JeanJarv
Staff

In our latest weekly Threat Brief, we look into a recently discovered critical vulnerability (FG-VD-19-117/CVE-2019-16920) affecting several EOL D-Link router models found by our FortiGuard researchers. This vulnerability could allow for remote code execution without authentication. This occurs when an attacker sends arbitrary input to the device's common gateway interface that could lead to command injection.

We also review a spike in the Winnti backdoor observed over the last couple of months. Winnti is a Remote Access Trojan (RAT) being used against Linux and Windows platforms. It is memory resident, meaning that the malware and its behaviors are hard to detect. While it previously focused a lot of its attacks on the gaming industry to steal information, it most recently also began targeting the pharmaceutical industry.

This week’s report discusses a Quest Software KACE K1000 endpoint management system vulnerability that is very simple to exploit, potentially leading to a breach into managed endpoints and the deployment of malware implants. The issue stems from user-supplied parameters that are not properly sanitized before being used to construct the file names handled by the system.
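Both the D-Link CGI issue above and the KACE file-name issue come down to the same defensive point: a value taken from a request is handed to a shell or used to build a path without strict validation. The following is an added illustration written for this brief, not code from Fortinet, D-Link, or Quest; the function names, the regular expressions, and the base directory `/srv/uploads` are constructed assumptions. It shows the unsafe interpolation pattern next to a hardened handler that validates input against an allowlist, never invokes a shell, and confines constructed file names to a fixed directory.

```python
import re
from pathlib import Path
from typing import Callable, List

# Constructed validation rules (assumptions for this example):
# a hostname-like parameter and a simple file-name parameter.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,99}$")
UPLOAD_BASE = "/srv/uploads"  # hypothetical base directory


def ping_vulnerable(target: str) -> str:
    """The pattern behind command injection: the request parameter is pasted
    into a shell command string. Shell metacharacters in `target` would be
    parsed as additional commands. Returned as a string, never executed here."""
    return "ping -c 1 " + target


def ping_command(target: str) -> List[str]:
    """Hardened form: strict allowlist validation, then an argv list that can be
    passed to subprocess.run(...) with shell=False, so no shell parses the value."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError("invalid host parameter")
    return ["ping", "-c", "1", target]


def resolve_upload_path(user_name: str, base_dir: str = UPLOAD_BASE) -> Path:
    """Hardened file-name construction: allowlist the name, then confirm the
    resolved path still sits directly under the base directory."""
    if not SAFE_NAME_RE.fullmatch(user_name) or ".." in user_name:
        raise ValueError("invalid file name parameter")
    base = Path(base_dir).resolve()
    candidate = (base / user_name).resolve()
    if candidate.parent != base:
        raise ValueError("path escapes base directory")
    return candidate


def rejects(fn: Callable[[str], object], value: str) -> bool:
    """True if the hardened handler refuses `value` (helper for checks)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a shell separator,
    # one attempting directory traversal.
    print(ping_vulnerable("host.example; extra"))      # shows the unsafe string
    print(ping_command("host.example"))                # ['ping', '-c', '1', 'host.example']
    print(rejects(ping_command, "host.example; extra"))  # True
    print(resolve_upload_path("report.txt"))
    print(rejects(resolve_upload_path, "../passwd"))   # True
```

The argv list is only safe when it is executed with `shell=False`; the validation regexes are deliberately narrow and should be tightened or loosened to match what the parameter legitimately needs to express.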

Additionally, we profile a new variant of the Purple Fox Trojan that utilizes new fileless techniques to evade detection. Purple Fox was made known last year when it was discovered as a payload delivered in the RIG Exploit Kit. Unlike its predecessor, which used NSIS, this new variant uses PowerShell, indicating the adoption of new fileless techniques.

OP5 Monitor is a solution based on the Nagios monitoring platform for real-time management, monitoring, and orchestration of IT resources. A CSRF flaw was discovered on the configuration page in OP5 version 7.1.9 and below, which could be abused to run arbitrary code as an unprivileged user.
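A CSRF flaw on a configuration page means a state-changing request is accepted purely because the browser attaches the victim's session cookie. The standard mitigation is a per-session synchronizer token that a cross-site page cannot read, optionally backed by an Origin header check. The code below is an added example for this brief, not OP5 or Nagios code; the session dictionary, the `allowed_origin` value and the handler names are constructed assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side session, constructed for this example.
def new_session() -> Dict[str, str]:
    """Create a session carrying a random CSRF token, stored server-side and
    embedded in the configuration form; it is not readable from another origin."""
    return {"csrf_token": secrets.token_urlsafe(32), "settings": "default"}


def verify_csrf(session: Dict[str, str], submitted_token: Optional[str],
                origin: Optional[str], allowed_origin: str) -> bool:
    """Accept a state-changing request only if the submitted token matches the
    session token (constant-time compare) and any Origin header is our own."""
    if not submitted_token:
        return False
    if not hmac.compare_digest(session["csrf_token"], submitted_token):
        return False
    if origin is not None and origin != allowed_origin:
        return False
    return True


def update_config(session: Dict[str, str], form: Dict[str, str],
                  origin: Optional[str], allowed_origin: str) -> bool:
    """Hypothetical configuration handler: applies the change only after the
    CSRF check passes. Returns True if the change was applied."""
    if not verify_csrf(session, form.get("csrf_token"), origin, allowed_origin):
        return False
    session["settings"] = form.get("settings", session["settings"])
    return True


if __name__ == "__main__":
    site = "https://monitor.example"  # constructed origin
    sess = new_session()
    # Legitimate submission from our own page includes the token.
    print(update_config(sess, {"csrf_token": sess["csrf_token"], "settings": "x"}, site, site))
    # A forged cross-site request carries the cookie but cannot supply the token.
    print(update_config(sess, {"settings": "y"}, "https://other.example", site))
```

The token must be generated with a CSPRNG and compared in constant time; checking only the Origin header is weaker because some requests arrive without one, so the token remains the primary control.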

You can find more details about these and other issues. Click HERE to read our latest newsletter. Click HERE to subscribe to the weekly email distribution.