The main attacks and vulnerabilities found by our experts last week: July 30th - August 5th

Our weekly report covers the main attacks and vulnerabilities found by our teams of experts.

Here are the most relevant headlines of the week. Take note and keep informed of all the details:

VMware critical security advisory

VMware has published a critical security advisory (VMSA-2022-0021) reporting ten recently detected and patched vulnerabilities:

  • It includes a critical vulnerability discovered by VNG Security researcher Petrus Viet and listed as CVE-2022-31656 with a CVSSv3 score of 9.8. It is an authentication bypass vulnerability that affects local domain users and could allow an unauthenticated attacker to gain administrator privileges.
  • Of the remaining vulnerabilities, six have been cataloged with “significant” risk (CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665) and three with “moderate” risk (CVE-2022-31657, CVE-2022-31662, CVE-2022-31663). They include remote code execution, privilege escalation and cross-site scripting (XSS) bugs, among others.

More info: https://www.vmware.com/security/advisories/VMSA-2022-0021.html

Possible link between Raspberry Robin malware and Evil Corp infections

The Microsoft Threat Intelligence Center (MSTIC) team has published new information about the Raspberry Robin malware, first detected by the Red Canary team in September 2021.

  • The primary method of spread associated with this family: via infected USB devices.
  • Main features: using QNAP NAS devices as Command & Control (C2) servers.

More info: https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0206-DEV-0243

RapperBot: new botnet targeting Linux systems

Fortinet security researchers have discovered a new botnet, called RapperBot, that specifically targets Linux systems.

  • It is reportedly based on the original source code of the Mirai botnet, but is notable for having unique features that are rare in this type of malware, such as its own Command & Control (C2) protocol.
  • Unlike Mirai, RapperBot focuses on using brute-force techniques to access SSH servers instead of Telnet, trying lists of credentials that the malware downloads from its own resources. If it succeeds in gaining access to the server, the bot adds a new SSH key and creates a cron task that re-adds the user every hour in case an administrator discovers the account and deletes it.

More info: https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery

Vulnerabilities in Apache HTTP Server

Multiple vulnerabilities have been discovered in Apache HTTP Server affecting versions prior to 2.4.54. A remote attacker could exploit some of these vulnerabilities to trigger a denial-of-service condition, disclosure of confidential information, cross-site scripting (XSS), or circumvention of security restrictions on the target system. The vulnerability cataloged as CVE-2022-31813 [1] stands out for its CVSSv3 score of 9.8. Its exploitation would allow the evasion of IP-based authentication controls because, under certain conditions, X-Forwarded-* headers are not sent.

More info: https://httpd.apache.org/security/vulnerabilities_24.html 
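
The fail-open pattern that makes a missing X-Forwarded-* header dangerous on the origin server, next to a fail-closed version. This is an added example, not code from Apache or the advisory; the proxy address, allowed ranges, function names and sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions for illustration: the reverse proxy runs on the same host and
# internal clients live in 10.0.0.0/8. Header keys are already normalised.
TRUSTED_PROXIES = {"127.0.0.1"}
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

def is_allowed(ip_text):
    """True if ip_text parses and falls inside an allowed range."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except (ValueError, AttributeError):
        return False
    return any(ip in net for net in ALLOWED_NETS)

def client_ip_fail_open(peer_ip, headers):
    """Weak: with no X-Forwarded-For, the proxy's own address becomes the client."""
    xff = headers.get("X-Forwarded-For")
    if peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1]   # rightmost entry is the one the proxy added
    return peer_ip

def client_ip_fail_closed(peer_ip, headers):
    """Hardened: a proxied request without the header has no known client."""
    xff = headers.get("X-Forwarded-For")
    if peer_ip in TRUSTED_PROXIES:
        return xff.split(",")[-1] if xff else None
    return peer_ip                  # direct connection: ignore forwarded headers

def authorize(resolver, peer_ip, headers):
    return is_allowed(resolver(peer_ip, headers))

# Constructed sample requests as the origin server sees them: (peer, headers).
SAMPLES = {
    "external via proxy": ("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"}),
    "internal via proxy": ("127.0.0.1", {"X-Forwarded-For": "10.1.2.3"}),
    "proxied, header missing": ("127.0.0.1", {}),
}

def compare():
    """Map each sample to (fail_open_decision, fail_closed_decision)."""
    return {name: (authorize(client_ip_fail_open, *req),
                   authorize(client_ip_fail_closed, *req))
            for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```

Only the third sample differs between the two resolvers: the fail-open version grants access because the request appears to come from the proxy's own address, while the fail-closed version denies it.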

Remote code execution vulnerability in DrayTek routers

An important remote code execution vulnerability affecting DrayTek routers has been detected by the Trellix Threat Labs team.

Exploitation of the vulnerability, tracked as CVE-2022-32548 (CVSSv3 10.0) [1], would allow attacks that do not require user interaction, as long as the device’s management interface is configured for network services. If successful, the attacker would gain access to the device’s internal resources, completely compromise the device, and even launch attacks within the LAN from the device’s own default configuration.

More info: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html

Here you have the full report of these attacks and vulnerabilities and direct links for more information.
