Programmer’s Digest #21

02/23/2023-03/01/2023. ZK Framework Flaw Exploited, PlugX Trojan Disguised as Legitimate Windows Debugger Tool, Attacks Exploiting Zoho ManageEngine Products And More

1. CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2022-36537, the issue affects versions 8.6.4.1, 9.0.1.2, 9.5.1.3, 9.6.0.1, and 9.6.1 and lets attackers retrieve sensitive data via specially crafted requests. The vulnerability has been patched in versions 8.6.4.2, 9.0.1.3, 9.5.1.4, 9.6.0.2, and 9.6.2. ZK is an open source Java web framework, so the flaw reaches multiple products built on it, including ConnectWise R1Soft Server Backup Manager. There, it can be used to bypass authentication, upload a backdoored JDBC database driver, and deploy ransomware. The vulnerability has been exploited extensively by hackers to gain initial access and deploy a web shell backdoor. A majority of the infections are located in the US, South Korea, the UK, Canada, Spain, Colombia, Malaysia, Italy, India, and Panama, with 146 R1Soft servers still backdoored as of February 20, 2023.

2. PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

The PlugX remote access trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of a target system. Because x32dbg.exe is a legitimate application with a valid digital signature, it can confuse some security tools, allowing attackers to bypass file execution restrictions, maintain persistence, escalate privileges, and fly under the radar. PlugX is known for its multiple functionalities, such as data exfiltration and its ability to use the compromised machine for nefarious purposes. The malware employs a technique called DLL side-loading: it plants a legitimate application and then invokes it so that it loads and executes a rogue payload. Persistence is achieved via Windows Registry modifications and the creation of scheduled tasks to ensure continued access even after system restarts.

3. Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

Multiple threat actors have been exploiting a patched critical vulnerability in various Zoho ManageEngine products since January 20, 2023. The flaw, tracked as CVE-2022-47966 and scoring 9.8 on the CVSS scale, permits unauthenticated attackers to take over vulnerable systems completely. Up to 24 products, including Remote Access Plus, ADSelfService Plus, and Password Manager Pro, among others, are affected. The vulnerability allows unauthenticated remote code execution due to usage of an outdated third-party dependency for XML signature validation, Apache Santuario.
The main objective of the attacks detected to date revolves around deploying tools on vulnerable hosts such as Netcat and Cobalt Strike Beacon. Some intrusions have leveraged the initial access to install AnyDesk software for remote access, while a few others have attempted to install a Windows version of a ransomware strain known as Buhti. Some have also tried to use the ManageEngine flaw as an attack vector to install malware that can execute next-stage payloads.

4. Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries

Cybersecurity researchers are warning of “imposter packages” mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. The descriptions for these packages, for the most part, don’t hint at their malicious intent. Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries. In reality, they harbor either downloaders that act as a conduit to deliver second-stage malware to infected hosts, or information stealers designed to exfiltrate sensitive data such as passwords and tokens. Fortinet, which also disclosed similar rogue HTTP packages on PyPI earlier this week, noted their ability to launch a trojan downloader that, in turn, contains a DLL file (Rdudkye.dll) packing a variety of functions. The development is just the latest attempt by malicious actors to poison open source repositories like GitHub, npm, PyPI, and RubyGems to propagate malware to developer systems and mount supply chain attacks.
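One defensive check against the typosquatting pattern described above is to compare every dependency name against an allow-list of packages you actually expect and flag near misses. The script below is an added illustration, not code from the report; the allow-list and the sample requirements file are constructed, and the distance threshold of 2 is an assumption you would tune for your own dependency set.

```python
"""Flag near-miss package names (possible typosquats) in a requirements list.

Added example; KNOWN_GOOD and SAMPLE are constructed, not taken from the report.
"""
import re

# Allow-list of packages we expect, already in PEP 503 normalized form.
KNOWN_GOOD = {"requests", "urllib3", "aiohttp", "httpx", "numpy"}


def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Transposition (e.g. "reqeusts" vs "requests") counts as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_requirement(line: str, max_distance: int = 2):
    """Return (name, closest_known) when a name is a near miss of an allowed package, else None."""
    raw = re.split(r"[=<>!~;\[ ]", line.strip(), maxsplit=1)[0]  # strip version specifiers/extras
    name = normalize(raw)
    if not name or name in KNOWN_GOOD:
        return None
    best = min(KNOWN_GOOD, key=lambda k: edit_distance(name, k))
    return (name, best) if edit_distance(name, best) <= max_distance else None


def scan(requirements: str):
    """Scan a requirements.txt-style string and return all suspicious hits in order."""
    return [h for h in (check_requirement(l) for l in requirements.splitlines()) if h]


# Constructed sample: two transpositions and one dropped letter among legitimate entries.
SAMPLE = "requests==2.28.2\nreqeusts\nurlib3>=1.26\naiohtpp\nnumpy\n"

if __name__ == "__main__":
    for name, known in scan(SAMPLE):
        print(f"suspicious: {name!r} looks like {known!r}")
```

Exact matches against the allow-list are accepted silently; anything within two edits of an allowed name but not identical to it is reported for manual review before installation.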

5. Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links

Over 15,000 spam packages have been uploaded to the npm repository by threat actors in an attempt to spread phishing links. The attack was carried out through automated processes, creating packages with auto-generated names that closely resembled each other. The attackers embedded referral IDs for retail websites in the links, earning referral rewards from users who followed them through the phishing sites. The packages were uploaded from multiple user accounts within hours on February 20 and 21, using a Python script that automated the process. The packages included links to phishing campaigns in their README.md files and were disguised as cheats and free resources with names such as “free-tiktok-followers” and “instagram-followers-free.” The attackers designed well-crafted deceptive web pages that urged victims to fill out surveys or redirected them to legitimate e-commerce portals like AliExpress.

6. LastPass: DevOps Engineer Hacked To Steal Password Vault Data In 2022 Breach

LastPass has revealed further information about a “coordinated second attack,” lasting over two months, in which a threat actor stole data from Amazon AWS cloud storage servers. LastPass disclosed a data breach in December, where threat actors stole partially encrypted password vault data and customer information. The company has now revealed that the threat actors used information from the August breach, data from a separate breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer’s computer. As only four LastPass DevOps engineers had access to the decryption keys, the threat actor targeted one of them. They ultimately gained access to the DevOps engineer’s LastPass corporate vault and were able to export the native corporate vault entries and the content of shared folders, which contained encrypted secure notes with the access and decryption keys needed to reach AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups. The company says it has updated its security posture since the attack.

7. Critical Flaws In WordPress Houzez Theme Exploited To Hijack Websites

Hackers are currently exploiting two critical vulnerabilities in the Houzez theme and plugin for WordPress, primarily used on real estate websites. Patchstack researcher Dave Jong discovered the security flaws and reported them to the vendor ThemeForest, with one fixed in version 2.6.4 and the other in version 2.7.2. However, Patchstack warns that some websites have not applied the security updates, allowing threat actors to exploit the older flaws in ongoing attacks. The first flaw is a security misconfiguration affecting the Houzez Theme plugin version 2.7.1 and older, which can be exploited remotely without authentication to perform privilege escalation. The second flaw impacts versions 2.6.3 and older of the Houzez Login Register plugin, likewise allowing unauthenticated attackers to perform privilege escalation. Attackers are exploiting these vulnerabilities by sending a request to the endpoint that listens for account creation requests, enabling them to take control of the WordPress site. Website owners and administrators should apply the available patches immediately.