01/05/2023-01/11/2023. Security Flaw in “jsonwebtoken” Library, Malicious PyPI Packages Using Cloudflare Tunnels, Visual Studio Marketplace and Malicious Extensions, Fortinet and Zoho Urge Customers to Patch Vulnerabilities And More

1. Severe Security Flaw Found in “jsonwebtoken” Library Used by 22,000+ Projects

A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution on a target server. By exploiting this vulnerability, attackers could achieve remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request. Tracked as CVE-2022-23529 (CVSS score: 7.6), the issue impacts all versions of the library, including and below 8.5.1, and has been addressed in version 9.0.0. jsonwebtoken, which is developed and maintained by Okta’s Auth0, is a JavaScript module that allows users to decode, verify, and generate JSON web tokens as a means of securely transmitting information between two parties for authorization and authentication. It has over 10 million weekly downloads on the npm software registry and is used by more than 22,000 projects. Therefore, the ability to run malicious code on a server could break confidentiality and integrity guarantees, potentially enabling a bad actor to overwrite arbitrary files on the host and perform any action of their choosing using a poisoned secret key.

2.  Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls

In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems. The now-removed packages include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles. The malicious code is concealed in the setup script (setup.py) of these libraries, meaning running a “pip install” command is enough to activate the malware deployment process. The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code. But in what’s a novel technique adopted by the threat actor, the attack further attempts to download and install cloudflared, a command-line tool for Cloudflare Tunnel, which offers a “secure way to connect your resources to Cloudflare without a publicly routable IP address.” The idea, in a nutshell, is to leverage the tunnel to remotely access the compromised machine via a Flask-based app, which harbors a trojan dubbed xrat (but codenamed poweRAT by Phylum).

3. Hackers Can Abuse Visual Studio Marketplace to Target Developers with Malicious Extensions

A new attack vector targeting the Visual Studio Code extensions marketplace could be leveraged to upload rogue extensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks. The technique could act as an entry point for an attack on many organizations. VS Code extensions, curated via a marketplace made available by Microsoft, allow developers to add programming languages, debuggers, and tools to the VS Code source-code editor to augment their workflows. All extensions run with the privileges of the user that has opened the VS Code without any sandbox. This means that the extension can install any program on your computer including ransomwares, wipers, and more. Is it possible for a threat actor to impersonate a popular extension with small variations to the URL. Moreover, the marketplace  allows the adversary to use the same name and extension publisher details, including the project repository information. The research  discovered that the verification badge assigned to authors could be trivially bypassed as the check mark only proves that the extension publisher is the actual owner of a domain. 

4.  New Study Uncovers Text-to-SQL Model Vulnerabilities Allowing Data Theft and DoS Attacks

A group of academics has demonstrated novel attacks that leverage Text-to-SQL models to produce malicious code that could enable adversaries to glean sensitive information and stage denial-of-service (DoS) attacks. To better interact with users, a wide range of database applications employ AI techniques that can translate human questions into SQL queries (namely Text-to-SQL). Crackers can fool Text-to-SQL models to produce malicious code. As such code is automatically executed on the database, the consequence can be pretty severe (e. g., data breaches and DoS attacks).” The findings, which were validated against two commercial solutions BAIDU-UNIT and AI2sql, mark the first empirical instance where natural language processing (NLP) models have been exploited as an attack vector in the wild. The specially crafted payloads, the study discovered, could be weaponized to run malicious SQL queries that, in turn, could permit an attacker to modify backend databases and carry out DoS attacks against the server.

5. CircleCI Urges Customers to Rotate Secrets Following Security Incident

DevOps platform CircleCI urged its customers to rotate all their secrets following an unspecified security incident. The company said an investigation is currently ongoing, but emphasized that “there are no unauthorized actors active in our systems.” Additional details are expected to be shared in the coming days. CircleCI is also recommending users to review internal logs for signs of any unauthorized access starting from December 21, 2022, to January 4, 2023, or until when the secrets are rotated. The software development service did not disclose any further specifics about the breach, but said it has also invalidated all Project API tokens and that they need to be replaced.

6. Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub

A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN. The group primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations. Now according to Unit 42, the cloud threat actor group created three to five GitHub accounts every minute at the height of its activity in November 2022, totally setting up over 130,000 bogus accounts across Heroku, Togglebox, and GitHub. The core idea that undergirds PURPLEURCHIN is the exploitation of computational resources allocated to free and premium accounts on cloud services in order to reap monetary profits on a massive scale before losing access for non-payment of dues. Besides automating the account creation process by leveraging legitimate tools like xdotool and ImageMagick, the threat actor has also been found to take advantage of weakness within the CAPTCHA check on GitHub to further its illicit objectives. This is accomplished by using ImageMagick’s convert command to transform the CAPTCHA images to their RGB complements, followed by using the identify command to extract the skewness of the red channel and selecting the smallest value.

12/28/2022-01/04/2023. PyTorch Machine Learning Framework Compromised, WordPress Security Alert, Exploitation of JasperReports Vulnerabilities And More

1. PyTorch Machine Learning Framework Compromised with Malicious Dependency

The maintainers of the PyTorch package have warned users who have installed the nightly builds of the library between December 25, 2022, and December 30, 2022, to uninstall and download the latest versions following a dependency confusion attack. The PyTorch team said that it became aware of the malicious dependency on December 30. The supply chain attack entailed uploading the malware-laced copy of a legitimate dependency named torchtriton to the Python Package Index (PyPI) code repository. Since package managers like pip check public code registries such as PyPI for a package before private registries, it allowed the fraudulent module to be installed on users’ systems as opposed to the actual version pulled from the third-party index. As mitigations, torchtriton has been removed as a dependency and replaced with pytorch-triton. A dummy package has also been registered on PyPI as a placeholder to prevent further abuse.

2. WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws

WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites. The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are likely installed on a WordPress site, using it to deploy an implant that can target a specific website to further expand the network. It’s also capable of injecting JavaScript code retrieved from a remote server in order to redirect the site visitors to an arbitrary website of the attacker’s choice. WordPress users are recommended to keep all the components of the platform up-to-date, including third-party add-ons and themes. It’s also advised to use strong and unique logins and passwords to secure their accounts.
 

3. CISA Warns of Active Exploitation of JasperReports Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two years-old security flaws impacting TIBCO Software’s JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively. The first of the two issues, CVE-2018-5430, relates to an information disclosure bug in the server component that could enable an authenticated user to gain read-only access to arbitrary files, including key configurations.

JasperReports Vulnerabilities

The impact includes the possible read-only access by authenticated users to web application configuration files that contain the credentials used by the server. Those credentials could then be used to affect external systems accessed by the JasperReports Server.
CVE-2018-18809 is a directory traversal vulnerability in the JasperReports Library that could permit web server users to access sensitive files on the host, potentially making it possible for an attacker to steal credentials and break into other systems. 
 

4. Thousands of Citrix Servers Still Unpatched for Critical Vulnerabilities

Thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The issues in question are CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8). While CVE-2022-27510 relates to an authentication bypass that could be exploited to gain unauthorized access to Gateway user capabilities, CVE-2022-27518 concerns a remote code execution bug that could enable the takeover of affected systems. Citrix  warned that CVE-2022-27518 is being actively exploited in the wild by threat actors, including the China-linked APT5 state-sponsored group.  According to a new analysis from NCC Group’s Fox-IT research team, thousands of internet-facing Citrix servers are still unpatched, making them an attractive target for hacking crews. This includes over 3,500 Citrix ADC and Gateway servers running version 12.1-65.21 that are susceptible to CVE-2022-27518, as well as more than 500 servers running 12.1-63.22 that are vulnerable to both flaws. A majority of the servers, amounting to no less than 5,000, are running 13.0-88.14, a version that’s immune to CVE-2022-27510 and CVE-2022-27518.

5. Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers

 Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities. One flaw is CVE-2022-3156, which impacts the Studio 5000 Logix Emulate controller emulation software. The vulnerability is caused by a misconfiguration that results in users being granted elevated permissions on certain product services. An attacker could exploit the weakness for remote code execution.
The second vulnerability is CVE-2022-3157, which affects CompactLogix, GuardLogix (including Compact), and ControlLogix controllers. An attacker can exploit the flaw to launch a denial-of-service (DoS) attack against a device by sending specially crafted CIP requests that cause a “major non-recoverable fault”. The remaining vulnerabilities impact MicroLogix 1100 and 1400 programmable logic controllers (PLCs). One of the security holes, CVE-2022-46670, is a stored cross-site scripting (XSS) issue in the embedded webserver that can be exploited for remote code execution without authentication. The second bug, CVE-2022-3166, is a clickjacking issue that can be exploited by an attacker with network access to the affected device to cause a DoS condition for the webserver application. 
The first two vulnerabilities have been patched with updates. For the last two issues, the vendor has made available mitigations that should prevent attacks.

6. Critical Vulnerabilities Patched in Synology Routers

Taiwan-based networking and storage solutions provider Synology has informed customers about the availability of patches for several critical vulnerabilities, including flaws likely exploited recently at the Pwn2Own hacking contest. The company published two new critical advisories in late December. One of them describes an internally discovered vulnerability affecting Synology VPN Plus Server, which turns routers into an advanced VPN server.
The security hole, tracked as CVE-2022-43931, is an out-of-bounds write issue in the remote desktop functionality of VPN Plus Server. It can allow a remote attacker to execute arbitrary commands. The second advisory describes multiple vulnerabilities impacting the Synology Router Manager (SRM), the operating system that powers the firm’s routers. The flaws can be exploited for arbitrary command execution, denial-of-service (DoS) attacks, and reading arbitrary files. 

22-28/12/2022. Hackers Breach Okta’s GitHub Repositories, W4SP Stealer Discovered in Multiple PyPI Packages, Security Flaws in Ghost CMS Blogging Software And More

1. W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names

Threat actors have published another round of malicious packages to Python Package Index (PyPI) with the goal of delivering information-stealing malware on compromised developer machines. Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, cybersecurity company Phylum found them all to be copies of W4SP Stealer. W4SP Stealer primarily functions to siphon user data, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. For some reason, each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name. The campaign distributing W4SP Stealer gained traction around October 2022.  Since then dozens of additional bogus packages containing W4SP Stealer have been published on PyPI by the persistent threat actors. It’s worth noting that previous versions of the attack chains have been spotted fetching next-stage Python code directly from a public GitHub repository that then drops the credential stealer. 

2.  LastPass Admits to Severe Data Breach, Encrypted Password Vaults Stolen

The August 2022 security breach of LastPass may have been more severe than previously disclosed by the company. The popular password management service  revealed that malicious actors obtained a trove of personal information belonging to its customers that include their encrypted password vaults by using data siphoned from the earlier break-in. Also stolen is “basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service”.  The August 2022 incident involved the miscreants accessing source code and proprietary technical information from its development environment via a single compromised employee account. LastPass said this permitted the unidentified attacker to obtain credentials and keys that were subsequently leveraged to extract information from a backup stored in a cloud-based storage service, which it emphasized is physically separate from its production environment.  LastPass confirmed that the security lapse did not involve access to unencrypted credit card data, as this information was not archived in the cloud storage container. The company did not divulge how recent the backup was, but warned that the threat actor “may attempt to use brute-force to guess your master password and decrypt the copies of vault data they took,” as well as target customers with social engineering and credential stuffing attacks.

3.  GuLoader Malware Utilizing New Techniques to Evade Security Software

Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software. New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings. GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader that’s used to distribute remote access trojans such as Remcos on infected machines. A recent GuLoader sample unearthed by CrowdStrike exhibits a three-stage process wherein the VBScript is designed to deliver a next-stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory. The shellcode, besides incorporating the same anti-analysis methods, downloads a final payload of the attacker’s choice from a remote server and executes it on the compromised host. The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an error message if the shellcode detects any known analysis of debugging mechanisms. This includes anti-debugging and anti-disassembling checks to detect the presence of a remote debugger and breakpoints, and if found, terminate the shellcode. The shellcode also features scans for virtualization software. An added capability is what the cybersecurity company calls a “redundant code injection mechanism” to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions. In a nutshell, the method involves using assembly instructions to invoke the necessary windows API function to allocate memory (i.e., NtAllocateVirtualMemory) and inject arbitrary shellcode into that location via process hollowing.

4.  Two New Security Flaws Reported in Ghost CMS Blogging Software

Cybersecurity researchers have detailed two security flaws in the JavaScript-based blogging platform known as Ghost, one of which could be abused to elevate privileges via specially crafted HTTP requests. Tracked as CVE-2022-41654 (CVSS score: 9.6), the authentication bypass vulnerability allows unprivileged users (i.e., members) to make unauthorized modifications to newsletter settings. Cisco Talos, which discovered the shortcoming, said it could enable a member to change the system-wide default newsletter that all users are subscribed to by default. Even worse, the ability of a site administrator to inject JavaScript into the newsletter by default could be exploited to trigger the creation of arbitrary administrator accounts when attempting to edit the newsletter.  The CMS platform blamed the bug due to a “gap” in its API validation, adding it found no evidence that the issue has been exploited in the wild. Also patched by Ghost is an enumeration vulnerability in the login functionality (CVE-2022-41697, CVSS score: 5.3) that could lead to the disclosure of sensitive information.

5. Zerobot Malware Now Spreads By Exploiting Apache Vulnerabilities

The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers. The Microsoft Defender for IoT research team also observed that this latest version adds new distributed denial-of-service (DDoS) capabilities. Zerobot has been under active development since at least November, with new versions adding new modules and features to expand the botnet’s attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras. Since early December, the malware’s developers have removed modules that targeted phpMyAdmin servers, Dasan GPON home routers, and D-Link DSL-2750B wireless routers with year-old exploits. The update spotted by Microsoft adds newer exploits to the malware’s toolkit, enabling it to target seven new types of devices and software, including unpatched Apache and Apache Spark servers. 
The  list of modules added to Zerobot 1.1 includes:

• CVE-2017-17105: Zivif PR115-204-P-RS
• CVE-2019-10655: Grandstream
• CVE-2020-25223: WebAdmin of Sophos SG UTM
• CVE-2021-42013: Apache
• CVE-2022-31137: Roxy-WI

Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.

6. Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks

 Defiant’s Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks. The YITH WooCommerce Gift Cards plugin allows online merchants to create gift cards that their customers can purchase for their friends to use on the ecommerce store. The premium plugin has more than 50,000 installations, its developer says. Tracked as CVE-2022-45359 (CVSS score of 9.8), the exploited vulnerability was reported in November and a patch for it was made available soon after. The issue is described as an arbitrary file upload, allowing attackers to upload executable files to the WordPress sites that use a vulnerable version of the plugin. No authentication is required for successful exploitation. According to the WordPress security firm, an attacker can exploit the vulnerability to place a backdoor on a vulnerable installation, gain remote code execution (RCE), and potentially take over the site. Site admins can identify signs of an attack by checking their logs for POST requests to wp-admin/admin-post.php.
According to Wordfence, observed attacks came from hundreds of IP addresses, but only two IPs were responsible for the majority of exploitation attempts. Site admins are advised to update to YITH WooCommerce Gift Cards premium version 3.20.0 or newer, which contain patches for this vulnerability.