Programmer’s Digest #10
8-14/12/2022. Actively Exploited Citrix ADC, Malware Strains Targeting Python and JavaScript Developers, Amazon ECR Public Gallery Vulnerability, And More
1. Hackers Actively Exploiting Citrix ADC and Gateway Zero-Day Vulnerability
A threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems. The critical vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and seize control. Exploitation, however, requires that the Citrix ADC or Citrix Gateway appliance is configured as a SAML service provider (SP) or a SAML identity provider (IdP); appliances that do not use SAML are not exploitable, but should still be upgraded. Citrix ADC and Citrix Gateway version 13.1 is not affected. Citrix also said there are no workarounds “beyond disabling SAML authentication or upgrading to a current build.”
2. Malware Strains Targeting Python and JavaScript Developers Through Official Repositories
An active malware campaign is targeting the Python Package Index (PyPI) and npm with typosquatted and fake modules that deploy a ransomware strain, the latest in a series of attacks on software supply chains. With one exception (telnservrr), the rogue Python packages all impersonate the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.
The rogue packages embed source code that retrieves a Golang-based ransomware binary from a remote server, choosing the build that matches the victim’s operating system and microarchitecture. Successful execution changes the victim’s desktop background to an actor-controlled image that claims to be from the U.S. Central Intelligence Agency (CIA); the binary also encrypts files and demands a $100 ransom in cryptocurrency. In a sign that the attack is not limited to PyPI, the adversary has also published five modules in npm: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr.
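Every Python typosquat in the list above is one or two keystrokes away from "requests", and that is a property a CI job can test for. The following is an added example (not code from the research the digest summarizes): it parses a requirements.txt and flags dependencies within a small edit distance of a popular package. The POPULAR_PACKAGES set and the sample requirements are constructed for the example; a real check would load the top few thousand names from the PyPI download statistics. Note what it cannot catch: telnservrr is malicious without resembling anything, so this check complements, rather than replaces, reviewing new dependencies.

```python
"""Added example (not code from the research the digest summarizes):
flag dependencies whose names sit within a small edit distance of a popular
package, which is the property every typosquat in the list above shares."""
import re

# Constructed for the example: a handful of high-value targets. A real check
# would load the top few thousand names from the PyPI download statistics.
POPULAR_PACKAGES = {"requests", "urllib3", "numpy", "pandas", "django", "flask"}


def dl_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (optimal string alignment): one unit each
    for a substitution, insertion, deletion or adjacent transposition."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, with runs of '-', '_' and '.'
    collapsed to a single '-', so 'Requests' and 'requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def suspicious_dependencies(requirements: str, popular=POPULAR_PACKAGES, max_distance=2):
    """Parse requirements.txt text and return (name, lookalike, distance) for every
    dependency that is not itself popular but is within max_distance of one."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):          # blank, comment or pip option
            continue
        # Drop extras, version specifiers and markers: "flask[async]~=2.2" -> "flask"
        name = normalize(re.split(r"[\[<>=!~;@ ]", line, maxsplit=1)[0])
        if name in popular:
            continue
        for target in sorted(popular):
            distance = dl_distance(name, target)
            if distance <= max_distance:
                findings.append((name, target, distance))
                break
    return findings


# Constructed sample requirements file, mixing legitimate pins with one of the
# typosquats named above and one rogue name that is not a lookalike at all.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
reqkests>=1.0
numpy
telnservrr
flask[async]~=2.2
"""

if __name__ == "__main__":
    for name, lookalike, distance in suspicious_dependencies(SAMPLE_REQUIREMENTS):
        print(f"{name}: {distance} edit(s) from {lookalike}")
```

Run it against the sample and only reqkests is reported (one substitution from requests). The threshold of two edits is a heuristic: it also catches adjacent-character swaps, but short legitimate names near a popular one will produce false positives, so treat hits as a review trigger rather than a block.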
3. Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver
A subgroup of the Iranian state-sponsored group known as Nemesis Kitten has been attributed a previously undocumented custom malware dubbed Drokbk, which uses GitHub as a dead drop resolver: a legitimate site where the implant looks up the address of its real command-and-control server, which it then contacts to receive commands or exfiltrate data from the infected computer. Using GitHub as a virtual dead drop helps the malware blend in. Traffic to GitHub is TLS-encrypted and goes to a domain most networks allow, so without TLS inspection defensive technologies see only a connection to github.com, not what is being passed back and forth. Subsequent investigations into the adversary’s operations have uncovered two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering. The Drokbk intrusion analysed here entailed the compromise of a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), ultimately leading to the delivery of the Drokbk binary by means of a compressed ZIP archive hosted on a file transfer service.
4. Serious Attacks Could Have Been Staged Through This Amazon ECR Public Gallery Vulnerability
A critical security flaw has been disclosed in Amazon Elastic Container Registry (ECR) Public Gallery that could have been exploited to stage a multitude of attacks. By exploiting this vulnerability, a malicious actor could have deleted all images in the Amazon ECR Public Gallery or updated the contents of any public image to inject malicious code. That code would then execute on any machine that pulls and runs the image, whether on users’ local machines, Kubernetes clusters or cloud environments. ECR is a container image registry service managed by Amazon Web Services that lets users package code as Docker images and deploy the artifacts in a scalable manner. Amazon deployed a fix on November 16, 2022, less than 24 hours after it was reported, indicative of the severity of the problem. No customer action is required, although pulling images by immutable digest rather than by mutable tag would have limited the blast radius of a tampered image in this and similar registry incidents.
5. Fortinet Says SSL-VPN Pre-auth RCE Bug Is Exploited in Attacks
Fortinet urges customers to patch their appliances against an actively exploited FortiOS SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices.
The security flaw is tracked as CVE-2022-42475 and is a heap-based buffer overflow [CWE-122] in the FortiOS SSL-VPN daemon (sslvpnd). A remote, unauthenticated attacker can trigger it with specifically crafted requests to crash the device and potentially execute arbitrary code or commands. The company said it’s “aware of an instance where this vulnerability was exploited in the wild,” urging customers to move quickly to apply the updates.
Patches are available in FortiOS versions 7.2.3, 7.0.9, 6.4.11, and 6.2.12 as well as FortiOS-6K7K versions 7.0.8, 6.4.10, 6.2.12, and 6.0.15.
6. New Python Malware Backdoors VMware ESXi Servers For Remote Access
A previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system.
VMware ESXi is a virtualization platform commonly used in the enterprise to host numerous servers on one device while using CPU and memory resources more effectively.
The new backdoor was discovered by Juniper Networks researchers, who found it on a VMware ESXi server. They could not determine how the server was compromised because of limited log retention, but believe the CVE-2019-5544 and CVE-2020-3992 vulnerabilities in ESXi’s OpenSLP service may have been used. While the malware is technically capable of running on Linux and Unix systems too, Juniper’s analysts found multiple indications it was designed for attacks against ESXi. To determine whether this backdoor has affected your ESXi servers, check for the dropped file /store/packages/vmtools.py, and inspect /etc/rc.local.d/local.sh and /etc/vmware/rhttpproxy/endpoints.conf for added lines; the latter two files exist on a stock host, so their presence alone is not an indicator. All configuration files that persist across reboots should be scrutinized for suspicious changes and reverted to the correct settings.
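The check above is simple enough to script so it can be run across a fleet or over an offline copy of a host. The following is an added example (not code from Juniper’s report): it looks for the dropped vmtools.py, reports any line in local.sh that is not a comment, blank or the closing "exit 0" (an assumption about a pristine local.sh made for the example), and optionally diffs endpoints.conf against a copy taken from a known-good host. The sample trees it builds, including the persistence line and the endpoints.conf content, are constructed for the example and do not reproduce the real backdoor.

```python
"""Added example (not code from Juniper's report): sweep an ESXi filesystem
tree for the indicators listed above. Point ROOT at "/" on a live host, or at
a mounted disk image or extracted configuration backup to work offline."""
import os
import re
import tempfile

# Paths named in the report, relative to the root being examined.
DROPPED_FILE = "store/packages/vmtools.py"               # should not exist on a stock host
LOCAL_SH = "etc/rc.local.d/local.sh"                     # exists on every host; inspect content
ENDPOINTS_CONF = "etc/vmware/rhttpproxy/endpoints.conf"  # likewise

# Assumption made for the example: a pristine local.sh contains only comment
# lines (including the #!/bin/sh shebang), blank lines and a final "exit 0".
BENIGN_LOCAL_SH_LINE = re.compile(r"^\s*(#.*|exit\s+0|)\s*$")


def check_esxi_tree(root, known_good_endpoints=None):
    """Return a list of findings; an empty list means no indicator matched."""
    findings = []
    if os.path.exists(os.path.join(root, DROPPED_FILE)):
        findings.append(f"{DROPPED_FILE} present")

    local_sh = os.path.join(root, LOCAL_SH)
    if os.path.isfile(local_sh):
        with open(local_sh, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if not BENIGN_LOCAL_SH_LINE.match(line):
                    findings.append(f"{LOCAL_SH}: unexpected line: {line.strip()}")

    # endpoints.conf is legitimate, so the only robust check is a comparison
    # against a copy taken from a known-good host or backup.
    endpoints = os.path.join(root, ENDPOINTS_CONF)
    if known_good_endpoints and os.path.isfile(endpoints):
        with open(endpoints) as fh, open(known_good_endpoints) as ref:
            added = set(fh) - set(ref)
        for line in sorted(added):
            findings.append(f"{ENDPOINTS_CONF}: line absent from reference: {line.strip()}")
    return findings


def build_sample_tree(root, infected):
    """Constructed sample tree for the example. Contents are invented and do
    not reproduce the real backdoor's lines."""
    for rel in (LOCAL_SH, ENDPOINTS_CONF, DROPPED_FILE):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    local = "#!/bin/sh\n# local configuration options\n"
    if infected:
        local += "/bin/python /store/packages/vmtools.py &\n"   # constructed
        open(os.path.join(root, DROPPED_FILE), "w").close()
    local += "exit 0\n"
    with open(os.path.join(root, LOCAL_SH), "w") as fh:
        fh.write(local)
    with open(os.path.join(root, ENDPOINTS_CONF), "w") as fh:
        fh.write("/sdk local 8307 redirect allow\n")            # constructed

def demo():
    """Run the check over a clean and an infected constructed tree."""
    results = {}
    for state in ("clean", "infected"):
        with tempfile.TemporaryDirectory() as root:
            build_sample_tree(root, infected=(state == "infected"))
            results[state] = check_esxi_tree(root)
    return results


if __name__ == "__main__":
    for state, findings in demo().items():
        print(f"{state}: {findings or ['no indicators found']}")
```

On the infected sample the sweep reports both the dropped file and the added local.sh line; on the clean one it reports nothing. Because local.sh is one of the few files ESXi carries across reboots, any non-comment line in it deserves an explanation, whatever it invokes.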
7. Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks
The operating system update, released as part of Microsoft’s scheduled Patch Tuesday, addresses a flaw that lets attackers craft a malicious file that evades Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. The security defect, tracked as CVE-2022-44698, is marked as publicly disclosed and exploited, adding to the urgency for Windows fleet administrators to prioritize this month’s patches. Microsoft is also calling special attention to CVE-2022-44710, a privilege escalation flaw affecting the DirectX graphics kernel that Microsoft describes as a race condition and that has already been publicly disclosed. In all, Microsoft documented at least 52 vulnerabilities in a wide range of operating system components and software products. Six of the 52 bulletins are rated critical, Microsoft’s highest severity rating. The December Patch Tuesday barrage also includes major fixes from VMware, Adobe, Fortinet and Citrix.
8. Google Releases Dev Tool to List Vulnerabilities in Project Dependencies
Google has launched OSV-Scanner, a new tool that allows developers to scan the open-source dependencies used in their project for known vulnerabilities. The scanner draws on OSV.dev, the distributed vulnerability database for open-source code that Google released in February 2021, to report known security issues affecting those dependencies.
OSV-Scanner reads a project’s lockfiles or SBOM to determine the exact installed package versions and matches them against advisories published in the OSV schema by authoritative sources, closing the gap between a developer’s list of packages and the information in vulnerability databases. Currently, the OSV.dev service supports 16 major ecosystems, including the Linux kernel, Android, Debian, Alpine, PyPI, npm, OSS-Fuzz, and Maven. Google describes it as the world’s largest open-source vulnerability database, with 23,000 advisories added in 2022 alone.
Google says the next steps for OSV-Scanner are improved C/C++ vulnerability support, a very challenging ecosystem to cover because packages there are rarely versioned uniformly, and standalone CI actions to allow easy scheduling of scans. OSV-Scanner is free for everyone to use without restrictions and is available via GitHub or the osv.dev website.
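What the scanner does with an advisory is worth seeing concretely, because the matching step is where naive tooling goes wrong. The following is an added example (not OSV-Scanner’s own code): it evaluates an installed version against the "affected" ranges of advisories written in the OSV schema, including a range that is fixed, reintroduced and fixed again, and one closed by last_affected because no fix exists. The advisories, their EXAMPLE-* ids and the package names are placeholders constructed for the example, not real OSV records, and the version parser handles plain release versions only.

```python
"""Added example (not OSV-Scanner's own code): the core matching step a
scanner performs, which is to test an installed package version against the
'affected' ranges of advisories written in the OSV schema."""
import json
import re


def parse_version(v):
    """Numeric dotted comparison; OSV's "0" sentinel means "every version".
    Assumption for the example: plain release versions only. Real PEP 440 or
    semver handling (pre-releases, epochs, build metadata) is more involved."""
    return tuple(int(p) for p in re.findall(r"\d+", v)) or (0,)


def version_in_range(version, events):
    """Evaluate an OSV ECOSYSTEM/SEMVER event list. Events arrive in order as
    'introduced' followed by the 'fixed' or 'last_affected' that closes that
    interval; a trailing 'introduced' with no closer is open-ended."""
    v = parse_version(version)
    start = None
    for event in events:
        if "introduced" in event:
            start = parse_version(event["introduced"])
        elif start is not None and "fixed" in event:
            if start <= v < parse_version(event["fixed"]):
                return True
            start = None
        elif start is not None and "last_affected" in event:
            if start <= v <= parse_version(event["last_affected"]):
                return True
            start = None
    return start is not None and v >= start


def affected_advisories(installed, advisories, ecosystem="PyPI"):
    """installed: {package name: version} as read from a lockfile. Returns
    (name, version, advisory id) for every advisory that covers it."""
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            name = pkg.get("name", "").lower()
            if pkg.get("ecosystem") != ecosystem or name not in installed:
                continue
            version = installed[name]
            listed = version in aff.get("versions", [])       # explicit enumeration
            ranged = any(version_in_range(version, r["events"])
                         for r in aff.get("ranges", [])
                         if r.get("type") in ("ECOSYSTEM", "SEMVER"))
            if listed or ranged:
                hits.append((name, version, adv["id"]))
    return hits


# Constructed advisories in OSV schema form. The ids and package names are
# placeholders for the example, not real OSV records.
SAMPLE_ADVISORIES = json.loads("""[
  {"id": "EXAMPLE-0001",
   "summary": "constructed: fixed in 1.4.2, reintroduced in 2.0.0, fixed again in 2.0.3",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "0"}, {"fixed": "1.4.2"},
                                        {"introduced": "2.0.0"}, {"fixed": "2.0.3"}]}]}]},
  {"id": "EXAMPLE-0002",
   "summary": "constructed: no fix released, range closed by last_affected",
   "affected": [{"package": {"ecosystem": "npm", "name": "example-lib"},
                 "ranges": [{"type": "SEMVER",
                             "events": [{"introduced": "3.0.0"}, {"last_affected": "3.2.1"}]}]}]}
]""")

if __name__ == "__main__":
    # 1.4.10 sorts after 1.4.2 numerically; a string comparison would call it vulnerable.
    print(affected_advisories({"examplepkg": "1.4.10"}, SAMPLE_ADVISORIES))
    print(affected_advisories({"examplepkg": "2.0.1"}, SAMPLE_ADVISORIES))
```

Two details the example makes visible: versions must be compared numerically per component (1.4.10 is newer than 1.4.2), and a "fixed" event only closes the interval opened by the preceding "introduced", so a package can be clean in 1.x and affected again in 2.0.0 through 2.0.2. Exact matching also depends on knowing the installed version precisely, which is why the scanner works from lockfiles and SBOMs rather than from loose version ranges in a manifest.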