Programmer’s Digest #47

08/29/2023-09/06/2023 Hackers Exploit MinIO Storage System Vulnerabilities, GitLab Outage vs. Continuous Code Development, Threat Actors Targeting Microsoft SQL Servers And More.

1. New Python Variant of Chaes Malware Targets Banking and Logistics Industries

The banking and logistics sectors face a renewed malware threat known as Chaes, which has undergone significant updates. Originally written in Python to evade detection, Chaes now features enhanced communication protocols. Lucifer, the group behind Chaes, breached over 800 WordPress websites in early 2022. The latest variant, Chae$ 4, exhibits substantial improvements, including broader service targeting for credential theft. Despite these changes, the malware’s delivery method remains consistent: victims visiting compromised websites are prompted to download software, which initiates the ChaesCore module responsible for connecting to a command-and-control server. Chaes maintains persistence through scheduled tasks and communicates via WebSockets. The malware’s emphasis on cryptocurrency theft underscores its financial motivation, using tactics like Module Packer to modify browser shortcuts. It leverages Google’s DevTools Protocol for extensive control over web browsers.

2. Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers

An unknown threat actor has targeted the MinIO high-performance object storage system, exploiting critical vulnerabilities (CVE-2023-28432 and CVE-2023-28434) to gain unauthorized access and execute code on affected servers. The attacker used a publicly available exploit chain to backdoor the MinIO instance. These vulnerabilities, with CVSS scores of 7.5 and 8.8, can expose sensitive data and enable remote code execution on the compromised system. The attacker leveraged the flaws to obtain admin credentials, replace the MinIO client with a trojanized version, and create a deceptive update. This trojanized binary establishes a backdoor, receiving and executing commands via HTTP requests. A downloader script, compatible with both Windows and Linux, profiles compromised hosts to determine subsequent actions, reflecting the attacker’s advanced capabilities. 

3. PoC Exploit Released for Critical VMware Aria’s SSH Auth Bypass Vulnerability

Proof-of-concept (PoC) exploit code has emerged for a recently patched critical vulnerability (CVE-2023-34039) in VMware Aria Operations for Networks. This flaw, rated 9.8 in severity, allows an attacker to bypass SSH authentication. It stems from a lack of unique cryptographic key generation, with hardcoded keys present in versions 6.0 to 6.10.

Additionally, VMware addressed CVE-2023-20890, an arbitrary file write vulnerability, which could grant administrative access to write files in arbitrary locations, enabling remote code execution. This PoC release coincides with VMware fixing a high-severity SAML token signature bypass flaw (CVE-2023-20900), impacting Windows and Linux versions of VMware Tools. It allows attackers with man-in-the-middle network access to bypass SAML token signature verification for VMware Tools Guest Operations.

Simultaneously, Fortinet FortiGuard Labs warned of ongoing exploitation of Adobe ColdFusion vulnerabilities by threat actors to deploy cryptocurrency miners and hybrid bots like Satan DDoS and RudeMiner, capable of cryptojacking and DDoS attacks. Users are urged to apply updates promptly for security.

4. GitLab Outage vs. Continuous Code Development

GitLab as a hosting service has proven to be a very solid option, but it is not without flaws. It is widely recommended to use third-party backup software. Please keep in mind that your source code, projects, intellectual property, hours of labor, and thousands of dollars are on the line. Every company’s disaster recovery and business continuity strategy should include a backup strategy suited to its needs. One of the biggest GitLab outages occurred in 2017 and lasted for six hours. It happened because of human error – the unintentional deletion of data from major database servers. Unfortunately, GitLab erased some production data and was unable to retrieve it in the end. Database and data modifications, including projects, comments, user accounts, issues, and snippets, were lost.

To prepare for gaps in continuous code development, the company needs to come up with a sufficient backup strategy. First, you must specify the two most crucial parameters: Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO is the maximum amount of data a business can afford to lose when recovering from a disaster, failure, or equivalent event; any loss beyond it is unacceptable. RTO is the amount of time, and the service level, within which a business process must be restored after a disaster to avoid the unacceptable consequences of a loss of continuity.

GitProtect for GitLab provides a comprehensive set of data recovery tools. It’s adaptable, with point-in-time recovery to any location – whether a local device or a remote repository is preferred.

5. Five Open-Source Projects to Secure Access to Your Applications

If you are like most devs, then securing your applications is one of those things that you do not want to (and should not) handle yourself.

  • Authentication. Authentication is your app’s first line of defense. The process focuses on securing access to your application by verifying that the user is who they claim to be prior to logging them in.
  • Keycloak is a Java-based open-source application authentication project. It provides SSO, user management, and user federation capabilities.
  • Dex is a Go-based open-source service that uses OpenID Connect to authenticate users for other applications. It is a CNCF sandbox project that works with any application that supports OIDC. It adds an array of protocols for querying the authentication platforms and identity providers it is connected to.
  • Open Policy Agent (OPA) provides a general-purpose decision engine for enforcing authorization logic, along with a domain-specific language for writing that logic as authorization policies (Rego). These policies are stored and versioned in their own repos and treated like any other code.
  • OpenFGA is a CNCF sandbox project that provides a relationship-based access control (ReBAC) system. In ReBAC systems, permissions are based on relationships between subjects (users/groups) and application resources. They are also graph-based systems, built for scale and speed.

6. Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges

Okta, an identity services provider, has issued a warning about a recent surge in social engineering attacks targeting IT service desk personnel. The attackers aim to convince service desk staff to reset all multi-factor authentication (MFA) factors for highly privileged users. Once successful, they exploit Okta Super Administrator accounts to impersonate individuals within the compromised organization. These attacks occurred between July 29 and August 19, 2023.

The threat actor responsible remains unidentified, but the tactics resemble those associated with Muddled Libra, which shares some similarities with Scattered Spider and Scatter Swine. The attacks center around a commercial phishing kit called 0ktapus, which enables the creation of fake authentication portals to harvest credentials and MFA codes.

To counter these threats, Okta recommends implementing phishing-resistant authentication, enhancing help desk identity verification procedures, enabling end-user notifications for new devices and suspicious activities, and reviewing and limiting Super Administrator role usage.

7. Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Threat actors are exploiting vulnerable Microsoft SQL (MS SQL) servers to distribute Cobalt Strike and the ransomware strain FreeWorld in a campaign named DB#JAMMER. The attackers use enumeration, RAT payloads, exploitation tools, credential stealers, and ransomware payloads, primarily FreeWorld. They gain initial access through MS SQL server brute-forcing, proceed to enumerate the database, and leverage xp_cmdshell for further reconnaissance. The attackers then establish persistence, disable the system firewall, and transfer malicious tools, including Cobalt Strike, using remote SMB shares. The campaign also involves lateral movement and attempts at RDP persistence through Ngrok. Strong passwords for publicly exposed services are crucial to prevent such attacks.
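The DB#JAMMER chain described above leaves two footprints a defender can look for in the SQL Server ERRORLOG: a burst of failed logins from one client (the brute-forcing), optionally followed by a success from the same client, and the configuration change that enables xp_cmdshell. The following is an added example, not code from the original digest or from the campaign report; the log lines are constructed in the ERRORLOG style (assumed format, documentation-range IPs) and the thresholds are arbitrary.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG style (not a real capture).
SAMPLE_LOG = """\
2023-09-01 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:03.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:04.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:05.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 10:00:40.00 Logon       Login failed for user 'backup_svc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-09-01 10:02:11.00 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# ERRORLOG line: "<timestamp>.<fraction> <source> <message>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ (\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def analyze(log: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Return a list of (severity, message) findings for the given ERRORLOG text.

    A client that produces `threshold` failed logins inside `window` is reported
    once (medium); a later successful login from that client, and any enabling
    of xp_cmdshell, are reported as high.
    """
    findings = []
    recent = defaultdict(deque)   # client IP -> timestamps of recent failures
    bursting = set()              # clients already reported as brute-forcing
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        if fm := FAIL_RE.search(msg):
            user, client = fm.groups()
            q = recent[client]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and client not in bursting:
                bursting.add(client)
                findings.append(("medium", f"{len(q)} failed logins from {client} "
                                           f"within {window.seconds}s (last user '{user}')"))
        elif sm := OK_RE.search(msg):
            user, client = sm.groups()
            if client in bursting:
                findings.append(("high", f"login for '{user}' from {client} "
                                         f"succeeded after a failure burst"))
        elif XP_RE.search(msg):
            findings.append(("high", "xp_cmdshell was enabled"))
    return findings


if __name__ == "__main__":
    for severity, text in analyze(SAMPLE_LOG):
        print(f"[{severity}] {text}")
```

Successful logins only appear in the ERRORLOG when login auditing is set to record them, so the "succeeded after a failure burst" rule depends on that server setting.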

8. North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Three more malicious Python packages have been discovered on the PyPI repository as part of the VMConnect supply chain attack, which is believed to involve North Korean state-sponsored threat actors. These packages, named tablediter, request-plus, and requestspro, mimic popular Python tools and download an unknown second-stage malware.

The packages are designed to appear trustworthy, using typosquatting to impersonate legitimate packages like prettytable and requests. Tablediter contacts a remote server to retrieve and execute a Base64-encoded payload. It now waits until the compromised application imports the package and calls its functions, so as to avoid detection.

Request-plus and requestspro collect information from infected machines and transmit it to a command-and-control (C2) server. The server responds with a token, which the infected host sends back to a different URL on the same C2 server to receive a double-encoded Python module and a download URL. This token-based approach mirrors a previous npm campaign associated with North Korean actors, suggesting a common tactic for delivering second-stage malware.
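The three package names above illustrate two typosquatting patterns: a legitimate name with a short affix (request-plus, requestspro against requests) and a name that only shares a long fragment with the real one (tablediter against prettytable). The following is an added example, not code from the original digest or from any of the cited vendors; it scans a constructed requirements.txt against a small assumed allow-list of well-known names, and the heuristics and their cut-offs are the author's own choices.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list; a real check would use a larger list such as the
# most-downloaded PyPI projects.
POPULAR = {"requests", "prettytable", "urllib3", "numpy", "flask"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the classic DP in O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicion(candidate: str, legit: str):
    """Return (reason, score) if candidate looks like a typosquat of legit, else None."""
    c, l = normalize(candidate), normalize(legit)
    if c == l:
        return None                       # it is the legitimate package itself
    d = levenshtein(c, l)
    if d <= 2:
        return ("edit-distance", d)       # "requets", "reqeusts", "requests2"
    # Legit name (or its singular stem) embedded with only a short affix:
    # "requestspro", "request-plus". A long suffix ("requests-oauthlib") is
    # treated as a plausible real extension and not flagged here.
    stem = l[:-1] if l.endswith("s") else l
    if l in c or stem in c:
        extra = len(c) - len(stem)
        return ("affix", extra) if extra <= 5 else None
    # Long fragment shared with the real name: "tablediter" vs "prettytable".
    # This is the loosest rule and will produce some false positives.
    m = SequenceMatcher(None, c, l).find_longest_match(0, len(c), 0, len(l))
    if m.size >= 5 and m.size >= len(l) // 2:
        return ("shared-substring", m.size)
    return None


def scan_requirements(text: str):
    """Parse a requirements.txt body; return (name, legit, reason) for suspicious names."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or -r/-e option
            continue
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        for legit in sorted(POPULAR):
            hit = suspicion(name, legit)
            if hit:
                findings.append((name, legit, hit[0]))
                break
    return findings
```
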


Programmer’s Digest #46

08/23/2023-08/30/2023 Malicious Rust Libraries, Barracuda Email Gateways Vulnerable, Malicious npm Packages Target Roblox And More.

1. Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel

Malicious packages were found on Rust’s crate registry, uploaded from August 14 to 16, 2023, by user “amaperf,” according to Phylum. The removed packages included postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. These modules aimed to collect OS info and send it to a Telegram channel, implying early-stage infiltration. The attacker likely sought to compromise developer machines for future rogue updates. Developers are prime targets due to access to keys, infrastructure, and IP. This echoes past supply chain attacks on crates.io, like CrateDepression in 2022. Phylum also revealed an npm package, emails-helper, exfiltrating data and deploying attack tools via HTTP and DNS. Vigilance during software activities is crucial.

2. Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches

The FBI warns that despite patches, Barracuda Networks Email Security Gateway (ESG) appliances remain vulnerable to Chinese hacking groups, calling fixes “ineffective.” The CVE-2023-2868 flaw, present from October 2022, allows unauthorized admin-level command execution in ESG 5.1.3.001 to 9.2.0.006. The China-linked UNC4841 activity cluster uses this breach to deploy multiple malware types like SALTWATER, SEASIDE, and more, enabling data exfiltration and persistence. The FBI advises replacing compromised ESG devices and scanning for suspicious traffic. Barracuda recommends replacement for impacted customers, offering no-cost replacements to affected ESG devices. Devices showing notifications indicate compromise, but only a subset of ESG appliances were impacted.

3. WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders

The WinRAR flaw, CVE-2023-38831, exploited since April 2023, lets attackers trick users into running malicious scripts disguised as image or text files within archives. Group-IB discovered attacks in July via manipulated ZIP/RAR files on trading forums like Forex Station. Malware such as DarkMe, GuLoader, and Remcos RAT is distributed, targeting traders. Up to 130 devices have been compromised, allowing cybercriminals to access broker accounts. The exploit creates a deceptive archive with an image and script that triggers further stages, evading suspicion. The attacks have spanned various locations, targeting no specific industry or country. DarkMe is linked to EvilNum, tied to DarkCasino’s 2022 phishing campaign. GuLoader delivers Remcos RAT from a remote server using this technique.

4. Thousands of Unpatched Openfire XMPP Servers Still Exposed to High-Severity Flaw

Thousands of Openfire XMPP servers remain vulnerable to CVE-2023-32315, which allows unauthenticated attackers to access privileged pages. Tracked as CVE-2023-32315 (CVSS score: 7.5), the issue is a path traversal vulnerability in Openfire’s administrative console that could permit an unauthenticated attacker to access otherwise restricted pages reserved for privileged users. It affects all versions of the software released since April 2015, starting with version 3.10.0. It was remediated by its developer, Ignite Realtime, earlier this May with the release of versions 4.6.8, 4.7.5, and 4.8.0. While public exploits create admin users to upload code, VulnCheck’s method is quieter, extracting the JSESSIONID and CSRF token from ‘plugin-admin.jsp’ to upload a JAR plugin. This approach avoids audit logs, leaving few traces. Active exploitation has been observed, including by the Kinsing crypto botnet. It’s advised to update Openfire servers to versions 4.6.8, 4.7.5, or 4.8.0 to counter this threat.

5. Attacks on Citrix NetScaler Systems Linked to Ransomware Actor

Linked to FIN8, a threat actor targets unpatched Citrix NetScaler systems via CVE-2023-3519, executing domain-wide attacks. Monitored by Sophos since August, the actor injects payloads, employs BlueVPS malware, deploys obfuscated PowerShell scripts, and places PHP webshells on victims’ devices. Similarities to a previous attack led analysts to connect the two, identifying the threat actor as ransomware-focused.

Citrix suffered from the actively exploited CVE-2023-3519 code injection flaw in its NetScaler ADC and Gateway products. Despite a July 18th patch release, evidence showed cybercriminals selling exploits since July 6th. Thousands of compromised Citrix servers with injected payloads were discovered. A threat actor known as ‘STAC4663’ was tracked exploiting the flaw, possibly linked to FIN8 and the BlackCat/ALPHV ransomware campaign. The recent payload, injected into “wuauclt.exe” or “wmiprvse.exe,” hints at ransomware. Over 31,000 vulnerable Citrix instances remained even after a month of patch availability.


Programmer’s Digest #45

08/16/2023-08/23/2023 Critical Adobe ColdFusion Flaw, Malicious npm Packages, Critical Zero-Day Flaw Being Actively Exploited And More.

1. Over a Dozen Malicious npm Packages Target Roblox Game Developers

More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber. The malicious packages [...] reproduce code from the legitimate noblox.js package but add malicious, information-stealing functions. 

The packages were cumulatively downloaded 963 times before they were taken down. The names of the rogue packages are as follows:

  • noblox.js-vps (versions 4.14.0 to 4.23.0)
  • noblox.js-ssh (versions 4.2.3 to 4.2.5)
  • noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)

This is not the first time Luna Token Grabber has been spotted in the wild. Earlier this June, Trellix disclosed details of a new Go-based information stealer called Skuld that overlaps with the malware strain.

2. Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software

Software services provider Ivanti has issued a warning about a critical zero-day vulnerability affecting Ivanti Sentry (formerly MobileIron Sentry), currently being exploited in the wild. Tracked as CVE-2023-38035, the flaw allows unauthenticated access to sensitive APIs, enabling unauthorized users to change configurations, execute system commands, and write files onto the system. Although the vulnerability has a high CVSS score of 9.8, the risk of exploitation is low for clients not exposing port 8443 to the internet. Mnemonic, a Norwegian cybersecurity firm, discovered and reported the flaw, which can be weaponized in conjunction with other recently disclosed vulnerabilities if port 8443 is inaccessible. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog.

3. Critical Adobe ColdFusion Flaw Added to CISA’s Exploited Vulnerability Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier) that could result in arbitrary code execution in the context of the current user without requiring any interaction. Deserialization refers to the process of reconstructing a data structure or an object from a byte stream. But when it’s performed without validating its source or sanitizing its contents, it can lead to unexpected consequences such as code execution or denial-of-service (DoS). It was patched by Adobe as part of updates issued in March 2023. As of writing, it’s not immediately clear how the flaw is being abused in the wild.

4. New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC

A significant security flaw in WinRAR has been revealed, allowing potential remote code execution on Windows systems. Tracked as CVE-2023-40477 with a CVSS score of 7.8, the vulnerability arises from improper validation when processing recovery volumes. This could lead to memory access beyond allocated buffers, permitting an attacker to execute code within the current process. Exploiting the flaw necessitates user interaction, luring them to a malicious page or an infected archive file. Discovered by security researcher “goodbyeselene” on June 8, 2023, the issue was resolved in WinRAR 6.23, released on August 2, 2023. Users should update to the latest version to mitigate potential risks.

5. New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities

A new financially-driven operation named LABRAT has exploited a patched critical vulnerability in GitLab for cryptojacking and proxyjacking. This campaign employs stealthy cross-platform malware, kernel-based rootkits, and legitimate services like TryCloudflare to obfuscate its presence. The attackers also use compiled binaries in Go and .NET to remain hidden while providing backdoor access to compromised systems, potentially leading to further attacks, data theft, and ransomware. The attack chain exploits CVE-2021-22205 for remote code execution, followed by retrieving a dropper shell script from a C2 server. The attackers utilize TryCloudflare and a Solr server for covert communication and privilege escalation. Payloads include utilities for remote access and cryptojacking, all aimed at financial gain. GitLab has patched the vulnerability, urging affected users to follow security protocols.

6. CISA Adds Citrix ShareFile Flaw to KEV Catalog Due to In-the-Wild Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active in-the-wild exploitation. Tracked as CVE-2023-24489 (CVSS score: 9.8), the shortcoming has been described as an improper access control bug that, if successfully exploited, could allow an unauthenticated attacker to compromise vulnerable instances remotely. The problem is rooted in ShareFile’s handling of cryptographic operations, enabling adversaries to upload arbitrary files, resulting in remote code execution. This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24. The incident reportedly affected less than 3% of the install base (2,800 customers), and no data theft was observed.
