Programmer’s Digest #56

11/01/2023-11/08/2023 Critical Flaws Discovered in Veeam ONE IT Monitoring Software, 48 Malicious npm Packages, Atlassian and Apache Flaws And More.

1. Critical Flaws Discovered in Veeam ONE IT Monitoring Software – Patch Now

Veeam has released security updates to address four flaws in its ONE IT monitoring and analytics platform, two of which are rated critical in severity.
The list of vulnerabilities is as follows –

  • CVE-2023-38547 (CVSS score: 9.9) – An unspecified flaw that can be leveraged by an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database, resulting in remote code execution on the SQL server.
  • CVE-2023-38548 (CVSS score: 9.8) – A flaw in Veeam ONE that allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.
  • CVE-2023-38549 (CVSS score: 4.5) – A cross-site scripting (XSS) vulnerability that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.
  • CVE-2023-41723 (CVSS score: 4.3) – A vulnerability in Veeam ONE that permits a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.

Users running the affected versions are advised to stop the Veeam ONE Monitoring and Reporting services, replace the existing files with the files provided in the hotfix, and then restart the two services.

2. 48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

A new set of 48 malicious npm packages has been discovered in the npm registry with the capability to deploy a reverse shell on compromised systems. These packages, deceptively named to appear legitimate, contain obfuscated JavaScript designed to open a reverse shell when the package is installed. All the counterfeit packages were published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download. The attack chain is triggered after installation through an install hook in package.json that runs JavaScript code to establish a reverse shell to rsh.51pwn[.]com. The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the guise of simplifying internationalization incorporated malicious code designed to siphon sensitive Telegram Desktop application data and system information. The packages, named localization-utils and locute, were found to retrieve the final payload from a dynamically generated Pastebin URL and exfiltrate the information to an actor-controlled Telegram channel.
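The install hook described above is a package.json lifecycle script, which a defender can audit before or after installation. The following is an added example, not code from the digest or from npm: it flags manifests that declare install-time hooks and applies a few heuristics for obfuscated or network-fetching commands; the manifests in SAMPLE_MANIFESTS are constructed for illustration.

```javascript
// Lifecycle scripts npm runs automatically during "npm install".
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics for obfuscated or remote-fetching install hooks (signals, not proof).
const SUSPICIOUS_PATTERNS = [
  { id: "inline-node", re: /\bnode\s+-e\b/i },          // JavaScript passed inline to node
  { id: "child-process", re: /child_process/i },         // shell spawning from the hook
  { id: "eval", re: /\beval\s*\(/i },                    // dynamic code evaluation
  { id: "downloader", re: /\b(?:curl|wget)\b/i },        // remote fetch at install time
  { id: "base64-blob", re: /[A-Za-z0-9+/]{40,}={0,2}/ }, // long encoded blob
];

// Audit one parsed package.json object; returns which hooks exist and what tripped.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const hits = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.id);
    findings.push({ hook, command, hits });
  }
  return {
    name: manifest.name,
    hasInstallHook: findings.length > 0,
    risky: findings.some((f) => f.hits.length > 0),
    findings,
  };
}

// Names of packages whose install hooks tripped at least one heuristic.
function riskyPackages(manifests) {
  return manifests.map(auditManifest).filter((r) => r.risky).map((r) => r.name);
}

const SAMPLE_MANIFESTS = [
  // Constructed benign package: a native build step is a legitimate install hook.
  { name: "native-widget", scripts: { install: "node-gyp rebuild", test: "jest" } },
  // Constructed malicious-looking package: the hook feeds an encoded blob to eval.
  {
    name: "typo-squat-pkg",
    scripts: {
      postinstall:
        "node -e \"eval(Buffer.from('Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgbm90IGEgcGF5bG9hZA==','base64').toString())\"",
    },
  },
];

console.log(riskyPackages(SAMPLE_MANIFESTS)); // ["typo-squat-pkg"]
```

In practice, run this over every package.json under node_modules (or the tarballs before extraction); as a blanket mitigation, `npm install --ignore-scripts` prevents lifecycle hooks from running at all.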

3. Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws

Multiple ransomware groups have begun actively exploiting recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Both Confluence vulnerabilities (CVE-2023-22518 and CVE-2023-22515) are critical, allowing threat actors to create unauthorized Confluence administrator accounts and leading to a loss of confidentiality, integrity, and availability. Attack chains involve mass exploitation of vulnerable internet-facing Atlassian Confluence servers to fetch a malicious payload hosted on a remote server, leading to the execution of the ransomware payload on the compromised server. Meanwhile, a severe remote code execution flaw impacting Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) is being weaponized to deliver a Go-based remote access trojan called SparkRAT as well as a ransomware variant that shares similarities with TellYouThePass. The presence of active exploits for CVE-2023-46604 by various threat actors with different goals highlights the urgency of promptly addressing this vulnerability.

4. Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments

Kinsing, a threat group, is actively exploiting the recently disclosed Linux privilege escalation vulnerability Looney Tunables (CVE-2023-4911) in a new campaign aimed at breaching cloud environments. The group is expanding its cloud-native attacks by extracting Cloud Service Provider (CSP) credentials. This is the first documented exploitation of Looney Tunables, which can provide root privileges. Kinsing is known for swiftly adapting to exploit newly disclosed vulnerabilities, as it did with Openfire (CVE-2023-32315). Its attacks start with a remote code execution flaw in PHPUnit (CVE-2017-9841) to gain initial access, followed by a check for Looney Tunables using a Python-based exploit. Once inside, the group deploys a JavaScript web shell for backdoor access, allowing file management and data gathering. Its objective is to extract CSP credentials, a significant shift from its usual cryptocurrency mining activities. This marks the first instance of Kinsing pursuing such data.

5. HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Cybersecurity researchers have identified the exploitation of a critical security flaw (CVE-2023-46604) in the Apache ActiveMQ open-source message broker, allowing remote code execution. Attackers, attributed to the HelloKitty ransomware family, are attempting to deploy ransomware on victim systems. This vulnerability has a maximum CVSS score of 10.0 and has been addressed in ActiveMQ versions released last month. Vulnerable versions of Apache ActiveMQ include 5.15.16, 5.16.7, 5.17.6, or 5.18.3. Since the flaw’s disclosure, a proof-of-concept exploit and technical details have been publicly shared. Successful exploitation leads to the loading of remote binaries, resulting in ransomware actions. Thousands of internet-accessible ActiveMQ instances remain vulnerable, mainly in China, the U.S., Germany, South Korea, and India. Users are urged to update ActiveMQ and scan for compromise indicators immediately.
