Cyber Security Weekly Briefing, 23-29 July
New Critical Vulnerability in SonicWall Products
Researchers from DBappSecurity HAT Lab have discovered a critical vulnerability that affects several SonicWall Analytics On-Prem and SonicWall Global Management System products. The vulnerability, a SQL injection flaw tracked as CVE-2022-22280 with a CVSS score of 9.4, grants an attacker access to sensitive information and the ability to bypass authentication and delete information from databases. It is considered critical because it requires neither authentication nor user interaction and is not complex to exploit. So far, no active exploitation of the flaw has been detected, nor have any public exploits been found. The vulnerability affects Analytics On-Prem versions 18.104.22.168-2520 and prior, as well as SonicWall Global Management System versions 9.3.1-SP2-Hotfix1 and prior. SonicWall has urged all organizations using these products to install the new security patch as soon as possible.
Analysis of new CosmicStrand rootkit
Researchers with SecureList have discovered a new advanced UEFI firmware rootkit targeting Windows, which has been named CosmicStrand. This type of malware is highly evasive and persistent, as it remains on the victim's system even after several reboots. Regarding the infection chain, CosmicStrand operates at kernel level and targets firmware images from Gigabyte or ASUS motherboards. These firmware images are modified in the CSMCORE DXE driver so that a chain of code executes during system boot and downloads the payload into Windows. According to the researchers, the modifications to the firmware images could have been achieved by exploiting a vulnerability, which would imply that the attackers had prior access to the victim's computer in order to extract, modify and overwrite the motherboard's firmware. The countries where this operation has been observed so far are China, Vietnam and Iran. Additionally, the victims are typically users of free versions of the affected products.
0-day vulnerability in PrestaShop exploited against e-commerce stores
The exploitation of a 0-day vulnerability has been detected in PrestaShop, the most popular open source e-commerce platform in Europe and Latin America, used by around 300,000 customers worldwide. PrestaShop reported that attackers were exploiting a combination of vulnerabilities to inject malicious code into websites running its software, allowing them to execute arbitrary code with the aim of stealing e-commerce customers' payment information. Among the exploited flaws, the PrestaShop team identified a SQL injection 0-day (CVE-2022-36408) that has been fixed in version 22.214.171.124; however, they state that there may be other methods of carrying out this attack. In addition, PrestaShop has published a series of checks to verify whether a site has been attacked, as well as recommendations for keeping e-commerce sites secure, such as keeping the software updated and disabling the MySQL Smarty Cache feature, which the attackers used to carry out the attacks.