

Veeam Urges Customers to Patch Now

A security flaw tracked as CVE-2023-27532, reported by a security researcher in mid-February, allows an unauthenticated attacker within the backup network to obtain encrypted credentials stored within the system configuration. This could result in an attacker gaining access to the backup hosts themselves. The company has released patches for the vulnerability, which affects all Veeam Backup & Replication (VBR) versions.

New Malware Targets SonicWall SMA Devices

SonicWall and Mandiant have released details of a hacking campaign targeting SonicWall SMA appliances which installs custom malware designed to steal user credentials and provide shell-level access to attackers. There are signs that the malware could have been in existence since 2021, and it is designed to persist through any firmware updates carried out. A new firmware release containing many new security-related features, including FIM (File Integrity Monitoring) and anomalous process identification, will help to detect and stop the threat. See the SonicWall website for more information.

IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks

IceFire, a ransomware previously known only to target Windows, has started targeting Linux enterprise networks belonging to several media and entertainment sector organizations worldwide. The ransomware is exploiting a recently disclosed deserialization vulnerability (CVE-2022-47986) in IBM Aspera Faspex file-sharing software. SentinelOne has reported that the majority of attacks have been directed against companies located in Turkey, Iran, Pakistan, and the U.A.E., all countries not typically targeted by organized ransomware groups. The ransomware binary targeting Linux is a 64-bit ELF file, and it is capable of avoiding encrypting certain paths so that the infected machine continues to be operational.
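The Faspex flaw above belongs to the deserialization class, where a parser is allowed to reconstruct arbitrary objects from attacker-controlled input. The added example below is not Faspex code (Faspex is not a Python application) and is a generic illustration of the defensive pattern: an unpickler that resolves only allow-listed classes and rejects everything else. The allow-list contents and the sample payloads are constructed for the demonstration.

```python
import collections
import datetime
import io
import pickle

# Constructed allow-list of (module, name) pairs the unpickler may resolve.
# Anything else, including any callable, is refused before it is instantiated.
SAFE_GLOBALS = {
    ("datetime", "date"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve globals outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is not allowed")


def restricted_loads(data):
    """Deserialize untrusted bytes with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ('ok', obj) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def demo():
    # Constructed payloads standing in for data arriving over the network.
    plain = pickle.dumps({"user": "alice", "expires": datetime.date(2023, 3, 10)})
    # OrderedDict is harmless, but it is outside the allow-list, so the
    # same mechanism that would block a dangerous class blocks it too.
    not_listed = pickle.dumps(collections.OrderedDict(a=1))
    return {
        "plain": try_load(plain),
        "not_listed": try_load(not_listed),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The same idea applies to any object-graph format (Ruby YAML, Java serialization, PHP `unserialize`): the only robust fix is to never let the parser resolve class names from the input, either by allow-listing as above or by switching to a data-only format such as JSON with explicit schema validation.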

Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

Cloud security firm Aqua has disclosed two severe vulnerabilities in the open-source automation server Jenkins that could result in code execution on targeted systems. The vulnerabilities, collectively named CorePlague, impact the Jenkins server and Update Center and could allow unauthenticated attackers to execute arbitrary code on the victim's server. The flaws are a result of how Jenkins processes plugins available from the Update Center, which could enable a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack. All Jenkins versions prior to 2.319.2 are affected by the vulnerabilities.

