All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of December 5th, 2022. I’ve also included some comments on these stories.
Vulnerable Redis servers allow malware to drop a backdoor
A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution, BleepingComputer reported. CVE-2022-0543 is a critical vulnerability in Redis (Remote Dictionary Server) software with a maximum severity rating. It was discovered and fixed this past February.
Redis servers left unpatched against the Lua sandbox escape (CVE-2022-0543) are being hit by malware that drops a backdoor. The most recent such malware is called “Redigo” because it is written in Go. To evade detection, the malware emulates legitimate Redis communication. According to AquaSec, infected systems will most likely be added to a botnet and used in DDoS attacks.
This vulnerability was disclosed in February 2022, and an exploit was released soon after. Malware started exploiting it a day after the PoC was released. Systems may not have been patched immediately because of stability concerns. However, a high-severity vulnerability warrants prompt attention, and public access should have been restricted until systems were patched.
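As an added example (not code from Tripwire's post or from the Redis project), the following Python audit flags the exposure settings that the recommendation above is about: a constructed, weak redis.conf sits beside a hardened equivalent, and the `requirepass` value is a placeholder.

```python
"""Audit a redis.conf for network exposure (added example, not Tripwire or Redis code)."""
from typing import Dict, List

# Constructed sample: a Redis instance reachable from anywhere, with no auth.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass not set
"""

# Constructed hardened equivalent: loopback only, protected mode on, auth required.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass <placeholder-strong-secret>
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument tokens, skipping comments and blank lines."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def audit(text: str) -> List[str]:
    """Return exposure findings for a redis.conf; an empty list means none were found."""
    d = parse_conf(text)
    findings: List[str] = []
    binds = d.get("bind", [])  # with no 'bind' directive Redis listens on all interfaces
    # Redis 7 allows a leading '-' on optional addresses, so strip it before comparing.
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("listens on all interfaces")
    if d.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode disabled")
    if "requirepass" not in d:
        findings.append("no requirepass set")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```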
Data breach at LastPass
LastPass says unknown attackers breached its cloud storage using information stolen back in August during a previous security incident, noted BleepingComputer on November 30th. The company added that the threat actors were able to gain access to customer data – but not all.
Customer data was accessed during a breach at LastPass. The information was taken from LastPass’ cloud storage service, and the attackers got in using information obtained in the August incident. LastPass has assured customers that passwords were not compromised thanks to its zero-knowledge architecture.
Cisco IP phone code execution vulnerability
Last Thursday, Cisco disclosed a high-severity vulnerability affecting the latest generation of its IP phones, BleepingComputer reported, which would expose the phones to remote code execution and denial of service (DoS) attacks. The company warned users that "proof-of-concept exploit code is available" and stated that the "vulnerability has been publicly discussed."
Cisco IP phones are subject to code execution and denial-of-service attacks, and a proof of concept has been released online. The issue exists because of improper input validation of Cisco Discovery Protocol (CDP) packets, which allows an adjacent attacker to trigger a stack overflow. Qian Chen of the Codesafe Team of Legendsec at QI-ANXIN Group first reported the vulnerability to Cisco.
This vulnerability affects Cisco IP phones running 7800 and 8800 firmware. Cisco has not yet released a patch for this issue but offers a mitigation: disabling the Cisco Discovery Protocol on affected devices. The mitigation should be tested before it is deployed to production environments.
Royal Ransomware targeting healthcare
The U.S. Department of Health and Human Services (HHS) warned the country’s healthcare organizations last week regarding attacks from the relatively new Royal ransomware gang, noted BleepingComputer on December 8th. The Health Sector Cybersecurity Coordination Center (HC3) revealed that the ransomware group has already been behind multiple attacks against U.S. healthcare orgs.
The Royal ransomware group has been behind multiple attacks against U.S. healthcare organizations and has claimed to have leaked all of the stolen data. The frequency of attacks has increased since September. To gain network access, the group uses social engineering to convince users to install remote access software. Once systems are infected, the group demands between $250,000 and $2 million. To ensure that the attack is covered by news outlets, the group then uses stolen Twitter accounts to tweet at news organizations with a link to the stolen data.
Increased security awareness training is needed so that employees do not install software at the request of unknown parties. Employees should be skeptical of unsolicited messages from strangers and verify the sender’s identity. Proper training would help employees detect potential scams; however, training can only go so far and should be only part of the solution.
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.