
Programmers’ Digest 11/02-09/22: PyPI Packages Caught Dropping ‘W4SP’, Patches Issued for 6 Actively Exploited Zero-Days, Microsoft WinGet Package Manager Failing And More.

1. Dozens of PyPI Packages Caught Dropping ‘W4SP’ Info-Stealing Malware.

Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware. Most of these contain obfuscated code that drops “W4SP” info-stealer on infected machines, while others make use of malware purportedly created for “educational purposes” only. The packages are typosquats—that is, threat actors publishing these have intentionally named them similar to known Python libraries in hopes that developers attempting to fetch the real library make a spelling error and inadvertently retrieve one of the malicious ones.


PyPI package ‘typesutil’ is one of the typosquats dropping W4SP infostealer 

As an example, the typesutil attack “starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase,” write Phylum researchers. Ultimately, the malware dropped by these packages was W4SP Stealer, which exfiltrates your Discord tokens, cookies and saved passwords. All of the packages put together have been downloaded over 5,700 times based on Pepy.tech stats.

2. Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days.

Microsoft’s latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately addressed at the start of the month is an actively exploited flaw in Chromium-based browsers (CVE-2022-3723) that was plugged by Google as part of an out-of-band update late last month. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched. 

The list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows:

  • CVE-2022-41040 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell);
  • CVE-2022-41082 (CVSS score: 8.8) – Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell);
  • CVE-2022-41128 (CVSS score: 8.8) – Windows Scripting Languages Remote Code Execution Vulnerability;
  • CVE-2022-41125 (CVSS score: 7.8) – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability.

3. Microsoft Fixes ProxyNotShell Exchange Zero-Days Exploited in Attacks.

Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild. Tracked as CVE-2022-41082 and CVE-2022-41040, the two security bugs affect Microsoft Exchange Server 2013, 2016, and 2019. They enable attackers to escalate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution. Attackers have been chaining the two security flaws to deploy China Chopper web shells on compromised servers for persistence and data theft, as well as for lateral movement in their victims’ networks, since at least September 2022. As part of the November 2022 Patch Tuesday, Microsoft finally released security updates to address the two vulnerabilities. It is recommended that you install these updates immediately to be protected against these attacks.

4. VMware Fixes Three Critical Auth Bypass Bugs in Remote Access Tool.

VMware has released security updates to address three critical severity vulnerabilities in the Workspace ONE Assist solution that enable remote attackers to bypass authentication and elevate privileges to admin. The flaws are tracked as CVE-2022-31685 (authentication bypass), CVE-2022-31686 (broken authentication method), and CVE-2022-31687 (broken authentication control) and have received 9.8/10 CVSSv3 base scores. Unauthenticated threat actors can exploit them in low-complexity attacks that don’t require user interaction for privilege escalation. The company patched them with the release of Workspace ONE Assist 22.10 (89993) for Windows customers. VMware also patched a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31688) that enables attackers to inject JavaScript code into the target user’s window, and a session fixation vulnerability (CVE-2022-31689) that allows authentication after obtaining a valid session token.

5. Citrix Urges Admins to Patch Critical ADC, Gateway Auth Bypass.

Citrix is urging customers to install security updates for three vulnerabilities in Citrix ADC and Citrix Gateway, including a critical authentication bypass. Under specific configurations, the three vulnerabilities can enable attackers to gain unauthorized access to the device, perform remote desktop takeover, or bypass the login brute force protection. Citrix ADC is a load-balancing solution for cloud applications deployed in the enterprise, ensuring uninterrupted availability and optimal performance. The three vulnerabilities affecting both Citrix Gateway and Citrix ADC are the following: CVE-2022-27510; CVE-2022-27513; CVE-2022-27516. Affected customers of Citrix ADC and Citrix Gateway are recommended to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible.

6. Microsoft WinGet Package Manager Failing Due to CDN Issues.

Microsoft’s WinGet package manager is currently having problems installing or upgrading packages due to the Azure Content Delivery Network (CDN) returning a 0-byte database file. Starting over the weekend, Windows users began reporting that when they attempted to install or upgrade apps using WinGet, they would receive different errors depending on the operation. For example, winget upgrade would display an error stating “Failed in attempting to update the source: winget”, and winget install would display the error “An unexpected error occurred while executing the command: 0x8a15000f : Data required by the source is missing”.
WinGet displaying error

Windows users posted in a GitHub issue that the problem appears to be a CDN issue causing a zero-byte file to be sent back rather than the complete index of available applications. Like other package managers, WinGet uses a default repository to retrieve the available packages, which for WinGet is located at https://cdn.winget.microsoft.com/cache/source.msix. Microsoft Product Manager Demitrius Nelon has confirmed that they are suffering a CDN issue causing these errors for certain users. If you are using WinGet, your best bet is to wait for Microsoft to fix the CDN issue, and the package manager should automatically begin working again.

7. RomCom RAT Malware Campaign Impersonates KeePass, SolarWinds NPM, Veeam.

The threat actor behind the RomCom RAT (remote access trojan) has refreshed its attack vector and is now abusing well-known software brands for distribution. In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs.
The website that impersonates SolarWinds NPM delivers a trojanized version of the free trial and even links to an actual SolarWinds registration form that, if filled out by the victim, leads to being contacted by a real customer support agent.
The spoofed SolarWinds website
The downloaded app, though, has been modified to include a malicious DLL that downloads and runs a copy of the RomCom RAT from the path “C:\Users\user\AppData\Local\Temp\winver.dll”. It is unclear at this time how the threat actors are luring potential victims to the sites, but it could be through phishing, SEO poisoning, or forum/social media posts.

8. Researchers Are Poisoning Open-Source Packages. What Should We do? 

In the field of open-source security, researchers often publish malicious packages or poison existing ones with malicious code. These proofs of concepts (POCs) are done in an attempt to verify whether an attacker with malicious intent would be able to cause similar damage — or worse. However, while performing these actions, security researchers should adhere to several guidelines that will enable them to complete their research while keeping the ecosystem safe and clean to the maximum extent possible.
In his article, Aviad Gershon analyzes malicious packages containing ransomware scripts. He concludes that security professionals need to adhere to certain guidelines while conducting their research, which include, among others, the following:

  1. Do No Harm — refrain from breaking existing components.
  2. Transparency — declare our activity “for research purposes” to anyone who may encounter it.
  3. Discretion — avoid collecting or revealing sensitive data of other parties.

Programmers’ Digest 10/26-11/02: Critical RCE Vulnerability, OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities, Dropbox Breach, Critical VMware RCE Vulnerability And More

1. Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution

IT service management software platform ConnectWise has released software patches for a critical security vulnerability in Recover and R1Soft Server Backup Manager (SBM). The issue, characterized as a “Neutralization of Special Elements in Output Used by a Downstream Component” weakness, could be abused to result in the execution of remote code or disclosure of sensitive information. ConnectWise’s advisory notes that the critical flaw affects Recover v2.9.7 and earlier, as well as R1Soft SBM v6.16.3 and earlier. At its core, the issue is tied to an upstream authentication bypass vulnerability in the ZK open source Ajax web application framework (CVE-2022-36537), which was initially patched in May 2022. Affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9). While there is no evidence of active exploitation of the vulnerability in the wild, a proof-of-concept shows that it can be abused to bypass authentication, gain remote code execution on SBM, and push LockBit 3.0 ransomware to all downstream endpoints.

2. OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email address. Versions 3.0.0 through 3.0.6 of the library are affected by the new flaws, which have been remediated in version 3.0.7. It’s worth noting that the commonly deployed OpenSSL 1.x versions are not vulnerable. While CVE-2022-3602 was initially treated as a Critical vulnerability, its severity has since been downgraded to High, citing stack overflow protections in modern platforms.

The OpenSSL Project further noted the bugs were introduced in OpenSSL 3.0.0 as part of punycode decoding functionality that’s currently used for processing email address name constraints in X.509 certificates. Despite the change in severity, OpenSSL said it considers “these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible.”

3. Dropbox Breach: Hackers Gained Unauthorized Access to 130 GitHub Source Code Repositories

File hosting service Dropbox on Tuesday disclosed that it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub. The breach resulted in the access of some API keys used by Dropbox developers as well as “a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.” It, however, stressed that the repositories did not contain source code related to its core apps or infrastructure. 

The investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers. The successful breach resulted from a phishing attack that targeted multiple Dropbox employees using emails impersonating the CircleCI continuous integration and delivery platform and redirecting them to a phishing landing page where they were asked to enter their GitHub username and password. On the same phishing page, the employees were also asked to “use their hardware authentication key to pass a One Time Password (OTP).”

Phishing email impersonating CircleCI  

After stealing the Dropboxers’ credentials, the attackers gained access to one of Dropbox’s GitHub organizations and stole 130 of its code repositories.

4. Exploit Released For Critical VMware RCE Vulnerability, Patch Now

Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances. The flaw (CVE-2021-39144) is in the XStream open-source library used by the two VMware products and was assigned an almost maximum CVSSv3 base score of 9.8/10 by VMware. Unauthenticated threat actors can exploit it remotely in low-complexity attacks that will not require user interaction. VMware released security updates to address the CVE-2021-39144 flaw. Additionally, because of the severity of the issue, the company also provided patches for some end-of-life products.

5. Microsoft Fixes Critical RCE Flaw Affecting Azure Cosmos DB

Analysts at Orca Security have found a critical vulnerability affecting Azure Cosmos DB that allowed unauthenticated read and write access to containers. Named CosMiss, the security issue is in the Azure Cosmos DB built-in Jupyter Notebooks, which integrate into the Azure portal and Azure Cosmos DB accounts to make querying, analyzing, and visualizing NoSQL data and results easier. Azure Cosmos DB is Microsoft’s fully managed NoSQL database that features broad API type support for applications of all sizes. Jupyter Notebooks is a web-based interactive platform that allows users to access Cosmos DB data. The issue that researchers at Orca Security discovered is that Cosmos DB Jupyter Notebooks lacked authentication checks, so anyone who knew the UUID of the Notebook Workspace could gain unauthorized access to, and even modify, a container.

6. New Open-Source Tool Scans Public AWS S3 Buckets For Secrets

A new open-source tool, ‘S3crets Scanner’, allows researchers and red-teamers to search for ‘secrets’ mistakenly stored in publicly exposed Amazon AWS S3 storage buckets, including a company’s own. Amazon S3 (Simple Storage Service) is a cloud storage service commonly used by companies to store software, services, and data in containers known as buckets.

Unfortunately, companies sometimes fail to properly secure their S3 buckets and thus publicly expose stored data to the Internet. This type of misconfiguration has caused data breaches in the past, with threat actors gaining access to employee or customer details, backups, and other types of data.

During an exercise examining SEGA’s recent assets exposure, security researcher Eilon Harel discovered that no tools for scanning accidental data leaks exist, so he decided to create his own automated scanner and release it as an open-source tool on GitHub. To help with the timely discovery of exposed secrets on public S3 buckets, Harel created a Python tool named “S3crets Scanner”.

Actions performed by the S3crets Scanner

The scanner tool will only list S3 buckets that have the following configurations set to ‘False,’ meaning that exposure was likely accidental:

  • “BlockPublicAcls”,
  • “BlockPublicPolicy”,
  • “IgnorePublicAcls”,
  • “RestrictPublicBuckets”.

Any buckets that were intended to be public are filtered out from the list before the textual files are downloaded for the “secrets scanning” step. When scanning a bucket, the script will examine the content of text files using the Trufflehog3 tool, an improved Go-based version of the secrets scanner that can check for credentials and private keys on GitHub, GitLab, filesystems, and S3 buckets.
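The two-stage workflow described above (filter buckets whose public access block is fully disabled, then scan their text objects) can be modelled offline as follows. This is an added illustration written for this digest, not the S3crets Scanner code: the real tool talks to AWS and hands files to Trufflehog3, whereas here the bucket inventory, the allow-list of intentionally public buckets, the object contents and the small regex set are all constructed and embedded inline. The four configuration keys are the real settings of an S3 PublicAccessBlockConfiguration.

```python
"""Select S3 buckets whose public access block is fully disabled and grep
their text objects for secrets. Added illustration; not the S3crets Scanner
code. All bucket data and file contents below are constructed."""
import re

# The four settings of an S3 PublicAccessBlockConfiguration; a bucket with all
# four set to False has no public-access guard rails at all.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "BlockPublicPolicy",
    "IgnorePublicAcls",
    "RestrictPublicBuckets",
)

# Small regex set standing in for a real secrets scanner such as Trufflehog3.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_token": re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
}


def public_block_fully_disabled(config: dict) -> bool:
    """True when every setting is explicitly False (the scanner's filter)."""
    return all(config.get(k) is False for k in PUBLIC_ACCESS_BLOCK_KEYS)


def select_buckets(bucket_configs: dict, intended_public: set) -> list:
    """Buckets that look accidentally exposed: fully unblocked and not on the
    list of buckets that are meant to be public."""
    return sorted(name for name, cfg in bucket_configs.items()
                  if public_block_fully_disabled(cfg) and name not in intended_public)


def scan_text(bucket: str, key: str, text: str) -> list:
    """Return (bucket, key, line_number, pattern_name) for each secret-like line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((bucket, key, lineno, kind))
    return findings


# Constructed inventory, shaped like the PublicAccessBlockConfiguration that
# the GetPublicAccessBlock API returns per bucket.
BUCKETS = {
    "acme-www-assets":      dict.fromkeys(PUBLIC_ACCESS_BLOCK_KEYS, False),  # intended public
    "acme-build-artifacts": dict.fromkeys(PUBLIC_ACCESS_BLOCK_KEYS, False),  # accidental
    "acme-db-backups":      dict.fromkeys(PUBLIC_ACCESS_BLOCK_KEYS, True),
    "acme-legacy":          {"BlockPublicAcls": False, "BlockPublicPolicy": True,
                             "IgnorePublicAcls": False, "RestrictPublicBuckets": True},
}
INTENDED_PUBLIC = {"acme-www-assets"}

# Constructed object content; the access key is AWS's documented example key.
SAMPLE_ENV_FILE = """# build settings
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
BUILD_NUMBER=1042
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedexamplekeymaterial
-----END RSA PRIVATE KEY-----
SLACK_TOKEN=xoxb-0000-constructed-example-value
"""


def demo():
    """Run both stages over the constructed data: (exposed buckets, findings)."""
    exposed = select_buckets(BUCKETS, INTENDED_PUBLIC)
    findings = []
    for bucket in exposed:
        findings += scan_text(bucket, "ci/.env", SAMPLE_ENV_FILE)
    return exposed, findings


if __name__ == "__main__":
    exposed, findings = demo()
    print("accidentally exposed:", exposed)
    for bucket, key, lineno, kind in findings:
        print(f"s3://{bucket}/{key}:{lineno}: {kind}")
```

Note that a partially configured block (acme-legacy above) is not selected, matching the tool's "all four False" rule; a stricter inventory check would treat any False as worth reviewing.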

7. Microsoft Fixes Windows Vulnerable Driver Blocklist Sync Issue

Microsoft says it addressed an issue preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older Windows versions. This blocklist (stored in the DriverSiPolicy.p7b file) is designed to block threat actors from dropping legitimate but vulnerable drivers on targets’ systems in Bring Your Own Vulnerable Driver (BYOVD) attacks on HVCI-enabled Windows machines or those running Windows in S Mode. The flawed drivers are then exploited to escalate privileges in the Windows kernel and execute malicious code, disabling security solutions and taking control of the device. Although Microsoft has been advertising its driver blocklist as capable of hardening Windows systems against vulnerable third-party drivers, ANALYGENCE security analyst Will Dormann found that wasn’t the case. As Dormann discovered, unlike Windows 11 devices, even up-to-date Windows 10 and Windows Server systems were being provided with an outdated list of vulnerable drivers from December 2019, exposing customers who thought they were protected to BYOVD attacks. Microsoft reluctantly acknowledged his findings and promised to address this issue and update its misleading online support docs.


Programmers’ Digest 10/12/2022-10/19/2022: New Timing Attack Against NPM Registry API, PoC Exploit Released for Critical Fortinet, Critical New Vulnerability in Apache Commons Text And More

1. New Timing Attack Against NPM Registry API Could Expose Private Packages

A novel timing attack discovered against npm’s registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats. By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then publish public packages masquerading as them, tricking employees and users into downloading them. The Scoped Confusion attack banks on analyzing the time it takes for the npm API (registry.npmjs[.]org) to return an HTTP 404 error message when querying for a private package, and measuring it against the response time for a non-existing module.

It takes on average less time to get a reply for a private package that does not exist compared to a private package that does. The idea, ultimately, is to identify packages internally used by companies, which could then be used by threat actors to create public versions of the same packages in an attempt to poison the software supply chain.

Recommendation 

As preventive measures, it’s recommended that organizations routinely scan npm and other package management platforms for lookalike or spoofed packages that masquerade as the internal counterparts.
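The routine scan recommended here, and the typosquatting problem in the earlier PyPI item (W4SP packages named to resemble known libraries), both reduce to the same check: compare names seen in a registry feed against the names you want to protect and flag close matches. The following is an added example written for this digest, not code from Phylum, npm, PyPI or the article's authors. It normalises names the way the registries do (case folding; PyPI treats '-', '_' and '.' as equivalent), strips an npm scope so that a public "auth-client" is caught as a lookalike of a private "@acme/auth-client", and uses Levenshtein distance for typosquats. The protected and candidate names are constructed.

```python
"""Flag package names that resemble protected ones (typosquats and scoped
lookalikes). Added illustration; not code from Phylum, npm, PyPI or the
digest. Package names below are constructed."""
import re


def normalize(name: str) -> str:
    """Case-fold and collapse '-', '_' and '.' (PyPI treats them as equal)."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def bare_name(name: str) -> str:
    """Drop an npm scope: '@acme/auth-client' -> 'auth-client'."""
    if name.startswith("@") and "/" in name:
        return name.split("/", 1)[1]
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(candidates, protected, max_distance=2):
    """Return (candidate, protected_name, distance) for every candidate that is
    within max_distance edits of a protected name (after normalisation and
    scope stripping) but is not the protected name itself."""
    hits = []
    for cand in candidates:
        cand_norm = normalize(cand)
        for prot in protected:
            prot_norm = normalize(prot)
            if cand_norm == prot_norm:
                continue  # the genuine package, not a lookalike
            c, p = bare_name(cand_norm), bare_name(prot_norm)
            # Short names get a tighter threshold; two edits on a five-letter
            # name would flag far too many unrelated packages.
            limit = 1 if min(len(c), len(p)) <= 5 else max_distance
            d = edit_distance(c, p)
            if d <= limit:
                hits.append((cand, prot, d))
    return hits


# Constructed data: names an organisation wants to protect (popular public
# libraries plus an internal scoped package) and names seen in a registry feed.
PROTECTED = ["requests", "colorama", "@acme/auth-client"]
CANDIDATES = ["reqests", "Requests", "colourama", "auth-client", "flask"]


def demo():
    return find_lookalikes(CANDIDATES, PROTECTED)


if __name__ == "__main__":
    for cand, prot, d in demo():
        print(f"{cand!r} resembles {prot!r} (distance {d})")
```

In practice the candidate list comes from the registry's new-package feed and the protected list from the organisation's lock files plus the top public packages it depends on; a distance-0 hit on a scoped package's bare name is exactly the public counterpart the Scoped Confusion item warns about.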

2. PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks

A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches. The issue, tracked as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass vulnerability that could allow a remote attacker to perform malicious operations on the administrative interface via specially crafted HTTP(S) requests. A successful exploitation of the shortcoming is tantamount to granting complete access “to do just about anything” on the affected system, including altering network configurations, adding malicious users, and intercepting network traffic.
That said, the cybersecurity firm said that there are two essential prerequisites when making such a request: 

  • Using the Forwarded header, an attacker is able to set the client_ip to “127.0.0.1”
  • The “trusted access” authentication check verifies that the client_ip is “127.0.0.1” and the User-Agent is “Report Runner” both of which are under attacker control.
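For defenders, the two prerequisites above are a usable detection signature: a request from outside the box whose Forwarded header claims the client is 127.0.0.1, combined with a User-Agent of "Report Runner". The following is an added illustration written for this digest, not Fortinet's code or the PoC: it parses RFC 7239 Forwarded headers and rates structured access-log records as "high" when both prerequisites are present and "low" when only one is. The JSON-lines record format and every sample record are constructed.

```python
"""Triage web-server access records for the request pattern the digest
describes for CVE-2022-40684: a Forwarded header claiming the client is
127.0.0.1 together with a User-Agent of "Report Runner". Added detection
illustration, not Fortinet's code or the PoC; the record format and all
sample records are constructed."""
import json


def parse_forwarded(value: str) -> dict:
    """Parse an RFC 7239 Forwarded header into {param: [values]}.
    Elements are comma-separated; pairs inside an element are semicolon-separated."""
    params = {}
    for element in value.split(","):
        for pair in element.split(";"):
            if "=" not in pair:
                continue
            key, _, val = pair.strip().partition("=")
            params.setdefault(key.strip().lower(), []).append(val.strip().strip('"'))
    return params


def spoofed_loopback(headers: dict) -> bool:
    """Does any Forwarded 'for' element claim a loopback address?"""
    fwd = headers.get("Forwarded")
    if not fwd:
        return False
    return any(v.strip("[]") in ("127.0.0.1", "::1")
               for v in parse_forwarded(fwd).get("for", []))


def assess(record: dict) -> tuple:
    """Return (severity, reasons): 'high' when both prerequisites are present,
    'low' when only one is, None when neither."""
    headers = record.get("headers", {})
    reasons = []
    if spoofed_loopback(headers):
        reasons.append("Forwarded header claims client is loopback")
    if headers.get("User-Agent", "").strip() == "Report Runner":
        reasons.append("User-Agent is 'Report Runner'")
    if len(reasons) == 2:
        return "high", reasons
    if reasons:
        return "low", reasons
    return None, reasons


def triage(lines) -> list:
    """Run assess() over JSON-lines records; return (src, severity, reasons)
    for every record that matched at least one prerequisite."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        severity, reasons = assess(rec)
        if severity:
            out.append((rec.get("src"), severity, reasons))
    return out


# Constructed records (one JSON object per line, like a structured access log).
SAMPLE_LOG = """
{"src": "203.0.113.10", "method": "PUT", "path": "/admin/config", "headers": {"Forwarded": "for=127.0.0.1;proto=https", "User-Agent": "Report Runner"}}
{"src": "203.0.113.11", "method": "GET", "path": "/login", "headers": {"User-Agent": "Mozilla/5.0"}}
{"src": "10.0.0.5", "method": "GET", "path": "/api/status", "headers": {"Forwarded": "for=\\"[2001:db8::1]\\";by=10.0.0.1", "User-Agent": "curl/7.85.0"}}
{"src": "198.51.100.7", "method": "GET", "path": "/login", "headers": {"Forwarded": "for=127.0.0.1", "User-Agent": "Mozilla/5.0"}}
"""


def demo():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, severity, reasons in demo():
        print(f"{src}: {severity}: {'; '.join(reasons)}")
```

The "low" tier is worth keeping: a Forwarded header from an external address that claims loopback has no legitimate use on an administrative interface, so it merits a look even without the second marker. Patching remains the fix; this only helps find attempts against hosts that were exposed before the update.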

3. Zimbra Releases Patch for Actively Exploited Vulnerability in its Collaboration Suite

Zimbra has released patches to contain an actively exploited security flaw in its enterprise collaboration suite that could be leveraged to upload arbitrary files to vulnerable instances.
Tracked as CVE-2022-41352 (CVSS score: 9.8), the issue affects a component of the Zimbra suite called Amavis, an open source content filter, and more specifically, the cpio utility it uses to scan and extract archives. The flaw, in turn, is said to be rooted in another underlying vulnerability (CVE-2015-1197) that was first disclosed in early 2015, which according to Flashpoint was rectified, only to be subsequently reverted in later Linux distributions.
An attacker can abuse the cpio package to gain unauthorized access to other user accounts.
Fixes are available in the following versions:

  • Zimbra 9.0.0 Patch 27
  • Zimbra 8.8.15 Patch 34

All an adversary needs to do to weaponize the shortcoming is to send an email with a specially crafted TAR archive attachment that, upon being received, gets submitted to Amavis, which uses the cpio module to trigger the exploit.

4. Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text

Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component. The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity. The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and evaluating string values in code that contain placeholders. NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said, “disables the problematic interpolators by default.”

5. Feature-Rich ‘Alchimist’ Cyberattack Framework Targets Windows, Mac, Linux Environments

Researchers have uncovered a potentially dangerous cyberattack framework targeting Windows, Linux, and Mac systems that they assess is likely already being used in the wild. The framework consists of a new, stand-alone, command-and-control (C2) tool dubbed “Alchimist,” a previously unseen remote access Trojan (RAT) called “Insekt,” and several bespoke tools like a custom backdoor and malware for exploiting vulnerabilities in macOS. It also includes reverse proxies and several dual-use tools such as netcat, psexec, and an intranet-scanning tool called fscan. Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor. It can generate a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands. Giving it those capabilities are a variety of malware tools, including a Mach-O backdoor for macOS and a separate macOS malware dropper that exploits a known vulnerability in a root program associated with major Linux distributions (CVE-2021-4034).

6. Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software

HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems. 
The post-exploitation tool consists of a team server, which functions as a command-and-control (C2) component, and a beacon, the default malware used to create a connection to the team server and drop next-stage payloads. The issue, tracked as CVE-2022-42948, affects Cobalt Strike version 4.7.1, and stems from an incomplete patch released on September 20, 2022, to rectify a cross-site scripting (XSS) vulnerability (CVE-2022-39197) that could lead to remote code execution. The XSS vulnerability could be triggered by manipulating some client-side UI input fields, by simulating a Cobalt Strike implant check-in or by hooking a Cobalt Strike implant running on a host. This means that a malicious actor could exploit this behavior by means of an HTML “object” tag, utilizing it to load a custom payload hosted on a remote server and inject it within the note field as well as the graphical file explorer menu in the Cobalt Strike UI. However, it was found that remote code execution could be triggered in specific cases using the Java Swing framework, the graphical user interface toolkit that’s used to design Cobalt Strike.

7. Researchers Detail Windows Zero-Day Vulnerability Patched Last Month

Details have emerged about a now-patched security flaw in Windows Common Log File System (CLFS) that could be exploited by an attacker to gain elevated permissions on compromised machines. Tracked as CVE-2022-37969 (CVSS score: 7.8), the issue was addressed by Microsoft as part of its Patch Tuesday updates for September 2022, while also noting that it was being actively exploited in the wild. Now, the Zscaler ThreatLabz researcher team has disclosed that it captured an in-the-wild exploit for the then zero-day on September 2, 2022. The cause of the vulnerability is due to the lack of a strict bounds check on the field cbSymbolZone in the Base Record Header for the base log file (BLF) in CLFS.sys.  If the field cbSymbolZone is set to an invalid offset, an out-of-bounds write will occur at the invalid offset. According to Zscaler, the vulnerability is rooted in a metadata block called base record that’s present in a base log file, which is generated when a log file is created using the CreateLogFile() function.
