Programmer’s Digest #37

06/15/2023-06/21/2023 Vulnerabilities Reported in Microsoft Azure, New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling, Critical Vulnerability in VMware’s Aria Operations Networks And More

1. Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry

Microsoft Azure Bastion and Azure Container Registry have been found to have two critical security vulnerabilities that could be exploited for cross-site scripting (XSS) attacks. Unauthorized access to a victim’s session within the compromised Azure service iframe was possible due to these vulnerabilities, leading to unauthorized data access, modifications, and disruption of Azure services. The flaws leverage a weakness in the postMessage iframe, enabling the injection of malicious JavaScript code through embedded endpoints within remote servers. To exploit these weaknesses, threat actors would need to identify vulnerable endpoints with missing X-Frame-Options headers or weak Content Security Policies (CSPs). By crafting appropriate payloads and manipulating the postMessage handler, the attacker can execute their code within the victim’s context. Orca Security demonstrated proof-of-concept exploits targeting Azure Bastion and Azure Container Registry, manipulating the Topology View SVG exporter and Quick Start to execute XSS payloads.

2. Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits

Fraudulent GitHub accounts linked to a fake cybersecurity company are pushing malicious repositories. These repositories claim to be proof-of-concept exploits targeting zero-day vulnerabilities in Discord, Google Chrome, and Microsoft Exchange Server. VulnCheck, the discoverer of this activity, found that the perpetrators created a network of fake accounts and Twitter profiles to make their actions seem legitimate. The rogue repositories were first noticed in May when similar exploits for Signal and WhatsApp were released, but those repositories have been taken down. Notably, the accounts also used photos of real security researchers from reputable firms like Rapid7. The Python script used in the proof-of-concept downloads and executes a malicious binary on the victim’s operating system. Despite the effort invested in creating false identities, the malware is easily detectable. The success of the attackers remains uncertain, but their persistent pursuit suggests confidence in their approach.

3. ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC

ChamelGang, a known threat actor, has been using a new Linux backdoor called ChamelDoH. The malware, written in C++, uses DNS-over-HTTPS (DoH) tunneling for its command-and-control communication. ChamelGang was first exposed by Positive Technologies in September 2021, revealing its attacks on various industries across different countries. The actor exploits vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application, using a passive backdoor called DoorMe. Stairwell discovered the Linux backdoor, which captures system information and enables remote access operations. ChamelDoH’s unique feature is its use of DoH to send DNS TXT requests to a rogue nameserver, making it difficult to block as it utilizes commonly used DNS servers like Cloudflare and Google. Additionally, the use of DoH as a command-and-control method prevents interception and detection by security solutions, turning it into an effective encrypted channel for communication.
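The detection angle for the DoH tunneling described above, as an added example that is not Stairwell's, Positive Technologies' or the malware's own code: where a forward proxy or the resolver itself terminates TLS, the RFC 8484 GET form (the DNS message base64url-encoded in the `dns` query parameter) can be decoded and TXT lookups to zones that have no business receiving them can be flagged. The resolver hostnames, the allowlist and the queried names are constructed sample values, and the `.invalid` domain stands in for a rogue nameserver.

```python
"""Decode DoH GET requests and flag TXT lookups to unexpected zones.

Added example; it assumes RFC 8484 wire format in the `dns` parameter and a
vantage point where the HTTPS request is visible in plaintext. All sample
resolvers, zones and names below are constructed for illustration.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

QTYPE_TXT = 16
# Constructed allowlist: zones where TXT lookups are expected (SPF, DMARC, ...).
EXPECTED_TXT_SUFFIXES = ("example.com",)


def build_dns_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query message: header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_dns_question(msg):
    """Return (qname, qtype) from the first question of a DNS message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype


def doh_get_url(resolver, name, qtype):
    """Encode a query as an RFC 8484 GET URL (used only to build sample traffic)."""
    raw = base64.urlsafe_b64encode(build_dns_query(name, qtype)).rstrip(b"=")
    return f"https://{resolver}/dns-query?dns={raw.decode()}"


def flag_txt_tunnel(url):
    """Return the queried name if `url` is a TXT lookup outside the allowlist, else None."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if not parts.path.endswith("/dns-query") or "dns" not in params:
        return None
    b64 = params["dns"][0]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    qname, qtype = parse_dns_question(msg)
    if qtype != QTYPE_TXT:
        return None
    if any(qname == s or qname.endswith("." + s) for s in EXPECTED_TXT_SUFFIXES):
        return None
    return qname


# Constructed sample requests: an ordinary A lookup, an expected TXT lookup
# (DMARC policy) and a TXT lookup to a made-up zone of the kind a beacon would use.
SAMPLE_URLS = [
    doh_get_url("cloudflare-dns.com", "www.example.com", 1),
    doh_get_url("dns.google", "_dmarc.example.com", QTYPE_TXT),
    doh_get_url("dns.google", "a3f9c2.beacon.invalid", QTYPE_TXT),
]


def suspicious_names(urls):
    """Names from TXT lookups that fall outside the expected zones."""
    return [n for n in (flag_txt_tunnel(u) for u in urls) if n]


if __name__ == "__main__":
    for name in suspicious_names(SAMPLE_URLS):
        print("unexpected TXT lookup over DoH:", name)
```

The decoder only helps where the plaintext request is visible; on hosts that reach public DoH resolvers directly, the page's point stands that the channel looks like ordinary HTTPS, and the practical control is to restrict which resolvers endpoints may use and to alert on DoH traffic that bypasses the organization's own resolver.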

4. Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack

Progress Software has revealed a third vulnerability in its MOVEit Transfer application, while the Cl0p cybercrime group has resorted to extortion tactics against affected companies. Tracked as CVE-2023-35708, the flaw is an SQL injection vulnerability that can result in escalated privileges and unauthorized access. Progress Software advises customers to disable HTTP and HTTPS traffic on ports 80 and 443 until a fix is ready. This disclosure follows the revelation of SQL injection vulnerabilities (CVE-2023-35036) that provided unauthorized access to the application’s database content. The Cl0p group has already exploited CVE-2023-34362, and they have listed 27 hacked companies on their darknet leak portal, including US federal agencies. Censys reports that MOVEit servers are primarily used in the financial services, healthcare, IT, and government sectors in the US. According to Kaspersky, ransomware comprises 58% of malware-as-a-service (MaaS) attacks, followed by information stealers (24%) and botnets, loaders, and backdoors (18%).

5. Alert! Hackers Exploiting Critical Vulnerability in VMware’s Aria Operations Networks

VMware has warned that an already patched critical command injection vulnerability in Aria Operations for Networks is being actively exploited. The flaw, known as CVE-2023-20887, enables remote code execution through command injection attacks. Versions 6.x of VMware Aria Operations for Networks are affected, and fixes were released on June 7, 2023. Although specific details of the attacks are unknown, VMware confirmed real-world exploitation. Threat intelligence firm GreyNoise identified active exploitation from two IP addresses in the Netherlands. The vulnerability was discovered by researcher Sina Kheirkhah, who released a proof-of-concept. The swift exploitation of newly disclosed vulnerabilities remains a significant threat globally. Mandiant also reported active exploitation of another VMware Tools flaw (CVE-2023-20867) by a suspected Chinese actor called UNC3886, resulting in backdoored Windows and Linux hosts.

6. Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway

A threat actor known as UNC4841 has been exploiting a recently patched zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances since October 2022. The flaw, identified as CVE-2023-2868, allows remote code injection and affects versions 5.1.3.001 through 9.2.0.006. Mandiant, appointed to investigate the hack, describes UNC4841 as an aggressive and skilled espionage group. The actor sent targeted organizations emails with malicious TAR file attachments, disguising them as spam. The goal was to execute a reverse shell payload on the ESG devices and deploy three malware strains, establishing persistence and executing arbitrary commands. UNC4841 leveraged compromised devices for lateral movement and data exfiltration. The attacks targeted private and public sector organizations across 16 countries, with government entities comprising almost a third of the victims.

7. Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices

Zyxel has released security updates to address a critical vulnerability in its network-attached storage (NAS) devices. Tracked as CVE-2023-27992, the flaw is a pre-authentication command injection vulnerability that could allow remote execution of arbitrary commands on affected systems. Zyxel warns that an unauthenticated attacker could exploit the flaw by sending a crafted HTTP request. The impacted versions include NAS326, NAS540, and NAS542, which have been patched in their respective newer versions. The alert follows recent additions of two Zyxel firewall vulnerabilities to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. Given the increasing targeting of Zyxel devices by threat actors, customers are strongly advised to apply the security updates promptly to mitigate potential risks.


Programmer’s Digest #36

06/08/2023-06/14/2023 Critical FortiOS and FortiProxy Vulnerability, Spoofing Bug in Microsoft Visual Studio Installer, New Critical MOVEit Transfer SQL Injection Vulnerabilities And More

1. Critical FortiOS and FortiProxy Vulnerability Likely Exploited – Patch Now!

Fortinet has revealed a critical flaw, CVE-2023-27997, affecting FortiOS and FortiProxy, which may have been exploited in a limited number of attacks targeting government, manufacturing, and critical infrastructure sectors. The vulnerability is a heap-based buffer overflow issue in FortiOS and FortiProxy SSL-VPN, allowing remote attackers to execute arbitrary code via crafted requests. The flaw was discovered by LEXFO security researchers and addressed by Fortinet on June 9, 2023, in various versions of their software. The discovery coincided with a code audit following the active exploitation of a similar flaw in December 2022. Fortinet did not attribute the recent exploitation to the Chinese state-sponsored actor known as Volt Typhoon, but they anticipate all threat actors, including Volt Typhoon, to continue exploiting unpatched vulnerabilities in widely used software and devices.

2. Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer

Security researchers have discovered a potentially dangerous flaw in the Microsoft Visual Studio installer that enables malicious actors to impersonate legitimate publishers and distribute harmful extensions. Exploiting this vulnerability, threat actors can compromise systems, steal sensitive data, modify code, or gain full control of a targeted system. The flaw, known as CVE-2023-28299, has a CVSS score of 5.5 and was addressed by Microsoft in their April 2023 Patch Tuesday updates. The bug allows spoofed publisher digital signatures by introducing newline characters to the “DisplayName” tag in the “extension.vsixmanifest” file. By bypassing the restriction on entering information in the “product name” extension property, the attacker can suppress warnings about the lack of a digital signature, tricking developers into installing the malicious extension. This could be achieved through phishing emails disguised as legitimate software updates, potentially granting unauthorized access and facilitating further network infiltration and data theft.
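A defender-side check for the manifest trick described above, as an added example that is not Microsoft's code and not the researchers' proof of concept: parse an `extension.vsixmanifest`, find every `DisplayName` element regardless of namespace, and report names that carry newline or other control characters, or that try to read like a signature status line. The two manifests below are constructed samples; the namespace URI is the one standard VSIX v2 manifests use, but the matching ignores it.

```python
"""Flag VSIX manifests whose DisplayName carries newline or control characters.

Added example (not Microsoft's tooling). It assumes the usual layout of an
extension.vsixmanifest, with a <DisplayName> element under <Metadata>. Both
sample manifests are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Heuristic: a product name should not assert anything about signing.
SIGNING_WORDS = re.compile(r"(?i)\b(signature|signed|verified)\b")

# Constructed sample: the DisplayName embeds a newline (&#10;) followed by a
# second line of text that mimics a signature status.
SUSPICIOUS_MANIFEST = """<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">
  <Metadata>
    <Identity Id="example.extension" Version="1.0" Language="en-US" Publisher="Example Publisher" />
    <DisplayName>Example Tools&#10;Digital Signature: Verified</DisplayName>
    <Description>Constructed sample manifest.</Description>
  </Metadata>
</PackageManifest>"""

# Constructed sample: a plain single-line name.
CLEAN_MANIFEST = """<PackageManifest Version="2.0.0" xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">
  <Metadata>
    <Identity Id="example.extension" Version="1.0" Language="en-US" Publisher="Example Publisher" />
    <DisplayName>Example Tools</DisplayName>
  </Metadata>
</PackageManifest>"""


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def display_names(manifest_xml):
    """Text of every DisplayName element, whatever namespace it sits in."""
    root = ET.fromstring(manifest_xml)
    return [el.text or "" for el in root.iter() if _local_name(el.tag) == "DisplayName"]


def find_display_name_issues(manifest_xml):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    issues = []
    for name in display_names(manifest_xml):
        found = CONTROL_CHARS.findall(name)
        if found:
            codes = sorted({f"\\x{ord(c):02x}" for c in found})
            issues.append(f"DisplayName contains control characters: {', '.join(codes)}")
        if name != name.strip():
            issues.append("DisplayName has leading or trailing whitespace")
        if SIGNING_WORDS.search(name):
            issues.append("DisplayName mentions signing status (heuristic)")
    return issues


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(label, find_display_name_issues(manifest) or "ok")
```

The control-character check is the one that matters for this bug class; the signing-words check is a heuristic that will produce false positives on legitimately named products and is there to show how a review tool can surface text that belongs in the installer's own trust prompt rather than in a publisher-controlled field.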

3. New Critical MOVEit Transfer SQL Injection Vulnerabilities Discovered – Patch Now!

Progress Software has released patches for SQL injection vulnerabilities in its MOVEit Transfer application that could be exploited to steal sensitive information. The vulnerabilities, affecting all versions of the service, allow unauthorized access to the MOVEit Transfer database. By submitting a crafted payload to an application endpoint, an attacker can modify and disclose database content. The flaws have been addressed in specific versions of MOVEit Transfer, including cloud instances. The cybersecurity firm Huntress discovered and reported the vulnerabilities during a code review. So far, there is no evidence of exploitation in the wild. However, the previously reported vulnerability (CVE-2023-34362) in MOVEit Transfer has been actively exploited by the Cl0p ransomware gang, leading to the publication of a proof-of-concept exploit by Horizon3.ai. The gang has been targeting managed file transfer platforms since December 2020 and has been experimenting with exploiting CVE-2023-34362 since July 2021.

4. Experts Unveil Exploit for Recent Windows Vulnerability Under Active Exploitation

Details have emerged about a now-patched, actively exploited security flaw in Microsoft Windows that could be abused by a threat actor to gain elevated privileges on affected systems. The vulnerability, tracked as CVE-2023-29336, is rated 7.8 for severity and concerns an elevation of privilege bug in the Win32k component. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra were credited with discovering and reporting the flaw. Win32k.sys is a kernel-mode driver and an integral part of the Windows architecture, being responsible for graphical device interface (GUI) and window management. While the exact specifics surrounding in-the-wild abuse of the flaw are presently not known, Numen Cyber has deconstructed the patch released by Microsoft to craft a proof-of-concept (PoC) exploit for Windows Server 2016. The Singapore-based cybersecurity company said the vulnerability relied on the leaked kernel handle address in the heap memory to ultimately obtain a read-write primitive.

5. Urgent Security Updates: Cisco and VMware Address Critical Vulnerabilities

VMware has released security updates to address three vulnerabilities in Aria Operations for Networks. The most critical flaw is a command injection vulnerability (CVE-2023-20887) that could allow remote code execution. Another deserialization vulnerability (CVE-2023-20888) and an information disclosure bug (CVE-2023-20889) have also been patched. These vulnerabilities could permit attackers with network access to achieve remote code execution or obtain sensitive data. The affected versions are 6.x of VMware Aria Operations for Networks, and the issues have been fixed in versions 6.2 to 6.10. Similarly, Cisco has addressed a critical privilege escalation flaw (CVE-2023-20105) in its Expressway Series and TelePresence Video Communication Server (VCS), allowing an attacker to elevate their privileges. Another high-severity vulnerability (CVE-2023-20192) permits command execution and system configuration modification. Cisco has provided workarounds and released updates for these vulnerabilities. While there is no evidence of exploitation, it is crucial to apply the patches promptly. Additionally, three security bugs have been discovered in RenderDoc, an open-source graphics debugger, which could allow for elevated privileges and arbitrary code execution.


Programmer’s Digest #35

06/01/2023-06/07/2023 Malicious PyPI Packages, Google Issues Patch for New Chrome Vulnerability, Urgent WordPress Update And More

1. Malicious PyPI Packages Using Compiled Python Code to Bypass Detection

Researchers have uncovered a new attack on the Python Package Index (PyPI) repository that evades detection by security tools. This attack is believed to be the first of its kind to utilize compiled Python code, specifically Python bytecode (PYC) files, for direct execution. The targeted package, fshec2, was removed from the third-party software registry following responsible disclosure. PYC files are generated by the Python interpreter during program execution and contain compiled code. The malicious package, according to a software supply chain security firm, consists of three files: __init__.py, main.py, and full.pyc.

The main.py file, imported by __init__.py, is responsible for loading the compiled Python module from full.pyc using the importlib package. Reverse-engineering the PYC file reveals its intent to gather user information, hostnames, and directory listings, and to execute commands received from a hardcoded server (13.51.44[.]246).
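A package-review check for the loader pattern the two paragraphs above describe, as an added example that is neither the malicious package nor the reporting firm's or PyPI's tooling: walk a package tree and report compiled modules shipped outside `__pycache__` (a hand-placed `.pyc`) together with source files that load a `.pyc` through `importlib`. The package it scans is a constructed look-alike built in a temporary directory, with an inert placeholder where the bytecode would be; the file names mirror the digest's description and nothing in it is executed.

```python
"""Scan a Python package directory for a shipped-.pyc loader pattern.

Added example; not the fshec2 package and not any vendor's scanner. It builds a
constructed package in a temp dir that mimics the described layout
(__init__.py, main.py, full.pyc) and reports the two tell-tale signs.
"""
import re
import tempfile
from pathlib import Path

# Source-level signs that a module is loaded from a compiled file by path.
IMPORTLIB_LOADER_RE = re.compile(
    r"importlib(?:\.util)?\.(?:spec_from_file_location|module_from_spec)|SourcelessFileLoader"
)
PYC_LITERAL_RE = re.compile(r"""['"][^'"]*\.pyc['"]""")


def scan_package(root):
    """Return sorted (relative_path, reason) findings for the tree under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".pyc" and path.parent.name != "__pycache__":
            findings.append((rel, "compiled module shipped outside __pycache__"))
        elif path.suffix == ".py":
            text = path.read_text(encoding="utf-8", errors="replace")
            if IMPORTLIB_LOADER_RE.search(text) and PYC_LITERAL_RE.search(text):
                findings.append((rel, "source loads a .pyc via importlib"))
    return sorted(findings)


def build_sample_package(base):
    """Create a constructed package mimicking the described layout; nothing is run."""
    pkg = Path(base) / "fshec2_like"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("from . import main\n", encoding="utf-8")
    (pkg / "main.py").write_text(
        "import importlib.util, os\n"
        "_spec = importlib.util.spec_from_file_location(\n"
        "    'full', os.path.join(os.path.dirname(__file__), 'full.pyc'))\n"
        "_mod = importlib.util.module_from_spec(_spec)\n"
        "_spec.loader.exec_module(_mod)\n",
        encoding="utf-8",
    )
    # Placeholder bytes standing in for bytecode; not a valid .pyc on purpose.
    (pkg / "full.pyc").write_bytes(b"constructed placeholder, not bytecode")
    # A normal interpreter cache file, which should not be flagged.
    cache = pkg / "__pycache__"
    cache.mkdir()
    (cache / "main.cpython-311.pyc").write_bytes(b"constructed cache placeholder")
    return pkg


def demo():
    """Build the constructed package and return the scanner's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(build_sample_package(tmp))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Both signals are cheap to compute on a source distribution before installation, and neither depends on decompiling the bytecode; a `.pyc` outside `__pycache__` in a published package is unusual enough on its own to justify a closer look.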

2. Zero-Day Alert: Google Issues Patch for New Chrome Vulnerability – Update Now!

Google has released security updates for its Chrome web browser to address a high-severity vulnerability (CVE-2023-3079) actively being exploited in the wild. The flaw is a type confusion bug in the V8 JavaScript engine. The exploit, which could potentially lead to heap corruption, can be triggered by a crafted HTML page. Google has not provided specific details about the attacks but has confirmed the existence of an exploit. This marks the third zero-day vulnerability addressed by Google in Chrome this year. Users are advised to update to version 114.0.5735.110 (Windows) or 114.0.5735.106 (macOS and Linux) to mitigate potential threats. Additionally, users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should apply the fixes as soon as they are available.

3. Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack

Researchers have discovered an ongoing Magecart-style web skimmer campaign designed to steal personally identifiable information and credit card data from e-commerce websites. What sets this campaign apart is that the compromised sites are being used as “makeshift” command-and-control servers, allowing the attackers to distribute malicious code without detection. Akamai, a web security company, found victims across North America, Latin America, and Europe, putting the personal data of thousands of site visitors at risk. The attackers employ various evasion techniques, such as obfuscation with Base64 and masking the attack to resemble popular third-party services like Google Analytics. By hacking into vulnerable legitimate sites, the attackers leverage the reputation of these domains. The attacks have been ongoing for almost a month and target e-commerce platforms like Magento, WooCommerce, WordPress, and Shopify. The skimmer code, disguised as third-party services, intercepts and exfiltrates data to an actor-controlled server using obfuscation and encoded strings to avoid detection.

4. Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Millions of Sites

WordPress has issued an automatic update to address a critical vulnerability in the popular Jetpack plugin, which is installed on over five million sites. The vulnerability, discovered during an internal security audit, affects an API present in the plugin since version 2.0, released in November 2012. The flaw could potentially be exploited by authors on a site to manipulate any files in the WordPress installation. Jetpack has released 102 new versions to fix the bug. While there is no evidence of exploitation in the wild, it is not uncommon for vulnerabilities in widely used WordPress plugins to be targeted by malicious actors. This is not the first time Jetpack has faced severe security weaknesses, as previous incidents have prompted WordPress to enforce mandatory patch installations. Additionally, a security flaw in the Gravity Forms plugin has been revealed, allowing unauthenticated users to inject arbitrary PHP code. The issue has been resolved in the latest version of the plugin.

5. Zyxel Firewalls Under Attack! Urgent Patching Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two recently disclosed vulnerabilities in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The buffer overflow vulnerabilities, known as CVE-2023-33009 and CVE-2023-33010, could lead to denial-of-service (DoS) attacks and remote code execution. Zyxel released patches for these security flaws on May 24, 2023. Affected devices include ATP, USG FLEX, USG FLEX50(W)/USG20(W)-VPN, VPN, and ZyWALL/USG. The specific details of the attacks are unknown, but this development follows the active exploitation of another Zyxel firewall flaw (CVE-2023-28771) by the Mirai botnet. Federal Civilian Executive Branch agencies have been instructed to address the vulnerabilities by June 26, 2023, to protect their networks. Zyxel has issued guidance advising customers to disable unnecessary services and ports to enhance security.

6. Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App

Microsoft has attributed the active exploitation of a critical vulnerability in Progress Software MOVEit Transfer to the threat actor known as Lace Tempest. This threat actor, also known as Storm-0950, is associated with ransomware groups such as FIN11, TA505, and Evil Corp, and operates the Cl0p extortion site. The vulnerability in question, identified as CVE-2023-34362, allows remote attackers to execute arbitrary code by exploiting an SQL injection flaw in MOVEit Transfer. Microsoft’s Threat Intelligence team has observed the deployment of web shells with data exfiltration capabilities following exploitation. Approximately 3,000 exposed hosts utilizing MOVEit Transfer have been identified. The activity has been tracked by Mandiant as UNC4857, with connections to FIN11. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included the vulnerability in its Known Exploited Vulnerabilities catalog and recommends applying vendor-provided patches by June 23, 2023.
