blog

Vulnerability of the Week PiPI, python extractor, telegram, Cisco, Samsung hack, Qnap Dedbolt variant 

vulnerability managment and security vulnerability of the week - 12 September

Security Vulnerability of the Week 12/09/22 

Previous Issues of vulnerability Weekly



This week we deep dive into PiPI, python extractor, telegram, Cisco, Samsung hack, Qnap Dedbolt variant 



Appsec

PyPI 1 in 3 packages Executes Code Automatically After Python Downloads

pypi.org/static/images/logo-large.6bdbb439.svg

WordPress sites are being hacked to display fake Cloudflare DDoS protection pages to distributing NetSupport RAT and the RaccoonStealer password-stealing Trojan.

“A worrying feature in pip/PyPI allows code to automatically run when developers are merely downloading a package,” Checkmarx researcher Yehuda Gelb said in a technical report published this week.

Always monitor the 

One of the ways by which packages can be installed for Python is by executing the “pip install” command, which, in turn, invokes a file called “setup.py” that comes bundled along with the module.

“setup.py,” as the name implies, is a setup script that’s used to specify metadata associated with the package, including its dependencies.

Always monitor the dependencies for PIP

“pip download does the same resolution and downloading as pip install, but instead of installing the dependencies, it collects the downloaded distributions into the directory provided (defaulting to the current directory),” the documentation reads.

In other words, the command can be used to download a Python package without having to install it on the system. But as it turns out, executing the download command also runs the aforementioned “setup.py” script, resulting in the execution of malicious code contained within it.

Credit: https://thehackernews.com/2022/09/warning-pypi-feature-executes-code.html 

Prynt Stealer new data extractor malware

 

Telegram 'hacker' threatens 'bombshell' crypto revelations

Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims’ exfiltrated data when used by other cybercriminals.

The cybersecurity firm analysis of Prynt Stealer shows that its codebase is derived from two other open source malware families, AsyncRAT and StormKitty, with new additions incorporated to include a backdoor Telegram channel to collect the information stolen by other actors to the malware’s author.

Prynt Stealer

“The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware. As the saying goes, there is no honour among thieves.”


INFRA/Network

Cisco Releases Security Patches latest vulnerabilities

Cisco Has released in the first week of september a cumulative patch lis

Tracked as CVE-2022-28199 (CVSS score: 8.6), the vulnerability stems from a lack of proper error handling in DPDK’s network stack, enabling a remote adversary to trigger a denial-of-service (DoS) condition and cause an impact on data integrity and confidentiality.

“If an error condition is observed on the device interface, the device may either reload or fail to receive traffic, resulting in a denial-of-service (DoS) condition,” Cisco said in a notice published on September 7.

Previous list of vulnerabilities: https://phoenix.security/weekvuln-08-08-22/ 

DPDK refers to a set of libraries and optimized network interface card (NIC) drivers for fast packet processing, offering a framework and common API for high-speed networking applications.

Cisco said it investigated its product lineup and determined the following services to be affected by the bug, prompting the networking equipment maker to release software updates –

  • Cisco Catalyst 8000V Edge Software
  • Adaptive Security Virtual Appliance (ASAv), and
  • Secure Firewall Threat Defense Virtual (formerly FTDv)

Lastly, it also disclosed details of an authentication bypass bug (CVE-2022-20923, CVSS score: 4.0) affecting Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers, which it said will not be fixed owing to the products reaching end-of-life (EOL).

For full information: https://thehackernews.com/2022/09/cisco-releases-security-patches-for-new.html 

QNAP has a new Deadbolt ransomware variant Exploiting Photo Station Flaw

QNAP has issued a new advisory urging users of its network-attached storage (NAS) devices to upgrade to the latest version of Photo Station following yet another wave of Deadbolt in the wild by exploiting a zero-day flaw in the software.

The Taiwanese company said it detected the attacks on September 3 and that “the campaign appears to target QNAP NAS devices running Photo Station with internet exposure.”

The issue has been addressed in the following versions –

  • QTS 5.0.1: Photo Station 6.1.2 and later
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
  • QTS 4.3.6: Photo Station 5.7.18 and later
  • QTS 4.3.3: Photo Station 5.4.15 and later
  • QTS 4.2.6: Photo Station 5.2.14 and later

The vulnerability is currently at high price in dark web with a high interest score and easely exploted. The weakness was shared 09/08/2022 as qsa-22-24. The advisory is shared at qnap.com. This vulnerability is known as CVE-2022-27593 since 03/21/2022. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment

An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later

Latest Stats by Censys:

Censys Deadbolt Ransomware Report

A majority of the hacked devices are located in the U.S. (2,385), Germany (1,596), Italy (1,293), Taiwan (1,173), the U.K. (1,156), France (1,069), Hong Kong (995), Japan (962), Australia (684), and Canada (646).

Hacks

Samsung reveals US customers exposed in the latest breach 

South Korean Samsung on September 2 has released a report on a recent cybersecurity incident that resulted in the unauthorized access of some customer information, the second time this year it has reported such a breach.

“In late July 2022, an unauthorized third-party acquired information from some of Samsung’s U.S. systems,” the company disclosed in a notice. “On or around August 4, 2022, we determined through our ongoing investigation that the personal information of certain customers was affected.”

The announcement comes less than six months after Samsung confirmed a similar incident. In March 2022, it revealed that internal data, including the source code related to its Galaxy smartphones, was leaked in the aftermath of an attack staged by the LAPSUS$ extortion gang.

Previous Issues of vulnerability Weekly



Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Owasp top 10 has been a pillar over the years; sister to CWE – Common Weakness Enumeration we provide an overview of the top software vulnerabilities and web application security risks with a data-driven approach focused on helping identify what risk to fix first.
Francesco Cipollone
The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Asset and Vulnerability Management – Associate assets with multiple Applications and Environments – Mapping of vulnerabilities to Installed Software – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Alfonso Eusebio
With cyber threats growing in sophistication, understanding exploitability has become crucial for security teams to prioritize vulnerabilities effectively. This article explores the key factors that influence the likelihood of exploits in the wild, including attack vectors, complexity levels, privileges required, and more. You’ll learn how predictive scoring systems like EPSS are bringing added dimensions to vulnerability analysis, going beyond static scores. We discuss the importance of monitoring verified threat feeds and exploiting trends from reliable sources, instead of getting distracted by unverified claims and noise. Adopting a risk-based approach to prioritization is emphasized, where critical vulnerabilities are addressed not just based on CVSS severity, but also their likelihood of being exploited and potential business impact. Recent major exploits like Log4Shell are highlighted to stress the need for proactive security. Equipped with the insights from this guide, you’ll be able to implement a strategic, data-backed approach to focusing on the most pertinent risks over the barrage of vulnerabilities.
Francesco Cipollone
The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Improved Management your Vulnerabilities and Assets Display “Closed” vulnerabilities list page Display vulnerability stats in Asset screens Override asset exposure for whole Apps/Envs Filter on-screen dynamic statistical and insights Risk-based Posture Management Update risk formula structure Update Vuln risk formula factors Integrations Configure “vulnerability types” fetched from SonarCloud/SonarQube Users can manually trigger a “scanner refresh” Update Jira tickets when the associated vulnerability is closed Other Improvements Handle large number of items in Treemap chart Improved scanner flow: don’t fetch targets until needed Improved performance of MTTR queries
Alfonso Eusebio

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x Logo: ShieldPRO
This Site Is Protected By
ShieldPRO