11/15/2023-11/22/2023 Malicious PyPI Packages, New Intel CPU Vulnerability, CISA Adds Three Security Flaws to KEV Catalog And More.

1.  27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts

An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain. The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads. A defining characteristic of this attack was the utilization of steganography to hide a malicious payload within an innocent-looking image file, which increased the stealthiness of the attack. A common denominator to these packages is the use of the setup.py script to include references to other malicious packages (i.e., pystob and pywool) that deploy a Visual Basic Script (VBScript) in order to download and execute a file named “Runtime.exe” to achieve persistence on the host. The continuous wave of attacks targeting the software supply chain has also prompted the U.S. government to issue new guidance this month for software developers and suppliers to maintain and provide awareness about software security.

2. Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments

Intel has released fixes to close out a high-severity flaw codenamed Reptar that impacts its desktop, mobile, and server CPUs. Tracked as CVE-2023-23583 (CVSS score: 8.8), the issue has the potential to allow escalation of privilege and/or information disclosure and/or denial of service via local access.Successful exploitation of the vulnerability could also permit a bypass of the CPU’s security boundaries. The impact of this vulnerability is demonstrated when exploited by an attacker in a multi-tenant virtualized environment, as the exploit on a guest machine causes the host machine to crash resulting in a Denial of Service to other guest machines running on the same host.

3. LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

Various threat actors, including LockBit ransomware affiliates, are actively exploiting a critical security flaw (CVE-2023-4966) in Citrix NetScaler ADC and Gateway appliances. This flaw, dubbed Citrix Bleed, enables bypassing password requirements and multifactor authentication, leading to session hijacking. The U.S. CISA, FBI, MS-ISAC, and ASD’s ACSC have issued a joint advisory. Despite Citrix addressing the vulnerability last month, it was weaponized as a zero-day since August 2023. Mandiant is tracking four UNC groups exploiting it globally. LockBit has joined in, using the flaw to execute PowerShell scripts and deploy RMM tools. This incident highlights the ongoing risk of ransomware attacks exploiting exposed service vulnerabilities. Meanwhile, a Check Point study notes that Linux-targeting ransomware, geared towards medium and large organizations, exhibits a trend of simplification in core functionalities.

4. CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three actively exploited vulnerabilities to its catalog. These include CVE-2023-36584 (MotW Security Feature Bypass in Microsoft Windows), CVE-2023-1671 (Sophos Web Appliance Command Injection), and CVE-2020-2551 (Oracle Fusion Middleware Unspecified). CVE-2023-1671 allows critical pre-auth command injection, while CVE-2020-2551 compromises WebLogic Server. Though there are no documented in-the-wild attacks for CVE-2023-1671, Palo Alto Networks reported spear-phishing by the pro-Russian APT group Storm-0978 using CVE-2023-36584. This flaw, patched in October 2023, was part of an exploit chain delivering the RomCom RAT. Federal agencies are urged to apply fixes by December 7, 2023, to safeguard against potential threats.

5. Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Kinsing threat actors are actively exploiting a critical vulnerability (CVE-2023-46604) in Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. Once infiltrated, Kinsing deploys a cryptocurrency mining script, causing damage to infrastructure and degrading system performance. Known for targeting misconfigured containerized environments, Kinsing adapts quickly to exploit newly disclosed flaws, as seen in its recent abuse of the Apache ActiveMQ vulnerability. This flaw allows remote code execution, enabling the installation of the Kinsing malware. The group, aiming for full system compromise, loads its rootkit in /etc/ld.so.preload. Organizations using affected Apache ActiveMQ versions are urged to update promptly. Simultaneously, AhnLab warns of cyber attacks targeting vulnerable Apache web servers for a cryptojacking campaign.

11/08/2023-11/15/2023 BlazeStealer Malware in Python Packages on PyPI, Intel CPU Vulnerability, Unpatched Critical Cloud Director Vulnerability And More.

1. Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments

Intel has issued fixes for a high-severity vulnerability named Reptar affecting desktop, mobile, and server CPUs. Tracked as CVE-2023-23583 with a CVSS score of 8.8, the flaw poses risks of privilege escalation, information disclosure, and denial of service through local access. Successful exploitation could breach CPU security boundaries, leading to a host machine crash in virtualized environments, affecting other guest machines. Google Cloud highlights the vulnerability’s potential for information disclosure and privilege escalation. Intel released updated microcode for affected processors in November 2023, emphasizing no current evidence of active exploits. Simultaneously, AMD addressed the CacheWarp flaw (CVE-2023-20592) in their processors, enabling unauthorized access to SEV-protected VMs.

2. Alert: Microsoft Releases Patch Updates for 5 New Zero-Day Vulnerabilities

Microsoft has addressed 63 security vulnerabilities in its November 2023 updates, with three actively exploited flaws. Among the 63, three are Critical, 56 Important, and four Moderate. Notably, five zero-days include Windows SmartScreen and DWM Core Library vulnerabilities. CVE-2023-36025 allows SmartScreen bypass through a specially crafted Internet Shortcut, while CVE-2023-36033 and CVE-2023-36036 can grant SYSTEM privileges. CISA added these to its Known Exploited Vulnerabilities catalog, advising fixes by December 5, 2023. Microsoft also patched critical remote code execution flaws (CVE-2023-36028, CVE-2023-36397), a heap-based buffer overflow in curl library (CVE-2023-38545), and an Azure CLI information disclosure bug (CVE-2023-36052). The latter could expose plaintext passwords and usernames in log files, with Microsoft addressing the issue in Azure CLI version 2.54 to enhance security against inadvertent usage.

3. Urgent: VMware Warns of Unpatched Critical Cloud Director Vulnerability

VMware is warning about a critical, unpatched security flaw (CVE-2023-34060, CVSS score: 9.8) in Cloud Director affecting instances upgraded to version 10.5. A malicious actor with network access can bypass authentication restrictions on ports 22 and 5480. Notably, this bypass is absent on port 443. VMware acknowledges the vulnerability’s impact is due to the use of an affected version of sssd from the underlying Photon OS. While a fix is pending, VMware provides a workaround via a shell script (“WA_CVE-2023-34060.sh”). The company assures implementing the temporary mitigation will not require downtime or affect Cloud Director functionality. This follows VMware’s recent patch for a critical flaw (CVE-2023-34048) in vCenter Server allowing remote code execution.

4. Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability

The threat actor Lace Tempest, associated with Cl0p ransomware, exploited a zero-day flaw (CVE-2023-47246) in SysAid IT support software in targeted attacks. SysAid has patched the path traversal vulnerability in version 23.3.36. Lace Tempest executed commands through SysAid to deliver a Gracewire malware loader, enabling human-operated activities such as lateral movement, data theft, and ransomware deployment. The attacker uploaded a WAR archive containing a web shell to the SysAid Tomcat web service, providing backdoor access. A PowerShell script executed a loader for Gracewire, and another script erased evidence post-exploitation. The attack involved MeshCentral Agent and PowerShell to download and run Cobalt Strike. Organizations using SysAid are urged to promptly apply patches and scan for signs of exploitation.

5. CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw in the Service Location Protocol (SLP) to its Known Exploited Vulnerabilities catalog (CVE-2023-29552, CVSS score: 7.5). The vulnerability, disclosed by Bitsight and Curesec, is a denial-of-service (DoS) issue enabling significant amplification attacks through spoofed UDP traffic. SLP facilitates system discovery and communication on local area networks (LANs). Though specific details of exploitation are unknown, it poses a risk for DoS attacks with a substantial amplification factor. CISA mandates federal agencies to implement mitigations, including disabling SLP on systems in untrusted networks, by November 29, 2023, to safeguard against potential threats.

6. Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI

Malicious Python packages on the Python Package Index (PyPI) are targeting developers to steal sensitive information. Disguised as obfuscation tools, the packages contain BlazeStealer malware. The eight packages, including Pyobftoexe and Pyobfadvance, were active since January 2023 and downloaded 2,438 times globally before removal. BlazeStealer, run as a Discord bot, grants attackers control over victims’ systems, harvesting data, executing commands, encrypting files, and even causing system shutdown. The malware was distributed via setup.py and init.py files, retrieving a Python script from transfer[.]sh. The majority of downloads originated from the U.S., emphasizing the need for developer vigilance in verifying packages before use. This incident follows Phylum’s discovery of crypto-themed npm modules delivering next-stage malware.

11/01/2023-11/08/2023 Critical Flaws Discovered in Veeam ONE IT Monitoring Software, 48 Malicious npm Packages, Atlassian and Apache Flaws And More.

1. Critical Flaws Discovered in Veeam ONE IT Monitoring Software – Patch Now

Veeam has released security updates to address four flaws in its ONE IT monitoring and analytics platform, two of which are rated critical in severity.
The list of vulnerabilities is as follows –

• CVE-2023-38547 (CVSS score: 9.9) – An unspecified flaw that can be leveraged by an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database, resulting in remote code execution on the SQL server.
• CVE-2023-38548 (CVSS score: 9.8) – A flaw in Veeam ONE that allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.
• CVE-2023-38549 (CVSS score: 4.5) – A cross-site scripting (XSS) vulnerability that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.
• CVE-2023-41723 (CVSS score: 4.3) – A vulnerability in Veeam ONE that permits a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.
  Users running the affected versions are recommended to stop the Veeam ONE Monitoring and Reporting services, replace the existing files with the files provided in the hotfix, and restart the two services.

2. 48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install. All the counterfeit packages have been published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download. The attack chain is triggered post the installation of the package via an install hook in the package.json that calls a JavaScript code to establish a reverse shell to rsh.51pwn[.]com. The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the garb of simplifying internationalization incorporated malicious code designed to siphon sensitive Telegram Desktop application data and system information. The packages, named localization-utils and locute, were found to retrieve the final payload from a dynamically generated Pastebin URL and exfiltrate the information to an actor-controlled Telegram channel.

3. Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws

Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Both vulnerabilities (CVE-2023-22518 and CVE-2023-22515) are critical, allowing threat actors to create unauthorized Confluence administrator accounts and lead to a loss of confidentiality, integrity, and availability. Attack chains involve mass exploitation of vulnerable internet-facing Atlassian Confluence servers to fetch a malicious payload hosted on a remote server, leading to the execution of the ransomware payload on the compromised server. Meanwhile, a severe remote code execution flaw impacting Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) is being weaponized to deliver a Go-based remote access trojan called SparkRAT as well as a ransomware variant that shares similarities with TellYouThePass. The presence of active exploits for CVE-2023-46604 by various threat actors with different goals highlights the urgency of promptly addressing this vulnerability.

4. Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments

Kinsing, a threat group, is actively exploiting the recently disclosed Linux privilege escalation vulnerability, Looney Tunables (CVE-2023-4911), in a new campaign aimed at breaching cloud environments. They’re expanding their cloud-native attacks by extracting Cloud Service Provider (CSP) credentials. This is the first documented exploitation of Looney Tunables, which can provide root privileges. Kinsing is known for swiftly adapting to exploit newly disclosed vulnerabilities, like they did with Openfire (CVE-2023-32315). They start their attacks with a remote code execution flaw in PHPUnit (CVE-2017-9841) to gain initial access and then search for Looney Tunables using a Python-based exploit. Once inside, they deploy a JavaScript web shell to gain backdoor access, allowing for file management and data gathering. Their objective is to extract CSP credentials, a significant shift from their usual cryptocurrency mining activities. This marks the first instance of Kinsing pursuing such data.

5. HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Cybersecurity researchers have identified the exploitation of a critical security flaw (CVE-2023-46604) in the Apache ActiveMQ open-source message broker, allowing remote code execution. Attackers, attributed to the HelloKitty ransomware family, are attempting to deploy ransomware on victim systems. This vulnerability has a maximum CVSS score of 10.0 and has been addressed in ActiveMQ versions released last month. Vulnerable versions of Apache ActiveMQ include 5.15.16, 5.16.7, 5.17.6, or 5.18.3. Since the flaw’s disclosure, a proof-of-concept exploit and technical details have been publicly shared. Successful exploitation leads to the loading of remote binaries, resulting in ransomware actions. Thousands of internet-accessible ActiveMQ instances remain vulnerable, mainly in China, the U.S., Germany, South Korea, and India. Users are urged to update ActiveMQ and scan for compromise indicators immediately.