Programmer’s Digest #11
15-21/12/2022 Malicious ‘SentinelOne’ PyPI package, Hackers bombard PyPI platform, Veeam Backup and Replication Vulnerabilities, And More
1. Hackers Bombard Open Source Repositories with Over 144,000 Malicious Packages
NuGet, PyPI, and npm ecosystems are the target of a new campaign that has resulted in over 144,000 packages being published by unknown threat actors. The packages were part of a new attack vector, with attackers spamming the open source ecosystem with packages containing links to phishing campaigns. Of the 144,294 phishing-related packages that were detected, 136,258 were published on NuGet, 7,824 on PyPI, and 212 on npm. The offending libraries have since been unlisted or taken down. The fake packages themselves claimed to provide hacks, cheats, and free resources in an attempt to trick users into downloading them. The URLs to the rogue phishing pages were embedded in the package description. In all, the massive campaign encompassed more than 65,000 unique URLs on 90 domains.
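Because the lure in this campaign lives in package metadata rather than in code, a registry maintainer or a mirror operator can triage it from the description text alone. The following is an added example (not code from the digest or from any of the registries) that pulls URLs out of package descriptions, separates them from the hosts a legitimate description normally links to, combines that with the lure wording the campaign used, and ranks the off-site hosts by how many flagged packages point at them. The package records and domains are constructed for the example; the allow list of hosts is an assumption a real deployment would maintain itself.

```python
"""Triage package metadata for descriptions that carry off-site lure URLs.

Added example: sample records below are constructed, not real registry data.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

# Hosts a legitimate description routinely links to (assumption for this
# example; a real deployment would maintain and tune its own allow list).
ALLOWED_HOSTS = {
    "github.com", "gitlab.com", "readthedocs.io", "pypi.org",
    "nuget.org", "npmjs.com",
}

# Wording the campaign's packages used to attract downloads.
LURE_WORDS = ("hack", "cheat", "free", "generator", "crack")


def extract_urls(text):
    """Return the distinct URLs found in a block of text, in order."""
    seen, out = set(), []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def host_of(url):
    """Hostname of a URL, lower-cased and without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_allowed(host):
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def triage_package(pkg):
    """Score one package record; returns (flagged, reasons, offsite_urls)."""
    desc = pkg.get("description", "")
    urls = extract_urls(desc)
    offsite = [u for u in urls if not is_allowed(host_of(u))]
    reasons = []
    if offsite:
        reasons.append(f"{len(offsite)} off-site URL(s) in description")
    if any(w in desc.lower() for w in LURE_WORDS):
        reasons.append("lure wording in description")
    # A description that is little more than a link is itself a signal.
    if urls and len(desc) < 200:
        reasons.append("description is mostly links")
    # Require an off-site link plus at least one corroborating signal.
    flagged = bool(offsite) and len(reasons) >= 2
    return flagged, reasons, offsite


def summarize(packages):
    """Return (flagged package names, off-site hosts ranked by hit count)."""
    by_host, flagged_names = {}, []
    for pkg in packages:
        flagged, _, offsite = triage_package(pkg)
        if not flagged:
            continue
        flagged_names.append(pkg["name"])
        for u in offsite:
            by_host[host_of(u)] = by_host.get(host_of(u), 0) + 1
    ranked = sorted(by_host.items(), key=lambda kv: (-kv[1], kv[0]))
    return flagged_names, ranked


# Constructed sample records (no real package names or domains).
SAMPLE_PACKAGES = [
    {"name": "free-gems-generator-2022",
     "description": "Get FREE gems now! Download: http://lure.example/gems"},
    {"name": "coins-hack-unlimited",
     "description": "Cheat tool. Visit http://lure.example/coins and "
                    "http://other-lure.example/x"},
    {"name": "tinyjsonlib",
     "description": "A small JSON helper. Docs at https://tinyjsonlib.readthedocs.io/"},
    {"name": "plainutils",
     "description": "Utility functions. Source: https://github.com/example/plainutils"},
]

if __name__ == "__main__":
    names, ranked = summarize(SAMPLE_PACKAGES)
    print("flagged:", names)
    for host, n in ranked:
        print(f"{n:4d}  {host}")
```

Ranking by host is the useful output here: the digest notes 65,000 URLs across only 90 domains, so a handful of hosts will dominate the list and can be blocked or reported once rather than package by package.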
2. CISA Alert: Veeam Backup and Replication Vulnerabilities Being Exploited in Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild. The now-patched critical flaws, tracked as CVE-2022-26500 and CVE-2022-26501, are both rated 9.8 on the CVSS scoring system, and could be leveraged to gain control of a target system. The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code. Both issues, which affect product versions 9.5, 10, and 11, have been addressed in versions 10a and 11a. Users of Veeam Backup & Replication 9.5 are advised to upgrade to a supported version.
3. Researchers Discover Malicious PyPI Package Posing as SentinelOne SDK to Steal Data
Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that impersonates a software development kit (SDK) for SentinelOne, a major cybersecurity company, as part of a campaign dubbed SentinelSneak. The package, named SentinelOne and now taken down, is said to have been published between December 8 and 11, 2022, with nearly two dozen versions pushed in quick succession over a period of two days. It claims to offer an easier method to access the company’s APIs, but harbors a malicious backdoor that’s engineered to amass sensitive information from development systems, including access credentials, SSH keys, and configuration data. What’s notable about the fraudulent package is that it mimics a legitimate SDK that SentinelOne offers to its customers, potentially tricking developers into downloading the module from PyPI. It’s not immediately clear if the package was weaponized as part of an active supply chain attack, although it had been downloaded more than 1,000 times prior to its removal.
4. Glupteba Botnet Continues to Thrive Despite Google’s Attempts to Disrupt It
The operators of the Glupteba botnet resurfaced in June 2022 as part of a renewed and “upscaled” campaign, months after Google disrupted the malicious activity. The ongoing attack is suggestive of the malware’s resilience in the face of takedowns. In addition, there was a tenfold increase in Tor hidden services being used as C2 servers since the 2021 campaign. The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear. Specifically, the botnet is designed to search the public Bitcoin blockchain for transactions related to wallet addresses owned by the threat actor so as to fetch the encrypted C2 server address. This is made possible by the OP_RETURN opcode that enables storage of up to 80 bytes of arbitrary data within the signature script.
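An analyst tracing this C2 mechanism needs to pull the OP_RETURN payload out of a transaction so the encrypted address blob can be examined. The script below is an added example (not from the digest or from any Glupteba research) that decodes the push opcodes following OP_RETURN in a raw Bitcoin output script (the scriptPubKey bytes of a transaction output), concatenates the pushed data, and checks it against the 80-byte relay limit the digest mentions. The output scripts are constructed for the example; nothing here is a real transaction.

```python
"""Extract OP_RETURN payloads from raw Bitcoin output scripts.

Added example; sample scripts are constructed, not taken from a real chain.
"""
OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
OP_PUSHDATA4 = 0x4E
MAX_STANDARD_PAYLOAD = 80  # relay-policy limit for OP_RETURN data


def _read_push(script, i):
    """Decode one push opcode at offset i; return (data, next_offset)."""
    op = script[i]
    i += 1
    if op <= 0x4B:                    # opcode value is the byte count
        n = op
    elif op == OP_PUSHDATA1:          # 1-byte length follows
        n, i = script[i], i + 1
    elif op == OP_PUSHDATA2:          # 2-byte little-endian length
        n, i = int.from_bytes(script[i:i + 2], "little"), i + 2
    elif op == OP_PUSHDATA4:          # 4-byte little-endian length
        n, i = int.from_bytes(script[i:i + 4], "little"), i + 4
    else:
        raise ValueError(f"opcode 0x{op:02x} is not a data push")
    if i + n > len(script):
        raise ValueError("push runs past end of script")
    return script[i:i + n], i + n


def extract_op_return(script_hex):
    """Return the data pushed after OP_RETURN, or None for other scripts.

    A script that starts with OP_RETURN but is malformed raises ValueError.
    """
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    payload, i = b"", 1
    while i < len(script):
        chunk, i = _read_push(script, i)
        payload += chunk
    return payload


def is_standard_payload(payload):
    """True if the payload fits the 80-byte relay limit."""
    return payload is not None and len(payload) <= MAX_STANDARD_PAYLOAD


def scan_outputs(outputs):
    """outputs: list of (value_sats, script_hex). Returns [(index, payload)]
    for OP_RETURN outputs; a malformed OP_RETURN script is reported with
    payload None so it is not silently dropped."""
    hits = []
    for idx, (_, script_hex) in enumerate(outputs):
        try:
            data = extract_op_return(script_hex)
        except ValueError:
            hits.append((idx, None))
            continue
        if data is not None:
            hits.append((idx, data))
    return hits


# Constructed sample outputs: value in satoshis, script as hex.
SAMPLE_OUTPUTS = [
    (0, "6a" + "0a" + b"c2:example".hex()),      # OP_RETURN, 10-byte push
    (5000, "76a914" + "00" * 20 + "88ac"),        # ordinary P2PKH script
    (0, "6a" + "4c05" + b"hello".hex()),          # OP_RETURN via OP_PUSHDATA1
    (0, "6a05aa"),                                # declares 5 bytes, has 1
]

if __name__ == "__main__":
    for idx, data in scan_outputs(SAMPLE_OUTPUTS):
        if data is None:
            print(f"vout {idx}: malformed OP_RETURN script")
        else:
            print(f"vout {idx}: {len(data)} bytes, standard={is_standard_payload(data)}, "
                  f"hex={data.hex()}")
```

The extracted bytes are only the first step: in the campaign described above the payload is an encrypted address, so the decoding key recovered from the sample is still needed before the blob says anything about the C2 host.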
5. New Agenda Ransomware Variant, Written in Rust, Aiming at Critical Infrastructure
A Rust variant of a ransomware strain known as Agenda has been observed in the wild, making it the latest malware to adopt the cross-platform programming language after BlackCat, Hive, Luna, and RansomExx. Agenda is a ransomware-as-a-service (RaaS) group that has been linked to a spate of attacks primarily targeting manufacturing and IT industries. It expands on the idea of partial encryption (aka intermittent encryption) by configuring parameters that are used to determine the percentage of file content to be encrypted. An analysis of the ransomware binary reveals that encrypted files are given the extension “MmXReVIxLV,” before proceeding to drop the ransom note in every directory. In addition, the Rust version of Agenda is capable of terminating the Windows AppInfo process and disabling User Account Control (UAC), the latter of which helps mitigate the impact of malware by requiring administrative access to launch a program or task. At present, its threat actors appear to be migrating their ransomware code to Rust, as recent samples still lack some features seen in the original binaries written in the Go variant of the ransomware.
6. Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities
Samba has released software updates to remediate multiple vulnerabilities that, if successfully exploited, could allow an attacker to take control of affected systems. The high-severity flaws, tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in versions 4.17.4, 4.16.8 and 4.15.13 released on December 15, 2022. Samba is an open source Windows interoperability suite for Linux, Unix, and macOS operating systems that offers file server, printing, and Active Directory services.
A brief description of each of the weaknesses is below:
- CVE-2022-38023 (CVSS score: 8.1) – Use of weak RC4-HMAC Kerberos encryption type in the Netlogon Secure Channel
- CVE-2022-37966 (CVSS score: 8.1) – An elevation of privilege vulnerability in Windows Kerberos RC4-HMAC
 An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Str
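Patching to 4.17.4, 4.16.8 or 4.15.13 is the fix for these CVEs, but the weak RC4/MD5 paths they concern can still be kept open by explicit configuration. The script below is an added example (not from the digest or from the Samba project) that reads an smb.conf `[global]` section and reports settings that explicitly allow the weak Netlogon and Kerberos paths. It assumes the smb.conf(5) option names `reject md5 clients`, `reject md5 servers`, `server schannel` and `kerberos encryption types`, and treats `yes`, `yes`, `yes` and `strong` as the hardened values; options that are simply absent are reported separately, because their default depends on the Samba version. The two configurations are constructed for the example.

```python
"""Audit an smb.conf [global] section for explicitly weak Netlogon and
Kerberos settings.

Added example. Option names and hardened values are assumptions taken from
smb.conf(5), not from the digest; sample configs are constructed.
"""
import configparser

# (option, hardened value, why it matters) -- see the lead-in for assumptions.
EXPECTED = [
    ("reject md5 clients", "yes", "refuse Netlogon clients that lack AES"),
    ("reject md5 servers", "yes", "refuse RC4/MD5 Netlogon from DCs"),
    ("server schannel", "yes", "require a secure channel for Netlogon"),
    ("kerberos encryption types", "strong", "no RC4-HMAC Kerberos tickets"),
]

_BOOL = {"yes": "yes", "true": "yes", "1": "yes",
         "no": "no", "false": "no", "0": "no"}


def _normalise(value):
    """Collapse Samba's boolean spellings so 'true' and 'yes' compare equal."""
    v = value.strip().lower()
    return _BOOL.get(v, v)


def parse_smb_conf(text):
    """Return the [global] section as a dict of lower-cased option -> value."""
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False,
        comment_prefixes=(";", "#"), inline_comment_prefixes=(";", "#"))
    cp.optionxform = lambda opt: " ".join(opt.lower().split())
    cp.read_string(text)
    return dict(cp["global"]) if cp.has_section("global") else {}


def audit_smb_conf(text):
    """Return {'weak': [(option, found, expected, why)], 'unset': [option]}."""
    conf = parse_smb_conf(text)
    weak, unset = [], []
    for opt, want, why in EXPECTED:
        if opt not in conf:
            unset.append(opt)          # default is version-dependent
            continue
        found = _normalise(conf[opt])
        if found != want:
            weak.append((opt, found, want, why))
    return {"weak": weak, "unset": unset}


# Constructed sample: a DC that has re-enabled the weak paths.
WEAK_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.TEST
    server role = active directory domain controller
    reject md5 clients = no      ; lets old clients keep RC4-HMAC Netlogon
    server schannel = auto
    kerberos encryption types = all
"""

# Constructed sample: the same host with the options set to hardened values.
HARDENED_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.TEST
    server role = active directory domain controller
    reject md5 clients = yes
    reject md5 servers = true
    server schannel = yes
    kerberos encryption types = strong
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_smb_conf(conf)
        print(f"{label}: {len(result['weak'])} weak, unset={result['unset']}")
        for opt, found, want, why in result["weak"]:
            print(f"  {opt} = {found} (expected {want}: {why})")
```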
7. Okta Says Its GitHub Account Hacked, Source Code Stolen
Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub source code repositories were hacked this month. 
Earlier this month, GitHub alerted Okta of suspicious access to Okta’s code repositories, states the notification. Despite stealing Okta’s source code, attackers did not gain unauthorized access to the Okta service or customer data, says the company. Okta’s “HIPAA, FedRAMP or DoD customers” remain unaffected as the company “does not rely on the confidentiality of its source code as a means to secure its services.” As such, no customer action is needed.
8. GitHub Announces Free Secret Scanning for All Public Repositories
GitHub said it is making available its secret scanning service to all public repositories on the code hosting platform for free. Secret scanning alerts notify you directly about leaked secrets in your code. Secret scanning is designed to examine repositories for access tokens, private keys, credentials, API keys, and other secrets in over 200 formats that may have been accidentally committed, and generate alerts to prevent their misuse. The security option was previously limited to repositories owned by organizations that use GitHub Enterprise Cloud and have a GitHub Advanced Security license. For customers of GitHub Advanced Security, the protections go a step further by performing the scans for exposed secrets, including custom patterns, during code pushes. The Microsoft subsidiary also said it’s planning to turn on two-factor authentication requirements for “distinct groups of users” starting March 2023 with the goal of expanding it to all GitHub users by the end of next year.
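GitHub's service runs server-side after a push; the same idea can run locally so a token never reaches the remote in the first place. The following is an added example (not GitHub's scanner and not affiliated with it) of a pre-commit style detector for a few publicly documented credential formats: an AWS access key ID, a GitHub personal access token, a Slack token, a PEM private-key header, and a quoted value assigned to a password-like variable. It skips obvious placeholder values and reports a redacted preview rather than the secret itself. The file contents are constructed; the AWS key ID is the documented example value, and the regular expressions are this example's own approximations, not the partner-validated patterns GitHub uses.

```python
"""Scan text for a handful of well-known credential formats.

Added example, not GitHub's scanner. Sample file contents are constructed;
the AWS access key ID below is the documented example value.
"""
import re

# (finding type, pattern). Real scanners cover far more formats and validate
# each with the provider; these are illustrative approximations.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack_token", re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b")),
    ("private_key", re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("generic_secret_assignment", re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b"
        r"""\s*[:=]\s*['"]([^'"\s]{8,})['"]""")),
]

# Values that look like secrets but are clearly placeholders.
PLACEHOLDERS = {"changeme", "example", "xxxxxxxx", "<redacted>", "your-token-here"}


def redact(value):
    """Show enough of a match to locate it, never the whole value."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text, path="<stdin>"):
    """Return a list of findings for one file's content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS:
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value.lower() in PLACEHOLDERS:
                    continue
                findings.append({"path": path, "line": lineno,
                                 "type": name, "preview": redact(value)})
    return findings


def scan_files(files):
    """files: {path: content}. Returns (findings, exit_code); a non-zero
    exit code is what a pre-commit hook uses to block the commit."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(content, path))
    return findings, (1 if findings else 0)


# Constructed sample tree: two real-looking leaks, one placeholder, one clean.
SAMPLE_FILES = {
    "config/settings.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\nDEBUG = True\n",
    "deploy/.env": "GITHUB_TOKEN=ghp_" + "a" * 36 + "\nAPI_KEY=\"changeme\"\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, no key material)\n",
    "README.md": "Run `make deploy` after setting API_KEY in .env\n",
}

if __name__ == "__main__":
    results, code = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['type']} ({f['preview']})")
    raise SystemExit(code)
```

A hook like this checks the working copy it is given; a secret already pushed in an earlier commit is still in history, which is why the push-time and repository-wide scanning described above matters even with local checks in place.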
