    Date: 01/17/2023

    Vulnerabilities in End-of-Life Cisco Routers

    Overview

    Cisco has stated that two vulnerabilities (CVE-2023-20025 and CVE-2023-20026) affecting the small business routers RV016, RV042, RV042G, and RV082 will not be fixed, even though public proof-of-concept exploit code exists. To exploit either vulnerability, an attacker needs network access to the web management interface of an affected device.

    Potential Impact

    CVE-2023-20025 can be exploited remotely by sending a crafted HTTP request, allowing an attacker to bypass authentication and elevate privileges. CVE-2023-20026 allows an attacker who already holds valid administrator credentials to gain root-level privileges and access unauthorized data. Both could be used to further an attack by disrupting or modifying the network configuration. Note that neither vulnerability has yet been observed being exploited in the wild.

    Recommended Actions

    Workarounds include disabling web-based remote management and blocking access to ports 443 and 60443. Administrators can further reduce risk by restricting management access to a jump host or a management VLAN.


      Cacti Software Vulnerability Being Exploited

      Overview

      A vulnerability in Cacti, an operational and fault management monitoring solution for network devices, is being exploited, especially on instances that are reachable from the Internet. The vulnerability is tracked as CVE-2022-46169 and can be exploited without authentication.

      Potential Impact

      Successful exploitation of the vulnerability has resulted in botnet installations and reverse shells. Known post-exploitation activity so far consists of port scanning, though more severe activity could follow, such as launching exploits against internal systems, moving laterally, and escalating privileges.

      Recommended Actions

      A patch for CVE-2022-46169 is available. More generally, organizations should remove Internet access from all management interfaces, as doing so reduces the attack surface. Regular vulnerability scanning of externally accessible hosts is also highly recommended to identify technical vulnerabilities and weak configurations that unauthenticated attackers could abuse.
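The Cisco workaround above (web management reachable only from a jump host or management VLAN) and the Cacti recommendation (no Internet access to management interfaces) are the same control, and the simplest way to know whether it is actually in effect is to audit firewall logs for management-port sessions that arrive from anywhere else. The Python script below is an added example written for this briefing, not code from Cisco, Cacti, or GreyCastle. The hosts, networks, addresses, log format and sample log lines are constructed assumptions; ports 443 and 60443 come from the Cisco workaround, and port 80 is assumed for a plain-HTTP monitoring console.

```python
"""Audit firewall logs for management-interface sessions that bypass the
management VLAN / jump-host control. Added example; all hosts, networks and
log lines are constructed assumptions, not data from the briefing."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumed inventory: devices whose management interface must only be reached
# from the management network. Addresses are from documentation ranges.
MANAGEMENT_HOSTS = {
    "192.0.2.1": "rv042-branch-router",
    "192.0.2.50": "cacti-monitoring",
}
# 443 and 60443 are the ports the Cisco workaround blocks; 80 is assumed for a
# plain-HTTP monitoring console.
MANAGEMENT_PORTS = {443, 60443, 80}
APPROVED_SOURCES = [
    ipaddress.ip_network("10.10.99.0/24"),  # management VLAN (assumed)
    ipaddress.ip_network("10.10.0.5/32"),   # jump host (assumed)
]
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # the organization's own space (assumed)

# Constructed firewall log lines in a generic key=value syslog style.
SAMPLE_LOG = """\
2023-01-16T08:01:12Z fw01 action=allow src=10.10.99.14 dst=192.0.2.1 dport=443 proto=tcp
2023-01-16T08:02:44Z fw01 action=allow src=198.51.100.23 dst=192.0.2.1 dport=60443 proto=tcp
2023-01-16T08:03:10Z fw01 action=allow src=10.10.0.5 dst=192.0.2.50 dport=80 proto=tcp
2023-01-16T08:04:51Z fw01 action=deny src=203.0.113.9 dst=192.0.2.50 dport=80 proto=tcp
2023-01-16T08:05:02Z fw01 action=allow src=10.10.20.7 dst=192.0.2.50 dport=80 proto=tcp
2023-01-16T08:05:30Z fw01 action=allow src=10.10.20.7 dst=192.0.2.77 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

EXTERNAL = "reachable from outside the organization"
INTERNAL = "reachable from an internal user network"


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    asset: str
    reason: str


def _in_any(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def find_exposed_management_sessions(log_text: str) -> list[Finding]:
    """Return allowed sessions that reached a management port on a management
    host from a source other than the management VLAN or the jump host."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["action"] != "allow":
            continue  # unparsable line, or traffic the firewall already blocked
        dst, dport = m["dst"], int(m["dport"])
        if dst not in MANAGEMENT_HOSTS or dport not in MANAGEMENT_PORTS:
            continue
        if _in_any(m["src"], APPROVED_SOURCES):
            continue  # this is the path the control permits
        reason = INTERNAL if _in_any(m["src"], INTERNAL_NETWORKS) else EXTERNAL
        findings.append(Finding(m["ts"], m["src"], dst, dport, MANAGEMENT_HOSTS[dst], reason))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason; anything under EXTERNAL means the interface
    is Internet-reachable and the workaround is not in effect."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    results = find_exposed_management_sessions(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.src} -> {f.asset}:{f.dport}  {f.reason}")
    print(summarize(results))
```

Denied sessions are skipped on purpose: they show the firewall doing its job, while an allowed session from outside the approved sources is the evidence that the management plane is still exposed. On the sample log the script reports one session from outside the organization to the router on port 60443 and one from a user subnet to the monitoring console, and ignores the session to 192.0.2.77 because that host is not in the management inventory.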


      Sources

      https://www.bleepingcomputer.com/news/security/hackers-exploit-cacti-critical-bug-to-install-malware-open-reverse-shells/ 

      https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf

      LockBit Ransomware Disrupts UK Royal Mail Service

      Overview

      The United Kingdom’s Royal Mail Service disclosed that it cannot ship items overseas due to a “Cyber Incident.” Further reporting has determined that the Russia-based LockBit ransomware group is behind the attack.

      Potential Impact

      The direct impact of this incident is likely to be disruption of UK mail services for some time. Readers should always consider the potential impact of ransomware when developing their cybersecurity program.

      Recommended Actions

      Ransomware prevention requires a strong cybersecurity program and incident response capabilities. Ensure that your organization has a consistent and thorough cybersecurity program.

      Sources

      https://www.bleepingcomputer.com/news/security/royal-mail-cyberattack-linked-to-lockbit-ransomware-operation/

      Siemens Logic Controller Flaw Could Allow Attacker Control of Industrial Control Systems

      Overview

      The Siemens S7-1500, a widely used Programmable Logic Controller (PLC), has been reported as vulnerable to an attack in which a threat actor can replace the controller’s firmware with a tainted version.

      Potential Impact

      The Siemens S7-1500 is widely deployed and difficult to replace. The potential impact is disruption of operational technology in multiple areas.

      Recommended Actions

      If your organization uses Siemens PLCs, ensure that they are physically secured and that any network connected to them is well protected. Siemens does not plan to patch this vulnerability, so replacing the PLC with a more recent version may be the only way to mitigate it.

      Sources

      https://cert-portal.siemens.com/productcert/html/ssa-482757.html

      https://www.wired.com/story/siemens-s7-1500-logic-controller-flaw/

      IcedID Malware Expands Capabilities

      Overview

      Researchers from Cybereason have been tracking the IcedID malware campaign since October 2022. The malware saw significant development throughout 2022 and shows no signs of slowing down. Cybereason researchers note that it has not only evolved consistently since October but has also dramatically changed its tactics.

      For example, the new strains use ISO and LNK files instead of the macro-based documents seen previously. In addition, secondary post-exploitation tactics rely on native Windows binaries such as rundll32.exe to bypass some endpoint security tools.

      Potential Impact

      IcedID’s newest initial access vector, ISO files, has been remarkably successful at compromising systems. Beyond that, IcedID has been seen using new lateral movement and privilege escalation capabilities. The potential impact grows as IcedID continues to be developed.

      Recommended Actions

      It is recommended that organizations stay on top of their anti-malware detection and prevention techniques. This includes ensuring that endpoint detection and response (EDR) solutions are fully updated and carry the newest signatures for malware strains identified in the wild. Promptly applying security patches to devices also helps prevent infection through commonly exploited CVEs.
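Beyond signatures, the pattern Cybereason describes above (an ISO or LNK delivery followed by rundll32.exe loading a DLL) can be expressed as a behavioural check that an EDR or SIEM rule evaluates on process-creation events: rundll32.exe given a DLL outside the Windows or Program Files directories, with extra weight when the DLL sits on a non-system drive letter (where a mounted image appears) or the parent is the desktop shell. The Python below is an added example written for this briefing, not code from Cybereason or GreyCastle; the event records, paths, trusted-directory list and scoring heuristics are constructed assumptions rather than indicators from the research.

```python
"""Triage rundll32.exe process-creation events for the ISO/LNK plus rundll32
pattern. Added example; the event records, paths and heuristics are
constructed assumptions, not indicators from the briefing or Cybereason."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Directories from which a DLL handed to rundll32.exe is considered expected (assumed).
TRUSTED_DLL_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
SYSTEM_DRIVE = "c:"

R_UNTRUSTED = "DLL outside trusted directories"
R_NONSYS_VOLUME = "DLL on a non-system volume (possible mounted disk image)"
R_UNQUALIFIED = "unqualified DLL name resolved through the DLL search order"
R_SHELL_PARENT = "parent is explorer.exe (interactive launch, e.g. via a shortcut)"


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal subset of a process-creation record (constructed)."""
    ts: str
    image: str
    parent_image: str
    command_line: str


@dataclass
class Verdict:
    event: ProcessEvent
    dll_path: str
    reasons: list[str] = field(default_factory=list)


# Constructed sample events: two benign launches, three worth a look.
SAMPLE_EVENTS = [
    ProcessEvent("2023-01-16T09:00:01Z", r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
    ProcessEvent("2023-01-16T09:12:40Z", r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\explorer.exe",
                 r"rundll32.exe E:\docs\invoice.dll,#1"),
    ProcessEvent("2023-01-16T09:13:05Z", r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,init"),
    ProcessEvent("2023-01-16T09:20:00Z", r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Run'),
    ProcessEvent("2023-01-16T09:21:30Z", r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL"),
]


def extract_dll_path(command_line: str) -> str | None:
    """Return the DLL operand of `rundll32.exe <dll>[,<entry>] ...`,
    handling a quoted image token and a quoted DLL path."""
    rest = command_line.strip()
    if rest.startswith('"'):                 # "...\rundll32.exe" <args>
        rest = rest[rest.find('"', 1) + 1:]
    elif " " in rest:                        # rundll32.exe <args>
        rest = rest.split(None, 1)[1]
    else:
        return None                          # no operand at all
    rest = rest.lstrip()
    if not rest:
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        dll = rest[1:end] if end > 0 else rest[1:]
    else:
        dll = rest.split()[0]
    return dll.split(",", 1)[0]              # drop ",EntryPoint"


def triage_rundll32(events: list[ProcessEvent]) -> list[Verdict]:
    """Score every rundll32.exe launch; a verdict with no reasons is benign."""
    verdicts: list[Verdict] = []
    for ev in events:
        if ntpath.basename(ev.image).lower() != "rundll32.exe":
            continue
        dll = extract_dll_path(ev.command_line) or ""
        v = Verdict(ev, dll)
        low = dll.lower()
        if dll and "\\" not in low:
            v.reasons.append(R_UNQUALIFIED)
        elif dll:
            if not low.startswith(TRUSTED_DLL_PREFIXES):
                v.reasons.append(R_UNTRUSTED)
            if not low.startswith(SYSTEM_DRIVE):
                v.reasons.append(R_NONSYS_VOLUME)
        # The shell as parent only adds weight when the DLL itself looks off.
        if v.reasons and ntpath.basename(ev.parent_image).lower() == "explorer.exe":
            v.reasons.append(R_SHELL_PARENT)
        verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    for v in triage_rundll32(SAMPLE_EVENTS):
        status = "SUSPICIOUS" if v.reasons else "ok"
        print(f"{v.event.ts} {status:10} {v.dll_path or '<none>'}  {'; '.join(v.reasons)}")
```

The check keys on where the DLL lives rather than on a hash, which is what makes it hold up against frequently re-packed samples: a DLL on a freshly mounted drive letter launched from the desktop shell earns three reasons, one dropped into a user's temp directory earns one, and the two launches from Windows and Program Files directories earn none. The trusted-prefix list is deliberately short; tune it to the software actually installed before turning the rule into an alert.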

      Sources

      https://cyware.com/news/rapid-icedid-malware-infection-stuns-researchers-59197144

      https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
