
Programmer’s Digest #31

05/04/2023-05/10/2023 Critical PaperCut Vulnerability, MSI Data Breach, New Linux Kernel NetFilter Flaw And More

1. Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability

Iranian nation-state groups have been exploiting a critical vulnerability in PaperCut print management software, according to Microsoft’s threat intelligence team. Both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) have been observed exploiting CVE-2023-27350 to gain initial access. While the former is said to be using tools from previous intrusions to connect to their C2 infrastructure, the latter has been able to quickly incorporate proof-of-concept exploits into their operations. Both groups are known state-sponsored actors, with Mango Sandstorm linked to Iran’s Ministry of Intelligence and Security and Mint Sandstorm associated with the Islamic Revolutionary Guard Corps. This comes after cybercrime gang Lace Tempest was found to have abused the same vulnerability to distribute ransomware. PaperCut released a patch for the flaw on March 8, 2023, and Trend Micro’s Zero Day Initiative is expected to release more technical information about it on May 10, 2023.

2. MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web

MSI's private code signing keys have been leaked on a dark website. The leaked data includes firmware image signing keys for 57 PCs and private signing keys for Intel Boot Guard used in 116 MSI products. The impact of the leaked keys extends beyond MSI to device vendors such as Intel, Lenovo, and Supermicro. Intel Boot Guard is a hardware-based security technology that safeguards against the execution of tampered UEFI firmware. The leak undermines firmware integrity checks, enabling threat actors to sign and deploy malicious updates and payloads undetected. This incident follows a double extortion ransomware attack on MSI by the Money Message gang, but MSI reported a gradual return to normal operations with no major financial impact. Users were advised to obtain firmware/BIOS updates exclusively from the official website and to beware of fraudulent emails claiming collaboration with MSI. Notably, this is not the first time UEFI firmware code has been exposed, as a similar incident occurred with the Alder Lake BIOS source code in October 2022.

3. New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks

Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw. The issue, assigned the identifier CVE-2023-30777, is a reflected cross-site scripting (XSS) vulnerability that could be abused to inject arbitrary executable scripts into otherwise benign websites. The plugin, which is available in both a free and a pro version, has over two million active installations. The vulnerability allows an unauthenticated attacker to do anything from stealing sensitive information to, in this case, escalating privileges on the WordPress site by tricking a privileged user into visiting the crafted URL path. Reflected XSS attacks usually occur when victims are tricked into clicking a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user’s browser. This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, which is why threat actors try to distribute the malicious link to as many victims as possible. It’s worth noting that CVE-2023-30777 can be triggered on a default installation or configuration of Advanced Custom Fields, although it can also be triggered by logged-in users who have access to the plugin.

4. Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised

PHP software package repository Packagist revealed that an “attacker” gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. The attacker forked each of the packages and replaced the package description in composer.json with their own message, but did not otherwise make any malicious changes. The package URLs were then changed to point to the forked repositories. The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The attack chain, in a nutshell, made it possible to repoint the Packagist page for each of these packages to a namesake GitHub repository, effectively altering the installation workflow used within Composer environments. Successful exploitation meant that developers downloading the packages would get the forked version instead of the actual contents. Packagist said that no additional malicious changes were distributed, and that all the accounts were disabled and their packages restored on May 2, 2023. It’s also urging users to enable two-factor authentication (2FA) to secure their accounts.
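As an added example (not Packagist's or Composer's own code), the following check catches the pattern described above on the consumer side: it reads a composer.lock and flags any package whose source repository differs from an expected owner/repo allowlist. The allowlist, the lock excerpt and the commit references are constructed for this example.

```python
"""Flag composer.lock packages whose source URL is not the expected upstream.
Added example, not Packagist's or Composer's own code: a repointed package
shows up in the lock file as a source URL naming a fork, not the upstream repo."""
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist (an assumption for this example): package name -> the
# GitHub owner/repo allowed as its source. Build it from the vendor's documented
# repositories, never from the lock file being checked.
EXPECTED_SOURCE = {
    "doctrine/instantiator": "doctrine/instantiator",
    "doctrine/lexer": "doctrine/lexer",
}

# Constructed composer.lock excerpt: the second entry points at a namesake fork
# under another owner. Commit references are placeholders.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "doctrine/instantiator", "version": "1.5.0",
         "source": {"type": "git", "reference": "placeholder-ref-1",
                    "url": "https://github.com/doctrine/instantiator.git"}},
        {"name": "doctrine/lexer", "version": "2.1.0",
         "source": {"type": "git", "reference": "placeholder-ref-2",
                    "url": "git@github.com:not-doctrine/lexer.git"}},
    ],
})

# SSH form git@github.com:owner/repo.git; HTTPS URLs go through urlparse below.
_SSH_FORM = re.compile(r"^(?:[\w.-]+@)?github\.com:(?P<path>[^/]+/[^/]+?)(?:\.git)?$")

def github_owner_repo(url: str) -> Optional[str]:
    """Return 'owner/repo' for an HTTPS or SSH GitHub URL, None for anything else."""
    m = _SSH_FORM.match(url)
    if m:
        return m.group("path")
    parsed = urlparse(url)
    if parsed.netloc.lower() != "github.com":
        return None
    path = parsed.path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    parts = path.split("/")
    return "/".join(parts[:2]) if len(parts) >= 2 else None

def find_repointed_packages(lock_json: str, expected: dict) -> list:
    """One finding per locked package whose source is not the expected repository."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name not in expected:
            continue  # no expectation recorded: extend the allowlist instead
        url = pkg.get("source", {}).get("url", "")
        actual = github_owner_repo(url)
        if actual is None or actual.lower() != expected[name].lower():
            findings.append({"package": name, "expected": expected[name],
                             "actual": actual, "url": url})
    return findings

if __name__ == "__main__":
    for f in find_repointed_packages(SAMPLE_LOCK, EXPECTED_SOURCE):
        print(f"{f['package']}: source is {f['url']} (expected {f['expected']})")
```

The same comparison can be applied to each entry's dist URL, which is what Composer downloads from by default.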

5. Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service

Microsoft Azure API Management service has been found to have three security vulnerabilities, as disclosed by Israeli cloud security firm Ermetic. The vulnerabilities include two server-side request forgery (SSRF) flaws and one unrestricted file upload functionality in the API Management developer portal. Exploiting the SSRF vulnerabilities would allow attackers to send requests from the service’s CORS Proxy and hosting proxy, gaining access to internal Azure assets, bypassing web application firewalls, and potentially causing denial of service. The file upload vulnerability enables attackers to upload malicious files to Azure’s internal workload. Azure API Management is a platform that allows organizations to securely expose their APIs. Microsoft has patched all three vulnerabilities following responsible disclosure. 

6. GitHub Now Auto-Blocks Token and API Key Leaks For All Repos

GitHub is now automatically blocking the leak of sensitive information such as API keys and access tokens for all public code repositories. The feature proactively prevents leaks by scanning for secrets before ‘git push’ operations are accepted, and it works with 69 token types (API keys, private keys, secret keys, authentication tokens, access tokens, management certificates, credentials, and more) that can be detected with a low false-positive rate. Since its beta release, developers who enabled it have averted around 17,000 accidental exposures of sensitive information, saving more than 95,000 hours that would otherwise have been spent revoking, rotating, and remediating compromised secrets, according to GitHub. Today, push protection is generally available for private repositories with a GitHub Advanced Security (GHAS) license.
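As an added example (not GitHub's code), the following script shows the pre-push idea in miniature: it scans only the added lines of a unified diff for a few documented token shapes and exits non-zero when one is found, so it can sit in a pre-push hook. The patterns, the sample diff and the credential-shaped values in it are constructed for the example.

```python
"""Pre-push secret scan over a unified diff: added example modelled on the
push-protection idea above, not GitHub's own scanner. Only '+' lines are
examined, because only added content reaches the remote."""
import re
import sys

# Token shapes follow publicly documented formats; this small set is an
# assumption for the example, not GitHub's 69 patterns.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
_HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff; the credential values are made up and assembled
# here so the file itself does not contain a token-shaped literal.
_FAKE_PAT = "ghp_" + "0123456789" * 3 + "abcdef"        # 36 chars after ghp_
_FAKE_AKID = "AKIA" + "EXAMPLEKEY123456"                # 16 chars after AKIA
SAMPLE_DIFF = f"""diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@ DEBUG = False
 DATABASE_URL = "postgres://localhost/app"
+# TODO: remove before pushing
+GITHUB_TOKEN = "{_FAKE_PAT}"
+AWS_ACCESS_KEY_ID = "{_FAKE_AKID}"
 LOG_LEVEL = "info"
"""

def redact(secret: str) -> str:
    """Keep enough of the match to recognise it without reprinting the secret."""
    return secret[:6] + "*" * max(0, len(secret) - 8) + secret[-2:]

def scan_diff(diff_text: str) -> list:
    """Return findings (file, new-file line number, pattern name, redacted match)."""
    findings, current_file, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        hunk = _HUNK.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if raw.startswith("-") or raw.startswith("\\"):
            continue  # removed lines and "\ No newline" markers never land remotely
        if raw.startswith("+"):
            for kind, pattern in SECRET_PATTERNS.items():
                for hit in pattern.finditer(raw[1:]):
                    findings.append({"file": current_file, "line": new_line,
                                     "kind": kind, "match": redact(hit.group(0))})
        new_line += 1  # '+' and ' ' context lines both advance the new-file counter
    return findings

if __name__ == "__main__":
    # Wire into .git/hooks/pre-push as:  git diff <remote>..<local> | python secret_scan.py
    hits = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for h in hits:
        print(f"{h['file']}:{h['line']}: {h['kind']} ({h['match']})")
    sys.exit(1 if hits else 0)
```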

7. New Linux Kernel NetFilter Flaw Gives Attackers Root Privileges

A new Linux Netfilter kernel flaw has been discovered that allows unprivileged local users to escalate their privileges to root, giving them complete control over the system. The identifier CVE-2023-32233 has been reserved for the vulnerability, but a severity level is yet to be determined. The problem stems from Netfilter nf_tables accepting invalid updates to its configuration, which allows specific scenarios in which invalid batch requests corrupt the subsystem’s internal state. Netfilter is a packet filtering and network address translation (NAT) framework built into the Linux kernel that is managed through front-end utilities such as iptables and UFW. Corrupting the subsystem’s internal state leads to a use-after-free condition that can be exploited to perform arbitrary reads and writes in kernel memory. A Linux kernel source code commit by engineer Pablo Neira Ayuso addresses the problem by introducing two functions that manage the lifecycle of anonymous sets in the Netfilter nf_tables subsystem. By properly handling the activation and deactivation of anonymous sets and preventing further updates to them, the fix prevents the memory corruption and closes the use-after-free that attackers could exploit to escalate their privileges to root.


Programmer’s Digest #30

04/26/2023-05/03/2023 New BGP Flaws, Apache Superset Vulnerability, Zyxel Firewall Devices Vulnerable And More

1. CISA Issues Advisory on Critical RCE Affecting ME RTU Remote Terminal Units

The US Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) advisory about a critical flaw affecting ME RTU remote terminal units. The security vulnerability, tracked as CVE-2023-2131, has received the highest severity rating of 10.0 on the CVSS scoring system owing to its low attack complexity. Successful exploitation of this vulnerability could allow remote code execution. CISA has also urged entities to adopt guidance issued by NIST to identify, assess, and mitigate supply chain risks, and to enroll in the agency’s free Vulnerability Scanning service to pinpoint vulnerable and high-risk devices.

2. Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software

Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. It’s currently used by several vendors such as NVIDIA Cumulus, DENT, and SONiC, posing supply chain risks. BGP is a gateway protocol designed to exchange routing and reachability information between autonomous systems. It’s used to find the most efficient routes for delivering internet traffic. The three flaws (CVE-2022-40302, CVE-2022-40318, and CVE-2022-43681), each with a CVSS score of 6.5, involve out-of-bounds reads when processing malformed BGP OPEN messages. These flaws could result in a DoS attack, rendering the peer unresponsive by dropping all BGP sessions and routing tables.

3. Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

Three high-severity security vulnerabilities have been added to the KEV catalog: CVE-2023-1389, CVE-2021-45046, and CVE-2023-21839. CVE-2023-1389 concerns a command injection flaw affecting TP-Link Archer AX-21 routers, being exploited by the Mirai botnet since April 11, 2023. CVE-2021-45046 is a remote code execution flaw affecting Apache Log4j2 logging library, with evidence of exploitation attempts over the past 30 days. CVE-2023-21839 is an unspecified vulnerability in Oracle WebLogic Server that allows unauthorized access to sensitive data via T3 and IIOP. All three vulnerabilities have a high CVSS score and pose significant security risks. It is essential to apply patches and security updates promptly to avoid potential security breaches.

4. Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Zyxel has released patches for a critical security flaw in its firewall devices, tracked as CVE-2023-28771, which could lead to remote code execution. The vulnerability, rated 9.8 on the CVSS scoring system, was reported by researchers from TRAPA Security. The flaw was caused by “improper error message handling” in some firewall versions, enabling unauthenticated attackers to remotely execute OS commands by sending forged packets to an impacted device. Zyxel has addressed a high-severity post-authentication command injection flaw affecting specific firewall versions, which allowed authenticated attackers to remotely execute some OS commands. The firm also fixed five high-severity vulnerabilities and one medium-severity bug impacting numerous firewalls and access point devices, which could result in code execution and a denial-of-service condition.

5. RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts

The RTM Locker ransomware group has developed a new strain capable of infecting Linux machines, marking their first foray into open source operating systems. According to a report by Uptycs, the malware is inspired by the Babuk ransomware’s leaked source code and encrypts files using a combination of asymmetric and symmetric encryption. RTM Locker was first identified by Trellix, which described its developers as a private ransomware-as-a-service (RaaS) provider that avoids high-profile targets to draw as little attention as possible. The Linux version targets ESXi hosts by terminating all virtual machines running on a compromised host before starting the encryption process. The initial infector used to deliver the ransomware is unknown, and the encryption function uses pthreads to speed up execution. After successful encryption, victims must contact the support team within 48 hours via Tox or risk having their data published.

6. Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

Apache Superset has released fixes for a vulnerability that could lead to remote code execution. Versions up to and including 2.0.1 are impacted by the vulnerability, which relates to the use of a default SECRET_KEY that can be used by attackers to access unauthorized resources on internet-exposed installations. The issue allows an attacker to gain remote code execution, steal credentials, and compromise data. Horizon3.ai’s chief architect, Naveen Sunkavally, warns of “a dangerous default configuration in Apache Superset.” Superset instances that have changed the default value for the SECRET_KEY configuration to a more cryptographically secure random string are not affected by the flaw. The vulnerability is tracked as CVE-2023-27524 and has a CVSS score of 8.9.


Programmer’s Digest #29

04/20/2023-04/27/2023 Critical Patches for Workstation and Fusion Software, SLP Vulnerability, Exploit Released For PaperCut Flaw And More

1. VMware Releases Critical Patches for Workstation and Fusion Software

VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution. The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. VMware has also patched two additional shortcomings, which include a local privilege escalation flaw (CVE-2023-20871, CVSS score: 7.3) in Fusion and an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation (CVE-2023-20872, CVSS score: 7.7). While the former could enable a bad actor with read/write access to the host operating system to obtain root access, the latter could result in arbitrary code execution. 

2. New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks

Details have emerged about a high-severity security vulnerability impacting the Service Location Protocol (SLP) that could be weaponized to launch volumetric denial-of-service attacks against targets. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2,200 times, potentially making it one of the largest amplification attacks ever reported. The vulnerability, which has been assigned the identifier CVE-2023-29552 (CVSS score: 8.6), is said to impact more than 2,000 global organizations and over 54,000 SLP instances that are accessible over the internet. Successful exploitation of CVE-2023-29552 could permit an attacker to take advantage of susceptible SLP instances to launch a reflection amplification attack and overwhelm a target server with bogus traffic. The best option to address CVE-2023-29552 is to upgrade to a supported release line that is not impacted by the vulnerability.

3. Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack

Threat actors are employing a previously undocumented “defense evasion tool” dubbed AuKill that’s designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system. The BYOVD technique relies on threat actors misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or using a stolen or leaked certificate) to gain elevated privileges and turn off security mechanisms. By using valid, susceptible drivers, the idea is to bypass a key Windows safeguard known as Driver Signature Enforcement that ensures kernel-mode drivers have been signed by a valid code signing authority before they are allowed to run.

4. Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code into the pages and posts of WordPress sites, which is then executed every time the posts are opened in a web browser. GoDaddy’s Sucuri found that infected websites had malicious code injected into the “wp_posts” table, which stores posts, pages, and navigation menus. The injected code creates a PHP script containing a remote code execution backdoor using the file_put_contents function. Sucuri detected over 6,000 instances of this backdoor in the last 6 months, originating from three Russian IP addresses. Attackers established persistent backdoors by misusing the Eval PHP plugin to save rogue pages as drafts. The rogue pages were created with a legitimate site administrator as the author, suggesting a successful login as a privileged user. The plugin was used to execute PHP code inside shortcodes, making it easy to reinfect the website and stay hidden.

Recommendation
Site owners are advised to secure the WP Admin dashboard and to watch out for any suspicious logins, to prevent threat actors from gaining admin access and installing the plugin.

5. CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, after evidence of active exploitation. The vulnerabilities are:

  • CVE-2023-28432, a MinIO information disclosure vulnerability.
  • CVE-2023-27350, an improper access control vulnerability in PaperCut MF/NG.
  • CVE-2023-2136, a Google Chrome Skia integer overflow vulnerability.

MinIO maintainers said the information disclosure flaw disclosed all environment variables in a cluster deployment. As many as 18 unique malicious IP addresses from five countries attempted to exploit the flaw over the past 30 days. Threat intelligence firm GreyNoise also noted that an older version of MinIO that’s vulnerable to CVE-2023-28432 was being used in a reference implementation provided by OpenAI for developers to integrate their plugins to ChatGPT. Another flaw affecting PaperCut print management software has been addressed by the vendor.

6. Two Critical Flaws Found in Alibaba Cloud’s PostgreSQL Databases

A chain of two critical flaws has been disclosed in Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers. The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers’ PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services. In a nutshell, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – made it possible to elevate privileges to root within the container, escape to the underlying Kubernetes node, and ultimately obtain unauthorized access to the API server. Armed with this capability, an attacker could retrieve credentials associated with the container registry from the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node.

7. Exploit Released For PaperCut Flaw Abused To Hijack Servers

Attackers are exploiting severe vulnerabilities in the widely-used PaperCut MF/NG print management software to install Atera remote management software to take over servers.
The software’s developer claims it’s used by more than 100 million users from over 70,000 companies worldwide.
The two security flaws (tracked as CVE-2023-27350 and CVE-2023-27351) allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that don’t require user interaction.
Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. Upgrading to one of these fixed versions is recommended.
