Programmer’s Digest #12
22-28/12/2022. Hackers Breach Okta’s GitHub Repositories, W4SP Stealer Discovered in Multiple PyPI Packages, Security Flaws in Ghost CMS Blogging Software And More
1. W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names
Threat actors have published another round of malicious packages to the Python Package Index (PyPI) with the goal of delivering information-stealing malware to compromised developer machines. Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, cybersecurity company Phylum found them all to be copies of W4SP Stealer. W4SP Stealer primarily functions to siphon user data, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. For some reason, each deployment appears to have simply done a find/replace of the W4SP references, swapping in some other seemingly arbitrary name. The campaign distributing W4SP Stealer gained traction around October 2022. Since then, dozens of additional bogus packages containing W4SP Stealer have been published on PyPI by the persistent threat actors. It’s worth noting that previous versions of the attack chains have been spotted fetching next-stage Python code directly from a public GitHub repository that then drops the credential stealer.
2. LastPass Admits to Severe Data Breach, Encrypted Password Vaults Stolen
The August 2022 security breach of LastPass may have been more severe than previously disclosed by the company. The popular password management service revealed that malicious actors obtained a trove of personal information belonging to its customers, including their encrypted password vaults, by using data siphoned from the earlier break-in. Also stolen was “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service”. The August 2022 incident involved the miscreants accessing source code and proprietary technical information from its development environment via a single compromised employee account. LastPass said this permitted the unidentified attacker to obtain credentials and keys that were subsequently leveraged to extract information from a backup stored in a cloud-based storage service, which it emphasized is physically separate from its production environment. LastPass confirmed that the security lapse did not involve access to unencrypted credit card data, as this information was not archived in the cloud storage container. The company did not divulge how recent the backup was, but warned that the threat actor “may attempt to use brute-force to guess your master password and decrypt the copies of vault data they took,” as well as target customers with social engineering and credential stuffing attacks.
3. GuLoader Malware Utilizing New Techniques to Evade Security Software
Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software. A new shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning the entire process memory for any virtual machine (VM)-related strings. GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader that’s used to distribute remote access trojans such as Remcos on infected machines. A recent GuLoader sample unearthed by CrowdStrike exhibits a three-stage process wherein the VBScript is designed to deliver a next-stage payload that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory. The shellcode, besides incorporating the same anti-analysis methods, downloads a final payload of the attacker’s choice from a remote server and executes it on the compromised host. The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an error message if it detects any known analysis or debugging mechanism. This includes anti-debugging and anti-disassembling checks to detect the presence of a remote debugger and breakpoints and, if found, terminate the shellcode. The shellcode also scans for virtualization software. An added capability is what the cybersecurity company calls a “redundant code injection mechanism” to avoid the NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions. In a nutshell, the method involves using assembly instructions to invoke the necessary Windows API function to allocate memory (i.e., NtAllocateVirtualMemory) and inject arbitrary shellcode into that location via process hollowing.
4. Two New Security Flaws Reported in Ghost CMS Blogging Software
Cybersecurity researchers have detailed two security flaws in the JavaScript-based blogging platform known as Ghost, one of which could be abused to elevate privileges via specially crafted HTTP requests. Tracked as CVE-2022-41654 (CVSS score: 9.6), the authentication bypass vulnerability allows unprivileged users (i.e., members) to make unauthorized modifications to newsletter settings. Cisco Talos, which discovered the shortcoming, said it could enable a member to change the system-wide default newsletter that all users are subscribed to by default. Even worse, the ability of a site administrator to inject JavaScript into the newsletter by default could be exploited to trigger the creation of arbitrary administrator accounts when attempting to edit the newsletter. The CMS platform attributed the bug to a “gap” in its API validation, adding that it found no evidence the issue has been exploited in the wild. Also patched by Ghost is an enumeration vulnerability in the login functionality (CVE-2022-41697, CVSS score: 5.3) that could lead to the disclosure of sensitive information.
5. Zerobot Malware Now Spreads By Exploiting Apache Vulnerabilities
The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers. The Microsoft Defender for IoT research team also observed that this latest version adds new distributed denial-of-service (DDoS) capabilities. Zerobot has been under active development since at least November, with new versions adding new modules and features to expand the botnet’s attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras. Since early December, the malware’s developers have removed modules that targeted phpMyAdmin servers, Dasan GPON home routers, and D-Link DSL-2750B wireless routers with year-old exploits. The update spotted by Microsoft adds newer exploits to the malware’s toolkit, enabling it to target seven new types of devices and software, including unpatched Apache and Apache Spark servers.
The list of modules added to Zerobot 1.1 includes:
- CVE-2017-17105: Zivif PR115-204-P-RS
- CVE-2019-10655: Grandstream
- CVE-2020-25223: WebAdmin of Sophos SG UTM
- CVE-2021-42013: Apache
- CVE-2022-31137: Roxy-WI
Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.
6. Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks
Defiant’s Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks. The YITH WooCommerce Gift Cards plugin allows online merchants to create gift cards that their customers can purchase for their friends to use on the ecommerce store. The premium plugin has more than 50,000 installations, its developer says. Tracked as CVE-2022-45359 (CVSS score of 9.8), the exploited vulnerability was reported in November and a patch for it was made available soon after. The issue is described as an arbitrary file upload, allowing attackers to upload executable files to WordPress sites that use a vulnerable version of the plugin. No authentication is required for successful exploitation. According to the WordPress security firm, an attacker can exploit the vulnerability to place a backdoor on a vulnerable installation, gain remote code execution (RCE), and potentially take over the site. Site admins can identify signs of an attack by checking their logs for POST requests to wp-admin/admin-post.php.
According to Wordfence, observed attacks came from hundreds of IP addresses, but only two IPs were responsible for the majority of exploitation attempts. Site admins are advised to update to YITH WooCommerce Gift Cards premium version 3.20.0 or newer, which contains the patch for this vulnerability.
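One way to run the log check Wordfence recommends, as an added example that is not code from the advisory or the plugin: it parses constructed combined-format access-log lines, lists POSTs to wp-admin/admin-post.php per source IP, and (an added heuristic of my own, an assumption rather than something the advisory states) flags later requests from those IPs for .php files under wp-content/uploads/, which is where a successful arbitrary upload would typically be invoked from.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format; the IPs are
# RFC 5737 documentation addresses, not real attacker infrastructure.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Dec/2022:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.7 - - [27/Dec/2022:10:01:05 +0000] "GET /shop/gift-cards/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Dec/2022:10:01:09 +0000] "POST /wp-admin/admin-post.php?action=x HTTP/1.1" 200 512 "-" "python-requests/2.28"
192.0.2.44 - - [27/Dec/2022:10:02:11 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 512 "-" "curl/7.85"
203.0.113.10 - - [27/Dec/2022:10:03:40 +0000] "GET /wp-content/uploads/abc.php HTTP/1.1" 200 40 "-" "curl/7.85"
198.51.100.7 - - [27/Dec/2022:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def admin_post_hits(log_text):
    """(ip, timestamp, status) for each POST to wp-admin/admin-post.php,
    the indicator Wordfence tells site admins to look for."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and \
                rec["path"].split("?", 1)[0].endswith("/wp-admin/admin-post.php"):
            hits.append((rec["ip"], rec["ts"], int(rec["status"])))
    return hits

def top_sources(hits, n=5):
    """Rank source IPs by number of admin-post.php POSTs, most active first."""
    return Counter(ip for ip, _, _ in hits).most_common(n)

def php_under_uploads(log_text, suspect_ips):
    """Added heuristic (assumption, not from the advisory): a suspect IP later
    requesting a .php file under wp-content/uploads/ suggests the upload landed."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in suspect_ips:
            path = rec["path"].split("?", 1)[0]
            if "/wp-content/uploads/" in path and path.endswith(".php"):
                flagged.append((rec["ip"], path))
    return flagged
```

Feed the functions your real access log instead of SAMPLE_LOG; a handful of IPs dominating the admin-post.php POST count matches the pattern Wordfence describes, and any flagged uploads path deserves a look at the file itself.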