Programmer’s Digest #20
02/16/2023-02/22/2023. New Vulnerabilities in KEV Catalog, VMware Patches Critical Vulnerability, Vulnerability Discovered in ClamAV Open Source Antivirus Software And More
1. U.S. Cybersecurity Agency CISA Adds Three New Vulnerabilities in KEV Catalog
CISA has added three security flaws to its Known Exploited Vulnerabilities catalog that are currently being actively exploited. IBM Aspera Faspex Code Execution Vulnerability (CVE-2022-47986) is a YAML deserialization flaw that enables a remote attacker to execute code on the system. Mitel MiVoice Connect Code Injection Vulnerability (CVE-2022-41223) and Mitel MiVoice Connect Command Injection Vulnerability (CVE-2022-40765) could allow an authenticated attacker with internal network access to execute arbitrary code. The nature of the attacks is unclear, but the vulnerabilities were patched by Mitel in October 2022. Federal Civilian Executive Branch agencies must apply the necessary updates by March 14, 2023, to secure networks against potential threats. In a related development, CISA released an Industrial Control Systems advisory relating to critical flaws in Mitsubishi Electric’s MELSOFT iQ AppPortal.
2. VMware Patches Critical Vulnerability in Carbon Black App Control Product
VMware has released patches to address a critical security vulnerability affecting its Carbon Black App Control product. The injection vulnerability, tracked as CVE-2023-20858, carries a CVSS score of 9.1 out of 10 and affects App Control versions 8.7.x, 8.8.x, and 8.9.x. A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input to access the underlying server operating system. VMware has advised customers to update to versions 8.7.8, 8.8.6, and 8.9.4 to mitigate risks. In addition, VMware has fixed an XML External Entity (XXE) vulnerability (CVE-2023-20855, CVSS score: 8.8) affecting vRealize Orchestrator, vRealize Automation, and Cloud Foundation. It’s important to install the patches as soon as possible, given the common targeting of Fortinet product vulnerabilities by threat actors in attacks.
3. GoDaddy Discloses Multi-Year Security Breach Causing Malware Installations and Source Code Theft
GoDaddy has reported a multi-year breach that enabled unknown cybercriminals to install malware and exfiltrate source code related to some of its services. The breach occurred in December 2022, and the company identified that an unauthorized third party gained access to servers hosted in its cPanel environment. The attackers installed malware, resulting in the intermittent redirection of customer websites. GoDaddy notes that the ultimate objective of the intrusions was to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities. The company added that the December 2022 incident is connected to two other security events it encountered in March 2020 and November 2021. In the first incident, credentials were compromised, affecting around 28,000 hosting customers and a small number of its personnel, while the second saw a rogue actor gain access to the Managed WordPress provisioning system.
4. Critical RCE Vulnerability Discovered in ClamAV Open Source Antivirus Software
Cisco has issued security updates to fix a severe flaw affecting its ClamAV open-source antivirus engine. The bug, tracked as CVE-2023-20032, has a CVSS score of 9.8 and is a remote code execution vulnerability that resides in the HFS+ file parser component. An attacker could exploit the flaw by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. The weakness affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. The company also addressed a remote information leak vulnerability in ClamAV’s DMG file parser and a denial-of-service vulnerability in Cisco Nexus Dashboard. The company has urged all customers to upgrade to the latest versions of ClamAV to stay secure.
5. Researchers Hijack Popular NPM Package with Millions of Downloads
A popular npm package with over 3.5 million weekly downloads has been found to be vulnerable to an account takeover attack. Illustria, a software supply chain security company, explained that the package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password, enabling access to the package’s associated GitHub account. Attackers can publish trojanized versions to the npm registry, making it possible to conduct supply chain attacks at scale. Illustria did not disclose the name of the module but reached out to the maintainer, who has taken steps to secure the account. The attack bypasses two-factor authentication as the GitHub Action, configured in the repository, automatically publishes packages when new code changes are pushed.
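The weak pattern described above is a workflow that publishes on every push, so a stolen maintainer account inherits the publishing path with no second check. The following is an added illustration, not the affected project's workflow: the publish-on-push job beside a hardened variant that publishes only from a published GitHub release through a protected environment (the environment name `npm-publish` and the secret name `NPM_TOKEN` are assumed; required reviewers for the environment are configured in the repository settings, not in this file).

```yaml
# BEFORE (weak): any push to main publishes, so whoever controls the
# repository account publishes to npm without touching npm's own 2FA.
name: publish-on-push
on:
  push:
    branches: [main]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

---
# AFTER (hardened): publish only when a release is published, from an
# environment that requires reviewer approval, with a short-lived OIDC
# token so npm records build provenance for the published tarball.
name: publish-on-release
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write          # needed for npm provenance attestation
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-publish   # assumed name; required reviewers set in repo settings
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # Fail the job if the tag being released does not match package.json,
      # so a surprise tag cannot push an unexpected version.
      - run: |
          test "v$(node -p "require('./package.json').version")" = "${GITHUB_REF_NAME}"
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The environment gate means a compromised GitHub account still needs a second human to approve the deployment, and the release trigger removes the automatic publish on ordinary code pushes that the article describes.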
6. New Mirai Malware Variant Infects Linux Devices To Build DDoS Botnet
A new variant of the Mirai botnet, called V3G4, has been detected targeting Linux-based servers and IoT devices to carry out DDoS attacks. The malware infects devices by exploiting weak or default telnet/SSH credentials and a hardcoded set of known vulnerabilities.
Once a device is compromised, it is recruited into the botnet. Researchers at Palo Alto Networks have identified V3G4 in three separate campaigns between July and December 2022, all believed to originate from the same threat actor. The botnet uses four different XOR encryption keys, which makes decoding its functions more challenging. It also terminates processes from a hardcoded list that includes competing botnet malware families. After infecting a device, a Mirai-based payload is dropped onto the system, and the botnet attempts to connect to the hardcoded C2 address. Users can protect themselves by changing default passwords and installing the latest security updates.