Security News

Proof-of-concept exploit code has been released online for two actively exploited and high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell. Microsoft released security updates to address the two security flaws as part of the November 2022 Patch Tuesday, even though ProxyNotShell attacks have been detected since at least September 2022.

Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server. "Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," CISA noted.

The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell remote code execution vulnerability. After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency's network.

Older versions of the Spotify Backstage development portal builder are vulnerable to a critical unauthenticated remote code execution flaw allowing attackers to run commands on publicly exposed systems. Oxeye confirmed the impact in Backstage and alerted Spotify on August 18, 2022.

Proof-of-concept exploit code is now available for a pre-authentication remote code execution vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances. The flaw is in the XStream open-source library used by the two VMware products and was assigned an almost maximum CVSSv3 base score of 9.8/10 by VMware.

Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw.

Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives. Researchers at cybersecurity company Fortinet noticed in the newest campaigns that the threat actors deployed the Mira botnet for distributed denial-of-service attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.

A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. "The attacker intends to utilize a victim's resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report.

Fortinet urges customers to urgently patch their appliances against a critical authentication bypass FortiOS, FortiProxy, and FortiSwitchManager vulnerability exploited in attacks. The company released security updates to address the flaw last week and it also advised customers in private alerts to disable remote management user interfaces on affected devices "With the utmost urgency" to block attacks if they can't immediately patch.

A proof-of-concept exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches. "FortiOS exposes a management web portal that allows a user to configure the system," Horizon3.