Home > News > The main attacks and vulnerabilities found by our experts last week: 9th — 16th September
Here are the most relevant headlines of the week, take note and keep informed of all the details:
Researcher Jeff White from Unit 42 in Palo Alto has published the results of his recent analysis on the OriginLogger keylogger, which is the heir to Agent Tesla.
Used to steal credentials, screenshots, and all kinds of device information, and it is for sale on sites that specialize in spreading malware.
Its infection chain is initiated through different types of droppers, but usually a Microsoft Office document with malicious macros, which redirect to a page from which a file with an obfuscated script is downloaded, used at the same time for downloading a payload that will be used to create persistence and schedule different tasks.
Microsoft has fixed 63 vulnerabilities in its September Patch Tuesday, including two 0-days, one actively exploited, and another five critical flaws that would allow remote code execution.
The actively exploited 0-day, identified as CVE-2022-37969 and CVSS 7.8, was discovered by researchers from DBAPPSecurity, Mandiant, CrowdStrike, and Zscaler and affects the Common Log File System (CLFS), allowing an attacker to gain system privileges.
The second 0-day that has not been exploited is listed as CVE-2022-23960 and with CVSS 5.6, and it refers to a cache speculation restriction vulnerability.
Symantec’s threat research team published a post yesterday detailing the activities of a group called Webworm, which reportedly has the same TTPs and devices in use as the threat actor known as Space Pirates, leading researchers to believe they could be the same group.
The group has been active since 2017 and has been engaged in attacks and espionage campaigns against government agencies and companies in the IT, aerospace, and energy sectors, especially in Asian countries.
Cofense researchers have analyzed a phishing campaign distributed by email, in which the attachment contains a script that downloads and executes the Lampion malware.
This malware, discovered in 2019, corresponds to a banking trojan that seeks to steal information from the infected device. It connects to its command-and-control (C2) server and can superimpose a page on top of banking login forms to get the user’s information.
SAP has issued 16 security advisories on its September Security Patch Day, fixing 55 Chromium and other high-priority vulnerabilities.
First, SAP is issuing security updates for the Google Chromium browser that affect several versions of SAP Business Client. On the other hand, among the high priority vulnerabilities fixed is an XSS vulnerability affecting SAP Knowledge Warehouse, identified as CVE-2021-42063 and with CVSS 8.8.
Also among the most critical is CVE-2022-35292, with CVSS of 7.8, which affects the service path in SAP Business One and would allow privilege escalation to SYSTEM.
The second priority note corresponds to the SAP BusinessObjects service, affected with two vulnerabilities, one of them, with CVE-2022-39014 and CVSS 7.7, would make it possible for an attacker to gain access to unencrypted confidential information; while the other vulnerability, designated with CVE-2022-28214 and CVSS 7.8, corrects for the possibility of information disclosure in the service.