Programmer’s Digest #40
07/06/2023-07/12/2023 Python-Based PyLoose Fileless Attack, New Linux Kernel ‘StackRot’ Privilege Escalation Vulnerability, Microsoft Releases Patches for 132 Vulnerabilities And More.
1. Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining
A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner. The attack consists of Python code that loads an XMRig miner directly into memory using memfd, a known Linux fileless technique. Wiz, the cloud security firm that documented the attack, said it found nearly 200 instances where the attack method was employed for cryptocurrency mining. No other details about the threat actor are currently known other than the fact that they possess sophisticated capabilities. In the infection chain documented by Wiz, initial access is achieved through the exploitation of a publicly accessible Jupyter Notebook service that allowed for the execution of system commands using Python modules.
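Added example (not code from the Wiz write-up or from this digest): a small Python check a defender can run on a Linux host to flag processes whose executable is backed by memfd, the technique PyLoose relies on. It reads the link target of /proc/<pid>/exe, which the kernel reports as "/memfd:<name> (deleted)" for a memfd-backed binary; the SAMPLE mapping is constructed for the offline demonstration.

```python
import os
import re

# A memfd-backed executable shows up in /proc/<pid>/exe as "/memfd:<name> (deleted)".
# The name is attacker-chosen (often empty), so match the prefix, not the name.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def classify_exe_target(target: str):
    """Return the memfd name if the exe link target is memfd-backed, else None."""
    m = MEMFD_RE.match(target)
    return m.group("name") if m else None


def find_memfd_processes(exe_targets):
    """exe_targets: mapping pid -> readlink('/proc/<pid>/exe').
    Returns a sorted list of (pid, memfd_name) for processes executing from memfd."""
    hits = []
    for pid, target in exe_targets.items():
        name = classify_exe_target(target)
        if name is not None:
            hits.append((pid, name))
    return sorted(hits)


def snapshot_proc_exe_targets(proc="/proc"):
    """Collect readlink targets of /proc/<pid>/exe for every numeric pid on the live host.
    Kernel threads, already-exited pids and unreadable entries are skipped."""
    out = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            out[int(entry)] = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            continue
    return out


# Constructed sample of exe link targets (not taken from a real host).
SAMPLE = {
    1: "/usr/lib/systemd/systemd",
    4242: "/memfd: (deleted)",       # anonymous memfd, no name
    4243: "/memfd:miner (deleted)",  # named memfd
    4300: "/usr/bin/python3.11",
}

if __name__ == "__main__":
    for pid, name in find_memfd_processes(snapshot_proc_exe_targets()):
        print(f"pid {pid} executes from memfd '{name}'")
```

Run it as root to see every process; unprivileged runs only see the caller's own processes, so a clean result from a non-root run is not conclusive.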
2. Researchers Uncover New Linux Kernel ‘StackRot’ Privilege Escalation Vulnerability
A new security flaw in the Linux kernel, called StackRot (CVE-2023-3269, CVSS score: 7.8), has been discovered. It affects Linux versions 6.1 to 6.4 but has not been exploited in the wild. The vulnerability exists in the memory management subsystem, making it widespread and requiring minimal capabilities to trigger. However, exploiting it is considered challenging due to delayed memory deallocation. The flaw was responsibly disclosed on June 15, 2023, and has been patched in stable versions 6.1.37, 6.3.11, and 6.4.1 as of July 1, 2023. A proof-of-concept (PoC) exploit and more technical details will be released soon. The vulnerability stems from the maple tree, a data structure introduced in Linux kernel 6.1 to manage virtual memory areas (VMAs). It is described as a use-after-free bug that can be exploited by a local user to gain elevated privileges.
3. Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
Microsoft has released updates addressing 132 new security flaws, including six zero-day vulnerabilities actively exploited in the wild. Among the vulnerabilities, nine are rated Critical and 122 are rated Important.
The list of issues that have come under active exploitation is as follows –
- CVE-2023-32046 (CVSS score: 7.8) – Windows MSHTML Platform Elevation of Privilege Vulnerability
- CVE-2023-32049 (CVSS score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2023-35311 (CVSS score: 8.8) – Microsoft Outlook Security Feature Bypass Vulnerability
- CVE-2023-36874 (CVSS score: 7.8) – Windows Error Reporting Service Elevation of Privilege Vulnerability
- CVE-2023-36884 (CVSS score: 8.3) – Office and Windows HTML Remote Code Execution Vulnerability (Also publicly known at the time of the release)
- ADV230001 – Malicious use of Microsoft-signed drivers for post-exploitation activity (no CVE assigned).
One flaw, CVE-2023-36884, is being actively exploited through specially-crafted Microsoft Office documents related to the Ukrainian World Congress. Microsoft has identified the intrusion campaign as the work of the Russian cybercriminal group Storm-0978, also known as RomCom. The group is deploying Underground ransomware and a backdoor similar to RomCom RAT.
4. Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures
A Windows policy loophole is being exploited by threat actors, primarily native Chinese speakers, to forge signatures on kernel-mode drivers. By altering the signing date of drivers, malicious and unverified drivers can be loaded, bypassing Windows certificate policies. Cisco Talos discovered open-source tools like HookSignTool and FuckCertVerifyTimeValidity being used to forge signatures and bypass security measures. These tools manipulate the signing timestamp and remove the need for valid certificates, enabling the deployment of thousands of malicious signed drivers without Microsoft verification. Threat actors have gained administrative privileges on compromised systems prior to using these drivers. Microsoft has taken steps to block the certificates and suspend developer program accounts involved. The use of rogue kernel-mode drivers allows threat actors to establish persistence and interfere with security software.
5. Revolut Faces $20 Million Loss as Attackers Exploit Payment System Weakness
Malicious actors exploited an unknown flaw in Revolut’s payment systems to steal more than $20 million of the company’s funds in early 2022. The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly. The fault stemmed from discrepancies between Revolut’s U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined. The problem was first detected in late 2021. But before it could be closed, the report said organized criminal groups leveraged the loophole by “encouraging individuals to try to make expensive purchases that would go on to be declined.” The refunded amounts would then be withdrawn from ATMs. The exact technical details associated with the flaw are currently unclear.
6. Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software
Progress Software has patched a critical SQL injection vulnerability (CVE-2023-36934) in its popular MOVEit Transfer software, which enables secure file transfer. The flaw could allow unauthenticated attackers to gain unauthorized access to the software’s database. This vulnerability is particularly severe because it can be exploited without valid credentials. However, there have been no reports of active exploitation yet. Progress Software also addressed two other high-severity vulnerabilities: CVE-2023-36932, a SQL injection flaw allowing unauthorized access for logged-in attackers, and CVE-2023-36933, a vulnerability that allows unexpected shutdowns of MOVEit Transfer. These vulnerabilities affect multiple versions of MOVEit Transfer, including 12.1.10 and earlier.
7. JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident
JumpCloud, a cloud-based identity and access management provider, has taken swift action in response to a cybersecurity incident affecting some of its clients. As a precautionary measure, JumpCloud has reset the API keys of affected customers to protect their data. While this reset may cause disruptions to certain functionalities, such as AD import and HRIS integrations, the company emphasizes that it is for the benefit of its clients’ security. JumpCloud is offering support to those needing assistance with resetting or re-establishing their API keys. The incident underscores the importance of API security and the need for robust protective measures. The specifics and scale of the incident, as well as the cause, are currently unknown as JumpCloud actively investigates the matter.