ZeroFox Daily Intelligence Brief - June 21, 2023
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Please find today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- VMware: Critical Bug Being Exploited in Attacks on Unpatched Devices
- New DDoS-as-a-Service Botnet "Condi" Exploits TP-Link Routers
- Critical Vulnerabilities Found in Operational Technology (OT) Products from Wago and Schneider
- Vulnerabilities: CVE-2023-31975 and CVE-2019-6502
- Exploits: CVE-2017-12617 and CVE-2017-16894
- Breaches: Telegram: SunCloudPubl[.]zip Botnet Breach and BreachForums/XSS: WarcraftRealms Data Breach
VMware: Critical Bug Being Exploited in Attacks on Unpatched Devices
VMware has warned users about the active exploitation of a command-injection bug affecting VMware Aria Operations for Networks (previously called vRealize Network Insight). This bug (CVE-2023-20887) allows attackers to execute arbitrary commands on the underlying operating system in low-complexity attacks that do not require user interaction. Network administrators should apply the requisite patches, as no workarounds are available to mitigate the vulnerability.
New DDoS-as-a-Service Botnet "Condi" Exploits TP-Link Routers
A DDoS-as-a-Service botnet named "Condi" has been observed exploiting a high-severity unauthenticated command injection and remote code execution flaw (CVE-2023-1389) in the API of TP-Link Archer AX21 (AX1800) Wi-Fi routers. This router is popular among home users, small offices, shops, and cafes. TP-Link has addressed this bug via a security update in version 1.1.4 Build 20230219.
Critical Vulnerabilities Found in Operational Technology (OT) Products from Wago and Schneider
Three security vulnerabilities have been discovered in OT products from Wago and Schneider Electric. These flaws are part of a larger collection of 61 issues tracked as OT:ICEFALL, affecting 13 vendors. The most significant vulnerability, CVE-2022-46680, exposes plaintext transmission of credentials in Schneider Electric's power meters, potentially enabling unauthorized access. The other two vulnerabilities, CVE-2023-1619 and CVE-2023-1620, relate to denial-of-service (DoS) bugs in WAGO 750 controllers.
VULNERABILITIES
- CVE-2023-31975 - yasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.
- CVE-2019-6502 - sc_context_create in ctx.c in libopensc in OpenSC 0.19.0 has a memory leak.
EXPLOITS
- CVE-2017-12617 - Apache Tomcat Upload Bypass / Remote Code Execution (RCE)
- CVE-2017-16894 - PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize RCE
BREACHES
- Telegram: SunCloudPubl[.]zip Botnet Breach: (1,163 Records) | Email address and password
- BreachForums/XSS: WarcraftRealms Data Breach: (129,459 Records) | Email address and password
Tags: DIB, tlp:green