Cybersecurity Weekly | CISA warns of submarine backdoor used in Barracuda ESG attack

1. CISA warns of submarine backdoor used in Barracuda ESG attack

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a malware variant tracked as SUBMARINE Backdoor, deployed by threat actors exploiting CVE-2023-2868 in Barracuda Email Security Gateway (ESG) appliances. CVE-2023-2868 lies in the email attachment screening module, and threat actors exploited it to gain unauthorized access to a subset of ESG appliances.

Reference link: CISA warns about SUBMARINE Backdoor employed in Barracuda ESG attacks (Security Affairs)

2. Researchers find AWS SSM Agent misused as a covert remote access Trojan

Cybersecurity researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows the AWS Systems Manager Agent (SSM Agent) to be run as a remote access Trojan on Windows and Linux hosts. SSM Agent is software installed on Amazon Elastic Compute Cloud (Amazon EC2) instances that lets administrators update, manage and configure their AWS resources through a unified interface. If an attacker obtains high-privilege access on an endpoint where SSM Agent is installed, the agent can be repurposed to carry on malicious activity while appearing to be legitimate management traffic.
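A defender reading the item above will want a way to spot an SSM Agent that has been re-pointed away from the organisation's own control plane. The script below is an added example (not from the article or the researchers it summarises): it audits a process listing for SSM Agent instances, flags any agent started with an on-the-fly registration command line, any agent whose region argument differs from the region the host is expected to report to, and any host running more agent processes than expected. The `-register -code -id -region` command-line form is the hybrid-activation syntax as the author understands it and is treated here as an assumption; the process listing is constructed sample data in `ps -eo pid,user,args` layout, not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ps -eo pid,user,args` output (not real telemetry).
# It contains one normal agent, its worker, a second agent being registered
# from the command line, and a third bare agent process.
SAMPLE_PS = """\
  812 root     /usr/bin/amazon-ssm-agent
  845 root     /usr/bin/ssm-agent-worker
 2310 root     /usr/bin/amazon-ssm-agent -register -code ABC123 -id i-exampleactivation -region us-east-1
 2355 root     /usr/bin/amazon-ssm-agent
"""

# A host normally runs exactly one amazon-ssm-agent supervisor process.
EXPECTED_AGENT_COUNT = 1

# Assumed command-line form for hybrid activation (treated as an assumption here).
REGISTER_FLAG = "-register"
REGION_PATTERN = re.compile(r"-region\s+(\S+)")


@dataclass
class Finding:
    pid: int        # 0 for host-level findings that are not tied to one process
    reason: str
    cmdline: str


def parse_ps(text):
    """Parse `pid user args` rows into (pid, user, args) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, user, args = line.split(None, 2)
        rows.append((int(pid), user, args))
    return rows


def audit_ssm_processes(text, expected_region=None):
    """Return findings for SSM Agent processes that look re-purposed.

    Checks performed:
      * an agent invoked with the registration flag (re-registration at runtime)
      * an agent whose -region argument differs from expected_region
      * more agent supervisor processes than EXPECTED_AGENT_COUNT
    """
    findings = []
    agents = [row for row in parse_ps(text) if "amazon-ssm-agent" in row[2]]

    for pid, user, args in agents:
        tokens = args.split()
        if REGISTER_FLAG in tokens:
            findings.append(Finding(pid, "agent registration from command line", args))
        match = REGION_PATTERN.search(args)
        if expected_region and match and match.group(1) != expected_region:
            findings.append(
                Finding(pid, f"region {match.group(1)} differs from expected {expected_region}", args)
            )

    if len(agents) > EXPECTED_AGENT_COUNT:
        findings.append(
            Finding(0, f"{len(agents)} agent processes, expected {EXPECTED_AGENT_COUNT}", "")
        )
    return findings


if __name__ == "__main__":
    for finding in audit_ssm_processes(SAMPLE_PS, expected_region="us-east-1"):
        print(f"pid={finding.pid:<5} {finding.reason}: {finding.cmdline}")
```

On the sample data the script reports the registration command line on PID 2310 and the excess agent count; supplying a different expected region adds a third finding for the region mismatch. In practice the same checks can be run over EDR process telemetry rather than a local `ps` snapshot, and the expected region and agent count should come from the fleet's own baseline.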

Reference link: Researchers Uncover AWS SSM Agent Misuse as a Covert Remote Access Trojan

3. WordPress Ninja Forms Plugin Exposed Serious Vulnerabilities

The popular WordPress form-building plugin Ninja Forms contains three vulnerabilities that could allow attackers to escalate privileges and steal user data. Any website that offers membership or user registration through a vulnerable version of the plugin is exposed to a large-scale data breach.

Reference link: https://www.bleepingcomputer.com/news/security/wordpress-ninja-forms-plugin-flaw-lets-hackers-steal-submitted-data/

4. Hundreds of Citrix servers backdoored with web shells in ongoing attacks

Hundreds of Citrix NetScaler ADC and Gateway servers have been compromised and backdoored through exploitation of CVE-2023-3519, a critical remote code execution (RCE) vulnerability. The flaw was previously exploited as a zero-day to compromise the networks of U.S. critical infrastructure organizations. According to researchers, attackers deployed web shells on at least 640 Citrix servers in these attacks, and the number detected is believed to be far lower than the number actually compromised. The vulnerability primarily affects unpatched NetScaler appliances configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an authentication virtual server (AAA server).

Reference link: https://www.bleepingcomputer.com/news/security/over-640-citrix-servers-backdoored-with-web-shells-in-ongoing-attacks/

5. PaperCut print management software exposes remote code execution vulnerability

A remote code execution vulnerability has been reported in PaperCut MF and NG, affecting versions 22.0.9 and earlier on all supported operating systems. The vulnerability stems from insufficient access controls, so an unauthenticated remote user could exploit it to bypass authentication and execute code in the context of SYSTEM. It is related to vulnerabilities that have been exploited in the wild in other vendors' print management software, which is of great concern given that nearly every enterprise organization has networked printers.

Reference link: https://blogs.juniper.net/en-us/threat-research/cve-2023-27350-papercut-ng-and-mf-remote-code-execution-vulnerability


Origin blog.csdn.net/LJQClqjc/article/details/132107713