Programmer’s Digest #60
11/29/2023-12/06/2023 Repositories on GitHub Vulnerable, UEFI Vulnerabilities, Cloud Pentest 101 And More.
1. 15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack
Recent research identified over 15,000 vulnerable Go module repositories on GitHub at risk of “repojacking.” Jacob Baines, CTO at VulnCheck, highlighted 9,000 repositories vulnerable due to username changes and 6,000 due to account deletion. These repositories encompass at least 800,000 Go module versions. Unlike npm or PyPI, Go modules on GitHub or Bitbucket lack centralized control, making them prone to abuse.
GitHub employs protective measures, such as repository namespace retirement, but VulnCheck notes that this is ineffective for Go modules: because modules are cached, the protection can be bypassed.
Go developers should be aware of the modules they use and of the state of the repositories those modules originate from.
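As an added illustration of the audit step recommended above (editor's example, not VulnCheck's or GitHub's tooling), the Go program below extracts require entries from a go.mod and groups dependencies hosted under user-controlled GitHub/Bitbucket namespaces by owning account, so each account can be checked once for a rename or deletion. The minimal parser and the helper names are assumptions of this example.

```go
package main

import "strings"

// Dep is one require entry from a go.mod file.
type Dep struct{ Path, Version string }

// ParseRequires extracts require entries from go.mod text (single-line and block
// forms). Minimal on purpose; real tooling should use golang.org/x/mod/modfile.
func ParseRequires(gomod string) []Dep {
	var deps []Dep
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop comments such as "// indirect"
		line = strings.TrimSpace(line)
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			deps = append(deps, Dep{f[1], f[2]})
		case inBlock && len(f) >= 2:
			deps = append(deps, Dep{f[0], f[1]})
		}
	}
	return deps
}

// Namespace returns host and owning account for paths on hosts whose namespaces
// are user-controlled (GitHub, Bitbucket); ok is false for vanity and other hosts.
func Namespace(path string) (host, owner string, ok bool) {
	p := strings.Split(path, "/")
	if len(p) >= 3 && (p[0] == "github.com" || p[0] == "bitbucket.org") {
		return p[0], p[1], true
	}
	return "", "", false
}

// OwnersToReview groups exposed dependencies by "host/owner" for a repojacking review.
func OwnersToReview(gomod string) map[string][]string {
	out := map[string][]string{}
	for _, d := range ParseRequires(gomod) {
		if host, owner, ok := Namespace(d.Path); ok {
			out[host+"/"+owner] = append(out[host+"/"+owner], d.Path+"@"+d.Version)
		}
	}
	return out
}
```

Each listed account is then checked out-of-band for a rename or deletion; versions already pinned in go.sum keep their recorded hashes, so the review concerns future upgrades.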
2. CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks
A CACTUS ransomware campaign is leveraging recently disclosed vulnerabilities in the Qlik Sense cloud analytics platform for initial access, marking the first documented instance of such an attack. Arctic Wolf researchers have noted exploitation of three disclosed flaws in the past three months:
- CVE-2023-41265 (CVSS score: 9.9): An HTTP Request Tunneling vulnerability enabling remote privilege escalation.
- CVE-2023-41266 (CVSS score: 6.5): A path traversal flaw allowing unauthorized transmission of HTTP requests.
- CVE-2023-48365 (CVSS score: 9.9): An unauthenticated remote code execution vulnerability stemming from improper validation of HTTP headers.
Arctic Wolf observed attackers exploiting these vulnerabilities to abuse the Qlik Sense Scheduler service, downloading tools for persistence and remote control, including ManageEngine UEMS and AnyDesk. The campaign concludes with CACTUS ransomware deployment and data exfiltration using rclone.
3. LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks
The Unified Extensible Firmware Interface (UEFI) code from multiple independent firmware vendors is susceptible to high-impact vulnerabilities collectively known as LogoFAIL, as identified by Binarly. By exploiting flaws in the image-parsing libraries embedded in the firmware, threat actors can deliver a malicious payload that bypasses security technologies such as Secure Boot and Intel Boot Guard. The vulnerabilities, affecting both x86 and ARM devices, allow attackers to inject a malicious logo image into the EFI system partition so that it is parsed during the boot phase, delivering persistent malware. Unlike previous exploits, LogoFAIL doesn’t compromise runtime integrity, but it still poses a significant risk, impacting major firmware vendors and numerous devices from Intel, Acer, Lenovo, and others.
4. Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under “limited, targeted exploitation” back in October 2023.
The vulnerabilities are as follows –
- CVE-2023-33063 (CVSS score: 7.8) – Memory corruption in DSP Services during a remote call from HLOS to DSP.
- CVE-2023-33106 (CVSS score: 8.4) – Memory corruption in Graphics while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.
- CVE-2023-33107 (CVSS score: 8.4) – Memory corruption in Graphics Linux while assigning shared virtual memory region during IOCTL call.
Google’s Threat Analysis Group and Google Project Zero revealed back in October 2023 that the three flaws, along with CVE-2022-22071 (CVSS score: 8.4), have been exploited in the wild as part of limited, targeted attacks. It’s currently not known how these shortcomings have been weaponized, or who is behind the attacks.
5. DJVU Ransomware’s Latest Variant ‘Xaro’ Disguised as Cracked Software
A new variant of the DJVU ransomware, dubbed Xaro by cybersecurity firm Cybereason, is spreading through cracked software. Unlike previous DJVU attacks, Xaro appends the .xaro extension to files and demands a ransom for decryption. It is distributed as an archive file from dubious sources posing as legitimate freeware sites. Upon opening, it executes a fake installer for CutePDF, which is actually a pay-per-install malware downloader called PrivateLoader. PrivateLoader contacts a command-and-control server and downloads various malware families such as RedLine Stealer and Vidar, in addition to dropping Xaro. This approach aims to ensure the attack succeeds even if security software blocks some of the payloads. Xaro encrypts files, deploys the Vidar infostealer, and demands a $980 ransom, reduced to $490 if paid within 72 hours. The incident highlights the risks of downloading from untrusted sources and the need for caution when defending against covertly deployed malware.