how human behavior affects security

Programmer’s Digest #22

03/02/2023-03/08/2023. 3 New Flaws Threatening IT Management Systems, Info Stealer and Trojan in Python Package, LastPass Hack, New Flaws in TPM 2.0 Library And More

1. CISA’s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

CISA has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is below:

  • CVE-2022-35914 (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability
  • CVE-2022-33891 (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability
  • CVE-2022-28810 (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

The most critical of the three is CVE-2022-35914, which concerns a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI, an open source asset and IT management software package. In October 2022, Shadowserver Foundation noted exploitation attempts against its honeypots. VulnCheck researcher Jacob Baines said a cURL-based PoC and a “mass” scanner were available on GitHub. GreyNoise found 40 malicious IP addresses abusing the shortcoming. The Zerobot botnet exploited an unauthenticated command injection vulnerability in Apache Spark for DDoS attacks. The KEV catalog also lists a remote code execution flaw in Zoho ManageEngine ADSelfService Plus that was patched in April 2022; Rapid7 detected active exploitation attempts by threat actors. Separately, Wallarm found ongoing exploit attempts against two VMware NSX Manager flaws.

2. Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI

A malicious Python package uploaded to the Python Package Index (PyPI) has been found to contain a fully-featured information stealer and remote access trojan. The package, named colourfool, was identified by Kroll’s Cyber Threat Intelligence team, with the company calling the malware Colour-Blind. The ‘Colour-Blind’ malware points to the democratization of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others. colourfool, like other rogue Python modules discovered in recent months, conceals its malicious code in the setup script, which points to a ZIP archive payload hosted on Discord. The file contains a Python script (code.py) that comes with different modules designed to log keystrokes, steal cookies, and even disable security software. The ‘Colour-Blind’ trojan uses a Flask web application to establish remote control via Cloudflare, according to researchers. It is written almost entirely in Python, unlike the PowerShell-dependent poweRAT. The malware steals passwords, takes screenshots and logs keystrokes. Attackers are now publishing malware on Python packages, while others have deployed Rust executables to drop additional malware. “The risk/reward proposition for attackers is well worth the relatively minuscule time and effort,” the researchers said. 

3. LastPass Hack: Engineer’s Failure to Update Plex Software Led to Massive Data Breach

LastPass’s recent data breach occurred because an engineer failed to update the Plex media software package on their home computer, highlighting the dangers of not keeping software up-to-date. The password management service revealed that an unidentified party used information stolen in an earlier incident and data from a third-party breach to launch a coordinated attack on the cloud storage environment, stealing encrypted password vault data and customer information. The attackers targeted one of four DevOps engineers, exploiting a now-patched flaw in Plex Media Server, CVE-2020-5741, to execute arbitrary Python code on the engineer’s computer and install keylogger malware. Because the engineer had not updated the software, the fix was never applied on that machine. Plex had released version 1.19.3.2764, which addressed the exploit, in May 2020.

4. New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices

Serious security flaws have been identified in the Trusted Platform Module (TPM) 2.0 reference library specification, which could potentially result in information disclosure or privilege escalation. Cybersecurity company Quarkslab discovered the vulnerabilities in November 2022. One vulnerability involves an out-of-bounds write, while the other concerns an out-of-bounds read. Large tech vendors and organizations that use enterprise computers, servers, IoT devices, and embedded systems that include a TPM can be impacted by the flaws, potentially affecting billions of devices. TPM is a hardware-based solution designed to provide secure cryptographic functions and physical security mechanisms to resist tampering. The flaws result from a lack of necessary length checks, leading to buffer overflows that could enable local information disclosure or privilege escalation. Users are urged to apply the updates released by TCG and other vendors to address the flaws and mitigate supply chain risks.

5. SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics

The Lucky Mouse threat actor has created a Linux version of its malware toolkit SysUpdate, enabling the group to target devices running on the operating system. The updated version dates back to July 2022 and includes new features to evade security software and resist reverse engineering. Lucky Mouse, also known as APT27, Bronze Union, Emissary Panda, and Iron Tiger, uses a variety of malware, including HyperBro, PlugX, and a Linux backdoor called rshell. The group’s campaigns have involved supply chain compromises of legitimate apps to gain remote access to compromised systems. The recent campaign targeted a gambling company in the Philippines using installers masquerading as messaging apps to activate the attack sequence. The Windows version of SysUpdate features process management, screenshots, file operations, and DNS Tunneling to communicate with C2 servers.

6. Proof-of-Concept Released For Critical Microsoft Word RCE bug

A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score. Security researcher Joshua Drake discovered the vulnerability in Microsoft Office’s “wwlib.dll” last year and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable.
A remote attacker could take advantage of the issue to execute code with the same privileges as the victim who opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as attaching it to an email, although plenty of other methods exist. Microsoft warns that users don’t even have to open a malicious RTF document: simply loading the file in the Preview Pane is enough for the compromise to start. At the moment there is no indication that the vulnerability is being exploited in the wild, and Microsoft’s current assessment is that exploitation is “less likely.”

7. BlackLotus Bootkit Bypasses UEFI Secure Boot on Patched Windows 11

The BlackLotus UEFI bootkit has been improved with Secure Boot bypass capabilities that enable it to infect fully patched Windows 11 systems. This malware is the first known public example of UEFI malware that can bypass the Secure Boot mechanism, allowing it to disable security protections in the operating system. The malware could impair the BitLocker data protection feature, Microsoft Defender Antivirus, and the Hypervisor-protected Code Integrity. UEFI is low-level code that executes when a computer powers up and controls the booting sequence before the operating system starts. The malware emerged last year, promoted on hacking forums as virtually invisible to antivirus agents, and has a feature set that allows it to bypass security measures. Security researchers at ESET have confirmed the malware can bypass the Secure Boot mechanism by leveraging a vulnerability tracked as CVE-2022-21894.

Programmer’s Digest #21

02/23/2023-03/01/2023. ZK Framework Flaw Exploited, PlugX Trojan Disguised as Legitimate Windows Debugger Tool, Attacks Exploiting Zoho ManageEngine Products And More

1. CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting ZK Framework to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2022-36537, the issue impacts versions 8.6.4.1, 9.0.1.2, 9.5.1.3, 9.6.0.1, and 9.6.1. Attackers can retrieve sensitive data via specially crafted requests. The vulnerability has been patched in versions 8.6.4.2, 9.0.1.3, 9.5.1.4, 9.6.0.2, and 9.6.2. ZK Framework is an open source Java framework, so the flaw affects multiple products built on it, including ConnectWise R1Soft Server Backup Manager. Exploiting the flaw allows attackers to bypass authentication, upload a backdoored JDBC database driver, and deploy ransomware. The vulnerability has been exploited extensively by attackers to gain initial access and deploy a web shell backdoor. A majority of the infections are located in the US, South Korea, the UK, Canada, Spain, Colombia, Malaysia, Italy, India, and Panama, with 146 R1Soft servers still backdoored as of February 20, 2023.

2. PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

The PlugX remote access trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of a target system. As a legitimate application, x32dbg.exe’s valid digital signature can confuse some security tools, allowing attackers to bypass file execution restrictions and maintain persistence, escalate privileges, and fly under the radar. PlugX is known for its multiple functionalities, such as data exfiltration and its ability to use the compromised machine for nefarious purposes. The malware employs a technique called DLL side-loading to plant and then invoke a legitimate application that executes a rogue payload. Persistence is achieved via Windows Registry modifications and the creation of scheduled tasks to ensure continued access even after system restarts. 

3. Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

Multiple threat actors have been exploiting a patched critical vulnerability in various Zoho ManageEngine products since January 20, 2023. The flaw, tracked as CVE-2022-47966 and scoring 9.8 on the CVSS scale, permits unauthenticated attackers to take over vulnerable systems completely. Up to 24 products, including Remote Access Plus, ADSelfService Plus, and Password Manager Pro, among others, are affected. The vulnerability allows unauthenticated remote code execution due to usage of an outdated third-party dependency for XML signature validation, Apache Santuario.
The main objective of the attacks detected to date revolves around deploying tools on vulnerable hosts such as Netcat and Cobalt Strike Beacon. Some intrusions have leveraged the initial access to install AnyDesk software for remote access, while a few others have attempted to install a Windows version of a ransomware strain known as Buhti. Some have also tried to use the ManageEngine flaw as an attack vector to install malware that can execute next-stage payloads.

4. Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries

Cybersecurity researchers are warning of “imposter packages” mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. The descriptions for these packages, for the most part, don’t hint at their malicious intent. Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries. In reality, they harbor either downloaders that act as a conduit to deliver second-stage malware to infected hosts or information stealers designed to exfiltrate sensitive data such as passwords and tokens. Fortinet, which also disclosed similar rogue HTTP packages on PyPI earlier this week, noted their ability to launch a trojan downloader that, in turn, contains a DLL file (Rdudkye.dll) packing a variety of functions. The development is just the latest attempt by malicious actors to poison open source repositories like GitHub, npm, PyPI, and RubyGems to propagate malware to developer systems and mount supply chain attacks.
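As an added, defender-side illustration (not code from the digest, Fortinet or any of the projects named), the check below flags requested package names that sit within a small edit distance of the legitimate HTTP libraries the item lists, or that are a known name with digits glued on. The allow-list and the requirements file are constructed for the demo; a real deployment would load an organisation-maintained list.

```python
import re

# Constructed allow-list for the demo: the legitimate HTTP libraries the digest item
# says were impersonated. A real deployment would load an organisation-maintained list.
KNOWN_PACKAGES = {"http", "aiohttp", "requests", "urllib", "urllib3"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute or swap adjacent
    characters, each costing 1. Swaps matter: 'reqeusts' is one swap from 'requests'."""
    prev2 = None                        # row i-2
    prev = list(range(len(b) + 1))      # row i-1; row 0 is the distance from '' to b[:j]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_name(requested: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> dict:
    """Classify a requested name as 'known', 'suspicious' (near a known name) or 'unknown'."""
    req = normalize(requested)
    if req in known:
        return {"name": requested, "verdict": "known", "closest": req}
    # A known name with digits glued on ('urllib4', 'requests2') is a classic squat.
    stripped = req.rstrip("0123456789")
    if stripped != req and stripped in known:
        return {"name": requested, "verdict": "suspicious", "closest": stripped}
    closest = min(sorted(known), key=lambda k: edit_distance(req, k))
    verdict = "suspicious" if edit_distance(req, closest) <= max_distance else "unknown"
    return {"name": requested, "verdict": verdict, "closest": closest}


def scan_requirements(text: str) -> list[dict]:
    """Check every package line of a requirements.txt and return the suspicious entries."""
    flagged = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)  # name before any specifier
        if m:
            result = check_name(m.group(1))
            if result["verdict"] == "suspicious":
                flagged.append(result)
    return flagged


# Constructed requirements file: legitimate pins mixed with three look-alike names.
SAMPLE_REQUIREMENTS = """\
# demo requirements (constructed)
requests==2.28.2
urllib3==1.26.14
aiohtpp>=3.8
urllib4
reqeusts
numpy==1.24.2
"""

if __name__ == "__main__":
    for hit in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{hit['name']!r} looks like {hit['closest']!r}; review before installing")
```

Names that match nothing on the list ("numpy" here) are reported as unknown rather than suspicious, so the check only surfaces look-alikes and leaves genuinely unrelated packages to the usual review.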

5. Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links

Over 15,000 spam packages have been uploaded to the npm repository by threat actors in an attempt to spread phishing links. The attack was carried out through automated processes, creating packages with auto-generated names and closely resembling each other. The attackers used referral IDs of retail websites, earning referral rewards by referring users to phishing sites. The packages were uploaded from multiple user accounts within hours on February 20 and 21, using a Python script that automated the process. The packages included links to phishing campaigns in their README.md files and were disguised as cheats and free resources with names such as “free-tiktok-followers” and “instagram-followers-free.” The attackers designed well-crafted deceptive web pages that urged victims to fill out surveys or redirected them to legitimate e-commerce portals like AliExpress. 

6. LastPass: DevOps Engineer Hacked To Steal Password Vault Data In 2022 Breach

LastPass has revealed further information about a “coordinated second attack,” lasting over two months, which saw a threat actor steal data from Amazon AWS cloud storage servers. LastPass disclosed a data breach in December, where threat actors stole partially encrypted password vault data and customer information. The company has now revealed that the threat actors used information from an August breach, another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer’s computer. As only four LastPass DevOps engineers had access to the decryption keys, the threat actor targeted one of the engineers. They ultimately gained access to the DevOps engineer’s LastPass corporate vault and were able to export the native corporate vault entries and content of shared folders, containing encrypted secure notes with access and decryption keys needed to access AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups. The company says they have updated their security posture since the attack.

7. Critical Flaws In WordPress Houzez Theme Exploited To Hijack Websites

Hackers are currently exploiting two critical vulnerabilities in the Houzez theme and plugin for WordPress, primarily used in real estate websites. Patchstack researcher Dave Jong discovered the security flaws and reported them to the vendor ThemeForest, with one fixed in version 2.6.4 and the other in version 2.7.2. However, Patchstack warns that some websites have not applied the security updates, allowing threat actors to exploit the older flaws in ongoing attacks. The first flaw is a security misconfiguration affecting the Houzez Theme plugin version 2.7.1 and older, which can be exploited remotely without authentication to perform privilege escalation. The second flaw impacts versions 2.6.3 and older of the Houzez Login Register plugin, likewise allowing unauthenticated attackers to perform privilege escalation. Attackers are exploiting these vulnerabilities by sending a request to the endpoint that listens for account creation requests, enabling them to take control of the WordPress site. Website owners and administrators should apply the available patches immediately.

Programmer’s Digest #20

02/16/2023-02/22/2023. New Vulnerabilities in KEV Catalog, VMware Patches Critical Vulnerability, Vulnerability Discovered in ClamAV Open Source Antivirus Software And More

1. U.S. Cybersecurity Agency CISA Adds Three New Vulnerabilities in KEV Catalog

CISA has added three security flaws to its Known Exploited Vulnerabilities catalog that are currently being actively exploited. IBM Aspera Faspex Code Execution Vulnerability (CVE-2022-47986) is a YAML deserialization flaw that enables a remote attacker to execute code on the system. Mitel MiVoice Connect Code Injection Vulnerability (CVE-2022-41223) and Mitel MiVoice Connect Command Injection Vulnerability (CVE-2022-40765) could allow an authenticated attacker with internal network access to execute arbitrary code. The nature of the attacks is unclear, but the vulnerabilities were patched by Mitel in October 2022. Federal Civilian Executive Branch agencies must apply the necessary updates by March 14, 2023, to secure networks against potential threats. In a related development, CISA released an Industrial Control Systems advisory relating to critical flaws in Mitsubishi Electric’s MELSOFT iQ AppPortal.

2. VMware Patches Critical Vulnerability in Carbon Black App Control Product

VMware has released patches to address a critical security vulnerability affecting its Carbon Black App Control product. The injection vulnerability, tracked as CVE-2023-20858, carries a CVSS score of 9.1 out of 10 and affects App Control versions 8.7.x, 8.8.x, and 8.9.x. A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input to access the underlying server operating system. VMware has advised customers to update to versions 8.7.8, 8.8.6, and 8.9.4 to mitigate risks. In addition, VMware has fixed an XML External Entity (XXE) vulnerability (CVE-2023-20855, CVSS score: 8.8) affecting vRealize Orchestrator, vRealize Automation, and Cloud Foundation. It’s important to install the patches as soon as possible, given the common targeting of Fortinet product vulnerabilities by threat actors in attacks.

3. GoDaddy Discloses Multi-Year Security Breach Causing Malware Installations and Source Code Theft

GoDaddy has reported a multi-year breach that enabled unknown cybercriminals to install malware and exfiltrate source code related to some of its services. The breach occurred in December 2022, and the company identified that an unauthorized third party gained access to servers hosted in its cPanel environment. The attackers installed malware, resulting in the intermittent redirection of customer websites. GoDaddy notes that the ultimate objective of the intrusions was to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities. The company added that the December 2022 incident is connected to two other security events it encountered in March 2020 and November 2021. In the first incident, credentials were compromised, affecting around 28,000 hosting customers and a small number of its personnel, while the second saw a rogue actor gain access to the Managed WordPress provisioning system.

4. Critical RCE Vulnerability Discovered in ClamAV Open Source Antivirus Software

Cisco has issued security updates to fix a severe flaw affecting its ClamAV open-source antivirus engine. The bug, tracked as CVE-2023-20032, has a CVSS score of 9.8 and could lead to remote code execution on vulnerable devices. The issue is a remote code execution vulnerability that resides in the HFS+ file parser component. An attacker could exploit the flaw by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. The weakness affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. The company also addressed a remote information leak vulnerability in ClamAV’s DMG file parser and a denial-of-service vulnerability in Cisco Nexus Dashboard. The company has urged all customers to upgrade to the latest versions of ClamAV to stay secure.

5. Researchers Hijack Popular NPM Package with Millions of Downloads

A popular npm package with over 3.5 million weekly downloads has been found to be vulnerable to an account takeover attack. Illustria, a software supply chain security company, explained that the package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password, enabling access to the package’s associated GitHub account. Attackers can publish trojanized versions to the npm registry, making it possible to conduct supply chain attacks at scale. Illustria did not disclose the name of the module but reached out to the maintainer, who has taken steps to secure the account. The attack bypasses two-factor authentication as the GitHub Action, configured in the repository, automatically publishes packages when new code changes are pushed.

6. New Mirai Malware Variant Infects Linux Devices To Build DDoS Botnet

A new variant of the Mirai botnet, called V3G4, has been detected targeting Linux-based servers and IoT devices to carry out DDoS attacks. The malware infects devices by exploiting weak or default telnet/SSH credentials and hardcoded vulnerabilities.

Once a device is compromised, it is recruited into the botnet. Researchers at Palo Alto Networks have identified V3G4 in three separate campaigns between July and December 2022, all believed to originate from the same threat actor. The botnet uses four different XOR encryption keys, making decoding its functions more challenging. It also terminates processes from a hardcoded list that includes competing botnet malware families. After infecting a device, a Mirai-based payload is dropped onto the system, and the botnet attempts to connect to the hardcoded C2 address. Users can protect themselves by changing default passwords and installing the latest security update. 
