Programmer’s Digest #32

05/11/2023-05/17/2023 11 New Vulnerabilities Expose OT Networks, New Flaw in WordPress Plugin, New Stealthy Variant of Linux Backdoor And More

1. Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks

Several security vulnerabilities in cloud management platforms linked to three industrial cellular router vendors were revealed by Israeli cybersecurity firm OTORIO at the Black Hat Asia 2023 conference. These vulnerabilities could expose operational technology (OT) networks to external attacks, impacting critical infrastructure sectors like substations, water utilities, oil fields, and pipelines. The weaknesses affect the cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks. Exploiting the vulnerabilities could enable remote code execution, full control over devices and OT networks, exfiltration of sensitive information, and unauthorized access with elevated permissions. The flaws involve weak asset registration mechanisms, security configuration flaws, and issues in external APIs and interfaces. Collaboration with Claroty also led to the discovery of additional vulnerabilities in Teltonika Networks’ RMS and RUT router firmware, allowing arbitrary code execution and command injection.

2. New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems

MichaelKors, a new ransomware-as-a-service (RaaS) operation, emerged in April 2023 targeting Linux and VMware ESXi systems. Cybersecurity firm CrowdStrike has observed a growing trend of cybercriminals focusing on ESXi, which does not support third-party agents or antivirus software. That gap, combined with how widely the hypervisor is deployed, makes ESXi an appealing target; going after the hypervisor in this way is known as hypervisor jackpotting. Furthermore, Babuk source code leaked in September 2021 has been used by 10 different ransomware families, including Conti and REvil, to develop lockers for VMware ESXi hypervisors. Various e-crime groups such as ALPHV (BlackCat), Black Basta, Defray, and others have also updated their tactics to target ESXi. Attackers use compromised credentials, gain elevated privileges, and leverage known vulnerabilities to breach ESXi hypervisors and gain unrestricted access to the underlying resources. To mitigate the impact of hypervisor jackpotting, organizations are advised to avoid direct access to ESXi hosts, enable two-factor authentication, take periodic backups of ESXi datastore volumes, apply security updates, and conduct security posture reviews.

3. XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

Researchers have uncovered an ongoing phishing campaign, named MEME#4CHAN, that utilizes a unique attack chain to distribute the XWorm malware. The attacks have primarily targeted manufacturing firms and healthcare clinics in Germany. The campaign employs meme-filled PowerShell code and heavily obfuscated XWorm payloads to infect victims. The attackers use reservation-themed lures in phishing emails, tricking recipients into opening malicious documents. Rather than relying on macros, the threat actors exploit the Follina vulnerability to drop an obfuscated PowerShell script. This script bypasses Antimalware Scan Interface (AMSI), disables Microsoft Defender, establishes persistence, and executes the .NET binary containing XWorm. The PowerShell script includes a variable named “$CHOTAbheem,” possibly indicating a Middle Eastern or Indian background of the attackers, although attribution remains unconfirmed. XWorm is a readily available malware with various features for stealing sensitive information from infected systems.

4. New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows

A new variant of a Linux backdoor called BPFDoor has been discovered by cybersecurity firm Deep Instinct. BPFDoor, previously documented by PwC and Elastic Security Labs in May 2022, is associated with a Chinese threat actor known as Red Menshen. The malware is designed to establish persistent remote access to compromised environments, particularly targeting telecom providers in the Middle East and Asia. BPFDoor utilizes Berkeley Packet Filters (BPF) technology for network communications and command execution, enabling threat actors to evade firewalls and filter unnecessary data. The latest variant of BPFDoor demonstrates increased evasiveness by removing hard-coded indicators, incorporating encryption with libtomcrypt, and utilizing a reverse shell for command-and-control communication. It avoids termination by ignoring operating system signals and establishes an encrypted reverse shell session with the C2 server. BPFDoor’s ability to remain undetected for an extended period reflects its sophistication, as cybercriminals increasingly target Linux systems prevalent in enterprise and cloud environments.

5. New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation

A security vulnerability has been discovered in the Essential Addons for Elementor WordPress plugin, potentially allowing attackers to gain elevated privileges. The flaw, tracked as CVE-2023-32243, was addressed in version 5.7.2 of the plugin. Successful exploitation of the vulnerability could enable an unauthenticated user to reset the password of any user on the affected site. This could result in the compromise of administrator accounts and complete control over the website. The issue has existed since version 5.4.0 of the plugin. The disclosure follows a previous severe flaw found in the same plugin, and it coincides with a wave of attacks targeting WordPress sites with SocGholish malware. The attackers are using compression techniques to conceal the malware and evade detection. Additionally, a malvertising campaign has been identified that tricks visitors to adult websites with fake Windows update ads, leading to the installation of the “Invalid Printer” loader, which can deploy the Aurora information stealer malware.

6. Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems

The leak of the Babuk ransomware code in September 2021 has led to the development of multiple ransomware families targeting VMware ESXi systems. As many as nine different ransomware variants have emerged since late 2022 and early 2023, all based on the leaked Babuk source code. The availability of the source code has allowed cybercriminals with limited expertise to target Linux systems effectively. Among the ransomware strains based on the Babuk code are Cylance, Rorschach (also known as BabLock), and RTM Locker. The analysis by SentinelOne also reveals overlaps between Babuk and other ransomware families like Conti and REvil (also known as REvix), indicating the adoption of Babuk features in their code. Additional ransomware families, such as LOCK4, DATAF, Mario, Play, and Babuk 2023 (also known as XVGV), have also incorporated various elements from the Babuk code. However, no significant similarities were found between Babuk and ALPHV, Black Basta, Hive, LockBit, or ESXiArgs, suggesting a misattribution. SentinelOne also notes that actors may turn to Babuk’s Go-based NAS locker, as the Go programming language continues to gain popularity among threat actors. In a separate development, threat actors associated with the Royal ransomware, believed to be former members of Conti, have introduced an ELF variant capable of targeting Linux and ESXi environments, expanding their attack capabilities.

7. Hackers Use Azure Serial Console For Stealthy Access To VMs

A financially motivated cybergang tracked by Mandiant as ‘UNC3944’ is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines. From there, the attackers abuse the Azure Serial Console to install remote management software for persistence and abuse Azure Extensions for stealthy surveillance. Mandiant reports that UNC3944 has been active since at least May 2022, and their campaign aims at stealing data from victim organizations using Microsoft’s cloud computing service. UNC3944 was previously attributed to creating the STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit to terminate security software. The threat actors utilized stolen Microsoft hardware developer accounts to sign their kernel drivers.

Programmer’s Digest #31

05/04/2023-05/10/2023 Critical PaperCut Vulnerability, MSI Data Breach, New Linux Kernel NetFilter Flaw And More

1. Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability

Iranian nation-state groups have been exploiting a critical vulnerability in PaperCut print management software, according to Microsoft’s threat intelligence team. Both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) have been observed exploiting CVE-2023-27350 to gain initial access. While the former is said to be using tools from previous intrusions to connect to their C2 infrastructure, the latter has been able to quickly incorporate proof-of-concept exploits into their operations. Both groups are known state-sponsored actors, with Mango Sandstorm linked to Iran’s Ministry of Intelligence and Security and Mint Sandstorm associated with the Islamic Revolutionary Guard Corps. This comes after cybercrime gang Lace Tempest was found to have abused the same vulnerability to distribute ransomware. PaperCut released a patch for the flaw on March 8, 2023, and Trend Micro’s Zero Day Initiative is expected to release more technical information about it on May 10, 2023.

2. MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web

MSI’s data breach has led to the leak of private code signing keys on a dark website. The leaked data includes firmware image signing keys for 57 PCs and private signing keys for Intel Boot Guard used in 116 MSI products. The impact of the leaked keys extends beyond MSI to device vendors such as Intel, Lenovo, and Supermicro. Intel Boot Guard is a hardware-based security technology that safeguards against the execution of tampered UEFI firmware. The leak undermines firmware integrity checks, enabling threat actors to sign and deploy malicious updates and payloads undetected. This incident follows a double extortion ransomware attack on MSI by the Money Message gang, but MSI reported a gradual return to normal operations with no major financial impact. Users were advised to obtain firmware/BIOS updates exclusively from the official website and to beware of fraudulent emails claiming collaboration with MSI. Notably, this is not the first time UEFI firmware code has been exposed, as a similar incident occurred with Alder Lake BIOS source code in October 2022.

3. New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks

Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw. The issue, assigned the identifier CVE-2023-30777, is a reflected cross-site scripting (XSS) bug that could be abused to inject arbitrary executable scripts into otherwise benign websites. The plugin, which is available in both a free and a pro version, has over two million active installations. The vulnerability allows an unauthenticated user to do anything from stealing sensitive information to, in this case, escalating privileges on the WordPress site by tricking a privileged user into visiting a crafted URL. Reflected XSS attacks usually occur when victims are tricked into clicking a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user’s browser. This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, which is why threat actors try to distribute the malicious link to as many victims as possible. It’s worth noting that CVE-2023-30777 can be triggered on a default installation or configuration of Advanced Custom Fields, and it can also be triggered by logged-in users who have access to the plugin.

4. Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised

PHP software package repository Packagist revealed that an “attacker” gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes. The package URLs were then changed to point to the forked repositories. The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The attack chain, in a nutshell, made it possible to point the Packagist page for each of these packages at a namesake GitHub repository, effectively altering the installation workflow used within Composer environments. Successful exploitation meant that developers downloading the packages would get the forked version rather than the actual contents. Packagist said that no additional malicious changes were distributed, and that all the accounts were disabled and their packages restored on May 2, 2023. It is also urging users to enable two-factor authentication (2FA) to secure their accounts.

5. Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service

Microsoft Azure API Management service has been found to have three security vulnerabilities, as disclosed by Israeli cloud security firm Ermetic. The vulnerabilities include two server-side request forgery (SSRF) flaws and one unrestricted file upload functionality in the API Management developer portal. Exploiting the SSRF vulnerabilities would allow attackers to send requests from the service’s CORS Proxy and hosting proxy, gaining access to internal Azure assets, bypassing web application firewalls, and potentially causing denial of service. The file upload vulnerability enables attackers to upload malicious files to Azure’s internal workload. Azure API Management is a platform that allows organizations to securely expose their APIs. Microsoft has patched all three vulnerabilities following responsible disclosure. 

6. GitHub Now Auto-Blocks Token and API key Leaks For All Repos

GitHub is now automatically blocking the leak of sensitive information like API keys and access tokens for all public code repositories. This feature proactively prevents leaks by scanning for secrets before ‘git push’ operations are accepted, and it works with 69 token types (API keys, private keys, secret keys, authentication tokens, access tokens, management certificates, credentials, and more) that can be detected with a low false-positive rate. Since its beta release, software developers who enabled it averted around 17,000 accidental exposures of sensitive information, saving more than 95,000 hours that would otherwise have been spent revoking, rotating, and remediating compromised secrets, according to GitHub. Today, push protection is generally available for private repositories with a GitHub Advanced Security (GHAS) license.
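To make the push-protection idea concrete, here is an added example (not GitHub’s implementation, and not code from the original post) that scans only the added lines of a unified diff for secrets, the way a pre-push check would. It uses a small constructed set of token shapes, not GitHub’s 69 types, and a high-entropy fallback so that human-readable placeholders do not trigger a block; the diff and tokens are constructed for the example.

```python
import math
import re
from collections import Counter

# Provider-specific token shapes: the unambiguous prefix is what keeps the
# false-positive rate low. A constructed subset, not GitHub's full pattern set.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Fallback for secrets with no fixed shape: a secret-looking assignment whose
# value is long and high-entropy. Human-readable placeholders fail this test.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd)\w*\s*[=:]\s*[\"']([^\"']{16,})[\"']")
MIN_BITS_PER_CHAR = 3.5
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff: str) -> list:
    """Return (new-file line, finding kind, redacted value) for each secret on an
    ADDED line; removed lines, context lines and file headers are not scanned."""
    findings, new_line = [], 0
    for line in diff.splitlines():
        header = HUNK_HEADER.match(line)
        if header:
            new_line = int(header.group(1))
        elif line.startswith(("+++", "-")):      # file header or removed line
            pass
        elif not line.startswith("+"):           # unchanged context line
            new_line += 1
        else:
            text = line[1:]
            hits = [(kind, m.group(0)) for kind, pat in TOKEN_PATTERNS.items()
                    if (m := pat.search(text))]
            if not hits:
                m = GENERIC_ASSIGNMENT.search(text)
                if m and shannon_entropy(m.group(1)) >= MIN_BITS_PER_CHAR:
                    hits.append(("generic_high_entropy", m.group(1)))
            findings.extend((new_line, kind, value[:4] + "...") for kind, value in hits)
            new_line += 1
    return findings


def should_block(diff: str) -> bool:
    """Push-protection decision: refuse the push if any added line carries a secret."""
    return bool(scan_diff(diff))


FAKE_GITHUB_PAT = "ghp_" + "A" * 36   # constructed: the right shape, not a real token
SAMPLE_DIFF = "\n".join([
    "--- a/config.py",
    "+++ b/config.py",
    "@@ -1,3 +1,5 @@",
    " DEBUG = False",
    '-API_KEY = "your-api-key-here"',
    '+API_KEY = "your-api-key-here"  # low-entropy placeholder, must not block',
    f'+GITHUB_TOKEN = "{FAKE_GITHUB_PAT}"',
    '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',   # the example key from AWS documentation
    '+DB_PASSWORD = "kQ9v2xL7pZ4mN1rT8wB3yH6cF0sD5gJ2"',
]) + "\n"
```

Reporting the new-file line number rather than the diff offset is what lets a blocked developer jump straight to the offending line.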

7. New Linux Kernel NetFilter Flaw Gives Attackers Root Privileges

A new Linux Netfilter kernel flaw has been discovered that allows unprivileged local users to escalate their privileges to root, giving them complete control over the system. The identifier CVE-2023-32233 has been reserved for the vulnerability, but a severity level is yet to be determined. The security problem stems from Netfilter nf_tables accepting invalid updates to its configuration, allowing specific scenarios where invalid batch requests lead to the corruption of the subsystem’s internal state. Netfilter is a packet filtering and network address translation (NAT) framework built into the Linux kernel that is managed through front-end utilities such as iptables and UFW. Corrupting the subsystem’s internal state leads to a use-after-free vulnerability that can be exploited to perform arbitrary reads and writes in kernel memory. A Linux kernel source code commit was submitted to address the problem by engineer Pablo Neira Ayuso, introducing two functions that manage the lifecycle of anonymous sets in the Netfilter nf_tables subsystem. By properly managing the activation and deactivation of anonymous sets and preventing further updates, this fix prevents the memory corruption and closes off the use-after-free path attackers could use to escalate their privileges to root.

Programmer’s Digest #30

04/26/2023-05/03/2023 New BGP Flaws, Apache Superset Vulnerability, Zyxel Firewall Devices Vulnerable And More

1. CISA Issues Advisory on Critical RCE Affecting ME RTU Remote Terminal Units

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) advisory about a critical flaw affecting ME RTU remote terminal units. The security vulnerability, tracked as CVE-2023-2131, has received the highest severity rating of 10.0 on the CVSS scoring system owing to its low attack complexity. Successful exploitation of this vulnerability could allow remote code execution. CISA has also urged entities to adopt guidance issued by NIST to identify, assess, and mitigate supply chain risks, and to enroll in the agency’s free Vulnerability Scanning service to pinpoint vulnerable and high-risk devices.

2. Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software

Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. It’s currently used by several vendors like NVIDIA Cumulus, DENT, and SONiC, posing supply chain risks. BGP is a gateway protocol that’s designed to exchange routing and reachability information between autonomous systems. It’s used to find the most efficient routes for delivering internet traffic. Three flaws (CVE-2022-40302, CVE-2022-40318, and CVE-2022-43681) with a CVSS score of 6.5 involve out-of-bounds reads when processing malformed BGP OPEN messages. These flaws could result in a DoS attack, rendering the peer unresponsive by dropping all BGP sessions and routing tables.
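The class of bug described above is a length field in an OPEN message that the parser trusts before checking it against the bytes actually received. As an added illustration (not FRRouting’s code, and not from the original post), the following parser validates the RFC 4271 OPEN layout, the Optional Parameters Length and each parameter TLV length before indexing; the sample messages, including the two with lying length bytes, are constructed here.

```python
import struct

BGP_HEADER_LEN = 19      # 16-byte marker + 2-byte length + 1-byte type
BGP_OPEN_MIN_LEN = 29    # header plus the fixed 10-byte OPEN body
BGP_MAX_LEN = 4096
BGP_TYPE_OPEN = 1
MARKER = b"\xff" * 16

class MalformedBGP(ValueError):
    """Raised for a message that fails the RFC 4271 length and consistency checks."""

def parse_open(data: bytes) -> dict:
    """Parse a BGP OPEN message, validating every length field before indexing."""
    if len(data) < BGP_HEADER_LEN:
        raise MalformedBGP("short header")
    marker, length, msg_type = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != MARKER:
        raise MalformedBGP("bad marker")
    # The wire length must be plausible AND equal to what was actually received.
    if not BGP_OPEN_MIN_LEN <= length <= BGP_MAX_LEN or length != len(data):
        raise MalformedBGP("bad message length")
    if msg_type != BGP_TYPE_OPEN:
        raise MalformedBGP("not an OPEN message")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", data[19:29])
    if version != 4:
        raise MalformedBGP("unsupported BGP version")
    # Optional Parameters Length is peer-controlled: it must cover exactly the
    # bytes that remain, otherwise a reader trusting it walks off the buffer.
    if BGP_OPEN_MIN_LEN + opt_len != length:
        raise MalformedBGP("optional parameter length does not match message length")
    params, pos = [], BGP_OPEN_MIN_LEN
    while pos < length:
        if length - pos < 2:
            raise MalformedBGP("truncated optional parameter header")
        ptype, plen = data[pos], data[pos + 1]
        pos += 2
        if plen > length - pos:  # inner TLV length is also peer-controlled
            raise MalformedBGP("optional parameter overruns message")
        params.append((ptype, data[pos:pos + plen]))
        pos += plen
    return {"my_as": my_as, "hold_time": hold_time, "bgp_id": bgp_id, "params": params}

def check_open(data: bytes) -> str:
    """'ok', or the reason the message was rejected (a NOTIFICATION would follow)."""
    try:
        parse_open(data)
        return "ok"
    except MalformedBGP as exc:
        return str(exc)

def build_open(my_as: int, hold_time: int, bgp_id: int, params: bytes = b"") -> bytes:
    """Assemble a well-formed OPEN so the checks above can be exercised."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, len(params)) + params
    return MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_TYPE_OPEN) + body

# Constructed samples: a multiprotocol capability (parameter type 2 wrapping
# capability code 1, AFI 1 / SAFI 1) plus two variants with lying length bytes.
MP_CAP = bytes([2, 6, 1, 4, 0, 1, 0, 1])
GOOD_OPEN = build_open(65001, 90, 0xC0000201, MP_CAP)
INFLATED_OPT_LEN = GOOD_OPEN[:28] + b"\xc8" + GOOD_OPEN[29:]  # opt-params length = 200
OVERRUN_PARAM = GOOD_OPEN[:30] + b"\x64" + GOOD_OPEN[31:]     # first TLV length = 100
```

A parser that skips either consistency check would read 200 or 100 bytes beyond the 37-byte message, which in C is exactly the out-of-bounds read the advisory describes.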

3. Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

Three high-severity security vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog: CVE-2023-1389, CVE-2021-45046, and CVE-2023-21839. CVE-2023-1389 is a command injection flaw affecting TP-Link Archer AX-21 routers that has been exploited by the Mirai botnet since April 11, 2023. CVE-2021-45046 is a remote code execution flaw affecting the Apache Log4j2 logging library, with evidence of exploitation attempts over the past 30 days. CVE-2023-21839 is an unspecified vulnerability in Oracle WebLogic Server that allows unauthorized access to sensitive data via T3 and IIOP. All three vulnerabilities have a high CVSS score and pose significant security risks. It is essential to apply patches and security updates promptly to avoid potential security breaches.

4. Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Zyxel has released patches for a critical security flaw in its firewall devices, tracked as CVE-2023-28771, which could lead to remote code execution. The vulnerability, rated 9.8 on the CVSS scoring system, was reported by researchers from TRAPA Security. The flaw was caused by “improper error message handling” in some firewall versions, enabling unauthenticated attackers to remotely execute OS commands by sending forged packets to an impacted device. Zyxel has addressed a high-severity post-authentication command injection flaw affecting specific firewall versions, which allowed authenticated attackers to remotely execute some OS commands. The firm also fixed five high-severity vulnerabilities and one medium-severity bug impacting numerous firewalls and access point devices, which could result in code execution and a denial-of-service condition.

5. RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts

The RTM Locker ransomware group has developed a new strain capable of infecting Linux machines, marking their first foray into open source operating systems. According to a report by Uptycs, the malware is inspired by the Babuk ransomware’s leaked source code and encrypts files using a combination of asymmetric and symmetric encryption. RTM Locker was first identified by Trellix, which described its developers as a private ransomware-as-a-service (RaaS) provider that avoids high-profile targets to draw as little attention as possible. The Linux version targets ESXi hosts by terminating all virtual machines running on a compromised host before starting the encryption process. The initial infector used to deliver the ransomware is unknown, and the encryption function uses pthreads to speed up execution. After successful encryption, victims must contact the support team within 48 hours via Tox or risk having their data published.

6. Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

Apache Superset has released fixes for a vulnerability that could lead to remote code execution. Versions up to and including 2.0.1 are impacted by the vulnerability, which relates to the use of a default SECRET_KEY that can be used by attackers to access unauthorized resources on internet-exposed installations. The issue allows an attacker to gain remote code execution, steal credentials, and compromise data. Horizon3.ai’s chief architect, Naveen Sunkavally, warns of “a dangerous default configuration in Apache Superset.” Superset instances that have changed the default value for the SECRET_KEY configuration to a more cryptographically secure random string are not affected by the flaw. The vulnerability is tracked as CVE-2023-27524 and has a CVSS score of 8.9.
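The fix for an instance is a configuration change, so here is an added example (not Superset’s code, and not from the original post) of the weak setting beside the corrected one, with an audit function that flags a shipped default, a short key, or a low-entropy key. The default-key string is a labelled placeholder; a real audit would carry the literal defaults from the Superset versions in use.

```python
import base64
import math
import secrets
from collections import Counter

# Constructed placeholder: a real audit would hold the literal default string(s)
# shipped in superset/config.py for the versions in use.
KNOWN_DEFAULT_KEYS = {"CHANGE_ME_DEFAULT_SECRET_KEY_PLACEHOLDER"}
MIN_KEY_BYTES = 32          # floor for a Flask signing secret; the docs generate 42
MIN_BITS_PER_CHAR = 3.5     # Shannon-entropy floor that rejects words and patterns

def shannon_entropy(s: str) -> float:
    """Bits per character of s, estimated from its own symbol frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def audit_secret_key(config: dict) -> list:
    """Return findings for SECRET_KEY in a superset_config.py-style dict."""
    findings = []
    key = config.get("SECRET_KEY")
    if not key:
        findings.append("SECRET_KEY is unset: Superset falls back to the built-in default")
        return findings
    if key in KNOWN_DEFAULT_KEYS:
        findings.append("SECRET_KEY is the shipped default shared by every unconfigured install")
    if len(key.encode()) < MIN_KEY_BYTES:
        findings.append(f"SECRET_KEY is {len(key.encode())} bytes; want at least {MIN_KEY_BYTES}")
    if shannon_entropy(key) < MIN_BITS_PER_CHAR:
        findings.append("SECRET_KEY has low entropy (a word or repeated pattern)")
    return findings

def generate_secret_key(nbytes: int = 42) -> str:
    """Same output shape as `openssl rand -base64 42`, the value Superset's docs tell you to set."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

# The weak setting next to the corrected one (both constructed for this example).
WEAK_CONFIG = {"SECRET_KEY": "CHANGE_ME_DEFAULT_SECRET_KEY_PLACEHOLDER"}  # never changed
HARDENED_CONFIG = {"SECRET_KEY": generate_secret_key()}                   # per-install random
```

Rotating the key on an instance that already stores encrypted database credentials needs the old key kept as PREVIOUS_SECRET_KEY while `superset re-encrypt-secrets` is run, as Superset’s configuration docs describe.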
