Apr 01, 2023Ravie Lakshmanan
Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex
are being exploited by various threat actors in hacks targeting
unpatched systems.
This entails the abuse of CVE-2022-46169[1]
(CVSS score: 9.8) and CVE-2021-35394[2]
(CVSS score: 9.8) to deliver MooBot[3]
and ShellBot[4]
(aka PerlBot), Fortinet FortiGuard Labs said[5]
in a report published this week.
CVE-2022-46169[6]
relates to a critical authentication bypass and command injection
flaw in Cacti servers that allows an unauthenticated user to
execute arbitrary code. CVE-2021-35394[7]
also concerns an arbitrary command injection vulnerability
impacting the Realtek Jungle SDK that was patched in 2021.
While the latter has been previously exploited to distribute
botnets like Mirai, Gafgyt, Mozi, and RedGoBot, the development
marks the first time it has been utilized to deploy MooBot, a Mirai
variant known to be active since 2019.
The Cacti flaw, besides being leveraged for MooBot attacks, has
also been observed serving ShellBot payloads since January 2023,
when the issue came to light.
At least three different versions of ShellBot have been detected
– viz. PowerBots (C) GohacK, LiGhT’s Modded perlbot v2, and B0tchZ
0.2a – the first two of which were recently disclosed[8]
by the AhnLab Security Emergency response Center (ASEC).
All three variants are capable of orchestrating distributed
denial-of-service (DDoS) attacks. PowerBots (C) GohacK and B0tchZ
0.2a also feature backdoor capabilities to carry out file
uploads/downloads and launch a reverse shell.
“Compromised victims can be controlled and used as DDoS bots
after receiving a command from a C2 server,” Fortinet researcher
Cara Lin said. “Because MooBot can kill other botnet processes and
also deploy brute force attacks, administrators should use strong
passwords and change them periodically.”
Active Exploitation of IBM Aspera Faspex Flaw
A third security vulnerability that has come under active
exploitation is CVE-2022-47986[9]
(CVSS score: 9.8), a critical YAML deserialization issue in IBM’s
Aspera Faspex file exchange application.
THN WEBINAR
Become an Incident Response Pro!
Unlock the secrets to bulletproof incident response – Master the
6-Phase process with Asaf Perlman, Cynet’s IR Leader!
Don’t Miss Out –
Save Your Seat![10]
The bug[11], patched in December
2022 (version 4.4.2 Patch Level 2[12]), has been co-opted by
cybercriminals in ransomware campaigns associated with Buhti[13] and IceFire[14] since February, shortly
after the release of the proof-of-concept (PoC) exploit.
Cybersecurity firm Rapid7, earlier this week, revealed[15] that one of its
customers was compromised by a security flaw, necessitating that
users move quickly to apply the fixes to prevent potential
risks.
“Because this is typically an internet-facing service and the
vulnerability has been linked to ransomware group activity, we
recommend taking the service offline if a patch cannot be installed
right away,” the company said.
Found this article interesting? Follow us on Twitter [16] and LinkedIn[17] to read more exclusive
content we post.
References
- ^
CVE-2022-46169
(nvd.nist.gov) - ^
CVE-2021-35394
(nvd.nist.gov) - ^
MooBot
(thehackernews.com) - ^
ShellBot
(thehackernews.com) - ^
said
(www.fortinet.com) - ^
CVE-2022-46169
(thehackernews.com) - ^
CVE-2021-35394
(thehackernews.com) - ^
recently
disclosed (thehackernews.com) - ^
CVE-2022-47986
(nvd.nist.gov) - ^
Don’t Miss Out – Save Your Seat!
(thn.news) - ^
bug
(thehackernews.com) - ^
4.4.2
Patch Level 2 (www.ibm.com) - ^
Buhti
(attackerkb.com) - ^
IceFire
(thehackernews.com) - ^
revealed
(www.rapid7.com) - ^
Twitter
(twitter.com) - ^
LinkedIn
(www.linkedin.com)
Read more https://thehackernews.com/2023/04/cacti-realtek-and-ibm-aspera-faspex.html
