Programmer’s Digest #25

03/24/2023-03/29/2023 New MacStealer macOS Malware, Malicious Python Package, Critical WooCommerce Payments Plugin Flaw And More

1. New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords

A new information-stealing malware has set its sights on Apple’s macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it’s the latest example of a threat that uses Telegram as a command-and-control (C2) platform to exfiltrate data. It primarily affects devices running macOS versions Catalina and later running on M1 and M2 CPUs. MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. It also features support for harvesting Microsoft Office files, images, archives, and Python scripts. Stealer malware is typically spread through different channels, including email attachments, bogus software downloads, and other social engineering techniques.

2. Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data

A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy an info-stealing malware. The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials and other valuable data. It has since been taken down, but not before attracting a total of 183 downloads. The package incorporates its malicious behavior in a setup script that’s packed with thousands of seemingly legitimate code strings. These strings include a mix of bold and italic fonts and are still readable and can be parsed by the Python interpreter, only to activate the execution of the stealer malware upon installation of the package.
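The trick described above works because Python applies NFKC normalization to identifiers (PEP 3131), so a name spelled with mathematical bold or italic letters is the same name as its ASCII form once parsed. The following is an added example, not code from the onyxproxy package or from any of the researchers cited; it builds a constructed two-line source sample, shows what the compiler sees, and runs a small detector over the tokens that a reviewer could point at a setup script before installing it.

```python
import io
import tokenize
import unicodedata


def math_bold(word: str) -> str:
    """Spell an ASCII lowercase word with MATHEMATICAL BOLD SMALL letters (U+1D41A..)."""
    return "".join(unicodedata.lookup(f"MATHEMATICAL BOLD SMALL {c.upper()}") for c in word)


# Constructed sample: line 2 calls the builtin "print" through a bold spelling of
# its name. It is not the real onyxproxy setup script, just the same technique.
SAMPLE_SOURCE = (
    "import os\n"
    f"{math_bold('print')}(os.getcwd())\n"
    "total = 1\n"
)


def nfkc_equivalent(identifier: str) -> str:
    """The canonical form the interpreter uses for an identifier."""
    return unicodedata.normalize("NFKC", identifier)


def find_disguised_identifiers(source: str) -> list:
    """Return (line, as_written, canonical) for every NAME token that is not plain ASCII.

    tokenize yields the text exactly as written, so the bold spelling is visible here
    even though the parser will later fold it to ASCII.
    """
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.NAME and not tok.string.isascii():
            findings.append((tok.start[0], tok.string, nfkc_equivalent(tok.string)))
    return findings


def names_seen_by_compiler(source: str) -> tuple:
    """Names the compiled code object refers to, after the parser normalised them."""
    return compile(source, "<sample>", "exec").co_names


if __name__ == "__main__":
    for line, written, canonical in find_disguised_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: {written!r} is really {canonical!r}")
    print("compiler sees:", names_seen_by_compiler(SAMPLE_SOURCE))
```

A linter that only greps for the string `print` or `exec` in a setup script misses the bold spelling; the detector above catches it because it looks at the token text and compares it with the normalized form. Pure ASCII sources produce no findings.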

3. GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations

GitHub replaced its RSA SSH host key used for Git operations after it was briefly exposed in a public repository. The change, carried out at 05:00 UTC on March 24, 2023, was done as a precaution to prevent impersonation or eavesdropping by bad actors. However, the move only affects Git operations using RSA, not Web traffic to GitHub.com or Git operations via HTTPS. The company, owned by Microsoft, said the exposed SSH private key was not exploited and didn’t reveal how long it was exposed. GitHub emphasized that there was no compromise of its systems or customer information, and the incident was due to “inadvertent publishing of private information.” Users of GitHub Actions may experience failed workflow runs if using actions/checkout with the ssh-key option, and the company is updating the action.
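Clients that cached the old RSA host key will see a host-key mismatch until the stale entry is removed from `~/.ssh/known_hosts`. The following is an added example, not GitHub's own tooling; it removes only the `ssh-rsa` entries for one host, handles both plain and `HashKnownHosts` (`|1|salt|hmac`) host fields, and leaves other key types for that host and all other hosts untouched so the client can re-learn the replacement key through its normal verified channel. The key blobs in the sample file are constructed placeholders, not GitHub's real keys.

```python
import base64
import hashlib
import hmac

RSA = "ssh-rsa"


def hashed_hostfield(host: str, salt: bytes) -> str:
    """Build the '|1|salt|hmac' form that HashKnownHosts writes for a hostname."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hostfield_matches(hostfield: str, host: str) -> bool:
    """True if any comma-separated pattern in the host field names `host`, plain or hashed."""
    for pattern in hostfield.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, digest_b64 = pattern.split("|")
            expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(expected, base64.b64decode(digest_b64)):
                return True
        elif pattern == host:
            return True
    return False


def drop_host_key(known_hosts: str, host: str, key_type: str = RSA) -> tuple:
    """Return (kept_text, removed_lines) after removing `key_type` entries for `host`."""
    kept, removed = [], []
    for line in known_hosts.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            # An optional leading marker such as @cert-authority or @revoked shifts the fields.
            offset = 1 if fields[0].startswith("@") else 0
            if len(fields) >= offset + 3:
                hostfield, ktype = fields[offset], fields[offset + 1]
                if ktype == key_type and hostfield_matches(hostfield, host):
                    removed.append(line)
                    continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


# Constructed sample file. The salt is fixed here so the hashed line is reproducible;
# a real known_hosts uses a random salt per entry. Key blobs are placeholders.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "github.com ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-OLD-RSA-BLOB",
    hashed_hostfield("github.com", SALT) + " ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-OLD-RSA-BLOB",
    "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-CONSTRUCTED-ED25519-BLOB",
    "gitlab.example.internal ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-OTHER-BLOB",
]) + "\n"


if __name__ == "__main__":
    kept, removed = drop_host_key(SAMPLE_KNOWN_HOSTS, "github.com")
    print("removed:", *removed, sep="\n  ")
    print("kept:\n" + kept)
```

On a single workstation `ssh-keygen -R github.com` does the same job for every key type at once; the function above is narrower on purpose, since only the RSA key was replaced, and it is the shape of check you want when sweeping many CI runners or build images for stale entries.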

4. Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores. It impacts versions 4.8.0 through 5.6.1. The vulnerability appears to reside in a PHP file called “class-platform-checkout-session.php”. WooCommerce also said it worked with WordPress to auto-update sites using affected versions of the software. Patched versions include 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2. Furthermore, the maintainers of the e-commerce plugin noted that it’s disabling the WooPay beta program owing to concerns that the security defect has the potential to impact the payment checkout service.

5. CloudPanel Installations Use The Same SSL Certificate Private Key

Self-hosted web administration solution CloudPanel was found to have several security issues, including using the same SSL certificate private key across all installations and unintentionally overwriting firewall rules with weaker default settings. At the time of writing, the two issues mentioned above remained unfixed, while the software developer addressed a third security problem concerning the installation script. The first issue concerns the trustworthiness of the “curl to bash” installation procedure, as it downloaded code without an integrity check; the vendor promptly addressed this by publishing a cryptographically secure checksum of the installation script. The second problem is that the CloudPanel installation script resets a server’s pre-existing Uncomplicated Firewall (ufw) rules and introduces a far more permissive ruleset. The third flaw is tracked as CVE-2023-0391 and is caused by CloudPanel installs using a static SSL certificate, enabling attackers to find CloudPanel instances using the certificate’s thumbprint.
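Each of the three CloudPanel issues has a concrete check an operator can run before and after installing any third-party panel: compare the downloaded installer against the vendor's published checksum, snapshot the ufw ruleset and diff it after the install, and group your own hosts by certificate thumbprint to spot a shared key. The following is an added example, not CloudPanel's code or the researchers' tooling; the installer bytes, the `ufw status` output and the certificate bytes are all constructed samples, and the "published" checksum is computed from the sample in place of a value a vendor would publish out-of-band.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# --- 1. "curl | bash" installer: verify a published checksum before running it ---

# Constructed stand-in for a downloaded install script and for the checksum the
# vendor would publish separately (here derived from the sample so the demo runs offline).
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'constructed stand-in for an installer'\n"
SAMPLE_PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_SCRIPT).hexdigest()


def installer_matches_checksum(script: bytes, published_sha256: str) -> bool:
    """True only if the downloaded bytes hash to the checksum obtained out-of-band."""
    actual = hashlib.sha256(script).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())


# --- 2. Installer that rewrites ufw rules: snapshot the ruleset and diff it ---

# Matches the rule lines of `ufw status`; header and separator lines do not match.
RULE_RE = re.compile(
    r"^(?P<to>\S+)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<dir>IN|OUT))?\s+(?P<from>.+?)\s*$"
)

# Constructed before/after snapshots: SSH was restricted to an internal range before the
# install and is open to Anywhere afterwards, with two extra ports opened.
UFW_BEFORE = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       10.0.0.0/8
443/tcp                    ALLOW       Anywhere
"""
UFW_AFTER = """Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere
"""


def parse_ufw_status(text: str) -> set:
    """Parse `ufw status` output into a set of (to, action, direction, from) tuples."""
    rules = set()
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.add((m["to"], m["action"], m["dir"] or "IN", m["from"]))
    return rules


def ruleset_diff(before: str, after: str) -> dict:
    """Rules that disappeared and rules that appeared between two snapshots."""
    b, a = parse_ufw_status(before), parse_ufw_status(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


# --- 3. Static certificate shared by every install: group hosts by thumbprint ---

def cert_thumbprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the usual meaning of 'thumbprint'."""
    return hashlib.sha256(der).hexdigest()


def hosts_sharing_a_certificate(inventory: dict) -> dict:
    """Map thumbprint -> hosts for every certificate seen on more than one host."""
    by_print = defaultdict(list)
    for host, der in inventory.items():
        by_print[cert_thumbprint(der)].append(host)
    return {tp: sorted(hosts) for tp, hosts in by_print.items() if len(hosts) > 1}


# Constructed inventory: two panels serving identical certificate bytes, one unique.
SAMPLE_INVENTORY = {
    "panel-a.example.internal": b"constructed-der-bytes-shared",
    "panel-b.example.internal": b"constructed-der-bytes-shared",
    "panel-c.example.internal": b"constructed-der-bytes-unique",
}


if __name__ == "__main__":
    print("installer ok:", installer_matches_checksum(SAMPLE_SCRIPT, SAMPLE_PUBLISHED_SHA256))
    print("ufw diff:", ruleset_diff(UFW_BEFORE, UFW_AFTER))
    print("shared certs:", hosts_sharing_a_certificate(SAMPLE_INVENTORY))
```

The checksum check only helps if the published value comes from a channel independent of the download itself; a checksum served by the same URL that can be tampered with proves nothing. The ufw diff is the part most people skip, and it is exactly what would have surfaced the second issue on the first test install.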

6. Exchange Online To Block Emails From Vulnerable On-Prem Servers

Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from “persistently vulnerable Exchange servers” 90 days after the admins are pinged to secure them. As Redmond explains, these are Exchange servers in on-premises or hybrid environments that run end-of-life software or haven’t been patched against known security bugs. Microsoft says this new Exchange Online “transport-based enforcement system” has three distinct functions: reporting, throttling, and blocking. The new system’s primary goal is to help Exchange admins identify unpatched or unsupported on-prem Exchange servers, allowing them to upgrade or patch them before they become security risks. However, it will also be able to throttle and eventually block emails from Exchange servers that haven’t been remediated before they reach Exchange Online mailboxes.