
Programmer’s Digest #25

03/24/2023-03/29/2023 New MacStealer macOS Malware, Malicious Python Package, Critical WooCommerce Payments Plugin Flaw And More

1. New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords

A new information-stealing malware has set its sights on Apple’s macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it’s the latest example of a threat that uses Telegram as a command-and-control (C2) platform to exfiltrate data. It primarily affects devices running macOS versions Catalina and later running on M1 and M2 CPUs. MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. It also features support for harvesting Microsoft Office files, images, archives, and Python scripts. Stealer malware is typically spread through different channels, including email attachments, bogus software downloads, and other social engineering techniques.

2. Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data

A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy an info-stealing malware. The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials and other valuable data. It has since been taken down, but not before attracting a total of 183 downloads. The package incorporates its malicious behavior in a setup script that’s packed with thousands of seemingly legitimate code strings. These strings include a mix of bold and italic fonts and are still readable and can be parsed by the Python interpreter, only to activate the execution of the stealer malware upon installation of the package.
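The trick above works because Python normalizes every identifier to NFKC, so a name written in Mathematical Bold or Italic letters binds the same variable as its plain ASCII spelling. The following added example (not code from the onyxproxy package or from any analysis of it) shows both halves for a defender: a tokenizer-based scan that reports identifiers whose NFKC form differs from their raw spelling, run over a constructed setup-script fragment, and a small check proving the interpreter merges the two spellings.

```python
import io
import tokenize
import unicodedata

# Constructed sample, not the real malicious setup.py. The identifiers below use
# Mathematical Sans-Serif Italic (U+1D622..) and Mathematical Bold (U+1D41A..)
# letters; written as escapes so the file stays unambiguous in any editor.
SAMPLE_SETUP_PY = (
    "import \U0001D630\U0001D634\n"                       # 'import os' in italic letters
    "\U0001D624\U0001D62E\U0001D625 = 'echo hello'\n"     # 'cmd = ...' in italic letters
    "\U0001D428\U0001D42C.system(cmd)\n"                  # 'os.system(cmd)', 'os' in bold
)


def find_confusable_identifiers(source: str):
    """Return NAME tokens whose NFKC-normalized spelling differs from the raw text.

    Each finding records the line, the raw spelling and the ASCII name the
    interpreter will actually bind, which is what a reviewer needs to read
    the obfuscated script as Python sees it.
    """
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME or tok.string.isascii():
            continue  # plain ASCII names cannot be font-confusables
        normalized = unicodedata.normalize("NFKC", tok.string)
        if normalized != tok.string:
            findings.append(
                {"line": tok.start[0], "raw": tok.string, "normalized": normalized}
            )
    return findings


def spellings_by_name(findings):
    """Group findings by normalized name so mixed-font aliases of one name stand out."""
    groups = {}
    for f in findings:
        groups.setdefault(f["normalized"], set()).add(f["raw"])
    return groups


def interpreter_merges_spellings() -> bool:
    """Show that a fullwidth spelling and the ASCII spelling are one variable.

    The snippet assigns through 'ｖａｌｕｅ' (fullwidth, U+FF56..) and increments
    through 'value'; NFKC normalization makes both refer to the same binding.
    """
    namespace = {}
    exec("\uff56\uff41\uff4c\uff55\uff45 = 41\nvalue += 1", namespace)
    return namespace.get("value") == 42


if __name__ == "__main__":
    for f in find_confusable_identifiers(SAMPLE_SETUP_PY):
        print(f"line {f['line']}: {f['raw']!r} is really {f['normalized']!r}")
    print("aliases:", spellings_by_name(find_confusable_identifiers(SAMPLE_SETUP_PY)))
    print("same binding:", interpreter_merges_spellings())
```

Running the scan over a package's setup.py before installation surfaces every font-disguised name; a legitimate project almost never has a reason to spell `os` or `subprocess` in Mathematical Alphanumeric Symbols.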

3. GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations

GitHub replaced its RSA SSH host key used for Git operations after it was briefly exposed in a public repository. The change, carried out at 05:00 UTC on March 24, 2023, was done as a precaution to prevent impersonation or eavesdropping by bad actors. However, the move only affects Git operations using RSA, not Web traffic to GitHub.com or Git operations via HTTPS. The company, owned by Microsoft, said the exposed SSH private key was not exploited and didn’t reveal how long it was exposed. GitHub emphasized that there was no compromise of its systems or customer information, and the incident was due to “inadvertent publishing of private information.” Users of GitHub Actions may experience failed workflow runs if using actions/checkout with the ssh-key option, and the company is updating the action.

4. Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores. It impacts versions 4.8.0 through 5.6.1. The vulnerability appears to reside in a PHP file called “class-platform-checkout-session.php”. WooCommerce also said it worked with WordPress to auto-update sites using affected versions of the software. Patched versions include 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2. Furthermore, the maintainers of the e-commerce plugin noted that it’s disabling the WooPay beta program owing to concerns that the security defect has the potential to impact the payment checkout service.

5. CloudPanel Installations Use The Same SSL Certificate Private Key

Self-hosted web administration solution CloudPanel was found to have several security issues, including using the same SSL certificate private key across all installations and unintentionally overwriting firewall rules with weaker default settings. At the time of writing, the two issues mentioned above remained unfixed, while the software developer addressed a third security problem concerning the installation script. The first issue concerns the trustworthiness of the “curl to bash” installation procedure, as it downloaded code without an integrity check, which the vendor promptly addressed by publishing a cryptographically secure checksum of the installation script. The second problem is that the CloudPanel installation script will reset a server’s pre-existing Uncomplicated Firewall (ufw) rules and introduce a far more permissive ruleset. The third flaw is tracked as CVE-2023-0391 and is caused by CloudPanel installs using a static SSL certificate, enabling attackers to find CloudPanel instances using the certificate’s thumbprint.

6. Exchange Online To Block Emails From Vulnerable On-Prem Servers

Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from “persistently vulnerable Exchange servers” 90 days after the admins are pinged to secure them. As Redmond explains, these are Exchange servers in on-premises or hybrid environments that run end-of-life software or haven’t been patched against known security bugs. Microsoft says this new Exchange Online “transport-based enforcement system” has three distinct functions: reporting, throttling, and blocking. The new system’s primary goal is to help Exchange admins identify unpatched or unsupported on-prem Exchange servers, allowing them to upgrade or patch them before they become security risks. However, it will also be able to throttle and eventually block emails from Exchange servers that haven’t been remediated before reaching Exchange Online mailboxes.


Programmer’s Digest #24

03/16/2023-03/23/2023 Rogue NuGet Packages Infect .NET Developers, New ShellBot DDoS Malware Variants, Adobe ColdFusion Vulnerability Exploited in the Wild And More

1. CISA Alerts on Critical Security Vulnerabilities in Industrial Control Systems

CISA has released eight Industrial Control Systems (ICS) advisories, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation. This includes 13 security vulnerabilities in Delta Electronics’ InfraSuite Device Master, a real-time device monitoring software. All versions prior to 1.0.5 are affected by the issues. Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code. At the top of the list is CVE-2023-1133 (CVSS score: 9.8), a critical flaw that arises from the fact that InfraSuite Device Master accepts unverified UDP packets and deserializes the content, thereby allowing an unauthenticated remote attacker to execute arbitrary code.

2. Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware

The NuGet repository is the target of a new “sophisticated and highly-malicious attack” aiming to infect .NET developer systems with cryptocurrency stealer malware. The 13 rogue packages, which were downloaded more than 160,000 times over the past month, have since been taken down. The packages contained a PowerShell script that would execute upon installation and trigger a download of a ‘second stage’ payload, which could be remotely executed. Three of the most downloaded packages – Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API – alone accounted for 166,000 downloads, although it’s also possible that the threat actors artificially inflated the download counts using bots to make them appear more legitimate. The use of Coinbase and Discord underscores the continued reliance on typosquatting techniques, in which fake packages are assigned names that are similar to legitimate packages, in order to trick developers into downloading them.

3. New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

A new cyber attack campaign is targeting poorly managed Linux SSH servers using a malware called ShellBot. This DDoS Bot malware is written in Perl and communicates via IRC protocol. Hackers use scanner malware to identify servers with open SSH port 22 and weak credentials. They then initiate a dictionary attack using a list of known SSH credentials to breach the server and install the ShellBot payload. Once installed, ShellBot communicates with a remote server via IRC protocol, allowing it to carry out DDoS attacks and exfiltrate data. The attack campaign involves three different ShellBot versions, with the first two offering various DDoS attack commands using HTTP, TCP, and UDP protocols. The third version, PowerBots, offers backdoor-like capabilities such as granting reverse shell access and uploading arbitrary files from the compromised host. If ShellBot is installed, Linux servers can be used as DDoS bots to attack specific targets after receiving commands from the attackers.

4. CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution. It’s worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, both of which are no longer supported by the software company as they have reached end-of-life (EoL). While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it’s aware of the flaw being “exploited in the wild in very limited attacks.”

5. New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks

A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. Among the methods used to distribute the malware are the exploitation of exposed Hadoop YARN servers and security flaws in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8). The malware, like other DDoS botnets of its kind, is capable of contacting a command-and-control (C2) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.
The findings also come as Microsoft revealed that TCP attacks emerged as the most frequent form of DDoS attack encountered in 2022, accounting for 63% of all attack traffic, followed by UDP floods and amplification attacks (22%), and packet anomaly attacks (15%).

6. NordVPN Open Sources Its Linux VPN Client And Libraries

Nord Security has released the source code of its Linux NordVPN client and networking libraries to increase transparency and address users’ security concerns. As part of this, the company has made its NordVPN MeshNet private tunneling feature free for all users who install their software, even if they do not have a paid subscription. This feature allows users to create private tunnels between other NordVPN users to access the internet through the shared network or access internal devices. NordVPN has released the source code for its Linux applications and two libraries, Libtelio and Libdrop, on its GitHub page, encouraging the coding community to scrutinize and improve its code. The company also offers a bug bounty program, with critical vulnerabilities receiving bounties ranging from $10,000 to $50,000.

7. SAP Releases Security Updates Fixing Five Critical Vulnerabilities

Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks. The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver.
More specifically, the five flaws fixed this time are the following:

  • CVE-2023-23857: Critical severity (CVSS v3: 9.8) information disclosure, data manipulation, and DoS flaw impacting SAP NetWeaver AS for Java, version 7.50. The bug allows an unauthenticated attacker to perform unauthorized operations by attaching to an open interface and accessing services via the directory API.
  • CVE-2023-25616: Critical severity (CVSS v3: 9.9) code injection vulnerability in SAP Business Intelligence Platform, allowing an attacker to access resources only available to privileged users.
  • CVE-2023-27269: Critical severity (CVSS v3: 9.6) directory traversal problem impacting SAP NetWeaver Application Server for ABAP.
  • CVE-2023-27500: Critical severity (CVSS v3: 9.6) directory traversal in SAP NetWeaver AS for ABAP.
  • CVE-2023-25617: Critical severity (CVSS v3: 9.0) command execution vulnerability in SAP Business Objects Business Intelligence Platform, versions 420 and 430.

Programmer’s Digest #23

03/08/2023-03/15/2023. Jenkins Security Alert, IceFire Ransomware Exploits IBM Aspera Faspex, Actively Exploited Plex Bug After LastPass Breach And More.

1. New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access

Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as CVE-2023-25610, is rated 9.3 out of 10 for severity and was internally discovered and reported by its security teams. A buffer underwrite (‘buffer underflow’) vulnerability in the FortiOS and FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI via specifically crafted requests. Underflow bugs, also called buffer underruns, occur when the input data is shorter than the reserved space, causing unpredictable behavior or leakage of sensitive data from memory. Other possible consequences include memory corruption that could either be weaponized to induce a crash or execute arbitrary code. Fixes are available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0; FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10; and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9.

2. Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All Jenkins versions prior to 2.319.2 are vulnerable and exploitable. Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim’s Jenkins server, potentially leading to a complete compromise of the Jenkins server. Once the victim opens the ‘Available Plugin Manager’ on their Jenkins server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins server utilizing the Script Console API. Since it’s also a case of stored XSS wherein the JavaScript code is injected into the server, the vulnerability can be activated without having to install the plugin or even visit the URL to the plugin in the first place.

3. Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware

Sunlogin and AweSun remote desktop programs have security vulnerabilities that are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC) reported that this marks the continued abuse of the flaws to deliver various payloads, including the Sliver post-exploitation framework, XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware. PlugX is the latest addition to this list. The backdoor is notable for its ability to start arbitrary services, download and execute files from an external source, and drop plugins that can harvest data and propagate using Remote Desktop Protocol (RDP). “New features are being added to [PlugX] even to this day as it continues to see steady use in attacks,” ASEC said.

4. IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks

IceFire ransomware, which was previously known to target Windows-based systems, has shifted its focus towards Linux enterprise networks. Cybersecurity company SentinelOne reported that the ransomware is exploiting a recently disclosed vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986) to carry out the intrusions. The attacks have primarily targeted media and entertainment organizations in Turkey, Iran, Pakistan, and the U.A.E. The ransomware binary targeting Linux is capable of avoiding encrypting certain paths, allowing the infected machine to continue functioning. Linux systems are typically more difficult to deploy ransomware against, but actors are turning to exploiting application vulnerabilities to overcome this challenge. Meanwhile, Fortinet FortiGuard Labs has disclosed a new LockBit ransomware campaign using “evasive tradecraft” to bypass MotW protections.

5. CISA Warns Of Actively Exploited Plex Bug After LastPass Breach

CISA has added a three-year-old remote code execution (RCE) vulnerability in Plex Media Server to its list of security flaws exploited in attacks. CVE-2020-5741 allows attackers with admin privileges to execute arbitrary Python code remotely without user interaction. The vulnerability was patched with the release of Plex Media Server 1.19.3 in May 2020. The attack involves exploiting the Camera Upload feature by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled. CISA did not provide any details on the attacks. However, this could be related to the recent LastPass data breach after a third-party media software RCE bug was abused to install a keylogger on a senior DevOps engineer’s computer, leading to the theft of credentials and critical backups.

6. New GoBruteforcer Malware Targets phpMyAdmin, MySQL, FTP, Postgres

GoBruteforcer is a new Golang-based botnet malware that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services. Once it detects an open port accepting connections, it attempts to log in using hard-coded credentials and deploys an IRC bot on compromised phpMyAdmin systems or a PHP web shell on other targeted services. It then reaches out to its command-and-control server and waits for instructions that will be delivered via the previously installed IRC bot or web shell. The botnet uses a multiscan module to find potential victims within a Classless Inter-Domain Routing (CIDR), which grants it a broad selection of targets to infiltrate networks. GoBruteforcer is likely under active development, and its operators are expected to adapt their tactics and capabilities for targeting web servers and stay ahead of security defenses.

7. New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide

An updated version of a botnet malware called Prometei has infected more than 10,000 systems worldwide. Prometei, first observed in 2016, is a modular botnet that features a large repertoire of components and several proliferation methods, some of which also include the exploitation of ProxyLogon Microsoft Exchange Server flaws. The cross-platform botnet’s motivations are financial, primarily leveraging its pool of infected hosts to mine cryptocurrency and harvest credentials. The latest variant of Prometei (called v3) improves upon its existing features to challenge forensic analysis and further burrow its access on victim machines. The attack sequence proceeds thus: Upon gaining a successful foothold, a PowerShell command is executed to download the botnet malware from a remote server. Prometei’s main module is then used to retrieve the actual crypto-mining payload and other auxiliary components on the system. Some of these support modules function as spreader programs designed to propagate the malware through Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).
