Programmer’s Digest #62
12/13/2023-12/20/2023 Oracle WebLogic Server Vulnerability, Security Vulnerabilities in pfSense Firewall Software, 116 Malware Packages Found on PyPI Repository And More.
1. 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware
The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that an authenticated attacker can exploit to take over susceptible servers. The vulnerability lets a remote authenticated attacker execute code via a gadget chain, so in practice it is chained with CVE-2020-14882 (an authentication bypass vulnerability that also affects Oracle WebLogic Server) or with leaked, stolen, or weak credentials. The 8220 Gang has a history of leveraging known security flaws to distribute cryptojacking malware: earlier this year, in May, the group was spotted using another WebLogic vulnerability (CVE-2017-3506, CVSS score: 7.4) to rope servers into a crypto-mining botnet.
2. New Security Vulnerabilities Uncovered in pfSense Firewall Software – Patch Now
Multiple security vulnerabilities have been discovered in Netgate's open-source pfSense firewall software that could be chained by an attacker to execute arbitrary commands on susceptible appliances. The issues comprise two reflected cross-site scripting (XSS) bugs and one command injection flaw. An attacker could use them to spy on traffic or attack services inside the local network. A brief description of the flaws follows:
- CVE-2023-42325 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the status_logs_filter_dynamic.php page.
- CVE-2023-42327 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
- CVE-2023-42326 (CVSS score: 8.8) – A command injection flaw (missing input validation) that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.
Reflected XSS attacks occur when an attacker delivers a malicious script to a vulnerable web application, which returns it in the HTTP response so that it executes in the victim's browser. Attacks of this kind are therefore delivered through crafted links embedded in phishing messages or on a third-party website, for example in a comment section or in links shared on social media. In the case of pfSense, the injected script runs in the victim's authenticated session, so the threat actor can perform actions in the firewall with the victim's permissions.
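To make the reflected-XSS mechanism concrete, here is an added Python example (not pfSense code and not Netgate's actual patch) that mimics a page reflecting a `filter` query parameter into its response. The hostname and the parameter name are assumptions; the page name status_logs_filter_dynamic.php is taken from the CVE-2023-42325 description above. The vulnerable render echoes the parameter verbatim; the hardened render applies HTML output encoding, the standard fix for this bug class.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed page template standing in for a log-filter page that echoes
# a query parameter back into the response body (a reflected XSS sink).
PAGE = "<html><body><h1>Filtered logs</h1><p>Filter: {filter}</p></body></html>"


def _filter_param(url: str) -> str:
    """Pull the (assumed) 'filter' query parameter out of a request URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("filter", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter verbatim: attacker-controlled text becomes markup."""
    return PAGE.format(filter=_filter_param(url))


def render_hardened(url: str) -> str:
    """Same page with HTML output encoding applied to the reflected value."""
    return PAGE.format(filter=html.escape(_filter_param(url), quote=True))


def craft_phishing_url(base: str, payload: str) -> str:
    """Build the link an attacker would send to a victim (payload URL-encoded)."""
    return base + "?" + urlencode({"filter": payload})


def contains_script(body: str) -> bool:
    """Crude check used here to show whether a <script> tag made it into the page."""
    return "<script>" in body.lower()


if __name__ == "__main__":
    # Hostname is an assumption; the page name comes from the CVE-2023-42325 description.
    base = "https://pfsense.example/status_logs_filter_dynamic.php"
    link = craft_phishing_url(base, "<script>alert(document.cookie)</script>")
    print(link)
    print("vulnerable page reflects script:", contains_script(render_vulnerable(link)))  # True
    print("hardened page reflects script:  ", contains_script(render_hardened(link)))    # False
```

Running the script prints the crafted link with the payload percent-encoded (`%3Cscript%3E...`), then True for the vulnerable page and False for the hardened one. The payload still arrives in the request in the hardened case; it simply cannot become markup, because `<` is emitted as `&lt;`. Because the script executes in the victim's own session, a real payload would issue requests to the firewall with the victim's cookies rather than just pop an alert.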
3. 116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems
Cybersecurity researchers uncovered 116 malicious packages on the Python Package Index (PyPI) that aim to infect Windows and Linux systems with a custom backdoor. ESET researchers identified the packages and estimate over 10,000 downloads since May 2023. The attackers employ several techniques, including embedding malicious code in a test.py file and placing obfuscated code in `__init__.py` and setup.py. The end goal is to compromise hosts with malware, in particular a backdoor capable of remote command execution, data exfiltration, and taking screenshots. The backdoor is implemented in Python for Windows and in Go for Linux. Alternatively, the attack chains may deploy W4SP Stealer or a clipper that monitors clipboard activity and swaps in attacker-controlled wallet addresses. This incident joins a series of malicious Python packages used for supply chain attacks, such as the libraries distributing Sordeal Stealer in May 2023 and BlazeStealer last month. The researchers advise Python developers to thoroughly vet downloaded code for these techniques. The discovery follows npm packages that targeted a financial institution as part of an advanced adversary simulation exercise; the module names remain undisclosed for security reasons.
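As an added example (not ESET's tooling, and not tied to any of the undisclosed packages), the Python script below performs the kind of vetting the researchers recommend: it parses each file of a package with the standard `ast` module and flags the patterns described above, namely dynamic code execution, base64/zlib decoding feeding it, process spawning, long high-entropy string literals (a tell for obfuscated blobs), and a setup() call that registers a cmdclass, which is how code gets run at install time. The sample package, its file names under demo/, and the payload blob are constructed for the demonstration; the entropy threshold is a heuristic, not a rule from the report.

```python
import ast
import base64
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, int, str]  # (path, line number, reason)

# Calls that warrant a look when they show up in setup.py, __init__.py or test.py.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "base64.b64decode", "zlib.decompress", "marshal.loads",
    "os.system", "subprocess.run", "subprocess.Popen", "subprocess.call",
}

# Constructed stand-in for a downloaded stage; no real malware is embedded.
_PAYLOAD = b'print("constructed stand-in for a second-stage backdoor")'

# Constructed sample package laid out the way the report describes:
# an install hook in setup.py, an obfuscated blob in __init__.py, and a
# test.py that spawns a process. Paths and names are hypothetical.
SAMPLE_PACKAGE: Dict[str, str] = {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n"
        "        __import__('demo')\n"
        "setup(name='demo', version='0.1', cmdclass={'install': PostInstall})\n"
    ),
    "demo/__init__.py": (
        "import base64\n"
        f"_blob = '{base64.b64encode(_PAYLOAD).decode()}'\n"
        "exec(base64.b64decode(_blob))\n"
    ),
    "demo/test.py": "import subprocess\nsubprocess.run(['whoami'])\n",
}


def shannon_entropy(s: str) -> float:
    """Bits per character; base64/hex blobs score well above ordinary prose."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _call_name(node: ast.Call) -> Optional[str]:
    """Return 'name' or 'module.attr' for the called object, else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def scan_source(path: str, src: str) -> List[Finding]:
    """Flag suspicious constructs in one Python source file."""
    findings: List[Finding] = []
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return [(path, 0, "source does not parse")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((path, node.lineno, f"call to {name}"))
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append((path, node.lineno, "setup() registers cmdclass"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            # Heuristic: long, high-entropy literals are usually encoded payloads.
            if len(s) >= 40 and shannon_entropy(s) > 4.0:
                findings.append((path, node.lineno, f"high-entropy string literal ({len(s)} chars)"))
    return findings


def scan_package(files: Dict[str, str]) -> List[Finding]:
    """Scan every .py file of a package given as {path: source}."""
    findings: List[Finding] = []
    for path in sorted(files):
        if path.endswith(".py"):
            findings.extend(scan_source(path, files[path]))
    return findings


if __name__ == "__main__":
    for path, line, reason in scan_package(SAMPLE_PACKAGE):
        print(f"{path}:{line}: {reason}")
```

Run against an unpacked sdist or wheel (read each file into the dict), this reports the exec-of-decoded-blob in `__init__.py`, the cmdclass install hook and `__import__` in setup.py, and the process spawn in test.py, each with a line number. The checks are deliberately syntactic so they survive renaming; they will not see code that is assembled at runtime from string fragments, which is exactly why a high-entropy-literal heuristic sits alongside the call list.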
4. Microsoft Discovers Critical RCE Flaw In Perforce Helix Core Server
Microsoft has uncovered four vulnerabilities, one of them critical, in the widely used Perforce Helix Core Server, a source code management platform prevalent in the gaming, government, military, and technology sectors. Discovered during a security review by Microsoft analysts, the flaws expose servers to denial of service (DoS) and to arbitrary remote code execution as LocalSystem by unauthenticated attackers. No exploitation in the wild has been observed, but users are urged to upgrade to version 2023.1/2513900, released on November 7, 2023. The most severe flaw, CVE-2023-45849, allows unauthenticated attackers to execute code as LocalSystem, potentially giving them full control of the system; the other three are denial-of-service issues. Microsoft recommends regular updates, access restrictions, TLS, logging, crash alerts, and network segmentation to reduce exposure. For details, consult the official security guide.
5. Google Using Clang Sanitizers to Protect Android Against Cellular Baseband Vulnerabilities
Google is emphasizing the role of Clang sanitizers, specifically IntSan and BoundSan, in securing the cellular baseband used by Android against vulnerabilities. Both are part of UndefinedBehaviorSanitizer (UBSan), which instruments code to detect undefined behavior at run time: IntSan catches integer overflows and BoundSan catches out-of-bounds array accesses. Although they incur a performance overhead, Google enabled them in the most exposed areas, covering functions that parse over-the-air messages, libraries that handle complex formats, and the network stacks for 2G through 5G. Sanitizers do not address every vulnerability class, however, which is why Google sees a transition to memory-safe languages such as Rust as necessary; in October 2023 it rewrote the Android Virtualization Framework's firmware in Rust to give it a memory-safe foundation. As the high-level OS becomes more resilient, Google expects attackers to pay increasing attention to lower-level components like the baseband, which makes modern toolchains and exploit mitigation technologies all the more important.