Programmer’s Digest #23

03/08/2023-03/15/2023. Jenkins Security Alert, IceFire Ransomware Exploits IBM Aspera Faspex, Actively Exploited Plex Bug After LastPass Breach And More.

1. New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access

Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as CVE-2023-25610, is rated 9.3 out of 10 for severity and was internally discovered and reported by Fortinet's own security teams. A buffer underwrite (‘buffer underflow’) vulnerability in the FortiOS and FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests. Underflow bugs, also called buffer underruns, occur when the input data is shorter than the reserved space, causing unpredictable behavior or leakage of sensitive data from memory. Other possible consequences include memory corruption that could either be weaponized to induce a crash or execute arbitrary code. Fixes are available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0; FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10; and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9.
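The underrun mechanism the item describes, as an added illustration rather than anything from the Fortinet advisory: a handler that trusts a declared field length, copies fewer bytes than the reserved space into a reused buffer, and then answers with the full width, so stale bytes from an earlier request leak to the caller. The request layout, the field width and the handler names are constructed for the example and are not FortiOS's.

```c
#include <stdint.h>
#include <string.h>

#define FIELD_LEN 16   /* reserved space for a fixed-width request field */

/* Constructed request shape (hypothetical, not FortiOS's wire format):
 * a declared length followed by up to FIELD_LEN bytes of field data. */
struct request {
    uint8_t len;
    uint8_t data[FIELD_LEN];
};

/* Vulnerable handler: trusts req->len, copies only that many bytes into a
 * reused scratch buffer, then answers with the full reserved width.
 * When len < FIELD_LEN, bytes [len, FIELD_LEN) are whatever scratch held
 * before, so stale memory leaks to the caller. */
static void handle_unchecked(const struct request *req, uint8_t *scratch, uint8_t *out) {
    memcpy(scratch, req->data, req->len);
    memcpy(out, scratch, FIELD_LEN);
}

/* Hardened handler: the length must match the reserved space exactly, and the
 * scratch buffer is cleared before use so no prior contents can escape. */
static int handle_checked(const struct request *req, uint8_t *scratch, uint8_t *out) {
    if (req->len != FIELD_LEN) return -1;   /* under-length input rejected */
    memset(scratch, 0, FIELD_LEN);
    memcpy(scratch, req->data, req->len);
    memcpy(out, scratch, FIELD_LEN);
    return 0;
}

/* Simulate an earlier request leaving residue ('S') in scratch, then push a
 * field of `len` bytes through the chosen handler. Returns how many residue
 * bytes reached the output, i.e. the size of the leak. */
int leaked_bytes(int checked, uint8_t len) {
    uint8_t scratch[FIELD_LEN], out[FIELD_LEN];
    struct request req;
    req.len = len > FIELD_LEN ? FIELD_LEN : len;   /* clamp the constructed input */
    memset(req.data, 'A', FIELD_LEN);               /* constructed field bytes */
    memset(scratch, 'S', FIELD_LEN);                /* residue from a prior request */
    if (checked) {
        if (handle_checked(&req, scratch, out) != 0) return 0;   /* rejected: no leak */
    } else {
        handle_unchecked(&req, scratch, out);
    }
    int n = 0;
    for (int i = 0; i < FIELD_LEN; i++) n += (out[i] == 'S');
    return n;
}
```

A 4-byte field through the unchecked handler leaks 12 bytes of residue; the checked handler either rejects the short request or, for a full-width field, returns only the caller's own bytes.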

2. Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All Jenkins versions prior to 2.319.2 are vulnerable and exploitable. Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim’s Jenkins server, potentially leading to a complete compromise of the Jenkins server. Once the victim opens the ‘Available Plugin Manager’ on their Jenkins server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins server using the Script Console API. Since it is also a case of stored XSS, in which the JavaScript code is injected into the server, the vulnerability can be activated without the victim having to install the plugin or even visit the plugin’s URL in the first place.

3. Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware

Sunlogin and AweSun remote desktop programs have security vulnerabilities that are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC) reported that this marks the continued abuse of the flaws to deliver various payloads, including the Sliver post-exploitation framework, XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware. PlugX is the latest addition to this list. The backdoor is notable for its ability to start arbitrary services, download and execute files from an external source, and drop plugins that can harvest data and propagate using Remote Desktop Protocol (RDP). “New features are being added to [PlugX] even to this day as it continues to see steady use in attacks,” ASEC said.

4. IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks

IceFire ransomware, which was previously known to target Windows-based systems, has shifted its focus towards Linux enterprise networks. Cybersecurity company SentinelOne reported that the ransomware is exploiting a recently disclosed vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986) to carry out the intrusions. The attacks have primarily targeted media and entertainment organizations in Turkey, Iran, Pakistan, and the U.A.E. The ransomware binary targeting Linux is capable of avoiding encrypting certain paths, allowing the infected machine to continue functioning. Linux systems are typically more difficult to deploy ransomware against, but actors are turning to exploiting application vulnerabilities to overcome this challenge. Meanwhile, Fortinet FortiGuard Labs has disclosed a new LockBit ransomware campaign using “evasive tradecraft” to bypass MotW protections.

5. CISA Warns Of Actively Exploited Plex Bug After LastPass Breach

CISA has added a three-year-old remote code execution (RCE) vulnerability in Plex Media Server to its list of security flaws exploited in attacks. CVE-2020-5741 allows attackers with admin privileges to execute arbitrary Python code remotely without user interaction. The vulnerability was patched with the release of Plex Media Server 1.19.3 in May 2020. The attack involves exploiting the Camera Upload feature by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled. CISA did not provide any details on the attacks. However, this could be related to the recent LastPass data breach after a third-party media software RCE bug was abused to install a keylogger on a senior DevOps engineer’s computer, leading to the theft of credentials and critical backups.

6. New GoBruteforcer Malware Targets phpMyAdmin, MySQL, FTP, Postgres

GoBruteforcer is a new Golang-based botnet malware that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services. Once it detects an open port accepting connections, it attempts to log in using hard-coded credentials and deploys an IRC bot on compromised phpMyAdmin systems or a PHP web shell on other targeted services. It then reaches out to its command-and-control server and waits for instructions that will be delivered via the previously installed IRC bot or web shell. The botnet uses a multiscan module to find potential victims within a Classless Inter-Domain Routing (CIDR) block, which grants it a broad selection of targets for infiltrating networks. GoBruteforcer is likely under active development, and its operators are expected to adapt their tactics and capabilities to target web servers and stay ahead of security defenses.

7. New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide

An updated version of a botnet malware called Prometei has infected more than 10,000 systems worldwide. Prometei, first observed in 2016, is a modular botnet that features a large repertoire of components and several proliferation methods, some of which also include the exploitation of ProxyLogon Microsoft Exchange Server flaws. The cross-platform botnet’s motivations are financial, primarily leveraging its pool of infected hosts to mine cryptocurrency and harvest credentials. The latest variant of Prometei (called v3) improves upon its existing features to challenge forensic analysis and further burrow its access on victim machines. The attack sequence proceeds thus: Upon gaining a successful foothold, a PowerShell command is executed to download the botnet malware from a remote server. Prometei’s main module is then used to retrieve the actual crypto-mining payload and other auxiliary components on the system. Some of these support modules function as spreader programs designed to propagate the malware through Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).
