Programmer’s Digest #27
04/06/2023-04/12/2023 Newly Discovered “By-Design” Flaw in Microsoft Azure, Over 1 Million WordPress Sites Infected, Critical Remote Code Execution Flaw in vm2 Sandbox Library And More
1. Newly Discovered “By-Design” Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers
A “by-design flaw” uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code. The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts. According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key. Once an attacker locates the storage account of a Function app that is assigned a strong managed identity, they can run code on its behalf and, as a result, escalate privileges within the subscription (a subscription privilege escalation, PE).
Recommendation
As mitigations, it’s recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead.
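One way to act on that recommendation, as an added example that is not from the newsletter or from Microsoft: a PowerShell script that lists every storage account in the current subscription that still allows Shared Key authorization and, when run with -Remediate, turns it off so that callers must use Azure AD (RBAC) tokens instead. It assumes the Az.Accounts and Az.Storage modules are installed and that Connect-AzAccount has already been run; the -SkipAccounts parameter name is this example's own.

```powershell
# Added example: audit (and optionally disable) Shared Key authorization on
# storage accounts. Assumes Az.Accounts + Az.Storage and an active Connect-AzAccount session.
param(
    [switch]$Remediate,              # report only unless -Remediate is given
    [string[]]$SkipAccounts = @()    # names to leave alone (e.g. a Function app's storage)
)

$findings = @()
foreach ($sa in Get-AzStorageAccount) {
    # AllowSharedKeyAccess is $null when the property was never set; Azure
    # treats that as enabled, which is the default the article describes.
    $sharedKeyEnabled = ($null -eq $sa.AllowSharedKeyAccess) -or $sa.AllowSharedKeyAccess
    if (-not $sharedKeyEnabled) { continue }

    $findings += [pscustomobject]@{
        ResourceGroup = $sa.ResourceGroupName
        Name          = $sa.StorageAccountName
        SharedKey     = if ($null -eq $sa.AllowSharedKeyAccess) { 'unset (default: enabled)' } else { 'enabled' }
    }

    if ($Remediate -and ($sa.StorageAccountName -notin $SkipAccounts)) {
        # Disable Shared Key authorization; data-plane access now requires Azure AD tokens.
        Set-AzStorageAccount -ResourceGroupName $sa.ResourceGroupName `
                             -Name $sa.StorageAccountName `
                             -AllowSharedKeyAccess $false | Out-Null
        Write-Host "Disabled Shared Key access on $($sa.StorageAccountName)"
    }
}

# Accounts still exposed to key-based access (empty when everything is locked down)
$findings | Format-Table -AutoSize
```

Function apps that reach their storage account through a key-based connection string stop working once Shared Key access is disabled, so move them to identity-based connections first or list them in -SkipAccounts.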
2. Hackers Flood NPM with Bogus Packages Causing a DoS Attack
Threat actors flooded the npm open source package repository for Node.js with bogus packages, which briefly even caused a denial-of-service (DoS) condition. The threat actors create malicious websites and publish empty packages with links to those sites, taking advantage of the good reputation open-source ecosystems enjoy on search engines. The attacks made npm unstable, with sporadic ‘Service Unavailable’ errors. While similar campaigns were recently observed propagating phishing links, the latest wave pushed the number of package versions to 1.42 million, a dramatic uptick from the approximately 800,000 packages previously released on npm. The technique relies on open source repositories being ranked highly in search engine results: the attackers create rogue websites and upload empty npm modules whose README.md files link to those sites.
3. Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign
Since 2017, over one million WordPress websites have been affected by a malware campaign called Balada Injector, according to GoDaddy’s Sucuri. The campaign utilizes known and newly discovered theme and plugin vulnerabilities to breach WordPress sites, with attacks occurring in waves every few weeks. The campaign relies on over 100 domains and multiple methods to take advantage of known security flaws. The malware allows for the generation of fake WordPress admin users, harvests data stored in the underlying hosts, and leaves backdoors for persistent access. The campaign also searches for writable directories that belong to other sites with the same server account and file permissions. This means compromising one site can potentially grant access to several other sites.
4. Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library
The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of the sandbox’s security boundaries and execute arbitrary shellcode. The flaw, which affects all versions up to and including 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix in version 3.9.15.
“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” vm2 disclosed in an advisory. The vulnerability has been assigned the identifier CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from vm2 not properly handling errors that occur in asynchronous functions.
5. SAP Releases Security Updates For Two Critical-Severity Flaws
Enterprise software vendor SAP has released its April 2023 security updates for several of its products, which includes fixes for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform.
In total, SAP has released 24 notes, 19 of which concern new issues of varying importance, and five are updates to previous bulletins. SAP has fixed three critical issues in its latest update. The first issue, CVE-2023-27267, impacts the OSCommand Bridge of SAP Diagnostics Agent 720, allowing an attacker to execute scripts and fully compromise the system. The second issue, CVE-2023-28765, affects SAP BusinessObjects Business Intelligence Platform versions 420 and 430, enabling an attacker to access users’ passwords and take over their accounts. The third issue, CVE-2023-29186, is a directory traversal flaw affecting SAP NetWeaver versions 707, 737, 747, and 757, allowing an attacker to upload and overwrite files on the SAP server.
The remaining 11 security flaws disclosed in SAP’s latest security bulletin concern low to medium-severity vulnerabilities.
6. Microsoft April 2023 Patch Tuesday fixes 1 Zero-day, 97 Flaws
Today is Microsoft’s April 2023 Patch Tuesday, and security updates fix one actively exploited zero-day vulnerability and a total of 97 flaws.
Seven vulnerabilities have been classified as ‘Critical’ because they allow remote code execution, the most serious class of vulnerability.
The number of bugs in each vulnerability category is listed below:
- 20 Elevation of Privilege Vulnerabilities
- Security Feature Bypass Vulnerabilities
- 45 Remote Code Execution Vulnerabilities
- 10 Information Disclosure Vulnerabilities
- 9 Denial of Service Vulnerabilities
- 6 Spoofing Vulnerabilities
To learn more about the non-security updates released today, you can review articles on the new Windows 11 KB5025239 cumulative update and Windows 10 KB5025221 and KB5025229 updates.