ZeroFox Daily Intelligence Brief - June 19, 2023
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Please find today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Microsoft Confirms Azure and Outlook Outages Caused by DDoS Attacks
- ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert Command and Control
- Eaton Resolves Security Flaw Allowing Remote Access to Thousands of Smart Alarm Systems
- Vulnerabilities: CVE-2023-35857, CVE-2023-35855, and CVE-2023-35856
- Exploits: CVE-2010-2075 and CVE-2012-5932
- Breaches: XSS: Zacks Investment Research Data Breach and BreachForums/XSS: Epic Games Data Breach
Microsoft Confirms Azure and Outlook Outages Caused by DDoS Attacks
Microsoft has confirmed that recent outages of the Azure, Outlook, and OneDrive web portals were caused by Layer 7 (application-layer) distributed denial-of-service (DDoS) attacks conducted by the group Microsoft tracks as Storm-1359, publicly known as Anonymous Sudan. This Killnet-allied group had recently targeted Scandinavian Airlines and the Australian fashion label Not A Man’s Dream, and has threatened to disrupt “Western banking infrastructure” through attacks on SWIFT and related systems.
ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert Command and Control
Chinese threat actor group ChamelGang is using a new malware strain called "ChamelDoH" to backdoor Linux systems, tunneling its command-and-control traffic over DNS-over-HTTPS (DoH). Because DoH wraps DNS queries in ordinary HTTPS sessions to a resolver, conventional DNS monitoring never sees the queries, and the traffic is hard to distinguish from legitimate encrypted web traffic, which makes the malicious requests difficult for defenders to identify and block. The group has previously targeted the fuel, energy, and aviation industries in several countries by exploiting flaws in Microsoft Exchange and Red Hat JBoss Enterprise Application Platform (EAP) servers.
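To make the detection problem concrete, the following added example (not ZeroFox's or the malware's code; the page gives no details of ChamelDoH's own encoding) shows both halves of the pattern: how beacon data rides inside a standards-compliant DoH GET request (RFC 8484 wire-format query, base64url in the `dns` parameter), and a detector that decodes such requests out of constructed HTTPS proxy log lines, since a proxy or TLS-inspection point is the only place the queries are still visible. The resolver hostnames are real public DoH endpoints; the log lines, the `updates.example.net` C2 domain and the beacon payload are constructed for the example.

```python
import base64
import binascii
import math
import struct
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Public DoH resolver hostnames (real endpoints; this list is illustrative, not exhaustive).
KNOWN_DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def build_dns_query(qname: str, qtype: int = 16) -> bytes:
    """Minimal RFC 1035 wire-format query; qtype 16 = TXT, 1 = A. RFC 8484 asks for ID 0."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, flags(RD), qd, an, ns, ar
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                        for lbl in qname.rstrip(".").split("."))
    return header + question + b"\x00" + struct.pack(">HH", qtype, 1)


def doh_get_path(qname: str, qtype: int = 16) -> str:
    """RFC 8484 GET form: /dns-query?dns=<base64url of the wire query, padding stripped>."""
    encoded = base64.urlsafe_b64encode(build_dns_query(qname, qtype)).rstrip(b"=")
    return "/dns-query?dns=" + encoded.decode("ascii")


def tunnel_qname(beacon: bytes, c2_domain: str) -> str:
    """Hide beacon bytes in the leftmost label, as DNS tunnels commonly do (base32, lower-case,
    no padding). Generic technique; ChamelDoH's actual encoding is not described on this page."""
    label = base64.b32encode(beacon).decode("ascii").rstrip("=").lower()
    return f"{label}.{c2_domain}"


def parse_doh_path(path: str):
    """Decode a DoH GET path back to (qname, qtype); None if it is not a well-formed DoH query."""
    url = urlparse(path)
    if url.path != "/dns-query":
        return None
    params = parse_qs(url.query).get("dns")
    if not params:
        return None
    padded = params[0] + "=" * (-len(params[0]) % 4)  # restore the padding RFC 8484 strips
    try:
        msg = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    if len(msg) < 12 or struct.unpack(">H", msg[4:6])[0] != 1:  # exactly one question
        return None
    labels, pos = [], 12
    while pos < len(msg):
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(msg):  # compression pointers never appear in a question
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    else:
        return None  # ran off the end before the terminating zero label
    if pos + 4 > len(msg):  # qtype + qclass must follow
        return None
    return ".".join(labels), struct.unpack(">H", msg[pos:pos + 2])[0]


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload labels score far higher than dictionary words."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values()) if text else 0.0


def flag_doh_tunnels(log_lines, max_label_len: int = 20, entropy_threshold: float = 3.8):
    """Scan proxy log lines of the form '<ts> <src_ip> <dst_host> <method> <path>'.
    Returns {src_ip: [(dst_host, qname, reason), ...]} for requests that reach a public DoH
    resolver and carry a long or high-entropy label, the usual footprint of tunnelled data."""
    findings = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, _method, path = parts
        if dst not in KNOWN_DOH_RESOLVERS:
            continue
        decoded = parse_doh_path(path)
        if decoded is None:
            continue
        qname, qtype = decoded
        longest = max(qname.split("."), key=len)
        reasons = []
        if len(longest) > max_label_len:
            reasons.append(f"label length {len(longest)}")
        if shannon_entropy(longest) > entropy_threshold:
            reasons.append(f"label entropy {shannon_entropy(longest):.2f}")
        if reasons:
            findings.setdefault(src, []).append((dst, qname, f"qtype {qtype}; " + ", ".join(reasons)))
    return findings


# Constructed sample log: one workstation resolving ordinary names over DoH, one beaconing.
SAMPLE_LOG = [
    "2023-06-19T10:00:01Z 10.0.0.5 dns.google GET " + doh_get_path("www.example.com", 1),
    "2023-06-19T10:00:02Z 10.0.0.5 dns.google GET " + doh_get_path("mail.example.org", 1),
    "2023-06-19T10:00:03Z 10.0.0.9 cloudflare-dns.com GET "
    + doh_get_path(tunnel_qname(b"host=web01;uid=0", "updates.example.net"), 16),
    "2023-06-19T10:00:04Z 10.0.0.9 cloudflare-dns.com GET /dns-query?dns=not-base64!",
    "2023-06-19T10:00:05Z 10.0.0.7 intranet.example.net GET /dns-query?dns=AAAA",
]

if __name__ == "__main__":
    for src, hits in flag_doh_tunnels(SAMPLE_LOG).items():
        for dst, qname, why in hits:
            print(f"{src} -> {dst}: {qname} ({why})")
```

The decoder only works where the HTTPS body or URL is visible (a forward proxy, TLS inspection, or endpoint telemetry); without that, the remaining signal is the destination itself, so a simpler first control is to block or alert on connections to public DoH resolvers from hosts that should be using the enterprise resolver, and to enforce DoH at the enterprise resolver only.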
Eaton Resolves Security Flaw Allowing Remote Access to Thousands of Smart Alarm Systems
U.S.-based power and electronics company Eaton has resolved an insecure direct object reference (IDOR) flaw in its cloud software, SecureConnect, that enabled a researcher to remotely access thousands of smart security alarm systems. The vulnerability allowed anyone to sign up for an account and then, by intercepting requests and changing the user group number they carried, retrieve the registered usernames, email addresses, and location of every connected alarm system, because the service checked that the caller was authenticated but not that they were authorized for the group they asked for. Eaton fixed the bug in May 2023 but has not disclosed complete details of the exploit.
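The page does not describe SecureConnect's API, so the following is a generic added example (hypothetical endpoint and in-memory data, not Eaton's code) of the IDOR class described above: a group-scoped handler that trusts the client-supplied group number beside the hardened form that checks membership, plus the enumeration probe a researcher would run against each to see what a single self-registered account can read.

```python
from dataclasses import dataclass

# Constructed in-memory data for a hypothetical group-scoped alarm API; not Eaton's schema.
ALARMS_BY_GROUP = {
    101: [{"user": "alice", "email": "alice@example.com", "site": "Warehouse 4"}],
    102: [{"user": "bob", "email": "bob@example.com", "site": "Depot 9"}],
    103: [{"user": "carol", "email": "carol@example.com", "site": "Clinic 2"}],
}


@dataclass
class Session:
    """An authenticated caller and the groups the server knows them to belong to."""
    username: str
    groups: set


class Forbidden(Exception):
    pass


def list_alarms_vulnerable(session: Session, group_id: int) -> list:
    """IDOR: the handler trusts the client-supplied group number and never asks whether
    the caller belongs to that group. Being logged in is not the same as being authorized."""
    return ALARMS_BY_GROUP.get(group_id, [])


def list_alarms_fixed(session: Session, group_id: int) -> list:
    """Hardened form: the object reference is honoured only if the caller is a member,
    and the membership comes from server-side session state, not from the request."""
    if group_id not in session.groups:
        raise Forbidden(f"{session.username} is not a member of group {group_id}")
    return ALARMS_BY_GROUP.get(group_id, [])


def enumerate_groups(handler, session: Session, id_range) -> dict:
    """What the researcher's probe amounts to: replay the request with every group number.
    Returns {group_id: rows} for each group the handler let this session read."""
    leaked = {}
    for gid in id_range:
        try:
            rows = handler(session, gid)
        except Forbidden:
            continue
        if rows:
            leaked[gid] = rows
    return leaked


if __name__ == "__main__":
    attacker = Session("mallory", {102})  # a self-registered account in one group only
    print("vulnerable:", sorted(enumerate_groups(list_alarms_vulnerable, attacker, range(100, 110))))
    print("fixed:     ", sorted(enumerate_groups(list_alarms_fixed, attacker, range(100, 110))))
```

Sequential group numbers make the enumeration cheap, but the real defect is the missing authorization check: switching to random or per-user indirect identifiers slows an attacker down without fixing the flaw, so the membership check belongs in every handler that takes an object reference from the client.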
VULNERABILITIES
- CVE-2023-35857 - In Siren Investigate before 13.2.2, session keys remain active even after logging out.
- CVE-2023-35855 - A buffer overflow in Counter-Strike through 8684 allows a game server to execute arbitrary code on a remote client's machine by modifying the lservercfgfile console variable.
- CVE-2023-35856 - A buffer overflow in Nintendo Mario Kart Wii RMCP01, RMCE01, RMCJ01, and RMCK01 can be exploited by a game client to execute arbitrary code on a client's machine via a crafted packet.
EXPLOITS
- CVE-2010-2075 : UnrealIRCd 3.2.8.1 - Remote Downloader/Execute
- CVE-2012-5932 : NetIQ Privileged User Manager 2.3.1 - 'ldapagnt_eval()' Perl Remote Code Execution
BREACHES
- XSS: Zacks Investment Research Data Breach : (8,874,860 Records) | Email address, username, password, name, phone number, physical address, and security questions
- BreachForums/XSS: Epic Games Data Breach : (83,063 Records) | Email address and password
Tags: DIB, tlp:green