Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
XSS Vulnerability in Cisco Prime Collaboration Deployment
Cisco has disclosed a cross-site scripting (XSS) vulnerability in the user interface of its Prime Collaboration Deployment server management platform, version 14 and earlier. The vulnerability, which arises from a lack of proper sanitization of user input, could allow an attacker to execute malicious JavaScript code in the browser of an authenticated user of the platform, possibly leading to theft of credentials, malware infection or other exploits.
Worse still, the vulnerability can be exploited by unauthenticated remote attackers. There is, as yet, no workaround for this vulnerability, although Cisco obviously plans to release a software update.
Cisco Security, Cisco Prime Collaboration Deployment Cross-Site Scripting Vulnerability, security advisory, 26 April 2023. Available online at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pcd-xss-jDXpjm7.
PingPull Malware Now Targets Linux
PingPull is a remote access trojan for Windows, generally operated by a Chinese APT called Alloy Taurus, a.k.a. GALLIUM. The RAT allows its operators to execute commands and access a shell on the victim systems, which are generally telcos or military/government organizations in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Russia and Vietnam. However, following publication of a report on their operations by Palo Alto's Unit 42, the group abandoned their infrastructure and went to ground.
Now, Unit 42 researchers have identified a new variant of PingPull, this time targeting Linux systems, indicating that Alloy Taurus is back in business, with new infrastructure. The new variant seems to share some functionality, and perhaps some code, with the earlier China Chopper RAT. Alloy Taurus has also been operating another backdoor, called Sword2033, on the same infrastructure.
It also seems that Alloy Taurus has now expanded its cyber-espionage interests to financial institutions, and it has also been observed operating in South Africa and Nepal.
Unit 42, Chinese Alloy Taurus Updates PingPull Malware, report, 26 April 2023. Available online at https://unit42.paloaltonetworks.com/alloy-taurus/#post-127879-_wven14kmgum2.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.