Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems.
CVE-2022-46169 is a critical authentication bypass and command injection flaw in the Cacti server that allows unauthenticated users to execute arbitrary code. CVE-2021-35394 is an arbitrary command injection vulnerability affecting the Realtek Jungle SDK that was patched in 2021.
While the latter has been exploited before to distribute botnets such as Mirai, Gafgyt, Mozi, and RedGoBot, the development marks the first time it has been used to deploy MooBot, a Mirai variant known to be active since 2019.
The Cacti flaw, in addition to being exploited for MooBot attacks, has also been observed serving ShellBot payloads since January 2023, when the issue was revealed.
At least three different versions of ShellBot have been detected – viz. PowerBots (C) GohacK, LiGhT’s Modded perlbot v2, and B0tchZ 0.2a – the first two were recently disclosed by AhnLab Security Emergency Response Center (ASEC).
All three variants are capable of launching distributed denial-of-service (DDoS) attacks. PowerBots (C) GohacK and B0tchZ 0.2a also feature backdoor capabilities to perform file upload/download and launch reverse shells.
“A compromised victim can be controlled and used as a DDoS bot after receiving commands from the C2 server,” said Fortinet researcher Cara Lin. “Because MooBot can kill other botnet processes and also deploy brute force attacks, administrators should use strong passwords and change them periodically.”
Active Exploitation of IBM Aspera Faspex Flaw
The third security vulnerability that has been actively exploited is CVE-2022-47986 (CVSS score: 9.8), a critical YAML deserialization issue in IBM's Aspera Faspex file exchange application.
The bug, patched in December 2022 (version 4.4.2 Tier 2 Patch), has been co-opted by cybercriminals in the Buhti and IceFire ransomware campaigns since February, shortly after the release of a proof-of-concept (PoC) exploit.
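The article names the Faspex flaw as a YAML deserialization issue without detailing it. The following Ruby example, added here and not taken from IBM or from the article, illustrates the general hazard class and its mitigation: an unrestricted YAML loader will instantiate whatever Ruby class an untrusted document names, whereas safe_load rejects anything beyond plain data unless the class is explicitly permitted. The ExportJob class and the sample document are constructed for the demonstration and have nothing to do with Faspex internals.

```ruby
require "yaml"

# Constructed sample: a class the application legitimately serializes.
class ExportJob
  attr_accessor :path
end

# Constructed untrusted input: a YAML document that names a Ruby class.
# An unrestricted loader instantiates it from attacker-controlled fields;
# when application classes run logic on revival, this is how a
# deserialization bug becomes code execution.
UNTRUSTED_DOC = <<~YAML
  --- !ruby/object:ExportJob
  path: /tmp/anything
YAML

# Unrestricted load: returns an ExportJob built from untrusted input.
# Psych >= 3.3.2 exposes this as unsafe_load; older Psych exposes it as load.
def unrestricted_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened load: only scalars, arrays and hashes unless a class is
# explicitly permitted. Returns [:ok, value] or [:rejected, error_message].
def restricted_load(doc, permitted: [])
  [:ok, YAML.safe_load(doc, permitted_classes: permitted)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted: #{unrestricted_load(UNTRUSTED_DOC).class}"
  puts "restricted:   #{restricted_load(UNTRUSTED_DOC).inspect}"
  puts "permitted:    #{restricted_load(UNTRUSTED_DOC, permitted: [ExportJob]).inspect}"
end
```

The defensive takeaway is that safe_load with an explicit allow-list is the default to reach for whenever YAML arrives from outside the trust boundary; the permitted_classes list documents exactly which types the application expects to revive.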
Cybersecurity company Rapid7, earlier this week, revealed that one of its customers was compromised through the security flaw, and urged users to apply the fix quickly to avert potential risks.
“Because these are typically internet-connected services and the vulnerability has been linked to ransomware group activity, we recommend taking the service offline if patches cannot be installed immediately,” the company said.