
Programmer’s Digest #39

06/29/2023-07/05/2023 CVE-2023-27997 RCE Flaw, Critical SQL Injection Flaws, Unpatched WordPress Plugin Flaw And More

1. Alert: 330,000 FortiGate Firewalls Still Unpatched to CVE-2023-27997 RCE Flaw

No fewer than 330,000 FortiGate firewalls are still unpatched and vulnerable to CVE-2023-27997, a critical flaw in Fortinet devices that is under active exploitation in the wild. Bishop Fox found that of nearly 490,000 Fortinet SSL-VPN interfaces exposed to the internet, about 69 percent remain unpatched. CVE-2023-27997 (CVSS score: 9.8), also called XORtigate, is a pre-authentication heap-based buffer overflow in the SSL-VPN component of FortiOS and FortiProxy that lets a remote attacker execute arbitrary code or commands via specially crafted requests. Fortinet shipped fixes last month in FortiOS 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5, and acknowledged that the flaw may have been “exploited in a limited number of cases” against government, manufacturing and critical infrastructure targets. An exposed interface only counts as patched if it runs at or above the fixed release for its branch; many of the exposed devices have not been updated in eight years and still run FortiOS 5 and 6 builds.

2. Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution

Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. The injections were possible despite the use of an Object-Relational Mapping (ORM) library and prepared statements: query fragments assembled from strings and handed to an ORM are just as injectable as raw SQL. The two issues, both in Soko’s search feature, are tracked collectively as CVE-2023-28424 (CVSS score: 9.1) and were fixed within 24 hours of responsible disclosure on March 17, 2023. A malicious actor could have injected specially crafted input and exposed sensitive information. The disclosure comes months after SonarSource uncovered a cross-site scripting (XSS) flaw in the open-source business suite Odoo that could be exploited to impersonate any victim on a vulnerable Odoo instance and exfiltrate valuable data.

3. New Python Tool Checks NPM Packages For Manifest Confusion Issues

A security researcher and sysadmin has published a tool to detect manifest mismatches in npm JavaScript packages. “Manifest confusion” is an npm registry weakness: the manifest the registry serves for a version and the package.json inside the published tarball are separate documents, and the registry does not verify that they agree. A malicious actor can therefore declare scripts or dependencies in the tarball’s package.json while omitting them from the registry manifest that tooling and reviewers inspect, which can lead to malware or script execution during installation, and to cache poisoning, unknown dependencies and downgrade attacks. GitHub, which owns npm, has not addressed the problem yet, but users can run a Python-based tool by sysadmin Felix Pankratz. After installing its required packages and passing a package name as an argument, developers get a report of mismatches in version, dependencies, scripts and package name; multiple packages can be checked by listing them in a file and using the wrapper script, and the tool’s help command documents its usage. Manifest confusion is not widespread, but it should not be ignored given its potential for supply-chain attacks.
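The check the tool performs can be reproduced in a few dozen lines. The following is an added example written for this digest, not Felix Pankratz’s tool or npm’s code: it reads package.json out of an npm-style tarball, compares it with the registry’s per-version manifest on the fields npm acts on, and reports the differences. The registry fetch uses the public registry URL; the manifests and the tarball in the demo are constructed fixtures so the example runs offline.

```python
"""Detect npm "manifest confusion": the registry's per-version manifest
disagreeing with the package.json inside the published tarball.
Added example, not the tool described above. The fetch helper is real but
unused by demo(); REGISTRY_MANIFEST and TARBALL_MANIFEST are constructed."""
import io
import json
import tarfile
import urllib.request

REGISTRY = "https://registry.npmjs.org"

# Fields where a mismatch changes what `npm install` runs or pulls in.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def fetch_registry_manifest(name, version):
    """Return the registry's per-version manifest (network; not used by demo())."""
    with urllib.request.urlopen(f"{REGISTRY}/{name}/{version}") as resp:
        return json.load(resp)


def package_json_from_tarball(tgz_bytes):
    """Extract package/package.json from a .tgz laid out the way npm publishes it."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))


def manifest_mismatches(registry_manifest, tarball_manifest):
    """Compare the checked fields; return human-readable findings (empty = consistent)."""
    findings = []
    for field in CHECKED_FIELDS:
        reg = registry_manifest.get(field)
        tar = tarball_manifest.get(field)
        if reg == tar:
            continue
        if isinstance(reg, dict) or isinstance(tar, dict):
            reg, tar = reg or {}, tar or {}          # missing map == empty map
            for key in sorted(set(reg) | set(tar)):
                if reg.get(key) != tar.get(key):
                    findings.append(
                        f"{field}.{key}: registry={reg.get(key)!r} tarball={tar.get(key)!r}")
        else:
            findings.append(f"{field}: registry={reg!r} tarball={tar!r}")
    return findings


def build_tarball(package_json):
    """Build an in-memory npm-style tarball (constructed test fixture)."""
    buf = io.BytesIO()
    data = json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed fixtures: the registry shows a clean manifest, the tarball does not.
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.2.3",
                     "dependencies": {"lodash": "^4.17.21"}, "scripts": {}}
TARBALL_MANIFEST = {"name": "example-pkg", "version": "1.2.3",
                    "dependencies": {"lodash": "^4.17.21", "left-pad": "*"},
                    "scripts": {"postinstall": "node setup.js"}}


def demo():
    tarball_manifest = package_json_from_tarball(build_tarball(TARBALL_MANIFEST))
    return manifest_mismatches(REGISTRY_MANIFEST, tarball_manifest)


if __name__ == "__main__":
    for line in demo():
        print("MISMATCH", line)
```

Against a real package, pair fetch_registry_manifest with the tarball downloaded from the dist.tarball URL in that manifest. The postinstall script in the fixture is the case that matters: npm runs lifecycle scripts from the package.json it unpacks, so a script that is absent from the registry view still executes on install.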

4. Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts

Around 200,000 WordPress websites are under ongoing attack through a critical unpatched vulnerability in the Ultimate Member plugin. The flaw (CVE-2023-3460) affects all versions, including the latest one released on June 29, 2023. Exploiting it lets unauthenticated attackers create new user accounts with administrative privileges, giving them complete control over the targeted site. The issue stems from inadequate blocklist logic: the plugin tries to deny user-supplied metadata keys by name, and attackers are still able to set the wp_capabilities user meta value (the key in which WordPress stores roles, named after the database table prefix) and gain full access. Partial fixes have been released but are insufficient, and the vulnerability remains actively exploitable. Attackers are adding rogue administrator accounts to affected sites and uploading malicious plugins and themes. Users are advised to disable the plugin and audit their sites for unauthorized accounts until a comprehensive patch is available.

5. Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign

An active financially motivated campaign is exploiting vulnerable SSH servers to create a covert proxy network. Attackers use SSH for remote access, running malicious scripts that enlist victim servers into a peer-to-peer (P2P) proxy network. This proxyjacking technique allows threat actors to utilize the victim’s unused bandwidth for various services, providing them with reduced resource load and increased stealth compared to cryptojacking. The campaign aims to breach susceptible SSH servers, deploying an obfuscated Bash script that fetches dependencies from a compromised web server. The script terminates competing bandwidth-sharing programs and launches Docker services to profit from the victim’s bandwidth. The attackers also host a cryptocurrency miner on the web server, indicating involvement in both cryptojacking and proxyjacking attacks. The use of proxyware services adds anonymity but can be abused to obfuscate the source of attacks.

6. Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs

Hackers are exploiting a zero-day privilege escalation vulnerability in the ‘Ultimate Member’ WordPress plugin to compromise websites by registering rogue administrator accounts. The flaw, tracked as CVE-2023-3460, affects all versions of the plugin, including the latest one (v2.6.6). Attempts to fix it in previous versions have not closed the hole, and the issue remains exploitable. The attacks were discovered by Wordfence, which found that threat actors abuse the plugin’s registration forms: by setting specific user meta values during sign-up they grant themselves administrator access to the targeted site. Indicators of compromise include new administrator accounts, specific attacker usernames, access from known malicious IP addresses, and newly installed plugins and themes. Users should make sure they are on the latest release (2.6.6 at the time of writing), treat the plugin as still exploitable until a complete fix ships, and watch for further security updates.
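Both Ultimate Member items above come down to the same audit: which accounts hold the administrator capability, and did any of them appear recently? The following is an added example, not Wordfence’s or the plugin’s code. WordPress keeps roles in the {prefix}capabilities user meta value as a PHP-serialized array (a:1:{s:13:"administrator";b:1;}), so the script includes a small parser for that format and then flags administrators that are either not on an expected list or were registered after a cutoff. The user and usermeta rows are constructed; on a real site they would come from a SELECT on wp_users and wp_usermeta with the site’s actual table prefix.

```python
"""Audit WordPress user rows for unexpected or newly created administrators.
Added example, not Wordfence's or Ultimate Member's code. USERS and USERMETA
below are constructed rows standing in for wp_users / wp_usermeta."""
from datetime import datetime


def parse_php_serialized(data):
    """Parse the subset of PHP serialize() output WordPress uses for
    capabilities: arrays with string keys and bool/int/string values.
    PHP string lengths count bytes, so decode a non-ASCII meta_value as
    latin-1 before calling this."""
    pos = 0

    def parse_value():
        nonlocal pos
        tag = data[pos]
        if tag in "bi":                      # b:1;  i:10;
            end = data.index(";", pos)
            raw = data[pos + 2:end]
            pos = end + 1
            return raw == "1" if tag == "b" else int(raw)
        if tag == "s":                       # s:13:"administrator";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                # skip :"
            pos = start + length + 2         # skip the closing ";
            return data[start:start + length]
        if tag == "a":                       # a:N:{key;value;...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                  # skip :{
            result = {}
            for _ in range(count):
                key = parse_value()
                result[key] = parse_value()
            pos += 1                         # skip }
            return result
        raise ValueError(f"unsupported PHP type {tag!r} at offset {pos}")

    value = parse_value()
    if pos != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def find_unexpected_admins(users, usermeta, expected_admins, since, prefix="wp_"):
    """users: (ID, user_login, user_registered) rows; usermeta: (user_id,
    meta_key, meta_value) rows. Returns logins of administrators that are
    not in expected_admins or were registered at or after `since`."""
    caps_key = f"{prefix}capabilities"       # wp_capabilities with the default prefix
    caps_by_user = {uid: parse_php_serialized(val)
                    for uid, key, val in usermeta if key == caps_key}
    flagged = []
    for uid, login, registered in users:
        if not caps_by_user.get(uid, {}).get("administrator"):
            continue
        registered_at = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if login not in expected_admins or registered_at >= since:
            flagged.append(login)
    return flagged


# Constructed rows: one legitimate admin, one editor, one admin that appeared
# the night the attacks were reported.
USERS = [
    (1, "siteowner", "2021-03-04 10:00:00"),
    (2, "editor_jane", "2022-05-01 09:30:00"),
    (3, "backup_admin", "2023-06-30 02:14:51"),
]
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "wp_user_level", "10"),
]


def demo():
    return find_unexpected_admins(USERS, USERMETA, expected_admins={"siteowner"},
                                  since=datetime(2023, 6, 1))


if __name__ == "__main__":
    print("unexpected administrators:", demo())
```

Run the same check with the prefix your wp-config.php actually uses; a site with a custom prefix stores the role under, say, xyz_capabilities, and a query hard-wired to wp_capabilities would report no administrators at all.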


Programmer’s Digest #38

06/21/2023-06/28/2023 Critical SQL Injection Flaws, New Fortinet’s FortiNAC Vulnerability, Millions of GitHub Repositories Likely Vulnerable to RepoJacking Attack And More.

1. Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution

Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. The two issues are collectively tracked as CVE-2023-28424 (CVSS score: 9.1). Soko is a Go software module that powers packages.gentoo.org, giving users an easy way to search the Portage packages available for the Gentoo Linux distribution. The injections were exploitable and could disclose the PostgreSQL server’s version and execute arbitrary commands on the system. The disclosure comes months after SonarSource uncovered a cross-site scripting (XSS) flaw in the open-source business suite Odoo that could be exploited to impersonate any victim on a vulnerable Odoo instance and exfiltrate valuable data.

2. New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain

Cybersecurity researchers have found an ongoing campaign targeting the npm ecosystem. The attack uses pairs of packages that work together to fetch and decode additional resources, and the order of installation is crucial for it to succeed. The first package retrieves a token from a remote server and stores it locally; the second sends that token and the operating system type in an HTTP GET request to obtain a second-stage script. The response is Base64-decoded and executed only if the decoded string exceeds 100 characters. So far the endpoint has returned the string “no history available,” suggesting the attack is either a work in progress or time-specific. The threat actor remains unknown, but the chain demonstrates sophisticated supply-chain tactics. In a separate discovery, Sonatype found malicious packages on the Python Package Index targeting Windows with a Trojan downloaded from Discord’s servers, while a package called libiobe targeted both Windows and Linux, stealing information from Windows hosts and profiling Linux systems.

3. New Fortinet’s FortiNAC Vulnerability Exposes Networks to Code Execution Attacks

Fortinet has released updates to fix a critical vulnerability in its FortiNAC network access control solution. Tracked as CVE-2023-33299, the flaw allows arbitrary code execution through deserialization of untrusted Java objects. Fortinet’s advisory states that an unauthenticated user can exploit it by sending crafted requests to the service listening on TCP port 1050. Affected releases span the 7.2, 8.x, 9.1, 9.2 and 9.4 branches, with fixes in 9.4.3, 9.2.8, 9.1.10 and 7.2.2. Fortinet also addressed CVE-2023-33300, an improper access control issue in the 7.2 and 9.4 branches. Both bugs were reported by Florian Hauser of CODE WHITE. The update follows the active exploitation of a critical vulnerability in FortiOS and FortiProxy (CVE-2023-27997) and of a previously fixed severe FortiNAC bug (CVE-2022-39952).

4. U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities to its Known Exploited Vulnerabilities catalog: three patched Apple flaws (CVE-2023-32434, CVE-2023-32435 and CVE-2023-32439), two VMware vulnerabilities (CVE-2023-20867 and CVE-2023-20887), and one affecting Zyxel devices (CVE-2023-27992). CVE-2023-32434 and CVE-2023-32435 have been exploited in Operation Triangulation, a long-running cyber espionage campaign in which a malicious iMessage attachment triggers code execution without any user interaction. Kaspersky, which discovered the campaign, found that compromised devices are used to gather a wide range of information and to run further operations. Separately, CISA issued an alert for three vulnerabilities (CVE-2023-2828, CVE-2023-2829 and CVE-2023-2911) in the BIND 9 DNS software that could lead to denial-of-service conditions.

5. Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware

A new JavaScript dropper called PindOS has been identified delivering payloads such as Bumblebee and IcedID. The name, under which Deep Instinct tracks it, appears in the dropper’s “User-Agent” string. Both Bumblebee and IcedID act as loaders, serving as a vehicle for other malware, including ransomware; IcedID has recently shifted its focus solely to malware delivery, while Bumblebee replaced BazarLoader and has been associated with groups linked to TrickBot and Conti. PindOS’s source code contains Russian-language comments, pointing to possible collaboration between e-crime groups. The loader downloads malicious executables from remote servers using two URLs, the second as a fallback. Each payload is generated pseudo-randomly at fetch time, so every download has a unique sample hash, and the DLL it retrieves is launched with the legitimate Windows tool rundll32.exe. Whether the Bumblebee and IcedID operators adopt PindOS in the long term remains uncertain.

6. Alert: Millions of GitHub Repositories Likely Vulnerable to RepoJacking Attack

A new study by Aqua shows that millions of software repositories on GitHub are susceptible to an attack called RepoJacking. When a repository owner changes their username or transfers the repository to another account, GitHub creates a redirect from the old name to the new one. But anyone can register the now-free old username and recreate the repository under it, which breaks the redirect and lets the attacker serve a malicious version to everything that still references the old path, poisoning the software supply chain. Aqua’s analysis found that about 2.95% of repositories in a June 2019 sample were vulnerable to RepoJacking, suggesting that a significant number are at risk. Users are advised to regularly inspect their code for links that fetch resources from external GitHub repositories.
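The inspection Aqua recommends can be scripted: collect every GitHub owner/repo a checkout references (module paths, pip VCS requirements, curl lines in a Dockerfile, npm github: shorthands), then test each for the precondition the attack needs, a live rename redirect whose old owner name is unregistered. The following is an added example, not Aqua’s tooling. The sample files and the GitHub state used by demo() are constructed; the two github_* functions do the real lookups against api.github.com and are not run by the demo.

```python
"""Scan a checkout for GitHub references and classify each against the
RepoJacking precondition. Added example, not Aqua's tooling. SAMPLE_FILES,
EXISTING_USERS and RENAMED are constructed; github_* are live lookups."""
import json
import re
import urllib.error
import urllib.request

# Matches github.com/owner/repo, raw.githubusercontent.com/owner/repo and the
# npm "github:owner/repo" shorthand; a trailing .git is not part of the repo.
GITHUB_REF = re.compile(
    r"(?:github\.com/|raw\.githubusercontent\.com/|github:)"
    r"(?P<owner>[A-Za-z0-9][A-Za-z0-9-]{0,38})/"
    r"(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?(?=[\s/\"'#@,;)>|\]]|$)"
)


def extract_github_refs(files):
    """files: {path: text}. Returns sorted unique (path, owner, repo) triples."""
    refs = set()
    for path, text in files.items():
        for m in GITHUB_REF.finditer(text):
            refs.add((path, m["owner"], m["repo"]))
    return sorted(refs)


def classify_ref(owner, repo, user_exists, resolve_repo):
    """user_exists(owner) -> bool. resolve_repo('owner/repo') -> the canonical
    'owner/repo' GitHub now serves for it, or None if it does not exist.
    The status labels are this example's own."""
    full = f"{owner}/{repo}"
    canonical = resolve_repo(full)
    if canonical is not None and canonical.lower() != full.lower():
        # A rename redirect is live. If nobody holds the old name any more,
        # registering it and recreating the repo hijacks every such reference.
        return "repojackable" if not user_exists(owner) else "redirected"
    if not user_exists(owner):
        return "owner-unregistered"
    return "ok"


def github_user_exists(owner):
    """Live lookup (unauthenticated, hence rate-limited); not used by demo()."""
    try:
        with urllib.request.urlopen(f"https://api.github.com/users/{owner}") as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def github_resolve_repo(full):
    """Live lookup: the API follows rename redirects and reports the new full_name."""
    try:
        with urllib.request.urlopen(f"https://api.github.com/repos/{full}") as resp:
            return json.load(resp)["full_name"]
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


# Constructed checkout: four files that pull code straight from GitHub.
SAMPLE_FILES = {
    "go.mod": "module example.com/app\n\nrequire (\n"
              "\tgithub.com/old-org/gotools v1.4.0\n"
              "\tgithub.com/stable-org/lib v2.0.1\n)\n",
    "requirements.txt": "requests==2.31.0\n"
                        "git+https://github.com/someuser/pyhelper.git@v0.3\n",
    "Dockerfile": "FROM debian:12\n"
                  "RUN curl -fsSL https://github.com/old-org/gotools/releases/download/v1.4.0/gotools.tar.gz | tar xz\n"
                  "RUN curl -fsSL https://raw.githubusercontent.com/stable-org/scripts/main/install.sh | sh\n",
    "package.json": '{"dependencies": {"widget": "github:someuser/widget#v2"}}\n',
}

# Constructed GitHub state: old-org renamed itself to new-org and nobody has
# re-registered "old-org"; the other owners still exist.
EXISTING_USERS = {"new-org", "stable-org", "someuser"}
RENAMED = {"old-org/gotools": "new-org/gotools"}


def fixture_user_exists(owner):
    return owner in EXISTING_USERS


def fixture_resolve_repo(full):
    if full in RENAMED:
        return RENAMED[full]
    return full if full.split("/")[0] in EXISTING_USERS else None


def demo():
    return {f"{owner}/{repo}": classify_ref(owner, repo, fixture_user_exists,
                                            fixture_resolve_repo)
            for _, owner, repo in extract_github_refs(SAMPLE_FILES)}


if __name__ == "__main__":
    for ref, status in demo().items():
        print(f"{status:18} {ref}")
```

A "repojackable" result is the one to act on: update the reference to the canonical name (and pin a commit hash where the fetch mechanism allows it) rather than relying on the redirect. Swap fixture_user_exists and fixture_resolve_repo for the github_* functions to run it against live data.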

7. Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites

A critical security flaw has been discovered in the WordPress plugin “Abandoned Cart Lite for WooCommerce”, installed on over 30,000 websites. The vulnerability, tracked as CVE-2023-2986, lets attackers gain access to the accounts of users who have abandoned their shopping carts. It is an authentication bypass caused by insufficient encryption protections: the encryption key is hardcoded, so anyone who extracts it from the plugin can forge the link that logs a user with an abandoned cart in, and potentially reach higher-privileged accounts the same way. The plugin developer, Tyche Softwares, fixed the issue in version 5.15.0. In a separate disclosure, an authentication bypass flaw was found in the “Booking Calendar | Appointment Booking | BookIt” plugin by StylemixThemes, affecting over 10,000 WordPress installs.


Programmer’s Digest #37

06/15/2023-06/21/2023 Vulnerabilities Reported in Microsoft Azure, New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling, Critical Vulnerability in VMware’s Aria Operations Networks And More

1. Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry

Two critical security vulnerabilities were found in Microsoft Azure Bastion and Azure Container Registry that could be exploited for cross-site scripting (XSS) attacks, giving an attacker access to a victim’s session inside the compromised Azure service iframe and, through it, unauthorized data access, modifications and disruption of Azure services. The flaws stem from postMessage handlers in the services’ embedded iframes that accept messages from untrusted origins, allowing malicious JavaScript to be injected through endpoints embedded from remote servers. To exploit them, an attacker first has to find vulnerable endpoints that lack X-Frame-Options headers or carry weak Content Security Policies (CSPs), so that the page can be framed; with a crafted payload and control over what the postMessage handler receives, the attacker’s code then runs in the victim’s context. Orca Security demonstrated proof-of-concept exploits against both services, abusing the Topology View SVG exporter in Azure Bastion and the Quick Start in Azure Container Registry to execute XSS payloads.
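The framing precondition is the part of this chain that can be triaged from response headers alone. The following is an added example, not Orca’s tooling: given a page’s headers it decides whether an attacker-controlled origin could embed the page in an iframe, applying the rules browsers use (an enforced CSP frame-ancestors directive wins; otherwise X-Frame-Options DENY or SAMEORIGIN blocks; ALLOW-FROM and Report-Only policies block nothing). The header sets in SAMPLE_RESPONSES are constructed, and the origin matching is simplified (no port normalisation). Whether the postMessage handler itself validates event.origin is a separate, browser-side check this example does not perform.

```python
"""Can a page served with these headers be framed by an attacker's origin?
Added example, not Orca's code; SAMPLE_RESPONSES are constructed header sets."""
import fnmatch
from urllib.parse import urlsplit


def parse_csp(value):
    """'default-src x; frame-ancestors a b' -> {'frame-ancestors': ['a', 'b'], ...}"""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return directives


def source_allows(source, origin, page_origin):
    """Does one frame-ancestors source expression admit `origin`?
    Simplified: no port normalisation; 'self' needs page_origin."""
    src = source.lower()
    o = urlsplit(origin)
    if src == "'none'":
        return False
    if src == "'self'":
        if page_origin is None:
            return False
        p = urlsplit(page_origin)
        return (o.scheme, o.netloc.lower()) == (p.scheme, p.netloc.lower())
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:     # scheme-source such as https:
        return o.scheme == src[:-1]
    if "://" in src:                             # host-source with an explicit scheme
        scheme, _, host = src.partition("://")
        if o.scheme != scheme:
            return False
    else:
        host = src
    return fnmatch.fnmatchcase(o.netloc.lower(), host.rstrip("/"))  # *.example.com wildcards


def frameable_by(headers, attacker_origin="https://attacker.example", page_origin=None):
    """Return (frameable, reason). headers: {name: value or [values]}, any case."""
    norm = {}
    for name, value in headers.items():
        norm.setdefault(name.lower(), []).extend(value if isinstance(value, list) else [value])

    # Only enforced policies count; Content-Security-Policy-Report-Only blocks nothing.
    ancestor_lists = [p["frame-ancestors"]
                      for p in map(parse_csp, norm.get("content-security-policy", []))
                      if "frame-ancestors" in p]
    if ancestor_lists:                           # frame-ancestors present: X-Frame-Options is ignored
        for sources in ancestor_lists:           # every enforced policy must admit the ancestor
            if not any(source_allows(s, attacker_origin, page_origin) for s in sources):
                shown = " ".join(sources) or "'none'"
                return False, f"CSP frame-ancestors {shown} blocks {attacker_origin}"
        return True, "CSP frame-ancestors admits the attacker origin"

    xfo = [v.strip().upper() for v in norm.get("x-frame-options", [])]
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return False, f"X-Frame-Options {xfo[0]}"
    if xfo:                                      # ALLOW-FROM or garbage: browsers ignore it
        return True, f"X-Frame-Options {xfo[0]!r} is not honoured by current browsers"
    return True, "no frame-ancestors directive and no X-Frame-Options header"


# Constructed header sets covering the cases a triage has to get right.
SAMPLE_RESPONSES = {
    "no protection": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo allow-from (obsolete)": {"X-Frame-Options": "ALLOW-FROM https://portal.example"},
    "csp wildcard": {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
    "csp wildcard overrides xfo": {"Content-Security-Policy": "frame-ancestors *",
                                   "X-Frame-Options": "DENY"},
    "csp scheme only": {"Content-Security-Policy": "frame-ancestors https:"},
    "csp allowlist": {"Content-Security-Policy": "frame-ancestors 'self' https://*.portal.example",
                      "X-Frame-Options": "SAMEORIGIN"},
    "csp report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}


def demo():
    return {name: frameable_by(hdrs)[0] for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        frameable, reason = frameable_by(hdrs)
        print(f"{'FRAMEABLE' if frameable else 'blocked  '}  {name:28} {reason}")
```

Two of the fixtures are the ones that get misjudged in practice: "csp scheme only" (frame-ancestors https:) admits every HTTPS site on the internet, and a wildcard host such as https://*.portal.example admits any subdomain, so a dangling or takeover-able subdomain under that parent is enough to frame the page.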

2. Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits

Fraudulent GitHub accounts linked to a fake cybersecurity company are pushing malicious repositories that claim to be proof-of-concept exploits for zero-day vulnerabilities in Discord, Google Chrome and Microsoft Exchange Server. VulnCheck, which discovered the activity, found that the perpetrators built a network of fake GitHub accounts and Twitter profiles to make the repositories look legitimate, even using photos of real security researchers from reputable firms such as Rapid7. The rogue repositories were first noticed in May, when similar “exploits” for Signal and WhatsApp appeared; those have since been taken down. The Python script in each proof of concept downloads and executes a malicious binary on the victim’s operating system. Despite the effort invested in the false identities, the malware itself is easily detected. How successful the attackers have been is unclear, but their persistence suggests they believe the approach works.

3. ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC

ChamelGang, a known threat actor, has been using a new Linux backdoor called ChamelDoH, written in C++, that tunnels its command-and-control traffic over DNS-over-HTTPS (DoH). ChamelGang was first exposed by Positive Technologies in September 2021, which documented its attacks on various industries across different countries. The actor exploits vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application Platform and uses a passive backdoor called DoorMe. Stairwell discovered the Linux backdoor, which collects system information and supports remote access operations. ChamelDoH’s distinguishing feature is that it uses DoH to send DNS TXT queries to a rogue nameserver through widely used public resolvers such as Cloudflare and Google, so blocking the resolver would also break legitimate DoH traffic. Because the queries travel inside ordinary HTTPS, the channel is hard for security solutions to intercept or inspect, giving the malware an effective encrypted C2 path.

4. Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack

Progress Software has disclosed a third vulnerability in its MOVEit Transfer application while the Cl0p cybercrime group turns to extortion against the companies already hit. Tracked as CVE-2023-35708, the new flaw is an SQL injection vulnerability that can lead to escalated privileges and unauthorized access. Until a fix is ready, Progress Software advises customers to disable HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. The disclosure follows the earlier SQL injection vulnerabilities (CVE-2023-35036) that gave unauthorized access to the application’s database content. Cl0p has already exploited CVE-2023-34362 and has listed 27 hacked companies, including US federal agencies, on its darknet leak portal. Censys reports that MOVEit servers are used mainly in the financial services, healthcare, IT and government sectors in the US. According to Kaspersky, ransomware accounts for 58% of malware-as-a-service (MaaS) attacks, followed by information stealers (24%) and botnets, loaders and backdoors (18%).

5. Alert! Hackers Exploiting Critical Vulnerability in VMware’s Aria Operations Networks

VMware has warned that an already patched critical command injection vulnerability in Aria Operations for Networks is being actively exploited. The flaw, tracked as CVE-2023-20887, allows remote code execution via command injection. The 6.x versions of VMware Aria Operations for Networks are affected, and fixes were released on June 7, 2023. VMware has confirmed real-world exploitation, although details of the attacks are not public; threat intelligence firm GreyNoise observed exploitation attempts from two IP addresses in the Netherlands. The vulnerability was discovered by researcher Sina Kheirkhah, who released a proof of concept. The speed with which newly disclosed vulnerabilities are exploited remains a significant threat globally. Mandiant also reported active exploitation of a separate VMware Tools flaw (CVE-2023-20867) by a suspected Chinese actor tracked as UNC3886, resulting in backdoored Windows and Linux hosts.

6. Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway

A threat actor tracked as UNC4841 has been exploiting a recently patched zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances since October 2022. The flaw, identified as CVE-2023-2868, is a remote command injection affecting versions 5.1.3.001 through 9.2.0.006. Mandiant, which was brought in to investigate, describes UNC4841 as an aggressive and skilled espionage group. The actor sent targeted organizations emails carrying malicious TAR file attachments disguised as spam; processing the attachment on the ESG device executed a reverse shell payload and deployed three malware strains that established persistence and ran arbitrary commands. UNC4841 then used the compromised appliances for lateral movement and data exfiltration. The attacks hit private and public sector organizations across 16 countries, with government entities making up almost a third of the victims.

7. Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices

Zyxel has released security updates to address a critical vulnerability in its network-attached storage (NAS) devices. Tracked as CVE-2023-27992, the flaw is a pre-authentication command injection vulnerability that could allow remote execution of arbitrary commands on affected systems; Zyxel warns that an unauthenticated attacker can exploit it by sending a crafted HTTP request. The impacted models are the NAS326, NAS540 and NAS542, each patched in a newer firmware release. The alert follows the recent addition of two Zyxel firewall vulnerabilities to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. Given how actively Zyxel devices are being targeted, customers are strongly advised to apply the updates promptly.
