In a recent analysis conducted by Bishop Fox, it has been discovered that over 178,000 SonicWall firewalls are susceptible to security flaws when exposed over the internet.
These vulnerabilities could lead to a denial-of-service (DoS) condition and remote code execution (RCE).
Vulnerability Details
- CVE-2022-22274 (CVSS score: 9.4)
- CVE-2023-0656 (CVSS score: 7.5)
| Technical Analysis | |
| Analyst: | Jon Williams, Senior Security Engineer at Bishop Fox |
| Code Vulnerability: | Both issues stem from the same vulnerable code pattern |
| Exploit Paths: | Exploitable at different HTTP URI paths |
| Potential Exploitation: | No current reports of exploitation in the wild |
| Proof-of-Concept (PoC): | SSD Secure Disclosure team published a PoC for CVE-2023-0656 in April 2023 |
| Impact on Devices: | This could lead to repeated crashes, forcing the appliance into maintenance |
| Administrative Action: | Requires administrative action to restore standard functionality |
Bishop Fox’s research revealed that over 146,000 publicly accessible devices remain vulnerable to a bug published almost two years ago, indicating a concerning level of exposure.
Remcos RAT Spreading Through WebHards in South Korea
A concerning discovery has been made regarding the propagation of the Remcos Remote Access Trojan (RAT) in South Korea.
The cybercriminals behind this threat are employing a stealthy approach, disguising the RAT as adult-themed games and distributing it through popular online file storage systems known as WebHards.
WebHards as a Vehicle
WebHards, commonly used in South Korea for online file storage and sharing, have previously been associated with delivering malware such as njRAT, UDP RAT, and DDoS botnets.
The latest analysis from AhnLab Security Emergency Response Center (ASEC) reveals a shift in tactics, with Remcos RAT now being distributed using this method.
Understanding Remcos RAT
Remcos RAT, initially marketed as a legitimate remote administration tool by the German firm Breaking Security in 2016, has evolved into a powerful weapon for adversaries.
It enables unauthorized remote control and surveillance of compromised hosts, allowing threat actors to exfiltrate sensitive data.
Inferno Drainer Scheme, A Year of Deceptive Tactics
Operators behind the now-defunct Inferno Drainer engaged in a sophisticated scheme, generating more than 16,000 unique malicious domains between 2022 and 2023.
The strategy involved deploying high-quality phishing pages, enticing users to link their cryptocurrency wallets to the attackers’ infrastructure. Spoofing Web3 protocols, victims were deceived into authorizing transactions.
The Year of Threats Has Just Started!
Group-IB suggests that the success of Inferno Drainer could lead to the emergence of new drainers and an increase in malicious scripts mimicking Web3 protocols in 2024.
Remcos RAT’s capabilities include keylogging, audio recording, screenshot capture, and more. These features highlight its potential to compromise user privacy, extract sensitive data, and manipulate systems.
These capabilities remind us that we need to be extra secure this year as malware techniques improve.
Marrium Akhtar
January 17, 2024
4 months ago
