
Programmer’s Digest #19

02/09/2023-02/15/2023. Clipper Malware Found in 450+ PyPI Packages, HTTP DDoS Attack Hits Record High, 10,000+ WordPress Sites Infected And More

1.  Python Developers Beware: Clipper Malware Found in 450+ PyPI Packages!

Malicious actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with clipper malware.

The mechanism of the attacks

  1. The initial vector entails using typosquatting to mimic popular packages such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow, among others. 
  2. After installation, a malicious JavaScript file is dropped to the system and executed in the background of any web browsing session. 
  3. When a developer copies a cryptocurrency address, the address in the clipboard is replaced with the attacker’s address. This is achieved by creating a Chromium web browser extension in the Windows AppData folder and writing to it the rogue JavaScript and a manifest.json file that requests permission to access and modify the clipboard.

The ultimate goal of the attacks is to hijack cryptocurrency transactions initiated by the compromised developer and reroute them to attacker-controlled wallets instead of the intended recipient.
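Since the initial vector in item 1 is typosquatting, one defensive control is to compare every name in a requirements file against the popular packages the digest says were impersonated and flag near-misses. The script below is an added example, not code from the digest or from any referenced vendor; the requirements content is constructed, and the package list is the one quoted above.

```python
"""Flag dependency names that look like typosquats of popular PyPI packages."""
from __future__ import annotations

import re

# Popular packages the digest says were mimicked (list taken from item 1).
POPULAR = [
    "beautifulsoup", "bitcoinlib", "cryptofeed", "matplotlib", "pandas",
    "pytorch", "scikit-learn", "scrapy", "selenium", "solana", "tensorflow",
]

# Constructed requirements file: two lines are typosquats, the rest are fine.
SAMPLE_REQUIREMENTS = """\
-r base.txt
pandas==1.5.3
panda==0.3.1          # one character short of 'pandas'
tensrflow             # 'tensorflow' missing the 'o'
requests>=2.28        # not in the list and not close to anything in it
matplotlib[extra]>=3.6
scikit_learn          # normalizes to scikit-learn, a legitimate name
"""


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' collapse to '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_name(line: str) -> str | None:
    """Return the project name from one requirements line, or None for blanks/options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?", line)
    return m.group(0) if m else None


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped letters
    return d[len(a)][len(b)]


def find_typosquats(requirements: str, popular: list[str] = POPULAR) -> list[tuple[str, str, int]]:
    """Return (requested_name, closest_popular_name, distance) for suspicious entries."""
    canonical = {normalize(p): p for p in popular}
    hits: list[tuple[str, str, int]] = []
    for line in requirements.splitlines():
        name = parse_requirement_name(line)
        if name is None or normalize(name) in canonical:
            continue  # blank/option line, or an exact match with a known package
        target, dist = min(((p, osa_distance(normalize(name), p)) for p in canonical),
                           key=lambda t: t[1])
        # Short names tolerate only one edit; longer ones two, to limit false positives.
        if dist <= (1 if len(target) <= 6 else 2):
            hits.append((name, canonical[target], dist))
    return hits


if __name__ == "__main__":
    for requested, lookalike, dist in find_typosquats(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} is {dist} edit(s) from {lookalike!r}")
```

A hit is a prompt to verify the package on PyPI before installing, not proof of malice: legitimate packages with names close to a popular one do exist.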

2. OpenSSL Fixes Multiple New Security Flaws with Latest Update

The OpenSSL Project has released fixes to address several security flaws, including a high-severity bug in the open source encryption toolkit that could potentially expose users to malicious attacks. Tracked as CVE-2023-0286, the issue relates to a case of type confusion that may permit an adversary to read memory contents or enact a denial-of-service. The vulnerability is rooted in the way the popular cryptographic library handles X.509 certificates, and is likely to impact only those applications that have a custom implementation for retrieving a certificate revocation list (CRL) over a network. Type confusion flaws could have serious consequences, as they could be weaponized to deliberately force the program to behave in unintended ways, possibly causing a crash or code execution. The issue has been patched in OpenSSL versions 3.0.8, 1.1.1t, and 1.0.2zg.

3. Massive HTTP DDoS Attack Hits Record High of 71 Million Requests/Second

Web infrastructure company Cloudflare disclosed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at over 71 million requests per second (RPS). The majority of the attacks peaked in the ballpark of 50-70 million RPS, with the largest exceeding 71 million. The attacks singled out websites secured by its platform and emanated from a botnet comprising more than 30,000 IP addresses that belonged to “numerous” cloud providers. Given a sufficiently high volume of requests, the website’s server will not be able to process all of the attack requests along with the legitimate user requests. Users experience this as website-load delays, timeouts, and eventually not being able to connect to their desired websites at all.

4. Massive AdSense Fraud Campaign Uncovered – 10,000+ WordPress Sites Infected

The threat actors behind the black hat redirect malware campaign have scaled up their campaign to use more than 70 bogus domains mimicking URL shorteners and have infected over 10,800 websites. The main objective is still ad fraud: artificially increasing traffic to pages that carry the actor’s AdSense ID and serve Google ads for revenue generation. The campaign redirects visitors of compromised WordPress sites to fake Q&A portals. It’s possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results. This technique artificially sends Google signals that those pages are performing well in search. What makes the latest campaign significant is the use of Bing search result links and Twitter’s link shortener (t[.]co) service, along with Google, in their redirects, indicating an expansion of the threat actor’s footprint. It’s not known precisely how the WordPress sites become infected in the first place. But once a website is breached, the threat actor injects backdoor PHP code that allows for persistent remote access as well as the redirection of site visitors.

5. NPM Packages Posing as Speed Testers Install Crypto Miners Instead

A new set of 16 malicious NPM packages pretend to be internet speed testers but are, in reality, coinminers that hijack the compromised computer’s resources to mine cryptocurrency for the threat actors. Most of the packages have a name resembling an internet speed tester, but all of them are cryptocurrency miners. Although they share the same objective, CheckPoint’s analysts found that each package employs different code and methods to accomplish its task. The “speedtestspa” package downloads a helper from GitLab and uses it to connect to the cryptocurrency mining pool, whereas “speedtestkas” includes the malicious helper file in the package. The “speedtestbom” package goes a step further by attempting to hide the cryptocurrency mining pool address: instead of hardcoding it, it connects to an external IP to retrieve it.

Recommendation 

Software developers can minimize the chances of falling victim to these supply chain attacks by carefully reviewing the code in any packages they add to their projects.

6. Devs Targeted By W4SP Stealer Malware In Malicious PyPi packages

Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. While the packages have since been removed, they have already been downloaded by hundreds of software developers. These five packages and their download stats are:

  • 3m-promo-gen-api – 136 downloads
  • Ai-Solver-gen – 132 downloads
  • hypixel-coins – 116 downloads
  • httpxrequesterv2 – 128 downloads
  • httpxrequester – 134 downloads

The mechanism of the attack 

  1. The malware first steals data from web browsers, such as Google Chrome, Opera, Brave Browser, Yandex Browser, and Microsoft Edge.
  2. It then attempts to steal authentication cookies from Discord, Discord PTB, Discord Canary, and the LightCord client.
  3. Finally, the malware will attempt to steal the Atomic Wallet and Exodus cryptocurrency wallets and cookies for The Nations Glory online game.
  4. After gathering all data it finds on the compromised machine, the malware uses its ‘upload’ function to upload the stolen data using a Discord webhook, which posts it to the threat actor’s server.

Recommendation 

As package repositories, such as PyPi and NPM, are now commonly used to distribute malware, developers must analyze the code in packages before adding them to their projects.

7. Microsoft WinGet Package Manager Failing From Expired SSL Certificate

Microsoft’s WinGet package manager is currently having problems installing or upgrading packages after WinGet CDN’s SSL/TLS certificate expired. Released in May 2020, the open source Windows Package Manager (WinGet) allows users to install applications directly from the command line.
Windows users began reporting issues when attempting to install or upgrade apps via WinGet. A WinGet user shared a screenshot on GitHub of their command line throwing an “InternetOpenUrl() failed” error as they tried running simple WinGet commands. The problem appears to be connected to the WinGet CDN’s SSL/TLS certificate, which has now expired. Both the warning and the certificate details confirm that the WinGet CDN’s certificate stopped being valid over the weekend.

Update, Feb 12th  
The issue was resolved hours after publishing. Demitrius Nelon, Microsoft’s Senior Product Manager states a root cause analysis will follow on Monday.

2023   digest   programmers'

Programmer’s Digest #18

02/02/2023-02/08/2023. Vulnerabilities in Sunlogin, Atlassian’s Jira Service Management Found Vulnerable, OpenSSH Releases Patch And More

1. Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework

Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities. Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) technique to incapacitate security products and install reverse shells.

The mechanism of the attack 

Attack chains commence with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), followed by delivering Sliver or other malware such as Gh0st RAT and XMRig crypto coin miner. In one instance, the threat actor is said to have weaponized the Sunlogin flaws to install a PowerShell script that, in turn, employs the BYOVD technique to incapacitate security software installed in the system and drop a reverse shell using Powercat.
The BYOVD method abuses a legitimate but vulnerable Windows driver, mhyprot2.sys, that’s signed with a valid certificate to gain elevated permissions and terminate antivirus processes.

2. OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability

The maintainers of OpenSSH have released OpenSSH 9.2 to address a number of security bugs, including a memory safety vulnerability in the OpenSSH server (sshd). Tracked as CVE-2023-25136, the shortcoming has been classified as a pre-authentication double free vulnerability that was introduced in version 9.1. It is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms. The chunk of memory freed twice is ‘options.kex_algorithms’. Double free flaws arise when a vulnerable piece of code calls the free() function – which is used to deallocate memory blocks – twice on the same block, leading to memory corruption, which, in turn, could lead to a crash or execution of arbitrary code. Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

3. Atlassian’s Jira Service Management Found Vulnerable to Critical Vulnerability

An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. The vulnerability is tracked as CVE-2023-22501 (CVSS score: 9.4) and has been described as a case of broken authentication with low attack complexity. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. 
The tokens, Atlassian noted, can be obtained in either of the two scenarios –

  • If the attacker is included on Jira issues or requests with these users, or
  • If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users

4. CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack

The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product. Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022. Not much is known about the nature of the attacks exploiting the vulnerability, but the development follows the publication of a proof-of-concept (PoC) by cybersecurity firm Viettel on January 16, 2023.
The second security flaw to be added to the KEV catalog is CVE-2023-22952 (CVSS score: 8.8), which relates to a case of missing input validation in SugarCRM that could result in the injection of arbitrary PHP code. The bug has been fixed in SugarCRM versions 11.0.5 and 12.0.2.

5. Actively Exploited GoAnywhere MFT Zero-Day Gets Emergency Patch

Fortra has released an emergency patch to address an actively exploited zero-day vulnerability in the GoAnywhere MFT secure file transfer tool. The vulnerability allows attackers to gain remote code execution on vulnerable GoAnywhere MFT instances whose administrative console is exposed online. Fortra says the flaw is being exploited in attacks and has provided indicators of compromise for potentially affected customers, including a specific stack trace that shows up in the logs on compromised systems. If this stack trace is in the logs, it is very likely the system has been the target of an attack. Fortra has now added an update to its customer dashboard tagged as “time sensitive”, urging customers to patch their instances “as soon as possible.”

6. New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021. VMware described the issue as an OpenSLP heap-overflow vulnerability that could lead to the execution of arbitrary code. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution. 
Recommendation 
Users are recommended to upgrade to the latest version of ESXi to mitigate potential threats as well as restrict access to the OpenSLP service to trusted IP addresses.


Programmer’s Digest #17

01/26/2023-02/01/2023. GitHub Breach, Vulnerabilities Uncovered in AMI MegaRAC BMC Software, New Python-based RAT And More

1. GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom

GitHub disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of the GitHub Desktop for Mac and Atom apps. As a result, the company is taking the step of revoking the exposed certificates out of an abundance of caution. The following versions of GitHub Desktop for Mac have been invalidated: 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, and 3.1.2. Versions 1.63.0 and 1.63.1 of Atom are also expected to stop working as of February 2, 2023, requiring that users downgrade to a previous version (1.60.0) of the source code editor. Atom was officially discontinued in December 2022. GitHub Desktop for Windows is not affected.

2. Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software

Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. The issues, collectively tracked as BMC&C, could act as a springboard for cyber attacks, enabling threat actors to obtain remote code execution and unauthorized device access with superuser permissions. The two new flaws in question are as follows: CVE-2022-26872 (CVSS score: 8.3) – Password reset interception via API; CVE-2022-40258 (CVSS score: 5.3) – Weak password hashes for Redfish and API.
It’s worth pointing out that the weaknesses are exploitable only in scenarios where the BMCs are exposed to the internet or in cases where the threat actor has already gained initial access into a data center or administrative network by other methods.

3. ISC Releases Security Patches for New BIND DNS Software Vulnerabilities

The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial-of-service (DoS) condition. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures. The open source software is used by major financial firms, national and international carriers, internet service providers (ISPs), retailers and government entities. All four flaws reside in named, a BIND9 service that functions as an authoritative nameserver for a fixed set of DNS zones or as a recursive resolver for clients on a local network. Successful exploitation of the vulnerabilities could cause the named service to crash or exhaust available memory on a target server. The issues affect versions 9.16.0 to 9.16.36, 9.18.0 to 9.18.10, 9.19.0 to 9.19.8, and 9.16.8-S1 to 9.16.36-S1. CVE-2022-3488 also impacts BIND Supported Preview Edition versions 9.11.4-S1 to 9.11.37-S1. They have been resolved in versions 9.16.37, 9.18.11, 9.19.9, and 9.16.37-S1.

4. PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration

Cybersecurity researchers have unearthed a new attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems. This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration. The malware, dubbed PY#RATION by the cybersecurity firm, comes with a host of capabilities that allows the threat actor to harvest sensitive information. Later versions of the backdoor also sport anti-evasion techniques, suggesting that it’s being actively developed and maintained. 
Two versions of the trojan have been detected (version 1.0 and 1.6), with nearly 1,000 lines of code added to the newer variant to support network scanning features to conduct a reconnaissance of the compromised network and conceal the Python code behind an encryption layer using the fernet module. Other noteworthy functionalities comprise the ability to transfer files from host to C2 or vice versa, record keystrokes, execute system commands, extract passwords and cookies from web browsers, capture clipboard data, and check for the presence of antivirus software.

5. Realtek Vulnerability Under Attack: Over 134 Million Attempts to Hack IoT Devices

Researchers are warning about a spike in exploitation attempts weaponizing a now-patched critical remote code execution flaw in the Realtek Jungle SDK since the start of August 2022. The ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months. The vulnerability in question is CVE-2021-35394 (CVSS score: 9.8), a set of buffer overflows and an arbitrary command injection bug that could be weaponized to execute arbitrary code with the highest level of privilege and take over affected appliances. Unit 42 said it discovered three different kinds of payloads distributed as a result of in-the-wild exploitation of the flaw:

  • A script executes a shell command on the targeted server to download additional malware;
  • An injected command that writes a binary payload to a file and executes it;
  • An injected command that directly reboots the targeted server to cause a denial-of-service (DoS) condition.

6. QNAP Fixes Critical Bug Letting Hackers Inject Malicious Code

QNAP is warning customers to install QTS and QuTS firmware updates that fix a critical security vulnerability allowing remote attackers to inject malicious code on QNAP NAS devices.
The vulnerability is tracked as CVE-2022-27596 and rated by the company as ‘Critical’ (CVSS v3 score: 9.8), impacting QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system. If exploited, this vulnerability allows remote attackers to inject malicious code. SQL injection flaws allow attackers to send specially crafted requests on vulnerable devices to modify legitimate SQL queries to perform unexpected behavior. Furthermore, QNAP released a JSON file describing the severity of the vulnerability, which indicates it is exploitable in low-complexity attacks by remote attackers, without requiring user interaction or privileges on the targeted device.
Recommendation 
QNAP users should download the update from QNAP’s Download Center after selecting the correct product type and model, and apply it manually on their devices.

7. Researchers Release PoC Exploit for Windows CryptoAPI Bug Discovered by NSA

Proof-of-concept (PoC) code has been released for a now-patched high-severity security flaw in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) reported to Microsoft last year. An attacker could manipulate an existing public X.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate. The Windows CryptoAPI offers an interface for developers to add cryptographic services such as encryption/decryption of data and authentication using digital certificates to their applications. CVE-2022-34689 is rooted in the fact that the vulnerable piece of code designed to accept an X.509 certificate carried out a check that relied solely on the certificate’s MD5 fingerprint. MD5, a message-digest algorithm used for hashing, has been considered cryptographically broken since December 2008 owing to the risk of collision attacks (the “birthday attack” is a cryptanalytic method for finding collisions in a hash function). The net effect of this shortcoming is that it opens the door for a bad actor to serve a modified version of a legitimate certificate to a victim app, and then create a new certificate whose MD5 hash collides with the rigged certificate and use it to masquerade as the original entity.
