Programmer’s Digest #15
01/12/2023-01/18/2023. Hackers Can Abuse Legitimate GitHub Codespaces, 3 PyPI Packages Spreading Malware, Zoho ManageEngine PoC Exploit to be Released, And More
1. Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware
New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. Publicly shared forwarded ports could be exploited to create a malicious file server using a GitHub account. In a proof-of-concept (PoC) exploit, a threat actor could create a codespace, download malware from an attacker-controlled domain into the environment, and set the visibility of the forwarded port to public, essentially transforming the application into a web server hosting rogue payloads. Even more troublingly, the adversary can augment this method to deploy malware and compromise a victim’s environment, since each codespace domain associated with the exposed port is unique and unlikely to be flagged by security tools as a malicious domain. Using this technique, attackers can easily abuse GitHub Codespaces to serve malicious content at a rapid rate by exposing ports publicly on their codespace environments.
2. Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems
A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages – named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12) – have since been yanked from PyPI, but not before they were cumulatively downloaded over 550 times. The modules come with identical setup scripts that are designed to invoke PowerShell and run a malicious binary (“Oxzy.exe”) hosted on Dropbox. The executable, once launched, triggers the retrieval of a next-stage binary named update.exe, which runs from the Windows temporary folder (“%USER%\AppData\Local\Temp\”). update.exe is flagged by antivirus vendors on VirusTotal as an information stealer that is also capable of dropping additional binaries, one of which is detected by Microsoft as Wacatac. The Windows maker describes the trojan as a threat that “can perform a number of actions of a malicious hacker’s choice on your PC”.
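The item above turns on a single fact: the packages' setup scripts ran a program at install time. The following is an added example (not code from the digest, from PyPI, or from the packages named above) of the static triage a reviewer or a CI gate can apply to a package's setup.py before it is installed: it parses the script with `ast` and flags calls that execute external programs or fetch remote content, custom `install`/`develop` command classes (the usual hook for install-time code), and string literals mentioning PowerShell, `.exe` files or URLs. The sample setup.py below is constructed for illustration and does not reproduce the malicious packages' code; the executable name in it is a placeholder.

```python
"""Static triage of a setup.py for install-time execution (added example)."""
import ast
import re
from typing import List

# Calls that execute external programs or pull remote content at install time.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "urllib.request.urlopen",
    "requests.get", "exec", "eval",
}
# String literals worth a second look in a setup script.
SUSPICIOUS_STRINGS = re.compile(r"powershell|\.exe\b|https?://", re.IGNORECASE)
# setuptools command classes commonly subclassed to run code during install.
HOOK_BASES = {"install", "develop", "egg_info", "build_py"}


def _call_name(node: ast.Call) -> str:
    """Return a dotted name such as 'subprocess.run' for a call node."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def scan_setup_script(source: str) -> List[str]:
    """Return findings (one string each) for install-time execution or download."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}")
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
                if base_name in HOOK_BASES:
                    findings.append(f"line {node.lineno}: custom {base_name} command class {node.name}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SUSPICIOUS_STRINGS.search(node.value):
                findings.append(f"line {node.lineno}: suspicious string {node.value!r}")
    return findings


# Constructed sample: a setup script with an install hook that invokes PowerShell.
# It stands in for the behaviour described in the digest; the .exe name is a placeholder.
CONSTRUCTED_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.run(["powershell", "-c", "Start-Process placeholder-binary.exe"])

setup(name="demo", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign sample for comparison.
CONSTRUCTED_BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="ok", version="1.0")\n'

if __name__ == "__main__":
    for finding in scan_setup_script(CONSTRUCTED_SETUP_PY):
        print(finding)
```

A clean result from this scan is not proof of safety (code can hide in package modules or be fetched later), but any hit on a setup script is reason to hold the install and read the package by hand.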
3. Zoho ManageEngine PoC Exploit to be Released Soon – Patch Before It’s Too Late!
Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of proof-of-concept (PoC) exploit code. The issue in question is CVE-2022-47966, an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. This vulnerability allows an unauthenticated adversary to execute arbitrary code. Horizon3.ai has now released Indicators of Compromise (IOCs) associated with the flaw, stating that it was able to successfully reproduce the exploit against the ManageEngine ServiceDesk Plus and ManageEngine Endpoint Central products. An attacker in possession of such elevated privileges could weaponize it to steal credentials with the goal of conducting lateral movement.
4. Microsoft Azure Services Flaws Could’ve Exposed Cloud Resources to Unauthorized Access
Four different Microsoft Azure services have been found vulnerable to server-side request forgery (SSRF) attacks that could be exploited to gain unauthorized access to cloud resources. The security issues in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins have since been addressed by Microsoft. The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports and find new services, endpoints, and sensitive files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry, and on the location of sensitive information to target. SSRF attacks can have serious consequences, as they enable a malicious interloper to read or update internal resources and, worse, pivot to other parts of the network and breach otherwise unreachable systems to extract valuable data.
Recommendation
To mitigate such threats, organizations are recommended to validate all input, ensure that servers are configured to only allow necessary inbound and outbound traffic, avoid misconfigurations, and adhere to the principle of least privilege (PoLP).
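The "validate all input" recommendation is concrete for SSRF: a server-side component that fetches a user-supplied URL should check the scheme and port against an allowlist, resolve the host, and refuse any target that resolves to a loopback, private, link-local or otherwise non-public address (the link-local range includes the cloud metadata endpoint 169.254.169.254). The following is an added example of that check, not code from Microsoft or from the research described above; the resolver is injectable so the check can be exercised offline, and the addresses and hostnames in the usage are constructed.

```python
"""Pre-fetch validation of an outbound URL against SSRF (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_with_system(host: str) -> Iterable[str]:
    """Default resolver: every A/AAAA answer for the host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes private, loopback, link-local (169.254/16),
    # unspecified and reserved ranges; multicast is excluded explicitly because
    # older Python versions did not treat it as non-global.
    return ip.is_global and not ip.is_multicast and not ip.is_reserved


def check_fetch_target(url: str,
                       resolver: Callable[[str], Iterable[str]] = resolve_with_system) -> Optional[str]:
    """Return None if `url` may be fetched, otherwise the reason it was rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "missing host"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    # IP literals are checked directly; names go through the resolver, and
    # every returned address must be public (a name may resolve to several).
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        try:
            addrs = list(resolver(parts.hostname))
        except (socket.gaierror, OSError) as exc:
            return f"resolution failed: {exc}"
    if not addrs:
        return "host did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return f"resolves to non-public address {addr}"
    return None


# Constructed offline resolver standing in for DNS in the usage below.
CONSTRUCTED_DNS = {
    "public.example": ["198.41.0.4"],     # a public address
    "internal.example": ["10.0.0.5"],     # RFC 1918
    "dual.example": ["198.41.0.4", "127.0.0.1"],  # one public, one loopback
}


def constructed_resolver(host: str) -> Iterable[str]:
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://public.example/api", "http://169.254.169.254/latest/meta-data/",
                      "http://internal.example/", "file:///etc/passwd"):
        print(candidate, "->", check_fetch_target(candidate, constructed_resolver) or "ok")
```

One caveat belongs with this check: resolving in the validator and then letting the HTTP client resolve again opens a DNS rebinding window, so the fetch should connect to the address the validator approved (or the validation should run inside the client's connection hook), and redirects should be re-validated hop by hop.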
5. Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability
A majority of internet-exposed Cacti servers remain unpatched against a recently fixed critical security vulnerability that has come under active exploitation in the wild. That’s according to attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to be running a patched version of Cacti (1.2.23 and 1.3.0). The issue in question relates to CVE-2022-46169 (CVSS score: 9.8), a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution. The public disclosure of the vulnerability has also led to “exploitation attempts,” with the Shadowserver Foundation and GreyNoise warning of malicious attacks originating from one IP address located in Ukraine so far.
6. Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software
A “large and resilient infrastructure” comprising over 250 domains has been used to distribute information-stealing malware such as Raccoon and Vidar since early 2020. The infection chain uses about a hundred fake cracked-software catalogue websites that redirect through several links before downloading the payload hosted on file-sharing platforms such as GitHub. The attacks target users searching for cracked versions of software and games on search engines like Google, surfacing fraudulent websites at the top of the results by leveraging a technique called search engine optimization (SEO) poisoning to lure victims into downloading and executing the malicious payloads. The poisoned result comes with a download link to the promised software that, upon clicking, triggers a five-stage URL redirection sequence to take the user to a web page displaying a shortened link, which points to a password-protected RAR archive file hosted on GitHub, along with its password. Should the victim uncompress the RAR archive and run the purported setup executable contained within it, one of the two malware families, Raccoon or Vidar, is installed on the system. Users are advised to refrain from downloading pirated software and to enforce multi-factor authentication wherever possible to harden accounts.
7. Alert: Hackers Actively Exploiting Critical “Control Web Panel” RCE Vulnerability
Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022. Control Web Panel, formerly known as CentOS Web Panel, is a popular server administration tool for enterprise-based Linux systems. “login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.” In light of active exploitation in the wild, users reliant on the software are advised to apply the patches to mitigate potential threats.
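The advisory text quoted above names the defect precisely: shell metacharacters in the `login` parameter of `login/index.php` reach an OS command. Two defender-side checks follow from that, and the following is an added example of both (not code from Control Web Panel or from the advisory): a strict allowlist validator for a login identifier, which is the shape of fix that removes this bug class regardless of how the value is later used, and a scan over web server access-log lines that reports requests to `login/index.php` whose `login` query parameter contains shell metacharacters or otherwise fails the allowlist, for teams hunting exploitation attempts while patches roll out. The log lines are constructed samples with documentation-range addresses, not real traffic, and the assumption that the parameter appears in the query string is the example's own.

```python
"""Allowlist validation and log triage for a `login` parameter (added example)."""
import re
from typing import Iterable, List
from urllib.parse import parse_qs, unquote, urlsplit

# Characters the shell interprets specially; any of them in a value that can
# reach a command line is a red flag.
SHELL_METACHARS = set(";|&$`<>(){}\n\r'\"\\")
# Positive allowlist for a login identifier: letters, digits, dot, underscore,
# hyphen, bounded length. Anything else is rejected rather than escaped.
ALLOWED_LOGIN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_PATTERN = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def login_is_acceptable(value: str) -> bool:
    """Return True only for values matching the allowlist."""
    return bool(ALLOWED_LOGIN.match(value))


def contains_shell_metachars(value: str) -> bool:
    """Return True if the value holds any shell metacharacter."""
    return any(ch in SHELL_METACHARS for ch in value)


def flag_login_requests(log_lines: Iterable[str]) -> List[str]:
    """Report requests to login/index.php whose `login` value is suspicious."""
    hits = []
    for line in log_lines:
        m = LOG_PATTERN.match(line)
        if not m:
            continue  # not a parsable access-log line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/login/index.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("login", []):
            # parse_qs decoded once; decode again to also catch double-encoding.
            decoded = unquote(value)
            if contains_shell_metachars(decoded):
                reason = "shell metacharacter"
            elif not login_is_acceptable(decoded):
                reason = "value outside allowlist"
            else:
                continue
            hits.append(f"{m.group('ip')} [{m.group('ts')}] {reason}: login={decoded!r}")
    return hits


# Constructed sample log lines (documentation-range addresses, not real traffic).
CONSTRUCTED_LOG = [
    '192.0.2.10 - - [14/Jan/2023:10:00:01 +0000] "GET /login/index.php?login=alice HTTP/1.1" 200 512',
    '192.0.2.20 - - [14/Jan/2023:10:00:02 +0000] "GET /index.php?page=status HTTP/1.1" 200 200',
    '198.51.100.7 - - [14/Jan/2023:10:00:03 +0000] "GET /login/index.php?login=admin%7C%7Ctrue HTTP/1.1" 200 512',
    '198.51.100.9 - - [14/Jan/2023:10:00:04 +0000] "GET /login/index.php?login=bob%20smith HTTP/1.1" 200 512',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in flag_login_requests(CONSTRUCTED_LOG):
        print(hit)
```

The allowlist is the durable part: once a value is constrained to a small character class before use, the question of which metacharacters a particular shell honours no longer matters. The log scan is a stopgap for hunting, and a POST body or a differently named parameter would need a corresponding change to what is parsed.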