Internet Storm Center Spotlight





ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html



Python Infostealer Targeting Gamers

Published: 2023-03-01

Last Updated: 2023-03-01 09:15:08 UTC

by Xavier Mertens (Version: 1)


There are a lot of “gamers” on the Internet. They generate a lot of business around games. Many of them can be downloaded for free, but they have online shops to buy options like extra lives, weapons, suits, packages, etc. Therefore, the business of gaming is very lucrative today[1].


I spotted a malicious Python script that acts as an info stealer focusing on gamers! Based on strings found in the code, the attribution goes to Russia (“????????? ??????” can be translated to “a new connection has been established”).


Today, most Python malicious scripts use Discord as a C2, but this one uses Telegram...


Read the full entry: https://isc.sans.edu/diary/Python+Infostealer+Targeting+Gamers/29596/




URL files and WebDAV used for IcedID (Bokbot) infection

Published: 2023-02-24

Last Updated: 2023-02-24 01:37:45 UTC

by Brad Duncan (Version: 1)


IcedID (also known as Bokbot) is an information stealer/backdoor malware that can lead to other activity like Cobalt Strike and Virtual Network Computing (VNC) traffic.  IcedID is often distributed through email, and we've also seen it delivered by fake software sites from Google ad traffic.


For email-based distribution, we've seen OneNote files as an initial lure this month (here's one example). But these distribution patterns occasionally change.  For example, on Tuesday 2023-02-21, we found a distribution pattern using .url files and WebDAV traffic for an IcedID infection.


Today's diary reviews an infection from Thursday 2023-02-23 generated by one of those .url files.


Read the full entry: https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578/

Internet Storm Center Entries


Recent CVEs




The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.



CVE-2022-39952 - An external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request.

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39952

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8380




CVE-2023-21716 - Microsoft Word Remote Code Execution Vulnerability

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21716

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716




CVE-2023-0286 - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0286




CVE-2023-21839 - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. An easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.

CVSS 3.1 Base Score 7.5 (Confidentiality impacts). 

CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21839

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8388




CVE-2023-26253 - In Gluster GlusterFS 11.0, there is an xlators/mount/fuse/src/fuse-bridge.c notify stack-based buffer over-read.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26253

NVD References: https://github.com/gluster/glusterfs/issues/3954




CVE-2023-0232 - The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0232

NVD References: 

- https://plugins.trac.wordpress.org/changeset/2852711/woolentor-addons/trunk/includes/helper-function.php

- https://wpscan.com/vulnerability/1885a708-0e8a-4f4c-8e26-069bebe9a518




CVE-2023-0938 - A vulnerability classified as critical has been found in SourceCodester Music Gallery Site 1.0. This affects an unknown part of the file music_list.php of the component GET Request Handler. The manipulation of the argument cid leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-221553 was assigned to this vulnerability.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0938

NVD References: 

- https://github.com/navaidzansari/CVE_Demo/blob/main/2023/Music%20Gallery%20Site%20-%20SQL%20Injection%201.md

- https://vuldb.com/?ctiid.221553

- https://vuldb.com/?id.221553




CVE-2023-0946 - A vulnerability has been found in SourceCodester Best POS Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file billing/index.php?id=9. The manipulation of the argument id leads to SQL injection. The attack can be launched remotely. The identifier VDB-221593 was assigned to this vulnerability.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0946

NVD References: 

- https://vuldb.com/?ctiid.221593

- https://vuldb.com/?id.221593




CVE-2023-1040 - A vulnerability, which was classified as critical, has been found in SourceCodester Online Graduate Tracer System 1.0. Affected by this issue is some unknown functionality of the file tracking/admin/add_acc.php. The manipulation of the argument id leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-221798 is the identifier assigned to this vulnerability.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1040

NVD References: 

- https://vuldb.com/?ctiid.221798

- https://vuldb.com/?id.221798




CVE-2023-1053 - A vulnerability was found in SourceCodester Music Gallery Site 1.0 and classified as critical. This issue affects some unknown processing of the file view_category.php. The manipulation of the argument id leads to SQL injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-221819.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1053

NVD References: 

- https://vuldb.com/?ctiid.221819

- https://vuldb.com/?id.221819




CVE-2023-1054 - A vulnerability was found in SourceCodester Music Gallery Site 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/?page=user/manage. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-221820.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1054

NVD References: 

- https://vuldb.com/?ctiid.221820

- https://vuldb.com/?id.221820




CVE-2023-25158 - GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25158

NVD References: 

- https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b

- https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m




CVE-2023-25157 - GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike`` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25157

NVD References: 

- https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d

- https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf




CVE-2023-25813 - Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.

CVSS Score: 10.0 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25813

NVD References: 

- https://github.com/sequelize/sequelize/commit/ccaa3996047fe00048d5993ab2dd43ebadd4f78b

- https://github.com/sequelize/sequelize/issues/14519

- https://github.com/sequelize/sequelize/releases/tag/v6.19.1

- https://github.com/sequelize/sequelize/security/advisories/GHSA-wrh9-cjv3-2hpw




CVE-2023-0104 - The listed versions for Weintek EasyBuilder Pro are vulnerable to a ZipSlip attack caused by decompiling a malicious project file. This may allow an attacker to gain control of the user’s computer or gain access to sensitive data.

CVSS Score: 9.3 

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0104

NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-045-01




CVE-2023-0939 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NTN Information Technologies Online Services Software allows SQL Injection. This issue affects Online Services Software: before 1.17.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0939

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0103




CVE-2022-2504 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SDD Computer Software SDD-Baro allows SQL Injection. This issue affects SDD-Baro: before 2.8.432.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-2504

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0107




CVE-2023-0754 - The affected products are vulnerable to an integer overflow or wraparound, which could allow an attacker to crash the server and remotely execute arbitrary code.

CVE-2023-0755 - The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0754

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0755

NVD References: https://www.cisa.gov/uscert/ics/advisories/icsa-23-054-01




CVE-2021-4105 - Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewall allows Remote Code Inclusion. This issue affects COSLAT Firewall: from 5.24.0.R.20180630 before 5.24.0.R.20210727.

CVSS Score: 10.0 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-4105

NVD References: 

- http://blog.coslat.com/2021/07/onemli-kritik-guncelleme-2021-07-27.html

- https://www.usom.gov.tr/bildirim/tr-23-0108




CVE-2023-26034 - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.

CVSS Score: 9.6 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26034

NVD References: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-222j-wh8m-xjrx



CVE-2021-3329 - Lack of proper validation in HCI Host stack initialization can cause a crash of the Bluetooth stack.

CVSS Score: 9.6 

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-3329

NVD References: https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-117




CVE-2022-45138 - The configuration backend of the web-based management can be used by unauthenticated users, although only authenticated users should be able to use the API. The vulnerability allows an unauthenticated attacker to read and set several device parameters that can lead to full compromise of the device.

CVE-2022-45140 - The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the storage, which could lead to unauthenticated remote code execution and full system compromise.

CVSS Score: 9.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45138

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-45140

NVD References: https://cert.vde.com/en/advisories/VDE-2022-060/




CVE-2023-23529 - A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.2.1, iOS 16.3.1 and iPadOS 16.3.1, Safari 16.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVSS Score: 0 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

** KEV since 2023-02-14 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23529

NVD References: 

- https://support.apple.com/en-us/HT213633

- https://support.apple.com/en-us/HT213635

- https://support.apple.com/en-us/HT213638




CVE-2023-0339 - Relative Path Traversal vulnerability in ForgeRock Access Management Web Policy Agent allows Authentication Bypass. This issue affects Access Management Web Policy Agent: all versions up to 5.10.1.

CVE-2023-0511 - Relative Path Traversal vulnerability in ForgeRock Access Management Java Policy Agent allows Authentication Bypass. This issue affects Access Management Java Policy Agent: all versions up to 5.10.1.

CVSS Score: 9.1 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0339

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0511

NVD References: 

- https://backstage.forgerock.com/downloads/browse/am/featured/web-agents

- https://backstage.forgerock.com/downloads/browse/am/featured/java-agents

- https://backstage.forgerock.com/knowledge/kb/article/a21576868