how human behavior affects security

Programmer’s Digest #28

04/13/2023-04/19/2023 Critical Flaws in vm2 JavaScript Library, APT41’s Use of Open Source GC2 Tool, Kodi Confirms Data Breach And More

1. Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution 

A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections. Both the flaws – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively. Successful exploitation of the bugs, which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context. The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could lead to the execution of arbitrary code on the underlying system.

2. Google Uncovers APT41’s Use of Open Source GC2 Tool to Target Media and Job Sites

A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2) amid broader abuse of Google’s infrastructure for malicious ends. The tech giant’s Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the geological and geographical-themed moniker HOODOO. The starting point of the attack is a phishing email that contains links to a password-protected file hosted on Google Drive, which, in turn, incorporates the Go-based GC2 tool to read commands from Google Sheets and exfiltrate data using the cloud storage service. After installation on the victim machine, the malware queries Google Sheets to obtain attacker commands. In addition to exfiltration via Drive, GC2 enables the attacker to download additional files from Drive onto the victim system.

3. Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year. Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The tech giant acknowledged that “an exploit for CVE-2023-2033 exists in the wild,” but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors.

Recommendation
Users are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

4. Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration

Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks. Threat actors (TAs) using built-in data exfiltration methods like living off the land binaries and scripts negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms. These methods can also blend into the general operating environment, helping the threat actor stay hidden. The PowerShell script discovered by Unit 42 (w1.ps1) works by identifying mounted drives on the system, and then recursively searching through each of the root directories to facilitate data exfiltration over HTTP. The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos. The discovery of the data exfiltration script illustrates the ongoing threat of double extortion in the ransomware landscape. It also serves as a reminder for organizations to prioritize robust security protections and stay vigilant against evolving threats.
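Because the script relies on built-in cmdlets, signature-based blocking has little to grip; a more robust approach is to correlate the behaviours described above (drive enumeration, recursive directory walk, HTTP upload, vendor-folder exclusions) inside PowerShell script block logs. The example below is added here and is not Unit 42's detection logic; the indicator patterns and the sample Event ID 4104 records are constructed, and it reassembles fragmented script blocks by ScriptBlockId before matching, since long scripts are logged in several pieces.

```python
import re

# Indicator groups derived from the behaviours the digest attributes to w1.ps1.
# Patterns and names are constructed for this example, not Unit 42's rule.
INDICATORS = {
    "drive_enum": re.compile(r"Get-PSDrive|Win32_LogicalDisk|DriveInfo", re.I),
    "recursive_walk": re.compile(r"Get-ChildItem[^\n|]*-Recurse|EnumerateFiles", re.I),
    "http_upload": re.compile(r"Invoke-WebRequest|Invoke-RestMethod|UploadFile|WebClient", re.I),
    "vendor_exclusion": re.compile(r"Symantec|ESET|Sophos", re.I),
}
# Alert only when the three behaviours that together form an exfiltration loop co-occur;
# the vendor exclusion is recorded as supporting context, not required.
REQUIRED = ("drive_enum", "recursive_walk", "http_upload")

def reassemble(events):
    """Event 4104 splits long scripts into numbered fragments; join them per
    ScriptBlockId so indicators spread across fragments are still seen together."""
    parts = {}
    for ev in events:
        parts.setdefault(ev["ScriptBlockId"], []).append(
            (ev["MessageNumber"], ev["ScriptBlockText"]))
    return {sbid: "".join(text for _, text in sorted(frags))
            for sbid, frags in parts.items()}

def matched_indicators(text):
    """Sorted names of the indicator groups present in one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def detect(events):
    """Return (ScriptBlockId, matched indicators) for each reassembled script
    that shows every REQUIRED behaviour."""
    alerts = []
    for sbid, text in reassemble(events).items():
        hits = matched_indicators(text)
        if all(name in hits for name in REQUIRED):
            alerts.append((sbid, hits))
    return alerts

# Constructed sample 4104 events; fragment 2 of block A is logged before fragment 1,
# and blocks B and C are ordinary admin activity that must not alert.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "A", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": " -Exclude 'Sophos','ESET' | ForEach-Object { Invoke-WebRequest -Method Post } }"},
    {"ScriptBlockId": "A", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Get-PSDrive -PSProvider FileSystem | ForEach-Object { Get-ChildItem $_.Root -Recurse"},
    {"ScriptBlockId": "B", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\logs -Recurse -Filter *.log | Remove-Item"},
    {"ScriptBlockId": "C", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-RestMethod -Uri https://monitoring.internal/health"},
]

if __name__ == "__main__":
    for sbid, hits in detect(SAMPLE_EVENTS):
        print(f"ScriptBlock {sbid}: {', '.join(hits)}")
```

Matching on fragments individually would miss block A, because the upload cmdlet and the drive enumeration land in different records.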

5. Kodi Confirms Data Breach: 400K User Records and Private Messages Stolen

Kodi, an open source media player software provider, has confirmed a data breach after a cyber attack. Threat actors stole user data and private messages from the company’s MyBB forum database, and attempted to sell the data dump to a cybercrime marketplace. They also created database backups, which were downloaded and deleted. The account used by the threat actors has been disabled, and Kodi has taken down its forum while commissioning a new server. The company emphasized that there is no evidence of unauthorized access to the server hosting the MyBB software. The breach affected 400,635 users, whose forum posts, messages, and personal information were compromised. Kodi plans to redeploy the forum on the latest version of the MyBB software.

6. New Python-Based “Legion” Hacking Tool Emerges on Telegram

Legion, a Python-based credential harvester and hacking tool, is being marketed on Telegram as a way for cybercriminals to break into various online services for further exploitation. The malware includes modules to exploit unpatched versions of Apache, conduct remote code execution attacks, and brute-force cPanel and WebHost Manager accounts. It is designed to exploit web servers running content management systems, PHP, or PHP-based frameworks like Laravel. The primary goal is to hijack the services and weaponize the infrastructure for follow-on attacks, including mass spam and opportunistic phishing campaigns. Legion also retrieves AWS credentials from insecure or misconfigured web servers and delivers SMS spam messages to users of US mobile networks. The origins of the threat actor remain unknown.

7. Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog due to active exploitation. The first vulnerability (CVE-2023-20963) is an Android Framework Privilege Escalation Vulnerability with a CVSS score of 7.8. Google has acknowledged that the vulnerability may be under limited, targeted exploitation. The second vulnerability (CVE-2023-29492) is an insecure deserialization vulnerability in Novi Survey software that allows attackers to execute code on the server remotely. The vulnerability was addressed by the software provider earlier this week. The development follows reports that Android apps from Chinese e-commerce company Pinduoduo were weaponized as a zero-day to steal data and control devices, exploiting the Android Framework Privilege Escalation Vulnerability. Google suspended Pinduoduo’s official app from the Play Store in March due to malware identified in off-Play versions of the software.

Programmer’s Digest #27

04/06/2023-04/12/2023 Newly Discovered “By-Design” Flaw in Microsoft Azure, Over 1 Million WordPress Sites Infected, Critical Remote Code Execution Flaw in vm2 Sandbox Library And More

1. Newly Discovered “By-Design” Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers

A “by-design flaw” uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code. The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts. According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key. Once an attacker locates the storage account of a Function app that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE). 

Recommendation 
As mitigations, it’s recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead.
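A quick way to act on that recommendation is to inventory which storage accounts still allow Shared Key authorization and emit the remediation for each. The script below is an added example, not Microsoft's or Orca's tooling: it reads a trimmed, constructed sample of `az storage account list -o json` output (the `allowSharedKeyAccess` property and the `--allow-shared-key-access` flag are the real az CLI names) and treats a null value as enabled, because an unset property means the default described above applies.

```python
import json

# Constructed sample of `az storage account list -o json` output, trimmed to the
# fields this check needs. A null allowSharedKeyAccess means "never set", which
# Azure treats as enabled (the default the digest item warns about).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "prodfuncstorage", "resourceGroup": "rg-apps", "allowSharedKeyAccess": null},
  {"name": "legacyblobs", "resourceGroup": "rg-data", "allowSharedKeyAccess": true},
  {"name": "hardenedlogs", "resourceGroup": "rg-sec", "allowSharedKeyAccess": false}
]
"""

def load_accounts(text):
    """Parse the az CLI JSON array into a list of account dicts."""
    return json.loads(text)

def shared_key_enabled(account):
    """True when Shared Key authorization is effective: explicitly true or unset."""
    return account.get("allowSharedKeyAccess") is not False

def find_exposed(accounts):
    """Accounts that still accept the 512-bit account keys (and key-signed SAS)."""
    return [a for a in accounts if shared_key_enabled(a)]

def remediation_commands(accounts):
    """One `az storage account update` per exposed account."""
    return [
        f"az storage account update --name {a['name']} "
        f"--resource-group {a['resourceGroup']} --allow-shared-key-access false"
        for a in find_exposed(accounts)
    ]

if __name__ == "__main__":
    for cmd in remediation_commands(load_accounts(SAMPLE_ACCOUNTS_JSON)):
        print(cmd)
```

Disabling Shared Key also invalidates account and service SAS tokens signed with those keys, so inventory clients that depend on connection strings or key-signed SAS before applying the change.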

2. Hackers Flood NPM with Bogus Packages Causing a DoS Attack

Threat actors flooded the npm open source package repository for Node.js with bogus packages that briefly even resulted in a denial-of-service (DoS) attack. The threat actors create malicious websites and publish empty packages with links to those malicious websites, taking advantage of open-source ecosystems’ good reputation on search engines. The attacks caused a denial-of-service (DoS) that made NPM unstable with sporadic ‘Service Unavailable’ errors. While similar campaigns were recently observed propagating phishing links, the latest wave pushed the number of package versions to 1.42 million, a dramatic uptick from the roughly 800,000 packages released on npm. The attack technique leverages the fact that open source repositories are ranked higher on search engine results to create rogue websites and upload empty npm modules with links to those sites in the README.md files.

3. Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign

Since 2017, over one million WordPress websites have been affected by a malware campaign called Balada Injector, according to GoDaddy’s Sucuri. The campaign utilizes known and newly discovered theme and plugin vulnerabilities to breach WordPress sites, with attacks occurring in waves every few weeks. The campaign relies on over 100 domains and multiple methods to take advantage of known security flaws. The malware allows for the generation of fake WordPress admin users, harvests data stored in the underlying hosts, and leaves backdoors for persistent access. The campaign also searches for writable directories that belong to other sites with the same server account and file permissions. This means compromising one site can potentially grant access to several other sites.

4. Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library

The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions, including and prior to 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15.

“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” vm2 disclosed in an advisory. The vulnerability has been assigned the identifier CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that vm2 does not properly handle errors that occur in asynchronous functions.
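Three vm2 sandbox escapes in two weeks (CVE-2023-29017 fixed in 3.9.15, then CVE-2023-29199 in 3.9.16 and CVE-2023-30547 in 3.9.17, covered in Digest #28 above) make the practical question "which vm2 copies does my build actually contain?" The example below is added here and is not part of the vm2 project: it walks a `package-lock.json` (both the lockfile v2/v3 `packages` map and the older nested `dependencies` form), including transitive copies nested under other modules, and reports which of the three CVEs each copy still lacks a fix for. The lockfile contents are constructed.

```python
import json

# Fixed versions as stated in the digest items (constructed mapping for this example).
VM2_FIXES = {
    "CVE-2023-29017": (3, 9, 15),
    "CVE-2023-29199": (3, 9, 16),
    "CVE-2023-30547": (3, 9, 17),
}

def parse_version(v):
    """Turn '3.9.16' into (3, 9, 16); pre-release and build tags are dropped."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def vm2_versions_in_lock(lock):
    """Return (path, version) for every vm2 copy, direct or nested, in a lockfile.
    Lockfile v2/v3 carries a flat 'packages' map keyed by install path; v1 only
    has the nested 'dependencies' tree, so it is walked recursively instead."""
    found = []
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/vm2") and "version" in meta:
            found.append((path, meta["version"]))

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "vm2" and "version" in meta:
                found.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:  # v2 also has 'dependencies'; avoid double counting
        walk(lock.get("dependencies", {}), "")
    return found

def audit_vm2(lock):
    """Return (path, version, [CVE ids still unpatched at that version])."""
    results = []
    for path, version in vm2_versions_in_lock(lock):
        parsed = parse_version(version)
        open_cves = [cve for cve, fixed in VM2_FIXES.items() if parsed < fixed]
        results.append((path, version, open_cves))
    return results

# Constructed sample lockfile: a direct vm2 3.9.16 plus a 3.9.14 nested under a plugin.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"vm2": "^3.9.16"}},
        "node_modules/vm2": {"version": "3.9.16"},
        "node_modules/some-plugin": {"version": "1.0.0"},
        "node_modules/some-plugin/node_modules/vm2": {"version": "3.9.14"},
    },
}

if __name__ == "__main__":
    for path, version, cves in audit_vm2(SAMPLE_LOCK):
        status = "patched" if not cves else "unpatched: " + ", ".join(cves)
        print(f"{path} vm2@{version} -> {status}")
```

The nested copy is the one a plain `npm ls vm2` glance at the top level tends to miss, and it is exactly the copy `npm update` will not touch if the plugin pins it.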

5. SAP Releases Security Updates For Two Critical-Severity Flaws

Enterprise software vendor SAP has released its April 2023 security updates for several of its products, which includes fixes for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform.

In total, SAP has released 24 notes, 19 of which concern new issues of varying importance, and five are updates to previous bulletins. SAP has fixed three critical issues in its latest update. The first issue, CVE-2023-27267, impacts the OSCommand Bridge of SAP Diagnostics Agent 720, allowing an attacker to execute scripts and fully compromise the system. The second issue, CVE-2023-28765, affects SAP BusinessObjects Business Intelligence Platform versions 420 and 430, enabling an attacker to access users’ passwords and take over their accounts. The third issue, CVE-2023-29186, is a directory traversal flaw affecting SAP NetWeaver versions 707, 737, 747, and 757, allowing an attacker to upload and overwrite files on the SAP server.

The remaining 11 security flaws disclosed in SAP’s latest security bulletin concern low to medium-severity vulnerabilities.

6. Microsoft April 2023 Patch Tuesday fixes 1 Zero-day, 97 Flaws

Today is Microsoft’s April 2023 Patch Tuesday, and security updates fix one actively exploited zero-day vulnerability and a total of 97 flaws.
Seven vulnerabilities have been classified as ‘Critical’ for allowing remote code execution, the most serious of vulnerabilities.

The number of bugs in each vulnerability category is listed below:

  • 20 Elevation of Privilege Vulnerabilities,
  • Security Feature Bypass Vulnerabilities,
  • 45 Remote Code Execution Vulnerabilities,
  • 10 Information Disclosure Vulnerabilities,
  • 9 Denial of Service Vulnerabilities,
  • 6 Spoofing Vulnerabilities.

To learn more about the non-security updates released today, you can review articles on the new Windows 11 KB5025239 cumulative update and Windows 10 KB5025221 and KB5025229 updates.

Programmer’s Digest #26

03/30/2023-04/05/2023 Azure AD Vulnerability Fixed, Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities, “Super FabriXss” Vulnerability in Microsoft Azure SFX And More

1. Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps

Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several “high-impact” applications to unauthorized access. One of these apps is a content management system (CMS) that powers Bing.com and allowed an attacker not only to modify search results but also to launch high-impact XSS attacks on Bing users. The crux of the vulnerability stems from what’s called “Shared Responsibility confusion,” wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access. A malicious actor with the same access could’ve hijacked the most popular search results with the same payload and leaked sensitive data from millions of users.

2. Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation

Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems. This entails the abuse of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot). CVE-2022-46169 relates to a critical authentication bypass and command injection flaw in Cacti servers that allows an unauthenticated user to execute arbitrary code. CVE-2021-35394 also concerns an arbitrary command injection vulnerability impacting the Realtek Jungle SDK that was patched in 2021. At least three different versions of ShellBot have been detected – viz. PowerBots (C) GohacK, LiGhT’s Modded perlbot v2, and B0tchZ 0.2a. All three variants are capable of orchestrating distributed denial-of-service (DDoS) attacks. PowerBots (C) GohacK and B0tchZ 0.2a also feature backdoor capabilities to carry out file uploads/downloads and launch a reverse shell. Compromised victims can be controlled and used as DDoS bots after receiving a command from a C2 server.

3. Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22. Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled. This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges. After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site.
The flaw is currently being abused in the wild from several IP addresses intending to upload arbitrary PHP and ZIP archive files.

Recommendation
Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, which is the latest version, as soon as possible to mitigate potential threats.

4. Researchers Detail Severe “Super FabriXss” Vulnerability in Microsoft Azure SFX

Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Tracked as CVE-2023-23383 (CVSS score: 8.2), the issue has been dubbed “Super FabriXss” by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. The Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication. XSS refers to a kind of client-side code injection attack that makes it possible to upload malicious scripts into otherwise trusted websites. The scripts then get executed every time a victim visits the compromised website, thereby leading to unintended consequences.
This attack takes advantage of the Cluster Type Toggle options under the Events Tab in the Service Fabric platform, which allow an attacker to overwrite an existing Compose deployment by triggering an upgrade with a specially crafted URL delivered through the XSS vulnerability.

5. AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services

A new “comprehensive toolset” called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers. The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns. The primary use of AlienFox is to enumerate misconfigured hosts via scanning platforms like LeakIX and SecurityTrails, and subsequently leverage various scripts in the toolkit to extract credentials from configuration files exposed on the servers. Specifically, it entails searching for susceptible servers associated with popular web frameworks, including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. Attacks involving AlienFox are said to be opportunistic, with the scripts capable of gathering sensitive data pertaining to AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, Sendgrid, Twilio, Zimbra, and Zoho.

6. ALPHV Ransomware Exploits Veritas Backup Exec Bugs For Initial Access

An ALPHV/BlackCat ransomware affiliate was observed exploiting three vulnerabilities impacting the Veritas Backup product for initial access to the target network. Mandiant tracks the ALPHV affiliate as ‘UNC4466’ and notes that the method is a deviation from the typical intrusion that relies on stolen credentials.
The high-severity flaws targeted by UNC4466 are:

  • CVE-2021-27876: Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
  • CVE-2021-27877: Remote unauthorized access and privileged command execution to the BE Agent via SHA authentication. (CVSS score: 8.2)
  • CVE-2021-27878: Arbitrary command execution flaw resulting from an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)

All three flaws impact the Veritas Backup software. The vendor disclosed them in March 2021 and released a fix with version 21.2. However, despite over two years having passed since then, many endpoints remain vulnerable as they have not updated to a safe version.

7. Microsoft Tightens OneNote Security by Auto-Blocking 120 Risky File Extensions

Microsoft has announced plans to automatically block embedded files with “dangerous extensions” in OneNote following reports that the note-taking service is being increasingly abused for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files. That’s going to change going forward. Microsoft said it intends to prevent users from directly opening an embedded file with a dangerous extension and display the message: “Your administrator has blocked your ability to open this file type in OneNote.” The update is expected to start rolling out with Version 2304 later this month and only impacts OneNote for Microsoft 365 on devices running Windows. Users who opt to still open the embedded file can do so by first saving the file locally to their device and then opening it from there.
