how human behavior affects security

Programmer’s Digest #35

06/01/2023-06/07/2023 Malicious PyPI Packages, Google Issues Patch for New Chrome Vulnerability, Urgent WordPress Update And More

1. Malicious PyPI Packages Using Compiled Python Code to Bypass Detection

Researchers have uncovered a new attack on the Python Package Index (PyPI) repository that evades detection by security tools. This attack is believed to be the first of its kind to use compiled Python code, specifically Python bytecode (PYC) files, for direct execution. The targeted package, fshec2, was removed from the third-party software registry following responsible disclosure. PYC files are generated by the Python interpreter when it compiles a module and contain bytecode rather than readable source. The malicious package, according to a software supply chain security firm, consists of three files: __init__.py, main.py, and full.pyc.

The main.py file, imported by __init__.py, loads the compiled module from full.pyc using the importlib package. Reverse-engineering the PYC file shows that it gathers user information, hostnames, and directory listings, and executes commands received from a hardcoded server (13.51.44[.]246).
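A defender-side check for the layout described above (bytecode shipped in the distribution and loaded at import time through importlib), written as an added example rather than the original article's or the researchers' code. The sample package tree is constructed here; its full.pyc is placeholder bytes, not the real fshec2 contents.

```python
# Added example: flag an unpacked Python distribution that ships a .pyc
# outside __pycache__ and has source that loads compiled code via importlib.
# SAMPLE_FILES is a constructed stand-in, not the real fshec2 package.
import ast
import os
import tempfile

SAMPLE_FILES = {  # constructed package tree
    "pkg/__init__.py": "from . import main\n",
    "pkg/main.py": (
        "import importlib.util, os\n"
        "path = os.path.join(os.path.dirname(__file__), 'full.pyc')\n"
        "spec = importlib.util.spec_from_file_location('full', path)\n"
        "mod = importlib.util.module_from_spec(spec)\n"
        "spec.loader.exec_module(mod)\n"
    ),
    "pkg/full.pyc": b"\x00" * 16,  # placeholder bytes, not real bytecode
}
LOADER_CALLS = {"spec_from_file_location", "SourcelessFileLoader", "exec_module"}


def loads_compiled_module(source: str) -> bool:
    """Module imports importlib and names a .pyc path or uses a file loader API."""
    imports_importlib = loader_use = pyc_literal = False
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            imports_importlib |= any(n.split(".")[0] == "importlib" for n in names)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            pyc_literal |= node.value.endswith(".pyc")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            loader_use |= node.func.attr in LOADER_CALLS
    return imports_importlib and (pyc_literal or loader_use)


def scan_package(root: str) -> list[str]:
    """Walk an unpacked distribution and return sorted findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(".pyc") and "__pycache__" not in dirpath:
                findings.append(f"{rel}: compiled bytecode shipped outside __pycache__")
            elif name.endswith(".py"):
                with open(path, encoding="utf-8") as fh:
                    if loads_compiled_module(fh.read()):
                        findings.append(f"{rel}: loads a compiled module via importlib")
    return sorted(findings)


def demo() -> list[str]:
    """Materialise the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
                fh.write(content)
        return scan_package(root)
```

Run `demo()` to see both findings; point `scan_package` at an extracted sdist or wheel to check a real package.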

2. Zero-Day Alert: Google Issues Patch for New Chrome Vulnerability – Update Now!

Google has released security updates for its Chrome web browser to address a high-severity vulnerability (CVE-2023-3079) actively being exploited in the wild. The flaw is a type confusion bug in the V8 JavaScript engine that can lead to heap corruption and can be triggered by a crafted HTML page. Google has not provided specific details about the attacks but has confirmed the existence of an exploit. This marks the third zero-day vulnerability addressed by Google in Chrome this year. Users are advised to update to version 114.0.5735.110 (Windows) or 114.0.5735.106 (macOS and Linux) to mitigate potential threats. Additionally, users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should apply the fixes as soon as they are available.

3. Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack

Researchers have discovered an ongoing Magecart-style web skimmer campaign designed to steal personally identifiable information and credit card data from e-commerce websites. What sets this campaign apart is that the compromised sites are being used as “makeshift” command-and-control servers, allowing the attackers to distribute malicious code without detection. Akamai, a web security company, found victims across North America, Latin America, and Europe, putting the personal data of thousands of site visitors at risk. The attackers employ various evasion techniques, such as obfuscation with Base64 and masking the attack to resemble popular third-party services like Google Analytics. By hacking into vulnerable legitimate sites, the attackers leverage the reputation of these domains. The attacks have been ongoing for almost a month and target e-commerce platforms like Magento, WooCommerce, WordPress, and Shopify. The skimmer code, disguised as third-party services, intercepts and exfiltrates data to an actor-controlled server using obfuscation and encoded strings to avoid detection.

4. Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Millions of Sites

WordPress has issued an automatic update to address a critical vulnerability in the popular Jetpack plugin, which is installed on over five million sites. The vulnerability, discovered during an internal security audit, affects an API present in the plugin since version 2.0, released in November 2012. The flaw could potentially be exploited by authors on a site to manipulate any files in the WordPress installation. Jetpack has released 102 new versions to fix the bug. While there is no evidence of exploitation in the wild, it is not uncommon for vulnerabilities in widely used WordPress plugins to be targeted by malicious actors. This is not the first time Jetpack has faced severe security weaknesses, as previous incidents have prompted WordPress to enforce mandatory patch installations. Additionally, a security flaw in the Gravity Forms plugin has been revealed, allowing unauthenticated users to inject arbitrary PHP code. The issue has been resolved in the latest version of the plugin.

5. Zyxel Firewalls Under Attack! Urgent Patching Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two recently disclosed vulnerabilities in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The buffer overflow vulnerabilities, known as CVE-2023-33009 and CVE-2023-33010, could lead to denial-of-service (DoS) attacks and remote code execution. Zyxel released patches for these security flaws on May 24, 2023. Affected devices include ATP, USG FLEX, USG FLEX50(W)/USG20(W)-VPN, VPN, and ZyWALL/USG. The specific details of the attacks are unknown, but this development follows the active exploitation of another Zyxel firewall flaw (CVE-2023-28771) by the Mirai botnet. Federal Civilian Executive Branch agencies have been instructed to address the vulnerabilities by June 26, 2023, to protect their networks. Zyxel has issued guidance advising customers to disable unnecessary services and ports to enhance security.

6. Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App

Microsoft has attributed the active exploitation of a critical vulnerability in Progress Software MOVEit Transfer to the threat actor known as Lace Tempest. This threat actor, also known as Storm-0950, is associated with ransomware groups such as FIN11, TA505, and Evil Corp, and operates the Cl0p extortion site. The vulnerability in question, identified as CVE-2023-34362, allows remote attackers to execute arbitrary code by exploiting an SQL injection flaw in MOVEit Transfer. Microsoft’s Threat Intelligence team has observed the deployment of web shells with data exfiltration capabilities following exploitation. Approximately 3,000 exposed hosts utilizing MOVEit Transfer have been identified. The activity has been tracked by Mandiant as UNC4857, with connections to FIN11. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included the vulnerability in its Known Exploited Vulnerabilities catalog and recommends applying vendor-provided patches by June 23, 2023.

Programmer’s Digest #34

05/25/2023-05/31/2023 PyPI Implements Mandatory Two-Factor Authentication, Critical OAuth Vulnerability, Zyxel Issues Critical Security Patches And More

1. PyPI Implements Mandatory Two-Factor Authentication for Project Owners

The Python Package Index (PyPI) announced that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication (2FA) by the end of the year. The enforcement also includes organization maintainers, but does not extend to every single user of the service. The goal is to neutralize the threats posed by account takeover attacks, which an attacker can leverage to distribute trojanized versions of popular packages to poison the software supply chain and deploy malware on a large scale. PyPI, like other open source repositories such as npm, has witnessed innumerable instances of malware and package impersonation.

2. Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking

A critical security vulnerability in the OAuth implementation of Expo.io has been disclosed. The vulnerability, known as CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. Salt Labs, an API security firm, reported that the flaw exposed services using Expo.io to credential leakage, allowing attackers to hijack accounts and access sensitive data. Exploiting the vulnerability could enable threat actors to carry out unauthorized actions on behalf of compromised users across platforms like Facebook, Google, and Twitter. It’s important to note that successful attacks required Expo.io sites and applications to have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider. The vulnerability could be exploited by tricking users into clicking on a malicious link, distributed through methods such as email, SMS, or dubious websites. Expo.io released a hotfix shortly after responsible disclosure and advised users to migrate from AuthSession API proxies to direct registration of deep link URL schemes with authentication providers to enable SSO. Expo.io clarified that the vulnerability was due to storing an app’s callback URL before user confirmation.

3. Severe Flaw in Google Cloud’s Cloud SQL Service Exposed Confidential Data

A security flaw has been disclosed in Google Cloud Platform’s Cloud SQL service, which could allow unauthorized access to sensitive data. According to Israeli cloud security firm Dig, the vulnerability could enable an attacker to escalate privileges from a basic Cloud SQL user to a sysadmin, gaining access to internal GCP data, customer data, secrets, sensitive files, and passwords. Cloud SQL is a managed solution for creating databases for cloud-based applications using MySQL, PostgreSQL, and SQL Server. The attack chain identified by Dig exploited a security gap in the SQL Server associated with the cloud platform, allowing the attacker to elevate their privileges to an administrator role.
With the elevated permissions, the attacker could exploit another misconfiguration to gain system administrator rights and take full control of the database server. This would provide access to all files on the underlying operating system, enabling the attacker to extract passwords and potentially launch further attacks.
The exposure of internal data, including secrets, URLs, and passwords, poses a significant security incident for cloud providers and their customers, according to Dig researchers Ofir Balassiano and Ofir Shaty.

4. Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months

Barracuda, an enterprise security firm, revealed that threat actors have been exploiting a recently patched zero-day vulnerability in its Email Security Gateway (ESG) appliances since October 2022. The critical flaw, identified as CVE-2023-2868, allows remote attackers to execute code on vulnerable installations. The vulnerability affects versions 5.1.3.001 through 9.2.0.006. Barracuda released patches on May 20 and May 21 to address the issue.
The attacks, which were active for at least seven months before discovery, involved the use of three malware strains: SALTWATER, SEASPY, and SEASIDE. SALTWATER is a trojanized module capable of uploading or downloading files, executing commands, and proxying malicious traffic. SEASPY is an x64 ELF backdoor with persistence capabilities, activated by a magic packet. SEASIDE is a Lua-based module that establishes reverse shells via SMTP commands.
Mandiant, owned by Google, noted code overlaps between SEASPY and cd00r. The attacks have not been attributed to any known threat actor or group. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023.

5. Zyxel Issues Critical Security Patches for Firewall and VPN Products

Zyxel has released software updates to address two critical buffer overflow vulnerabilities, identified as CVE-2023-33009 and CVE-2023-33010, affecting certain firewall and VPN products. The flaws, rated 9.8 out of 10 on the CVSS scoring system, could allow remote attackers to execute code and cause denial-of-service (DoS) conditions. The impacted devices include ATP, USG FLEX, USG FLEX50(W) / USG20(W)-VPN, VPN, and ZyWALL/USG models.
Security researchers from TRAPA Security and STAR Labs SG discovered and reported the vulnerabilities. This advisory follows Zyxel’s recent fixes for another critical flaw, CVE-2023-28771, which allowed remote code execution on firewall devices. That vulnerability was also credited to TRAPA Security and was exploited by threat actors associated with the Mirai botnet.
It is crucial for Zyxel users to apply the provided software updates promptly to mitigate the risks associated with these security vulnerabilities.

6. GUAC 0.1 Beta: Google’s Breakthrough Framework for Secure Software Supply Chains

Google has introduced GUAC (Graph for Understanding Artifact Composition), a beta version aimed at helping organizations enhance the security of their software supply chains. GUAC is an open-source framework offered as an API, enabling developers to integrate their own tools and policy engines.

It aggregates software security metadata from various sources into a graph database, facilitating the analysis of relationships between software components. By utilizing Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, and other data sources, GUAC assists in assessing risk profiles and visualizing artifact relationships. The objective is to address supply chain attacks effectively, generate patch plans, and promptly respond to security incidents. Google provided an example scenario where GUAC certifies a compromised builder and queries for affected artifacts.

Programmer’s Digest #33

05/18/2023-05/24/2023 PyPI Repository Under Attack, NPM Packages for Node.js Hiding Dangerous TurkoRat Malware, Malicious Windows Kernel Drivers And More

1. PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted

The maintainers of the Python Package Index (PyPI) have temporarily disabled the ability for users to sign up and upload new packages until further notice. No additional details about the nature of the malware or the threat actors involved in publishing the rogue packages to PyPI were disclosed. The decision to freeze new user and project registrations comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments. Earlier this week, Israeli cybersecurity startup Phylum uncovered an active malware campaign that leverages OpenAI ChatGPT-themed lures to bait developers into downloading a malicious Python module capable of stealing clipboard content in order to hijack cryptocurrency transactions. ReversingLabs, in a similar discovery, identified multiple npm packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent in the npm repository that drop a trojan called TurkoRat.

2. npm Packages Caught Serving TurkoRAT Binaries That Mimic NodeJS

Researchers have discovered multiple npm packages named after NodeJS libraries that bundle a Windows executable resembling NodeJS itself but actually dropping a trojan. Because of their stealth and very low detection rate, the packages had been present on the npmjs.com registry for over two months before software security firm ReversingLabs analyzed the three of them.

Initially appearing legitimate, the package named nodejs-encrypt-agent raised concerns due to discrepancies. Further investigation by ReversingLabs revealed that the package contained a malicious portable executable (PE) file named ‘lib.exe.’ Despite its large size of approximately 100 MB, the file closely resembled a real NodeJS application, making it difficult to detect. The PE file was found to run a customizable infostealer called TurkoRAT, designed to steal sensitive information such as login credentials and crypto wallets, while evading sandbox environments and debuggers. Another package, nodejs-cookie-proxy-agent, disguised the malicious executable as a dependency named axios-proxy. ReversingLabs detected and reported these malicious packages, emphasizing the ongoing risk of unvetted open source packages to software supply chain security.

3. Privacy Sandbox Initiative: Google to Phase Out Third-Party Cookies Starting 2024

Google has announced plans to officially flip the switch on its twice-delayed Privacy Sandbox initiatives as it slowly works its way toward deprecating support for third-party cookies in the Chrome browser. To that end, the search and advertising giant said it intends to phase out third-party cookies for 1% of Chrome users globally in the first quarter of 2024. This will support developers in conducting real-world experiments that assess the readiness and effectiveness of their products without third-party cookies. Prior to rolling this out, Google said it would introduce the ability for third-party developers to simulate the process for a configurable subset of their users (up to 10%) in Q4 2023. Privacy Sandbox is a two-pronged project for the web and Android that aims to limit covert tracking by eliminating the need for third-party cookies and cross-app identifiers while still serving relevant content and ads in a privacy-preserving manner.

4. Malicious Windows Kernel Drivers Used In BlackCat Ransomware Attacks

BlackCat employed signed malicious Windows kernel drivers to evade security software detection during attacks. The driver, an improved version of the ‘POORTRY’ malware, was spotted by Trend Micro and previously identified by Microsoft, Mandiant, Sophos, and SentinelOne in ransomware attacks. POORTRY, a Windows kernel driver, was signed using stolen keys from legitimate accounts in Microsoft’s Windows Hardware Developer Program. While security software is typically protected from termination or tampering, Windows kernel drivers have the highest privileges and can terminate nearly any process. The ransomware actors initially used the Microsoft-signed POORTRY driver, but its high detection rates and revoked code-signing keys prompted them to deploy an updated version. The updated POORTRY kernel driver, signed using a stolen or leaked cross-signing certificate, helps the BlackCat ransomware operation elevate privileges on compromised machines and terminate security-related processes.

5. KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim’s master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early next month. The vulnerability has to do with how a custom text box field used for entering the master password handles user input. Specifically, it has been found to leave traces of every character the user types in the program memory. This leads to a scenario whereby an attacker could dump the program’s memory and reassemble the password in plaintext with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.

6. Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover

UNC3944, a financially motivated cyber actor also known as Roasted 0ktapus, has been exploiting Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools. This unique attack method evades traditional detection methods in Azure, granting the attacker full administrative access to compromised VMs. UNC3944, which emerged last year, utilizes SIM swapping attacks to breach telecommunications and business process outsourcing companies. Mandiant, owned by Google, discovered UNC3944 using a loader named STONESTOP to install a malicious signed driver called POORTRY. This driver terminates security processes and deletes files as part of a BYOVD attack. The initial access likely involves SMS phishing messages targeting privileged users to obtain their credentials and perform a SIM swap. With elevated access, UNC3944 leverages Azure VM extensions and the serial console to gain administrative control. PowerShell is used to deploy legitimate remote administration tools, demonstrating the use of living-off-the-land techniques to evade detection and advance the attack.
