Appsec Phoenix

AppSec Phoenix Wide

Security Vulnerability of the Week 10/07/22


Date Posted: 10th July 2022

Previous Issues of vulnerability Weekly



This week we deep dive into OPENSSL Hearbleed2, Apache Common, CuteBoi NPM exploit, Iconburst NPM exploit, Orbit attack, Follina Weaponization, Chrome’s latest vulnerabilities


Appsec

Apache Commons – New Log4J

CVE-2022-33980 affecting Apache Common   Apache Commons is another Apache project that provides numerous Java utilities (sub-projects, if you like) that provide a wide range of handy programming toolkits.

As the project itself says, “the Commons Configuration software library provides a generic configuration interface which enables a Java application to read configuration data from a variety of sources.”

Commons Configuration, lets Java apps work with configuration files of a wide range of different formats, including XML, INI, plist, and many more.

 The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation.

That means that specially crafted (aka Booby-Trapped) configurations could trigger a Remote Code Execution (RCE) 

According to the Commons Configuration team, this “interpolation” bug was introduced in version 2.4 (released in late 2018) and patched in version 2.8.0 (released 2022-07-05, which is Tuesday this week).

Are you vulnerable?

Try executing

commons-configuration2-*.jar, where * is awildcard

Linux

$ find / -type f -name ‘commons-configuration2-*.jar’

Windows:

> DIR C:\commons-configuration2-*.jar /S

Vulnerable versions have the names:

commons-configuration2-2.4.jar

commons-configuration2-2.5.jar

commons-configuration2-2.6.jar

Commons-configuration2-2.7.jar

The latest, patched, version, is:

Commons-configuration2-2.8.0.jar

OpenSSL heartbleed 2 style Vulnerability

OpenSSL project have released patches to address a high-severity bug in the cryptographic library that could potentially lead to remote code execution under certain scenarios.

The scenarios are more rare than the original Heartbleed, but affect the SSL/TLS servers using 2048-bit RSA key making this vulnerability a serious threat to the confidentiality and integrity of the system.

The issue, now assigned the identifier CVE-2022-2274, has been described as a case of heap memory corruption with RSA private key operation that was introduced in OpenSSL version 3.0.4 released on June 21, 2022.

“SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue,” the advisory noted.

Xi Ruoyao, a Ph.D. student at Xidian University, has been credited with reporting the flaw to OpenSSL on June 22, 2022.

Solution: 

Upgrade library to the version OpenSSL version 3.0.5 to mitigate any potential threats.

NPM package infected involved in CuteBoi cryptomining scam

Credit Hackernews

Researches at Checkmarx have discovered a large scale of npm packages infected and prone to Cryptomining 

software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules

“This was done using automation which includes the ability to pass the NPM 2FA challenge,” Israeli application security testing company Checkmarx said. “This cluster of packages seems to be a part of an attacker experimenting at this point.”

Cryptomining Campaign

“The copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool,” researcher Aviad Gershon said. “The attacker didn’t change this feature of the code and for that reason, it won’t run upon installation.”

Previously in March this year red LILI threat actor implemented a similar technique: https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.html 

“Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks,” Israeli security company Checkmarx said. “As it seems this time, the attacker has fully automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot.”

The findings coincide with another NPM-related widespread software supply chain attack dubbed IconBurst that’s engineered to harvest sensitive data from forms embedded in downstream mobile applications and websites.

CuteBoi relies on a disposable email service called mail.tm. To exfiltrate data and credentials 

Always verify the NPM packages  and code as well as verifying outgoing connections to services that are not legitimate or part of a baseline

NPM packages steal data from apps & webforms

A widespread software supply chain attack has targeted the NPM package manager at least since December 2021 with rogue modules designed to steal data entered in forms by users on websites that include them.

The researchers at ReversingLabs have named this vulnerability IconBurst

New update: Since july – malicious packages attributable to the accounts identified in our original report appeared on npm. In addition, a new CDN (content distribution network) infrastructure was identified as being used for script inclusion. 

The vulnerability relies on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages. Attackers impersonated high-traffic NPM modules like umbrellajs and packages published by ionic.io.

As seen previously NPM typosquatting is becoming more and more of a common technique: ​​

“These clearly malicious attacks relied on typo-squatting, a technique in which attackers offer up packages via public repositories with names that are similar to — or common misspellings of — legitimate packages,” security researcher Karlo Zanki said in a Tuesday report. “Attackers impersonated high-traffic NPM modules like umbrellajs and packages published by ionic.io.”

Some of the most download malicious modules are listed below –

  • icon-package (17,774)
  • ionicio (3,724)
  • ajax-libs (2,440)
  • footericon (1,903)
  • umbrellaks (686)
  • ajax-library (530)
  • pack-icons (468)
  • icons-package (380)
  • swiper-bundle (185), and
  • icons-packages (170)
  •  

The technique of data exfiltration is quite crafty as data exfiltrated by icon-package was routed to a domain named ionicio[.]com, to a similar page ionic[.]io crafted to be similar to the original website.


INFRA/Network

Google Chrome

Google Chrome updated the browser on July 4th due to a critical vulnerability in the audio/video module. 

 CVE-2022-2294, vulnerability is linked to WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native apps.

“Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code,” MITRE explains. “When the consequence is arbitrary code execution, this can often be used to subvert any other security service.”

CVE-2022-2294 also marks the resolution of the fourth zero-day vulnerability in Chrome since the start of the year –

Users are recommended to update to version 103.0.5060.114 for Windows, macOS, and Linux and 103.0.5060.71 for Android to mitigate potential threats.

Follina weaponized to deploy Rozena Backdoor

In previously issue https://appsecphoenix.com/security-vulnerability-of-the-week-27-06-22/ we have mention the weaponization of follina being quite widespread. 

Due to the simplicity of attack, malicious actors are leveraging this vulnerability of the Microsoft suite to deploy ransomware

Researchers have discovered a new weaponization method: Backdoor deployment.

An ongoing phishing campaign is leveraging Follina’s security vulnerability to distribute a previously undocumented backdoor on Windows systems.

Now that follina CVE-2022-30190 has a remediation we encourage everyone to upgrade to the latest version. The method of attacking the MSDT tool has come under heavy exploitation in recent weeks ever since it came to light in late May 2022.

It’s worth noting that macros have been a well-known method to deploy vulnerabilities. 

Microsoft has temporarily paused its plans to disable Office macros in files downloaded from the internet. The company tells The Hacker News that it’s taking the time to make “additional changes to enhance usability.”

OrBit Linux Malware That Hijacks Execution Flow

Cybersecurity researchers have identified and disclosed a new Linux threat dubbed OrBit. This methodology increased in popularity as Linux OS attack

The malware gets its name from one of the filenames that’s utilized to temporarily store the output of executed commands (“/tmp/.orbit”), according to cybersecurity firm Intezer.

“It can be installed either with persistence capabilities or as a volatile implant,” security researcher Nicole Fishbein said. “The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands.”

The malware works like a symbiote, replicating a well-known process and infecting all processes on the existing machine. 

But unlike the symbiote, which leverages the LD_PRELOAD environment variable to load the shared object, OrBit employs two different methods.

The first way is by adding the shared object to the configuration file that is used by the loader,” Fishbein explained. “The second way is by patching the binary of the loader itself so it will load the malicious shared object.”

The attack chain commences with an ELF dropper file that’s responsible for extracting the payload (“libdl.so”) and adding it to the shared libraries that are being loaded by the dynamic linker.

The rogue shared library is engineered to hook functions from three libraries — libc, libcap, and Pluggable Authentication Module (PAM) — causing existing and new processes to use the modified functions, essentially permitting it to harvest credentials, hide network activity, and set up remote access to the host over SSH, all the while staying under the radar.

Orbit then release a series of method that allows it to function without the process running. 

“What makes this malware especially interesting is the almost hermetic hooking of libraries on the victim machine, that allows the malware to gain persistence and evade detection while stealing information and setting SSH backdoor,” Fishbein said.

We have seen a threat to mac and Linux operating systems increasing as the distribution of those endpoints has increased

Previous Issues of vulnerability Weekly


Share this article

[ssba]

Categories

x Logo: ShieldPRO
This Site Is Protected By
ShieldPRO