Programmer’s Digest #58

11/15/2023-11/22/2023: Malicious PyPI Packages, New Intel CPU Vulnerability, CISA Adds Three Security Flaws to KEV Catalog, and More.

1. 27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts

An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain. The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads. A defining characteristic of this attack was the utilization of steganography to hide a malicious payload within an innocent-looking image file, which increased the stealthiness of the attack. A common denominator to these packages is the use of the setup.py script to include references to other malicious packages (i.e., pystob and pywool) that deploy a Visual Basic Script (VBScript) in order to download and execute a file named “Runtime.exe” to achieve persistence on the host. The continuous wave of attacks targeting the software supply chain has also prompted the U.S. government to issue new guidance this month for software developers and suppliers to maintain and provide awareness about software security.
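The setup.py dependency trick described above is something a defender can check for before a build runs. The script below is an added example, not code from the digest or from any of the packages it describes: it reads a requirements.txt and statically extracts install_requires from a setup.py, then flags names that are close to, but not the same as, well-known packages. POPULAR is a constructed stand-in for a list of top PyPI projects, KNOWN_BAD holds the two dependency names the digest reports, and the sample setup.py and requirements.txt are constructed inputs.

```python
"""Audit Python dependency declarations for typosquat-style package names.

Added example, not from the digest or from any package it describes.
POPULAR is a constructed sample; seed it from PyPI download statistics
in a real deployment.
"""
import ast
import difflib
import re

# Constructed sample of well-known names; a real deployment would use the top-N PyPI projects.
POPULAR = {"requests", "numpy", "pandas", "urllib3", "setuptools",
           "pillow", "colorama", "pyyaml", "cryptography", "boto3"}
# Names the digest reports as dependency references used by the malicious packages.
KNOWN_BAD = {"pystob", "pywool"}

NAME_RE = re.compile(r"\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name):
    """PEP 503 normalization so 'Requests_Foo' and 'requests-foo' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec):
    """Return the bare project name from a spec such as 'requets>=2.31; python_version>"3"'."""
    m = NAME_RE.match(spec)
    return m.group(1) if m else None


def parse_requirements_txt(text):
    """Collect project names, skipping comments and option lines (-r, -e, --index-url)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        name = requirement_name(line)
        if name:
            names.append(name)
    return names


def parse_setup_py(source):
    """Pull install_requires out of the setup() call with ast, so the script never executes."""
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        called = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if called != "setup":
            continue
        for kw in node.keywords:
            if kw.arg == "install_requires":
                try:
                    specs = ast.literal_eval(kw.value)
                except (ValueError, TypeError):
                    return []  # list is built at runtime; route to manual review instead
                if not isinstance(specs, (list, tuple)):
                    return []
                return [n for n in (requirement_name(s) for s in specs if isinstance(s, str)) if n]
    return []


def audit(names, cutoff=0.85):
    """Map each suspicious name to (reason, close popular names)."""
    findings = {}
    popular = sorted(POPULAR)
    for raw in names:
        norm = normalize(raw)
        if norm in KNOWN_BAD:
            findings[raw] = ("known-bad", [])
        elif norm not in POPULAR:
            close = difflib.get_close_matches(norm, popular, n=3, cutoff=cutoff)
            if close:
                findings[raw] = ("typosquat?", close)
    return findings


# Constructed inputs so the example runs offline.
SAMPLE_SETUP_PY = '''
from setuptools import setup
setup(
    name="totally-legit-tool",
    version="0.1",
    install_requires=["requets>=2.31", "numpy", "pywool", "colorsama"],
)
'''
SAMPLE_REQUIREMENTS = """
# pinned dependencies (constructed sample)
-r base.txt
pandas==2.1.0
urlib3>=1.26  # one letter short
Pillow
"""

if __name__ == "__main__":
    for label, names in (("setup.py", parse_setup_py(SAMPLE_SETUP_PY)),
                         ("requirements.txt", parse_requirements_txt(SAMPLE_REQUIREMENTS))):
        for name, (reason, close) in audit(names).items():
            print(f"{label}: {name}: {reason} {close}")
```

The similarity cutoff of 0.85 catches single-character drops and insertions against short names; lower it and the false-positive rate against a large popular list climbs quickly, so treat the output as a review queue rather than a block list.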

2. Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments

Intel has released fixes to close out a high-severity flaw codenamed Reptar that impacts its desktop, mobile, and server CPUs. Tracked as CVE-2023-23583 (CVSS score: 8.8), the issue has the potential to allow escalation of privilege and/or information disclosure and/or denial of service via local access. Successful exploitation of the vulnerability could also permit a bypass of the CPU’s security boundaries. The impact is most visible in a multi-tenant virtualized environment: an exploit run inside one guest machine crashes the host, causing a denial of service for every other guest running on that host.

3. LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

Various threat actors, including LockBit ransomware affiliates, are actively exploiting a critical security flaw (CVE-2023-4966) in Citrix NetScaler ADC and Gateway appliances. This flaw, dubbed Citrix Bleed, enables bypassing password requirements and multifactor authentication, leading to session hijacking. The U.S. CISA, FBI, MS-ISAC, and ASD’s ACSC have issued a joint advisory. Although Citrix addressed the vulnerability last month, it had been weaponized as a zero-day since August 2023. Mandiant is tracking four UNC groups exploiting it globally. LockBit has joined in, using the flaw to execute PowerShell scripts and deploy RMM tools. This incident highlights the ongoing risk of ransomware attacks exploiting vulnerabilities in exposed services. Meanwhile, a Check Point study notes that Linux-targeting ransomware, geared towards medium and large organizations, shows a trend toward simplification of its core functionality.

4. CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three actively exploited vulnerabilities to its catalog. These include CVE-2023-36584 (MotW Security Feature Bypass in Microsoft Windows), CVE-2023-1671 (Sophos Web Appliance Command Injection), and CVE-2020-2551 (Oracle Fusion Middleware Unspecified). CVE-2023-1671 allows critical pre-auth command injection, while CVE-2020-2551 compromises WebLogic Server. Though there are no documented in-the-wild attacks for CVE-2023-1671, Palo Alto Networks reported spear-phishing by the pro-Russian APT group Storm-0978 using CVE-2023-36584. This flaw, patched in October 2023, was part of an exploit chain delivering the RomCom RAT. Federal agencies are urged to apply fixes by December 7, 2023, to safeguard against potential threats.

5. Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Kinsing threat actors are actively exploiting a critical vulnerability (CVE-2023-46604) in Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. Once infiltrated, Kinsing deploys a cryptocurrency mining script, causing damage to infrastructure and degrading system performance. Known for targeting misconfigured containerized environments, Kinsing adapts quickly to exploit newly disclosed flaws, as seen in its recent abuse of the Apache ActiveMQ vulnerability. This flaw allows remote code execution, enabling the installation of the Kinsing malware. The group, aiming for full system compromise, loads its rootkit in /etc/ld.so.preload. Organizations using affected Apache ActiveMQ versions are urged to update promptly. Simultaneously, AhnLab warns of cyber attacks targeting vulnerable Apache web servers for a cryptojacking campaign.
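Because /etc/ld.so.preload is the persistence location named above, a review of its contents belongs in any Linux host baseline check. The script below is an added example, not from the digest or from any analysis of Kinsing: it parses the file the way the dynamic loader does (paths separated by whitespace or ':', '#' starting a comment) and lists, for each entry, the reasons it deserves a closer look. The UNUSUAL_PREFIXES list is a constructed heuristic, and the sample entries and the fake stat results are constructed so the code runs offline without touching the real file.

```python
"""Review the entries of /etc/ld.so.preload, the persistence location the digest mentions.

Added example, not from the digest or from any rootkit analysis. On most
hosts the file is absent or empty, so every entry is worth a reason list.
The stat callable is a parameter so the logic runs against constructed data.
"""
import os
import re
import stat
from types import SimpleNamespace

# Constructed heuristic: a library injected into every process rarely lives under these.
UNUSUAL_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_preload(text):
    """glibc reads the file as paths separated by whitespace or ':'; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        entries.extend(p for p in re.split(r"[\s:]+", line.split("#", 1)[0]) if p)
    return entries


def assess_entry(path, stat_fn=os.stat):
    """Return the reasons an entry deserves review; an empty list means nothing stood out."""
    reasons = []
    if not path.startswith("/"):
        reasons.append("relative path")
    if path.startswith(UNUSUAL_PREFIXES):
        reasons.append("unusual directory")
    if any(part.startswith(".") for part in path.split("/")):
        reasons.append("hidden path component")
    try:
        st = stat_fn(path)
    except OSError:
        # ld.so warns and ignores a missing object; a dangling entry still points at past tampering.
        reasons.append("target missing")
        return reasons
    if st.st_uid != 0:
        reasons.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable by non-owner")
    return reasons


def review_preload(text, stat_fn=os.stat):
    """Map every entry in the file text to its list of review reasons."""
    return {p: assess_entry(p, stat_fn) for p in parse_preload(text)}


def listing_mismatch(path):
    """True when stat() sees the file but its parent directory listing does not (a readdir-hook symptom)."""
    parent, name = os.path.split(path)
    try:
        return os.path.exists(path) and name not in os.listdir(parent or "/")
    except OSError:
        return False


# Constructed sample filesystem state (no paths from any real incident) for offline runs.
FAKE_FS = {
    "/usr/lib/libexample.so": SimpleNamespace(st_uid=0, st_mode=0o100644),
    "/tmp/.cache/libsys.so": SimpleNamespace(st_uid=1000, st_mode=0o100666),
}


def fake_stat(path):
    """Stand-in for os.stat over FAKE_FS; raises like os.stat does for an absent path."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


# Constructed file contents: one benign-looking entry, one in /tmp, one relative and missing.
SAMPLE_PRELOAD = """/usr/lib/libexample.so
/tmp/.cache/libsys.so:libmissing.so  # constructed
"""

if __name__ == "__main__":
    try:
        with open("/etc/ld.so.preload") as fh:
            contents = fh.read()
    except OSError:
        contents = ""
    findings = review_preload(contents)
    if not findings:
        print("/etc/ld.so.preload absent or empty")
    for entry, reasons in findings.items():
        hidden = " (not visible in directory listing)" if listing_mismatch(entry) else ""
        print(f"{entry}: {', '.join(reasons) or 'nothing unusual'}{hidden}")
```

An entry with an empty reason list is not a clean bill of health; any preload entry changes the behaviour of every dynamically linked program on the host, so compare the file against a known-good image or configuration management state rather than against heuristics alone.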
