Go to listing page

Cyware Daily Threat Intelligence, May 05, 2022

Cyware Daily Threat Intelligence, May 05, 2022

Share Blog Post

Active exploitation of unpatched vulnerabilities continues to explode as CISA sets a deadline for federal agencies to patch five new vulnerabilities added to its ‘Known Exploited Vulnerabilities’ catalog. Two of these flaws affect multiple Apple products. Amidst these vulnerability concerns, Avast and AVG have taken actions to patch two high-severity flaws that went undetected for more than a decade.

In other news, security experts are warning about a new fileless malware attack tactic that involves the use of Windows event logs. Adversaries are actively leveraging logs to stash and launch trojans on infected systems.

Top Breaches Reported in the Last 24 Hours


Heroku discloses a breach
Heroku acknowledged a security breach that occurred due to the compromise of OAuth tokens last month. This affected its internal customer database. As a precautionary measure, the firm has started performing forced password resets for a subset of its user accounts.

ElasticSearch server exposes data
An unprotected ElasticSearch server instance was found exposing around 5.8 GB of financial information about loans from Indian and African financial services. A total of 1,686,363 records containing personal information such as names, loan amounts, dates of birth, and account numbers were compromised in the incident.

Top Malware Reported in the Last 24 Hours


New updates on IssacWiper
Researchers have associated the recently discovered IssacWiper malware with the Sprite Spider threat actor group. The similarities are drawn based on the infrastructure deployed, including the subroutines responsible for error handling, heap memory allocation, and concurrency management.

New fileless malware attack tactic
Threat hunters have documented a fileless malware attack that abuses Windows event logs to stash and launch trojans in the last stage of the infection stage. The attack also employs Cobalt Strike Beacon, NetSPI, and various custom modules.
 

Top Vulnerabilities Reported in the Last 24 Hours


Cisco patches several flaws
Cisco has released patches for several vulnerabilities affecting its Enterprise Network Function Virtualization Infrastructure Software (NFVIS). One of these is a critical vulnerability—tracked as CVE-2022-20777— that can be abused to escape guest virtual machine and inject commands at the root level or leak system data from the host.

CISA adds five exploited vulnerabilities
CISA’s Known Exploited Vulnerabilities catalog is updated with five new widely exploited vulnerabilities. These include Type Confusion vulnerabilities affecting multiple Apple products and use-after-free vulnerabilities affecting Microsoft Internet Explorer and Win32k.

Decade-old flaws discovered
Researchers have disclosed two high-severity vulnerabilities in Avast and AVG antivirus products that went undetected for ten years. The flaws are tracked as CVE-2022-26522 and CVE-2022-26523. Both the flaws exist in Avast Anti Rootkit driver, introduced in January 2012 and also used by AVG. The vulnerabilities have been patched by respective vendors.

F5 patches 43 vulnerabilities
F5 has issued patches for a total of 43 vulnerabilities affecting its products. The most severe one is tracked as CVE-2022-1388 and can be exploited to execute arbitrary system commands, disable services, or delete files. The vendor has addressed the flaws in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5 of the product.

A flaw patched in Snipe-IT 
Developers have patched a critical vulnerability in Snipe-IT that could be exploited to send users malicious password reset requests. Described as Server-Side Request Forgery (SSRF), the flaw is tracked as CVE-2022-23064 and has a CVSS score of 8.8.

New Threat in Spotlight


New threats from UNC2903 identified
Researchers from Mandiant have released a complete timeline of multi-phased attacks on cloud platforms. Launched by a threat actor named UNC2903, the attack leveraged the PoC for a previously disclosed SSRF vulnerability (CVE-2021-21311) that could be exploited to gain access to secret keys of targeted AWS applications and subsequently steal data. 

 Tags

unprotected elasticsearch server
issacwiper malware
snipe it
sprite spider group
heroku

Posted on: May 05, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.