Programmer’s Digest #29

04/20/2023-04/27/2023 Critical Patches for Workstation and Fusion Software, SLP Vulnerability, Exploit Released For PaperCut Flaw And More

1. VMware Releases Critical Patches for Workstation and Fusion Software

VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution. The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer overflow that resides in the functionality for sharing host Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. VMware has also patched two additional shortcomings: a local privilege escalation flaw (CVE-2023-20871, CVSS score: 7.3) in Fusion and an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation (CVE-2023-20872, CVSS score: 7.7). While the former could enable a bad actor with read/write access to the host operating system to obtain root access, the latter could result in arbitrary code execution.

2. New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks

Details have emerged about a high-severity security vulnerability impacting Service Location Protocol (SLP) that could be weaponized to launch volumetric denial-of-service attacks against targets. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2,200 times, potentially making it one of the largest amplification attacks ever reported. The vulnerability, which has been assigned the identifier CVE-2023-29552 (CVSS score: 8.6), is said to impact more than 2,000 global organizations and over 54,000 SLP instances that are accessible over the internet. Successful exploitation of CVE-2023-29552 could permit an attacker to take advantage of susceptible SLP instances to launch a reflection amplification attack and overwhelm a target server with bogus traffic. The best option to address CVE-2023-29552 is to upgrade to a supported release line that is not impacted by the vulnerability.

3. Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack

Threat actors are employing a previously undocumented “defense evasion tool” dubbed AuKill that’s designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system. The BYOVD technique relies on threat actors misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or using a stolen or leaked certificate) to gain elevated privileges and turn off security mechanisms. By using valid, susceptible drivers, the idea is to bypass a key Windows safeguard known as Driver Signature Enforcement that ensures kernel-mode drivers have been signed by a valid code signing authority before they are allowed to run.

4. Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code into the pages and posts of WordPress sites; that code is then executed every time the posts are opened in a web browser. GoDaddy’s Sucuri found that infected websites had malicious code injected into the “wp_posts” table, which stores posts, pages, and navigation menus. The injected code creates a PHP script with a remote code execution backdoor using the file_put_contents function. Sucuri detected over 6,000 instances of this backdoor in the last 6 months, originating from three Russian IP addresses. Attackers established persistent backdoors by misusing the Eval PHP plugin to save rogue pages as drafts. Rogue pages were created with a legitimate site administrator as the author, suggesting a successful login as a privileged user. The plugin was used to execute PHP code inside shortcodes, making it easy to reinfect the website and stay hidden.

Recommendation
Site owners are advised to secure the WP Admin dashboard and watch out for any suspicious logins, to prevent threat actors from gaining admin access and installing the plugin.

5. CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, after evidence of active exploitation. The vulnerabilities are:

  • CVE-2023-28432, a MinIO information disclosure vulnerability.
  • CVE-2023-27350, an improper access control vulnerability in PaperCut MF/NG.
  • CVE-2023-2136, a Google Chrome Skia integer overflow vulnerability.

MinIO maintainers said the information disclosure flaw disclosed all environment variables in a cluster deployment. As many as 18 unique malicious IP addresses from five countries attempted to exploit the flaw over the past 30 days. Threat intelligence firm GreyNoise also noted that an older version of MinIO that’s vulnerable to CVE-2023-28432 was being used in a reference implementation provided by OpenAI for developers to integrate their plugins to ChatGPT. Another flaw affecting PaperCut print management software has been addressed by the vendor.

6. Two Critical Flaws Found in Alibaba Cloud’s PostgreSQL Databases

A chain of two critical flaws has been disclosed in Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers. The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers’ PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services. In a nutshell, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – made it possible to elevate privileges to root within the container, escape to the underlying Kubernetes node, and ultimately obtain unauthorized access to the API server. Armed with this capability, an attacker could retrieve credentials associated with the container registry from the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node.

7. Exploit Released For PaperCut Flaw Abused To Hijack Servers

Attackers are exploiting severe vulnerabilities in the widely-used PaperCut MF/NG print management software to install Atera remote management software to take over servers.
The software’s developer claims it’s used by more than 100 million users from over 70,000 companies worldwide.
The two security flaws (tracked as CVE-2023-27350 and CVE-2023-27351) allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that don’t require user interaction.
Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later. Upgrading to one of these versions containing the fix is recommended.


Programmer’s Digest #28

04/13/2023-04/19/2023 Critical Flaws in vm2 JavaScript Library, APT41’s Use of Open Source GC2 Tool, Kodi Confirms Data Breach And More

1. Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution 

A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections. Both the flaws – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively. Successful exploitation of the bugs, which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context. The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could lead to the execution of arbitrary code on the underlying system.

2. Google Uncovers APT41’s Use of Open Source GC2 Tool to Target Media and Job Sites

A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2) amid broader abuse of Google’s infrastructure for malicious ends. The tech giant’s Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the geological and geographical-themed moniker HOODOO. The starting point of the attack is a phishing email that contains links to a password-protected file hosted on Google Drive, which, in turn, incorporates the Go-based GC2 tool to read commands from Google Sheets and exfiltrate data using the cloud storage service. After installation on the victim machine, the malware queries Google Sheets to obtain attacker commands. In addition to exfiltration via Drive, GC2 enables the attacker to download additional files from Drive onto the victim system.

3. Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year. Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The tech giant acknowledged that “an exploit for CVE-2023-2033 exists in the wild,” but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors.

Recommendation
Users are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

4. Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration

Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks. Threat actors (TAs) using built-in data exfiltration methods like [living off the land binaries and scripts] negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms. These methods can also hide within the general operating environment, providing subversion to the threat actor. The PowerShell script discovered by Unit 42 (w1.ps1) works by identifying mounted drives on the system, and then recursively searching through each of the root directories to facilitate data exfiltration over HTTP. The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos. The discovery of the data exfiltration script illustrates the ongoing threat of double extortion in the ransomware landscape. It also serves as a reminder for organizations to prioritize robust security protections and stay vigilant against evolving threats.

5. Kodi Confirms Data Breach: 400K User Records and Private Messages Stolen

Kodi, an open source media player software provider, has confirmed a data breach after a cyber attack. Threat actors stole user data and private messages from the company’s MyBB forum database, and attempted to sell the data dump to a cybercrime marketplace. They also created database backups, which were downloaded and deleted. The account used by the threat actors has been disabled, and Kodi has taken down its forum while commissioning a new server. The company emphasized that there is no evidence of unauthorized access to the server hosting the MyBB software. The breach affected 400,635 users, whose forum posts, messages, and personal information were compromised. Kodi plans to redeploy the forum on the latest version of the MyBB software.

6. New Python-Based “Legion” Hacking Tool Emerges on Telegram

Legion, a Python-based credential harvester and hacking tool, is being marketed on Telegram as a way for cybercriminals to break into various online services for further exploitation. The malware includes modules to exploit unpatched versions of Apache, conduct remote code execution attacks, and brute-force cPanel and WebHost Manager accounts. It is designed to exploit web servers running content management systems, PHP, or PHP-based frameworks like Laravel. The primary goal is to hijack the services and weaponize the infrastructure for follow-on attacks, including mass spam and opportunistic phishing campaigns. Legion also retrieves AWS credentials from insecure or misconfigured web servers and delivers SMS spam messages to users of US mobile networks. The origins of the threat actor remain unknown.

7. Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog due to active exploitation. The first vulnerability (CVE-2023-20963) is an Android Framework Privilege Escalation Vulnerability with a CVSS score of 7.8. Google has acknowledged that the vulnerability may be under limited, targeted exploitation. The second vulnerability (CVE-2023-29492) is an insecure deserialization vulnerability in Novi Survey software that allows attackers to execute code on the server remotely. The vulnerability was addressed by the software provider earlier this week. The development follows reports that Android apps from Chinese e-commerce company Pinduoduo were weaponized as a zero-day to steal data and control devices, exploiting the Android Framework Privilege Escalation Vulnerability. Google suspended Pinduoduo’s official app from the Play Store in March due to malware identified in off-Play versions of the software.


Programmer’s Digest #27

04/06/2023-04/12/2023 Newly Discovered “By-Design” Flaw in Microsoft Azure, Over 1 Million WordPress Sites Infected, Critical Remote Code Execution Flaw in vm2 Sandbox Library And More

1. Newly Discovered “By-Design” Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers

A “by-design flaw” uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code. The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts. According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key. Once an attacker locates the storage account of a Function app that has been assigned a strong managed identity, they can run code on its behalf and as a result acquire a subscription privilege escalation (PE).

Recommendation 
As mitigations, it’s recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead.

2. Hackers Flood NPM with Bogus Packages Causing a DoS Attack

Threat actors flooded the npm open source package repository for Node.js with bogus packages that briefly even resulted in a denial-of-service (DoS) attack. The threat actors create malicious websites and publish empty packages with links to those malicious websites, taking advantage of open-source ecosystems’ good reputation on search engines. The attacks caused a denial-of-service (DoS) that made npm unstable with sporadic ‘Service Unavailable’ errors. While similar campaigns were recently observed propagating phishing links, the latest wave pushed the number of package versions to 1.42 million, a dramatic uptick from the approximately 800,000 packages released on npm. The attack technique leverages the fact that open source repositories are ranked higher in search engine results: attackers create rogue websites and upload empty npm modules with links to those sites in the README.md files.

3. Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign

Since 2017, over one million WordPress websites have been affected by a malware campaign called Balada Injector, according to GoDaddy’s Sucuri. The campaign utilizes known and newly discovered theme and plugin vulnerabilities to breach WordPress sites, with attacks occurring in waves every few weeks. The campaign relies on over 100 domains and multiple methods to take advantage of known security flaws. The malware allows for the generation of fake WordPress admin users, harvests data stored in the underlying hosts, and leaves backdoors for persistent access. The campaign also searches for writable directories that belong to other sites with the same server account and file permissions. This means compromising one site can potentially grant access to several other sites.

4. Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library

The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions up to and including 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15.

“A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” vm2 disclosed in an advisory. The vulnerability has been assigned the identifier CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that vm2 does not properly handle errors that occur in asynchronous functions.
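This item and item 1 of Digest #28 together give the vm2 releases that fix CVE-2023-29017, CVE-2023-29199 and CVE-2023-30547 (3.9.15, 3.9.16 and 3.9.17). The following Python, an added example rather than vm2’s or any vendor’s code, audits a package-lock.json for every copy of vm2 (including nested transitive copies) still below those versions; the lockfile fragment is constructed for the example.

```python
import json
from typing import Dict, List, Tuple

# Fixed versions as stated in the digest, keyed by CVE.
VM2_FIXES = {
    "CVE-2023-29017": (3, 9, 15),
    "CVE-2023-29199": (3, 9, 16),
    "CVE-2023-30547": (3, 9, 17),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.9.14' (dropping any pre-release or build suffix) into a comparable tuple."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def vm2_advisories(version: str) -> List[str]:
    """CVEs from the digest that still apply to the given vm2 version."""
    parsed = parse_version(version)
    return [cve for cve, fixed in VM2_FIXES.items() if parsed < fixed]

def find_vm2(lock: dict) -> List[Tuple[str, str]]:
    """Collect (path, version) for each vm2 entry in a package-lock.json.
    Handles the flat 'packages' map of lockfile v2/v3 and the nested
    'dependencies' tree of lockfile v1."""
    found: List[Tuple[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "node_modules/vm2" or path.endswith("/node_modules/vm2"):
            found.append((path, meta.get("version", "")))

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "vm2":
                found.append((path, meta.get("version", "")))
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return found

def audit_lockfile(lock: dict) -> Dict[str, List[str]]:
    """Map each vm2 install path@version to the unpatched CVEs it carries."""
    return {f"{path}@{ver}": vm2_advisories(ver) for path, ver in find_vm2(lock)}

# Constructed lockfile fragment (lockfileVersion 3 shape), not from a real project.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"vm2": "^3.9.14"}},
        "node_modules/vm2": {"version": "3.9.14"},
        "node_modules/some-tool/node_modules/vm2": {"version": "3.9.16"},
    },
}

if __name__ == "__main__":
    # Replace SAMPLE_LOCK with json.load(open("package-lock.json")) for a real audit.
    print(json.dumps(audit_lockfile(SAMPLE_LOCK), indent=2))
```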

5. SAP Releases Security Updates For Two Critical-Severity Flaws

Enterprise software vendor SAP has released its April 2023 security updates for several of its products, which includes fixes for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform.

In total, SAP has released 24 notes, 19 of which concern new issues of varying importance, and five are updates to previous bulletins. SAP has fixed three critical issues in its latest update. The first issue, CVE-2023-27267, impacts the OSCommand Bridge of SAP Diagnostics Agent 720, allowing an attacker to execute scripts and fully compromise the system. The second issue, CVE-2023-28765, affects SAP BusinessObjects Business Intelligence Platform versions 420 and 430, enabling an attacker to access users’ passwords and take over their accounts. The third issue, CVE-2023-29186, is a directory traversal flaw affecting SAP NetWeaver versions 707, 737, 747, and 757, allowing an attacker to upload and overwrite files on the SAP server.

The remaining 11 security flaws disclosed in SAP’s latest security bulletin concern low to medium-severity vulnerabilities.

6. Microsoft April 2023 Patch Tuesday fixes 1 Zero-day, 97 Flaws

Today is Microsoft’s April 2023 Patch Tuesday, and security updates fix one actively exploited zero-day vulnerability and a total of 97 flaws.
Seven vulnerabilities have been classified as ‘Critical’ for allowing remote code execution, the most serious of vulnerabilities.

The number of bugs in each vulnerability category is listed below:

  • 20 Elevation of Privilege Vulnerabilities,
  • Security Feature Bypass Vulnerabilities,
  • 45 Remote Code Execution Vulnerabilities,
  • 10 Information Disclosure Vulnerabilities,
  • 9 Denial of Service Vulnerabilities,
  • 6 Spoofing Vulnerabilities.

To learn more about the non-security updates released today, you can review articles on the new Windows 11 KB5025239 cumulative update and Windows 10 KB5025221 and KB5025229 updates.
