
Programmer’s Digest #11

15-21/12/2022 Malicious ‘SentinelOne’ PyPI package, Hackers bombard PyPi platform, Veeam Backup and Replication Vulnerabilities, And More

1.  Hackers Bombard Open Source Repositories with Over 144,000 Malicious Packages

NuGet, PyPi, and npm ecosystems are the target of a new campaign that has resulted in over 144,000 packages being published by unknown threat actors. The packages were part of a new attack vector, with attackers spamming the open source ecosystem with packages containing links to phishing campaigns. Of the 144,294 phishing-related packages that were detected, 136,258 were published on NuGet, 7,824 on PyPi, and 212 on npm. The offending libraries have since been unlisted or taken down. The fake packages themselves claimed to provide hacks, cheats, and free resources in an attempt to trick users into downloading them. The URLs to the rogue phishing pages were embedded in the package description. In all, the massive campaign encompassed more than 65,000 unique URLs on 90 domains.

2. CISA Alert: Veeam Backup and Replication Vulnerabilities Being Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild. The now-patched critical flaws, tracked as CVE-2022-26500 and CVE-2022-26501, are both rated 9.8 on the CVSS scoring system, and could be leveraged to gain control of a target system. The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to the upload and execution of malicious code. Both issues, which affect product versions 9.5, 10, and 11, have been addressed in versions 10a and 11a. Users of Veeam Backup & Replication 9.5 are advised to upgrade to a supported version.

3. Researchers Discover Malicious PyPI Package Posing as SentinelOne SDK to Steal Data

Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that impersonates a software development kit (SDK) for SentinelOne, a major cybersecurity company, as part of a campaign dubbed SentinelSneak. The package, named SentinelOne and now taken down, is said to have been published between December 8 and 11, 2022, with nearly two dozen versions pushed in quick succession over a period of two days. It claims to offer an easier method to access the company’s APIs, but harbors a malicious backdoor that’s engineered to amass sensitive information from development systems, including access credentials, SSH keys, and configuration data. What’s notable about the fraudulent package is that it mimics a legitimate SDK that’s offered by SentinelOne to its customers, potentially tricking developers into downloading the module from PyPI. It’s not immediately clear if the package was weaponized as part of an active supply chain attack, although it had been downloaded more than 1,000 times prior to its removal.

4. Glupteba Botnet Continues to Thrive Despite Google’s Attempts to Disrupt It

The operators of the Glupteba botnet resurfaced in June 2022 as part of a renewed and “upscaled” campaign, months after Google disrupted the malicious activity. The ongoing attack is suggestive of the malware’s resilience in the face of takedowns. In addition, there was a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign. The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear. Specifically, the botnet is designed to search the public Bitcoin blockchain for transactions related to wallet addresses owned by the threat actor so as to fetch the encrypted C2 server address. This is made possible by the OP_RETURN opcode that enables storage of up to 80 bytes of arbitrary data within the signature script.

5. New Agenda Ransomware Variant, Written in Rust, Aiming at Critical Infrastructure

A Rust variant of a ransomware strain known as Agenda has been observed in the wild, making it the latest malware to adopt the cross-platform programming language after BlackCat, Hive, Luna, and RansomExx. Agenda is a ransomware-as-a-service (RaaS) group that has been linked to a spate of attacks primarily targeting manufacturing and IT industries. It expands on the idea of partial encryption (aka intermittent encryption) by configuring parameters that are used to determine the percentage of file content to be encrypted. An analysis of the ransomware binary reveals that encrypted files are given the extension “MmXReVIxLV,” before proceeding to drop the ransom note in every directory. In addition, the Rust version of Agenda is capable of terminating the Windows AppInfo process and disabling User Account Control (UAC), the latter of which helps mitigate the impact of malware by requiring administrative access to launch a program or task. At present, its threat actors appear to be migrating their ransomware code to Rust as recent samples still lack some features seen in the original binaries written in the Golang variant of the ransomware.

6. Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities

Samba has released software updates to remediate multiple vulnerabilities that, if successfully exploited, could allow an attacker to take control of affected systems. The high-severity flaws, tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in versions 4.17.4, 4.16.8 and 4.15.13 released on December 15, 2022. Samba is an open source Windows interoperability suite for Linux, Unix, and macOS operating systems that offers file server, printing, and Active Directory services.
A brief description of each of the weaknesses is below:

  • CVE-2022-38023 (CVSS score: 8.1) – Use of weak RC4-HMAC Kerberos encryption type in the Netlogon Secure Channel
  • CVE-2022-37966 (CVSS score: 8.1) – An elevation of privilege vulnerability in Windows Kerberos RC4-HMAC
    An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Str

7. Okta Says Its GitHub Account Hacked, Source Code Stolen

Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub source code repositories were hacked this month. 
Earlier this month, GitHub alerted Okta of suspicious access to Okta’s code repositories, states the notification. Despite stealing Okta’s source code, attackers did not gain unauthorized access to the Okta service or customer data, says the company. Okta’s “HIPAA, FedRAMP or DoD customers” remain unaffected as the company “does not rely on the confidentiality of its source code as a means to secure its services.” As such, no customer action is needed.

8. GitHub Announces Free Secret Scanning for All Public Repositories

GitHub said it is making available its secret scanning service to all public repositories on the code hosting platform for free. Secret scanning alerts notify you directly about leaked secrets in your code. Secret scanning is designed to examine repositories for access tokens, private keys, credentials, API keys, and other secrets in over 200 formats that may have been accidentally committed, and generate alerts to prevent their misuse. The security option was previously limited to repositories owned by organizations that use GitHub Enterprise Cloud and have a GitHub Advanced Security license. For customers of GitHub Advanced Security, the protections go a step further by performing the scans for exposed secrets, including custom patterns, during code pushes. The Microsoft subsidiary also said it’s planning to turn on two-factor authentication requirements for “distinct groups of users” starting March 2023 with the goal of expanding it to all GitHub users by the end of next year.


Programmer’s Digest #10

8-14/12/2022. Actively Exploited Citrix ADC, Malware Strains Targeting Python and JavaScript Developers, Amazon ECR Public Gallery Vulnerability, And More

1. Hackers Actively Exploiting Citrix ADC and Gateway Zero-Day Vulnerability

A threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems. The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and seize control. Successful exploitation, however, requires that the Citrix ADC or Citrix Gateway appliance is configured as a SAML service provider (SP) or a SAML identity provider (IdP). Citrix ADC and Citrix Gateway versions 13.1 are not impacted. The company also said there are no workarounds available “beyond disabling SAML authentication or upgrading to a current build.”

2. Malware Strains Targeting Python and JavaScript Developers Through Official Repositories

An active malware campaign is targeting the Python Package Index (PyPI) and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains. The typosquatted Python packages all impersonate the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.
The rogue packages embed source code that retrieves a Golang-based ransomware binary from a remote server depending on the victim’s operating system and microarchitecture. Successful execution causes the victim’s desktop background to be changed to an actor-controlled image that claims to be from the U.S. Central Intelligence Agency (CIA). It’s also designed to encrypt files and demand a $100 ransom in cryptocurrency. In a sign that the attack is not limited to PyPI, the adversary has been spotted publishing five different modules in npm: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr.

3. Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver

A subgroup of an Iranian nation-state group known as Nemesis Kitten has been identified as being behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands. The use of GitHub as a virtual dead drop helps the malware blend in. All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. Subsequent investigations into the adversary’s operations have uncovered two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering. This attack entailed the compromise of a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), ultimately leading to the delivery of the Drokbk binary by means of a compressed ZIP archive hosted on a file transfer service.

4. Serious Attacks Could Have Been Staged Through This Amazon ECR Public Gallery Vulnerability

A critical security flaw has been disclosed in Amazon Elastic Container Registry (ECR) Public Gallery that could have been potentially exploited to stage a multitude of attacks. By exploiting this vulnerability, a malicious actor could delete all images in the Amazon ECR Public Gallery or update the image contents to inject malicious code. This malicious code is executed on any machine that pulls and runs the image, whether on users’ local machines, Kubernetes clusters or cloud environments. ECR is a container image registry service managed by Amazon Web Services, enabling users to package code as Docker images and deploy the artifacts in a scalable manner. Amazon has since deployed a fix to resolve the weakness as of November 16, 2022, less than 24 hours after it was reported, indicative of the severity of the problem. No customer action is required.

5. Fortinet Says SSL-VPN Pre-auth RCE Bug Is Exploited in Attacks

Fortinet urges customers to patch their appliances against an actively exploited FortiOS SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices.
The security flaw is tracked as CVE-2022-42475 and is a heap-based buffer overflow bug in FortiOS sslvpnd. When exploited, the flaw could allow unauthenticated users to crash devices remotely and potentially perform code execution. A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. The company said it’s “aware of an instance where this vulnerability was exploited in the wild,” urging customers to move quickly to apply the updates.
Patches are available in FortiOS versions 7.2.3, 7.0.9, 6.4.11, and 6.2.12 as well as FortiOS-6K7K versions 7.0.8, 6.4.10, 6.2.12, and 6.0.15.

6. New Python Malware Backdoors VMware ESXi Servers For Remote Access

A previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system.
VMware ESXi is a virtualization platform commonly used in the enterprise to host numerous servers on one device while using CPU and memory resources more effectively.
The new backdoor was discovered by Juniper Networks researchers, who found the backdoor on a VMware ESXi server. However, they could not determine how the server was compromised due to limited log retention. They believe the server may have been compromised using the CVE-2019-5544 and CVE-2020-3992 vulnerabilities in ESXi’s OpenSLP service. While the malware is technically capable of targeting Linux and Unix systems, too, Juniper’s analysts found multiple indications it was designed for attacks against ESXi. To determine if this backdoor has impacted your ESXi servers, check for the existence of the files: /etc/rc.local.d/local.sh, /store/packages/vmtools.py, /etc/vmware/rhttpproxy/endpoints.conf and the additional lines in the “local.sh” file. All configuration files that persist reboots should be scrutinized for suspicious changes and reversed to the correct settings.
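A host check for the indicators just listed, added here as an example and not Juniper’s code: it takes a root prefix (a mounted image or a copied tree), reports which of the named files exist, and lists lines in local.sh beyond the stock scaffolding. The approximated stock local.sh content, the constructed extra line, and the heuristic that anything other than comments and the closing `exit 0` counts as “additional” are this example’s assumptions.

```python
"""Indicator check for the ESXi backdoor described above, added here as an example
(not Juniper's code). Takes a root prefix so it can run against a mounted image or a
copied tree, reports which of the listed files exist, and lists lines in local.sh
beyond the stock scaffolding. Treating every non-blank, non-comment line other than
the closing 'exit 0' as 'additional' is this example's heuristic, not the page's."""
import os
import tempfile

# Paths named in the digest, relative to the ESXi root.
LOCAL_SH = "etc/rc.local.d/local.sh"
INDICATOR_PATHS = [LOCAL_SH, "store/packages/vmtools.py", "etc/vmware/rhttpproxy/endpoints.conf"]

# Constructed approximation of a stock local.sh: comments and a trailing 'exit 0' only.
STOCK_LOCAL_SH = "#!/bin/sh\n\n# local configuration options\n\n# Note: modify at your own risk!\n\nexit 0\n"
# Constructed placeholder for an attacker-added persistence line (not the real one).
EXTRA_LINE = "/bin/sh /tmp/constructed_example.sh"


def existing_indicators(root: str) -> list:
    """Indicator paths that exist under `root`."""
    return [p for p in INDICATOR_PATHS if os.path.exists(os.path.join(root, p))]


def additional_lines(local_sh_text: str) -> list:
    """(line number, text) for lines that are not blank, comments (incl. the shebang) or 'exit 0'."""
    extra = []
    for lineno, raw in enumerate(local_sh_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#") and line != "exit 0":
            extra.append((lineno, line))
    return extra


def assess(root: str) -> dict:
    """Combine the file checks. local.sh itself ships with ESXi, so only the other two
    paths and any added lines make the result suspicious."""
    present = existing_indicators(root)
    extra = []
    local_sh = os.path.join(root, LOCAL_SH)
    if os.path.isfile(local_sh):
        with open(local_sh, encoding="utf-8", errors="replace") as fh:
            extra = additional_lines(fh.read())
    suspicious = any(p != LOCAL_SH for p in present) or bool(extra)
    return {"present": present, "extra_local_sh_lines": extra, "suspicious": suspicious}


def build_demo_tree(root: str, compromised: bool) -> None:
    """Write a constructed ESXi-like tree: stock local.sh, plus the indicators if `compromised`."""
    os.makedirs(os.path.join(root, "etc/rc.local.d"), exist_ok=True)
    text = STOCK_LOCAL_SH
    if compromised:
        text = text.replace("exit 0", EXTRA_LINE + "\nexit 0")
        os.makedirs(os.path.join(root, "store/packages"), exist_ok=True)
        with open(os.path.join(root, "store/packages/vmtools.py"), "w") as fh:
            fh.write("# constructed placeholder, not the malware\n")
    with open(os.path.join(root, LOCAL_SH), "w") as fh:
        fh.write(text)


def demo_results():
    """Assess one clean and one compromised constructed tree; returns (clean, compromised)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = os.path.join(tmp, "clean"), os.path.join(tmp, "bad")
        build_demo_tree(clean, compromised=False)
        build_demo_tree(bad, compromised=True)
        return assess(clean), assess(bad)


if __name__ == "__main__":
    for label, result in zip(("clean", "compromised"), demo_results()):
        print(label, result)
```

Because local.sh is part of a stock install, its presence alone is not a finding; the result only turns suspicious on the other two paths or on lines added to local.sh.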

7. Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks

The operating system update, released as part of Microsoft’s scheduled Patch Tuesday, addresses a flaw that lets malicious attackers use rigged files to evade Mark of the Web (MOTW) defenses. An attacker can craft a malicious file that would evade MOTW defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. The security defect, tracked as CVE-2022-44698, is marked as publicly disclosed and exploited, adding to the urgency for Windows fleet administrators to prioritize this month’s patches. Microsoft is also calling special attention to CVE-2022-44710, a privilege escalation flaw affecting the DirectX graphics kernel. Microsoft described the bug as a race condition issue that’s already been publicly disclosed. In all, Microsoft documented at least 52 vulnerabilities in a wide range of operating system components and software products. Six of the 52 bulletins are rated critical, Microsoft’s highest severity rating. The December Patch Tuesday barrage also includes major fixes from VMware, Adobe, Fortinet and Citrix.

8. Google Releases Dev Tool to List Vulnerabilities in Project Dependencies

Google has launched OSV Scanner, a new tool that allows developers to scan for vulnerabilities in open-source software dependencies used in their project. The scanner draws data from OSV.dev, the distributed vulnerability database for open source code that Google released in February 2021, to offer relevant information about known security issues affecting open-source code.
The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer’s list of packages and the information in vulnerability databases. The scanner uses openly distributed advisories from authoritative and reliable sources following the OSV schema for vulnerability triage in the installed package version. Currently, the OSV.dev service supports 16 major coding ecosystems, including the Linux Kernel, Android, Debian, Alpine, PyPI, npm, OSS-Fuzz, and Maven. It is the world’s largest open-source vulnerability database, counting 23,000 advisories in 2022 alone.
Google says the next step for OSV Scanner is to improve C/C++ vulnerability support, tackling a very challenging software ecosystem, and integrate standalone CI actions to allow easy scheduling of scans. OSV Scanner is free for everyone to use without restrictions and is available for download via GitHub or the osv.dev website.


Programmer’s Digest #09

1-7/12/2022. New Go-based Zerobot Botnet, Critical RCE Vulnerability Affecting Quarkus Java Framework, BMC Supply Chain Vulnerabilities And More

1. New Go-based Zerobot Botnet Exploiting Dozens of IoT Vulnerabilities to Expand its Network

A novel Go-based botnet called Zerobot has been observed in the wild, proliferating by taking advantage of nearly two dozen security vulnerabilities in internet of things (IoT) devices and other software. The botnet contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol. The malware is designed to target a wide range of CPU architectures such as i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. Zerobot, upon initialization in the compromised machine, establishes contact with a remote command-and-control (C2) server and awaits further instructions that allow it to run arbitrary commands and launch attacks for different network protocols like TCP, UDP, TLS, HTTP, and ICMP.

2. Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework

A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems. Tracked as CVE-2022-4116 (CVSS score: 9.8), the shortcoming could be trivially abused by a malicious actor without any privileges. The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that could lead to remote-code execution (RCE). Quarkus, developed by Red Hat, is an open source project that’s used for creating Java applications in containerized and serverless environments. It’s worth pointing out that the issue only impacts developers who are running Quarkus and are tricked into visiting a specially crafted website, which is embedded with malicious JavaScript code designed to install or execute arbitrary payloads.
The problem identified by Contrast Security lies in the fact that the JavaScript code hosted on a malware-laced website can be weaponized to modify the Quarkus application configuration via an HTTP POST request to trigger code execution.
Recommendation 
Users are recommended to upgrade to version 2.14.2.Final and 2.13.5.Final to safeguard against the flaw. A potential workaround is to move all the non-application endpoints to a random root path.

3. Open Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware

A version of an open source ransomware toolkit called Cryptonite has been observed in the wild with wiper capabilities due to its “weak architecture and programming.” Cryptonite, unlike other ransomware strains, is not available for sale on the cybercriminal underground, and was instead offered for free by an actor named CYBERDEVILZ until recently through a GitHub repository. The source code and its forks have since been taken down. Written in Python, the malware employs the Fernet module of the cryptography package to encrypt files with a “.cryptn8” extension. A new sample, however, has been found to lock files with no option to decrypt them, essentially acting as a destructive data wiper. This change isn’t a deliberate act on the part of the threat actor, but rather stems from a lack of quality assurance that causes the program to crash when attempting to display the ransom note after completing the encryption process. The problem with this flaw is that, due to the design simplicity of the ransomware, if the program crashes — or is even closed — there is no way to recover the encrypted files.

4. New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers

Three different security flaws have been disclosed in American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software that could lead to remote code execution on vulnerable servers. The impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and physical damage to servers (bricking). The most severe among the issues is CVE-2022-40259 (CVSS score: 9.9), a case of arbitrary code execution via the Redfish API that requires the attacker to already have a minimum level of access on the device (Callback privileges or higher). CVE-2022-40242 (CVSS score: 8.3) relates to a hash for a sysadmin user that can be cracked and abused to gain administrative shell access, while CVE-2022-2827 (CVSS score: 7.5) is a bug in the password reset feature that can be exploited to determine if an account with a specific username exists. The findings once again underscore the importance of securing the firmware supply chain and ensuring that BMC systems are not directly exposed to the internet.

5. Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems

The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service. Ping reads raw IP packets from the network to process responses in the pr_pack() function. The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. As a consequence, the destination buffer could be overflowed by up to 40 bytes when the IP option headers are present. The FreeBSD Project noted that the ping process runs in a capability mode sandbox and is therefore constrained in how it can interact with the rest of the operating system.

6. Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers

A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network. The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo. Tracked as CVE-2022-0543 (CVSS score: 10.0), the weakness pertains to a case of sandbox escape in the Lua scripting engine that could be leveraged to attain remote code execution. The Redigo infection chain is similar in that the adversaries scan for exposed Redis servers on port 6379 to establish initial access, following it up by downloading a shared library “exp_lin.so” from a remote server. This library file comes with an exploit for CVE-2022-0543 to execute a command in order to retrieve Redigo from the same server, in addition to taking steps to mask its activity by simulating legitimate Redis cluster communication over port 6379. It’s not known what the end goal of the attacks is, but it’s suspected that the compromised hosts could be used to steal sensitive information from the database server to further extend their reach.

7. Hackers Hijack Linux Devices Using PRoot Isolated Filesystems

Hackers are abusing the open-source Linux PRoot utility in BYOF (Bring Your Own Filesystem) attacks to provide a consistent repository of malicious tools that work on many Linux distributions. A Bring Your Own Filesystem attack is one in which threat actors create a malicious filesystem on their own devices that contains a standard set of tools used to conduct attacks. This filesystem is then downloaded and mounted on compromised machines, providing a preconfigured toolkit that can be used to compromise a Linux system further. The attacks typically lead to cryptocurrency mining, although more harmful scenarios are possible. The attacks seen by Sysdig use PRoot to deploy a malicious filesystem on already compromised systems that includes network scanning tools like “masscan” and “nmap,” the XMRig cryptominer, and their configuration files.
In most cases, the attackers unpacked the filesystem in ‘/tmp/Proot/’ and then activated the XMRig cryptominer. The attacker launches PRoot, points it at the unpacked malicious filesystem, and specifies the XMRig binary to execute.

8. Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines

An attacker submitting changes to an open source repository on GitHub could cause downstream software projects that include the latest version of a component to compile updates with malicious code. This “artifact poisoning” weakness could affect software projects that use GitHub Actions — a service for automating development pipelines — by triggering the build process when a change is detected in a software dependency. The problem likely affects a large number of open source projects because maintainers typically will run tests on contributed code before they actually analyze the code themselves. The attack takes advantage of the automated build process through GitHub Actions. In the case of the Rust programming language, the vulnerable pattern could have allowed an attacker to execute code in a privileged way as part of the development pipeline, stealing repository secrets and potentially tampering with code. The vulnerability enables an attack similar to the malware-insertion attack that targeted CodeCov and, through that company’s software, its downstream customers. GitHub confirmed the issue and paid a bounty for the information, while Rust fixed its vulnerable pipeline.
