Media Coverage

In-the-wild exploitation of a Fortinet FortiNAC vulnerability tracked as CVE-2022-39952 was seen just days after a patch was announced, and on the same day a proof-of-concept (PoC) exploit was made public. Fortinet published 40 security advisories on February 16, including one describing a critical vulnerability in the company’s FortiNAC network access control (NAC) solution. The security hole was discovered internally by Fortinet. The flaw, an external file name and path control issue, can be exploited by an unauthenticated attacker to write data on a system, which can result in arbitrary code execution.  On February 21, autonomous pentesting company Horizon3 released a blog post detailing how CVE-2022-39952 can be exploited and also released a PoC exploit. On the same day, the nonprofit cybersecurity organization Shadowserver warned that its honeypots had started seeing exploitation attempts coming from multiple IP addresses. Several Fortinet product vulnerabilities have been exploited in attacks in the past years. The US Cybersecurity and Infrastructure Security Agency (CISA) lists nine such flaws in its known exploited vulnerabilities catalog. The most recent is CVE-2022-42475, which has been leveraged by a China-linked threat actor in attacks aimed at government organizations in Europe.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of shortcomings is as follows –

• CVE-2022-47986 (CVSS score: 9.8) – IBM Aspera Faspex Code Execution Vulnerability
• CVE-2022-41223 (CVSS score: 6.8) – Mitel MiVoice Connect Code Injection Vulnerability
• CVE-2022-40765 (CVSS score: 6.8) – Mitel MiVoice Connect Command Injection Vulnerability

CVE-2022-47986 is described as a YAML deserialization flaw in the file transfer solution that could allow a remote attacker to execute code on the system.Details of the flaw and a proof-of-concept (PoC) were shared by Assetnote on February 2, a day after which the Shadowserver Foundation said it “picked up exploitation attempts” in the wild. CISA also added two flaws impacting Mitel MiVoice Connect (CVE-2022-41223 and CVE-2022-40765) that could permit an authenticated attacker with internal network access to execute arbitrary code.

Attackers are actively exploiting critical vulnerabilities in IBM Aspera Faspex and Mitel MiVoice Connect to attack organizations, the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security warns. This would include ransomware attacks. IBM Aspera Faspex is a web-based file exchange application running on an Aspera server. On January 26, IBM released a security update for a critical vulnerability in Aspera Faspex, identified as CVE-2022-47986 . By sending a specially crafted API call, an attacker can execute arbitrary code on the system. The impact of the vulnerability was rated on a scale of 1 to 10 with a 9.8. On February 13, the Shadowserver Foundation , a non-profit foundation registered in the Netherlands and the United States that fights botnets and cybercrime, reported that attackers are exploiting the vulnerability. The first detected attack attempts appeared to date from February 3, a week after the release of the security update. The CISA is now also reporting abuse of the Aspera leak. The US government agency also states that attackers are also exploiting two vulnerabilities in Mitel MiVoice Connect. These are CVE-2022-41223 and CVE-2022-40765 . Mitel MiVoice Connect is a voip platform for organizations that offers communication and collaboration tools through a single interface. The two Mitel vulnerabilities that the CISA is now warning of have also been found by CrowdStrike. 

ESXiArgs has turned into one of the highest-profile threat campaigns in recent memory, despite only having a moderate scale. ESXiArgs is the name of the ransomware campaign involving a series of attacks against servers with vulnerable instances of VMware ESXi. Initial attack reports came in early February, and an updated advisory from French cyber agency CERT-FR listed vulnerabilities CVE-2020-3992 and CVE-2021-21974 as possible attack vectors. Thousands of servers have apparently been infected by the ransomware so far.  The Shadowserver Foundation CEO Piotr Kijewski told TechTarget Editorial last week that ESXiArgs lacks the scale of Log4Shell and ProxyShell threats, but it has perhaps proven notable because it’s an enterprise-focused campaign that spread quickly. There are also looming questions about ESXiArgs’ attack vector and which threat actor — or actors — is behind the campaign.

Exploitation attempts targeting a critical-severity Oracle E-Business Suite vulnerability have been observed shortly after proof-of-concept (PoC) code was published. One of the major Oracle product lines, the E-Business Suite is a set of enterprise applications that help organizations automate processes such as supply chain management (SCM), enterprise resource planning (ERP), and customer relationship management (CRM). Tracked as CVE-2022-21587 (CVSS score of 9.8), the exploited flaw was identified in the Web Applications Desktop Integrator of Oracle’s enterprise product and was addressed as part of Oracle’s October 2022 Critical Patch Update. According to a NIST advisory, unauthenticated attackers with network access via HTTP can easily exploit the security defect to compromise the Web Applications Desktop Integrator and take it over. This week, CISA added CVE-2022-21587 to its Known Exploited Vulnerabilities (KEV) catalog, urging Oracle customers to apply the available patches as soon as possible. The first exploitation attempts, however, were observed on January 21, Shadowserver warned last week. “Since Jan 21st we are seeing exploitation attempts in our honeypot sensors for Oracle E-Business Suite CVE-2022-21587 (CVSS 9.8 RCE) shortly after a PoC was published, (by Viettel Cyber Security)” Shadowserver said. According to Shadowserver data, the number of observed exploitation attempts is currently low. However, threat actors are known to target unpatched Oracle products, and the number of attacks may increase shortly. This week, CISA also warned of observed exploitation of CVE-2023-22952, a high-severity remote code execution flaw in SugarCRM.

Shadowserver Foundation recently published scanning results for MySQL server instances on port 3306/TCP. Over 3.6 million MySQL servers were accessible worldwide. For almost all of these databases, there is no use case for the general public to access or even know these servers exist. We’re pretty certain that none of the 3.6 million had intentionally left their databases accessible, so here is a quick scan you can do, to check if your MySQL databases have their ports open.

Microsoft urged customers today to keep their on-premises Exchange servers patched by applying the latest supported Cumulative Update (CU) to have them always ready to deploy an emergency security update. “Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU.” Unfortunately, Exchange servers are highly sought-after targets, as evidenced by the FIN7 cybercrime group’s efforts to create a custom auto-attack platform dubbed Checkmarks specifically designed to help breach Exchange servers. Today’s warning comes after Microsoft also asked admins to continuously patch on-prem Exchange servers after issuing emergency out-of-band security updates to address the ProxyLogon vulnerabilities that were exploited in attacks two months before official patches were released. At least ten hacking groups were using ProxyLogon exploits in March 2021 for various purposes, one being a Chinese-sponsored threat group tracked by Microsoft as Hafnium. To show the massive number of organizations exposed to such attacks, the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 servers unpatched against the ProxyLogon bugs one week after Microsoft released security updates. More recently, in November 2022, Microsoft patched another set of Exchange bugs known as ProxyNotShell that allow privilege escalation and remote code execution on compromised servers two months after in-the-wild exploitation was first detected. Last but not least, CISA ordered federal agencies to patch a Microsoft Exchange bug dubbed OWASSRF and abused by the Play ransomware gang as a zero-day to bypass ProxyNotShell URL rewrite mitigations on unpatched servers belonging to Texas-based cloud computing provider Rackspace. To put things in perspective, earlier this month, security researchers at the Shadowserver Foundation found that over 60,000 Microsoft Exchange servers exposed online are still vulnerable to attacks leveraging ProxyNotShell exploits targeting the CVE-2022-41082 remote code execution (RCE) vulnerability.

A critical remote code execution (RCE) vulnerability affecting multiple Zoho ManageEngine products is now being exploited in attacks. The first exploitation attempts were observed by cybersecurity firm Rapid7 on Tuesday, two days before Horizon3 security researchers released public exploit code and in-depth technical analysis of the flaw.  “Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products,” the threat detection firm said. Rapid7 observed exploitation across organizations as early as January 17, 2023 (UTC).” This was confirmed by researchers at the Shadowserver Foundation, who said they are “picking up exploitation attempts from at least 10 IPs for CVE-2022-47966 unauthenticated RCE affecting multiple Zoho ManageEngine products (that have SAML SSO enabled).”

The Brazilian Hospital Services Company (Ebserh), which operates in the country’s 38 university hospitals, has joined a project that brings together several Latin American countries to collaborate on detecting cyber threats.  The initiative, initiated by the Ecuadorian Corporation for the Development of Research and Academia (CEDIA) and the Shadowserver Foundation, is deploying a network of sensors in Latin America and the Caribbean, using as a foundation the technology developed by Shadowserver to automate sensor deployments and the CEDIA’s experience as an IT Security Incident Response Center (CSIRT). This network provides a unique view of IoT threats in the region and, together with a communication campaign, will help reduce the number of infected devices. Data generated will be shared with 21 national CSIRTs and 235 network owners in the region, as well as a total of 109 national CSIRTs and more than 5,000 network owners worldwide via Shadowserver’s daily corrective action feeds. The project will take existing IoT-related open source honeypots and deploy them at scale using the Shadowserver framework. The project will be supported by a combination of paid VPS services and third-party donated nodes. At least 50 sensors will be placed in 15 countries.

Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks. An open-source web-based network monitoring and graphing tool that offers an operational monitoring and fault management framework, Cacti is a front-end application for the data logging utility RRDtool. In early December 2022, the tool’s maintainers announced patches for CVE-2022-46169, a critical-severity (CVSS score 9.8) command injection flaw that could allow unauthenticated attackers to execute code on the server running Cacti, if a specific data source was used. Cacti versions 1.2.23 and 1.3.0, released on December 5, include patches for this vulnerability. A few days after SonarSource published a technical analysis of CVE-2022-46169 on January 3, The Shadowserver Foundation warned that it had logged the first exploitation attempts targeting the security defect. “Using Cacti? We started to pick up exploitation attempts for Cacti unauthenticated remote command injection CVE-2022-46169 including subsequent malware download. These started Jan 3rd. Make sure to patch & not expose your Cacti instance to the Internet,” Shadowserver said. This week, attack surface management firm Censys revealed that, out of 6,400 internet-accessible Cacti hosts that it has identified, only 26 were running a patched version of the tool. Most of these servers are in Brazil, with Indonesia and the US rounding up the top three. With exploitation of this vulnerability underway, organizations are advised to update Cacti to a patched version as soon as possible.