Exposures, Exposed! Weekly Round-up September 17-22

Welcome back to Exposures, Exposed!, XM Cyber’s weekly round-up of exposure news you can use. We scour the cyber universe to bring you the past week’s most impactful exposures from around the globe. Cyber threats never rest…and neither do our researchers. 

Here are our top picks for this week:

Almost 12K Juniper Firewalls Vulnerable to RCE Vulnerability

Some 12,000 internet-exposed Juniper firewall devices are vulnerable to a remote code execution flaw, CVE-2023-36845, discovered by VulnCheck. Potentially exploitable by an unauthenticated remote attacker, the flaw enables arbitrary code execution on Juniper firewalls without creating system files.

This is a medium-severity vulnerability in Junos OS’s J-Web component, which was patched (along with other vulnerabilities) in an out-of-cycle update by Juniper Networks. The latest exploit focuses solely on CVE-2023-36845 and impacts older systems. It achieves arbitrary code execution by manipulating environment variables and PHP features. 

While Juniper hasn’t reported successful customer exploits, they’ve detected exploitation attempts in the wild. Users must apply necessary fixes promptly to mitigate potential threats.

‘ShroudedSnooper’ Backdoors in Telecom Attacks

A threat actor known as “ShroudedSnooper” recently targeted two Middle East-based telecommunications organizations, using innovative backdoors to infiltrate their systems. Cisco Talos, in a report shared with Dark Reading, revealed this intrusion, which is characterized by two advanced backdoors: “HTTPSnoop” and “PipeSnoop.” 

Both of these backdoors have seriously robust anti-detection mechanisms – notably, they can disguise themselves as legitimate software and infect low-level Windows server components. Once in place, they execute malicious shellcode that grants attackers a persistent presence in victim networks – which is ideal for lateral movement, data theft, or further malware deployment.

ShroudedSnooper’s malicious innovations are great examples of the difficulties telecoms face in identifying and eradicating backdoors. Prevention, rather than response, is a far better defense strategy – especially given the complexity of forensic analysis. Organizations should focus on detecting early-stage attack activities, since attackers require high privileges for deployment.

SprySOCKS Linux Backdoor Threatens Governments 

A China-linked threat actor known as ‘Earth Lusca’ recently targeted government entities using a previously unseen Linux backdoor named SprySOCKS. The Earth Lusca group was first documented in 2022 and employs spear-phishing and watering hole attacks for cyber espionage across Asia, Australia, Europe, and North America. In 2023, the group started concentrating on government departments involved in foreign affairs, technology, and telecommunications – notably in Southeast Asia, Central Asia, and the Balkans.

SprySOCKS is derived from the open-source Windows backdoor Trochilus and is loaded using an ELF injector component called Mandibule. SprySOCKS collects system data, initiates an interactive shell, creates SOCKS proxies, and conducts file operations. Communication is via TCP packets – similar to tactics we saw in the Windows-based RedLeaves trojan. There are multiple SprySOCKS versions, which suggests that Earth Lusca is continuously modifying the malware. Clearly, this threat points to the importance of organizations proactively managing their attack surface through regular patching and system updates.

Fake CVE-2023-40477 Point to VenomRAT

New research from Palo Alto’s Unit 42 disclosed that threat actors are more frequently repurposing older proof-of-concept (PoC) code to rapidly rollout fake PoCs for recently disclosed vulnerabilities. An example of this occurred when the Zero Day Initiative reported an RCE vulnerability in WinRAR (CVE-2023-40477). This was on August 17, 2023 – coming on the heels of disclosure to the vendor on June 8, 2023. Just four days later, a threat actor with the alias “whalersplonk” uploaded a fake PoC script to their GitHub repository.

This fake PoC is designed to exploit the WinRAR vulnerability and is based on a publicly available PoC script that targeted a SQL injection flaw in GeoServer (CVE-2023-25157). Examination of the fake PoC script revealed an infection chain that leads to the installation of the VenomRAT payload.

The threat actor’s intent seems to have been to swiftly exploit the severe RCE in the widely-used WinRAR application, which has over 500 million users globally. 

That’s all for this week – have any to add to our list? Let us know!