
ZeroFox Daily Intelligence Brief - July 26, 2023

by Alpha Team


ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Please find today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Remote Execution Vulnerability in MikroTik RouterOS
  • Yamaha Canada Music Issues Statement on Ransomware Incident
  • VMware Fixes Bug Exposing CF API Admin Credentials in Audit Logs
  • Data broker / initial-access broker / XSS: RDP Access To Unnamed Brazilian Construction Company and SSH Access To API Server Of Taiwanese Taxi Company Advertised
  • Vulnerabilities: CVE-2023-23719 and CVE-2023-39130
  • Exploits: CVE-2010-1871 and CVE-2020-11857
  • Breaches: Spamhaus Data Breach and Telegram: TIZIX FREE.rar

Remote Execution Vulnerability in MikroTik RouterOS

A severe privilege escalation flaw in MikroTik RouterOS could be exploited by remote malicious actors to execute arbitrary code and gain full control of vulnerable devices. The vulnerability, tracked as CVE-2023-30799 (CVSS score: 9.1), affects between 500,000 and 900,000 RouterOS systems. The flaw was initially disclosed as the FOISted exploit in June 2022; a patch was released on October 13, 2022, for RouterOS version 6.49.7 and on July 19, 2023, for version 6.49.8.

Yamaha Canada Music Issues Statement on Ransomware Incident

Yamaha Canada Music Ltd. recently faced a cyberattack that led to unauthorized access and data theft. In response, the company contained the attack, worked with specialists to prevent significant damage or malware infiltration, and took actions to reinforce network defenses and enhance security measures. Affected individuals are being notified, and credit monitoring services are being offered to those at risk. Yamaha stated that it regrets any potential impact on individuals and organizations associated with it. The company was listed on the Akira ransomware leak site on July 21.

VMware Fixes Bug Exposing CF API Admin Credentials in Audit Logs

VMware has resolved an information disclosure vulnerability affecting Tanzu Application Service for VMs (TAS for VMs) and Isolation Segment. This flaw exposed credentials via system audit logs, potentially allowing remote attackers with low privileges to access Cloud Foundry API admin credentials. Exploitation could enable threat actors to push malicious app versions. VMware advises affected users to rotate Cloud Foundry API admin credentials as a precaution.

THREAT ACTIVITY: INITIAL-ACCESS BROKERS, DATA BROKERS, AND HACKTIVISTS

  • XSS: RDP Access To Unnamed Brazilian Construction Company Advertised
  • XSS: SSH Access To API Server Of Taiwanese Taxi Company Advertised

VULNERABILITIES

  • CVE-2023-23719 - Cross-Site Request Forgery (CSRF) vulnerability in Premmerce plugin
  • CVE-2023-39130 - GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow

EXPLOITS

  • CVE-2010-1871: JBoss Seam 2 - Arbitrary File Upload / Execution (Metasploit)
  • CVE-2020-11857: Micro Focus Operations Bridge Reporter shrboadmin Default Password

BREACHES

Tags: DIB, tlp:green