Rose debug info
---------------

how human behavior affects security


Programmers’ Digest #07

1. Nighthawk Likely to Become Hackers’ New Post-Exploitation Tool After Cobalt Strike

A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors’ attention for its Cobalt Strike-like capabilities. Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 with a number of test emails sent using generic subject lines such as “Just checking in” and “Hope this works2.” The email messages contained booby-trapped URLs, which, when clicked, redirected the recipients to an ISO image file containing the Nighthawk loader. The obfuscated loader comes with the encrypted Nighthawk payload, a C++-based DLL that uses an elaborate set of features to counter detection and fly under the radar. Of particular note are mechanisms that can prevent endpoint detection solutions from being alerted about newly loaded DLLs in the current process and evade process memory scans by implementing a self-encryption mode.

2. Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products

 Australian software company Atlassian has rolled out security updates to address two critical flaws affecting Bitbucket Server, Data Center, and Crowd products. The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system. CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center, affects versions 7.0 to 7.21 and 8.0 to 8.4. The weakness has been described as a case of command injection using environment variables in the software, which could allow an adversary with permission to control their username to gain code execution on the affected system. As a temporary workaround, the company is recommending users turn off the “Public Signup” option (Administration > Authentication).

The second vulnerability, CVE-2022-43782, concerns a misconfiguration in Crowd Server and Data Center that could permit an attacker to invoke privileged API endpoints, but only in scenarios where the bad actor is connecting from an IP address added to the Remote Address configuration. Introduced in Crowd 3.0.0 and identified during an internal security review, the shortcoming impacts all new installations, meaning users who upgraded from a version prior to Crowd 3.0.0 are not vulnerable.

3. W4SP Stealer Constantly Targeting Python Developers in Ongoing Supply Chain Attack

An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with hundreds of victims ensnared to date. The threat actor is still active and is releasing more malicious packages. The attack appears to be financially motivated, as the attacker advertises these tools as undetectable to increase sales. The findings from Checkmarx build on recent reports from Phylum and Check Point, which flagged 30 different modules published on the Python Package Index (PyPI) that were designed to propagate malicious code under the guise of benign-looking packages.

The attack is just the latest threat to target the software supply chain. What makes it notable is the use of steganography to extract a polymorphic malware payload hidden within an image file hosted on Imgur. The installation of the package ultimately makes way for W4SP Stealer (aka WASP Stealer), an information stealer engineered to exfiltrate Discord accounts, passwords, crypto wallets, and other files of interest to a Discord Webhook.

4. Researchers Discover Hundreds of Amazon RDS Instances Leaking Users’ Personal Data

Hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing personally identifiable information (PII), as new findings from Mitiga, a cloud incident response company, show. Leaking PII in this manner provides a potential treasure trove for threat actors – either during the reconnaissance phase of the cyber kill chain or in extortionware/ransomware campaigns.

The root cause of the leaks stems from a feature called public RDS snapshots, which allows for creating a backup of the entire database environment running in the cloud and can be accessed by all AWS accounts. 

Of the 810 snapshots, over 250 of the backups were exposed for 30 days, suggesting that they were likely forgotten. Based on the nature of the information exposed, adversaries could either steal the data for financial gain or leverage it to get a better grasp of a company’s IT environment, which could then act as a stepping stone for covert intelligence gathering efforts.

Recommendation 

It’s highly recommended that RDS snapshots are not publicly accessible, in order to prevent potential leaks or misuse of sensitive data or any other kind of security threat.
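One way to act on that recommendation is to check the sharing attribute of every snapshot in the account. The script below is an added example, not part of the digest or of Mitiga’s or AWS’s tooling; it runs offline over a constructed sample that merges the fields of the RDS API’s `describe-db-snapshots` (creation time) and `describe-db-snapshot-attributes` (the `restore` attribute) results, flags snapshots shared with `all`, and marks those older than 30 days as likely forgotten.

```python
"""Audit Amazon RDS snapshot sharing and flag the public ones (added example)."""
from datetime import datetime, timezone

# Constructed sample. A snapshot is public when its "restore" attribute holds the
# value "all"; account IDs there mean cross-account sharing; empty means private.
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "prod-customers-2022-10-01",
     "SnapshotCreateTime": "2022-10-01T00:00:00+00:00",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "prod-customers-2022-11-10",
     "SnapshotCreateTime": "2022-11-10T00:00:00+00:00",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "shared-with-audit-account",
     "SnapshotCreateTime": "2022-09-15T00:00:00+00:00",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "private-nightly",
     "SnapshotCreateTime": "2022-11-14T00:00:00+00:00",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]


def sharing_state(snapshot):
    """Classify a snapshot as 'public', 'shared' (specific accounts) or 'private'."""
    for attr in snapshot.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") != "restore":
            continue
        values = attr.get("AttributeValues") or []
        if "all" in values:
            return "public"
        if values:
            return "shared"
    return "private"


def remediation_command(snapshot_id):
    """AWS CLI command that withdraws public access but leaves account-specific sharing alone."""
    return ("aws rds modify-db-snapshot-attribute "
            f"--db-snapshot-identifier {snapshot_id} "
            "--attribute-name restore --values-to-remove all")


def audit_public_snapshots(snapshots, now, forgotten_after_days=30):
    """Return one finding per public snapshot; long-lived ones are marked as likely forgotten."""
    findings = []
    for snap in snapshots:
        if sharing_state(snap) != "public":
            continue
        created = datetime.fromisoformat(snap["SnapshotCreateTime"])
        age_days = (now - created).days
        findings.append({
            "id": snap["DBSnapshotIdentifier"],
            "age_days": age_days,
            "likely_forgotten": age_days >= forgotten_after_days,
            "fix": remediation_command(snap["DBSnapshotIdentifier"]),
        })
    return findings


def audit_sample():
    """Run the audit over the constructed sample as of a fixed date (2022-11-15 UTC)."""
    return audit_public_snapshots(SAMPLE_SNAPSHOTS, datetime(2022, 11, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in audit_sample():
        flag = "likely forgotten" if f["likely_forgotten"] else "recent"
        print(f"{f['id']}: public for {f['age_days']} days ({flag})\n  {f['fix']}")
```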

5. Exploit Released for Actively Abused ProxyNotShell Exchange Bug

Proof-of-concept exploit code has been released online for two actively exploited and high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell.  Tracked as CVE-2022-41082 and CVE-2022-41040, the two bugs affect Microsoft Exchange Server 2013, 2016, and 2019 and allow attackers to escalate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution on compromised servers. Microsoft released security updates to address the two security flaws as part of the November 2022 Patch Tuesday.

One week after Microsoft released ProxyNotShell security updates, security researcher Janggggg released the proof-of-concept (PoC) exploit attackers have used in the wild to backdoor Exchange servers. Attackers have been chaining the two security flaws to deploy Chinese Chopper web shells on compromised servers for persistence and data theft, as well as for lateral movement in their victims’ networks since at least September 2022.

6. This Malware Installs Malicious Browser Extensions to Steal Users’ Passwords and Cryptos

A malicious extension for Chromium-based web browsers has been observed being distributed via a long-standing Windows information stealer called ViperSoftX. Czech cybersecurity company Avast dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack. This multi-stage stealer exhibits interesting hiding capabilities, among them concealing itself as a small single-line PowerShell script in the middle of otherwise innocent-looking large log files. ViperSoftX focuses on stealing cryptocurrencies, clipboard swapping, fingerprinting the infected machine, as well as downloading and executing arbitrary additional payloads or executing commands.

ViperSoftX is typically distributed by means of cracked software for Adobe Illustrator and Microsoft Office hosted on file-sharing sites. The downloaded executable file comes with a clean version of the cracked software along with additional files that set up persistence on the host and harbor the ViperSoftX PowerShell script. Avast said it has detected and blocked over 93,000 infections since the start of 2022, with a majority of the impacted users located in India, the U.S., Italy, Brazil, the U.K., Canada, France, Pakistan, and South Africa.


Programmers’ Digest #06

1. Researchers Uncover PyPI Package Hiding Malicious Code Behind Image File

A malicious package discovered on the Python Package Index (PyPI) has been found employing a steganographic trick to conceal malicious code within image files. The package in question, named “apicolor,” was uploaded to the Python third-party repository on October 31, 2022, and described as a “Core lib for REST API”. Apicolor, like other rogue packages detected recently, harbors its malicious behavior in the setup script used to specify metadata associated with the package, such as its dependencies. This takes the form of a second package called “judyb” as well as a seemingly harmless PNG file (“8F4D2uF.png”) hosted on Imgur, an image-sharing service.

Malicious PyPI Package 

The judyb code turned out to be a steganography module, responsible for hiding and revealing hidden messages inside pictures. The attack chain entails using the judyb package to extract obfuscated Python code embedded within the downloaded image, which, upon decoding, is designed to retrieve and execute a malicious binary from a remote server.

2. Researchers Reported Critical SQLi and Access Flaws in Zendesk Analytics Service

Cybersecurity researchers have disclosed details of now-patched flaws in Zendesk Explore that could have been exploited by an attacker to gain unauthorized access to information from customer accounts that have the feature turned on. The cybersecurity firm said there was no evidence to suggest that the issues were actively exploited in real-world attacks. According to the security software company, exploitation of the shortcoming first requires an attacker to register for the ticketing service of its victim’s Zendesk account as a new external user, a feature that’s likely enabled by default to allow end-users to submit support tickets. The vulnerability relates to an SQL injection in its GraphQL API that could be abused to exfiltrate all information stored in the database as an admin user, including email addresses, tickets, and conversations with live agents. A second flaw concerns a logic access issue associated with a query execution API, which was configured to run the queries without checking if the “user” making the call had adequate permission to do so.

3. Critical RCE Flaw Reported in Spotify’s Backstage Software Catalog and Developer Platform

Spotify’s Backstage has been discovered as vulnerable to a severe security flaw that could be exploited to gain remote code execution by leveraging a recently disclosed bug in a third-party module. The vulnerability (CVSS score: 9.8), at its core, takes advantage of a critical sandbox escape in vm2, a popular JavaScript sandbox library (CVE-2022-36067 aka Sandbreak), that came to light last month. An unauthenticated threat actor can execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin. According to Oxeye, the flaw is rooted in a tool called software templates that can be used to create components within Backstage. 

Screenshot shows Backstage calling the renderTemplate function (that calls renderString2) twice in the event of an error.

While the template engine utilizes vm2 to mitigate the risk associated with running untrusted code, the sandbox escape flaw in the latter made it possible to execute arbitrary system commands outside of the security perimeter.

4. Multiple High-Severity Flaws Affect Widely Used OpenLiteSpeed Web Server Software

Multiple high-severity flaws have been uncovered in the open source OpenLiteSpeed Web Server as well as its enterprise variant that could be weaponized to achieve remote code execution. By chaining and exploiting the vulnerabilities, adversaries could compromise the web server and gain fully privileged remote code execution. The first of the three flaws is a directory traversal flaw (CVE-2022-0072, CVSS score: 5.8), which could be exploited to access forbidden files in the web root directory. The remaining two vulnerabilities (CVE-2022-0073 and CVE-2022-0074, CVSS scores: 8.8) relate to a case of privilege escalation and command injection, respectively, that could be chained to achieve privileged code execution. A threat actor who managed to gain the credentials to the dashboard, whether by brute-force attacks or social engineering, could exploit the vulnerability in order to execute code on the server.  Multiple versions of OpenLiteSpeed (from 1.5.11 up to 1.7.16) and LiteSpeed (from 5.4.6 up to 6.0.11) are impacted by the issues, which have been addressed in versions 1.7.16.1 and 6.0.12 following responsible disclosure on October 4, 2022.

5. Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

A new malicious campaign has compromised over 15,000 WordPress websites in an attempt to redirect visitors to bogus Q&A portals. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines. The search engine poisoning technique is designed to promote a “handful of fake low quality Q&A sites” that share similar website-building templates and are operated by the same threat actor. A notable aspect of the campaign is the ability of the hackers to modify over 100 files per website on average, an approach that contrasts dramatically from other attacks of this kind wherein only a limited number of files are tampered with to reduce footprint and escape detection. This extensive compromise allows the malware to execute the redirects to websites of the attacker’s choice. The ultimate goal of the campaign is to “drive more traffic to their fake sites” and “boost the sites’ authority using fake search result clicks to make Google rank them better so that they get more real organic search traffic.”

6. Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

A recently discovered cyber espionage group dubbed Worok has been found hiding malware in seemingly innocuous image files, corroborating a crucial link in the threat actor’s infection chain. Czech cybersecurity firm Avast said the purpose of the PNG files is to conceal a payload that’s used to facilitate information theft. The Slovak cybersecurity company also documented Worok’s compromise sequence, which makes use of a C++-based loader called CLRLoad to pave the way for an unknown PowerShell script embedded within PNG images, a technique known as steganography. That said, the initial attack vector remains unknown as yet, although certain intrusions have entailed the use of ProxyShell vulnerabilities in Microsoft Exchange Server to deploy the malware.

CLRLoad Malware Loader

Avast’s findings show that the adversarial collective makes use of DLL side-loading upon gaining initial access to execute the CLRLoad malware. PNGLoad, which is launched by CLRLoad, is said to come in two variants, each responsible for decoding the malicious code within the image to launch either a PowerShell script or a .NET C#-based payload.

7. Citrix Issues Patches for Critical Flaw Affecting ADC and Gateway Products

Citrix has released security updates to address a critical authentication bypass flaw in the application delivery controller (ADC) and Gateway products that could be exploited to take control of affected systems. Successful exploitation of the issues could enable an adversary to gain authorized access, perform remote desktop takeover, and even circumvent defenses against login brute-force attempts under specific configurations.

  • CVE-2022-27510 – Unauthorized access to Gateway user capabilities;
  • CVE-2022-27513 – Remote desktop takeover via phishing;
  • CVE-2022-27516 – User login brute-force protection functionality bypass.

Exploitation, however, banks on the prerequisite that the appliances are either configured as a VPN (Gateway) or, alternatively, as an authentication, authorization and accounting (AAA) virtual server in the case of CVE-2022-27516. On top of that, CVE-2022-27513 and CVE-2022-27516 also apply only when the RDP proxy feature and the user lockout functionality “Max Login Attempts” are set up, respectively.


Programmers’ Digest 11/02-09/22: PyPI Packages Caught Dropping ‘W4SP’, Patches Issued for 6 Actively Exploited Zero-Days, Microsoft WinGet Package Manager Failing And More.

1. Dozens of PyPI Packages Caught Dropping ‘W4SP’ Info-Stealing Malware.

Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware. Most of these contain obfuscated code that drops “W4SP” info-stealer on infected machines, while others make use of malware purportedly created for “educational purposes” only. The packages are typosquats—that is, threat actors publishing these have intentionally named them similar to known Python libraries in hopes that developers attempting to fetch the real library make a spelling error and inadvertently retrieve one of the malicious ones.


PyPI package ‘typesutil’ is one of the typosquats dropping W4SP infostealer 

As an example, the typesutil attack “starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase,” write Phylum researchers. Ultimately, the malware dropped by these packages was W4SP Stealer, which exfiltrates your Discord tokens, cookies and saved passwords. All of the packages put together have been downloaded over 5,700 times based on Pepy.tech stats.
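Since the packages rely on a developer misspelling a popular library name, a cheap control is to compare every requested name against an allow-list of popular packages and flag near-misses before installation. The script below is an added example (not from the digest or from Phylum); the popular-name list and the candidate names are constructed, and names are normalized the way PyPI does (PEP 503) so that `Typing_Extensions` and `typing-extensions` compare as the same project.

```python
"""Flag package names that sit one edit away from popular PyPI libraries (added example)."""
import re

# Constructed allow-list standing in for the popular libraries typosquats imitate.
POPULAR = ["requests", "urllib3", "typing-extensions", "colorama", "pyyaml", "pillow"]

# Constructed candidates as they might appear in a requirements file or resolver log.
CANDIDATES = ["requestz", "urlib3", "Colorama", "tiping_extensions", "mypkg-tool", "PyYAML"]


def normalize(name):
    """PEP 503 normalization: PyPI treats Foo_Bar, foo.bar and foo-bar as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) using a rolling-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_typosquats(candidates, popular, max_distance=1):
    """Map each suspicious candidate to (closest popular name, distance).

    Exact matches after normalization are the genuine package and are not
    reported; names farther than max_distance from every popular name are
    treated as unrelated projects.
    """
    popular_norm = {normalize(p) for p in popular}
    flagged = {}
    for cand in candidates:
        c = normalize(cand)
        if c in popular_norm:
            continue
        best = min(popular_norm, key=lambda p: edit_distance(c, p))
        d = edit_distance(c, best)
        if d <= max_distance:
            flagged[cand] = (best, d)
    return flagged


if __name__ == "__main__":
    for name, (target, d) in find_typosquats(CANDIDATES, POPULAR).items():
        print(f"{name!r} is {d} edit(s) from {target!r}: review before installing")
```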

2. Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days.

Microsoft’s latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. Of these, 12 are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately addressed at the start of the month is an actively exploited flaw in Chromium-based browsers (CVE-2022-3723) that was plugged by Google as part of an out-of-band update late last month. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.

The list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows:

  • CVE-2022-41040 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell);
  • CVE-2022-41082 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell);
  • CVE-2022-41128 (CVSS score: 8.8) – Windows Scripting Languages Remote Code Execution Vulnerability;
  • CVE-2022-41125 (CVSS score: 7.8) – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability.

3. Microsoft Fixes ProxyNotShell Exchange Zero-Days Exploited in Attacks.

Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild. Tracked as CVE-2022-41082 and CVE-2022-41040, the two security bugs affect Microsoft Exchange Server 2013, 2016, and 2019. They enable attackers to escalate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution. Attackers have been chaining the two security flaws to deploy Chinese Chopper web shells on compromised servers for persistence and data theft, as well as for lateral movement in their victims’ networks since at least September 2022. As part of the November 2022 Patch Tuesday, Microsoft finally released security updates to address the two vulnerabilities. It is recommended that you install these updates immediately to be protected against these attacks.

4. VMware Fixes Three Critical Auth Bypass Bugs in Remote Access Tool.

VMware has released security updates to address three critical severity vulnerabilities in the Workspace ONE Assist solution that enable remote attackers to bypass authentication and elevate privileges to admin. The flaws are tracked as CVE-2022-31685 (authentication bypass), CVE-2022-31686 (broken authentication method), and CVE-2022-31687 (broken authentication control) and have received 9.8/10 CVSSv3 base scores. Non-authenticated threat actors can exploit them in low-complexity attacks that don’t require user interaction for privilege escalation. The company patched them with the release of Workspace ONE Assist 22.10 (89993) for Windows customers. VMware also patched a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31688) that enables attackers to inject javascript code in the target user’s window and a session fixation vulnerability (CVE-2022-31689) that allows authentication after obtaining a valid session token.

5. Citrix Urges Admins to Patch Critical ADC, Gateway Auth Bypass.

Citrix is urging customers to install security updates for a critical authentication bypass vulnerability in Citrix ADC and Citrix Gateway. Under specific configurations, the three vulnerabilities can enable attackers to gain unauthorized access to the device, perform remote desktop takeover, or bypass the login brute force protection. Citrix ADC is a load-balancing solution for cloud applications deployed in the enterprise, ensuring uninterrupted availability and optimal performance. The three vulnerabilities affecting both Citrix Gateway and Citrix ADC are the following: CVE-2022-27510; CVE-2022-27513; CVE-2022-27516. Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible.

6. Microsoft WinGet Package Manager Failing Due to CDN Issues.

Microsoft’s WinGet package manager is currently having problems installing or upgrading packages due to the Azure Content Delivery Network (CDN) returning a 0-byte database file. Starting over the weekend, Windows users began reporting that when they attempted to install or upgrade apps using WinGet, they would receive different errors depending on the operation. For example, winget upgrade would display an error stating, “Failed in attempting to update the source: «winget»”, and winget install would display the error, “An unexpected error occurred while executing the command: 0x8a15000f : Data required by the source is missing”.
WinGet displaying error

Windows users posted in a GitHub issue that the problem appears to be a CDN issue causing a zero-byte file to be sent back rather than the complete index of available applications. Like other package managers, WinGet uses a default repository to retrieve the available packages, which for WinGet is located at https://cdn.winget.microsoft.com/cache/source.msix. Microsoft Product Manager Demitrius Nelon has confirmed that they are suffering a CDN issue causing these errors for certain users. If you are using WinGet, your best bet is to wait for Microsoft to fix the CDN issue, and the package manager should automatically begin working again.

7. RomCom RAT Malware Campaign Impersonates KeePass, SolarWinds NPM, Veeam.

The threat actor behind the RomCom RAT (remote access trojan) has refreshed its attack vector and is now abusing well-known software brands for distribution. In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs. The website that impersonates SolarWinds NPM delivers a trojanized version of the free trial and even links to an actual SolarWinds registration form that, if filled out by the victim, leads to being contacted by a real customer support agent.

The spoofed SolarWinds website

The downloaded app, though, has been modified to include a malicious DLL that downloads and runs a copy of the RomCom RAT from the path “C:\Users\user\AppData\Local\Temp\winver.dll”. It is unclear at this time how the threat actors are luring potential victims to the sites, but it could be through phishing, SEO poisoning, or forum/social media posts.

8. Researchers Are Poisoning Open-Source Packages. What Should We Do?

In the field of open-source security, researchers often publish malicious packages or poison existing ones with malicious code. These proofs of concept (PoCs) are done in an attempt to verify whether an attacker with malicious intent would be able to cause similar damage — or worse. However, while performing these actions, security researchers should adhere to several guidelines that will enable them to complete their research while keeping the ecosystem safe and clean to the maximum extent possible.

In the article, Aviad Gershon analyzes malicious packages containing ransomware scripts. He concludes that security professionals need to adhere to certain guidelines while conducting their research, which among others include the following:

  1. Do No Harm — refrain from breaking existing components.
  2. Transparency — declare our activity “for research purposes” to anyone who may encounter it.
  3. Discretion — avoid collecting or revealing sensitive data of other parties.