    Threat Intel Briefing
    Date: 9/12/2022

    Authentication Bypass Vulnerability in Cisco Small Business Routers

    Overview

    On September 7, 2022, Cisco revealed the existence of an authentication bypass vulnerability in certain small-business routers. These routers are considered end-of-life, and Cisco will not be releasing a patch for this vulnerability. The following models are affected:

    • RV110W Wireless-N VPN Firewall
    • RV130 VPN Router
    • RV130W Wireless-N Multifunction VPN Router
    • RV215W Wireless-N VPN Router

    Potential Impact

    According to Cisco: ‘A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network’. It is also possible that an attacker could obtain privileges identical to the administrative user on the router.

    Recommended Actions

    Ensure that asset management programs consider the full lifecycle of hardware and software. Plan for end-of-life so that your business will not be caught running unsupported systems.

    If your business is running one of the affected models, it should be replaced with a currently supported router as soon as possible. Cisco has disclosed several other vulnerabilities in these routers, all of which are unpatched. 


      HP Firmware Vulnerabilities Remain Unpatched After Public Disclosure

      Overview

      Firmware vulnerabilities in HP Elitebook laptops disclosed by Binarly in July 2022 remain unpatched after HP released firmware updates on September 7. 

      Impact

      The vulnerabilities highlighted by researchers at Binarly could result in malware installation in firmware. Such firmware exploitation can lead to attacker persistence that will survive operating system reinstallation and is difficult to detect by security tools.

      Recommendations

      Monitor HP firmware releases closely if your business uses HP Elitebooks. The vulnerabilities disclosed by Binarly highlight the challenge of firmware patching for vendors. Until patched firmware is available, monitor these systems for anomalies. To hinder potential lateral movement, place portable devices on a restricted network segment when they are brought into the business premises.

      Sources
      https://binarly.io/posts/Binarly_Finds_Six_High_Severity_Firmware_Vulnerabilities_in_HP_Enterprise_Devices/index.html
      https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-computer-models-left-unfixed-for-over-a-year/

      Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices

      Overview

      Researchers have uncovered new Linux-based malware dubbed Shikitega that is notable for stealth and sophistication. The malware is delivered through a multistage infection chain and uses polymorphic encoding, making it difficult to detect. Currently, actors deploying the Shikitega malware are targeting CVE-2021-4034 and CVE-2021-3493 post-compromise to gain full root privileges.

      Potential Impact

      Shikitega malware has been observed targeting both traditional Linux servers and IoT devices. Threat actors are dropping crypto mining software (such as XMRig), and also a powerful Metasploit module called Mettle that allows for credential stealing, reverse shells, and other nefarious activities. Malicious processes such as XMRig are being executed in memory without dropping files on the system, making detection and root cause analysis difficult. Also, actors are leveraging legitimate cloud services for command-and-control infrastructure, adding another level of stealth. 

      Recommended Actions

      Administrators are urged to address CVE-2021-4034 and CVE-2021-3493 on all public-facing Linux assets. Note that these are not new vulnerabilities; they are being abused to escalate privileges after an initial compromise. It is also recommended that systems be protected with Endpoint Detection & Response software capable of detecting anomalous activity.
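      Two of the behaviours described above are cheap to check for on a Linux host: a payload executed from memory without a file on disk, and a pkexec binary that has not yet been fixed for CVE-2021-4034. The script below is an added example written for this briefing, not GreyCastle tooling or code from the cited reports. It assumes a standard procfs layout, that pkexec lives at /usr/bin/pkexec, and that removing the setuid bit is the interim mitigation in use when the patched policykit package cannot be installed; the process table it audits by default is a constructed sample.

```python
"""Host audit helpers for the Shikitega tradecraft described above.

Added example for this briefing, not GreyCastle's tooling and not code from
the cited reports. Two defender-side checks:

  1. classify_process() flags a process whose /proc/<pid>/exe link points at an
     anonymous memfd or at a file deleted after launch, which is what in-memory
     execution of a payload such as XMRig looks like to the kernel.
  2. has_setuid_bit() / pkexec_is_setuid() report whether pkexec still carries
     the setuid bit. Dropping that bit is the widely published interim
     mitigation for CVE-2021-4034 until the fixed policykit package is
     installed. The /usr/bin/pkexec path is an assumption of this example.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    pid: int
    exe: str
    reason: str


def classify_process(pid: int, exe_target: str) -> Optional[Finding]:
    """Return a Finding when the executable path indicates fileless execution.

    exe_target is the string returned by readlink on /proc/<pid>/exe. A
    memfd-backed binary shows up as "/memfd:<name> (deleted)", and a binary
    unlinked after exec keeps its original path with " (deleted)" appended.
    """
    if exe_target.startswith("/memfd:"):
        return Finding(pid, exe_target, "executable mapped from anonymous memfd")
    if exe_target.endswith(" (deleted)"):
        return Finding(pid, exe_target, "executable removed from disk after start")
    return None


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk a procfs tree and collect every process that trips classify_process."""
    findings: List[Finding] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or no privilege
        finding = classify_process(int(entry), target)
        if finding is not None:
            findings.append(finding)
    return findings


def has_setuid_bit(mode: int) -> bool:
    """True when an st_mode value carries the setuid bit (for example 0o4755)."""
    return bool(mode & stat.S_ISUID)


def pkexec_is_setuid(path: str = "/usr/bin/pkexec") -> Optional[bool]:
    """None if pkexec is absent, otherwise whether it is still setuid-root."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return has_setuid_bit(st.st_mode) and st.st_uid == 0


# Constructed sample of readlink results, standing in for a live /proc walk.
SAMPLE_EXE_LINKS: Dict[int, str] = {
    1: "/usr/lib/systemd/systemd",
    4242: "/memfd:xmrig (deleted)",        # constructed: miner run from memory
    4300: "/tmp/.x/dropper (deleted)",     # constructed: stage deleted after exec
    4301: "/usr/bin/python3",
}


def audit_sample(links: Dict[int, str] = SAMPLE_EXE_LINKS) -> List[int]:
    """Return the pids from a {pid: exe_target} map that look fileless."""
    return [pid for pid, target in links.items()
            if classify_process(pid, target) is not None]


if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid {f.pid}: {f.reason} ({f.exe})")
    state = pkexec_is_setuid()
    if state is None:
        print("pkexec: not installed")
    elif state:
        print("pkexec: still setuid-root, install the fixed policykit package")
    else:
        print("pkexec: setuid bit absent")
```

      Run as root so that every /proc/<pid>/exe link is readable; a non-root run silently skips other users' processes. A hit from classify_process is a lead, not a verdict, since some legitimate software also runs from memfd, so pair it with the process's parent, user and network activity before acting.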

      Sources
      https://arstechnica.com/information-technology/2022/09/new-linux-malware-combines-unusual-stealth-with-a-full-suite-of-capabilities/
      https://thehackernews.com/2022/09/new-stealthy-shikitega-malware.html

      Zero-Day Exploit in WordPress BackupBuddy Plugin

      Overview

      A zero-day vulnerability has been discovered in a WordPress plugin called BackupBuddy that is actively being exploited. The BackupBuddy plugin allows users to back up their entire WordPress installation. The vulnerability is tracked as CVE-2022-31474, has a CVSS score of 7.5, and affects versions 8.5.8.0 to 8.7.4.1.

      Potential Impact

      The vulnerability stems from a function called “Local Directory Copy” and is relatively easy to exploit. Successful exploitation will allow an unauthenticated threat actor to view or download any file on the server, which could include sensitive information, such as /etc/passwd.

      Recommended Actions

      This vulnerability is addressed in BackupBuddy version 8.7.5. Administrators are urged to update as soon as possible as there are likely to be widespread scans launched by threat actors looking for vulnerable installations. If successful exploitation is discovered, administrators should immediately reset the database password, rotate API keys, and change WordPress salts.
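      The defect class behind an unauthenticated "download any file" bug is a file-serving routine that joins a user-supplied path onto a base directory and trusts the result. The script below is an added example for this briefing, not BackupBuddy's code (its "Local Directory Copy" internals are not on the page); it assumes a hypothetical backup helper that receives a relative path from a request and must only ever serve files below a configured backup directory. It shows the vulnerable join beside a lexical check and a symlink-aware check, and demonstrates why the lexical check alone is not enough.

```python
"""Path confinement for a file-serving endpoint, illustrating the defect class
behind CVE-2022-31474 (unauthenticated arbitrary file read through a
user-controlled path). Added example, not BackupBuddy's code. It assumes a
hypothetical backup helper that takes a relative path from a request and must
serve only files below a configured backup directory.
"""
import os
import posixpath
import tempfile


class PathOutsideBaseError(ValueError):
    """Raised when a requested path would escape the configured base directory."""


def unsafe_join(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: concatenate and trust the result.

    "../" segments walk out of base_dir, and an absolute user_path replaces it.
    """
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def confine_lexically(base_dir: str, user_path: str) -> str:
    """Lexical check: reject absolute input, normalise, require a base_dir prefix.

    Catches "../" and absolute paths, but cannot see symlinks on disk.
    """
    if posixpath.isabs(user_path):
        raise PathOutsideBaseError(f"absolute path {user_path!r} not allowed")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathOutsideBaseError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def confine_resolved(base_dir: str, user_path: str) -> str:
    """Filesystem-aware check: resolve symlinks on both sides before comparing."""
    confine_lexically(base_dir, user_path)  # cheap first gate
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PathOutsideBaseError(f"{user_path!r} resolves outside {base_dir!r}")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around confine_lexically for quick policy checks."""
    try:
        confine_lexically(base_dir, user_path)
        return True
    except PathOutsideBaseError:
        return False


def demo_symlink_escape() -> bool:
    """Create a backup dir holding a symlink to /etc and request "link/passwd".

    The lexical check passes (the path looks internal) while the resolved check
    blocks it. Returns True when the resolved check blocked the escape.
    """
    with tempfile.TemporaryDirectory() as base:
        os.symlink("/etc", os.path.join(base, "link"))
        confine_lexically(base, "link/passwd")  # passes: no "../", not absolute
        try:
            confine_resolved(base, "link/passwd")
        except PathOutsideBaseError:
            return True
        return False


if __name__ == "__main__":
    base = "/var/backups"  # assumed backup directory for the demo
    for req in ["site/db.sql", "../../etc/passwd", "/etc/passwd"]:
        print(f"{req!r:22} unsafe -> {unsafe_join(base, req)}  "
              f"confined: {is_confined(base, req)}")
    print("symlink escape blocked by resolved check:", demo_symlink_escape())
```

      In a real plugin the resolved check is the one to ship, and the served path should additionally be opened relative to the base directory rather than by absolute string, so that a race between the check and the open cannot reintroduce the traversal.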

      Sources
      https://thehackernews.com/2022/09/hackers-exploit-zero-day-in-wordpress.html
      https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/

      Critical Vulnerability Affecting Zyxel NAS Devices

      Overview

      A critical vulnerability in Zyxel NAS devices has been discovered. The vulnerability is tracked as CVE-2022-34747 (CVSS score of 9.8) and affects the NAS326, NAS540, and NAS542 models. The issue is a format string vulnerability.

      Potential Impact

      Successful exploitation could allow an unauthenticated attacker to achieve remote code execution by sending a crafted UDP packet. The targeting of NAS devices is increasing, and threat actors are leveraging these types of vulnerabilities to cause data destruction by deploying ransomware or breaching confidentiality by acquiring data. 

      Recommended Actions

      Administrators are urged to apply the released firmware updates, which address this vulnerability. Affected versions and patch availability are listed in Zyxel's advisory: https://www.zyxel.com/us/en/support/Zyxel-security-advisory-for-format-string-vulnerability-in-NAS.shtml

      It is also recommended that NAS devices, especially those housing sensitive information, not be directly accessible from the Internet as this increases the risk of compromise. 

      Sources
      https://www.zyxel.com/us/en/support/Zyxel-security-advisory-for-format-string-vulnerability-in-NAS.shtml
      https://thehackernews.com/2022/09/critical-rce-vulnerability-affects.html

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
