Securin’s Threat Intelligence: Mar 27, 2023 – Mar 31, 2023

This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.

Check out our Threat Intelligence Podcast hosted by David Rushton!

Trending Threats

Vulnerabilities to Watch Out For

Trending Threats

Unicode Support in Python Exploited to Evade Detection

An unnamed threat actor was discovered using onyxproxy, a malicious package on the Python Package Index that harvests and exfiltrates credentials and other sensitive data. To avoid detection, the attackers relied on the Python interpreter's Unicode support to obfuscate their malware: the interpreter accepts a novel kind of obfuscated code that appears ordinary on inspection without divulging exactly what the code is trying to steal. Other attackers are expected to adopt this technique in their target environments to avoid detection.

CVE-2021-42574 is a vulnerability in the Unicode bidirectional (BiDi) algorithm, which controls the order in which text is displayed. Threat actors have exploited it to install malicious scripts.
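A defender-side check for both tricks described above, added here as an example and not taken from the original post or from the onyxproxy package: it flags BiDi control characters in source text (the CVE-2021-42574 pattern) and non-ASCII identifiers whose NFKC form is an ordinary ASCII name, which Python accepts as the same variable because it NFKC-normalizes identifiers. The sample source is constructed for the demonstration.

```python
"""Added example (not from the original post): flag two Unicode tricks in
Python source text: BiDi control characters (CVE-2021-42574, "Trojan
Source") and non-ASCII identifiers that NFKC-normalize to an ordinary
name, which Python accepts because it normalizes identifiers with NFKC."""
import re
import unicodedata

# Explicit BiDi embedding, override and isolate controls.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Identifier-like runs: a non-digit word character followed by word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*")


def scan_source(src: str) -> list[dict]:
    """Return one finding per BiDi control or non-ASCII identifier in `src`."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for ch in line:
            if ch in BIDI_CONTROLS:
                findings.append({"line": lineno, "kind": "bidi",
                                 "text": f"U+{ord(ch):04X}"})
        for ident in IDENT_RE.findall(line):
            if ident.isascii():
                continue
            canonical = unicodedata.normalize("NFKC", ident)
            findings.append({"line": lineno, "kind": "homoglyph",
                             "text": ident, "normalized": canonical,
                             # True when the name collapses to plain ASCII,
                             # i.e. it aliases an ordinary identifier.
                             "masquerades": canonical.isascii()})
    return findings


# Constructed sample, not real onyxproxy code: line 2 spells "self" with
# mathematical sans-serif italic letters; line 5 hides BiDi controls in a comment.
SAMPLE = (
    "import os\n"
    "\U0001d634\U0001d626\U0001d62d\U0001d627 = os.environ.copy()\n"
    "\n"
    "def check(token):\n"
    "    # harmless note \u202e } \u2066 if token == 'admin'\n"
    "    return token\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Legitimate non-ASCII identifiers (for example accented names) are reported with `masquerades` set to False, so they can be triaged separately from names that collapse to ASCII.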

Given below is a timeline of this CVE on Securin’s Vulnerability Intelligence platform.

Chinese App Exploited Zero-Day on Millions of Devices

The Pinduoduo app is used for e-commerce. The legitimate application is not available in the Google app store, prompting users to download third-party versions. A malicious version of the application is available on these third-party websites which, when downloaded and installed, exploits several zero-days and known vulnerabilities. One of the zero-days is CVE-2023-20963, an Android vulnerability that was patched by Google two weeks ago. It can allow attackers to escalate privileges, download code from a developer-designated site, and run it within a privileged environment. This vulnerability is actively being exploited on Samsung phones. The Pinduoduo application has about 900 million monthly active users, and anyone who has downloaded it from unknown sources should verify its legitimacy.

Spyware Vendors Exploit Several Vulnerabilities in Popular Platforms

Several zero-day and n-day vulnerabilities were exploited in two campaigns carried out by threat actors selling spyware. They target Google (Pixel), Android, and iOS devices belonging to government officials, journalists, activists, etc., to spy on them. Some of the vulnerabilities being exploited are:

  • CVE-2022-42856, a WebKit remote code execution vulnerability exploiting a type confusion issue within the JIT compiler. The exploit used a PAC bypass technique which was fixed in March 2022 when Apple removed DYLD_INTERPOSE from WebKit.
  • CVE-2021-30900, a sandbox escape and privilege escalation bug in Apple's AGXAccelerator.
  • CVE-2022-3723, a type confusion vulnerability in Chrome which was exploited in the wild.
  • CVE-2022-4135, a Chrome GPU sandbox bypass affecting only Android.
  • CVE-2022-4262, a type confusion vulnerability in Chrome fixed in December 2022.
  • CVE-2022-3038, a sandbox escape in Chrome fixed in August 2022.
  • CVE-2022-22706, a vulnerability in the Mali GPU Kernel Driver fixed by ARM in January 2022 and marked as being used in the wild. An attacker can gain system access by exploiting this vulnerability.
  • CVE-2023-0266, a race condition vulnerability in the Linux kernel sound subsystem that is reachable from the system user and gives the attacker kernel read and write access.

Attackers look for unpatched devices to exploit these vulnerabilities. Therefore, all users should update their devices as soon as the vendor releases patches.

Hackers Compromise 3CX Application to Launch Supply Chain Attacks

Labyrinth Chollima, a subset of the Lazarus group, is suspected of launching supply chain attacks using a trojanized version of the 3CX application. The 3CX desktop app is a computer program available for Mac and Windows that allows users to make and receive VoIP calls from their computer via the internet. A digitally signed malicious version of this app is used to target the company's customers. This campaign, called SmoothOperator, installs a malicious DLL which can deploy secondary payloads. The malware is then used to extract system information and steal data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles.

3CX users should watch out for malicious versions of the app and download it only from trusted sources.

Update: The Lazarus group has been found to be behind these supply chain attacks. The vulnerability being exploited by this gang is tracked as CVE-2023-29059, a Windows zero-day.

New Malware Harvests API Keys

A new toolkit, AlienFox, that steals authentication secrets and credentials is available on the market. It targets misconfigured hosting frameworks, such as Laravel, Drupal, WordPress, etc., to collect credentials, API keys, authentication tokens, and similar secrets. It also collects lists of misconfigured cloud endpoints from security scanning platforms like LeakIX and SecurityTrails. Threat actors leverage this information to break into organizations' networks and deploy ransomware or take over systems. The toolkit is sold to threat actors on a private Telegram channel. There are several versions of this toolkit. The second version features an exploit for CVE-2022-31279, a deserialization vulnerability in the Laravel PHP Framework. The third version features initialization variables, Python classes with modular functions, and process threading.

CISA Adds 10 Vulnerabilities to the KEV catalog

Following the active exploitation of vulnerabilities in popular platforms such as Google, Apple, etc., to install spyware, CISA added them to the KEV catalog on March 31, 2022 to raise awareness. They are:

The rest of the vulnerabilities are:

All these vulnerabilities need to be patched by April 20, 2023.

Vulnerabilities to Watch Out For

CVE-2023-23529: Apple’s WebKit Zero-Day

Apple recently addressed this zero-day vulnerability in its macOS and iOS devices. CVE-2023-23529 allows arbitrary code execution via maliciously crafted web content. This actively exploited CVE affects older Apple devices such as iPhone 6s and 7 (all models), iPhone SE (first generation), iPad Air 2, iPad Mini (fourth generation), and iPod Touch (seventh generation), for which patches are available now.

CVE-2023-22809: Linux Sudo Vulnerability

CVE-2023-22809 affects QNAP's Linux-powered network-attached storage (NAS) devices, specifically, in the. If exploited, attackers can escalate privileges by editing unauthorized files after appending arbitrary entries to the list of files to process. QNAP has released an advisory to patch all affected devices and recommends that users patch as soon as possible.

MooBot and ShellBot Malware Resurface

Threat actors have been deploying the ShellBot and Moobot malware by exploiting CVE-2021-35394 (Realtek) and CVE-2022-46169 (Cacti).

CVE-2021-35394 is an arbitrary command injection vulnerability that affects UDPServer due to insufficient validation of commands received from clients.

CVE-2022-46169 is a command injection vulnerability that allows an unauthenticated user to execute arbitrary code on a server running Cacti.

Both are rated high-severity and can be used for remote code execution. Moobot malware can launch brute force attacks, while ShellBot variants can install other malware from their C2 server.

CVE-2023-23383: Azure Service Fabric Explorer (SFX) Vulnerability

This flaw is named FabriXss. It impacts the Azure Service Fabric Explorer and is rated 8.2 on the CVSS scale. Attackers can exploit it by sending a crafted URL to any Azure Service Fabric user and then remotely executing code on the container deployed to the cluster. An attacker can even take over critical systems.

Microsoft has released a fix for this vulnerability and is urging users to apply it.

CVE-2022-27926: Hackers Exploit this Zimbra Vulnerability

CVE-2022-27926 is a cross-site scripting (XSS) vulnerability in Zimbra Collaboration products. By exploiting it, an unauthenticated attacker can execute arbitrary web script or HTML via request parameters. A hacking group known as Winter Vivern has been exploiting this vulnerability in attacks against NATO entities. They mimicked the sites of European agencies fighting cybercrime to spread malware that pretends to be a virus scanner. Initial access is gained through phishing emails with a link that exploits CVE-2022-27926 and injects further JavaScript payloads into the webpage. The payloads then extract usernames, passwords, and tokens from cookies received from the compromised Zimbra endpoint.

Follow our weekly blog and podcast to get proactive alerts on trending threats.

Leverage our expertise and manage your threats continuously to stay safe from attackers. Talk to Us!
