July 14, 2023

Fortify Security Team
Jul 14, 2023

Title: Indexing Over 15 Million WordPress Websites with PWNPress
Date Published: July 14, 2023

https://securityaffairs.com/148465/hacking/pwnpress-platform.html

Excerpt: “Sicuranex’s PWNPress platform indexed over 15 million WordPress websites; it collects data related to vulnerabilities and misconfigurations. Leveraging the extensive Common Crawl dataset and pushing the boundaries of data analysis, cybersecurity firm Sicuranex successfully indexed over 15 million WordPress websites using the PWNPress service. This endeavor involved parsing the entire Web Archive Text (WAT) database, a massive 21 TiB repository, to identify WordPress installations worldwide. At PWNPress, we believe that data is the key to uncovering vulnerabilities and fortifying WordPress websites. To achieve this, our dedicated team meticulously compared the vast collection of WordPress installations with the comprehensive Common Vulnerabilities and Exposures (CVE) database. This exhaustive analysis encompassed WordPress core versions, plugin versions, PHP versions, and web server types, providing us with invaluable insights into potential security risks and vulnerabilities.”

Title: Chinese APT Favorite Backdoor Found in Pakistani Government App
Date Published: July 14, 2023

https://www.infosecurity-magazine.com/news/chinese-apt-backdoor-pakistani/

Excerpt: “Trend Micro has discovered a sample of Shadowpad, a sophisticated backdoor used by various Chinese-sponsored threat actors, in an application built by the National Information Technology Board (NITB), a Pakistani government entity. In research published on July 14, 2023, Daniel Lunghi and Ziv Chang, two threat analysts working for the Japanese cybersecurity provider, analyzed the Microsoft Windows installer of E-Office, an e-administration application developed by the NITB and exclusively used by Pakistani government organizations. One of the three files launched by the installer, mscoree.dll, appeared to be a Shadowpad payload. Shadowpad is a modular backdoor discovered in 2017 after a supply-chain attack on a popular piece of server management software attributed to APT41 (aka Wicked Panda and Bronze Atlas), a Chinese dual espionage and cybercrime threat actor. Since 2019, this malware has been shared among multiple Chinese threat actors, such as Earth Akhlut or Earth Lusca. Therefore, Trend Micro said that the campaign could potentially be linked to the “nexus” of Chinese threat actors, but could not attribute it to a particular group with confidence.”

Title: Unnamed APT Eyes Vulnerabilities in Rockwell Automation Industrial Controllers (CVE-2023-3595, CVE-2023-3596)
Date Published: July 13, 2023

https://www.helpnetsecurity.com/2023/07/13/cve-2023-3595-cve-2023-3596/

Excerpt: “Rockwell Automation has fixed two vulnerabilities (CVE-2023-3595, CVE-2023-3596) in the communication modules of its ControlLogix industrial programmable logic controllers (PLCs), ahead of expected (and likely) in-the-wild exploitation. “An unreleased exploit capability leveraging these vulnerabilities is associated with an unnamed APT (Advanced Persistent Threat) group,” industrial cybersecurity company Dragos stated on Wednesday. CVE-2023-3595 allows attackers to manipulate firmware memory, perform remote code execution with persistence, and modify, deny, and exfiltrate data passing through the device. It affects the 1756 EN2* and 1756 EN3* series of ControlLogix modules. CVE-2023-3596 could be used to trigger a denial-of-service condition, and affects the 1756-EN4* series of ControlLogix modules.”

Title: Adobe Patches Critical ColdFusion, InDesign Zero-Day Bugs
Date Published: July 14, 2023

https://www.scmagazine.com/news/risk-management/adobe-critical-coldfusion-indesign-zero-daya-bugs

Excerpt: “Adobe has released patches for critical zero-day vulnerabilities found in its ColdFusion and InDesign products, both of which left the door open for arbitrary code execution attacks. The two critical fixes were among 15 patches the company made available this week—three for ColdFusion and 12 for InDesign—as part of its regular monthly security update service. Adobe warned the ColdFusion vulnerabilities—affecting the 2018, 2021 and 2023 versions of its web-application development platform—could “lead to arbitrary code execution and security feature bypass”. The most serious of the three bugs, CVE-2023-29300, was a deserialization of untrusted data vulnerability with a critical-severity CVSS v3 rating of 9.8.”

Title: Cisco SD-WAN vManage Impacted by Unauthenticated REST API Access
Date Published: July 13, 2023

https://www.bleepingcomputer.com/news/security/cisco-sd-wan-vmanage-impacted-by-unauthenticated-rest-api-access/

Excerpt: “The Cisco SD-WAN vManage management software is impacted by a flaw that allows an unauthenticated, remote attacker to gain read or limited write permissions to the configuration of the affected instance. Cisco SD-WAN vManage is a cloud-based solution allowing organizations to design, deploy, and manage distributed networks across multiple locations. vManage instances are deployments that might serve in centralized network management, setting up VPNs, SD-WAN orchestration, device configuration deployment, policy enforcement, etc. Cisco published a security bulletin yesterday informing of a critical-severity vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software, tracked as CVE-2023-20214. The flaw is caused by an insufficient request validation when using the REST API feature, which can be exploited by sending a specially-crafted API request to the affected vManage instances. This could enable attackers to read sensitive information from the compromised system, modify certain configurations, disrupt network operations, and more.”

Title: Crit.IX: Flaws in Honeywell Experion DCS, Posing Risk to Critical Industries
Date Published: July 13, 2023

https://www.hackread.com/crit-ix-honeywell-experion-dcs-flaws-risk/

Excerpt: “These vulnerabilities, dubbed Crit.IX, can allow unauthorized remote code execution on the Honeywell server and controllers’ legacy version. Security researchers at cybersecurity firm Armis and American conglomerate Honeywell have jointly disclosed details of nine new vulnerabilities found in Honeywell Experion DCS platforms. Reportedly, Armis detected these flaws in May 2022 and informed Honeywell about 13 code issues found in the Experion C300 controllers and server, which were later rolled into nine new vulnerabilities. Out of the 9 vulnerabilities, 7 were declared critical. Armis and Honeywell decided to investigate these findings and their potential impact collectively. These vulnerabilities, dubbed Crit.IX, can allow unauthorized remote code execution on the Honeywell server and controllers’ legacy versions. The impacted devices are used in critical industries, therefore their exploitation would cause physical disruption of crucial services and may even risk users’ safety.”

Title: Patch Now! SonicWall, Fortinet Fix Multiple Critical Bugs
Date Published: July 13, 2023

https://www.databreachtoday.com/patch-now-sonicwall-fortinet-fix-multiple-critical-bugs-a-22538

Excerpt: “Networking and security appliance manufacturers SonicWall and Fortinet this week released details of multiple critically rated vulnerabilities that affect at least half a dozen network security products. SonicWall on Wednesday released security fixes for 15 bugs affecting its Global Management System’s firewall management and Analytics network reporting engine software. The flaws affect the on-premises versions of GMS 9.3.2-SP1 and earlier and Analytics 2.5.0.4-R7 and earlier. The fixes include four critically rated authentication bypass vulnerabilities that could result in exposure of sensitive information to an unauthorized actor, SonicWall’s security advisory says.”

Title: Mandiant Unveils Russian GRU’s Cyber Playbook Against Ukraine
Date Published: July 13, 2023

https://www.infosecurity-magazine.com/news/mandiant-russian-gru-cyber/

Excerpt: “Drawing on its tracking of Russia-backed disruptive operations against Ukraine since the country’s invasion of its neighbor in February 2022, Mandiant observed that multiple distinct Russian threat clusters have been persistently using the same, repeatable playbook throughout the war to pursue Russia’s information confrontation objectives. The cybersecurity firm, now part of Google Cloud, presented its findings in a blog post published on July 12, 2023.”

Title: Zimbra Urges Customers to Manually Fix Actively Exploited Zero-Day Reported by Google TAG
Date Published: July 13, 2023

https://securityaffairs.com/148429/hacking/zimbra-collaboration-suite-zeroday.html

Excerpt: “Zimbra has released updates to address a zero-day vulnerability actively exploited in attacks aimed at Zimbra Collaboration Suite (ZCS) email servers. Zimbra urges customers to manually install updates to fix a zero-day vulnerability that is actively exploited in attacks against Zimbra Collaboration Suite (ZCS) email servers. Zimbra Collaboration Suite is a comprehensive open-source messaging and collaboration platform that provides email, calendaring, file sharing, and other collaboration tools. It was developed by Zimbra, Inc. Zimbra offers both on-premises and cloud-based solutions. Zimbra is an email and collaboration platform used by more than 200,000 businesses from over 140 countries.”

Title: Linux Hacker Exploits Researchers With Fake PoCs Posted to GitHub
Date Published: July 13, 2023

https://www.darkreading.com/attacks-breaches/linux-hacker-exploits-researchers-with-fake-pocs-posted-to-github

Excerpt: “A cyber attacker gives defenders a taste of their own medicine, with GitHub honeypots concealing infostealers. A GitHub user managed to dupe security researchers by publishing fake proofs-of-concept (PoCs) containing Linux backdoors. Cybersecurity researchers use PoCs to test and better understand publicly known vulnerabilities. They are essential and ubiquitous which, perhaps, makes it easier for a bad one to slip through. Researchers from Uptycs this week outed a GitHub user (now deactivated) who copied legitimate PoCs for known vulnerabilities, reposting them with hidden Linux-built infostealing malware. One of the two fake PoCs had already been forked 25 times at the time of discovery; a second copy has been forked 20 times.”
