Programmer’s Digest #16

01/19/2023-01/25/2023. New Microsoft Azure Vulnerability, Git Users Urged to Update Software, Fortinet Flaw, 75k WordPress Sites Impacted By Critical Online Course Plugin Flaws, And More

1. Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks

The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that’s designed to be used by security professionals in their red team operations. Its myriad features for adversary simulation – including dynamic code generation, in-memory payload execution, and process injection – have also made it an appealing tool for threat actors looking to gain elevated access to the target system after gaining an initial foothold. A hypothetical attack sequence detailed by an Israeli cybersecurity company shows that Sliver could be leveraged for privilege escalation, followed by credential theft and lateral movement to ultimately take over the domain controller for exfiltration of sensitive data. Sliver has been weaponized in recent years by the Russia-linked APT29 group (aka Cozy Bear) as well as cybercrime operators like Shathak (aka TA551) and Exotic Lily (aka Projector Libra), the latter of which is attributed to the Bumblebee malware loader.

2. New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks

A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application. The vulnerability is exploited through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu. By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim’s Azure application. It could further enable the theft of sensitive data and lateral movement to other Azure services. Microsoft has since fixed the vulnerability as of December 6, 2022, following responsible disclosure on October 26, 2022, in addition to awarding a bug bounty of $30,000. In a hypothetical attack chain devised by Ermetic, an adversary could exploit the CSRF vulnerability in the Kudu SCM panel to defeat safeguards put in place to thwart cross-origin attacks by issuing a specially crafted request to the “/api/zipdeploy” endpoint to deliver a malicious archive (e.g., a web shell) and gain remote access.

3. Git Users Urged to Update Software to Prevent Remote Code Execution Attacks

The maintainers of the Git source code version control system have released updates to remediate two critical vulnerabilities that could be exploited by a malicious actor to achieve remote code execution. The flaws, tracked as CVE-2022-23521 and CVE-2022-41903, impact the following versions of Git: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0. Patched versions include v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, and v2.39.1. The most severe issue discovered, CVE-2022-23521, allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which might result in code execution. CVE-2022-41903, also a critical vulnerability, is triggered during an archive operation, leading to code execution by way of an integer overflow flaw that arises when formatting the commit logs.
Recommendation
While there are no workarounds for CVE-2022-23521, Git is recommending that users disable “git archive” in untrusted repositories as a mitigation for CVE-2022-41903 in scenarios where updating to the latest version is not an option.

4. GoTo Says Hackers Stole Customers’ Backups And Encryption Key

GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data. At the time, the impact on the client data had yet to become known as the company’s investigation into the incident with the help of cybersecurity firm Mandiant had just begun. The attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility.
The information present in the exfiltrated backups includes the following:

  • Central and Pro account usernames
  • Central and Pro account passwords (salted and hashed)
  • Deployment and provisioning information
  • One-to-Many scripts (Central only)
  • Multi-factor authentication information
  • Licensing and purchasing data like emails, phone numbers, billing address, and last four digits of credit card numbers.

In response to the situation, GoTo is resetting Central and Pro passwords for impacted customers and automatically migrating accounts to GoTo’s enhanced Identity Management Platform.

5. VMware Fixes Critical Security Bugs In vRealize Log Analysis Tool

VMware released security patches to address vRealize Log Insight vulnerabilities that could enable attackers to gain remote code execution on unpatched appliances. The first critical bug patched today is tracked as CVE-2022-31703 and is described as a directory traversal vulnerability that malicious actors can exploit to inject files into the operating system of impacted appliances to achieve remote code execution. The second one (tracked as CVE-2022-31704) is a broken access control flaw that can also be abused to gain remote code execution on vulnerable appliances by injecting maliciously crafted files. Both vulnerabilities are tagged as critical severity with CVSS base scores of 9.8/10 and can be exploited by unauthenticated threat actors in low-complexity attacks that don’t require user interaction. The company said the vulnerabilities were addressed with VMware vRealize Log Insight 8.10.2. None of the security bugs addressed today were tagged as being exploited in the wild.

6. 75k WordPress Sites Impacted By Critical Online Course Plugin Flaws

The WordPress online course plugin ‘LearnPress’ was vulnerable to multiple critical-severity flaws, including pre-auth SQL injection and local file inclusion. The vulnerabilities in the plugin, used on over 100,000 active sites, were discovered by PatchStack between November 30 and December 2, 2022, and reported to the software vendor. The issues were fixed on December 20, 2022, with the release of LearnPress version 4.2.0. However, according to WordPress.org stats, only about 25% of installations have applied the update. This means that roughly 75,000 websites could be running a vulnerable version of LearnPress, exposing themselves to severe security flaws whose exploitation can have serious repercussions.


Programmer’s Digest #15

01/12/2023-01/18/2023. Hackers Can Abuse Legitimate GitHub Codespaces, 3 PyPI Packages Spreading Malware, Zoho ManageEngine PoC Exploit to be Released, And More

1. Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware

New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. Publicly-shared forwarded ports could be exploited to create a malicious file server using a GitHub account. In a proof-of-concept (PoC) exploit, a threat actor could create a codespace, download malware from an attacker-controlled domain to the environment, and set the visibility of the forwarded port to public, essentially transforming the application to act as a web server hosting rogue payloads. Even more troublingly, the adversary can augment this method to deploy malware and compromise a victim’s environment, since each codespace domain associated with the exposed port is unique and unlikely to be flagged by security tools as a malicious domain. By scripting this workflow, attackers can easily abuse GitHub Codespaces to serve malicious content at a rapid rate by exposing ports publicly on their codespace environments.

2. Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems

A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages are named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12). They have since been yanked from PyPI, but not before they were cumulatively downloaded over 550 times. The modules come with identical setup scripts that are designed to invoke PowerShell and run a malicious binary (“Oxzy.exe”) hosted on Dropbox. The executable, once launched, triggers the retrieval of a next-stage binary named update.exe, which runs from the Windows temporary folder (“%USER%\AppData\Local\Temp\”). update.exe is flagged by antivirus vendors on VirusTotal as an information stealer that’s also capable of dropping additional binaries, one of which is detected by Microsoft as Wacatac. The Windows maker describes the trojan as a threat that “can perform a number of actions of a malicious hacker’s choice on your PC”.

3. Zoho ManageEngine PoC Exploit to be Released Soon – Patch Before It’s Too Late!

Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of proof-of-concept (PoC) exploit code. The issue in question is CVE-2022-47966, an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. Horizon3.ai has now released Indicators of Compromise (IOCs) associated with the flaw, stating that it was able to successfully reproduce the exploit against ManageEngine ServiceDesk Plus and ManageEngine Endpoint Central products. An attacker who gains code execution this way could weaponize it to steal credentials with the goal of conducting lateral movement.

4. Microsoft Azure Services Flaws Could’ve Exposed Cloud Resources to Unauthorized Access

Four different Microsoft Azure services have been found vulnerable to server-side request forgery (SSRF) attacks that could be exploited to gain unauthorized access to cloud resources. The security issues in Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins have since been addressed by Microsoft. The discovered Azure SSRF vulnerabilities allowed an attacker to scan local ports and find new services, endpoints, and sensitive files – providing valuable information on possibly vulnerable servers and services to exploit for initial entry, and the location of sensitive information to target. SSRF attacks can have serious consequences, as they enable a malicious interloper to read or update internal resources and, worse, pivot to other parts of the network and breach otherwise unreachable systems to extract valuable data.
Recommendation
To mitigate such threats, organizations are recommended to validate all input, ensure that servers are configured to only allow necessary inbound and outbound traffic, avoid misconfigurations, and adhere to the principle of least privilege (PoLP).
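A concrete form of the “validate all input” and least-privilege advice above, written as an added example and not code from Microsoft or this digest: an outbound-URL check that enforces an allowlist of destination hosts (ALLOWED_HOSTS is a constructed placeholder) and rejects any hostname that resolves into loopback, private or link-local space, which is where the local port scanning and metadata reads enabled by an SSRF bug are aimed. The resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service is permitted to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Ranges an SSRF payload typically targets: loopback, RFC 1918, link-local
# (including the 169.254.169.254 cloud metadata endpoint), carrier-grade NAT,
# and their IPv6 equivalents, plus IPv4-mapped IPv6 addresses.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
              "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96")
]


def resolve_all(host):
    """Resolve a hostname to every A/AAAA address (default resolver)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr):
    """True if the literal address falls in any blocked range."""
    ip = ipaddress.ip_address(addr)
    return (any(ip in net for net in BLOCKED_NETWORKS)
            or ip.is_multicast or ip.is_reserved)


def validate_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason); call this before any server-side fetch of url."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    # Every address the name resolves to must be acceptable, not just the first.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"
```

Connect to the address that was vetted (and re-run the check on every redirect) so a DNS rebinding or redirect cannot swap in a blocked address after validation.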

5. Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability

A majority of internet-exposed Cacti servers have not been patched against a recently disclosed critical security vulnerability that has come under active exploitation in the wild. That’s according to attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to be running a patched version of Cacti (1.2.23 and 1.3.0). The issue in question relates to CVE-2022-46169 (CVSS score: 9.8), a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution. The public disclosure of the vulnerability has also led to “exploitation attempts,” with the Shadowserver Foundation and GreyNoise warning of malicious attacks originating from one IP address located in Ukraine so far.

6. Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software

A “large and resilient infrastructure” comprising over 250 domains has been used to distribute information-stealing malware such as Raccoon and Vidar since early 2020. The infection chain uses about a hundred fake cracked software catalogue websites that redirect through several links before downloading the payload hosted on file share platforms such as GitHub. The attacks target users searching for cracked versions of software and games on search engines like Google, surfacing fraudulent websites at the top by leveraging a technique called search engine optimization (SEO) poisoning to lure victims into downloading and executing the malicious payloads. The poisoned result comes with a download link to the promised software that, upon clicking, triggers a five-stage URL redirection sequence to take the user to a web page displaying a shortened link, which points to a password-protected RAR archive file hosted on GitHub, along with its password. Should the victim uncompress the RAR archive and run the purported setup executable contained within it, one of the two malware families, Raccoon or Vidar, is installed on the system. Users are advised to refrain from downloading pirated software and to enforce multi-factor authentication wherever possible to harden accounts.

7. Alert: Hackers Actively Exploiting Critical “Control Web Panel” RCE Vulnerability

Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022. Control Web Panel, formerly known as CentOS Web Panel, is a popular server administration tool for enterprise-based Linux systems. “login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.” In light of active exploitation in the wild, users reliant on the software are advised to apply the patches to mitigate potential threats.


Programmer’s Digest #14

01/05/2023-01/11/2023. Security Flaw in “jsonwebtoken” Library, Malicious PyPI Packages Using Cloudflare Tunnels, Visual Studio Marketplace and Malicious Extensions, Fortinet and Zoho Urge Customers to Patch Vulnerabilities And More

1. Severe Security Flaw Found in “jsonwebtoken” Library Used by 22,000+ Projects

A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server. By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request. Tracked as CVE-2022-23529 (CVSS score: 7.6), the issue impacts all versions of the library 8.5.1 and below, and has been addressed in version 9.0.0. jsonwebtoken, which is developed and maintained by Okta’s Auth0, is a JavaScript module that allows users to decode, verify, and generate JSON web tokens as a means of securely transmitting information between two parties for authorization and authentication. It has over 10 million weekly downloads on the npm software registry and is used by more than 22,000 projects. Therefore, the ability to run malicious code on a server could break confidentiality and integrity guarantees, potentially enabling a bad actor to overwrite arbitrary files on the host and perform any action of their choosing using a poisoned secret key.

2. Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls

In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems. The now-removed packages include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles. The malicious code is concealed in the setup script (setup.py) of these libraries, meaning running a “pip install” command is enough to activate the malware deployment process. The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, installs invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and runs a Visual Basic Script extracted from the archive to execute more PowerShell code. But in what’s a novel technique adopted by the threat actor, the attack further attempts to download and install cloudflared, a command-line tool for Cloudflare Tunnel, which offers a “secure way to connect your resources to Cloudflare without a publicly routable IP address.” The idea, in a nutshell, is to leverage the tunnel to remotely access the compromised machine via a Flask-based app, which harbors a trojan dubbed xrat (but codenamed poweRAT by Phylum).
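Both this item and the Lolip0p packages in Digest #15 turn on the same mechanism: setup.py runs at “pip install” time, so a shell-spawning call in it is the whole attack. The following triage check is an added example (not code from PyPI, Phylum or this digest) that parses a setup.py with the standard ast module and flags the call targets and string fragments those campaigns rely on; SAMPLE_SETUP_PY is a constructed stand-in with a placeholder command, not a real payload.

```python
import ast

# Call targets a package build script has no legitimate reason to use:
# spawning shells, evaluating strings, or fetching remote content.
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen", "exec", "eval",
    "urllib.request.urlopen", "requests.get",
}
# Fragments matching the behaviour described above: PowerShell launch, remote
# payload URL, dropped .exe/.vbs, Windows temp folder, Cloudflare Tunnel client.
SUSPICIOUS_STRINGS = ("powershell", "http://", "https://", ".exe",
                      ".vbs", "\\temp\\", "cloudflared")


def dotted_name(node):
    """Render a Call's func as a dotted string, e.g. 'subprocess.Popen'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return sorted (lineno, kind, detail) findings for a setup.py text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, "call", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            lowered = node.value.lower()
            for frag in SUSPICIOUS_STRINGS:
                if frag in lowered:
                    findings.append((node.lineno, "string", frag))
                    break
    return sorted(findings)


# Constructed sample modelled on the campaigns above; the command is a placeholder.
SAMPLE_SETUP_PY = '''
import subprocess
from setuptools import setup

subprocess.Popen(["powershell", "-c", "<placeholder: fetch and run Oxzy.exe>"])

setup(name="httpslib", version="4.6.9", packages=["httpslib"])
'''

if __name__ == "__main__":
    for lineno, kind, detail in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {lineno}: suspicious {kind}: {detail}")
```

A hit is a reason to read the file before installing, not proof of malice; run it over the sdist extracted with `pip download --no-binary :all:` so the check sees the exact setup.py that would execute.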

3. Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions

A new attack vector targeting the Visual Studio Code extensions marketplace could be leveraged to upload rogue extensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks. The technique could act as an entry point for an attack on many organizations. VS Code extensions, curated via a marketplace made available by Microsoft, allow developers to add programming languages, debuggers, and tools to the VS Code source-code editor to augment their workflows. All extensions run with the privileges of the user that has opened VS Code, without any sandbox. This means that an extension can install any program on your computer, including ransomware, wipers, and more. It is possible for a threat actor to impersonate a popular extension with small variations to the URL. Moreover, the marketplace allows the adversary to use the same name and extension publisher details, including the project repository information. The research discovered that the verification badge assigned to authors could be trivially bypassed, as the check mark only proves that the extension publisher is the actual owner of a domain.

4. New Study Uncovers Text-to-SQL Model Vulnerabilities Allowing Data Theft and DoS Attacks

A group of academics has demonstrated novel attacks that leverage Text-to-SQL models to produce malicious code that could enable adversaries to glean sensitive information and stage denial-of-service (DoS) attacks. To better interact with users, a wide range of database applications employ AI techniques that can translate human questions into SQL queries (namely Text-to-SQL). “Crackers can fool Text-to-SQL models to produce malicious code. As such code is automatically executed on the database, the consequence can be pretty severe (e.g., data breaches and DoS attacks).” The findings, which were validated against two commercial solutions, BAIDU-UNIT and AI2sql, mark the first empirical instance where natural language processing (NLP) models have been exploited as an attack vector in the wild. The specially crafted payloads, the study discovered, could be weaponized to run malicious SQL queries that, in turn, could permit an attacker to modify backend databases and carry out DoS attacks against the server.

5. CircleCI Urges Customers to Rotate Secrets Following Security Incident

DevOps platform CircleCI urged its customers to rotate all their secrets following an unspecified security incident. The company said an investigation is currently ongoing, but emphasized that “there are no unauthorized actors active in our systems.” Additional details are expected to be shared in the coming days. CircleCI is also recommending that users review internal logs for signs of any unauthorized access from December 21, 2022, to January 4, 2023, or until the secrets are rotated. The software development service did not disclose any further specifics about the breach, but said it has also invalidated all Project API tokens and that they need to be replaced.

6. Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub

A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN. The group primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations. According to Unit 42, the cloud threat actor group created three to five GitHub accounts every minute at the height of its activity in November 2022, setting up over 130,000 bogus accounts in total across Heroku, Togglebox, and GitHub. The core idea that undergirds PURPLEURCHIN is the exploitation of computational resources allocated to free and premium accounts on cloud services in order to reap monetary profits on a massive scale before losing access for non-payment of dues. Besides automating the account creation process by leveraging legitimate tools like xdotool and ImageMagick, the threat actor has also been found to take advantage of a weakness in the CAPTCHA check on GitHub to further its illicit objectives. This is accomplished by using ImageMagick’s convert command to transform the CAPTCHA images to their RGB complements, followed by using the identify command to extract the skewness of the red channel and selecting the smallest value.
