
Programmer’s Digest #17

01/26/2023-02/01/2023. GitHub Breach, Vulnerabilities Uncovered in AMI MegaRAC BMC Software, New Python-based RAT And More

1. GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom

GitHub disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of the GitHub Desktop for Mac and Atom apps. As a result, the company is taking the step of revoking the exposed certificates out of an abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Versions 1.63.0 and 1.63.1 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a previous version (1.60.0) of the source code editor. Atom was officially discontinued in December 2022. GitHub Desktop for Windows is not affected.

2. Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software

Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. The issues, collectively tracked as BMC&C, could act as a springboard for cyber attacks, enabling threat actors to obtain remote code execution and unauthorized device access with superuser permissions. The two new flaws in question are as follows: CVE-2022-26872 (CVSS score: 8.3) – Password reset interception via API; CVE-2022-40258 (CVSS score: 5.3) – Weak password hashes for Redfish and API.
It’s worth pointing out that the weaknesses are exploitable only in scenarios where the BMCs are exposed to the internet or in cases where the threat actor has already gained initial access into a data center or administrative network by other methods.

3. ISC Releases Security Patches for New BIND DNS Software Vulnerabilities

The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures. The open source software is used by major financial firms, national and international carriers, internet service providers (ISPs), retailers and government entities. All four flaws reside in named, a BIND9 service that functions as an authoritative nameserver for a fixed set of DNS zones or as a recursive resolver for clients on a local network. Successful exploitation of the vulnerabilities could cause the named service to crash or exhaust available memory on a target server. The issues affect versions 9.16.0 to 9.16.36, 9.18.0 to 9.18.10, 9.19.0 to 9.19.8, and 9.16.8-S1 to 9.16.36-S1. CVE-2022-3488 also impacts BIND Supported Preview Edition versions 9.11.4-S1 to 9.11.37-S1. They have been resolved in versions 9.16.37, 9.18.11, 9.19.9, and 9.16.37-S1.

4. PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration

Cybersecurity researchers have unearthed a new attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems. This malware is unique in its utilization of WebSockets both to avoid detection and for command-and-control (C2) communication and exfiltration. The malware, dubbed PY#RATION by the cybersecurity firm, comes with a host of capabilities that allow the threat actor to harvest sensitive information. Later versions of the backdoor also sport anti-evasion techniques, suggesting that it’s being actively developed and maintained.
Two versions of the trojan have been detected (version 1.0 and 1.6), with nearly 1,000 lines of code added to the newer variant to support network scanning features for reconnaissance of the compromised network and to conceal the Python code behind an encryption layer using the fernet module. Other noteworthy functionalities comprise the ability to transfer files from host to C2 or vice versa, record keystrokes, execute system commands, extract passwords and cookies from web browsers, capture clipboard data, and check for the presence of antivirus software.

5. Realtek Vulnerability Under Attack: Over 134 Million Attempts to Hack IoT Devices

Researchers are warning about a spike in exploitation attempts weaponizing a now-patched critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022. The ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months. The vulnerability in question is CVE-2021-35394 (CVSS score: 9.8), a set of buffer overflows and an arbitrary command injection bug that could be weaponized to execute arbitrary code with the highest level of privilege and take over affected appliances. Unit 42 said it discovered three different kinds of payloads distributed as a result of in-the-wild exploitation of the flaw:

  • A script executes a shell command on the targeted server to download additional malware;
  • An injected command that writes a binary payload to a file and executes it;
  • An injected command that directly reboots the targeted server to cause a denial-of-service (DoS) condition.

6. QNAP Fixes Critical Bug Letting Hackers Inject Malicious Code

QNAP is warning customers to install QTS and QuTS firmware updates that fix a critical security vulnerability allowing remote attackers to inject malicious code on QNAP NAS devices.
The vulnerability is tracked as CVE-2022-27596 and rated by the company as ‘Critical’ (CVSS v3 score: 9.8), impacting QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system. If exploited, this vulnerability allows remote attackers to inject malicious code. SQL injection flaws allow attackers to send specially crafted requests on vulnerable devices to modify legitimate SQL queries to perform unexpected behavior. Furthermore, QNAP released a JSON file describing the severity of the vulnerability, which indicates it is exploitable in low-complexity attacks by remote attackers, without requiring user interaction or privileges on the targeted device.
Recommendation
QNAP users should download the update from QNAP’s Download Center after selecting the correct product type and model and apply it manually on their devices.

7. Researchers Release PoC Exploit for Windows CryptoAPI Bug Discovered by NSA

Proof-of-concept (PoC) code has been released for a now-patched high-severity security flaw in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) reported to Microsoft last year. An attacker could manipulate an existing public X.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate. The Windows CryptoAPI offers an interface for developers to add cryptographic services such as encryption/decryption of data and authentication using digital certificates to their applications. CVE-2022-34689 is rooted in the fact that the vulnerable piece of code that’s designed to accept an X.509 certificate carried out a check that solely relied on the certificate’s MD5 fingerprint. MD5, a message-digest algorithm used for hashing, is essentially cryptographically broken as of December 2008 owing to the risk of birthday attacks, a cryptanalytic method used to find collisions in a hash function. The net effect of this shortcoming is that it opens the door for a bad actor to serve a modified version of a legitimate certificate to a victim app, and then create a new certificate whose MD5 hash collides with the rigged certificate and use it to masquerade as the original entity.
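To make the design flaw concrete, here is an added Python sketch (not Windows code and not the released PoC) of a certificate cache keyed on a fingerprint: the weak lookup treats a fingerprint match as proof of identity, the hardened lookup treats it only as an index and still compares the full encoding. A toy collision-prone digest stands in for an MD5 collision, which cannot be built inline, and the certificate byte strings are constructed stand-ins, not real X.509 data.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
TRUSTED_CERT = b"CERT:CN=Trusted Publisher;serial=0001;key=AAAA"
IMPOSTOR_CERT = b"CERT:CN=Evil Publisher;serial=9999;key=BBBB"


def sha256_fingerprint(der: bytes) -> bytes:
    """Strong fingerprint: collisions are not known to be feasible."""
    return hashlib.sha256(der).digest()


def toy_fingerprint(der: bytes) -> bytes:
    """Deliberately collision-prone digest (first 5 bytes) standing in for a
    colliding MD5 pair; both sample certs share the prefix b'CERT:'."""
    return der[:5]


class CertCache:
    """Caches certificates that were already validated, indexed by fingerprint."""

    def __init__(self, fingerprint: Callable[[bytes], bytes]):
        self.fingerprint = fingerprint
        self._entries: Dict[bytes, bytes] = {}

    def remember_trusted(self, der: bytes) -> None:
        self._entries[self.fingerprint(der)] = der

    def lookup_weak(self, der: bytes) -> Optional[bytes]:
        # Vulnerable pattern: a fingerprint hit is accepted as the cached identity,
        # so any certificate that collides on the fingerprint inherits its trust.
        return self._entries.get(self.fingerprint(der))

    def lookup_hardened(self, der: bytes) -> Optional[bytes]:
        # The fingerprint only selects a candidate; the full encoding must match.
        cached = self._entries.get(self.fingerprint(der))
        if cached is None or not hmac.compare_digest(cached, der):
            return None
        return cached


def demo(fingerprint: Callable[[bytes], bytes]) -> Dict[str, bool]:
    """Report whether each lookup style accepts the impostor as trusted."""
    cache = CertCache(fingerprint)
    cache.remember_trusted(TRUSTED_CERT)
    return {
        "weak_accepts_impostor": cache.lookup_weak(IMPOSTOR_CERT) == TRUSTED_CERT,
        "hardened_accepts_impostor": cache.lookup_hardened(IMPOSTOR_CERT) is not None,
        "hardened_accepts_trusted": cache.lookup_hardened(TRUSTED_CERT) == TRUSTED_CERT,
    }
```

With the toy digest the weak lookup hands the impostor the trusted entry while the hardened lookup rejects it; with SHA-256 both reject it, which shows that the full-encoding comparison is the safeguard that does not depend on the hash staying unbroken.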
