Here are the most relevant headlines of the week; take note and stay informed of all the details:
VMware critical security advisory
VMware has published a critical security advisory (VMSA-2022-0021) reporting ten recently detected and patched vulnerabilities:
- Included is a critical vulnerability discovered by VNG Security researcher Petrus Viet and tracked as CVE-2022-31656, with a CVSSv3 score of 9.8. It is an authentication bypass affecting local domain users that could allow an unauthenticated attacker to gain administrator privileges.
- The remaining vulnerabilities: six have been cataloged as “significant” risk (CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665) and three as “moderate” risk (CVE-2022-31657, CVE-2022-31662, CVE-2022-31663); they include remote code execution, privilege escalation and cross-site scripting (XSS) bugs, among others.
More info: https://www.vmware.com/security/advisories/VMSA-2022-0021.html
Possible link between Raspberry Robin malware and Evil Corp infections
The Microsoft Threat Intelligence Center (MSTIC) team has published new information about the Raspberry Robin malware, first detected by the Red Canary team in September 2021.
- Primary method of spread associated with this family: infected USB devices.
- Main feature: the use of QNAP NAS devices as Command & Control (C2) servers.
More info: https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0206-DEV-0243
RapperBot: new botnet targeting Linux systems
Fortinet security researchers have discovered a new botnet, called RapperBot, that specifically targets Linux systems.
- It is reportedly based on the original Mirai botnet source code, but is notable for unique features that are rare in this type of malware, such as its own Command & Control (C2) protocol.
- Unlike Mirai, RapperBot focuses on brute-forcing SSH servers instead of Telnet, trying lists of credentials that the malware downloads from its own resources. If it gains access to a server, the bot adds a new SSH key and creates a cron task that re-adds the user every hour, in case an administrator discovers the account and deletes it.
More info: https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
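As an added detection example (not code from the Fortinet report or from this post), the following Python script hunts for the two behaviours described above: an SSH password brute force that ends in a successful login, and an hourly cron job that re-creates a user or re-adds an SSH key. Every log line, IP address and cron entry is constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not real data): three failures then a success from one IP.
AUTH_LOG = """\
Aug  8 10:01:02 host sshd[111]: Failed password for root from 203.0.113.7 port 4001 ssh2
Aug  8 10:01:03 host sshd[112]: Failed password for admin from 203.0.113.7 port 4002 ssh2
Aug  8 10:01:04 host sshd[113]: Failed password for root from 203.0.113.7 port 4003 ssh2
Aug  8 10:01:05 host sshd[114]: Accepted password for root from 203.0.113.7 port 4004 ssh2
Aug  8 10:02:00 host sshd[115]: Accepted publickey for alice from 198.51.100.9 port 5000 ssh2
"""

# Constructed system crontab lines; the second mimics an hourly "re-add the user" job.
CRONTAB = """\
0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf
0 * * * * root useradd -m suhelper; echo 'ssh-rsa AAAA... bot' >> /root/.ssh/authorized_keys
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (\S+) from (\S+)")

def brute_force_successes(log, threshold=3):
    """Return (ip, user, failures) for logins accepted after >= threshold failures."""
    failures = defaultdict(int)
    hits = []
    for line in log.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        result, _method, user, ip = m.groups()
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, user, failures[ip]))
    return hits

PERSIST_RE = re.compile(r"useradd|usermod|authorized_keys")

def suspicious_cron_entries(crontab):
    """Flag hourly jobs (fixed minute, hour field '*') that touch users or SSH keys."""
    flagged = []
    for line in crontab.splitlines():
        fields = line.split(None, 6)  # min hour dom mon dow user command
        if len(fields) < 7 or not fields[0].isdigit():
            continue
        if fields[1] == "*" and PERSIST_RE.search(fields[6]):
            flagged.append(fields[6])
    return flagged
```

Feed real `/var/log/auth.log` and `/etc/crontab` contents to the two functions to run the same checks on a live host.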
Vulnerabilities in Apache HTTP Server
Multiple vulnerabilities have been discovered in Apache HTTP Server affecting versions prior to 2.4.54. A remote attacker could exploit some of them to cause a denial of service, disclose confidential information, perform cross-site scripting (XSS), or bypass security restrictions on the target system. The vulnerability cataloged as CVE-2022-31813 stands out with a CVSSv3 score of 9.8: its exploitation would allow IP-based authentication controls to be evaded because, under certain conditions, the X-Forwarded-* headers are not sent.
More info: https://httpd.apache.org/security/vulnerabilities_24.html
Remote code execution vulnerability in DrayTek routers
An important remote code execution vulnerability affecting DrayTek routers has been detected by the Trellix Threat Labs team.
Exploitation of the vulnerability, tracked as CVE-2022-32548 (CVSSv3 10.0), would allow attacks that require no user interaction, provided the device's management interface is exposed to network services. If successful, the attacker would gain access to the device's internal resources, completely compromise the device, and could even launch attacks within the LAN from the device's own default configuration.
More info: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html
Here you have the full report of these attacks and vulnerabilities and direct links for more information.